JP2020160984A - Data collection side device, data use side device, and communication method - Google Patents

Abstract

To provide a data collection side device represented by an IoT apparatus that mitigates security risks without impairing users' convenience.SOLUTION: A data collection side device 10 includes: a command reception unit 11 for receiving a port open command that has designated a port from a data use side device 20 via a wireless communication network; an authentication processing unit 12 for performing authentication processing on the data use side device which is the transmission source of the port open command; a command execution unit 13 for executing the port open command to open the port if the authentication of the data use side device is a success; and a data communication unit 14 for performing data communication using the port in response to a request from the data use side device.SELECTED DRAWING: Figure 1

Description

The present invention relates to a data collection side device, a data utilization side device, and a communication method.

With the spread of IoT (Internet of Things) devices, the security of IoT devices and management servers for remote access (hereinafter referred to as "remote management servers") that relay data from IoT devices has become a problem.

One of them is the problem of authentication of a local client (hereinafter, also referred to as "client") that operates an IoT device. Patent Document 1 proposes a configuration in which a server (first arithmetic processing device) that authenticates a client is provided prior to communication with an IoT device (second device). According to the document, if the client is successfully authenticated, the server transmits the third key to the IoT device by encrypted communication using the common key. Further, the IoT device transmits the third key to the client by encrypted communication using the second key. After that, the client and the IoT device perform encrypted communication using the third key, and the client remotely controls the device section of the second device.

Further, Patent Document 2 discloses a home appliance remote control system using a mobile phone as a client. Specifically, the interface unit of this home appliance remote control system extracts the control command and personal authentication information of the controlled device from the short message (SMS) transmitted from the mobile phone, and performs the authentication process based on the personal authentication information. carry out. Then, the home appliance control unit of this home appliance remote control system controls the control target device based on the control command included in the SMS.

Japanese Unexamined Patent Publication No. 2018-152796 JP-A-2006-203306

The following analysis is given by the present invention. In the method of Patent Document 1, since access is permitted only to the authorized client, there is a protective effect from unauthorized access. However, in order to authenticate, the IoT device of Patent Document 1 needs to always open the access port and listen so that it can be connected from the Internet or the like even when the client is not accessing. is there. There is a problem that this communication port is always the target of attacks.

Further, since the method of Patent Document 2 does not use the Internet, there is no risk of attacking the listening port. However, since it is easy to automatically send a short message to the interface part of the home appliance remote control system, there is a problem that spoofing attacks cannot be prevented.

As a countermeasure for these, it is conceivable to disconnect the IoT device from the Internet or the network of the mobile communication carrier and connect it only when necessary, but there is a problem that convenience is impaired.

The present invention can contribute to reducing the security risk of the data collection side device represented by the above-mentioned IoT device without impairing the convenience of the user. The data collection side device, the data use side device, the communication method and the program. The purpose is to provide.

According to the first viewpoint, the command receiving unit that receives the port open command for which the port is specified from the data user device via the wireless communication network and the data user device that is the source of the port open command are authenticated. The authentication processing unit that executes processing, the command execution unit that executes the port open command to open the port when the data user side device is successfully authenticated, and the data user side device in response to a request from the data user side device. A data collection side device including a data communication unit that performs data communication using a port is provided.

According to the second viewpoint, a control content receiving unit that receives the control content for the data collecting side device from the user and a port opening command that specifies the port of the data collecting side device are generated based on the control content. After the authentication process of the command transmission unit that transmits to the data collection side device via the wireless communication network, the authentication processing unit that executes the authentication process of the data collection side device, and the data collection side device, the said A data utilization side device including a remote control unit that performs data communication using the port based on the control content received from the user is provided.

According to the third viewpoint, a port open command for which a port is specified is received from the data user device via the wireless communication network, and the data user device that is the source of the port open command is authenticated. Provided is a communication method in which when the authentication of the data user side device is successful, the port open command is executed to open the port, and data communication using the port is performed in response to a request from the data user side device. Will be done. This method is linked to a specific machine called a data collection side device that performs data communication using the port in response to a request from the data utilization side device.

