JP3940670B2 - Wireless communication system, wireless communication apparatus, and wireless communication method - Google Patents

Description

[0001]
BACKGROUND OF THE INVENTION
The present invention relates to a radio communication system, a radio communication apparatus, and a radio communication method, and more particularly to a radio communication system including a plurality of radio terminal apparatuses and access points.
[0002]
[Prior art]
Non-Patent Document 1 discloses a wireless LAN system based on IEEE802.11 (IEEE802.11 system includes IEEE802.11a system and IEEE802.11b system). In this wireless LAN system, a method called WEP (Wired Equivalent Privacy) that can ensure privacy in the same way as wired is applied as an encryption method. Accordingly, the wireless LAN security level based on IEEE 802.11 includes a WEP mode to which WEP is applied and a non-WEP mode to which WEP is not applied.
[0003]
In an actual wireless LAN product conforming to IEEE 802.11, communication is possible in either a WEP mode to which an encryption method called WEP is applied or a non-WEP mode to which WEP is not applied, and WEP is applied. In the WEP mode, there are 64-bit and 128-bit encryption modes having different encryption levels, and any one of them is applied to each communication or each connection link in the wireless LAN to realize communication. Here, it means that the higher the level of encryption, the higher the security level and the stronger the encryption.
[0004]
As one form of a wireless LAN according to IEEE 802.11, it is composed of one access point (hereinafter also referred to as a base station) and a plurality of wireless clients (hereinafter also referred to as terminals) connected to this access point. There is a BSS (Basic Service Set) structural unit, and there is a system in which a plurality of BSSs are prepared and a network is constructed.
[0005]
A structural element that connects the BSSs is called a DS (Distribution System). The base station, that is, the access point has a function of connecting to the DS, and information is transmitted between the BSS and the DS via the access point. Therefore, the terminal can communicate with terminals belonging to other BSS via the access point.
[0006]
A terminal belongs to a BSS, and in order to communicate with a terminal belonging to another BSS via a base station, an authentication procedure and an association procedure are performed with the base station. In addition, a reassociation procedure is executed when the terminal wirelessly reconnects to another access point.
[0007]
In a wireless LAN determined by IEEE 802.11, as a type of frame to be exchanged, a control frame for access control, a management frame including a beacon, and a data frame for data communication (Data frame). Here, a management frame is used for the processing of authentication, association, and rear association.
[0008]
When a terminal transmits / receives a data frame to / from an access point, authentication and association processing is always executed before that.
[0009]
In a wireless LAN determined by IEEE 802.11, the terminal inquires of the base station whether or not to use WEP, which is an encryption method. That is, in the authentication request, the terminal requests the base station to use WEP, and if the base station that has received this request can use WEP, the terminal can The authentication frame is sent and received. WEP can be used based on the transmission and reception of such an authentication frame.
[0010]
As another form of wireless LAN defined in IEEE802.11, there is a BSS that exists independently of the existing infrastructure, and this is referred to as an IBSS (Independent Basic Service Set). In IBSS, no access point is prepared, and IBSS corresponds to a communication mode in which terminals directly communicate with each other. In IBSS, the association process is not executed, and similarly, the rear association process is not executed. In this IBSS, a data frame can be transmitted and received even if authentication processing is not performed between terminals.
[0011]
[Non-Patent Document 1]
ISO / IEC 8802-11: 1999 (E) ANSI / IEEE Std 802.11, 1999 edition
[0012]
[Problems to be solved by the invention]
As described above, in the conventional wireless LAN, communication data is encrypted as one of the security measures. Whether or not to use the encryption function (WEP function) at the time of communication is requested from the side that issued the connection request, for example, the side that received the connection request from the terminal, for example, the access point. Upon receiving this request, the base station side accepts the request and encrypts data communication with the terminal if the WEP function meeting the request can be used. In addition, the security level at which communication is performed is determined on the initiative of the connection requester.
[0013]
In the future, in addition to WEP, it is estimated that a plurality of types of encryption schemes having different encryption levels such as encryption schemes having a higher security level than WEP will be adopted for the wireless LAN. Therefore, it is required that a fine security level can be set according to the type of encryption method, the encryption level, and the like.
[0014]
However, in a conventional wireless LAN, for each BSS, not only can a minimum encryption level be predetermined for ensuring security, but a system that only allows communication with encryption having a higher level cannot be created. During communication, there is a problem that a fine security level according to the type of encryption method, encryption strength, etc. cannot be set.
[0015]
Further, since IBSS does not require authentication when transmitting a data frame, there is a problem that it is not possible to ensure security in the system by transmitting an unencrypted data frame.
[0016]
Also, for each BSS, it is not possible to ensure the security level determined for each BSS in DS communication in which communication is performed between a plurality of BSSs as well as the security level predetermined for the BSS cannot be ensured. There is a problem.
[0017]
The present invention has been made in view of the circumstances described above, and an object of the present invention is to provide a wireless communication system, a wireless communication apparatus, and a wireless communication apparatus that can perform wireless communication while ensuring a minimum security level by encryption predetermined in a communication group. To provide a wireless communication method.
[0018]
[Means for Solving the Problems]
According to this invention,
A receiving unit for receiving a first transmission frame having a first field in which a notification security level is described from a wireless communication device outside the communication group;
A memory unit storing a reference security level selected from an encryption method including non-encryption and a security level depending on the strength of encryption, and assigned to the wireless communication group;
The notification security level is compared with the reference security level to determine connection refusal or connection permission with a wireless communication device outside the wireless communication group, and a second field in which the determined connection refusal or connection permission is described A frame generator for generating a second transmission frame having; and
A transmission unit for transmitting the second transmission frame to a wireless communication device outside the wireless communication group;
A wireless communication device belonging to the wireless communication group is provided.
[0019]
Moreover, according to this invention,
In a wireless communication system including a first wireless communication device belonging to a wireless communication group and a second wireless communication device outside this wireless communication group, the first wireless communication device is
A receiving unit for receiving a first transmission frame having a first field in which a notification security level is described from the second wireless communication device;
A first memory unit storing a reference security level selected from an encryption method including non-encryption and a security level depending on the strength of encryption, and assigned to the wireless communication group;
A second field having a second field in which the notification security level is compared with the reference security level to determine connection refusal or connection permission with the second wireless communication apparatus, and the determined connection refusal or connection permission is described. A first frame generator for generating two transmission frames; and
A transmission unit for transmitting the second transmission frame toward the second wireless communication device;
A wireless communication system is provided.
[0020]
Furthermore, according to the present invention,
Receiving a first transmission frame having a first field in which a notification security level is described from outside the communication group;
Selected from an encryption method including non-encryption and a security level depending on the strength of encryption, and storing a reference security level assigned to the wireless communication group;
The notification security level is compared with the reference security level to determine connection refusal or connection permission with a wireless communication device outside the wireless communication group, and a second field in which the determined connection refusal or connection permission is described Generating a second transmission frame having, and
A wireless communication method is provided, wherein the second transmission frame is transmitted to a wireless communication device outside the wireless communication group.
[0021]
DETAILED DESCRIPTION OF THE INVENTION
Hereinafter, an embodiment according to a wireless communication system of the present invention will be described with reference to the drawings.
[0022]
First, in the wireless LAN system in the following embodiment, a plurality of types of encryption methods can be applied, the types of the encryption methods are distinguished, and the security level ranking the encryption levels is determined in advance. Assuming that there are different levels in each of the plurality of types of encryption schemes, each encryption level in the certain type of encryption scheme is ranked according to the degree of encryption strength. Security level is set. Therefore, even if the encryption strength is the same, if the type of encryption method is different, a different security level is given. For example, as the security level, enc. 0, enc. 1, enc. 2, ... enc. It is assumed that there are n pieces as in (n-1). Even if there are a plurality of types of encryption methods having the same strength, security levels having different ranks are set for each type. In this way, one type of encryption method corresponds to one security level, and even if there are multiple levels due to differences in encryption strength even in the same type of encryption method, each of them. A security level corresponding to each level is determined.
[0023]
In the wireless LAN system defined in the current IEEE802.11, the minimum level of security corresponds to a level where no encryption is performed, that is, WEP (Wired Equivalent Privacy) is not applied.
[0024]
In the wireless LAN product according to the current IEEE802.11 standard, even when WEP is applied, there are two levels in which WEP is further configured with 64 bits or 128 bits. Therefore, in the example of the following embodiment, (1) “without WEP” and (2) “with WEP” use 64-bit WEP as a plurality of security levels, as in the case of a wireless LAN complying with the current IEEE802.11. A case where there are three levels “, (3)“ use 128-bit WEP with WEP ”will be described as an example. In this case, the highest security is (3) “use 128-bit WEP with WEP”, followed by (4) “use 64-bit WEP with WEP”. Yes. That is, “enc.0” corresponds to (1) “no WEP”, “enc.1” corresponds to (2) “uses WEP and uses 64-bit WEP”, and “enc.2” ( 3) It corresponds to “use 128-bit WEP with WEP”.
[0025]
In the following description, the case of only one type of encryption method called WEP will be described. However, even if the encryption method is other than WEP, as long as a plurality of levels can be set according to the difference in the type of encryption method and the strength of the security, any encryption method can be used as in the description of the following embodiment. The present invention can also be applied to the conversion method.
[0026]
In the following embodiments of the present invention, the case where the present invention is applied to a wireless LAN system defined in IEEE 802.11 will be described. In particular, a case will be described in which the wireless communication apparatus of the present invention is applied to a base station or terminal constituting a wireless LAN system defined in IEEE 802.11.
[0027]
(First embodiment)
First, as a wireless communication system according to the first embodiment of the present invention, a plurality of terminals, for example, two terminals (WL11 to WL12) and a base station AP1 to which the terminals (WL11 to WL12) are wirelessly connected are one BSS. A communication system constituting a (basic service set) will be described.
