JP2020123786A - Communication control unit - Google Patents

Abstract

To provide a communication control unit enabling safety of a social infrastructure system to be improved without involving change of the social infrastructure system.SOLUTION: The communication control unit includes a communication control unit device and a shield cover. The communication control unit device uses a second wireless communication unit to communicates with a client device including a first wireless communication unit, and uploads information acquired from the client device to a server device, via a network. The shield cover is made of a material blocking radio waves and covers at least the first wireless communication unit and the second wireless communication unit to shield, from the outside, a communication space in which the first wireless communication unit and the second wireless communication unit communicate with each other.SELECTED DRAWING: Figure 3

Description

Embodiments of the present invention relate to a communication control unit.

In a social infrastructure system such as a surveillance camera, it is necessary to protect the data and the control of equipment handled from attacks such as malware. However, it is difficult to frequently replace the devices that make up the social infrastructure system. Therefore, there is a problem that safety measures are insufficient.

JP, 2009-117887, A

The problem to be solved by the present invention is to provide a communication control unit capable of improving the safety of a social infrastructure system without changing the social infrastructure system.

The communication control unit of the embodiment has a communication control unit device and a shield cover. The communication control unit device communicates with the client device including the first wireless communication unit using the second wireless communication unit, and uploads the information acquired from the client device to the server device via the network. The shield cover is made of a material that blocks radio waves, and covers at least the first wireless communication unit and the second wireless communication unit so that the first wireless communication unit and the second wireless communication unit communicate with each other. Shield the communication space from the outside.

The figure which shows the structural example of the communication control system 1 of embodiment. FIG. 3 is a block diagram showing a functional configuration example of a client device 10 and a server device 20 according to the embodiment. FIG. 3 is a block diagram showing a functional configuration example of a client-side communication control device 30 of the embodiment. FIG. 3 is a block diagram showing a functional configuration example of a server-side communication control device 31 of the embodiment. The figure which shows an example of the hardware constitutions of the IC card 40 of embodiment. FIG. 3 is a block diagram showing a functional configuration example of the IC card 40 of the embodiment. 3 is a block diagram showing an example of a functional configuration of a communication control management device 50 of the embodiment. FIG. The sequence chart which shows an example of the processing which communication control system 1 of an embodiment performs. The figure which shows an example of 30 A of client side communication control apparatuses, and 70 A of shield covers. The figure which shows an example of the client side communication control apparatus 30B and the shield cover 70B. The figure which shows an example of 30 A of client side communication control apparatuses, and 70 C of shield covers. The figure which shows an example of 30 A of client side communication control apparatuses, and the shield cover 70D. The figure which shows the structural example of the client side communication control apparatus 30Y of 2nd Embodiment.

Hereinafter, the communication control unit of the embodiment will be described with reference to the drawings.

(First embodiment)
FIG. 1 is a diagram showing a configuration example of a communication control system 1 of the embodiment. The communication control system 1 includes at least one or more client devices 10, a server device 20, at least one or more client-side communication control devices 30, a server-side communication control device 31, a communication control management device 50, and a gateway 60. , A shield cover 70. The client device 10 is, for example, a surveillance camera that is already installed, or a sensor device such as other IoT device. Therefore, the client device 10 may not have a sufficient function necessary to execute the encryption process and the decryption process.

The client device 10 and the client-side communication control device 30 communicate wirelessly. The wireless communication includes, for example, communication using a Wi-Fi network, Bluetooth (registered trademark), or the like.

The client-side communication control device 30 wirelessly communicates with the gateway 60. The gateway 60 communicates with the server-side communication control device 31 by wireless communication or wired communication via the network NW. The server-side communication control device 31 is connected to the network NW by wired communication and communicates with the client-side communication control device 30 via the network NW. The server-side communication control device 31 and the server device 20 communicate by wire.

That is, the client device 10 connects to the network NW via the client-side communication control device 30. The server device 20 connects to the network NW via the server-side communication control device 31. The details of the configurations of the client device 10 and the server device 20 will be described later.

The client-side communication control device 30 is connected between the client device 10 and the gateway 60, and mediates communication between the client device 10 and the server device 20. That is, the client-side communication control device 30 functions as a wireless access point of the client device 10. The client-side communication control device 30 receives the data acquired by the client device 10 from the client device 10, and transmits the received data to the server device 20. Here, when transmitting data to the server device 20, the client-side communication control device 30 encrypts the data acquired from the client device 10 and transmits the encrypted data to the server device 20.

In addition, the client-side communication control device 30 receives data transmitted from the server device 20 to the client device 10 from the server-side communication control device 31, and transmits the received data to the client device 10. Here, the data received by the client-side communication control device 30 is, for example, data encrypted by the server-side communication control device 31. When transmitting data to the client device 10, the client-side communication control device 30 decrypts the data received from the server device 20 via the server-side communication control device 31, and transmits the decrypted data to the client device 10.

The shield cover 70 shields the communication space in which the client device 10 and the client-side communication control device 30 communicate with each other from the outside. The shield cover 70 is made of a material that blocks radio waves. Since the client device 10 is covered with the shield cover 70, the client device 10 cannot wirelessly communicate with another access point 10X. Details of the shield cover 70 will be described later.

The server-side communication control device 31 is connected between the server device 20 and the network NW, and mediates communication between the client device 10 and the server device 20. The server-side communication control device 31 receives the data transmitted from the server device 20 to the client device 10 from the server device 20, and transmits the received data to the client device 10. Here, when transmitting data to the client device 10, the server-side communication control device 31 encrypts the data acquired from the server device 20 and transmits the encrypted data to the client device 10.

Further, the server-side communication control device 31 receives data transmitted from the client device 10 to the server device 20 from the client-side communication control device 30, and transmits the received data to the server device 20. Here, the data received by the server-side communication control device 31 is, for example, data encrypted by the client-side communication control device 30. When transmitting data to the server device 20, the server-side communication control device 31 decrypts the data received from the client device 10 via the client-side communication control device 30, and transmits the decrypted data to the server device 20.

In the present embodiment, data encryption performed by the client-side communication control device 30 and the server-side communication control device 31 is performed by, for example, SSL (Secure Socket Layer)/TLS (Transport Layer Security) protocol. .. The client-side communication control device 30 and the server-side communication control device 31 combine, for example, the SSL/TLS protocol with HTTP to encrypt the data included in HTTP to make HTTPS (HTTP Secure) with improved security. replace.

Note that the data encryption performed by the client-side communication control device 30 and the server-side communication control device 31 is not limited to HTTP being HTTPS. The client-side communication control device 30 and the server-side communication control device 31 may be replaced with a secure communication protocol with improved safety by combining the SSL/TLS protocol with various communication protocols. For example, the client-side communication control device 30 and the server-side communication control device 31 may replace FTP (File Transfer Protocol) with FTPS (FTP Secure).

In this embodiment, the data encrypted by the client-side communication control device 30 or the server-side communication control device 31 is output to the network NW. In other words, in this embodiment, the data flowing through the network NW is encrypted data. Therefore, it is possible to avoid the danger that the data transmitted/received on the network NW is maliciously accessed from the outside and the data is intercepted, and the safety is improved. It should be noted that the data eavesdropping here means an "act of stealing data or an action of extracting data".

The communication control management device 50 issues a client certificate and a private key to the client side communication control device 30. For example, the communication control management device 50 issues an IC card that stores a client certificate and a private key. Further, the communication control management device 50 transmits the client certificate stored in the IC card and the private key to the client side communication control device 30 to which the IC card is attached via the network NW.