According to the fourth viewpoint, the control content for the data collection side device is received from the user, and a port opening command for designating the port of the data collection side device is generated based on the control content to form a wireless communication network. It is transmitted to the data collection side device via the data collection side device, the authentication process of the data collection side device is executed, and after the authentication process with the data collection side device, the port based on the control content received from the user is used. A communication method for performing the data communication that was used is provided. This method is linked to a specific machine called a data utilization side device that opens a port of the data collection side device to perform communication in response to a request from a user.

According to the fifth viewpoint, a computer program that realizes the functions of the above-mentioned data collection side device or the above-mentioned data utilization side device is provided. This program is input to a computer device from an input device or from the outside via a communication interface, stored in a storage device, and drives a processor according to a predetermined step or process. In addition, this program can display the processing result including the intermediate state step by step via the display device, or can communicate with the outside via the communication interface, if necessary. Computer devices for this purpose, for example, typically include a processor, a storage device, an input device, a communication interface, and, if necessary, a display device that can be connected to each other by a bus.

According to the present invention, it is possible to reduce the security risk of the data collecting side device without impairing the convenience of the user.

It is a figure which shows the structure of one Embodiment of this invention. It is a figure for demonstrating operation of one Embodiment of this invention. It is a figure for demonstrating operation of one Embodiment of this invention. It is a figure for demonstrating operation of one Embodiment of this invention. It is a figure for demonstrating operation of one Embodiment of this invention. It is a figure which shows the outline of the 1st Embodiment of this invention. It is a functional block diagram which shows the structure of the 1st Embodiment of this invention. It is a figure which shows an example of the information held in the management database of 1st Embodiment of this invention. It is a figure for demonstrating operation of 1st Embodiment of this invention. It is a functional block diagram which shows the structure of the 2nd Embodiment of this invention. It is a figure for demonstrating operation | movement of the 2nd Embodiment of this invention. It is a figure which shows the structure of the computer which comprises the data use side apparatus / data collection side apparatus of this invention.

First, an outline of one embodiment of the present invention will be described with reference to the drawings. It should be noted that the drawing reference reference numerals added to this outline are added to each element for convenience as an example for assisting understanding, and the present invention is not intended to be limited to the illustrated embodiment. Further, the connecting line between blocks such as drawings referred to in the following description includes both bidirectional and unidirectional. The one-way arrow schematically shows the flow of the main signal (data), and does not exclude interactivity. The program is executed via a computer device, which includes, for example, a processor, a storage device, an input device, a communication interface, and, if necessary, a display device. Further, the computer device is configured to be able to communicate with devices (including a computer) inside or outside the device via a communication interface, whether wired or wireless. Further, although there are ports or interfaces at the input / output connection points of each block in the figure, they are not shown. Further, in the following description, "A and / or B" is used to mean at least one of A and B.

In one embodiment of the present invention, as shown in FIG. 1, a data collecting side device 10 including a command receiving unit 11, an authentication processing unit 12, a command executing unit 13, and a data communication unit 14 Can be realized.

More specifically, as shown in FIG. 2, the command receiving unit 11 receives a port opening command with a designated port from the data user side device 20 via the wireless communication network (wireless communication NW in FIG. 1). To do.

Upon receiving the port open command, the authentication processing unit 12 executes the authentication process of the data user side device 20 that is the source of the port open command, as shown in FIG.

When the authentication of the data utilization side device 20 is successful, the command execution unit 13 executes the port opening command to open the port (communication port 15 in FIG. 1) as shown in FIG.

After opening the port (communication port 15 in FIG. 1), the data communication unit 14 performs data communication using the port in response to a request from the data utilization side device 20. After the data communication, the data collecting side device 10 preferably closes the port (communication port 15 in FIG. 1) at a predetermined timing as shown in FIG. Of course, it is also possible to adopt a configuration in which the port (communication port 15 in FIG. 1) is blocked by receiving the port block command from the data utilization side device 20.

Further, as shown in FIG. 1, the data utilization side device 20 corresponding to the data collection side device 10 includes a control content receiving unit 21, a command transmitting unit 22, an authentication processing unit 23, and a remote control unit 24. To be equipped.

The control content receiving unit 21 receives the control content for the data collecting side device 10 from the user.

The command transmission unit 22 generates a port open command that specifies the port of the data collection side device based on the control content, and transmits the port open command to the data collection side device 10 via the wireless communication network.