[0028]
FIG. 1 schematically shows a first BSS (hereinafter simply referred to as BSS1). The BSS1 includes a base station AP1 as an access point and a plurality of terminals connected to the base station AP1, for example, two wireless terminals (hereinafter referred to as terminals) WL11 and WL12.
[0029]
FIG. 1 also shows a base station AP2 belonging to a second BSS (hereinafter simply referred to as BSS2) different from the first BSS1, and a terminal WL13 that has not joined the BSS1 and BSS2.
[0030]
The lowest security level (enc_low) allowed in the BSS1 is set. In the wireless communication system according to this embodiment, the lowest security level (enc_low) allowed in the BSS1 is assumed to be the security level “enc.1”. FIG. 1 shows that the lowest allowable security level (enc_low) is the security level “enc.1”, enc_low = enc. 1 is shown. In addition to the security level “enc.1”, the base station AP1 also supports a security level “enc.2” that is higher than the security level “enc.1”. Therefore, the highest security level (enc_high) that can be used in the BSS1 is “enc.2”. In FIG. 1, enc_high = enc. Indicates that the highest security level (enc_high) is “enc.2”. 2. It is preset in the base station AP1 that the base station AP1 and a terminal or base station connected to the base station AP1 can communicate with each other at a security level of “enc.1” or higher. Similarly, it is set in advance in the base station AP1 that communication with a terminal or base station for relaying the base station AP1 to communicate with other devices is performed at a security level of “enc.1” or higher. Has been.
[0031]
On the other hand, the security level of the terminal WL11 is “enc.0” and “enc.1”, and the security level of the terminal WL12 is “enc.0”, “enc.1”, and “enc.2”. To do.
[0032]
FIG. 2 shows a block diagram of a circuit configuration of the base station AP1 shown in FIG. In the following description, when it is not necessary to distinguish between the base station AP1 and the base station AP2, or when the description is common to both, it is simply referred to as the base station AP.
[0033]
In FIG. 2, the reception unit 11 receives a transmission signal from the terminal by the antenna 20, and generates a reception signal by processing including demodulation and decoding. The transmission unit 12 generates transmission signals to be transmitted to the terminal via the antenna 20, and these transmission signals are supplied to the antenna 20.
[0034]
The reception signal from the reception unit 11 is input to the reception control unit 13, for example, an IEEE802.11 system (in the following description, the IEEE802.11 system is an IEEE802.11a system, an IEEE802.11b system, and an IEEE802 to be developed in the future). .11 system is also included). The reception control unit 13 executes a decoding process corresponding to each of a plurality of security levels supported by the base station, and the received signal is decrypted and converted into composite data. The composite data is supplied to the information processing unit 15 and divided into video, audio, text, and other types of data, and necessary processing is performed.
[0035]
The transmission control unit 14 generates predetermined data to be transmitted to the terminal based on the data supplied from the information processing unit 15 or to be transmitted by unicast. To implement. The transmission control unit 14 applies encryption processing corresponding to each of a plurality of security levels supported by the base station to data to be transmitted. Data generated by the transmission control unit 14 is transmitted to the terminal as a transmission signal via the transmission unit 12. The security table 21 shown in FIG. 2 will be described later.
[0036]
FIG. 3 schematically shows an example of the circuit configuration of the terminals WL11, WL12, and WL13 shown in FIG. 1 in blocks. In the following description, when it is not necessary to distinguish the terminals WL11, WL12, WL13, or the like, or when the description is common to all terminals, they are simply referred to as terminals WL.
[0037]
The terminal WL includes an antenna 100, a reception unit 101 that receives a reception signal via the antenna 100, a reception control unit 105 that controls the reception unit 101, a transmission unit 107 that transmits a transmission signal via the antenna 100, and the transmission unit 107. A transmission control unit 106 that controls the data, or a data processing unit that generates data to be transmitted or processes received data, for example, displays on a display unit (not shown), and a security table 110.
[0038]
The information processing unit 108 receives data from the wired network 109 connected to the information processing unit 108 or creates transmission data based on data generated by a user operation. The transmission data is transmitted to the transmission unit 107 in response to the transmission request when a transmission request is generated by the user instructing transmission of the transmission data. In the transmission unit 107, this transmission data is converted into digital data defined by the standard, for example, an IP packet is converted into a MAC frame (medium access control frame) defined by IEEE 802.11, and a MAC frame as digital data is converted into a digital data. It is converted into a radio signal having a predetermined frequency, for example, 2.4 GHz, and is transmitted as a radio wave from the antenna 100.
[0039]
On the other hand, the received signal received by the antenna 100 is converted into a MAC frame as digital data by the receiving unit 101, and the received data is extracted from the information field in this MAC frame and sent to the information processing unit 108. The information processing unit 108 performs processing such as displaying received data on a display. Note that the information processing unit 108 may perform various types of information processing other than the above. The security table 110 will be described later.
[0040]
As shown in FIG. 4, a MAC frame defined by IEEE 802.11 has a MAC header of up to 30 bytes containing various control information, a data field (frame body) containing data of up to 2312 bytes, and data It consists of a frame check sequence (FCS) field to check whether it was sent correctly. The MAC header includes a frame control field in which information for controlling the MAC frame is stored, a waiting time (duration) until the terminal can send data, or an ID of the terminal referred to as an association ID in IEEE 802.11 Duration / IDfield in which is described. If the BSS includes the base station AP, the MAC address of the base station AP is described as the ID of the BSS. In the MAC header, a field from address 1 to a field from address 4 and a sequence control field are prepared. When a data frame is transmitted from one access point to another access point, addresses 1 to 4 are assigned as follows. That is, the MAC address of the final destination (Destination Address) in the communication system is described in the address 1 field, and the MAC address of the transmission source (Source Address) in the communication system is described in the address 2 field. In the address 3 field, the MAC address of the transmission destination that directly sends the MAC frame is described. In the address 4 field, the MAC address of the transmission source that directly sends the MAC frame is described.
[0041]
In the frame control of the MAC frame, a protocol version field in which a protocol version is described is provided, followed by a type field and a subtype field. There are the following three types of MAC frames, and these types are described in the type field (2 bits) in the frame control. Also, the subtype of that type is shown in more detail in the subtype field (4 bits). That is, there are (1) management frame, (2) control frame for access control, and (3) data communication data frame as types. (1) The management frame includes a beacon (Beacon), an authentication (Authentication) frame, an association (Association) frame, an association request frame, an association response frame, and the like. Also, (2) control frames include control frames such as ACK (Acknowledgement), RTS (Return To Send), and CTS (Clear To Send) as subtypes. In the subtype field (4 bits), the subtype in the specific kind of MAC frame as described above is shown in more detail.
[0042]
The frame control includes a To DS field (1 bit) and a From DS field (1 bit). These are used when the MAC frame is a data frame. In other types of frames, for example, authentication or association frames, “0” is always written and used. Not. When the MAC frame is a data frame, if the data destination is a wired LAN, access point or DS, 1 bit is described in this To DS field, and the data transmission source is a wired LAN, access point or DS. If so, a 1 bit is described in the From DS field. The frame control further includes other fields such as a reserved field, a WEP field, and an order field. Information can be written in a reserved field that has not yet been specified by the user. As shown in FIG. 4, some fields are reserved according to either the frame type and subtype or the frame type and subtype. In the embodiment of the present invention, as described later, an encryption level may be described in this reserved field. This encryption level is determined according to the attribute of the transmission data. If the content data requires confidentiality, a high encryption level is determined, and the encryption level is described in the reserved field. The encryption level of the reserved field may be used when handshaking between the access point and the terminal. In the WEP field, 1 bit is set when WEP is used.
[0043]
The BSS 1 will be described with reference to FIG. 1 again.
[0044]
In the BSS1 shown in FIG. 1, it is predetermined that communication is executed at a minimum security level (here, “enc.1”) predetermined for the BSS1. That is, each of the base station AP1 and the terminals WL11 to WL12 configuring the BSS1 has a security level “enc.1” or “enc.1” or higher within the range of the security level supported by the base station AP1. Communication at the security level is executed.
[0045]
Each of the base station AP1 and the terminals WL11 to WL12 includes a storage unit, and a security table is provided in the storage unit. In the security table of the base station AP1, which security level is supported by the base station AP1 itself, which of the security levels is the lowest security level in the BSS1, and each of the terminals WL11 to WL12 supports it. The security level is stored. Preferably, it is information necessary for encryption / decryption at each security level, such as an encryption key or seed information for generating an encryption key (information necessary for such encryption / decryption). Are also simply referred to herein as cryptographic parameters). Each of the terminals WL11 to WL12 also includes a storage unit in which a security table is stored, and the lowest security level among the security levels supported by the BSS1, security levels supported by other terminals, Encryption parameters and the like corresponding to the security level are stored in the security table.
[0046]
As shown in FIG. 5, in the security table 21 of the base station AP1, the security level supported by the BSS1 to which the base station AP1 belongs and the security levels of all the terminals WL11 to WL12 belonging to the BSS1 are encryptions of the respective security levels. -Pre-registered with encryption parameters that are data required for decryption. In the security table 21, a security level set as the lowest security level in the BSS1 to which the base station AP1 belongs is registered so that it can be identified. In FIG. 5, “◯” marks indicating the lowest level are recorded for the security level “enc.1”.
[0047]
For example, in the case of WEP, the encryption parameters are assumed to be secret keys (key1, key2) and IV (Initialization Vector) defined in IEEE802.11. In the following description, the security level and encryption parameters corresponding to the security level may be referred to as security information.