Further, the communication control management device 50 issues a server certificate and a secret key to the server side communication control device 31. For example, the communication control management device 50 issues an IC card that stores a server certificate and a private key. Further, the communication control management device 50 transmits, via the network NW, the server certificate stored in the IC card and the private key to the server side communication control device 31 in which the IC card is mounted. Each of the client certificate, the server certificate, and the private key is necessary for determining the common key (session key) used when the client-side communication control device 30 and the server-side communication control device 31 perform encrypted communication. Information.

Further, the communication control management device 50 registers a pair of the legitimate client device 10 and the client side communication control device 30. For example, the communication control management device 50 acquires the address information of the client device 10 and the address information of the client-side communication control device 30, creates a whitelist that associates the two pieces of address information, and stores the whitelist in its own storage unit. Store. The address information includes, for example, an IP address and a MAC address. The communication control management device 50 instructs the client-side communication control device 30 to connect to the client device 10 having the address information registered in the whitelist based on the created whitelist.

The communication control management device 50 may acquire the address information by the administrator's input using the operation unit of its own device, or may acquire the address information from the client side communication control device 30. In the latter case, the client-side communication control device 30 sends the address information of the client device 10 acquired when the short-range wireless communication is established with the client device 10 and its own address information to the network NW at the time of initial setting. You may transmit to the communication control management apparatus 50 via.

Here, an example of an environment in which the communication control system 1 is installed will be described. The client device 10 and the server device 20 are components that form a social infrastructure system. The social infrastructure is, for example, a facility necessary for preparing a social infrastructure such as a road transportation network, a power generation facility, a delivery power facility, a water treatment facility, or a gas distribution facility. The social infrastructure system is, for example, a mechanism for stably operating the social infrastructure by monitoring the social infrastructure, grasping changes in the situation, and responding to the changes. In the following, a case where the client device 10 and the server device 20 are components of a monitoring system that monitors roads and public facilities will be described as an example. In this case, the client device 10 is a device (network monitoring camera) that transmits the imaged data in which the road condition and the like are imaged through the network NW. The server device 20 is a device that receives the imaging data transmitted by the client device 10 via the network NW.

The client device 10 and the server device 20 are not limited to the components of the monitoring system. For example, the client device 10 and the server device may be components of a system that monitors the power status of power generation equipment or delivery power equipment, a system that acquires the delivery status at a distribution center, or equipment at a factory or research institute. It may be a component such as a system for acquiring the operating status of.

Next, the configurations of the client device 10 and the server device 20 will be described. FIG. 2 is a block diagram showing a functional configuration example of the client device 10 and the server device 20 of the embodiment.

The client device 10 includes a communication unit 11, a client control unit 12, and an imaging unit 13. The communication unit 11 establishes wireless communication with the client-side communication control unit 30, for example. The communication unit 11 wirelessly communicates with, for example, the client-side communication control device 10 in a communication band usable by the client device 10. The usable communication band of the client device 10 may be set by the own device or may be set according to an instruction from an external device. Further, the usable communication band of the client device 10 may be changed according to an instruction from an external device.

The client control unit 12 is, for example, a processor including a CPU (Central Processing Unit) and the like, and controls the client device 10 as a whole. For example, when the client control unit 12 receives a command from the server device 20 via the communication unit 11, the client control unit 12 causes the image capturing unit 13 to start or stop image capturing according to the control from the server device 20, or images the image capturing unit 13. Imaging conditions such as the direction of the camera and the magnification at the time of imaging are set.

The image capturing unit 13 captures an image of a landscape at a predetermined location according to an instruction from the client control unit 12. The imaging unit 13 outputs the captured data (imaging data) to the client control unit 12.

The server device 20 includes a communication unit 21, a server control unit 22, an imaged data storage unit 23, and an output unit 24. The communication unit 21 is, for example, an Ethernet (registered trademark) port of the server device 20. In the present embodiment, the communication unit 21 is connected to the server-side communication control device 31 via a wired cable and outputs data transmitted from the server device 20 to the client device 10 to the server-side communication control device 31.

The server control unit 22 is, for example, a processor including a CPU, and controls the server device 20 as a whole. The server control unit 22 sends a predetermined command to the client device 10, for example. In addition, the server control unit 22 causes the image data storage unit 23 to store the image data captured by the client device 10, for example. The imaging data storage unit 23 stores the imaging data according to the instruction of the server control unit 22.

Here, an example of a conventional system will be described. In a conventional system, when a client device and a server device are directly connected to each other via a communication unit and a network, communication between the client device and the server device is common in network surveillance cameras. HTTP, which is a communication protocol, is used. In this case, unencrypted information (so-called plaintext) output to the network by the client device or the server device flows through the network. In this case, if the data on the network is maliciously acquired from the outside, there is a risk that the captured image data will be easily intercepted or tampered with.

As a countermeasure against such an unauthorized attack, it is possible that the client device encrypts the imaged data and outputs it to the network NW. However, since a processor such as a CPU included in the surveillance camera is generally used for the purpose of being used for compression or encoding of imaged data, further processing for encryption is performed. It does not have just the resources. In such a case, the CPU that the client device originally has cannot encrypt the imaged data. When the client device is made to encrypt the imaged data, it may be necessary to change or replace the hardware configuration of the client device, for example, by mounting a processor for encrypting the imaged data on the client device. .. However, since the client device is a component that constitutes social infrastructure such as a surveillance camera, it is not easy to change or replace the hardware configuration. In view of such circumstances, it is desirable that the captured image data be encrypted and output to the network without changing the client device.

In the present embodiment, the client-side communication control device 30 connected between the client device 10 and the network NW encrypts the data transmitted by the client device 10 and outputs the encrypted data to the network NW. Further, the server-side communication control device 31 connected between the server device 20 and the network NW encrypts the control data transmitted by the server device 20 and outputs the encrypted control data to the network NW. As a result, the security of the imaging data flowing through the network NW is improved without changing the client device 10 and the server device 20.

Next, the configuration of the client-side communication control device 30 will be described. FIG. 3 is a block diagram showing a functional configuration example of the client-side communication control device 30 of the embodiment.

As shown in FIG. 3, the client-side communication control device 30 includes an NW (network) communication unit 32, a control unit 33, a device communication unit 34, a reader/writer 35, and an IC card 40. Here, the IC card 40 is an example of an “authentication unit”.

The NW communication unit 32 is connected to the network NW by wireless communication and performs wireless communication with the server-side communication control device 31 via the network NW. The NW communication unit 32 is arranged outside the communication space shielded by the shield cover 70.

The device communication unit 34 performs wireless communication with at least one client device 10 placed in a range of radio waves such as a Wi-Fi network. For example, the device communication unit 34 acquires the imaging data from the client device 10 and transmits the decoded control data to the client device 10. The device communication unit 34 is arranged inside the communication space shielded by the shield cover 70.

The control unit 33 is, for example, a processor including a CPU, and controls the client-side communication control device 30 as a whole. The control unit 33 includes, for example, a mediation processing unit 33A, a communication control unit 33B, a determination unit 33C, a log creation unit 33D, and a notification control unit 33E. Some or all of these functional units are realized by a processor such as a CPU executing a program (software) stored in a storage unit. Some or all of the functions of these components include hardware (circuit section: circuitry) such as LSI (Large Scale Integration), ASIC (Application Specific Integrated Circuit), and FPGA (Field-Programmable Gate Array). ), or by the cooperation of software and hardware.