The authentication processing unit 23 executes the authentication process of the data collection side device. Then, the remote control unit 24 performs data communication using the port based on the control content received from the user after the authentication process of the data collection side device.

According to the above configuration, it is possible to reduce the security risk of the data collecting side device 10 without impairing the convenience of the user. The reason is that a configuration is adopted in which a port is opened only when necessary by a port opening command via a wireless communication network, and then data is provided to the data user side device 20 after successful authentication.

[First Embodiment]
Subsequently, the first embodiment of the present invention will be described in detail with reference to the drawings. First, the outline of the first embodiment will be described with reference to FIG. With reference to FIG. 6, a configuration is shown in which a user on the data user side can access the operation target device via the carrier network and the Internet. A typical example of the operation target device is an IoT device or a management server for remote access that relays data from the IoT device. In the following description, the operation target device is a management server for remote access, and the description will be made on the premise of a configuration in which the management server is accessed remotely (data user side) and data is transferred.

As shown in FIG. 6, the access port to the operation target device (management server) is normally blocked (port CLOSE in FIG. 6). The operation target device (management server) is provided with a "temporary port access function" that temporarily opens the access port when accessing from a remote (data user side).

This "temporary port access function" is realized by the following first to fourth means. The first means is a means for receiving a port open instruction by an encrypted SMS from the remote side ((1) port open instruction in FIG. 6). Further, this first means has a function of decoding the received SMS and extracting a command to be executed. Therefore, this first means corresponds to the command receiving unit 11 described above.

The second means is a means for inquiring the execution authority to the outside and executing the authentication process by using the SMS reception in the first means as a trigger ((2) authentication in FIG. 6). The authentication process may be performed with a remote (data user side) terminal or the like, or may inquire of a predetermined ACL (Access Control List) server or the like whether or not there is an access right. In this embodiment, it is assumed that the remote (data user side) IoT control server has an IoT device management function. This second means corresponds to the above-mentioned authentication processing unit 12.

The third means is an operation target device (management server) on condition that the validity of the remote (data user side) is confirmed by the two-step authentication process that combines the first means and the second means. It is a means to open the access port to. The access port to the operation target device (management server) is in the open state ((3) port open, port OPEN in FIG. 6). This third means corresponds to the command execution unit 13 described above. After opening the access port, data is provided from the operation target device to the remote (data user side) ((4) control by command execution in FIG. 6 and (5) result acquisition).

The fourth means is a means for blocking the corresponding access port triggered by the termination of communication using the released access port ((6) port blockage, port CLOSE in FIG. 6).

With the above configuration, it is possible to reduce the risk that the communication port for remote access becomes the target of an attack. Further, in the above configuration, the SMS is encrypted and the first means adopts the configuration of decrypting the SMS, so that it is possible to prevent a spoofing attack using the SMS by a malicious third party. It is possible.

Subsequently, the configuration of the above-mentioned first embodiment will be specifically described with reference to an example. FIG. 7 is a functional block diagram showing the configuration of the first embodiment of the present invention. With reference to FIG. 7, a configuration is shown in which the carrier network, the IoT control server 200 positioned as a data utilization side device, and the management server 100 for remote access are connected via the Internet. Further, the IoT device 300 is connected to the management server 100. Therefore, the management server 100 is positioned as a data collection side device.

<IoT control server>
The IoT control server 200 includes a command input unit 201, an encrypted SMS transmission unit 202, and an IoT device management unit 203.

When the command input unit 201 receives the SMS input to be transmitted from the user to the IoT device 300, the command input unit 201 sends it to the encrypted SMS transmission unit 202. In the present embodiment, the command input unit 201 functions as the control content receiving unit 21.

The encrypted SMS transmission unit 202 encrypts the body portion of the SMS using the encryption key information stored in the management database (management DB) 400, and transmits the encrypted SMS to the management server 100. In the present embodiment, the encrypted SMS transmission unit 202 functions as the command transmission unit 22.

