JP2017135599A - Radio base station device, radio communication system, and control method of radio base device - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a radio base station device that controls terminal spoofing while suppressing an introduction cost.SOLUTION: A base station 10 comprises: a key management part 111 that holds first key information PMK; a key formation part 113 that forms second key information PMK1 by a first calculation using first identification information as specific identification information for a radio terminal, which is acquired from the radio terminal, and the first key information PMK; a key preventing part 114 that controls so tat the second key information PMK1 formed by the key formation part 113 is prevented to the radio terminal; a verification part 115 that acquires the identification information specified to the communication terminal which tries to perform radio data communication with the base station 10 as second identification information from a communication terminal, uses the first calculation using the second identification information and the first key information PMK, and verifies that the communication terminal holds the second key information PMK1; and a data communication part 116 that perform encrypted data communication with the communication terminal on the basis of the second key information PMK1 under one condition that success of the verification by the verification part 115 is determined.SELECTED DRAWING: Figure 6

Description

  The present invention relates to a radio base station apparatus that performs radio communication with a radio terminal, a radio communication system, and a control method for the radio base station apparatus.

  Conventionally, a LAN using a wireless communication terminal (hereinafter also referred to as a terminal) and a wireless base station device (hereinafter also referred to as a base station) that communicates with the terminal via a wireless communication link (hereinafter also referred to as a communication link). (Local Area Network) is used. A terminal can communicate with another communication device (such as a Web server or a mail server) on a network connected to the wireless LAN via the wireless LAN. In wireless communication, there is no wired connection by a cable or the like between communicating devices, and therefore security risks such as wiretapping or spoofing are relatively large. As a measure for preventing eavesdropping or spoofing, the communication signal is encrypted, but it is not sufficient.

  Patent Literature 1 discloses a communication system that prevents impersonation of a terminal by generating key information used for encryption of a communication signal based on information held by the terminal and the base station.

Japanese Patent No. 4550759

  However, in the communication system disclosed in Patent Document 1, it is necessary that both the terminal and the base station have functions that are not installed in the conventional terminal and base station. Therefore, in order to make the communication system disclosed in Patent Document 1 function, it is necessary to introduce both the terminal and the base station included in the communication system, and the introduction cost is high and the convenience is low.

  The present invention has been made to solve the above problems, and an object of the present invention is to provide a radio base station apparatus and the like that suppress impersonation of a terminal while suppressing introduction cost.

  In order to solve the above problem, a radio base station apparatus according to an aspect of the present invention is a radio base station apparatus for performing encrypted data communication with a radio terminal, and has first key information. A key management unit, a terminal information acquisition unit that acquires first identification information that is identification information unique to the wireless terminal, the first identification information acquired by the terminal information acquisition unit, and the first key information A key generation unit that generates second key information by a first calculation using the key, a key providing unit that controls the second key information generated by the key generation unit to be provided to the wireless terminal, and the wireless base Identification information unique to a communication terminal that is a wireless terminal that intends to perform data communication with a station is acquired from the communication terminal as second identification information, and the second identification information and the first key information are used. Using the first operation, the communication terminal is configured to transmit the second key information. A verification unit for verifying possession and data communication encrypted based on the second key information on the condition that it is determined that the verification by the verification unit is successful. A data communication unit for communication with the terminal;

  According to this, the radio base station apparatus can verify the validity of the radio terminal using the second key information generated based on the identification information of the radio terminal. Specifically, the radio base station apparatus generates second key information in consideration of the identification information of the radio terminal, and the radio terminal to be connected to the radio base station apparatus has valid key information In consideration of the identification information of the wireless terminal. This prohibits other wireless terminals from using the second key information generated in consideration of the identification information of one wireless terminal to connect to the wireless base station apparatus. In addition, the terminal to be connected to the radio base station apparatus according to the present invention only needs the function of the conventional terminal, and does not require a special function for connecting to the radio base station apparatus according to the present invention. Therefore, the radio base station apparatus of the present invention can suppress the terminal impersonation while suppressing the introduction cost.

  The first calculation may include a calculation based on a one-way function.

  According to this, it is substantially impossible for the radio base station apparatus to obtain the first key information used for generating the second key information from the second key information. Thus, leakage of the first key information to the outside of the radio base station apparatus is suppressed. Thereby, the impersonation of a terminal can be suppressed further.

  Further, the verification unit transmits (a) first information to the communication terminal, and (b) first information based on the first information and the second key information provided to the communication terminal by the key generation unit. Second information calculated by the communication terminal using two operations is acquired from the communication terminal together with the second identification information, and (c) based on the first key information and the acquired second identification information. When the third information calculated by the second calculation matches the second information, it may be determined that the verification is successful.

  According to this, the radio base station apparatus can specifically verify that the terminal has the second key information. Therefore, the radio base station apparatus can more specifically realize suppression of terminal impersonation.

  The verification unit may acquire a communication frame including the second information transmitted by the communication terminal, and acquire the second identification information from a transmission source address field included in the acquired communication frame.

  According to this, the radio base station apparatus suppresses impersonation of the terminal more specifically and reliably by using the address field of the communication frame used for verification that the terminal holds the second key information. be able to.

  The first identification information and the second identification information of the communication terminal may each include a hardware address of the communication terminal.

  According to this, the radio base station apparatus can more specifically suppress the impersonation of the terminal by using the hardware address of the terminal.