The mediation processing unit 33A mediates communication between the client device 10 and the server device 20. For example, the mediation processing unit 33A transmits a command to the IC card 40 via the reader/writer 35 based on the information received from the client device 10 via the device communication unit 34. The mediation processing unit 33A receives the response from the IC card 40, and transmits information based on the response received from the IC card 40 to the server device 20 via the NW communication unit 32. Further, the mediation processing unit 33A transmits a command to the IC card 40 via the reader/writer 35 based on the information received from the server-side communication control device 31 via the NW communication unit 32. The mediation processing unit 33A receives the response from the IC card 40, and transmits information based on the response received from the IC card 40 to the client device 10 via the device communication unit 34.

The communication control unit 33B uses the device communication unit 34 to periodically transmit the predetermined information to the NW communication unit 32. Alternatively, the communication control unit 33B may use the NW communication unit 32 to periodically transmit the predetermined information to the device communication unit 34. The predetermined information is, for example, information that the client-side communication control device 30 sends to itself. The predetermined information is not limited to this, and may be a command requesting the transmission of a response. When receiving this command, the communication control unit 33B causes the one of the NW communication unit 32 and the device communication unit 34 that receives the command to send a response.

The determination unit 33C determines whether or not some part of the shield cover 70 is in the open state. For example, when the NW communication unit 32 receives the information transmitted by the device communication unit 34, the determination unit 33C determines that the shield cover 70 is partially open. When the determination unit 33C receives the information transmitted using the NW communication unit 32 using the device communication unit 34, the determination unit 33C may determine that a part of the shield cover 70 is in the open state.

The determination unit 33C also determines whether or not a part of the shield cover 70 has been closed from the open state. For example, when the NW communication unit 32 no longer receives the information transmitted by the device communication unit 34, the determination unit 33C determines that the shield cover 70 is partially closed from the open state. “When the information transmitted by the device communication unit 34 is no longer received by the NW communication unit 32 ”, for example, when the information transmitted by the device communication unit 34 cannot be received by the NW communication unit 32, communication control is performed. The case where the period for which the unit 33B transmits the predetermined information is exceeded is included. Further, the determination unit 33C may determine that a part of the shield cover 70 is closed from the open state when the device communication unit 34 cannot receive the information transmitted by the NW communication unit 32.

When the determining unit 33C determines that a part of the shield cover 70 is in the open state, the log creating unit 33D creates log information indicating that. For example, the log creating unit 33D writes the open/close log information 38A of the storage unit 38 with the date and time when it is determined that a part of the shield cover 70 is in the open state.

In addition, when the determination unit 33C determines that a part of the shield cover 70 is closed from the open state, the log creation unit 33D creates log information indicating that fact. For example, the log creation unit 33D writes the open/close log information 38A of the storage unit 38 with the date and time when it is determined that a part of the shield cover 70 is closed from the open state.

When the determination unit 33C determines that a part of the shield cover 70 is in the open state, the notification control unit 33E uses the NW communication unit 32 to provide information indicating that to the server device 20 or the communication control management device. Send to 50.

The reader/writer 35 communicates with the IC card 40 via the contact portion 36 of the IC card 40.

The storage unit 38 is realized by, for example, a RAM or a ROM. The storage unit 38 stores a program executed by the processor, and also stores opening/closing log information 38A and the like. The opening/closing log information 38A includes information indicating the opening/closing time.

The IC card 40 is formed by mounting an IC module 41 on a plastic card base material, for example. That is, the IC card 40 includes an IC module 41 and a card base material in which the IC module 41 is embedded.

The IC module 41 includes a contact portion 36 and an IC chip 42. The contact portion 36 has terminals for various signals necessary for the IC card 40 to operate. Here, the terminals for various signals are terminals for receiving a power supply voltage, a clock signal, a reset signal, etc. from the communication control device 30 (31), and a serial data input for communicating with the communication control device 30 (31). It has an output terminal (SIO terminal). The IC chip 42 is, for example, an LSI (Large Scale Integration) such as a one-chip microprocessor.

The IC card 40 is detachably attached to the client-side communication control device 30 and can communicate with the client-side communication control device 30 via the contact portion 36. For example, the IC card 40 receives a command (processing request) transmitted by the client-side communication control device 30 via the contact unit 36, and executes processing (command processing) according to the received command. Then, the IC card 40 transmits a response (processing response), which is the execution result of the command processing, to the client-side communication control device 30 via the contact unit 36.

Next, the configuration of the server-side communication control device 31 will be described. FIG. 4 is a block diagram showing a functional configuration example of the server-side communication control device 31 of the embodiment. The server-side communication control device 31 partially has the same functional configuration as the client-side communication control device 30. Therefore, different points will be described below, and the same functional configuration as the functional configuration of the client-side communication control device 30 will be denoted by the same reference numerals and detailed description thereof will be omitted. Further, when the client side communication control device 30 and the server side communication control device 31 are not distinguished, they are simply referred to as the communication control device 30 (31) and the like.

As shown in FIG. 4, the server-side communication control device 31 includes an NW communication unit 32, a control unit 33, a device communication unit 34, a reader/writer 35, and an IC card 40. The control unit 33 includes, for example, a mediation processing unit 33A.

The NW communication unit 32 of the server-side communication control device 31 is connected to the network NW by wire and communicates with the client-side communication control device 30 via the network NW.

The device communication unit 34 of the server-side communication control device 31 is connected to the server device 20 by wire, acquires the control data from the server device 20, and outputs the decrypted imaging data to the server device 20.

Next, an example of the hardware configuration of the IC card 40 will be described. FIG. 5 is a diagram illustrating an example of the hardware configuration of the IC card 40 of the embodiment.

As described above, the IC card 40 includes the IC module 41 including the contact portion 36 and the IC chip 42. The IC chip 42 includes a UART (Universal Asynchronous Receiver Transmitter) 43, a CPU 44, a ROM (Read Only Memory) 45, a RAM (Random Access Memory) 46, and an EEPROM (Electrically Erasable Programmable ROM) 47. The components (43 to 47) are connected to each other via the internal bus BS.

The UART 43 performs serial data communication with the client side communication control device 30 via the SIO terminal described above. The UART 43 outputs data (for example, 1-byte data) obtained by converting the serial data signal received via the SIO terminal to parallel to the internal bus BS. Further, the UART 43 serially converts the data acquired via the internal bus BS and outputs it to the client side communication control device 30 via the SIO terminal. The UART 43 receives a command from the client side communication control device 30 via the SIO terminal, for example. Further, the UART 43 transmits a response to the client side communication control device 30 via the SIO terminal.

The CPU 44 executes a program stored in the ROM 45 or the EEPROM 47 to perform various processes of the IC card 40. The CPU 44 executes command processing according to the command received by the UART 43 via the contact unit 36, for example.

The ROM 45 is, for example, a non-volatile memory such as a mask ROM, and stores a program for executing various processes of the IC card 40 and data such as a command table. The RAM 46 is, for example, a volatile memory such as SRAM (Static RAM), and temporarily stores data used when performing various processes of the IC card 40. The EEPROM 47 is, for example, an electrically rewritable nonvolatile memory. The EEPROM 47 stores various data used by the IC card 40. The EEPROM 47 stores information used for various services (applications) using the IC card 40, for example.

Next, an example of the configuration of the IC card 40 will be described. FIG. 6 is a block diagram showing a functional configuration example of the IC card 40 of the embodiment. The IC card 40 includes a communication unit 40A, a control unit 40B, and a storage unit 40C. Here, each unit of the IC card 40 shown in FIG. 5 is realized by using the hardware of the IC card 40 shown in FIG.