The IoT device management unit 203 manages the execution authority regarding port opening by the management agent 110 in the management server 100. Specifically, when the IoT device management unit 203 receives a request for acquisition of execution authority information from the management agent 110, the IoT device management unit 203 executes an authentication process using the management agent 110 and the MQTT protocol (first protocol). When the execution authority of the management agent 110 can be confirmed as a result of the authentication process, the IoT device management unit 203 returns the execution authority information stored in the management DB 400 to the management agent 110. Further, the IoT device management unit 203 makes a data transfer request to the management agent 110 using the MQTT protocol. Therefore, in the present embodiment, the IoT device management unit 203 functions as the authentication processing unit 23 and the remote control unit 24. In addition, MQTT is an abbreviation for Message Queuing Telemetry Transport.

<Management server>
The management server 100 requests the SMS decoding unit 101 that decodes the SMS from the IoT control server 200, the command execution unit 104 that executes the port opening process, and the IoT control server 200 to transmit execution authority information. It includes an MQTT communication unit 103 that responds to a data transmission request from the IoT control server 200.

Hereinafter, it is assumed that the management agent 110 for realizing each of the above functions is installed in the management server 100. An ID (agent ID) that is uniquely identified is assigned to the management agent 110. Of course, all or part of the functions realized by the management agent 110 may be configured by other programs or hardware.

The SMS decoding unit 101 extracts the Body unit from the SMS received from the IoT control server 200, performs decoding, and extracts the command. At that time, the SMS decoding unit 101 analyzes the information in the SMS header and discards the SMS from the unauthorized source and the SMS that cannot be decrypted (including the case where it is not encrypted). In this embodiment, the SMS decoding unit 101 functions as the command receiving unit 11.

The MQTT communication unit 103 communicates with the IoT control server 200 by using the MQTT protocol. At the time of this communication, the MQTT communication unit 103 uses the ID of the management agent 110 to perform MQTT authentication between the IoT servers. Therefore, the MQTT communication unit 103 functions as the authentication processing unit 12 and the data communication unit 14 described above.

The command execution unit 104 inspects the command received from the IoT control server 200, and then executes the command. As a result of the above inspection, when it is determined that the command is a normal port opening command, the command execution unit 104 requests the IoT control server 200 to acquire the execution authority information via the MQTT communication unit 103. If it is determined as an invalid command as a result of the inspection, the command execution unit 104 does not request the IoT control server 200 to acquire the execution authority information.

<Management DB>
The management DB 400 holds execution authority information for the management agent 110 to execute port opening, an encryption key used for SMS encryption by the encrypted SMS transmission unit 202, and the like.

FIG. 8 is an example of a table used for managing execution authority information and encryption key in the management DB 400. In the example of FIG. 8, a table that manages the SMS destination, the execution authority information, and the SMS encryption key in association with each agent ID is shown. The agent ID is identification information for uniquely identifying the management agent 110.

In the SMS destination field, a telephone number (MSISDN number) that is the destination of the encrypted SMS addressed to the management server 100 is set. The MSISDN number is an abbreviation for Mobile Subscriber Integrated Services Digital Network Number.

In the execution authority information field, execution authority information such as port opening authority given to the management agent is set. In addition, as this execution authority information, the password corresponding to the port opening authority and the like may be stored.

In the SMS encryption key field, encryption key information for encrypting the body part of SMS is stored.

Of course, the mode of managing the execution authority information and the encryption key is not limited to the above example, and various changes can be made. For example, information other than port opening authority can be set in the execution authority information field.

Subsequently, the operation of the present embodiment will be described in detail with reference to the drawings. FIG. 9 is a diagram for explaining the operation of the first embodiment of the present invention. In the following description, a website (not shown) for users for using each function of the IoT control server 200 has already been constructed, and the user accesses the IoT control server 200 via the website and is required. It is assumed that the instruction is input. Further, the management agent 110 will be described as being installed in the management server 100.

(Step S1) The user inputs a "device data collection command" to the IoT device from the website.

(Step S2) The IoT control server 200 puts a "command to open a port and a port number to open" on the SMS to the management server 100, encrypts it, and then transmits it as an encrypted SMS. Here, it is assumed that the SMS with the command requesting the opening of the port A is transmitted to the SMS destination 08012345678 of FIG.

(Step S3) Upon receiving the encrypted SMS, the management agent 110 of the management server 100 decrypts the body portion of the SMS and retrieves the command. The management agent 110 sends the fetched command to the command execution unit 104.