[0048]
FIG. 6 shows the registered contents of the security table 110 of the terminals WL11 to WL12 in the BSS1. As shown in FIG. 6, the security information of each terminal in the BSS1 and the base station AP1 is registered in advance in the security table on the terminal side. As the security information corresponding to the base station AP1, as shown in FIG. 6, only the lowest level security information preset in the BSS1 to which the base station AP1 belongs may be registered. Further, the security table 110 on the terminal side may be exactly the same as the security table 21 on the base station side shown in FIG.
[0049]
Further, the security level of the base station AP1 and each terminal registered in the security table shown in FIGS. 5 and 6 may be higher than the minimum level predetermined in the BSS1. Furthermore, for security information corresponding to each terminal, only the security level used in actual communication may be registered in the BSS1. That is, when each terminal is directly linked to the access point, security information about the access point, or when linked directly to the terminal, security information about the terminal, which is supported by the terminals in the BSS. Each security information can be held in its security table.
[0050]
The security tables shown in FIGS. 5 and 6 are set when the BSS 1 is initialized. At the time of initial setting, for example, tables of the format shown in FIGS. 5 and 6 may be displayed as a setting screen, and setting items may be input on this screen. In the tables shown in FIGS. 5 and 6, AP1, WL1, and WL2 are specified by the MAC addresses of the base station AP1 and the terminals WL1 and WL2, respectively.
[0051]
Note that the security tables shown in FIGS. 5 and 6 do not have to be written with any information at the time of initialization. However, if the access point AP1 and the terminals WL1 and WL2 are linked in the non-encrypted mode as will be described later with reference to FIG. 7, the security information can be written. That is, the access point AP1 and the terminals WL1 and WL2 acquire the security information regarding the access point AP1 and the terminals WL1 and WL2, and write the security information in the respective security tables. Thereafter, the BSS1 is established by the access point AP1 and the terminals WL1 and WL2, and the BSS1. The minimum security level should be set.
[0052]
In the BSS1 shown in FIG. 1, communication is executed between the base station AP1 and the terminals WL11 to WL12 at a security level equal to or higher than the minimum security level “enc.1” preset for the BSS1.
[0053]
Next, the case where the terminal WL13 not subscribed to the BSS1 is connected to the base station AP1 of the BSS1 shown in FIG. 1 will be described with reference to the flowchart shown in FIG.
[0054]
The terminal WL13 receives a beacon frame defined in IEEE 802.11 transmitted from the base station AP1. According to the IEEE 802.11 standard, following reception of a beacon frame, an authentication and association protocol follows, but in the frame for this authentication or association, The security level of the terminal WL13 is written as information notified to the station AP1.
[0055]
FIG. 7 shows a procedure for notifying the base station AP1 of the security level of the terminal WL13 in an authentication frame as an example. In this procedure, it is assumed that the security levels of the terminal WL13 are “enc.0” and “enc.1”.
[0056]
FIG. 8A shows the format of the frame body in the authentication frame as the MAC frame shown in FIG. 4 defined in IEEE 802.11. The authentication frame describes an authentication algorithm that distinguishes between an open system that does not use a common encryption key and a common encryption key system that uses a common encryption key. For example, “0” is described in the authentication algorithm number in the open system, and “1” is described in the common encryption key system. In the open system identified by the authentication algorithm number 0, as shown in FIG. 8B, frames of ATSN (Authentication Transaction Sequence Number) = 1 and = 2 are prepared as authentication request frames. The authentication frame of ATSN = 1 is sent from the terminal WL to the base station AP1, and its status code field (Status Code field) is reserved. An authentication frame of ATSN = 2 is sent from the base station AP1 to the terminal WL, and a connection rejection or connection permission code is written in the status code (Status Code). In the open system identified by the authentication algorithm number 0, the challenge text to be encrypted is not prepared for the authentication frame. In the common encryption key system, frames of ATSN (Authentication Transaction Sequence Number) = 1 to 4 are prepared as an authentication request frame (authentication request). An authentication frame of ATSN = 1 and ATSN = 3 is sent from the terminal WL to the base station AP1, and its status code is reserved. An authentication frame of ATSN = 2 and ATSN = 4 is sent from the base station AP1 to the terminal WL, and a connection rejection or connection permission code is written as the status code. In the common encryption system, the challenge text for encryption is prepared for the authentication frames of ATSN = 2 and 3, and the authentication frame of ATSN = 3 is encrypted. On the other hand, the challenge text for encryption is not prepared in the authentication frames of ATSN = 1 and 4.
[0057]
The authentication frame specified by ATSN = 1 is transmitted from the connection requesting side. In this request frame, the status code field is reserved and is currently unused. Therefore, the security level “enc.1” or “enc.2” of the connection requesting side can be written in this status code field. In the following description of the embodiment, it is assumed that the security level “enc.1” or “enc.2” on the side that issues the connection request is written in the Statuscode field. In the authentication frame of ATSN = 1, data indicating the security level (for example, “enc. 1”) that the transmission unit 107 of the terminal WL13 wants to use in communication with the base station AP1 is included in the status code section. The ATSN = 1 authentication frame is written and transmitted to the base station AP1 as shown in step S2 of FIG. This security level may be written in one of the reserved fields in the MAC frame shown in FIG.
[0058]
The processing operation of the base station AP1 that has received the ATSN = 1 authentication frame will be described. As already described, the beacon frame that is always transmitted from the base station AP1 is detected by the terminal WL13 as shown in step S1. After this detection, the transmission control unit 106 of the terminal WL13 prepares an authentication frame with ATSN = 1, and refers to the security table 110 to set the security level in a predetermined position of the frame, for example, the status code in the frame body. Write “enc.1” or “enc.2”. In the authentication frame in which the security level is written, the base station AP1 corresponding to the beacon frame detected by the transmission control unit 106 of the terminal WL13 is designated as the destination address 2 and the base station AP1 is instructed as shown in step S2. Sent. The base station AP1 receives the authentication frame, and the reception control unit 13 of the base station AP1 is written in a predetermined location of the received ATSN = 1 authentication frame, for example, a status code in the frame body. The security level “enc.1” or “enc.2” of the terminal WL13 is taken out and compared with the lowest security level “enc_low” of the BSS1 registered in the security table 21 of the base station AP1. As shown in step S3, the security level “enc.1” or “enc.2” of the terminal WL13 notified from the terminal WL13 is the security level “enc.1” or “enc.2” supported by the base station AP1. If it is 2 ”and the security level is“ enc_low ”, which is the lowest level in the BSS1, it is determined that the connection of the terminal WL13 is permitted. When the security level of the terminal WL13 is not the security level supported by the base station AP1, or when the security level is supported by the base station AP1, but less than the security level of the lowest level “enc_low” in the BSS1 It is determined that the connection of the terminal WL13 is rejected.
[0059]
In step S3, when the base station AP1 rejects the connection of the terminal WL13, an authentication frame of ATSN = 2 is prepared by the transmission control unit 12 in accordance with the provisions of IEEE802.11. A code to that effect is written, and an authentication frame of ATSN = 2 is returned to the terminal WL13 as shown in step S4. The terminal WL13 determines whether or not the ATSN = 2 authentication frame for which connection is refused as shown in step S5 is received for the Nth time. This N times corresponds to the number of security levels (= N) written in the security table 110 on the terminal side. Initially, the terminal WL13 notifies the base station of the low security level as the security level supported by the base station AP1 is low, and if it is rejected, the terminal WL13 increases the security level, as shown in step S2. The notified security level is notified. When N security levels supported by the security table 110 on the terminal side are notified, and the authentication frame of ATSN = 2 is received N times as shown in step S5, the terminal WL13 receives: It is determined that the connection is rejected from the base station AP1, and the connection procedure is interrupted at this stage as shown in step S15.
[0060]
On the other hand, when permitting the connection of the terminal WL13, the base station AP1 conforms to the provisions of IEEE 802.11 as shown in step S6 in order to share the encryption parameter corresponding to the security level notified from the terminal WL13 with the terminal WL13. Prepare an ATSN = 2 authentication frame for transmitting the challenge text, and write a code indicating that the ATSN = 1 authentication frame has been successfully received to the status code of the authentication frame; It returns to the terminal WL13 as shown in S6.
[0061]
When the terminal WL13 receives the authentication frame of ATSN = 2, the security level between the base station AP1 and the terminal WL13, for example, the security level “enc.1” is determined. Further, the terminal WL13 uses the IV or private key acquired in advance by the user as the encryption parameter corresponding to the security level, and the frame body including the challenge text in accordance with the provisions of IEEE802.11 as shown in step S7. Encryption is performed using the WEP function of the terminal WL13. Further, the terminal WL13 prepares an authentication frame with ATSN = 3, and copies the challenge text from the authentication frame with ATSN = 2 to the frame body. This terminal WL13 encrypts the frame and transmits it to the base station AP1 as shown in step S8.
[0062]
In the base station AP1 that has received the authentication frame of ATSN = 3, the ATSN received as shown in step S9 with the secret key that the base station AP1 has shared with the terminal WL13 in accordance with IEEE 802.11. = 3 authentication frame is decrypted and the stored encrypted challenge text is extracted. The decrypted challenge text is compared with the transmitted challenge text, and the encryption / decryption is verified based on the comparison result as shown in step S10.
[0063]
If the verification result is “failure”, an authentication frame of ATSN = 4 notifying that is prepared in accordance with the same IEEE 802.11 specification, and that the verification result is “failure”. The code is written, and an authentication frame of ATSN = 4 is returned to the terminal WL13 as shown in step S11. The “failure” in the verification result means that the encryption method is different between the base station AP1 and the terminal WL13. Accordingly, as shown in step S14, it is confirmed that the ATSN = 4 authentication frame is within M times, the encryption method in the terminal WL13 is changed, and the process returns to step S2, and steps S2 to S10 are repeated. It is. Here, M times correspond to the number of encryption schemes prepared by the terminal WL13, and the terminal WL13 can receive the authentication frame of M times ATSN = 4. As described above, if the encryption scheme does not match even if the terminal WL13 receives the authentication frame of M times ATSN = 4, the terminal WL13 determines that the connection with the base station AP1 is rejected. Therefore, on the terminal side, assuming that the encryption scheme provided by the base station AP1 is not prepared, the connection procedure is terminated as shown in step S15.