The communication unit 40A is realized by, for example, a UART 43, a CPU 44, and a program stored in the ROM 45, and transmits and receives commands and responses to and from the client-side communication control device 30 via the contact unit 36, for example. To do. That is, the communication unit 40A receives a command (processing request) requesting a predetermined process from the client-side communication control device 30, and transmits a response to the command (processing response) to the client-side communication control device 30. The communication unit 40A causes the RAM 46 to store the received data received from the client-side communication control device 30 via the UART 43. The communication unit 40A also transmits the transmission data stored in the RAM 46 to the client-side communication control device 30 via the UART 43.

The control unit 40B is realized by, for example, the CPU 44, the RAM 45, and the ROM 46 or the EEPROM 47, and controls the IC card 40 as a whole. The control unit 40B includes a command processing unit 41B and an encryption/decryption unit 42B.

Here, the processing performed by the command processing unit 41B is an example of “authentication processing”. The process performed by the encryption/decryption unit 42B is an example of “encryption/decryption process”.

The command processing unit 41B executes various command processes. The command processing unit 41B performs an SSL/TLS handshake, for example, as command processing for requesting an HTTPS request described later. In the SSL/TLS handshake, key information and the like necessary for encrypted communication are exchanged, and mutual authentication with a communication destination device is performed. Here, the mutual authentication is an authentication process for mutually confirming that the client-side communication control device 30 and the server-side communication control device 31 are mutually authenticated devices before performing communication.

The encryption/decryption unit 42B executes a process of encrypting the data and a process of decrypting the encrypted data. The encryption/decryption unit 42B encrypts the data received from the client device 10 (the server device 20 in the case of the server-side communication control device 31) via the communication unit 40A. The encryption/decryption unit 42B decrypts the encrypted data received from the server device 20 (the client device 10 in the case of the server-side communication control device 31) via the communication unit 40A via the network NW.

The storage unit 40C is, for example, a storage unit configured by the EEPROM 47, and includes a certificate information storage unit 41C and a secret information storage unit 42C. The certificate information storage unit 41C stores the certificate issued by the communication control management device 50 for the client device 10 (server device 20 in the case of the server-side communication control device 31). Specifically, the certificate information storage unit 41C of the IC card 40 mounted on the client-side communication control device 30 stores information indicating the client certificate. The certificate information storage unit 41C of the IC card 40 mounted on the server-side communication control device 31 stores information indicating the server certificate.

The secret information storage unit 42C stores the secret key issued by the communication control management device 50 for the client device 10 (server device 20 in the case of the server-side communication control device 31). Specifically, the secret information storage unit 42C of the IC card 40 attached to the client-side communication control device 30 stores information indicating the secret key issued to the client-side communication control device 30. Further, in the certificate information storage unit 41C of the IC card 40 attached to the server-side communication control device 31, information indicating the private key issued to the server-side communication control device 31 is stored.

Next, an example of the configuration of the communication control management device 50 will be described. FIG. 7 is a block diagram showing an example of the functional configuration of the communication control management device 50 of the embodiment. The communication control management device 50 includes, for example, an NW (network) communication unit 50A, a control unit 50B, and a storage unit 50C.

The NW communication unit 50A is connected to the network NW and communicates with the communication control device 30 (31) via the network NW.

The control unit 50B is, for example, a processor including a CPU, and controls the communication control management device 50 as a whole. The control unit 50B mainly functions as a private certification authority that recognizes the validity of the communication control device 30 (31). The control unit 50B includes a key generation unit 51B, a certificate issuing unit 52B, a certificate update unit 53B, a certificate management unit 54B, and a management unit 55B.

The key generation unit 51B issues, for example, a private key corresponding to the public key included in the certificate described later, based on the authentication application from the communication control device 30 (31).

The certificate issuing unit 52B issues, for example, a certificate that recognizes the validity of the communication control device 30 (31) based on an authentication application from the communication control device 30 (31). The certificate includes a public key and information indicating the owner of the communication control device 30 (31).

The certificate update unit 53B updates the certificate by setting a new expiration date for the certificate whose expiration date has passed. The certificate update unit 53B issues, for example, a certificate in which the validity period of the certificate issued to the communication control device 30 (31) is extended based on the update application from the communication control device 30 (31). Then, the issued certificate is transmitted to the communication control device 30 (31). Information indicating the issued certificate is received by the communication control device 30 (31) and is stored in the certificate information storage unit 41C of the IC card 40 of the communication control device 30 (31). ) Certificate is extended.

The certificate management unit 54B manages already issued certificates. The certificate management unit 54B, for example, when the IC card 40 mounted on the communication control device 30 (31) is tampered with, stolen, or the like, and the mutual authentication does not prove the mutual validity, the communication control device 30 (31). Perform the process to invalidate the certificate issued to. In addition, the certificate management unit 54B uses the certificate management unit 54B to issue a certificate issued to the communication control device 30 (31) and other communication devices based on an inquiry from the communication control device 30 (31). You may make it respond whether it was issued. Further, the certificate management unit 54B may periodically check whether the issued certificate is used by the legitimate communication control device 30 (31).

The management unit 55B manages the communication control device 30 (31). For example, the management unit 55B remotely controls the mutual authentication performed by the communication control device 30 (31) via the network NW.

The storage unit 50C includes, for example, a key information storage unit 51C and a certificate information storage unit 52C. The key information storage unit 51C stores, for example, already issued public keys and information indicating secret keys. The certificate information storage unit 52C stores, for example, information indicating an already issued certificate. The key information storage unit 51C and the certificate information storage unit 52C are referred to, for example, when the key generation unit 51B issues a private key and when the certificate issuing unit 52B issues a certificate. Further, the key information storage unit 51C stores information indicating the secret key issued by the key generation unit 51B. Further, the certificate information storage unit 52C stores information indicating the certificate issued by the certificate issuing unit 52B.

Next, an example of processing performed by the communication control system 1 will be described. FIG. 8 is a sequence chart showing an example of processing performed by the communication control system 1 of the embodiment.

When transmitting the imaging data to the server device 20, the client device 10 first transmits an HTTP request to the server device 20 (step S1). The HTTP request transmitted by the client device 10 is acquired by the client-side communication control device 30 (step S2). The client-side communication control device 30 transmits an HTTPS request (ClientHello) to the server-side communication control device 31 (step S4). Thereby, the handshake between the client-side communication control device 30 and the server-side communication control device 31 is started (step S5).

Specifically, the ClientHello transmitted by the client-side communication control device 30 includes, for example, the TLS version and information indicating a list of encryption methods and algorithms used for communication. The server-side communication control device 31 transmits an HTTPS response (ServerHello) to the client-side communication control device 30 as a response to ClientHello. The ServerHello transmitted by the server-side communication control device 31 includes, for example, information selected by the server device 20 among the options presented by ClientHello. In other words, the server-side communication control device 31 makes a selection in response to the presentation from the client-side communication control device 30 to determine a specific encryption algorithm for communication.

Then, the server-side communication control device 31 sends information necessary for the common key used for encrypted communication. The information required for the common key includes, for example, information indicating the public key issued to the server device 20 and its certificate, and information requesting to send the public key of the client device 10 and its certificate. Be done. The client-side communication control device 30 sends the server-side communication control device 31 the information necessary for the public key issued to itself and its certificate, and the common key used for encrypted communication.