  In order to solve the above-described problem, a radio communication system according to an aspect of the present invention includes the above-described radio base station apparatus and the radio terminal that performs radio communication with the radio base station apparatus.

  Thereby, there exists an effect similar to the said wireless base station apparatus.

  In order to solve the above-described problem, a control method for a radio base station apparatus according to an aspect of the present invention is a control method for a radio base station apparatus for performing encrypted data communication with a radio terminal. A key management step of holding one key information, a terminal information acquisition step of acquiring first identification information which is identification information unique to a wireless terminal, the first identification information acquired in the terminal information acquisition step, and the first A key generation step of generating second key information by a first calculation using one key information and controlling the generated second key information to be provided to the wireless terminal; and the data of the wireless base station Identification information unique to a communication terminal that is a wireless terminal to be communicated is acquired from the communication terminal as second identification information, and the first calculation using the second identification information and the first key information is used. And the communication terminal A verification step for verifying possession of the second key information, and encryption based on the second key information, assuming that the verification step determines that the verification is successful. Data communication step of performing data communication with the communication terminal.

  Thereby, there exists an effect similar to the said wireless base station apparatus.

  Note that the present invention can be realized not only as an apparatus but also as a method using steps as processing units constituting the apparatus, as a program for causing a computer to execute the steps, or as a computer read recording the program. It can also be realized as a possible recording medium such as a CD-ROM, or as information, data or a signal indicating the program. These programs, information, data, and signals may be distributed via a communication network such as the Internet.

  The radio base station apparatus according to the present invention can suppress the impersonation of the terminal while suppressing the introduction cost.

FIG. 1 is a configuration diagram of a radio communication system according to an embodiment. FIG. 2 is a block diagram illustrating a hardware configuration of the base station according to the embodiment. FIG. 3 is a block diagram illustrating a functional configuration of the base station according to the related technology. FIG. 4 is a flowchart showing processing relating to introduction of key information of a base station according to related technology. FIG. 5 is a sequence diagram showing processing relating to introduction of key information in a communication system according to related technology. FIG. 6 is a block diagram illustrating a functional configuration of the base station according to the embodiment. FIG. 7 is a flowchart showing processing relating to introduction of key information of the base station according to the embodiment. FIG. 8 is a sequence diagram illustrating a process related to the introduction of key information in the communication system according to the embodiment and showing a case where the MIC verification process is successful. FIG. 9 is a sequence diagram illustrating a process related to the introduction of key information in the communication system according to the embodiment and a case where the MIC verification process fails. FIG. 10 is an explanatory diagram showing key information that each device holds or uses in the wireless communication system according to the embodiment.

  Hereinafter, embodiments will be specifically described with reference to the drawings.

  Each of the embodiments described below shows a preferred specific example of the present invention. The numerical values, shapes, materials, constituent elements, arrangement positions and connecting forms of the constituent elements, steps, order of steps, and the like shown in the following embodiments are merely examples, and are not intended to limit the present invention. In addition, among the constituent elements in the following embodiments, constituent elements that are not described in the independent claims indicating the highest concept of the present invention are described as optional constituent elements that constitute a more preferable embodiment.

  In addition, the same code | symbol is attached | subjected to the same component and description may be abbreviate | omitted.

(Embodiment)
In this embodiment, a radio base station apparatus and a radio communication system that suppress impersonation of a terminal while suppressing introduction cost will be described.

  FIG. 1 is a configuration diagram of a wireless communication system 1 according to the present embodiment.

  As shown in FIG. 1, the wireless communication system 1 includes a base station 10 and terminals 21 and 22. The wireless communication system 1 is communicably connected to the LAN 40, and the terminals 21 and 22 can communicate with a communication device of an external network (not shown) via the LAN 40.

  The base station 10 is a radio base station apparatus that performs radio communication with the terminal 21 and the like. The base station 10 includes a wireless communication interface (hereinafter also referred to as “wireless IF”), establishes a communication link 31 with the terminal 21 by the wireless IF, and communicates with the terminal 21 through the established communication link 31. Communicate by sending and receiving. Further, the base station 10 includes a wired communication interface (hereinafter also referred to as “wired IF”), and is connected to the LAN 40 by the wired IF.

  Terminals 21 and 22 are wireless terminals having a wireless IF. Each of the terminals 21 and 22 establishes a wireless IF of the base station 10 and communication links 31 and 32, and performs wireless communication through the established communication links 31 and 32. The terminals 21 and 22 can communicate with a communication device (not shown) connected to the LAN 40 and a communication device (not shown) connected to another network connected to the LAN 40 via the base station 10. it can. Each of the terminals 21 and 22 performs wireless communication by exchanging encrypted communication frames with the base station 10. This wireless communication is performed after verifying that the communication partner has a valid encryption key by, for example, a 4-way handshake defined in IEEE802.11i. Note that a wireless terminal that intends to perform encrypted data communication with the base station 10 is also referred to as a communication terminal.

  The terminals 21 and 22 have the same functions as conventional terminals. In the following, the terminal 21 will be mainly described, but the same description holds true for the terminal 22 unless otherwise specified.

  The LAN 40 is a communication network (local area network) to which the base station 10 is connected. The LAN 40 is realized by, for example, a wired LAN that conforms to the IEEE 802.3 standard. A communication device (terminal, router, etc.) different from the base station 10 may be connected to the LAN 40.