[0064]
On the other hand, if the verification result in step S10 is “successful”, the base station AP1 sends an authentication frame of ATSN = 4 that notifies that to the terminal WL13 in accordance with the same IEEE802.11 as shown in step S12. Send to. Upon receiving this frame, the terminal WL13 starts an association defined in IEEE 802.11, which is the next procedure, as shown in step S12. That is, the terminal WL13 sends an association request frame as shown in step S13 to the base station AP1, and in response to this request, the base station AP1 returns processing to the association response terminal WL13 in accordance with the standard defined in IEEE 802.11. The action is executed. After the association ends normally, a data frame is transmitted and received between the terminal WL13 and the base station AP1. The transmitted / received data frame is encrypted by a predetermined encryption by the above procedure, for example, a 64-bit WEP function corresponding to a security level of “enc.1 = enc.low”.
[0065]
In the terminal WL13 and the base station AP1, the mutual security information is registered in the security tables 21 and 110 when the security level and encryption parameters of communication between the terminal WL13 and the base station AP1 are determined. That is, in the terminal WL13, the security information of the base station AP1 is registered in the security table 110 after acquiring the encryption parameter in step S7 shown in FIG. In the base station AP1, the security information of the terminal WL13 is registered in the security table 21 after the verification is successful in step S10 in FIG. That is, by selecting an appropriate address field indicating the address of the terminal WL13 in the MAC frame shown in FIG. 4, security information is registered in the security table 21 of the access point AP1 in relation to this address. In the security table of the base station AP1, as shown in FIG. 10, security information whose “connection destination” is the terminal WL13 is newly registered. Similarly, security information whose “connection destination” is the base station AP1 is newly registered in the security table of the terminal WL13. That is, by selecting an appropriate address field indicating the address 1 of the base station AP1 in the MAC frame shown in FIG. 4, security information is registered in the security table 110 of the terminal WL13 in relation to this address. The security level of the security information in the newly added terminal WL13 corresponds to the security level requested by the terminal WL13 in step S2 of FIG.
[0066]
Further, if the security information of the base station is registered in the security table on the terminal side, the terminal can select in advance a security level equal to or higher than the minimum level of the base station, and as a result, in step S3, The connection is not rejected by the base station. Here, the security information of the base station has at least a security level equal to or higher than the minimum level predetermined for the BSS to which the base station belongs. In other words, when the terminal reconnects to the base station, the security level higher than the minimum level determined by the base station is selected from the security levels supported by the terminal itself for the base station. This security level may be notified to the base station as shown in S2.
[0067]
Further, it is preferable that security information of a security level equal to or higher than the lowest level enc_low predetermined in at least the BSS to which the base station belongs is registered as security information regarding the terminal WL in the security table of the base station AP. In this registration, regarding the BSS to which the base station belongs, the BSS is specified by the address described in the appropriate address field in the MAC frame shown in FIG. 4, and this address and the security level are described in the security table. If there is such BSS registration, the security level used for unicast communication from the base station to the terminal can be selected in advance so that the security level can be supported by the terminal at the minimum level or higher. . Also, the security level in multicast communication and broadcast communication to the terminal WL in the BSS to which the base station AP belongs is equal to or higher than the minimum level enc_low, and the security level is supported by all terminals that should receive it. Things can be pre-selected. That is, as shown in step S5 of FIG. 7, when the connection is rejected from the base station AP1, a security level different from the previously notified security level, preferably a higher security level is notified, and the connection is re-established. Can be requested. While notifying the security level of the terminal WL13 one by one, a connection request can be made a maximum of a predetermined number M.
[0068]
The base station AP1 notifies the connection request source terminal WL13 of all the security levels of the lowest level enc_low preset in the BSS1 or the minimum level enc_low supported by the base station AP1. Anyway. This notification may be made using a currently unused frame among the management frame and control frame of the MAC frame defined in IEEE 802.11. For example, the management frame corresponds to a frame with subtypes “0110” to “0111”, and the control frame corresponds to a frame with subtypes “0000” to “1001”. In step S4 shown in FIG. 7, when the base station AP1 rejects the connection of the terminal, after transmitting an authentication frame of ATSN = 2, this unused frame is transmitted and the security of the minimum level enc_low or higher is transmitted. All of the levels may be notified to the terminal WL13. Further, in step S4 or step S6, an unused frame may be transmitted before transmitting an ATSN = 2 authentication frame to notify the terminal WL13 of all the security levels above the lowest level enc_low. Further, the access point AP1 transmits an unused frame at an appropriate time, such as during authentication processing or association processing, or before data frame transmission / reception starts, and has a security level higher than the minimum level enc_low. You may make it notify all to the terminal WL13.
[0069]
As shown in FIGS. 9 (a), 9 (b), and 9 (c), the MAC frame association frame defined in IEEE 802.11 includes “capability information (Capability)” of the frame body. information) ”is provided with a reserved field as an unused area. Using this unused area, the base station AP1 sends all the security levels enc_low at the lowest level of the BSS1 to the terminal WL13 that is the connection request source, or all the security levels above the minimum level enc_low supported by the base station AP1. May be notified to the terminal WL13.
[0070]
As described above, in the first embodiment, when the terminal WL13 that does not belong to the BSS1 other than the terminals WL11 and Wl12 that belong to the BSS1 tries to connect to the base station AP1, first,
(1) This terminal WL13 notifies the security level of the terminal WL13 itself to the base station AP1. In the flow shown in FIG. 7, this notification uses an authentication frame.
[0071]
(2) In the base station AP1, when the security level notified from the terminal WL13 is a security level supported by the base station AP1, and when it is equal to or higher than the security level of the lowest level enc_low predetermined in the BSS1, The connection of the terminal WL13 is permitted and the processing operation for connection is continued. However, when the security level notified from the terminal WL13 is less than the minimum security level predetermined in the BSS1, the connection of the terminal WL13 is rejected.
[0072]
(3) When permitting a connection from the terminal WL13, recognition processing for sharing information for encryption / decryption, that is, encryption parameters, is executed as necessary.
[0073]
As described above, according to the first embodiment, for each basic group of wireless LAN, such as BSS, wireless communication that secures a minimum security level by encryption predetermined for each group is realized. .
[0074]
Preferably, in the case of (1) above, if the terminal WL13 is notified of the security level of the highest level enc_high among the security levels supported by the terminal WL13 itself, the base station AP1 connects the terminal WL13. There are fewer opportunities to refuse. Further, if the security level of the highest level enc_high is notified to the base station AP1, it is possible to determine whether or not it is possible to connect to the base station AP1 with a single connection request, and as a result, useless traffic can be reduced.
[0075]
In addition, the base station or each terminal in the BSS1 registers security information having a security level equal to or higher than the minimum level enc_low previously set in the BSS1 used when communicating with the base station or terminal in the BSS1. Is preferred. The base station or each terminal refers to this security table and selects in advance a minimum security level that is not refused connection as a security level to be notified when a connection request is made to a desired terminal or base station specified by an address. be able to.
[0076]
In the first embodiment, in step S2, only one security level that the terminal WL13 desires to use for communication with the base station AP1 is notified to the base station AP1, but this is limited to this case. Clearly not. The terminal WL13 itself may be notified of all or not a plurality of security levels from the terminal WL13 to the base station AP1. Also, only the highest security level enc_high among the security levels supported by the terminal WL13 may be notified from the terminal WL13 to the base station AP1.
[0077]
The processing operation of the base station AP1 when notifying all or not all of the terminal WL13 itself in step S2 will be described.
[0078]
In step S2 shown in FIG. 7, a plurality of security levels possessed by the terminal WL13 itself are transmitted to the base station. In step S3, the base station AP1 determines whether this security level includes a security level equal to or higher than the security level enc_low corresponding to the lowest level in the BSS1 and supported by the own device. to decide. The base station AP1 determines that the connection of the terminal WL13 is permitted when the supported security level is included. Further, the base station AP1 determines that the connection of the terminal WL13 is rejected when the supported security level is not included. When the connection of the terminal WL13 is rejected, the process proceeds to step S4. When permitting the connection of the terminal WL13, the base station AP1 next selects a security level equal to or higher than the lowest level enc_low in the BSS1 among the security levels supported by both the terminal WL13 and the base station AP1. When there are a plurality of security levels equal to or higher than the lowest level enc_low in the BSS1, the base station AP1 selects one of them. Regarding this selection, there are the lowest, highest, and other various selection criteria. Any one of them may be selected. The base station AP1 sets the selected one security level as the security level used for communication with the terminal WL13. For example, if the security levels notified from the terminal WL13 are “enc. 0” and “enc. 1”, the connection of the terminal WL13 to the base station AP1 is permitted, and the connection between the terminal WL13 and the base station AP1 is allowed. The security level of communication is selected as “enc. 1”.
[0079]
When it is necessary to notify the terminal WL13 of the selected security level, for example, before transmitting the authentication frame of ATSN = 2 in step S6 of FIG. Of the prescribed MAC frame management frame and control frame, a currently unused frame may be used.
[0080]
In response to the notification of the selected security level, the terminal WL13 can prepare for subsequent processing.
[0081]
In the BSS1, if the security level is equal to or higher than the lowest level enc_low predetermined for the BSS1, it is not always necessary to communicate at the same security level.