Mutual authentication between the client-side communication control device 30 and the server-side communication control device 31 is performed as follows, for example. The client-side communication control device 30 generates a signature from the ServerHello received so far and sends it to the server-side communication control device 31. The server-side communication control device 31 verifies the signature received from the client-side communication control device 30 based on the certificate received from the client-side communication control device 30. When the verification is successful, the server-side communication control device 31 determines that the certificate is definitely that of the client-side communication control device 30. In addition, the server-side communication control device 31 generates a signature from the ClientHello or the like received so far and transmits it to the client-side communication control device 30. The client-side communication control device 30 verifies the signature received from the server-side communication control device 31 based on the certificate received from the server-side communication control device 31. When the verification is successful, the client-side communication control device 30 determines that the certificate is definitely the server-side communication control device 31.

When mutual authentication between the client-side communication control device 30 and the server-side communication control device 31 is correctly performed, the client-side communication control device 30 and the server-side communication control device 31 generate common keys used for encryption. And replace.

If the public key issued to the server device 20 sent from the server-side communication control device 31 and its certificate are certificates that the client-side communication control device 30 allows, the server-side communication control device 31 If the public key and its certificate sent from the client-side communication control device 30 are certificates that the server-side communication control device 31 allows, the handshake ends.

When the handshake with the client-side communication control device 30 is established, the server-side communication control device 31 transmits an HTTP request to the server device 20 (step S6). The HTTP request transmitted here is the HTTP request received from the client device 10 in step S2.

The HTTP request transmitted by the server-side communication control device 31 is received by the server device 20 (step S7). At this time, the server device 20 recognizes that the client device 10 has requested the HTTP request. Therefore, the server device 20 responds with an HTTP response to the client device 10 (step S8). The HTTP response transmitted by the server device 20 is acquired by the server-side communication control device 31 (step S9).

The server-side communication control device 31 encrypts the acquired HTTP response from the server device 20 using the common key determined in the handshake of step S5 (step S10). The HTTP response encrypted by the server-side communication control device 31 is received by the client-side communication control device 30 via the network NW (step S11). The client-side communication control device 30 decrypts the received HTTP response using the common key (step S12). The HTTP response decrypted by the client-side communication control device 30 is acquired by the client device 10 (step S13). The client device 10 receives the decrypted HTTP response (step S14). At this time, the client device 10 recognizes that the HTTP response is returned from the server device 20. Therefore, the client device 10 transmits the imaging data to the server device 20 (step S15).

The imaging data transmitted by the client device 10 is acquired by the client-side communication control device 30 (step S16). The client-side communication control device 30 encrypts the imaged data transmitted by the client device 10 using a common key (step S18). The imaging data encrypted by the client-side communication control device 30 is received by the server-side communication control device 31 via the network NW (step S19).

The server-side communication control device 31 decrypts the received imaging data using the common key (step S20). The imaging data decrypted by the server-side communication control device 31 is acquired by the server device 20 (step S21). The server device 20 receives the decrypted imaging data (step S22). At this time, the server device 20 recognizes that the imaging data from the client device 10 has been received.

If the mutual authentication between the client-side communication control device 30 and the server-side communication control device 31 is not correctly performed in step S5 of the above-described flowchart, the client-side communication control device 30 communicates with the communication destination. not allowed. Specifically, the client side communication control device 30 does not output the information transmitted from the communication destination to the client device 10. This is because, if the mutual authentication is not correctly performed, the communication destination may be an unauthorized communication device that looks like the server-side communication control device 31. In this case, the client-side communication control device 30 may, for example, transmit a communication record when mutual authentication is not correctly performed to the communication control management device 50. As a result, the communication control management device 50 can obtain a communication record when mutual authentication is not correctly performed, and grasp the pattern and frequency of unauthorized communication with the managed client side communication control device 30. You can monitor the network for abnormalities.

Further, the client-side communication control device 30 communicates with the communication destination based on the transmission destination list indicating the information of the communication device that permits the communication with the client device 10 instead of the mutual authentication in the handshake performed in step S5 of the above flowchart. It may be determined whether or not to permit the communication. The information about the communication device shown in the destination list is, for example, a URL (Uniform Resource Locator). The control unit 33 of the client-side communication control device 30 permits communication with the communication destination when the URL of the communication destination is a URL registered in the transmission destination list, and when the URL is not registered in the transmission destination list. Does not allow communication.

Further, the control unit 33 may update the destination list. The control unit 33 stores, for example, a URL of a communication destination permitted to communicate with the client device 10 and a communication destination URL not permitted to communicate with the client device 10 for a certain period of time. Then, the control unit 33 updates the transmission destination list by, for example, re-registering the URL of the communication destination that has been communicated for a certain period of time among the URLs registered in the transmission destination list. Alternatively, the client-side communication control device 30 may transmit to the communication control management device 50 the communication destination URLs that have been permitted to communicate and the communication destination URLs that have not been permitted to communicate for a certain period of time. In this case, for example, the communication control management device 50 may update the transmission destination list based on the communication destination URL that has communicated with the client side communication control device 30. By updating the transmission destination list by the communication control management device 50, it is possible to collectively manage the communication devices that communicate with the client-side communication control device 30 under the control of the communication control management device 50.

Further, the client-side communication control device 30 verifies whether or not the content of the information (for example, the firmware update program) transmitted to the client device 10 after the handshake performed in step S5 is established is correct. You may do it. For example, when the firmware update program for the client device 10 is transmitted via the network NW, the control unit 33 of the client-side communication control device 30 verifies using a verification key (verification key). In this case, the communication control management device 50 may transmit the verification key to each of the client side communication control device 30 and the server side communication control device 31.

For example, the server-side communication control device 31 generates a hash value from the information (plaintext) to be transmitted to the client device 10, and encrypts the generated hash value with the verification key. Then, the server-side communication control device 31 further encrypts the plaintext and the encrypted hash value with the secret key, and sends the plaintext and the encrypted hash value to the client device 10. Further, the client-side communication control device 30 decrypts the information using the common key, and acquires the plaintext and the encrypted hash value.

The client-side communication control device 30 also generates a hash value from the acquired plaintext and decrypts the encrypted hash value with the verification key. When the hash value generated from the plain text and the decrypted hash value are the same value, the client-side communication control device 30 determines that the information transmitted to the client device 10 has the correct content. In this case, the client-side communication control device 30 outputs the decrypted information (plain text) to the client device 10. On the other hand, when the hash value generated from the plain text and the decrypted hash value are not equal, the client-side communication control device 30 determines that the information transmitted to the client device 10 is the server device 20 or the server-side communication control device 31. It is determined that there is a possibility that the information is unauthorized information transmitted from an unauthorized communication device that is disguised as “1”. In this case, the client-side communication control device 30 does not output the decrypted information (plain text) to the client device 10.

As a result, the client device 10 can receive only the information that has been verified and has the correct content. Further, normally, it is considered that the client device 10 determines whether or not the content of the update program when updating the firmware is correct. However, instead of the client device 10, the server-side communication control device 31 instructs the client device 10 By verifying the content of the transmitted information, the processing load on the client device 10 can be reduced.

Next, an example of the client-side communication control device 30 and the shield cover 70 will be described. FIG. 9 is a diagram showing an example of the client-side communication control device 30A and the shield cover 70A. In FIG. 9, X is the horizontal direction (horizontal direction), Y is the vertical direction, and Z is the horizontal direction (depth). Here, the client device 10A is, for example, a surveillance camera.

The client device 10A is connected to the support pillar 15, and the support pillar 15 is connected to the fixing member 16. The fixing member 16 is fixed to, for example, the ceiling of a room in which the client device 10A is installed. The shield cover 70A includes a connection port 71 for passing the support column 15. The size of the connection port 71 is, for example, such that the shield cover 70A overlaps the fixing member 16 in the vertical direction Y around the connection port 71. By doing so, radio waves can be sufficiently blocked at the connection port 71. As shown in the enlarged view EV1, the connection port 71 is formed, for example, larger than the diameter (size) of the support column 15 and smaller than the diameter (size) of the fixing member 16. The enlarged view EV1 is a cross-sectional view of the connection port 71 when the shield cover 70A is viewed from the negative side in the Z direction.

