JP2013128204A - Access control system and wireless portable terminal - Google Patents

Abstract

PROBLEM TO BE SOLVED: To suppress unauthorized access to a network and enhance security of the network.SOLUTION: A wireless portable terminal 7 is configured to acquire a decryption key from an administrator terminal 2, acquires an encrypted password (encryption information) from an initial information acquisition tag 4 or an exhibit tag 5, and acquires a password by decrypting the acquired encryption information by the decryption key. Therefore, by managing the administrator terminal 2, it is possible to authorize only the wireless portable terminal 7 permitted by the administrator to access a network 9, for example. Consequently, it is possible to suppress unauthorized access to the network 9 and enhance security of the network 9.

Description

  The present invention relates to an access control system and a wireless portable terminal.

Conventionally, as an access control system, for example, there is a conventional technique described in Patent Document 1.
In this prior art, a wireless portable terminal performs wireless communication with an access point based on setting information used for wireless communication between the wireless portable terminal and the access point. Thereby, the wireless portable terminal can be accessed to the network via the access point.
In this conventional technique, the wireless portable terminal reads the setting information from an RFID (Radio Frequency Identification) tag storing the setting information.

JP 2005-303459 A

  However, in the above prior art, the wireless portable terminal reads the setting information from the RFID tag that stores setting information used for wireless communication between the wireless portable terminal and the access point. Therefore, for example, setting information is arbitrarily read from the RFID tag by a wireless portable terminal that is not permitted by the administrator, and wireless communication between the wireless portable terminal and the access point is illegally performed based on the setting information. There was a possibility. As a result, unauthorized access to the network may occur and network security may be reduced.

  The present invention pays attention to the above points, and it is an object to be able to suppress unauthorized access to a network and to improve network security.

One aspect of the access control system of the present invention is:
An access control system that performs wireless communication between a wireless portable terminal and a communication relay device, and enables the wireless portable terminal to access a network via the communication relay device, the wireless portable terminal and the communication relay device An RFID tag that stores encryption information obtained by encrypting setting information used for wireless communication with the wireless communication terminal, and a key storage device that stores a decryption key that can decrypt the encryption information. An encryption information acquisition unit that acquires the encryption information from an RFID tag, a decryption key acquisition unit that acquires the decryption key from the key storage device, and the decryption of the encryption information acquired by the encryption information acquisition unit A decryption unit that decrypts the setting information based on the decryption key obtained by a key obtaining unit; and the configuration information that is decrypted by the decryption unit based on the setting information. Characterized by comprising a communication unit for performing signal relay device and wireless communication.

One aspect of the wireless portable terminal of the present invention is:
A wireless portable terminal that performs wireless communication with a communication relay device, and obtains the encryption information from an RFID tag that stores encryption information obtained by encrypting setting information used for wireless communication between the wireless portable terminal and the communication relay device An encryption information acquisition unit, a decryption key acquisition unit that acquires the decryption key from a key storage device that stores a decryption key that can decrypt the encryption information, and the encryption acquired by the encryption information acquisition unit A decryption unit for decrypting the setting information based on the decryption key obtained by the decryption key obtaining unit; and the communication relay device based on the setting information decrypted by the decryption unit. And a communication unit for performing wireless communication.

  As described above, the wireless portable terminal acquires the decryption key from the key storage device, acquires the encryption information from the RFID tag, and acquires the setting information by decrypting the acquired encryption information with the decryption key. Therefore, for example, by managing the key storage management device, only the wireless portable terminal permitted by the administrator can be permitted to access the network. Therefore, unauthorized access to the network can be suppressed, and network security can be improved.

Another aspect of the access control system of the present invention is as follows:
A plurality of the communication relay devices are arranged in association with each of a plurality of preset areas, and can perform wireless communication with the wireless portable terminal in each of the arranged areas, and the RFID tag And storing the setting information used in wireless communication between the wireless portable terminal and the communication relay device disposed in each of the plurality of regions and associated with each of the disposed regions. And

As described above, the RFID tag is arranged in each of the plurality of areas, and stores setting information corresponding to the communication relay device associated with each arranged area. Therefore, for example, the communication relay device can be switched by acquiring the encryption information from the RFID tag.
Another aspect of the access control system of the present invention is as follows:
The wireless portable terminal includes a key storage unit that stores the decryption key acquired by the decryption key acquisition unit, and a set time that is set in advance after the decryption key acquisition unit acquires the decryption key. And a time erasure unit that erases the decryption key from the key storage unit when it has elapsed, the decryption unit storing the encryption information acquired by the encryption information acquisition unit in the key storage unit The setting information is obtained by decrypting with the decryption key.

  As described above, when the preset time elapses after the wireless portable terminal acquires the decryption key, the decryption key stored in the key storage unit is deleted. Therefore, for example, the decryption key can be deleted from the wireless portable terminal when the administrator sets the usage time of the wireless portable terminal or when the wireless portable terminal is left in the exhibition facility. Therefore, the outflow of the decryption key can be suppressed, and the network security can be further improved.