[0082]
In the BSS1, communication may be performed with different security levels depending on the connection partner. That is, here, the base station AP1 is not particularly limited with respect to communicating with which terminal at which security level as long as the security level is equal to or higher than the minimum level enc_low predetermined for the BSS1. Since the base station AP1 communicates at a different security level for each terminal, it is possible to improve the confidentiality of wireless communication.
[0083]
FIG. 7 illustrates the operation at the time of connection between the terminal WL13 not subscribed to BSS1 and the base station AP1, but the above-described terminal WL13 is replaced with each of the terminals WL11 to WL12 subscribed to BSS1. May be. Even when each of the terminals WL11 to WL12 tries to connect to the base station AP1, according to the procedure shown in FIG. 7, a different security level is notified each time in step S2 of FIG. The security level can be changed according to the purpose. In this case, since the minimum security level of BSS1 is registered in the security table of each terminal, a security level higher than this minimum level is selected from the security levels supported by each terminal, and this is the step. Notification is made at S2. Even if the security level is not changed, the encryption parameters (such as a secret key or IV in the case of WEP) can be changed during subsequent authentication.
[0084]
Similarly, the procedure for requesting connection from the terminal to the base station in FIG. 7 can also be applied as a procedure for requesting connection from the base station to the base station belonging to different BSSs. That is, the terminal WL13 illustrated in FIG. 7 can be replaced with the base station AP1, and the base station AP2 can be replaced with a base station belonging to another BSS different from the BSS1, for example, the base station AP2 of the BSS2 here. As described above, according to the first embodiment, communication between base stations, that is, DS communication, can be realized at a minimum security level or more.
[0085]
When a terminal in the BSS1, for example, the terminal WL11 communicates with another terminal in the same BSS1, for example, the terminal WL12, the terminal may communicate with the base station AP1 via the base station AP1. Alternatively, direct communication may be performed between terminals without going through the base station AP1.
[0086]
When the terminals WL11 to WL12 and the base station AP1 try to connect to the other parties registered in the respective security tables, the authentication for transmitting and receiving the security level and the encryption parameter may be omitted. If the transmission source of the frame is registered in its own security table, the side receiving the connection request refers to the security table and uses a security level equal to or higher than the minimum level predetermined in BSS1. Communicate with the requester.
[0087]
In the security tables of the base station AP1 and the terminals WL11 to WL12, for each connection partner, only the security information of the security level used in the past communication may be registered. This registered security information corresponds to a security level equal to or higher than the lowest level enc_low in the BSS1.
[0088]
At the time of initial setting, the security tables of the base station AP1 and the terminals WL11 to WL12 in the BSS1 are all described with the same contents, and each of them supports each device constituting the BSS1 as shown in FIG. Security information of all security levels and the security level set as the lowest level in the BSS 1 may be registered.
[0089]
In the BSS1, the base station AP1 and the terminals WL11 to WL12 also support “enc. 1” which is the lowest security level allowed in the BSS1. Therefore, when any of the terminals WL11 to WL12 multicasts or broadcasts a data frame or the like in the BSS1, the frame body of the frame is assumed to be encrypted with the lowest allowable security level. As a result, the lowest allowable security level can be secured for the BSS1.
[0090]
In the first embodiment, IEEE802.11 defines the security level supported by the connection request source and the recognition process for sharing the encryption parameter between the connection request source and the connection request destination. It is done together at the time of authentication. However, these two processes can be divided and the former can be executed at the time of association defined in IEEE 802.11. It is also conceivable that the association is performed first and then the authentication is performed. In this case, the above two processes may be performed together at the time of authentication, or may be performed separately at the time of association and at the time of authentication. However, when the above two processes are divided, it is preferable to check the security level prior to the recognition process for sharing the encryption parameter in order to ensure security.
[0091]
(Second Embodiment)
A communication system according to a second embodiment in which the base station of the BSS1 as shown in FIG. 1 in which the minimum security level is predetermined will broadcast the minimum security level determined by the BSS1 will be described. In this description, in the communication system according to the second embodiment, the same description as that of the first embodiment is omitted, and different points will be described with reference to FIG.
[0092]
In the communication system according to the second embodiment, the minimum security level of the BSS is written in a beacon frame defined in IEEE 802.11, and this beacon frame is transmitted.
FIG. 11 shows a frame body format of a beacon frame having a MAC frame structure defined in IEEE 802.11. In the “capability information” of this beacon frame, a reserve field is provided as an unused area. The base station AP1 writes the security level at the lowest level of the BSS1, all the security levels above the lowest level supported by the base station AP1, or a plurality of security levels, if not all, in the reserved field, and the security level. To the terminal WL.
[0093]
The transmission control unit 14 of the base station AP1 sets the security level of the lowest level of the BSS1 in the beacon frame, all the security levels higher than the minimum level supported by the base station AP1, or a plurality of security levels if not all. Write and broadcast. As shown in step S21 of FIG. 12, the terminal receives this beacon frame. The beacon frame can also be received by a terminal that has not joined the BSS1, for example, the terminal WL13 shown in FIG.
[0094]
The receiving unit 101 of the terminal WL13 takes out the lowest security level of the BSS1 written in the received beacon frame as shown in step S22, and sets the security level supported by the terminal WL13 as shown in step S23. Check if there is anything above the minimum level. Here, all the security levels supported by the terminal WL13 may be registered in advance in the security table of the terminal WL13. When the security level of the terminal WL13 is not higher than the minimum level of the BSS1, the connection with the base station AP1 is stopped and the connection process is terminated.
[0095]
Here, the lowest security level of BSS1 is “enc.1”, and since terminal WL13 supports “enc.0” and “enc.1”, terminal WL13 is connected to base station AP1. Is possible. Since the security level of the terminal WL13 is higher than the minimum level of the BSS1, the terminal WL13 selects the security level “enc.1” and starts a connection request to the base station AP1. That is, the process proceeds to step S2 in FIG. 7 to notify the selected security level, and thereafter, the same operation as described in the first embodiment is performed.
[0096]
However, in this case, since it can be expected that the terminal WL side always notifies the security level of the minimum level or higher, the base station AP1 may omit step S3 in FIG. In step S2, the terminal WL13 selects a security level equal to or higher than the lowest level of the BSS1 notified by the beacon frame from the security levels of the terminal WL13 itself (when there are a plurality of such security levels). , All of them, or some desired one of them, or one of them, for example, the highest security level, the lowest security level, or the desired one may be selected.) What is necessary is just to notify base station AP1.
[0097]
In this way, the base station AP1 of the BSS1 whose minimum security level is predetermined broadcasts the minimum security level of the BSS, so that the terminal WL13 can connect with the security level supported by itself. Since the connection is started after selecting in advance, unnecessary traffic can be reduced.
[0098]
In addition, the terminal WL13 can transmit a probe request frame to the base station AP1, and the base station AP1 can notify the security level by a probe response frame (probe response).
[0099]
(Third embodiment)
In the first embodiment, the case where the authentication and the association defined in IEEE 802.11 are performed in this order has been described. However, it is also assumed that the authentication is performed after the association is performed first. Is done. In the third embodiment, this case will be described with reference to the flowchart shown in FIG. 13 by taking the case of the BSS1 shown in FIG. 1 as an example.
[0100]
Here, as in the first embodiment, the case where the terminal WL13 not subscribed to the BSS1 requests connection to the base station AP1 of the BSS1 will be described, and only the parts different from the first embodiment will be described.
[0101]
The terminal WL13 receives the beacon frame transmitted from the base station AP1 as shown in step S31, and then transmits an association request frame to the base station AP1 as shown in step S32 in order to connect to the base station AP1. .
[0102]
As described above, as shown in FIGS. 9A, 9B, and 9C, the MAC frame association frame defined in IEEE 802.11 has a “capacity” of the frame body. An unused area, that is, a reserve field is prepared in the “ability information” (Capability information). The transmission unit 107 of the terminal WL13 writes at least one desired security level supported by the terminal WL13 in this reserved field in this reserved field, and transmits it to the base station AP1 as shown in step S32. For example, in this case, the transmitting unit 107 of the terminal WL13 writes data indicating “enc.1” of all security levels (“enc.0” and “enc.1”) of the terminal WL13 in the reserved field. Suppose that it transmits to base station AP1.
[0103]
The processing operation of the base station AP1 that has received this is the same as in the first embodiment. That is, the reception control unit 13 of the base station AP1 extracts the security level of the terminal WL13 written in the received association request frame (Association Request), and this security level is registered in the security table 21 of the base station AP1. Compare with the lowest security level of the existing BSS1. When the security level of the terminal WL13 notified from the terminal WL13 is the security level supported by the base station AP1 and is equal to or higher than the lowest security level in the BSS1, the connection of the terminal WL13 is shown as shown in step S33. Is determined to be permitted. When the security level is lower than the lowest security level of the BSS1, it is determined that the connection of the terminal WL13 is rejected as shown in step S33. That is, when refusing the connection of the terminal WL13, for example, in accordance with the IEEE 802.11 standard, a code indicating that the connection is unsuccessful is written in an association response frame (Association Response Status code) as shown in step S34. To the terminal WL13. By receiving this frame, the terminal WL13 determines that the connection is rejected from the base station AP1, and interrupts the connection procedure at this stage.
[0104]
On the other hand, when the connection of the terminal WL13 is permitted, the response of the association is performed in accordance with the provisions of IEEE802.11 for communication using “enc. 1” which is the lowest security level of the BSS1 notified from the terminal WL13. A code indicating that the connection is successful is written in the frame (Status Code of Association Response), and is returned to the terminal WL13 as shown in Step S36.
[0105]
In response to this, the terminal WL13 transmits an authentication frame as shown in step S37 for authentication processing for sharing the encryption parameters between the terminal WL13 and the base station AP1 in accordance with the IEEE 802.11 standard. To do. The authentication process after the transmission of the authentication frame is executed according to the IEEE 802.11 standard. Since this processing complies with the IEEE 802.11 standard, its description is omitted.