Further, the shield cover 70A includes a lens window 72 at a portion corresponding to the lens 17 of the client device 10A. The lens window 72 is made of a light-transmitting material that blocks radio waves. By doing so, it becomes possible for the surveillance camera 10A to photograph the scenery of the surrounding space, and it is possible to prevent wireless communication between the client device 10A and another access point 10X via the lens window 72.

The shield cover 70A also includes a device window 73A. The device window 73A is an opening for installing the client side communication control device 30A on the shield cover 70A. As shown in the enlarged view EV2, the device window 73A is formed in a size into which the client side communication control device 30A is fitted without a gap. The enlarged view EV2 is a cross-sectional view of the device window 73A when the shield cover 70A and the like are viewed from the plus side in the Y direction. For example, a groove G1 into which the device window 73A is fitted is formed in at least a part of the outer circumference of the client-side communication control device 30A. Not limited to this, the groove G1 is not formed in the client-side communication control device 30, and the gap between the client-side communication control device 30 and the shield cover 70A (in particular, the gap in the Y direction or the Z direction) is eliminated. It may be installed on a part of the shield cover 70A. The client-side communication control device 30A and the shield cover 70A may be integrally formed.

The client-side communication control device 30A includes a blocking wall 37 between the NW communication unit 32 and the device communication unit 34. The blocking wall 37 is made of a material that blocks radio waves, and has a shape and size that match the device window 73A. By doing so, in the state where the client side communication control device 30A is installed on the shield cover 70A, there is no gap between the client side communication control device 30A and the shield cover 70A as shown in the enlarged view EV2, and the client device 10A and other devices are connected via the device window 73A. It is possible to prevent wireless communication with the access point 10X.

A connection line 39A that connects the NW communication unit 32 and the control unit 33 penetrates through a part of the blocking wall 37. The connection line 39A is also preferably made of a material that blocks radio waves. Inside the shield cover 70A separated by the blocking wall 37 (on the side of the communication space between the client device 10A and the client-side communication control device 30), the control unit 33, the device communication unit 34, and the like are arranged. The NW communication unit 32 is arranged outside the shield cover 70A separated by the blocking wall 37. By doing so, the radio waves that try to pass through the client-side communication control device 30 are blocked by the blocking wall 37, so that it is possible to prevent wireless communication between the client device 10A and another access point 10X.

The shield cover 70A also includes an operation window 74. The operation window 74 is provided with a door 75 that can be opened and closed. The door 75 is also made of a material that blocks radio waves. By doing so, the user can open the door 75 and perform an operation on the operation unit of the monitoring camera 70A or an operation of changing the direction of the lens 17 of the monitoring camera 70A. Further, by completely closing the door 75, it is possible to prevent wireless communication between the client device 10A and another access point 10X.

FIG. 10 is a diagram showing an example of the client-side communication control device 30B and the shield cover 70B. The points different from the client-side communication control device 30A and the shield cover 70A described in FIG. 9 will be described below, and the same points will not be described.

As shown in the enlarged view EV3, the client communication control device 30B includes an inner device 30_IN arranged inside the shield cover 70B and an outer device 30_OUT arranged outside the shield cover 70B. The enlarged view EV3 is a cross-sectional view of the device window 73B when the shield cover 70B is viewed from the positive side in the Y direction. A control unit 33, a device communication unit 34, and the like are mounted on the inner device 30_IN. The NW communication unit 32 is arranged in the outer device 30_OUT.

The shield cover 70B includes a device window 73B. The device window 73B is an opening for installing the client side communication control device 30B on the shield cover 70B. In the device window 73B, as shown in the enlarged view EV3, a connection line 39B that connects the NW communication unit 32 and the control unit 33 penetrates. The inner device 30_IN and the outer device 30_OUT are connected by a connecting line 39B, and the inner device 30_IN and the outer device 30_OUT are shielded from radio waves by the shield cover 70B. Further, the device window 73B is shielded from radio waves by the connection line 39B. By doing so, radio waves that try to pass through the client-side communication control device 30B are blocked by the shield cover 70B, so that wireless communication between the client device 10B and another access point 10X can be prevented.

FIG. 11 is a diagram showing an example of the client-side communication control device 30A and the shield cover 70C. The points different from the client-side communication control device 30A and the shield cover 70A described in FIG. 9 will be described below, and the same points will not be described. The client device 10C is a device including an operation unit, a display unit, and the like, such as a personal computer.

The client device 10C includes, for example, a communication unit 11C connected to the main body of the personal computer via the wired cable C1. That is, unlike the client devices 10A and 10B, the client device 10C has a configuration in which the communication unit 11C is located outside the device. The communication unit 11C performs wireless communication in the communication band that the client device 10C can use. The shield cover 70C has a shape that entirely covers the communication unit 11C.

The shield cover 70C includes a cable window 76C. The cable window 76C is an opening for passing the wired cable C1. The cable window 76C is formed in a hole having the same diameter as the diameter of the wired cable C1 to block a radio wave passing through the cable window 76C. However, the present invention is not limited to this, and the cable window 76C may be provided with a lid member that is formed of a material that blocks a hole for passing the wired cable C1 and is provided with a notch and that blocks radio waves.

Thus, by providing the communication unit 11C outside the personal computer, the communication unit 11C can be completely covered, and the operation unit and the display unit of the personal computer are not covered with the shield cover 70C. It is possible to prevent wireless communication between the client device 10C and another access point 10X while ensuring operability for the user.

Note that the shield cover 70C may be configured such that the client side communication control device 30B can be installed like the shield cover 70B.

The communication unit 11 connected to the main body of the personal computer may be directly connected to the personal connector without using the wired cable C1. FIG. 12 is a diagram showing an example of the client-side communication control device 30A and the shield cover 70D. The points different from the client-side communication control device 30A and the shield cover 70A described in FIG. 9 will be described below, and the same points will not be described. The client device 10D is a device including an operation unit, a display unit, and the like, such as a personal computer.

The client device 10D includes, for example, a communication unit 11D connected to the main body of the personal computer via a USB connector. The communication unit 11D performs wireless communication in the communication band that the client device 10D can use. The shield cover 70D has a shape that entirely covers the communication unit 11D.

The shield cover 70D includes a connector window 76D. The connector window 76D is an opening for passing a USB connecting portion. The connector window 76D is formed in a hole having the same size as that of the USB connection portion, so that it blocks the electric wave that tries to pass through the connector window 76D. However, the present invention is not limited to this, and the connector window 76D may be provided with a lid member that is formed of a material that blocks a hole for passing a USB connection portion and has a notch, and that blocks a radio wave.

Note that the shield cover 70D may be configured such that the client-side communication control device 30B can be installed like the shield cover 70B.

As described above, the communication control system 1 according to the embodiment communicates with a client device including the communication unit 11 (first wireless communication unit) and the device communication unit 34 (second wireless communication unit), and the client device 10 Communication by uploading the information acquired from the server device 20 via the network NW to the client side communication control unit device 30 and a material that blocks radio waves, and by covering at least the communication unit 11 and the device communication unit 34. By providing the shield cover 70 that shields the communication space in which the unit 11 and the device communication unit 34 communicate from the outside, it is possible to improve the safety of the social infrastructure system without changing the social infrastructure system. A device can be provided.