Another aspect of the access control system of the present invention is as follows:
The wireless portable terminal includes a key storage unit that stores the decryption key acquired by the decryption key acquisition unit, a radio field intensity detection unit that detects a radio field intensity of a radio wave transmitted from the communication relay device, A radio wave erasure unit that erases the decryption key from the key storage unit when the radio wave intensity detection unit cannot detect the radio wave intensity for a preset time, and the decryption unit includes the encryption information The encryption information acquired by the acquisition unit is decrypted with the decryption key stored in the key storage unit to acquire the setting information.

  As described above, when the wireless portable terminal cannot detect the radio wave intensity of the radio wave transmitted from the communication relay device for the preset time, the decryption key stored in the key storage unit is deleted. . Therefore, for example, when the wireless portable terminal is taken out of the exhibition facility where the radio wave transmitted from the communication relay device does not reach, the decryption key can be erased from the wireless portable terminal. Therefore, the outflow of the decryption key can be suppressed, and the network security can be further improved.

  In the present invention, when the wireless portable terminal obtains the decryption key from the key storage device and obtains the encryption information from the RFID tag, the wireless encryption terminal decrypts the obtained encryption information with the decryption key so as to obtain the setting information. did. Therefore, for example, by managing the key storage management device, only the wireless portable terminal permitted by the administrator can be permitted to access the network. Therefore, unauthorized access to the network can be suppressed, and network security can be improved.

1 is a conceptual diagram showing a schematic configuration of an access control system 1. FIG. 2 is a block diagram illustrating a schematic configuration of a wireless portable terminal 7. FIG. It is a flowchart showing an activation process. It is a figure showing operation | movement of the radio | wireless portable terminal 7 in an activation process. It is a flowchart showing a positioning process. It is a figure showing the detection method of the present position of the wireless portable terminal. It is a flowchart showing a tag read process. It is a figure showing operation | movement of the radio | wireless portable terminal 7 in a tag read process. It is a flowchart showing a 1st reset process. It is a flowchart showing a 2nd reset process. FIG. 3 is a diagram illustrating an operation of the access control system 1.

Hereinafter, embodiments of the present invention will be described with reference to the drawings.
In the present embodiment, the present invention is applied to an access control system 1 disposed in an exhibition facility that exhibits various exhibits such as an art museum.
(Constitution)
FIG. 1 is a conceptual diagram showing a schematic configuration of the access control system 1.
As shown in FIG. 1, the access control system 1 includes an administrator terminal 2, access points 3 a and 3 b, an initial information acquisition tag 4, an exhibit tag 5, a database server 6, and a wireless portable terminal 7. The access points 3a and 3b and the database server 6 are connected to each other via a router 8 and a network 9 so as to communicate with each other.

  The manager terminal 2 is disposed at the entrance of the exhibition facility. The administrator terminal 2 stores a decryption key. The decryption key is a key that can decrypt an encrypted password (for example, a WEP key) stored in the initial information acquisition tag 4 and the exhibit tag 5. As the decryption key, for example, multi-digit alphanumeric characters set by the administrator can be adopted. Further, the administrator terminal 2 can communicate with a non-contact communication unit 10 (to be described later) of the wireless portable terminal 7 via short-range wireless communication. As short-range wireless communication, for example, short-distance (for example, several centimeters) communication using a 13.56 MHz frequency band can be employed. Thereby, the wireless portable terminal 7 can read the decryption key from the administrator terminal 2 through the short-range wireless communication.

  The access point 3a (hereinafter also referred to as the entrance access point 3a) is arranged in association with the area Aa set near the entrance of the exhibition facility. An access point 3b (hereinafter also referred to as an exhibition room access point 3b) is arranged in association with each area Ab of the plurality of areas Ab set in the exhibition room. The access points 3a and 3b can communicate with a wireless communication unit 11 (to be described later) of the wireless portable terminal 7 in each of the arranged areas Aa and Ab via wireless communication. Communication with the wireless portable terminal 7 is performed by encryption according to a preset encryption standard (for example, WEP) and a password. As wireless communication, for example, communication with a communication speed of about 54 Mbps using the 5.2 GHz frequency band or communication with a communication speed of about 11 Mbps using the 2.4 GHz frequency band can be employed. As a result, the wireless portable terminal 7 can communicate with the database server 6 via the access points 3a and 3b, the router 8, and the network 9.

  The initial information acquisition tag 4 is disposed in the area Aa set near the entrance of the exhibition facility. The initial information acquisition tag 4 stores AP information. The AP information is the SSID (Service Set Identifier) of the entrance access point 3a, the encryption standard used by the entrance access point 3a, and the encryption information obtained by encrypting the password of the entrance access point 3a (the wireless portable terminal 7 and the entrance access point 3a Setting information used for wireless communication). The initial information acquisition tag 4 can communicate with the non-contact communication unit 10 of the wireless portable terminal 7 via short-range wireless communication. Thereby, the wireless portable terminal 7 can read the AP information from the initial information acquisition tag 4 via the short-range wireless communication. As the initial information acquisition tag 4, a passive RFID (Radio Frequency Identification) tag is adopted.