  In the wireless communication system 1, it is assumed that the base station 10 is used so as to limit the terminals permitted to connect to the base station 10 to only predetermined terminals. For example, the wireless communication system 1 can be applied to a home network installed in a private house or an in-house network installed in a corporate office.

  The hardware configuration and functional configuration of the base station 10 in the wireless communication system 1 configured as described above will be described.

  FIG. 2 is a block diagram showing a hardware configuration of base station 10 according to the present embodiment.

  As shown in FIG. 2, the base station 10 includes a CPU (Central Processing Unit) 101, a ROM (Read Only Memory) 102, a main memory 103, a storage 104, a wired IF 105, and a wireless IF 106.

  The CPU 101 is a processor that executes a control program stored in the ROM 102 or the storage 104.

  The ROM 102 is a read-only storage area that holds a control program and the like.

  The main memory 103 is a volatile storage area used as a work area used when the CPU 101 executes a control program.

  The storage 104 is a non-volatile storage area that holds a control program, content, and the like.

  The wired IF 105 is a wired communication interface that is communicably connected to the LAN 40. The wired IF 105 only needs to conform to a communication standard that can be connected to the LAN 40. For example, the wired IF 105 is a wired LAN communication interface conforming to the IEEE 802.3 standard, and includes a wired communication signal generation circuit, a terminal, and the like. Have.

  The wireless IF 106 is a wireless communication interface that establishes a communication link 31 with the terminal 21 and performs wireless communication. The wireless IF 106 is a wireless LAN communication interface conforming to, for example, the IEEE 802.11a, b, g, and n standards, and includes a wireless communication signal generation circuit, an antenna, and the like.

  The functions of the base station 10 described below are realized by information processing in which the CPU 101 executes programs stored in the ROM 102, the storage 104, and the like using the main memory 103 and the like. At that time, depending on the function, the wired IF 105 or the wireless IF 106 is also used as appropriate.

  Hereinafter, the base station 10 will be described in comparison with related technologies.

  FIG. 3 is a block diagram showing a functional configuration of the base station 50 according to the related technology. Here, the related technology refers to a conventional technology related to the base station 10 according to the present embodiment, and the base station 50 is arranged in the same position as the base station 10 in the present embodiment. is there. The hardware configuration of the base station 50 is the same as the hardware configuration of the base station 10 shown in FIG.

  As illustrated in FIG. 3, the base station 50 includes a key management unit 511, a key providing unit 512, a verification unit 513, and a data communication unit 514.

  The key management unit 511 is a management unit that holds key information used for encryption of communication between the base station 50 and the terminal 21. The key management unit 511 has a PMK (Pairwise Master Key), which is key information that is a source of an encryption key used for encryption of communication between the base station 50 and the terminal 21. It is assumed that the PMK is provided only to a terminal that permits connection to the base station 50. This is because the base station 50 permits a terminal having a PMK to connect to the base station 50 and rejects a connection to a base station 50 by a terminal having no PMK.

  Further, the key management unit 511 generates and holds PTK (Pairwise Transient Key), which is key information used for encryption of communication between the base station 50 and the terminal 21, based on the PMK. The PTK is generated by calculation using a predetermined calculation formula based on the PMK. Specifically, the operation for generating the PTK by the key management unit 511 can be expressed as (Equation 1) below using the function f.

PTK = f (PMK, ANonce, SNonce, MAC (50), MAC (21))
(Formula 1)

  Here, the function f is a function for calculating PTK based on each variable in parentheses. ANonce and SNonce are random values for generating a PTK that are temporarily generated by the base station 50 and the terminal 21, respectively. MAC (50) represents the MAC address of the base station 50, and MAC (21) represents the MAC address of the terminal 21. As the function f, for example, a function defined in IEEE802.11i can be used. The key management unit 511 is realized by information processing by the CPU 101 or the like.

  The key providing unit 512 is a processing unit that acquires the PMK held by the key management unit 511 and controls the acquired PMK to be provided to the terminal 21. The PMK is provided to the terminal 21 by a communication method in which the PMK is not acquired by a communication device different from the terminal 21. As this communication method, for example, a method of transmitting PMK by WPS (Wi-Fi Protected Setup) can be used. This case will be described below, but the present invention is not limited to this case. For example, instead of using WPS, the base station 50 displays information (alphanumeric character string) indicating PMK on a display screen (not shown), and the administrator of the base station 50 provides verbal or written information to the user of the terminal 21. And the user may input to the terminal 21. The key providing unit 512 is realized by the CPU 101 and the wireless IF 106.

  The verification unit 513 is a processing unit that verifies that the terminal 21 holds the PMK provided by the key providing unit 512 to the terminal 21. For this verification, a so-called 4-way handshake method can be adopted. Details of the 4-way handshake are defined in IEEE802.11i. Below, only the characteristic part relevant to this Embodiment is demonstrated.