(Step S4) When the command execution unit 104 confirms that the command is a formal command, the command execution unit 104 indicates its own agent ID AAA to the IoT control server 200 and requests execution authority information. Here, as the execution authority information, a password corresponding to the port opening authority or the like can also be used. In this case, the command execution unit 104 requests the IoT control server 200 to input the password.

(Step S5) The IoT control server 200 searches the management DB 400 using the agent ID received from the management agent 110 as a key, and authenticates by confirming the corresponding execution authority information or the corresponding password. Here, since the execution authority information "port A open authority" or the password of the agent ID AAA is found, the IoT control server 200 returns the execution authority information or the password.

(Step S6) The management agent 110 opens the port A of the number specified by SMS based on the execution authority information or the password. Further, the management agent 110 notifies the IoT control server 200 that the port A has been opened.

(Step S7) The IoT control server 200 executes the “device data collection command” specified by the user. As a result, the IoT device is accessed using the opened port A.

(Step S8) The management agent 110 transmits the execution result (device data) of the “device data collection command” to the IoT control server 200 in response to the “device data collection command”.

(Step S9) When the management agent 110 detects that the corresponding port is in a non-communication state for a certain period of time, it blocks the communication port 105 (port A). That is, the management agent 110 realizes a port blocking function that closes the port used for communication with the IoT control server (data utilization side device) at a predetermined timing.

According to the combination of the IoT control server 200 and the management server that operate as described above, it is possible to operate the management server separately from the Internet (close the port) without impairing convenience.

Further, according to the present embodiment, since the SMS is encrypted, it is possible to prevent spoofing attacks.

[Second Embodiment]
Although the above-described first embodiment has been described on the premise of remote access from the IoT control server 200 side, the scope of application of the present invention is not limited to this. FIG. 10 is a diagram showing a configuration of a second embodiment of the present invention. The difference from the first embodiment shown in FIG. 7 is that the management server 100a has an encrypted SMS transmission function, and the IoT control server 210 opens and closes a data reception port.

More specifically, the encrypted SMS transmission unit 111a, the MQTT communication unit 113a, and the data transmission unit 114a are arranged on the management server 100a side. The encrypted SMS transmission unit 111a and the MQTT communication unit 113a on the management server side have the same functions as the encrypted SMS transmission unit 202 and the MQTT communication unit 103 of the first embodiment. Further, the data transmission unit 114a transmits the data collected from the IoT device 300 to the IoT control server 210. Further, as in the first embodiment, each function on the management server 100a side is configured by the management agent 110a.

Further, on the IoT control server 210 side, an SMS decoding unit 212, an IoT device management unit 213, a command execution unit 214, and a communication port 205 are arranged, and a management DB 400 is connected to them. Further, the SMS decoding unit 212, the IoT device management unit 213, and the command execution unit 214 on the IoT control server 210 side are the same as the SMS decoding unit 101, the IoT device management unit 203, and the command execution unit 104 of the first embodiment, respectively. It has the function of. Further, in the following description, it is assumed that the communication port 205 of the IoT control server 210 is the port A. Further, the management DB 400 holds execution authority information for the management agent 110a to execute port opening, an encryption key used for SMS encryption by the encrypted SMS transmission unit 111a, and the like, as in the first embodiment. ..

In this second embodiment, as described below, the management server 100a actively transmits the data collected from the IoT device 300 to the IoT control server 210. Hereinafter, the operation of the present embodiment will be described in detail with reference to FIG.

(Step S11) When uploading data, the management server 100a encrypts the body including the command to open the communication port 205 of the IoT control server 210 to the IoT control server 210, and then uses it as an encrypted SMS. Send. It is assumed that the encryption key used for SMS encryption here is distributed to the management server 100a in advance.

(Step S12) Upon receiving the encrypted SMS, the SMS decoding unit 212 of the IoT control server 210 decodes the SMS Body unit, extracts the command, and sends the extracted command to the command execution unit 214.

(Step S13) When the command execution unit 214 confirms that the command is a formal command, the command execution unit 214 requests the agent ID from the management server 100a via the IoT device management unit 213.