  The exhibit tag 5 is disposed in a region Ab set in each exhibition room. The exhibit tag 5 is affixed to an explanation panel in which the explanation of the exhibit is described in the area Ab. The exhibit tag 5 stores tag information. Tag information includes tag name, content name, SSID of the exhibition room access point 3b, encryption standard used by the exhibition room access point 3b, and encryption information obtained by encrypting the password of the exhibition room access point 3b (with the wireless portable terminal 7) Setting information used for wireless communication with the exhibition room access point 3b) and tag position information. The content name is a name indicating content information acquired from the database server 6 (for example, a description of an exhibit, an image, etc.). The tag position information is information indicating the arrangement position of the exhibit tag 5. The exhibit tag 5 can communicate with the non-contact communication unit 10 of the wireless portable terminal 7 via short-range wireless communication. As a result, the wireless portable terminal 7 can read the tag information from the exhibit tag 5 via the short-range wireless communication. As the exhibition tag 5, a passive RFID tag is adopted.

  The database server 6 stores facility information and content information. The facility information is a list of facility map information, area information, and SSIDs of the access points 3a and 3b. The facility map information is information indicating a map in the exhibition facility. The area information is information indicating the radio wave intensity of the radio wave transmitted from each access point 3a, 3b at each position in the exhibition facility. The database server 6 can communicate with the wireless communication unit 11 of the wireless portable terminal 7 via the access points 3a and 3b, the router 8, and the network 9. Thereby, the wireless portable terminal 7 can transmit the MAC (Media Access Control) address set in the wireless portable terminal 7 to the database server 6. Further, the wireless portable terminal 7 can read facility information and content information stored in the database server 6. When the database server 6 receives the MAC address, the database server 6 transmits the current time to the wireless portable terminal 7 as the activation time.

The wireless portable terminal 7 is a terminal that is loaned to the user from the manager of the exhibition facility.
FIG. 2 is a block diagram illustrating a schematic configuration of the wireless portable terminal 7.
As shown in FIG. 2, the wireless portable terminal 7 includes a non-contact communication unit 10, a wireless communication unit 11, a storage unit 12, a display unit 13, and a control unit 14.
The non-contact communication unit 10 can communicate with the manager terminal 2, the initial information acquisition tag 4, and the exhibit tag 5 through short-range wireless communication. Thereby, the control unit 14 can acquire the decryption key from the administrator terminal 2 via the non-contact communication unit 10. Further, the control unit 14 can read the AP information from the initial information acquisition tag 4 via the non-contact communication unit 10. Further, the control unit 14 can read tag information from the exhibit tag 5 via the non-contact communication unit 10.

  The wireless communication unit 11 can communicate with the access points 3a and 3b indicated by the SSID stored in the AP information area 12a via wireless communication. Communication with the access points 3a and 3b is performed by encryption based on the encryption standard and password stored in the AP information area 12a. The wireless communication unit 11 can access the network 9 via the access points 3a and 3b and the router 8 that can communicate with each other. Thereby, the control unit 14 can communicate with the database server 6 via the entrance access point 3a, the router 8, and the network 9. The control unit 14 can transmit the MAC address to the database server 6. In addition, the control unit 14 can read facility information and activation time from the database server 6. Further, the control unit 14 can read the content information from the database server 6.

In addition, the wireless communication unit 11 detects the radio field intensity of the radio wave transmitted from each access point 3a, 3b. There is a beacon as a radio wave to be transmitted. Then, the wireless communication unit 11 outputs a signal indicating the detection result (hereinafter also referred to as an intensity signal) to the control unit 14.
The storage unit 12 has a storage area for storing a decryption key, AP information, tag information, facility information, activation time, and content information. In addition, the storage unit 12 has an AP information area 12a that stores an SSID, an encryption standard, and a password used for wireless communication between the wireless portable terminal 7 and the access points 3a and 3b.

The display unit 13 can display an image in which the current position of the wireless portable terminal 7 is superimposed on a map indicated by the facility map information stored in the storage unit 12 in accordance with a display command output from the control unit 14. Yes. Further, the display unit 13 can display an image of content information stored in the storage unit 12 in accordance with a display command output from the control unit 14.
Based on various information stored in the storage unit 12 and the intensity signal output from the wireless communication unit 11, the control unit 14 executes various arithmetic processes described later according to a predetermined control program. For example, a CPU (Central Processing Unit) can be employed as the control unit 14. In addition, the control part 14 erase | eliminates the memory content (For example, a decryption key, SSID, an encryption specification, a password) from the memory | storage part 12, when all the arithmetic processings are complete | finished.

  As described above, in the access control system 1 of the present embodiment, the wireless portable terminal 7 deletes the decryption key when all the arithmetic processes are completed. Therefore, for example, when the use of the exhibition facility ends, the decryption key can be erased from the wireless portable terminal 7. Therefore, the outflow of the decryption key can be suppressed, and the security of the network 9 can be further improved.

(Calculation processing)
Next, an activation process executed by the control unit 14 of the wireless portable terminal 7 will be described. The activation process is executed when the wireless portable terminal 7 is turned on.
FIG. 3 is a flowchart showing the activation process.
As shown in FIG. 3, in step S <b> 101, when the administrator terminal 2 enters the communicable range of the non-contact communication unit 10 of the wireless portable terminal 7, the control unit 14 (short-range wireless communication) ) To establish a connection between the administrator terminal 2 and the control unit 14. Thereby, the administrator terminal 2 and the control unit 14 can communicate with each other via the non-contact communication unit 10 (short-range wireless communication).