[0106]
In the case of the third embodiment, it is possible to expect the same effect as in the case of the first embodiment, and it goes without saying that many variations as described in the first embodiment can be applied. Nor.
[0107]
(Fourth embodiment)
Next, in the case where a certain terminal communicates while moving between areas of a plurality of base stations, a technique for securing the security level for each area, that is, for each BSS will be described by taking the wireless LAN system shown in FIG. 1 as an example. To do. In the fourth implementation, a technique for ensuring a predetermined minimum security level for the BSS to which each base station belongs even in a situation where the terminal WL is moved, that is, in a so-called mobile environment. This will be described in the form. Basically, as described in the first embodiment, when receiving a connection request from a terminal, the base station of each BSS is notified of the security level from the terminal, and this is sent to the own BSS. Only when the security level is equal to or higher than a predetermined minimum security level, the connection of the terminal is permitted, and the authentication process for sharing the encryption parameter between the base station and the terminal is the same.
[0108]
For example, in the wireless LAN system defined in IEEE 802.11, when the terminal WL13 in FIG. 1 is connected to the base station AP2, when the terminal WL13 moves into the area of the base station AP1, the terminal WL13 and the base station A reassociation is executed with the AP1. When this reassociation procedure ends normally, a data frame is transmitted / received.
[0109]
In the fourth embodiment, the security level of the terminal WL13 is notified from the terminal WL13 to the base station AP1 by using an unused area in the reassociation request frame (Reassociation Request).
[0110]
Hereinafter, in the wireless LAN system shown in FIG. 1, the terminal WL13 moves from the area of the base station AP2 to the area of the base station AP1 and the reassociation is performed on the base station AP1, the flowchart shown in FIG. The description will be given with reference. In FIG. 15, the same parts as those in FIG. 13 are denoted by the same reference numerals, description thereof is omitted, and different procedures are described.
[0111]
After receiving the beacon frame transmitted from the base station AP1 as shown in step S31, the terminal WL13 transmits a reassociation request frame to the base station AP1 as shown in step S51 in order to connect to the base station AP1. .
[0112]
As shown in FIGS. 14A to 14C, an unused area in the “Capability information” of the frame body, that is, a reserved field, is included in the reassociation frame of the MAC frame defined in IEEE 802.11. Is prepared.
[0113]
As shown in step S51, the transmission unit 107 of the terminal WL13 writes at least one desired security level supported by the terminal WL13 in this reserved field, and transmits it to the base station AP1. For example, in this case, the transmitter 107 of the terminal WL13 writes data indicating “enc.1” out of all the security levels (“enc. Send.
[0114]
Since the processing operation of the base station AP1 that has received this reassociation frame is the same as that described in FIG. 13, refer to the description regarding step S33 in FIG. However, when the connection of the terminal WL13 is rejected in step S33, a code indicating that the connection is unsuccessful is written in the status code of the reassociation response frame in accordance with the provisions of IEEE 802.11, as shown in step S52. It is returned to the terminal WL13. Further, when the connection of the terminal WL13 is permitted, a code indicating that the connection is successful is written in the status code of the reassociation response frame in accordance with the standard of IEEE 802.11, and is returned to the terminal WL13 as shown in step S53. Is done.
[0115]
When the base station AP1 permits the connection of the terminal WL13, it is necessary that the encryption parameter is shared between the base station AP1 and the terminal WL13. Therefore, as shown in step S37 to step S44 in FIG. 15, as in FIG. 13, an authentication process for sharing encryption parameters between the terminal WL13 and the base station AP1 in accordance with the provisions of IEEE 802.11, That is, an authentication procedure may be performed.
[0116]
Further, the reassociation request frame from the terminal WL13 describes the address of the base station to which the terminal WL13 is currently connected, that is, the base station AP2. This address corresponds to the “current AP address” shown in FIGS. 14A to 14C. Therefore, as shown in FIG. 15, the authentication procedure is not performed, and the base station AP1 connects to the base station AP2 based on the “current AP address”. Then, the base station AP1 requests transfer of security information for the terminal WL13 registered in the security table of the base station AP2, and registers the security information in the security table after the transfer of the security information. good. As a result, the encryption parameter is shared between the base station AP1 and the terminal WL13. Therefore, after the terminal WL13 is permitted to connect from the base station AP1 shown in step S53, the terminal WL13 is encrypted with the same security level as in the communication between the terminal WL13 and the base station AP2. The data frame can be transmitted / received to / from the base station AP1.
[0117]
In the communication system according to the fourth embodiment, the same effect as that in the first embodiment can be expected, and many variations as described in the first embodiment can be applied. Needless to say.
[0118]
(Fifth embodiment)
As described above, in the communication systems according to the first to fourth embodiments, the terminal WL13 communicates with the base station AP1 at a security level equal to or higher than the minimum level predetermined for the BSS1 to which the base station AP1 belongs. It becomes possible to do. However, when the terminal WL13 communicates with the base station AP1 and at the same time the terminal WL13 communicates with a terminal that is not subscribed to the BSS1 other than the base station AP1 or with another wireless station, the security level of the communication between the terminals WL13 is predetermined as BSS1 As a result, it cannot be said that the lowest security level of the BSS1 is secured. Therefore, in the communication system according to the fifth embodiment, even when the terminal WL13 has already made a wireless connection with a certain terminal WL14 as shown in FIG. 16, even if the terminal WL13 makes a connection request to the base station AP1. In accordance with the procedure described below, it is possible to ensure the minimum level of security that is predetermined for the BSS1.
[0119]
When the terminal WL13 is wirelessly connected to another terminal or base station at a security level lower than the minimum security level predetermined for the BSS1, the terminal WL13 communicates with the base station or terminal in the BSS1. The basic rule is to prevent connection. Therefore, in order to connect to a terminal or a base station in the BSS1, such a wireless connection with a low security level is disconnected in advance, or the security level of the wireless connection is raised to the minimum level of the BSS1 or higher. Is needed.
[0120]
Hereinafter, the procedure for this will not be described for the common procedures described in the first to fourth embodiments, and different procedures will be described.
[0121]
In FIG. 16, the same parts as those in FIG. It is assumed that the security level supported by the terminal WL14 shown in FIG. 16 is only “enc. 0”. When the terminal WL13 starts a connection request to the base station AP1, it is assumed that the terminal WL13 is already wirelessly connected to the terminal WL14, and the communication security level therebetween is “enc.0”.
[0122]
A case where the terminal WL13 starts a connection request to the base station AP1 of the BSS1 in such a state will be described.
[0123]
First, as described in the second embodiment, a case in which a predetermined minimum security level is notified to BSS1 in a beacon frame will be described with reference to the flowchart shown in FIG. In this case, the terminal WL13 knows that the lowest security level that can be wirelessly connected to the base station AP1 from the received beacon frame is “enc.1”. Therefore, the terminal WL13 executes the processing operation shown in FIG. 17 before proceeding to step S32 in FIG.
[0124]
In step S61 in FIG. 17, it is confirmed whether the security level of the terminal WL13 is provided with a security level equal to or higher than the lowest level “enc.1” permitted by the BSS1. When a security level of “enc.1” or higher is prepared in the terminal WL13, the process proceeds to step S62. In this step S62, whether or not the security level of communication between the terminal WL13 and the terminal WL14, that is, the terminal WL14 and the terminal WL13, is at least the lowest level “enc.1” permitted by the BSS1. Is checked. If the security level of communication between the terminal WL13 and the terminal WL14 is equal to or higher than the lowest level “enc.1” permitted by the BSS1, the process proceeds to step S64, and a connection procedure between the terminal WL13 and the base station AP1 is started. Is done. That is, in the terminal WL13, the processes after step S32 in FIG. 13 are executed. On the other hand, when the security level between the terminal WL13 and the terminal WL14 is less than the lowest level (“enc.1”) permitted by the BSS1, the process proceeds to step S63, and the wireless connection between the terminal WL13 and the terminal WL14 is established. Is cut off, and the process proceeds to step S64.
[0125]
As described above, since the security level of communication between the terminal WL13 and the terminal WL14 is “enc.0”, the process proceeds from step S62 to step S63, and the wireless connection between the terminal WL13 and the terminal WL14 is disconnected. The Thereafter, the terminal WL13 finishes the deauthentication defined in IEEE 802.11, and proceeds to step S64.
[0126]
As described above, when the security level between the terminal WL13 and the currently connected terminal WL14 is lower than the security level broadcast from the base station AP1 that is requested to connect, the terminal WL13 and the terminal WL14 are connected in advance. The terminal WL13 is disconnected and a connection request is made to the base station AP1. Therefore, the wireless connection between the terminal WL13 and the base station AP1 is reliably executed while maintaining the minimum security level of the BSS1.
[0127]
In step S63, after the wireless connection between the terminal WL13 and the terminal WL14 is once disconnected, the terminal WL13 and the terminal WL14 may be wirelessly connected again with a security level equal to or higher than the lowest level of the BSS1.
[0128]
In the above description, the case where the terminal WL13 is wirelessly connected to only one of the terminals WL14 has been described. However, even when the terminal WL13 is wirelessly connected to a plurality of terminals or a plurality of base stations, in the same manner as described above, Each of these security levels is checked. If the security level is not higher than the lowest level of BSS1, the connection between the terminal WL13 and the other terminal is temporarily disconnected, the terminal WL13 is set to the security level higher than the lowest level of BSS1, and the connection to the base station AP1 is started. May be.