  The verification unit 513 generates an ANonce that is a random value, and transmits the generated ANonce to the terminal 21. The terminal 21 that has received the ANonce generates a SNonce that is a random value, and generates a PTK by (Equation 1) using the generated SNonce and the PMK acquired from the key providing unit 512. Then, the terminal 21 calculates an MIC (Message Integrity Code) for falsification detection using the generated PTK and the like, and transmits the calculated MIC, SNonce, and the like to the verification unit 513. The verification unit 513 generates a PTK by (Equation 1) from the PMK held by the key management unit 511, the generated ANonce, the SNonce received from the terminal 21, and the like, and calculates the MIC using the generated PTK and the like To do. Then, the verification unit 513 determines whether or not the MIC received from the terminal 21 matches the MIC calculated by the verification unit 513. If the verification unit 513 determines that they match, the verification that the terminal 21 holds the PMK is successful. It is determined that In addition, the verification unit 513 acquires the result of the verification process performed by the terminal 21 that the base station 50 holds the PMK. The verification unit 513 is realized by the information processing by the CPU 101 or the like and the wireless IF 106.

  The data communication unit 514 is a processing unit that performs data communication encrypted with the terminal 21 with the terminal 21 on the condition that the verification by the verification unit 513 is determined to be successful. Specifically, the data communication unit 514 acquires the result of the verification by the verification unit 513 and the result of the verification process by the terminal 21, and performs data communication on the condition that the verification is successful in both of them. In data communication, the data communication unit 514 acquires a communication frame generated by information processing by the CPU 101. Further, the data communication unit 514 acquires the PTK, acquires a TK (Temporal Key) that is a predetermined part of the PTK, generates a different encryption key for each communication frame based on the acquired TK, and generates The communication frame is encrypted with the encryption key and transmitted to the terminal 21. The data communication unit 514 receives a communication frame encrypted and transmitted by the terminal 21, decrypts the received communication frame with an encryption key generated based on the PTK, and provides the information to the information processing by the CPU 101. Note that the data communication unit 514 is realized by information processing by the CPU 101 or the like and the wireless IF 106.

  Processing performed by the base station 50 configured as described above will be described below.

  FIG. 4 is a flowchart showing processing relating to introduction of key information of the base station 50 according to the related technology. FIG. 5 is a sequence diagram showing processing relating to introduction of key information in a communication system according to related technology. Processing performed by the base station 50 will be described with reference to these.

  First, the base station 50 shares the same PMK with the terminal 21 through the processing from steps S501 to S502.

  In step S501, the key providing unit 512 acquires the PMK held by the key management unit 511.

  In step S502, the key providing unit 512 provides the PMK acquired in step S501 to the terminal 21 by WPS.

  Thereafter, it is verified that the base station 50 and the terminal 21 have the same PMK and PTK by the processing from step S503 to S510 (4-way handshake). For communication between the base station 50 and the terminal 21, an EAPOL-Key frame of EAPOL (Extensible Authentication Protocol over LAN) is used.

  In step S503, the verification unit 513 generates an ANonce that is a random value, and transmits the generated ANonce to the terminal 21 as a message M1.

  After step S503, when the terminal 21 receives the ANonce, the terminal 21 generates a SNonce that is a random number value, generates the PMK acquired in step S502, the ANonce received in step S503, the generated SNonce, the MAC address of the base station 50, the terminal The PTK is calculated from the MAC address of 21 by (Equation 1). Furthermore, the terminal 21 calculates the MIC based on the PTK, and transmits the SNonce and the MIC as a message M2 to the base station 50 (step S503A in FIG. 5).

  In step S504, the verification unit 513 receives the SNonce and MIC transmitted from the terminal 21 in step S503A.

  In step S505, the verification unit 513 generates a PTK by (Equation 1) using the PMK acquired in step S501, the ANonce generated in step S503, the SNonce received in step S504, and the like. Note that the PTK generated here is the same as the PTK generated by the terminal 21 if there is no impersonation of the terminal 21, and this identity is verified in a later process. In order to distinguish the PTK generated by the terminal 21 from step S503A, the PTK generated by the verification unit 513 in step S505 is described as “PTK_A”.

  In step S506, the verification unit 513 performs verification processing of the MIC received in step S504 using the PTK_A generated in step S505. Specifically, the verification unit 513 calculates the MIC (described as MIC_A for the same reason as described above) based on the PTK_A calculated in step S505, and the calculated MIC_A is the same as the MIC received in step S504. It is determined whether or not there is. When it is determined that the MIC_A and the MIC are the same, it can be confirmed that the terminal that calculated the MIC is the terminal 21 and that the PTK used by the terminal 21 to calculate the MIC is the same as the PTK_A. .

  In the verification process, the fact that the terminal that calculated the MIC is indeed the terminal 21 and that the PTK used by the terminal 21 is the same as PTK_A is expressed as “verification succeeded”. Then, the fact that the verification was not successful is expressed as “verification failed”.

  In step S507, the verification unit 513 determines whether the verification is successful in the verification process in step S506. If the verification is successful (Yes in step S507), the process proceeds to step S508. On the other hand, if the verification fails (No in step S507), the process proceeds to step S521.

  In step S <b> 508, the verification unit 513 acquires the result of the MIC verification process for authenticating the base station 50 by the terminal 21. The verification unit 513 generates a PTK using PMK, ANonce, SNonce, and the like, calculates an MIC based on the generated PTK, and transmits the calculated MIC to the terminal 21 as a message M3. The terminal 21 performs a verification process similar to the verification process performed by the verification unit 513 in step S506 on the transmitted MIC (step S506A in FIG. 5). The terminal 21 transmits a result of the verification process, that is, information indicating that the verification has been successful or has failed to the verification unit 513 as a message M4. In this way, the verification unit 513 acquires the result of the verification process transmitted by the terminal 21 in step S508.