Then, it transfers to step S102 and the control part 14 reads a decoding key from the administrator terminal 2 via the non-contact communication part 10 (short-distance wireless communication), as shown to Fig.4 (a). Subsequently, the control unit 14 stores the read decryption key in the storage unit 12.
Subsequently, the process proceeds to step S103, and when the initial information acquisition tag 4 enters the communicable range of the non-contact communication unit 10 of the wireless portable terminal 7, as shown in FIG. A connection between the initial information acquisition tag 4 and the control unit 14 is established via the contact communication unit 10 (short-range wireless communication). As a result, the initial information acquisition tag 4 and the control unit 14 can communicate with each other via the non-contact communication unit 10 (short-range wireless communication). Subsequently, the control unit 14 starts the AP information (the SSID of the entrance access point 3a, the encryption standard used by the entrance access point 3a, the encryption of the entrance access point 3a from the initial information acquisition tag 4 that can communicate with the control unit 14. Information). Subsequently, the control unit 14 stores the read AP information in the storage unit 12.

Subsequently, the process proceeds to step S104, and the control unit 14, as shown in FIG. 4C, based on the decryption key acquired in step S102, the encryption information of the entrance access point 3a acquired in step S103. Is decrypted. Subsequently, the control unit 14 erases the encryption information from the storage unit 12.
Subsequently, the process proceeds to step S105, and as shown in FIG. 4C, the control unit 14 reads the SSID of the entrance access point 3a read out in step S102, the encryption standard used by the entrance access point 3a, and the The password of the entrance access point 3a decrypted in step S104 is stored in the AP information area 12a as setting information used for wireless communication between the wireless portable terminal 7 and the entrance access point 3a. At this time, the control unit 14 erases the SSID, encryption standard, and password stored in the AP information area 12a until then.

  Subsequently, the process proceeds to step S106, and the control unit 14 establishes connection between the entrance access point 3a indicated by the SSID stored in the AP information area 12a and the control unit 14 via the wireless communication unit 11 (wireless communication). Establish. As a result, the entrance access point 3a and the control unit 14 can communicate with each other via the wireless communication unit 11 (wireless communication). Then, the control unit 14 enables communication between the database server 6 and the control unit 14 via the wireless communication unit 11, the entrance access point 3a, the router 8, and the network 9.

Subsequently, the process proceeds to step S107, and the control unit 14 transmits the MAC address of the wireless portable terminal 7 to the database server 6 enabled to communicate in step S106, as shown in FIG. 4 (d).
Subsequently, the process proceeds to step S108, and the control unit 14 reads out the facility information (facility map information, area information, a list of SSIDs of the access points 3a and 3b) from the database server 6 that is communicable in step S106. . In addition, the control unit 14 acquires the current time from the database server 6 as the activation time.
Subsequently, the process proceeds to step S109, and as shown in FIG. 4E, the control unit 14 stores the facility information and the activation time read out in step S108 in the storage unit 12, and then performs this calculation process. Exit.

Next, positioning processing executed by the control unit 14 of the wireless portable terminal 7 will be described. The positioning process is executed when the facility information is stored in the storage unit 12.
FIG. 5 is a flowchart showing the positioning process.
As shown in FIG. 5, in step S <b> 201, the control unit 14 acquires an intensity signal (a signal indicating the intensity of the radio wave transmitted from each access point 3 a, 3 b) from the wireless communication unit 11.

  Subsequently, the process proceeds to step S202, where the control unit 14 is based on the combination of the radio wave intensity indicated by the intensity signal acquired in step S201 and the radio wave intensity combination indicated by the area information stored in the storage unit 12. The current position of the wireless portable terminal 7 is detected. Specifically, the control unit 14 determines whether there is a combination whose ratio matches the combination of the radio wave intensity indicated by the intensity signal among the combinations of the radio wave intensity indicated by the area information. As a combination of radio field strengths, for example, as shown in FIG. 6, when four access points 3a, 3b (hereinafter also referred to as AP1, AP2, AP3, AP4) are arranged in the exhibition facility, A combination of the radio field intensity of the radio wave transmitted from AP1, the radio field intensity of the radio wave transmitted from AP2, the radio field intensity of the radio wave transmitted from AP3, and the radio field intensity of the radio wave transmitted from AP4 is adopted. Subsequently, when it is determined that there is a matching combination, the control unit 14 detects a position corresponding to the matching combination as the current position of the wireless portable terminal 7 from the area information. On the other hand, when the control unit 14 determines that there is no matching combination, the control unit 14 selects the combination having the closest ratio to the combination of the radio wave intensity indicated by the intensity signal from the combination of the radio wave intensity indicated by the area information. From this, the position corresponding to the selected combination is detected as the current position of the wireless portable terminal 7.