[0129]
In the above description, the case of the terminal WL13 wirelessly connected to the terminal WL14 has been described as an example. However, the above-described series of procedures may be applied to the processing operation of the base station AP2 of another BSS2 different from the BSS1. it can. In this way, when both the side that issued the connection request and the side that received the connection request are not base stations but base stations, DS communication with a minimum security level is ensured in each of the plurality of BSSs. When the side that issued the connection request is a base station, the base station may be wirelessly connected to a plurality of terminals and base stations. If the access point does not exceed the lowest level of the BSS to be connected, the access point may once disconnect from the terminal WL and other access points. Thereafter, if necessary, the access point may set a security level equal to or higher than the lowest level of the BSS to be connected, and then start connection to the desired base station.
[0130]
Next, as described in the first, third, and fourth embodiments, the flow chart shown in FIG. 18 is used for checking the security level of the terminal WL13 at the time of authentication, association, and reassociation. The description will be given with reference. The processing operation shown in FIG. 18 corresponds to step S3 in FIG. 7, step S33 in FIGS.
[0131]
When checking the security level of the terminal WL13, as described above, the terminal WL13 writes the security level of the terminal WL13 in an unused area on the authentication request frame or the association or reassociation request frame. Then, at least one item of the following (1) to (2) is written in the unused area or another unused area.
[0132]
(1) Presence / absence of a terminal or base station to which the terminal WL13 is wirelessly connected.
[0133]
(2) Security level between the terminal WL13 and the currently connected terminal or base station
Here, when the terminal WL13 is wirelessly connected to a plurality of terminals or base stations, the security levels for all of them are written in the unused area.
[0134]
The base station AP1 receives the frame as shown in step S71, and first checks the security level of the terminal WL13 as shown in step S72. When the security level of the terminal WL13 does not satisfy the minimum security level defined in BSS1, the process proceeds to step S73, and the connection is rejected. That is, as described in the first, third, and fourth embodiments, the connection rejection is notified to the terminal WL13 in the authentication, association, and reassociation frames.
[0135]
On the other hand, when the security level of the terminal WL13 is the security level supported by the base station AP1 and is equal to or higher than the minimum security level defined in the BSS1, the process proceeds to step S74. If it is determined from the information (1) or (2) that there is no terminal or base station that is currently wirelessly connected to the terminal WL13, the process proceeds to step S75, where the wireless connection of the terminal WL13 is permitted. That is, as described in the first, third, and fourth embodiments, the wireless connection permission is notified to the terminal WL13 in the authentication, association, and reassociation frames, and the subsequent processing is described above. Is executed in the same way as This processing corresponds to step S6 in FIG. 7, step S36 in FIG. 13, step S53 in FIG. If it is determined from the information (1) or (2) that there is a terminal or base station that is currently wirelessly connected to the terminal WL13, the process proceeds to step S76.
[0136]
In step S76, if the information received in step S71 includes the "security level between terminal WL13 and terminal WL14 currently connected wirelessly" shown in (2), the security level is Checked. When the security level with the terminal WL14 is equal to or higher than the lowest security level defined in the BSS1, the process proceeds to step S75, and the wireless connection of the terminal WL13 is permitted. On the other hand, when the security level with the terminal WL14 is less than the minimum security level defined in the BSS1, or when the information received in step S71 does not include the information shown in (2) above. That is, when the security level with the terminal WL14 is unknown, the process proceeds to step S77, and the connection request from the terminal WL13 is rejected. As described in the first, third, and fourth embodiments, the rejection of the connection request is notified to the terminal WL13 in the authentication, association, and reassociation frames.
[0137]
In step S77, instead of notifying that the connection request is rejected, a request for instructing disconnection of the wireless connection with the terminal WL14 is made in the authentication, association, and reassociation frames in the same manner. May be notified. In this case, the terminal WL13 can immediately determine that it can connect to the base station AP1 if the wireless connection with the terminal WL14 is disconnected. Therefore, after the terminal WL13 disconnects the wireless connection with the terminal WL14, for example, after terminating the deauthentication specified in IEEE802.11, the terminal WL13 can request connection to the base station AP1 again. .
[0138]
In addition, after the connection request is rejected in step S77, in the case of a currently unused frame among the management frame and control frame of the MAC frame defined in IEEE802.11. In the case of a frame such as “0110” to “0111” and a control frame, the lowest security level allowed in the BSS1 is notified by using a frame such as “0000” to “1001” of the subtype. Also good. If there is a notification of the minimum security level allowed in the BSS1, if the terminal WL14 can support the minimum security level, the terminal WL13 reconnects to the security level and then makes a connection request to the base station AP1 again. It can be carried out.
[0139]
In the above description, the case where the terminal WL13 is wirelessly connected to only one of the terminals WL14 is described as an example. However, even when a plurality of terminals and base stations are wirelessly connected, in the same manner as described above, the terminal WL13 has the presence or absence of terminals or base stations already connected, preferably one by one. The security level may be notified. When a plurality of already connected wireless communication security levels are notified from the terminal WL13, the base station AP1 may check the security level for each of them in step S76.
[0140]
As described above, even if the side that issued the connection request is already wirelessly connected to another terminal or base station, the security level of this wireless connection is unknown, or the side that received the connection request When the minimum security level is not satisfied, the minimum security level on the side receiving the connection request can be ensured by rejecting the connection request. Although the above description has been given by taking the case of the terminal WL13 wirelessly connected to the terminal WL14 as an example, it can also be applied as a processing operation of the base station AP2 of another BSS2 different from the BSS1. In this way, when both the side that issued the connection request and the side that received the connection request are not base stations but base stations, DS communication in which a minimum security level is secured in each of a plurality of BSSs is possible. When the side that issued the connection request is a base station, the base station may be wirelessly connected to a plurality of terminals or base stations. In such a case as well, in the same manner as described above, it is preferable that the side that has issued the connection request notifies the presence / absence of a terminal or base station that has already been connected, preferably the security level for each. When the connection request side is notified of a plurality of already connected wireless communication security levels from the connection requesting side, the security level for each of them may be checked in step S76. .
[0141]
(Sixth embodiment)
In the wireless system according to the first embodiment, the case where a connection request is made to the base station has been described, but the same technique can be applied to the case where a connection request is made from the terminal to the terminal. Here, as shown in FIG. 19, a case where a terminal WL15 not subscribed to BSS1 makes a connection request to a terminal WL12 belonging to BSS1 will be described as an example. The security level that can be supported by the terminal WL15 is only “enc. 0”. Since the terminal WL12 is subscribed to the BSS1, when the terminal WL12 communicates, it is necessary to ensure a minimum security level predetermined for the BSS1. For this purpose, a processing operation similar to that shown in FIG. 7 between the terminal and the base station is performed between the terminal WL12 and the terminal WL15.
[0142]
FIG. 20 shows a processing procedure between the terminal WL12 and the terminal WL15 when a connection request is made from the terminal WL15 to the terminal WL12. In FIG. 20, the same parts as those in FIG. 7 are denoted by the same reference numerals, description thereof is omitted, and different points will be described below.
[0143]
In FIG. 20, the processing operation at the base station shown in FIG. 7 corresponds to the processing operation at the terminal WL12. Therefore, step S1 for transmitting a beacon frame is not necessary. The other steps S2 to S12 are the same as in FIG. The association procedure is not necessary.
[0144]
As shown in FIG. 20, when setting the connection between the terminal WL12 and the terminal WL15, the terminal WL12 on the side receiving the connection request checks the security level of the terminal WL15 on the side issuing the connection request. . Here, the security level of the terminal that issued the connection request is the security level supported by the device that has received the connection request, and more than the minimum security level of the BSS1 to which the terminal that has received the connection request belongs. If so, the connection of the terminal WL15 is permitted. If the security level of the terminal that issued the connection request is not a security level that is supported by the device that received the connection request, or if it is below the minimum security level of the BSS1 to which the terminal that received the connection request belongs The connection of the terminal WL15 is rejected. If the connection is permitted, a manual processing operation for sharing the encryption parameter corresponding to the security level is executed.
[0145]
When the terminal WL12 receives a connection request from the terminal WL13, the terminal WL12 executes the processing operation shown in FIG. 20 regardless of whether or not the terminal WL12 is wirelessly connected to the base station AP1. .
[0146]
In FIG. 19, the terminal WL15 may be applied with a mode in which a data frame is directly transmitted to the terminal WL12. This mode is referred to as an ad hoc mode. This ad hoc mode can be executed without authenticating. Regarding the ad hoc mode, the processing operation at the terminal WL12 will be described with reference to the flowchart shown in FIG.
[0147]
The terminal WL12 receives the data frame addressed directly to the terminal WL12 without going through the base station from the terminal WL15 as shown in step S81). For example, according to the IEEE 802.11 standard, such a data frame can be easily obtained because “To DS” and “From DS” in the frame control of the MAC frame shown in FIG. 4 are both “0”. I can judge.
[0148]
When receiving the data frame, the receiving unit 101 of the terminal WL12 checks whether security information corresponding to the transmission source address is registered in the security table 110 of the terminal WL12, as shown in step S82. Is done.
[0149]
The fact that the security information of the terminal WL15 is registered in the security table means that the terminal WL15 has communicated with the terminal WL12 in the past at a security level equal to or higher than the minimum level predetermined for the BSS1 registered in the security table. This means that it is predetermined to communicate at such a security level. Accordingly, the process proceeds to step S83, and the terminal WL12 transmits, for example, an ACK frame for the received data frame specified in EEE802.11 to the terminal WL15, and starts data transmission / reception with the terminal WL15.
[0150]
On the other hand, if the security information of the terminal WL15 is not registered in the security table in step S82, the security level of the terminal WL15 is unknown as it is, so that the terminal WL12 cannot communicate with the terminal WL15. Accordingly, the process proceeds to step S84, and the terminal WL15 is notified that the authentication is requested without transmitting the ACK frame. This notification is a MAC frame management frame defined in IEEE 802.11, a currently unused frame among control frames, for example, a management frame, subtypes such as “0110” to “0111” In the case of a frame or a control frame, the subtype may be notified using a frame such as “0000” to “1001”.