  In step S509, the verification unit 513 determines whether the verification result obtained by the terminal 21 acquired in step S508 is successful. If it is determined that the verification result is successful (Yes in step S509), the process proceeds to step S510. On the other hand, if it is determined that the verification result is not successful (that is, failure) (No in step S509), the process proceeds to step S521.

  In step S510, the verification unit 513 introduces the encryption key generated based on the PTK (PTK_A) generated in step S505 to the data communication unit 514, that is, the data communication unit 514 uses the encryption key for data communication. Control to do. At this time, the terminal 21 introduces the PTK generated in the MIC verification process (step S506A in FIG. 6) by the terminal 21 into the data communication unit of the terminal 21 (step S510A in FIG. 6). Thereafter, the data communication unit 514 of the base station 50 and the data communication unit of the terminal 21 perform communication using an encryption key generated based on the PTK (step S511 in FIG. 6).

  In step S521, the verification unit 513 interrupts the 4-way handshake. In this case, the base station 50 and the terminal 21 are prohibited from performing encrypted communication.

  Through the series of processes described above, only the terminal 21 that has acquired the PMK provided by the base station 50 in step S502 can connect to the base station 50 and perform encrypted communication. However, when a PMK leaks and a terminal different from the terminal 21 acquires the PMK, the terminal can perform the processing of steps S503A and S506A as the terminal 21. As a result, the base station 50 Encryption communication is possible. That is, in the process related to the introduction of key information in the related technology, the terminal 21 can be impersonated by the above method.

  FIG. 6 is a block diagram showing a functional configuration of base station 10 according to the present embodiment.

  As illustrated in FIG. 6, the base station 10 includes a key management unit 111, a terminal information acquisition unit 112, a key generation unit 113, a key provision unit 114, a verification unit 115, and a data communication unit 116. . Of the above-described components, those having the same names as the components of the base station 50 have similar functions. In the following, each of the above components will be described mainly with respect to differences from the components of the same name in the base station 50.

  Similar to the key management unit 511, the key management unit 111 is a management unit that holds key information used for encryption of communication between the base station 10 and the terminal 21. The key management unit 111 has a PMK. This PMK is equivalent to the PMK held by the key management unit 511 of the base station 50, but is not supposed to be provided to the terminal 21.

  The key management unit 111 also has PMK1, which is key information that is a source of an encryption key used for encryption of communication between the base station 10 and the terminal 21, which is generated by the key generation unit 113 described later based on the PMK. Furthermore, PTK1 calculated by calculation using the following (Equation 2) based on PMK1 is held.

PTK1 = f (PMK1, ANonce, SNonce, MAC (10), MAC (21))
(Formula 2)

  The function f in (Expression 2) is the same as the function f in (Expression 1). PMK corresponds to first key information, and PMK1 corresponds to second key information.

  The terminal information acquisition unit 112 is a processing unit that acquires identification information unique to the terminal 21. The identification information is information that can uniquely identify the individual of the terminal 21 from among the plurality of terminals of the same type as the terminal 21, for example, the hardware address (MAC (Media Access Control) of the terminal 21. ) Address) (hereinafter referred to as “MAC (21)”). The identification information may be acquired from a header of a communication frame received from the terminal 21 or may be acquired by inputting information managed as a hardware address of the terminal 21 by an administrator. Good.

  The key generation unit 113 encrypts communication between the base station 10 and the terminal 21 by a calculation using the PMK held by the key management unit 111 and the identification information of the terminal 21 acquired by the terminal information acquisition unit 112. It is a processing unit that generates PMK1, which is the information that is the source of the encryption key used for. PMK1 has a role as a PMK associated with each terminal. The key generation unit 113 acquires the PMK from the key management unit 111 and acquires the identification information of the terminal 21 from the terminal information acquisition unit 112. Then, PMK1 is calculated by a predetermined algorithm, more specifically, an operation (corresponding to the first operation) shown in the following (Equation 3).

  PMK1 = h (PMK, MAC (21)) (Formula 3)

  Here, as the function h, any function can be used as long as the value of the function can be used as PMK. As the function h, it is also possible to use a one-way function that is extremely difficult or substantially impossible to obtain an argument from the calculation result, that is, the function value, more specifically, a hash function. In this case, for example, instead of (Expression 3), PMK1 is calculated using (Expression 4), which is a more specific expression of (Expression 3).

  PMK1 = hash (PMK + MAC (21)) (Formula 4)

  Here, the function hash is a hash function. If the hash function is used, there is an advantage that the risk of PMK leaking to the outside can be reduced because it is substantially impossible to derive PMK from PMK1. Hereinafter, an example in which the function h is a hash function will be described.

  The key providing unit 114 is a processing unit that acquires PMK1 managed by the key management unit 111 and controls the PMK1 to be provided to the terminal 21. The method of providing PMK1 to the terminal 21 is the same as the method of providing PMK to the terminal 21 by the key providing unit 512 in the related art, and for example, WPS is used. Thus, since the key providing unit 114 provides not the PMK but the PMK1 to the terminal 21, the risk of the PMK leaking to the outside by the base station 10 is reduced.