  As described above, the access control system 1 according to the present embodiment detects the current position of the wireless portable terminal 7 based on the ratio between the combination of the radio wave intensity indicated by the intensity signal and the combination of the radio wave intensity indicated by the area information. I made it. Therefore, for example, even when the radio wave transmitted from each access point 3a, 3b is attenuated and the combination of the radio field intensity indicated by the intensity signal does not match the combination of the radio wave intensity indicated by the area information, the wireless portable terminal 7 The current position can be detected appropriately.

  In the present embodiment, the example in which the current position of the wireless portable terminal 7 is detected based on the combination of the radio wave intensity indicated by the intensity signal and the combination of the radio wave intensity indicated by the area information has been described. It can also be adopted. For example, the current position of the wireless portable terminal 7 may be detected by comparing the radio field intensity of radio waves transmitted from the access points 3a and 3b. For example, as shown in FIG. 6, the x direction and the y direction orthogonal to each other are set, the access point AP1 is arranged at the position of (x0, y1) in the xy coordinates, and the access point AP2 is (x1 ( > X0), y1), the access point AP3 is arranged at the position of (x0, y0 (<y1)) in the xy coordinates, and the access point AP1 is at the position of (x1, y0) in the xy coordinates. If the radio wave intensity of the radio wave transmitted from the access point AP1 is compared with the radio wave intensity of the radio wave transmitted from the access point AP2, the x coordinate of the current position of the wireless portable terminal 7 is obtained. To detect. Alternatively, the radio wave intensity of the radio wave transmitted from the access point AP3 is compared with the radio wave intensity of the radio wave transmitted from the access point AP4, and the x coordinate of the current position of the wireless portable terminal 7 is detected. Similarly, the radio wave intensity of the radio wave transmitted from the access point AP1 is compared with the radio wave intensity of the radio wave transmitted from the access point AP3, and the y coordinate of the current position of the wireless portable terminal 7 is detected. Alternatively, the y-coordinate of the current position of the wireless portable terminal 7 is detected by comparing the radio wave intensity of the radio wave transmitted from the access point AP2 with the radio wave intensity of the radio wave transmitted from the access point AP4.

  Subsequently, the process proceeds to step S203, and the control unit 14 displays an image in which the current position of the wireless portable terminal 7 detected in step S202 is superimposed on the map indicated by the facility map information stored in the storage unit 12. After the display command to be output is output to the display unit 13, the process proceeds to step S201. In addition, the control part 14 shows the facility map information which the memory | storage part 12 memorize | stores, when the elapsed time after newly acquiring tag information is less than the preset setting time (for example, 30 seconds). On the map, a display command for displaying an image in which the position indicated by the tag position information in the acquired tag information is superimposed as the current position of the wireless portable terminal 7 is output to the display unit 13.

Next, tag read processing executed by the wireless portable terminal 7 will be described.
The tag read processing is executed when the wireless portable terminal 7 is held over the exhibit tag 5 and the exhibit tag 5 enters the communicable range of the non-contact communication unit 10 of the wireless portable terminal 7.
FIG. 7 is a flowchart showing the tag read process.
As shown in FIG. 7, in step S301, as shown in FIG. 8, the control unit 14 receives tag information (tag name, content) from the exhibit tag 5 via the non-contact communication unit 10 (short-range wireless communication). Name, SSID of the exhibition room access point 3b, encryption standard used by the exhibition room access point 3b, encryption information of the exhibition room access point 3b, and tag position information). Subsequently, the control unit 14 stores the read tag information in the storage unit 12.

Subsequently, the process proceeds to step S302, and the control unit 14 decrypts the encryption information of the exhibition room access point 3b acquired in step S301 based on the decryption key stored in the storage unit 12. Subsequently, the control unit 14 erases the encryption information from the storage unit 12.
Subsequently, the process proceeds to step S303, and the control unit 14 determines the SSID of the exhibition room access point 3b read in step S301, the encryption standard used by the exhibition room access point 3b, and the exhibition room decrypted in step S302. The password of the access point 3b is stored in the AP information area 12a as setting information used for wireless communication between the wireless portable terminal 7 and the entrance access point 3a. At this time, the control unit 14 erases the SSID, encryption standard, and password stored in the AP information area 12a until then.

  Subsequently, the process proceeds to step S304, and the control unit 14 connects the exhibition unit access point 3b indicated by the SSID stored in the AP information area 12a and the control unit 14 via the wireless communication unit 11 (wireless communication). Establish. As a result, the exhibition room access point 3b and the control unit 14 can communicate with each other via the wireless communication unit 11 (wireless communication). Then, the control unit 14 enables communication between the database server 6 and the control unit 14 via the wireless communication unit 11, the exhibition room access point 3 b, the router 8, and the network 9.

Subsequently, the process proceeds to step S305, and the control unit 14 acquires the content information indicated by the content name stored in the storage unit 12 from the database server 6 that is communicable in step S304. Subsequently, the control unit 14 causes the storage unit 12 to store the acquired content information.
Subsequently, the process proceeds to step S306, and the control unit 14 outputs a display command for displaying the image of the content information acquired in step S305 to the display unit 13, and then ends the calculation process.