Further, in the case of wireless communication, since the communication route cannot be visually observed, it is easy for the client device 10 such as the surveillance camera to confirm the communication route to which the wireless access point is actually communicating (connected). is not. Therefore, by installing a shield cover 70, which is a physical blocking element, in the client-side communication control device 30 and physically blocking wireless communication of the client device 10, the client device 10 and the client-side communication control device 30 are separated from each other. Uniquely limits the wireless communication path between them. By doing so, it is possible to avoid an unauthorized access due to a direct connection from another access point 10X to the client device 10. On the contrary, since the client device 10 cannot perform wireless communication with any device other than the client-side communication control device 30, the client device 10 can be connected to another gateway or access point and information leakage from the route can be prevented. ..

(Second embodiment)
FIG. 13 is a diagram showing a configuration example of the client-side communication control device 30Y of the second embodiment. Note that description of the same functional configuration as the client-side communication control device 30 is omitted. The client-side communication control device 30Y further includes, for example, a connection unit 39. The connection unit 39 is connected to the open/close detection unit 77 by wire. The opening/closing detector 77 is attached to the shield cover 70 near the operation window 74, and is a sensor or the like that detects opening/closing of the door 75.

The control unit 33Y of the client-side communication control device 30Y includes, for example, a determination unit 33F instead of the determination unit 33C. The determination unit 33F determines whether or not some part of the shield cover 70 is in the open state based on the detection result of the opening/closing detection unit 77. Further, the determination unit 33F may determine whether or not a part of the shield cover 70 has been closed from the open state, based on the detection result of the open/close detection unit 77.

Further, the client-side communication control device 30 has information received from the client device 10 while the shield cover 70 is partially open and information received from the client device 10 while the shield cover 70 is completely closed. May be distinguished. For example, when the determination unit determines that a part of the shield cover 70 is in the open state, the client-side communication control device 30 associates information indicating that to the information received from the client device 10 to connect the server to the server. It is transmitted to the device 20 and the communication control management device 50.

Further, the communication control system 1 according to the embodiment includes a client-side communication control device 30 connected between the client device 10 and the network NW, and a server-side communication control device connected between the server device 20 and the network NW. 31 is provided. The client-side communication control device 30 has an IC card 40 and a control unit 33. The control unit 33 requests the IC card 40 to perform at least one of mutual authentication and encryption/decryption processing, transmits the encrypted information to the server-side communication control device 31, and transmits the decrypted information to the client. Send to the device 10. The server-side communication control device 31 has an IC card 40 and a control unit 33. The control unit 33 requests the IC card 40 to perform at least one of mutual authentication and encryption/decryption processing, transmits the encrypted information to the client-side communication control device 30, and transmits the decrypted information to the server. Send to device 20. In this case, the control unit 33 of the communication control device 30 (31) may cause the IC card 40 to perform only mutual authentication processing, only encryption/decryption processing, or mutual authentication and encryption/decryption. Both the processing and the processing may be performed.

Thereby, the communication control system 1 of the embodiment can improve the safety of the social infrastructure system without changing the social infrastructure system. The HTTPS-imaging data (so-called plain text) transmitted from the client device 10 to the server device 20 is combined with the SSL/TLS protocol by the client-side communication control device 30, for example, to improve the security. It is because it is replaced with. Further, the control data transmitted to the server device 20 or the client device 10 is encrypted, but is decrypted by the client side communication control device 30 and received by the client device 10. It is not necessary to perform the decryption process, and the existing device can be used as it is without modification.

Further, in the communication control system 1 of the embodiment, the client-side communication control device 30 and the server-side communication control device 31 perform mutual authentication, so that the safety is improved as compared with the case where authentication is performed in only one direction. You can In general client terminals and server terminals, since an unspecified large number of client terminals communicate with the server terminal, a legitimate client certificate is issued to the unspecified large number of client terminals and management is continued. That is not realistic. However, in the social infrastructure system, the relationship between the client device 10 and the server device 20 is clearly specified. Therefore, the client-side communication control device 30 and the server-side communication control device 31 can perform mutual authentication, and the safety can be improved.

In the case of a client terminal that does not have a client certificate, in order to communicate with the server terminal, it may be required to input the ID or password issued by the server terminal. In such password authentication, in order to maintain security, a long character string in which letters and numbers are combined may be required for the password, or a password may be regularly changed. However, if the number of passwords that must be remembered increases, management becomes troublesome, and there are cases where passwords are leaked, such as when the password is written in a memo or recorded in a web browser.

On the other hand, in the communication control system 1 of the embodiment, since the client-side communication control device 30 has the client certificate, mutual authentication can be reliably performed with the server device 20. Therefore, password authentication is unnecessary. Therefore, the trouble of entering the password and the trouble of periodically changing and managing the password are eliminated, and the convenience of the user is improved. That is, it is possible to maintain safety without imposing a burden on the user.

In addition, when a client terminal that does not have a client certificate communicates with the server terminal based on authentication using an ID or password, if the ID and password are entered correctly, anyone can communicate with the server terminal. I can do it. Therefore, it becomes possible to illegally take over the client terminal and illegally access the server terminal. Therefore, for example, there is a possibility of being infected with ransomware in which the function of the client terminal is restricted by the server terminal that has been illegally hijacked and a ransom is required to cancel the function.

On the other hand, in the communication control system 1 of the embodiment, mutual authentication is performed between the client device 10 and the server device 20 via the communication control device 30 (31), and the communication partner is based on the address information. The client device 10 and the server device 20 are not illegally hijacked due to the limitation of the client device 10 of FIG. That is, the communication control system 1 of the embodiment can also take measures against ransomware.

Also, for example, if there is a terminal (also called a stray device) for which an administrator is absent in the network, the terminal is illegally hijacked and used as an illegal terminal that attacks malware etc. There were cases. On the other hand, in the communication control system 1 of the embodiment, mutual authentication is performed between the client device 10 and the server device 20 via the communication control device 30 (31), and the communication partner is based on the address information. Even if the administrator inside the network NW is illegally hijacked and used for an attack due to the limitation of the client device 10 of FIG. be able to.

Further, in the communication control system 1 of the embodiment, the server device 20 is connected to the server-side communication control device 31, and the authentication process is not performed inside the server device 20. Therefore, it is not necessary to hold a certificate or the like inside the server device 20, and it becomes clear that the server device 20 connected to the server-side communication control device 31 is under the control of the communication control management device 50. However, if the server device 20 already has a functional unit corresponding to the server-side communication control device 31, the server-side communication control device 31 is not necessarily physically connected between the server device 20 and the network NW. It doesn't have to be. In this case, the functional unit corresponding to the server-side communication control device 31 originally included in the server device 20 performs the authentication process with the client-side communication control device 30.

Further, in the communication control system 1 of the embodiment, the control unit 40B of the IC card 40 causes at least one of mutual authentication and encryption/decryption processing to be performed. Therefore, the device cost of the communication control device 30 (31) can be suppressed.

In the communication control system 1 of the embodiment, an example has been described in which the IC card 40 attached to the communication control device 30 (31) performs at least one of mutual authentication and encryption/decryption processing. However, the functional unit that performs the processing is not limited to the IC card. The IC card 40 of the embodiment has a storage function of storing a private key and a client certificate (or a server certificate), and a processing function of performing at least one of mutual authentication and encryption/decryption processing. It is only necessary that the functional unit has such functions, for example, a SIM card having an IC chip mounted therein.