  The verification unit 115 is a processing unit that performs verification that the terminal 21 has PMK1. The verification method by the verification unit 115 is similar to the method in which the verification unit 513 detects that the terminal 21 holds the PMK in the related technology, but is obtained from a communication frame including the MIC in the MIC verification process. The difference is that the identification information of the terminal 21 is used.

  Specifically, the verification unit 115 generates an ANonce that is a random value, and transmits the generated ANonce to the terminal 21. The terminal 21 that has received the ANonce generates a SNonce that is a random value, and generates the PTK1 by (Formula 2) using the generated SNonce and the PMK1 acquired from the key providing unit 114. Then, the MIC is calculated from the generated PTK1 and the ANonce received from the verification unit 115, and the calculated MIC, SNonce, and the like are transmitted to the verification unit 115. Note that ANonce corresponds to the first information, and MIC corresponds to the second information.

  The verification unit 115 acquires the MIC and SNonce transmitted by the terminal 21 and the MAC address of the terminal 21. The MAC address acquired here is described as MAC (21) _A in order to distinguish it from the one acquired by the terminal information acquisition unit 112. Note that the verification unit 115 may acquire the MAC address of the terminal 21 from the transmission source address field included in the header of the communication frame including the MIC and SNonce transmitted by the terminal 21. In this way, there is an advantage that the spoofing of the terminal can be more specifically and reliably suppressed by using the address field of the communication frame used for verifying that the terminal 21 has PMK1.

  The verification unit 115 generates PTK1 by (Equation 2) using PMK1 held by the key management unit 111 and the MAC (21) _A acquired by the verification unit 115, the generated PTK1, and the generated ANonce To calculate MIC (MIC_A). Then, the verification unit 115 determines whether or not the MIC and MIC_A match. If the verification unit 115 determines that they match, the verification unit 115 determines that the verification that the terminal 21 holds the PMK1 is successful. Note that MIC_A corresponds to third information.

  The data communication unit 116 is a processing unit that performs data communication encrypted with the PTK 1 with the terminal 21 on the condition that the verification by the verification unit 115 is determined to be successful. Specifically, the data communication unit 116 acquires the result of the verification by the verification unit 115 and the result of the verification process by the terminal 21, and performs data communication on the condition that the verification is successful in both of them.

  Processing performed by the base station 10 configured as described above will be described below.

  FIG. 7 is a flowchart showing processing relating to introduction of key information of base station 10 according to the present embodiment. FIG. 8 is a sequence diagram showing a case where the MIC verification process is successful, which is a process related to the introduction of key information in the communication system according to the present embodiment.

  First, the base station 10 shares with the terminal 21 PMK1, which is information on the basis of the encryption key used for communication with the terminal 21, through the processing from step S101 to S104.

  In step S101, the key providing unit 114 acquires the PMK held by the key management unit 111.

  In step S <b> 102, the terminal information acquisition unit 112 acquires MAC (21) that is identification information of the terminal 21.

  In step S103, the key generation unit 113 generates PMK1 from (Equation 3) from PMK and MAC (21).

  In step S104, the key providing unit 114 provides PMK1 generated by the key generation unit 113 in step S103 to the terminal 21 by WPS.

  Thereafter, it is verified that the base station 10 and the terminal 21 have the same PMK1 and PTK1 by the processing from step S105 to S112 (four-way handshake).

  In step S <b> 105, the verification unit 115 generates an ANonce that is a random value, and transmits the generated ANonce to the terminal 21 as a message M <b> 1.

  After step S105, when the terminal 21 receives the ANonce, the terminal 21 generates a SNonce that is a random value, and based on PMK1, ANonce, SNonce, the MAC address of the base station 10, and the MAC address of its own device (terminal 21) ) To calculate PTK1. Further, the terminal 21 calculates an MIC for preventing falsification based on the PTK1, and transmits the SNonce and the MIC as a message M2 to the base station 10 (step S105A in FIG. 8).

  In step S106, the verification unit 115 receives the SNonce, the MIC, and the MAC (21) _A transmitted from the terminal 21 in step S105A. The verification unit 115 can receive the MAC (21) _A by acquiring the MAC (21) _A from the header of the communication frame transmitted by the terminal 21. Here, MAC (21) _A is the MAC address of the terminal 21, but as described above, it is described as MAC (21) _A in order to distinguish it from what the terminal information acquisition unit 112 acquires.

  In step S107, the verification unit 115 generates PTK1 based on the ANonce generated in step S105, the SNonce received in step S106, the MAC (21) _A, and the like. The PTK1 generated here is the same as the PTK1 generated by the terminal 21 if there is no impersonation of the terminal 21, and this identity is verified in a later process. Therefore, PTK1 generated in step S107 is referred to as “PTK1_A”.

  In step S108, the verification unit 115 performs verification processing of the MIC received in step S106 using the PTK1_A generated in step S107. Specifically, in the verification process, the verification unit 115 calculates PMK1_A using (Expression 3), calculates PTK1_A using (Expression 2), and performs an MIC operation based on the calculated PTK1_A. It can be confirmed that the terminal 21 and the PTK1 used by the terminal 21 are the same as PTK1_A.

  In step S109, the verification unit 115 determines whether the verification is successful in the verification process in step S108. If the verification is successful (Yes in step S109), the process proceeds to step S110. On the other hand, if the verification fails (No in step S109), the process proceeds to step S121.