Next, the 1st reset process which the wireless portable terminal 7 performs is demonstrated.
The first reset process is executed when the decryption key is read from the administrator terminal 2.
FIG. 9 is a flowchart showing the first reset process.
As shown in FIG. 9, in step S <b> 401, the control unit 14 starts measuring the elapsed time after reading the decryption key from the administrator terminal 2 (hereinafter also referred to as read elapsed time).

  Subsequently, the process proceeds to step S402, and the control unit 14 determines whether or not the read elapsed time at which measurement is started in step S401 has reached a preset set time (for example, 3 hours) or more. If the control unit 14 determines that the read elapsed time has become equal to or longer than the set time (Yes), the control unit 14 proceeds to step S403. On the other hand, when it is determined that the read elapsed time is less than the set time (No), the control unit 14 performs this determination again.

In step S403, the control unit 14 deletes the decryption key from the storage unit 12, and then ends the calculation process.
As described above, in the access control system 1 of the present embodiment, when a preset set time (for example, 3 hours) elapses after the wireless portable terminal 7 acquires the decryption key, the decryption key is stored in the storage unit 12. Was erased. Therefore, for example, when the administrator sets the usage time of the wireless portable terminal 7 or when the wireless portable terminal 7 is left in the exhibition facility, the decryption key can be erased from the wireless portable terminal 7. Therefore, the outflow of the decryption key can be suppressed and the security of the network 9 can be further improved.

Next, the 2nd reset process which the wireless portable terminal 7 performs is demonstrated.
In the second reset process, facility information (a list of SSIDs) is stored in the storage unit 12, and the radio wave intensity of radio waves transmitted from the access points 3a and 3b indicated by the list of SSIDs stored in the storage unit 12 This is executed when the wireless communication unit 11 cannot be detected.
FIG. 10 is a flowchart showing the second reset process.

As illustrated in FIG. 10, in step S501, the control unit 14 cannot detect the radio wave intensity of radio waves transmitted from the access points 3a and 3b indicated by the SSID list stored in the storage unit 12. Measurement of the elapsed time (hereinafter also referred to as radio wave elapsed time) is started.
Subsequently, the process proceeds to step S502, and the control unit 14 determines whether the radio communication unit 11 cannot detect the radio wave intensity of the radio waves transmitted from the access points 3a and 3b indicated by the list of SSIDs stored in the storage unit 12. Determine whether. If the control unit 14 determines that the radio communication unit 11 cannot detect the radio field intensity (Yes), the control unit 14 proceeds to step S503. On the other hand, when it is determined that the radio communication unit 11 can detect the radio wave intensity (No), the calculation process is terminated.

  In step S503, the control unit 14 determines whether or not the radio wave elapsed time at which measurement was started in step S501 has reached a preset time (for example, 30 minutes) or more. If the control unit 14 determines that the radio wave elapsed time is equal to or longer than the set time (Yes), the control unit 14 proceeds to step S504. On the other hand, if the control unit 14 determines that the radio wave elapsed time is less than the set time (No), the control unit 14 proceeds to step S502.

In step S504, the control unit 14 deletes the decryption key from the storage unit 12, and then ends the calculation process.
As described above, in the access control system 1 of this embodiment, when the wireless portable terminal 7 cannot detect the radio wave intensity of the radio waves transmitted from the access points 3a and 3b for a preset time, the storage unit 12 The decryption key was deleted. Therefore, for example, when the wireless portable terminal 7 is taken out of the exhibition facility where radio waves transmitted from the access points 3a and 3b do not reach, the decryption key can be erased from the wireless portable terminal 7. Therefore, the outflow of the decryption key can be suppressed and the security of the network 9 can be further improved.

  As described above, in the present embodiment, the wireless portable terminal 7 in FIGS. 1 and 2 constitutes a wireless portable terminal. Similarly, the access points 3a and 3b in FIG. 1 constitute a communication relay device. Further, the passwords of the access points 3a and 3b constitute setting information used for wireless communication. Further, the encrypted password constitutes the encryption information. Further, the initial information acquisition tag 4 and the exhibit tag 5 in FIG. 1 constitute an RFID tag. Further, the administrator terminal 2 in FIG. 1 constitutes a key storage device. Further, the non-contact communication unit 10 and the control unit 14 in FIG. 2 and step S103 in FIG. 3 constitute an encryption information acquisition unit. Further, the non-contact communication unit 10 and the control unit 14 in FIG. 2 and steps S101 and S102 in FIG. 3 constitute a decryption key acquisition unit. Further, the control unit 14 in FIG. 2 and step S104 in FIG. 3 constitute a decoding unit. Further, the wireless communication unit 11 and the control unit 14 in FIG. 2, step S106 in FIG. 3, and step S304 in FIG. 7 constitute a communication unit. Moreover, the control part 14 of FIG. 2 and the step S401 to S403 time deletion part of FIG. 9 are comprised. Further, the wireless communication unit 11 in FIG. 2 constitutes a radio wave intensity detection unit. 2 and steps S501 to S504 in FIG. 10 constitute a radio wave erasing unit.