(Step S14) The management server 100a transmits an agent ID to the IoT control server 210.

(Step S15) The IoT control server 210 searches the management DB 400 using the agent ID received from the management server 100a as a key, and authenticates by confirming the corresponding execution authority information. Here, since the execution authority information "port A open authority" of the agent ID AAA is found, the IoT control server 210 opens the communication port 205 (port A) by using the execution authority information. Further, the IoT control server 210 notifies the management agent 110a that the port A has been opened.

(Step S16) The management agent 110a of the management server 100a uploads data to the IoT control server 210 using the opened port A.

(Step S17) When the IoT control server 210 detects that the corresponding port is in a non-communication state for a certain period of time, it blocks the communication port 205 (port A).

As described above, also in the present embodiment, as in the first embodiment, it is possible to perform an operation in which the port is closed except when necessary without impairing the convenience.

Further, in step S15, the IoT control server 210 may notify the management agent 110a of the opened port. By dynamically specifying the communication port in this way, security can be further improved.

Although each embodiment of the present invention has been described above, the present invention is not limited to the above-described embodiment, and further modifications, substitutions, and adjustments are made without departing from the basic technical idea of the present invention. Can be added. For example, the network configuration, the configuration of each element, and the expression form of the message shown in each drawing are examples for assisting the understanding of the present invention, and are not limited to the configurations shown in these drawings.

For example, in the above-described embodiment, the management servers 100 and 100a for remote access are arranged between the IoT control servers 200 and 210 and the IoT device 300. However, the present invention has been applied. The scope is not limited to these forms. For example, by installing the same management agent as the management servers 100 and 100a in the IoT device 300, it is possible to realize the same port opening and closing and data transfer as in the first and second embodiments.

In addition, the procedure shown in the first and second embodiments described above realizes the functions as these devices in the computers (9000 in FIG. 12) that function as the management servers 100 and 100a and the IoT control servers 200 and 210. It can be realized by the program to make it. Such a computer is exemplified in a configuration including a CPU (Central Processing Unit) 9010, a communication interface 9020, a memory 9030, and an auxiliary storage device 9040 in FIG. That is, the CPU 9010 in FIG. 12 may execute the SMS encryption program or the authentication processing program, and update the calculation parameters held in the auxiliary storage device 9040 or the like.

That is, each part (processing means, function) of the management server and the IoT control server shown in the first to second embodiments described above uses the hardware of the processor mounted on these devices as described above. It can be realized by a computer program that executes each process.

Finally, a preferred embodiment of the present invention is summarized.
[First form]
(Refer to the data collection side device from the first viewpoint above)
[Second form]
The data collection side device described above preferably includes a port closing portion that closes the port at a predetermined timing.
[Third form]
The port open command with the specified port is preferably transmitted by using the short message service.
[Fourth form]
The port open command for which the port is designated is encrypted by a predetermined encryption method, and it is preferable that the authentication processing unit starts the authentication processing when the decryption is successful.
[Fifth form]
It is preferable that the authentication of the data utilization side device and the data communication with the data utilization side device are performed by using the MQTT protocol.
[Sixth form]
A command transmitter that sends a port open command with a specified port to the data user device via the wireless communication network.
An authentication processing unit that executes the authentication processing of the data user side device, and
After the authentication process of the data user side device, a data transmission unit that transmits data to the data user side device using the port,
Data collection side device equipped with.
[7th form]
(Refer to the data user side device from the second viewpoint above)
[8th form]
It is preferable that the above-mentioned data utilization side device transmits a port open command specifying the port by using the short message service.
[9th form]
It is preferable that the command transmission unit of the data utilization side device described above encrypts the port opening command by a predetermined encryption method and then transmits the command.
[10th form]
A command receiver that receives a port open command with a specified port from a data collection device via a wireless communication network.
An authentication processing unit that executes the authentication processing of the data collection side device, and
When the authentication of the data collection side device is successful, the command execution unit that executes the port open command to open the port, and
A data receiving unit that receives data using the port in response to a request from the data collecting side device, and a data receiving unit.
Data user side device equipped with.
[11th form]
(Refer to the communication method from the third viewpoint above)
[12th form]
(Refer to the communication method from the fourth viewpoint above)
[13th form]
(Refer to the program from the fifth viewpoint above)
The 11th to 13th forms can be developed or transformed into the 2nd to 6th and 8th to 10th forms in the same manner as the 1st and 7th forms.