  In step S <b> 110, the verification unit 115 acquires the result of the MIC verification process for authenticating the base station 10 by the terminal 21. The verification unit 115 calculates PTK1 using ANonce and SNonce, calculates MIC based on the calculated PTK1, and transmits the calculated MIC as message M3 to the terminal 21 (step S108A in FIG. 8). The terminal 21 executes a verification process similar to the verification process performed by the verification unit 115 in step S107 on the transmitted MIC, and the result (verification succeeded or verification failed) is verified. 115 is transmitted as a message M4. In this manner, the verification unit 115 acquires the result of the verification process transmitted by the terminal 21 in step S110.

  In step S111, the verification unit 115 determines whether the result of verification by the terminal 21 acquired in step S110 is successful. If it is determined that the result of the verification is successful (Yes in step S111), the process proceeds to step S112. On the other hand, when it is determined that the verification result is not successful (that is, failure) (No in step S111), the process proceeds to step S121.

  In step S112, the verification unit 115 introduces the PTK1 (PTK1_A) generated in step S107 into the data communication unit 116, that is, controls the data communication unit 116 to use PTK1 as an encryption key used for data communication. At this time, the terminal 21 introduces the PTK1 generated in the MIC verification process (step S108A in FIG. 8) by the terminal 21 into the data communication unit of the terminal 21 (step S112A in FIG. 8). Thereafter, the data communication unit 116 of the base station 10 and the data communication unit of the terminal 21 perform communication using PTK1 as an encryption key (step S113 in FIG. 8).

  In step S121, the verification unit 115 interrupts the 4-way handshake. In this case, the base station 10 and the terminal 21 cannot perform encrypted communication.

  In the above series of processing, the terminal 21 that has acquired PMK1 transmitted by the base station 10 in step S104 can connect to the base station 10 and perform encrypted communication. On the other hand, even if a terminal different from the terminal 21 acquires PMK1 transmitted by the base station 10 in step S104 by any method, the terminal cannot impersonate the terminal 21 and perform cryptographic communication with the base station 10. . This will be described below.

  FIG. 9 is a sequence diagram showing a process related to the introduction of key information in the communication system according to the embodiment and showing a case where MIC verification fails. FIG. 9 is a diagram illustrating that the terminal 22 acquires PMK1 to be provided to the terminal 21 and attempts to impersonate the terminal 21 to connect to the base station 10 and fails.

  In step S104B, the terminal 22 acquires PMK1 generated by the base station 10 in step S102 by some method.

  In step S105B, when the terminal 22 receives the ANonce transmitted by the base station 10 in step S105, the terminal 22 generates a SNonce that is a random value, and from PMK1, ANonce, SNonce, the MAC address of the base station 10, and the MAC address of the terminal 22 PTK (hereinafter referred to as “PTK2”) is calculated based on a predetermined calculation formula. Further, the terminal 22 calculates an MIC for preventing falsification based on the PTK2, and transmits the SNonce and the MIC to the base station 10 as a message M2A.

  In step S108, the verification unit 115 performs verification processing of the MIC transmitted by the terminal 22 in step S105B using the PTK2_A generated in step S107. Specifically, in the verification process, the verification unit 115 calculates PMK2_A using (Expression 3), calculates PTK2_A using (Expression 2), and generates the terminal 22 based on the calculated PTK2_A The verification fails by confirming that PTK2 does not match PTK2_A. Thereafter, the 4-way handshake is interrupted (step S121).

  Thus, even if the terminal 22 which is a terminal different from the terminal 21 acquires the PMK1 generated based on the identification information of the terminal 21, the verification fails in the 4-way handshake between the terminal 22 and the base station 10. The terminal 22 cannot perform encrypted communication with the base station 10. That is, the terminal 22 is prohibited from impersonating the terminal 21 and connecting to the base station 10.

  FIG. 10 is an explanatory diagram showing key information that each device holds or uses in the wireless communication system 1 according to the present embodiment.

  As shown in FIG. 10, the base station 10 has PMK, PMK1 and PMK2, and PTK1 and PTK2. The PMK is information that is a source of a communication encryption key, and is information that is assumed not to leak outside the base station 10. PMK1 and PMK2 are information serving as encryption key sources for communication between the base station 10 and the terminal 21 and between the base station 10 and the terminal 22, respectively. PTK1 and PTK2 are generated by a 4-way handshake based on PMK1 and PMK2, respectively.

  The terminal 21 has PMK1 and PTK1. These are the same as those owned by the base station 10. PMK1 is provided from the base station 10 by WPS, for example, and PTK1 is generated by a 4-way handshake.

  The terminal 22 has PMK2 and PTK2. These are the same as those owned by the base station 10. PMK2 is provided from the base station 10 by WPS, for example, and PTK2 is generated by a 4-way handshake.

  In the communication link 31 established between the base station 10 and the terminal 21, encryption communication based on PTK1 is performed. In the communication link 32 established between the base station 10 and the terminal 22, encryption communication based on PTK2 is performed.

  In this way, it is suppressed that a terminal different from the terminal 21 impersonates the terminal 21 and performs cryptographic communication with the base station 10. At this time, even if PMK1 leaks to the outside, the terminal that acquired PMK1 cannot perform encrypted communication with base station 10. This is because both the PMK1 and the MAC address of the terminal 21 are necessary to perform encrypted communication with the base station 10.