(Operation, other)
Next, the operation of the access control system 1 of this embodiment will be described.
FIG. 11 is a diagram illustrating the operation of the access control system 1.
As shown in FIG. 11, it is assumed that a user has lent a wireless portable terminal 7 from an administrator and turned on the lent wireless portable terminal 7. Then, the wireless portable terminal 7 starts activation processing (calculation processing in FIG. 3). Subsequently, it is assumed that the user holds the wireless portable terminal 7 over the administrator terminal 2. Then, by the activation process, the wireless portable terminal 7 reads out the decryption key from the administrator terminal 2 via the non-contact communication unit 10 (short-range wireless communication), and the read decryption key is stored in the storage unit 12. It memorize | stores (step S101, S102).

  Subsequently, it is assumed that the user holds the wireless portable terminal 7 over the initial information acquisition tag 4. Then, the wireless portable terminal 7 acquires AP information from the initial information acquisition tag 4 via the non-contact communication unit 10 (short-range wireless communication), and decrypts the encrypted information in the acquired AP information based on the decryption key. To obtain a decrypted password (steps S103 and S104). Subsequently, the wireless portable terminal 7 stores the SSID of the entrance access point 3a in the acquired AP information, the encryption standard used by the entrance access point 3a, and the decrypted password in the AP information area 12a of the storage unit 12 ( Step S105). Thereby, the wireless portable terminal 7 can be accessed to the network 9 via the entrance access point 3a (wireless communication) indicated by the SSID stored in the AP information area 12a. Communication with the entrance access point 3a is performed by encryption based on the encryption standard and password stored in the AP information area 12a. As a result, the wireless portable terminal 7 can communicate with the database server 6 via the entrance access point 3a, the router 8, and the network 9.

  As described above, in the access control system 1 of the present embodiment, when the wireless portable terminal 7 acquires the decryption key from the administrator terminal 2 and acquires the encryption information from the initial information acquisition tag 4, the acquired encryption information is acquired. Is decrypted with the decryption key to obtain the password of the entrance access point 3a. Therefore, for example, by managing the administrator terminal 2, only the wireless portable terminal 7 permitted by the administrator can be permitted to access the network 9. Therefore, unauthorized access to the network 9 can be suppressed, and the security of the network 9 can be improved.

Further, the wireless portable terminal 7 acquires the password of the entrance access point 3a in an encrypted state. Therefore, the security of the entrance access point 3a can be improved. Furthermore, only the wireless portable terminal 7 that has executed the activation process and acquired the decryption key can decrypt the encrypted information and establish a connection with the entrance access point 3a.
Further, the wireless portable terminal 7 decrypts the encrypted password. Therefore, an inexpensive RFID tag having no encryption processing circuit or the like can be employed as the initial information acquisition tag 4 and the exhibit tag 5. Therefore, the manufacturing cost can be reduced. Further, even the wireless portable terminal 7 having no secure element can decrypt the encrypted password.

  Subsequently, the wireless portable terminal 7 transmits the MAC address of the wireless portable terminal 7 to the database server 6 via the entrance access point 3a, the router 8, and the network 9 (step S107). Then, the database server 6 stores the transmitted MAC address. Subsequently, the wireless portable terminal 7 acquires facility information and activation time from the database server 6 via the entrance access point 3a, the router 8, and the network 9, and stores the acquired facility information and activation time in the storage unit. 12, the activation process is terminated (steps S108 and S109).

  Here, when the facility information is stored in the storage unit 12, the wireless portable terminal 7 starts the positioning process (calculation process in FIG. 5). Subsequently, by the positioning process, the wireless portable terminal 7 is based on the radio wave intensity indicated by the intensity signal output from the radio communication unit 11 and the radio wave intensity indicated by the area information in the facility information stored in the storage unit 12. The current position of the wireless portable terminal 7 is detected (steps S201 and S202). Subsequently, the wireless portable terminal 7 outputs the display information corresponding to the facility information stored in the storage unit 12 and the current position of the wireless portable terminal 7 to the display unit 13 (step S203). Then, the display unit 13 displays an image in which the detected current position of the wireless portable terminal 7 is superimposed on the map indicated by the facility map information stored in the storage unit 12 in accordance with the transmitted display command. The flow of the positioning process is repeatedly executed, and images in which the current position of the wireless portable terminal 7 is updated are sequentially displayed on the display unit 13.

  Subsequently, it is assumed that the user moves to the exhibition room and holds the wireless portable terminal 7 over the exhibit tag 5 (hereinafter also referred to as the target tag 5). Then, the wireless portable terminal 7 starts tag read processing (calculation processing in FIG. 7). Subsequently, by the tag read process, the wireless portable terminal 7 acquires tag information from the exhibit tag 5 via the non-contact communication unit 10 (short-range wireless communication) (step S301). Here, the exhibit tag 5 is arranged in each area Ab of the plurality of areas Ab, and stores tag information of the exhibition room access point 3b associated with each arranged area Ab. Therefore, the wireless portable terminal 7 acquires tag information of the exhibition room access point 3b (hereinafter also referred to as the target access point 3b) associated with the area Ab where the target tag 5 is disposed. Subsequently, the wireless portable terminal 7 decrypts the encrypted information in the acquired tag information based on the decryption key, and obtains the decrypted password (password of the target access point 3b) (step S302). Subsequently, the wireless portable terminal 7 stores the SSID of the target access point 3b in the acquired tag information, the encryption standard used by the target access point 3b, and the decrypted password in the AP information area 12a of the storage unit 12 ( Step S303). Thereby, the wireless portable terminal 7 can be accessed to the network 9 via the target access point 3b indicated by the SSID stored in the AP information area 12a. Communication with the target access point 3b is performed based on the encryption standard and password stored in the AP information area 12a. As a result, the wireless portable terminal 7 can communicate with the database server 6 via the target access point 3b, the router 8, and the network 9. Subsequently, the wireless portable terminal 7 acquires content information from the database server 6 via the wireless communication unit 11, the target access point 3b, the router 8, and the network 9 (step S305). Subsequently, after the wireless portable terminal 7 outputs a display command corresponding to the acquired content information to the display unit 13, the tag read process is terminated (step S306). And the display part 13 displays the image etc. which show the acquired content information according to the transmitted display command.