Further, in the communication control system 1 of the embodiment, the IC card 40 of the client side communication control device 30 is detachably attached to the client side communication control device 30. As a result, in the communication control system 1 of the embodiment, the IC card 40 and the client side communication control device 30 can be separated from each other. Therefore, when either one of them is to be replaced, that one device can be replaced. .. For example, when the IC card 40 and the client-side communication control device 30 are integrated, when the part corresponding to the IC card 40 is replaced, the client-side communication control device 30 must be replaced as a whole. In comparison with this case, the communication control system 1 according to the embodiment can reduce the maintenance cost when a specific part such as the IC card 40 of the client side communication control device 30 is replaced.

The communication control system 1 of the embodiment further includes a communication control management device 50, and the communication control management device 50 stores a private key and a client certificate stored in the IC card 40 mounted on the client side communication control device 30. Is transmitted to the client-side communication control device 30, and the private key stored in the IC card 40 attached to the server-side communication control device 31 and the server certificate are transmitted to the server-side communication control device 31. Thereby, the communication control system 1 of the embodiment can perform the handshake and determine the common key by using the legitimate secret key and the certificate issued by the communication control management device 50, and the above-mentioned effect can be obtained. In addition to playing, the safety of the social infrastructure system can be further improved.

Although the communication control system 1 of the embodiment has been described above, the configuration of the embodiment is not limited to the above example. For example, the communication control device 30 (31) may use an HSM (Hardware Security Module) that realizes the function of the communication control device 30 (31) by hardware based on the processing load.

Further, in the communication control system 1 of the embodiment, the secure communication using the SSL/TLS protocol may be always performed, or it is possible to select whether to perform the communication using the SSL/TLS protocol. Good. Further, among the bidirectional communication between the client device 10 and the server device 20, only the communication in one direction may be the communication using the SSL/TLS protocol. In addition, secure communication using the SSL/TLS protocol may be constantly performed, or whether communication using the SSL/TLS protocol may be selectable. By always performing communication using the SSL/TLS protocol, communication from a device different from the legitimate communication control device 30 (31) authenticated by the communication control device 30 (31) can be blocked. .. Therefore, it is possible to prevent unauthorized access to the client device 10 and the server device 20 and infection of the client device 10 and the server device 20 with malware.

Further, in the communication control system 1 of the embodiment, communication using the SSL/TLS protocol may be constantly performed to store unauthorized access to the client device 10 and the server device 20. In this case, a record of unauthorized access may be transmitted to the communication control management device 50. The communication control management device 50 can recognize the presence/absence of unauthorized access, and can detect and take measures against a sign stage before a large-scale attack on the entire system is started.

Further, in the communication control system 1 of the embodiment, the IC card 40 mounted on the communication control device 30 (31) is equipped with a highly tamper-resistant chip called a secure element that has acquired CC (Common Criteria/ISO15408) certification. You may. By using this chip to store a certificate including a private key and a public key, very high security can be maintained.

Further, in the communication control system 1 of the embodiment, the program of the client device 10 may be updated from the server device 20, the communication control management device 50, or the like via the communication control device 30 (31). By updating the program (updating the firmware) via the communication control device 30 (31), the function of the client device 10 can be safely updated. When the firmware is transmitted from the server device 20 to the client device 10 in this manner, the firmware transmitted from the server device 20 is attached with the signature of the server device 20 encrypted by the server-side communication control device 31, for example. To be done. In this case, in the client device 10, the signature is decrypted by the client-side communication control device 30, and thus it is possible to determine that the transmitted firmware is definitely the firmware transmitted from the server device 20. As a result, even if the unauthorized firmware is transmitted to the client device 10 from an unauthorized terminal that pretends to be the server device 20, the client device 10 is erroneously based on the unauthorized firmware. It is possible to exclude that updates are made.

Further, since the communication is performed via the communication control device 30 (31) in this manner, the firmware can be safely updated from the server device 20, the communication control management device 50, or the like to the client device 10, so that the worker It is also possible to reduce the work cost as compared with a case where a plurality of client devices 10 are physically moved to a place where each client device 10 is installed to perform firmware update work.

In addition, in the communication control system 1 of the embodiment, the client device 10 may be started or stopped from the server device 20, the communication control management device 50, or the like via the communication control device 30 (31). By starting or stopping (remote activation) via the communication control device 30 (31), the function of the client device 10 can be safely updated, and secure remote control can be realized.

In the communication control system 1 of the above-described embodiment, an example in which the client-side communication control device 30-1 communicates with the server-side communication control device 31-1 has been described, but the communication destination of the client-side communication control device 30 is It is not limited to this. For example, the client side communication control device 30-1 may communicate with the client side communication control device 30-2. When the client-side communication control device 30-1 receives the communication start signal from the client-side communication control device 30-2, first, mutual authentication is performed with the client-side communication control device 30-2 to perform client-side communication control. Confirm that the device 30-2 is a valid communication terminal. Then, when mutual authentication is correctly performed, the client-side communication control device 30-1 outputs the information received from the client-side communication control device 30-2 to the client device 10. By adding an authenticator to the transmission data using encryption, it is possible to detect falsification of communication information and specify the sender. Therefore, in the communication control system 1 of the present embodiment, in communication between the client-side communication control device 30 and the server-side communication control device 31 and communication between the client-side communication control devices 30, "from the correct partner", " You can ensure that you receive "data that has not been tampered with."

While some embodiments of the present invention have been described, these embodiments are presented as examples and are not intended to limit the scope of the invention. These embodiments can be implemented in various other forms, and various omissions, replacements, and changes can be made without departing from the spirit of the invention. The embodiments and their modifications are included in the scope of the invention and the scope thereof, as well as in the invention described in the claims and the scope of equivalents thereof.

DESCRIPTION OF SYMBOLS 1... Communication control system, 10... Client device, 20... Server device, 30... Client side communication control device, 31... Server side communication control device, 33A... Mediation processing part, 33B... Communication control part, 33C... Judgment part, 33D … Log creation unit, 33E… Notification control unit

Claims (8)

A communication control device that communicates with a client device including a first wireless communication unit using the second wireless communication unit and uploads information acquired from the client device to a server device via a network;
A communication space for communication between the first wireless communication unit and the second wireless communication unit is formed by a material that blocks electric waves and covers at least the first wireless communication unit and the second wireless communication unit. A shield cover to shield from
And a communication control unit. The communication control device,
A third wireless communication unit that wirelessly communicates with the server device via the network,
The third wireless communication unit,
Disposed outside the communication space shielded by the shield cover,
The communication control unit according to claim 1. The communication control device,
A blocking wall for blocking radio waves is further provided between the second wireless communication unit and the third wireless communication unit.
The communication control unit according to claim 2. The communication control device,
The information transmitted by the second wireless communication unit is received by the third wireless communication unit, or the information transmitted by the third wireless communication unit is received by the second wireless communication unit. In this case, it is determined that a part of the shield cover is open,
The communication control unit according to claim 2 or 3. The shield cover includes an operation window that can be opened and closed,
The communication control device determines whether or not a part of the shield cover is in an open state, based on a detection result from a detection unit that detects opening/closing of the operation window.
The communication control unit according to any one of claims 1 to 4. The communication control device,
When it is determined that a part of the shield cover is in an open state, log information indicating that is created,
The communication control unit according to claim 4 or 5. The communication control device,
When it is determined that a part of the shield cover is in the open state, the fact is notified to the server device or an external device communicating through the network,
The communication control unit according to claim 4 or 5. The client device is a camera,
The shield cover is made of a light-transmissive material while blocking a radio wave at a portion that covers the lens of the camera.
The communication control unit according to any one of claims 1 to 7.

Images