The disclosures of the above patent documents shall be incorporated into this document by citation. Within the framework of the entire disclosure (including the scope of claims) of the present invention, it is possible to change or adjust the embodiments or examples based on the basic technical idea thereof. Further, within the framework of the disclosure of the present invention, various combinations or selections (parts) of various disclosure elements (including each element of each claim, each element of each embodiment or embodiment, each element of each drawing, etc.) (Including target deletion) is possible. That is, it goes without saying that the present invention includes all disclosure including claims, various modifications and modifications that can be made by those skilled in the art in accordance with the technical idea. In particular, with respect to the numerical range described in this document, it should be interpreted that any numerical value or small range included in the range is specifically described even if there is no other description.

10 Data collection side device 11 Command reception unit 12 Authentication processing unit 13 Command execution unit 14 Data communication unit 15, 105, 205 Communication port 20 Data user side device 21 Control content reception unit 22 Command transmission unit 23 Authentication processing unit 24 Remote control unit 100, 100a Management server 101, 212 SMS decoding unit 103, 113a MQTT communication unit 104, 214 Command execution unit 110, 110a Management agent 111a, 202 Encrypted SMS transmission unit 114a Data transmission unit 200, 210 IoT control server 201 Command input unit 203, 213 IoT device management department 300 IoT device 400 management database 9000 computer 9010 CPU
9020 Communication interface 9030 Memory 9040 Auxiliary storage

Claims (10)

A command receiver that receives a port open command that specifies a port from a data user device via a wireless communication network.
An authentication processing unit that executes authentication processing for the data user side device that is the source of the port open command, and
When the authentication of the data user side device is successful, the command execution unit that executes the port open command to open the port, and
A data communication unit that performs data communication using the port in response to a request from the data user side device, and
Data collection side device equipped with. Further, the data collection side device according to claim 1, further comprising a port closing function for closing the port at a predetermined timing. The port open command for which the port is specified is the data collection side device according to claim 1 or 2, which is transmitted by using the short message service. The port open command for which the port is designated is encrypted by a predetermined encryption method, and the authentication processing unit starts the authentication processing when the decryption is successful. Any one of claims 1 to 3. Data collection side device. The data collection side device according to any one of claims 1 to 3, wherein the data user side device is authenticated and data communication with the data user side device is performed by using the MQTT protocol. A command transmitter that sends a port open command with a specified port to the data user device via the wireless communication network.
An authentication processing unit that executes the authentication processing of the data user side device, and
After the authentication process of the data user side device, a data transmission unit that transmits data to the data user side device using the port,
Data collection side device equipped with. A control content receiver that receives control content from the user to the data collection side device,
A command transmission unit that generates a port open command that specifies a port of the data collection side device based on the control content and transmits the port to the data collection side device via the wireless communication network.
An authentication processing unit that executes the authentication processing of the data collection side device, and
After the authentication process of the data collection side device, a remote control unit that performs data communication using the port based on the control content received from the user, and a remote control unit.
Data user side device equipped with. A command receiver that receives a port open command with a specified port from a data collection device via a wireless communication network.
An authentication processing unit that executes the authentication processing of the data collection side device, and
When the authentication of the data collection side device is successful, the command execution unit that executes the port open command to open the port, and
A data receiving unit that receives data using the port in response to a request from the data collecting side device, and a data receiving unit.
Data user side device equipped with. Receive a port open command with a specified port from the data user device via the wireless communication network.
The authentication process is executed using the data user side device that is the source of the port open command and the first protocol.
If the authentication of the data user side device is successful, the port open command is executed to open the port.
Using the first protocol, data communication using the port is performed in response to a request from the data user side device.
Communication method. Receive the control content for the data collection side device from the user,
Based on the control content, a port open command that specifies the port of the data collection side device is generated and transmitted to the data collection side device via the wireless communication network.
The authentication process is executed using the data collection side device and the first protocol.
After the authentication process with the data collection side device, data communication using the port based on the control content received from the user is performed.
Communication method.

Images