As described above, in the access control system 1 of the present embodiment, the exhibit tag 5 is arranged in each area Ab of the plurality of areas Ab, and the exhibition room access point associated with each arranged area Ab. The encryption information of 3b was stored. Therefore, by acquiring the encryption information from the exhibit tag 5, the exhibition room access point 3b can be appropriately switched.
By the way, AP information and tag information of all access points 3a and 3b are stored in advance in the storage unit 12 of the wireless portable terminal 7, and the destination areas Aa and Ab are moved each time they move to other areas Aa and Ab. In the method of automatically establishing a connection (handover) with the access points 3a and 3b associated with, AP information and tag information are likely to flow out.

  On the other hand, in the method of the present embodiment, each time the user moves to another area Aa, Ab, the wireless portable terminal 7 is held over the initial information acquisition tag 4 and the exhibit tag 5 to the destination area Aa, Ab. AP information and tag information of the associated access points 3a and 3b are acquired, and the acquired AP information and tag information are overwritten in the storage unit 12. Thereby, AP information and facility information can be distributed and managed, and the possibility of AP information and facility information leaking can be reduced.

DESCRIPTION OF SYMBOLS 1 Access control system 2 Manager terminal 3a Entrance access point 3b Exhibition room access point 4 Initial information acquisition tag 5 Exhibit tag 6 Database server 7 Wireless portable terminal 8 Router 9 Network 10 Non-contact communication unit 11 Wireless communication unit 12 Storage unit 12a Information area 13 Display unit 14 Control unit

Claims (5)

An access control system that performs wireless communication between a wireless portable terminal and a communication relay device, and allows the wireless portable terminal to access a network via the communication relay device,
An RFID tag storing encryption information obtained by encrypting setting information used for wireless communication between the wireless portable terminal and the communication relay device;
A key storage device storing a decryption key capable of decrypting the encryption information,
The wireless portable terminal is:
An encryption information acquisition unit for acquiring the encryption information from the RFID tag;
A decryption key obtaining unit for obtaining the decryption key from the key storage device;
A decryption unit for decrypting the setting information based on the decryption key obtained by the decryption key obtaining unit, the encryption information obtained by the encryption information obtaining unit;
An access control system comprising: a communication unit that performs wireless communication with the communication relay device based on the setting information decoded by the decoding unit. A plurality of the communication relay devices are arranged in association with each of a plurality of preset areas, and wireless communication is possible with the wireless portable terminal in each of the arranged areas,
The RFID tag is disposed in each of the plurality of regions, and stores the setting information used for wireless communication between the wireless portable terminal and the communication relay device associated with each disposed region. The access control system according to claim 1, wherein: The wireless portable terminal is:
A key storage unit storing the decryption key acquired by the decryption key acquisition unit;
A time erasure unit that erases the decryption key from the key storage unit when a preset set time has elapsed since the decryption key acquisition unit acquired the decryption key;
The decryption unit is configured to decrypt the encryption information acquired by the encryption information acquisition unit with the decryption key stored in the key storage unit to acquire the setting information. Or the access control system according to 2. The wireless portable terminal is:
A key storage unit storing the decryption key acquired by the decryption key acquisition unit;
A radio wave intensity detector for detecting the radio wave intensity of the radio wave transmitted from the communication relay device;
A radio wave erasure unit that erases the decryption key from the key storage unit when the radio wave intensity detection unit cannot detect the radio wave intensity of the radio wave transmitted from the communication relay device for a preset time. ,
The decryption unit is configured to decrypt the encryption information acquired by the encryption information acquisition unit with the decryption key stored in the key storage unit to acquire the setting information. 4. The access control system according to any one of items 1 to 3. A wireless portable terminal that performs wireless communication with a communication relay device,
An encryption information acquisition unit that acquires the encryption information from an RFID tag that stores encryption information obtained by encrypting setting information used for wireless communication between the wireless portable terminal and the communication relay device;
A decryption key obtaining unit for obtaining the decryption key from a key storage device storing a decryption key capable of decrypting the encryption information;
A decryption unit for decrypting the setting information based on the decryption key obtained by the decryption key obtaining unit, the encryption information obtained by the encryption information obtaining unit;
A wireless portable terminal comprising: a communication unit that performs wireless communication with the communication relay device based on the setting information decoded by the decoding unit.

Images