  Also, even if PMK1 and the generation algorithm of PMK1 (function h in the above description) leak, if the generation algorithm includes an operation based on a one-way function, a terminal different from terminal 21 is assumed to be terminal 21 and the base station It is not possible to carry out encrypted communication with 10. Even if PMK1 and the PMK1 generation algorithm are used, it is practically impossible to generate an encryption key to be used by a terminal different from the terminal 21 because it is impossible to calculate the PMK. Because.

  In this way, the base station 10 can suppress the terminal impersonation while suppressing the introduction cost.

  As described above, the base station according to the present embodiment can verify the validity of the wireless terminal using the second key information generated based on the identification information of the wireless terminal. Specifically, the radio base station apparatus generates second key information in consideration of the identification information of the radio terminal, and the radio terminal to be connected to the radio base station apparatus has valid key information Is performed in consideration of the identification information of the wireless terminal. As a result, the second key information generated in consideration of the identification information of one radio terminal cannot be used by another radio terminal to connect to the radio base station apparatus. In addition, the terminal to be connected to the radio base station apparatus according to the present invention only needs the function of the conventional terminal, and does not require a special function for connecting to the radio base station apparatus according to the present invention. Therefore, the radio base station apparatus of the present invention can suppress the terminal impersonation while suppressing the introduction cost.

  In addition, the radio base station device cannot substantially obtain the first key information used for generating the second key information from the second key information. Thus, leakage of the first key information to the outside of the radio base station apparatus is suppressed. Thereby, the impersonation of a terminal can be suppressed further.

  Further, the radio base station apparatus can specifically verify that the terminal has the second key information. Therefore, the radio base station apparatus can more specifically realize suppression of terminal impersonation.

  Further, the radio base station apparatus can more specifically and reliably suppress the terminal spoofing by using the address field of the communication frame used for verifying that the terminal holds the second key information. .

  Further, the radio base station apparatus can more specifically suppress the terminal impersonation using the hardware address of the terminal.

  As described above, the radio base station apparatus of the present invention has been described based on the embodiment. However, the present invention is not limited to this embodiment. Unless it deviates from the meaning of this invention, the form which carried out the various deformation | transformation which those skilled in the art can think to this embodiment, and the structure constructed | assembled combining the component in different embodiment is also contained in the scope of the present invention. .

  The present invention can be applied to a base station apparatus or the like that suppresses terminal impersonation while suppressing introduction cost.

1 Wireless communication system 10, 50 Base station 21, 22 Terminal 31, 32 Communication link 40 LAN
101 CPU
102 ROM
103 Main memory 104 Storage 105 Wired IF
106 Wireless IF
111, 511 Key management unit 112 Terminal information acquisition unit 113 Key generation unit 114, 512 Key provision unit 115, 513 Verification unit 116, 514 Data communication unit M1, M2, M2A, M3, M4 Message

Claims (7)

A wireless base station device for performing encrypted data communication with a wireless terminal,
A key management unit holding the first key information;
A terminal information acquisition unit that acquires first identification information that is identification information unique to a wireless terminal;
A key generation unit that generates second key information by a first calculation using the first identification information acquired by the terminal information acquisition unit and the first key information;
A key providing unit for controlling the second key information generated by the key generating unit to be provided to the wireless terminal;
Identification information unique to a communication terminal that is a wireless terminal that intends to perform data communication with the wireless base station is acquired as second identification information from the communication terminal, and the second identification information and the first key information are obtained. A verification unit that verifies that the communication terminal has the second key information using the first calculation used;
A radio base station apparatus comprising: a data communication unit that performs data communication encrypted based on the second key information with the communication terminal on the condition that the verification by the verification unit is determined to be successful . The radio base station apparatus according to claim 1, wherein the first calculation includes a calculation based on a one-way function. The verification unit (a) transmits first information to the communication terminal, and (b) a second calculation based on the first information and the second key information provided to the communication terminal by the key generation unit. The second information calculated by the communication terminal using the communication terminal is acquired from the communication terminal together with the second identification information, and (c) the first information based on the first key information and the acquired second identification information. The radio base station apparatus according to claim 1 or 2, wherein the verification is determined to be successful when the third information calculated by the two operations matches the second information. The said verification part acquires the communication frame containing said 2nd information which the said communication terminal transmitted, and acquires said 2nd identification information from the transmission source address field contained in the acquired communication frame. Wireless base station device. The radio base station apparatus according to claim 1, wherein each of the first identification information and the second identification information of the communication terminal includes a hardware address of the communication terminal. The radio base station apparatus according to any one of claims 1 to 5,
A wireless communication system comprising: the wireless terminal that performs wireless communication with the wireless base station device. A control method of a radio base station apparatus for performing encrypted data communication with a radio terminal,
A key management step for holding the first key information;
A terminal information acquisition step of acquiring first identification information that is identification information unique to the wireless terminal;
Second key information is generated by a first calculation using the first identification information acquired in the terminal information acquisition step and the first key information, and the generated second key information is provided to the wireless terminal. A key generation step for controlling
Identification information unique to a communication terminal that is a wireless terminal that intends to perform data communication with the wireless base station is acquired as second identification information from the communication terminal, and the second identification information and the first key information are obtained. A verification step for verifying that the communication terminal has the second key information using the first calculation used;
And a data communication step of performing data communication encrypted based on the second key information with the communication terminal on the condition that the verification step determines that the verification is successful.

Images