[0151]
Upon receiving this notification, the terminal WL15 may start the processing operation after step S2 shown in FIG. In step 84 described above, the terminal WL12 transmits an ACK frame, and the terminal WL15 may start the process of step S2, and then the steps shown in FIG. 20 may be executed.
[0152]
In the communication procedure according to the fifth embodiment, when the terminal WL13 is already wirelessly connected to a certain terminal WL14 as shown in FIG. 16, when the base station AP1 makes a connection request, the base station AP1 The method for ensuring the minimum level of security predetermined for the BSS1 has been described. Correspondingly, as shown in FIG. 22, a case where the terminal WL15 makes a connection request to the terminal WL12 when the terminal WL15 is already wirelessly connected to the existing terminal WL16 will be described.
[0153]
Here, the security level that can be supported by the terminal WL16 is only "enc. 0". Since the terminal WL12 is subscribed to the BSS1, when the terminal WL12 starts communication, it is necessary to secure a minimum security level predetermined for the BSS1. For this purpose, the same processing operation as that shown in FIG. 18 may be performed at the terminal WL12.
[0154]
FIG. 23 shows a processing procedure between the terminal WL12 and the terminal WL15 when a connection request is made from the terminal WL15 to the terminal WL12. In FIG. 23, the same parts as those in FIG. 18 are denoted by the same reference numerals, description thereof is omitted, and different parts will be described. That is, in FIG. 23, the processing operations in the base station and the terminal WL13 in FIG. 18 correspond to the processing operations in the terminal WL12 and the terminal WL15, respectively, and substantially the same processing as the processing procedure shown in FIG. 18 is performed. . Therefore, the description with reference to FIG. 23 can be understood if the base station and the terminal WL13 in the above description in FIG. 18 are replaced with the terminal WL12 and the terminal WL15, respectively, without specific description.
[0155]
In FIG. 22, when the terminal WL15 tries to directly transmit a data frame to the terminal WL12 without passing through the authentication, the terminal WL12 performs the processing operation shown in the flowchart of FIG. A processing operation as shown may be performed. Preferably, when the terminal WL12 receives a data frame addressed directly to the terminal WL12 from the terminal WL15 in step S81 of FIG. 21 without going through the base station, the terminal WL12 immediately proceeds to step S84, and the terminal WL15 In order to ensure security, it is desirable to notify the request for authentication and to perform the processing operation shown in FIG. Since the security information of the terminal WL15 is registered in the security table of the terminal WL12, the terminal WL15 does not always communicate with a wireless connection with a terminal other than the terminal WL12 at a level higher than the minimum security level of the BSS1 to which the terminal WL12 belongs. Because there is no.
[0156]
In the above description, the case where the terminal WL15 is wirelessly connected to only one of the terminals WL16 has been described as an example. However, when the terminal WL15 is wirelessly connected to a plurality of terminals or base stations, the terminal The WL 15 notifies the presence / absence of terminals and base stations already connected, preferably the security level for each. When a plurality of security levels for wireless communication already connected are notified from the terminal WL15, the terminal WL12 may check the security level for each of them in step S76.
[0157]
As described above, according to the sixth embodiment, even in communication between a plurality of terminals, when one of the terminals is a terminal in the BSS in which a security level to be protected at least is determined in advance, The security level can be ensured.
[0158]
(Seventh embodiment)
In the first to sixth embodiments, the case where the security level of the BSS is ensured has been described. A similar method can be applied to securing a security level in IBSS.
[0159]
In the seventh embodiment, an IBSS 1 configured as shown in FIG. 24 will be described as an example.
[0160]
In FIG. 24, IBSS1 is composed of a plurality of, for example, three terminals WL31 to WL33. The terminal WL31 supports security levels “enc.0” and “enc.1”, and the terminal WL32 supports security levels “enc.0”, “enc.1”, “enc.2”, and the terminal WL33. Support security levels “enc.0” and “enc.1”.
[0161]
According to the IEEE 802.11 standard, an IBSS can directly transmit and receive data frames between a plurality of terminals in the IBSS without going through an authentication process without going through a base station. If each terminal in IBSS1 has a security table, the security information of each terminal constituting IBSS1 is registered in this security table, and communication is performed at a minimum security level predetermined in IBSS1 or more. The minimum security level can be secured between terminals in the IBSS 1.
[0162]
Accordingly, processing operation when a connection request is received from a terminal WL34 that is not subscribed to IBSS1 in one of a plurality of terminals constituting the IBSS1, for example, the terminal WL31, that is, not registered in the security table. explain.
[0163]
Also in this processing operation, as in the sixth embodiment, the terminal WL31 preferably performs the processing operation as shown in FIG. 21, and the security information of the transmission source of the received data frame is stored in its own security table. If not registered, a notification to request authentication is transmitted to the transmission source of the data frame, that is, the terminal WL34. Thereafter, when an authentication frame is transmitted from the terminal WL34, a processing operation as shown in FIG. 23 is preferably performed. However, the terminal WL15 shown in FIG. 23 may be replaced with the terminal WL34. That is, the terminal WL34 writes the security level of the terminal WL34 in the authentication frame, writes at least one of the above (1) to (2), and transmits it to the terminal WL31. The terminal WL31 may receive the authentication frame from the terminal WL34 and perform the same processing operation as that of the terminal WL12 illustrated in FIG.
[0164]
In this way, even in the IBSS, it is possible to ensure a minimum security level predetermined for the IBSS.
[0165]
Also, in communication between a plurality of terminals, when one of the terminals is a terminal in the IBSS in which a security level to be protected at least is determined in advance, the security level can be ensured.
[0166]
As described in the first to seventh embodiments, each of the wireless communication devices constituting the wireless LAN, such as the base station and the terminal, has at least one (preferably a plurality of) security levels, and the following ( By providing the features shown in x1) to (x8), for example, wireless communication that secures a minimum security level by encryption predetermined for each basic group of wireless LAN such as BSS and IBSS, that is, for each communication group Can be realized. Further, in communication between a plurality of wireless communication devices, at least one of the plurality of wireless communication devices is a communication group in which a minimum security level, in other words, a minimum security level is predetermined, for example, When the wireless communication device is in the BSS or IBSS, a security level higher than the minimum level can always be ensured. In addition, among the following (x1) to (x8), the features that are not clearly described as being a base station are preferably functions that both the base station and the terminal should have in common.
[0167]
(X1) When a connection request is issued from the own apparatus to the first wireless communication apparatus, which is another wireless communication apparatus, the first wireless communication apparatus includes the first wireless communication function among the security levels of the own apparatus. At least one first security level that is a security level used in communication with the communication device is notified.
[0168]
(X2) When making a connection request to the first wireless communication device, the device itself is already connected to a second wireless communication device that is another wireless communication device different from the first wireless communication device Sometimes, a second security level, which is a security level used in communication with the second wireless communication apparatus, is notified.
[0169]
(X3) When the first wireless communication apparatus is a base station and the lowest security level connectable to the first wireless communication apparatus is broadcast, the lowest security level of the own apparatus is A security level higher than the level is selected, and this is notified when a connection request is made to the first wireless communication apparatus.
[0170]
(X4) When the first wireless communication apparatus is a base station, when a plurality of security levels connectable to the first wireless communication apparatus are broadcast, the broadcast of the security levels of the own apparatus A security level that matches any one of the plurality of security levels is selected, and the selected security level is notified when a connection request is made to the first wireless communication apparatus.
[0171]
(X5) When the own apparatus receives a connection request from a fourth wireless communication apparatus which is another wireless communication apparatus, A and at least the fourth wireless communication apparatus notified from the fourth wireless communication apparatus The third security level, which is the security level used for communication with the own device, is the security level of the own device, and the minimum is predetermined for the communication group (ie, BSS or IBSS) to which the own device belongs. When the level is equal to or higher than the level, the connection of the fourth wireless communication apparatus is permitted. (B) When at least the third security level is less than the minimum level, the connection with the fourth wireless communication apparatus is permitted. A third means for rejecting is provided.
[0172]
(X5 ′) In the third means, A the third security level is equal to or higher than a minimum level predetermined for a communication group to which the device belongs, and the fourth wireless communication device The security level used for communication with the fifth wireless communication device when already connected to the fifth wireless communication device, which is another wireless communication device different from the wireless communication device. When the security level of 4 is equal to or higher than the lowest level, connection with the fourth wireless communication device is permitted, and (b) when the third security level is lower than the lowest level, or 4 when the security level of 4 is less than the minimum level, or when the fourth wireless communication apparatus is already connected to the fifth wireless communication apparatus. When is unknown, it rejects the connection between the fourth wireless communication apparatus.
[0173]
(X7) When the own device is a base station, a fourth means for broadcasting a minimum security level predetermined for a communication group to which the own device belongs or a plurality of security levels equal to or higher than the lowest level is provided.
[0174]
(X8) When a plurality of security levels are notified from the fourth wireless communication apparatus, if the plurality of security levels are higher than the minimum level predetermined for the communication group to which the own apparatus belongs, And a fifth means for notifying the fourth wireless communication apparatus of the selected one.
[0175]
The method of the present invention described in the embodiment of the present invention is a program that can be executed by a computer, such as a magnetic disk (floppy disk, hard disk, etc.), an optical disk (CD-ROM, DVD, etc.), a semiconductor memory, etc. It can be stored in a medium and distributed.
[0176]
【The invention's effect】
As described above, according to the present invention, for each basic group (communication group) of wireless LAN, such as BSS and IBSS, wireless communication that secures a minimum security level by encryption predetermined for each group. Can be done. Further, in communication between a plurality of wireless communication devices, at least one of the plurality of wireless communication devices has a communication group (for example, BSS) in which a security level (minimum security level) to be protected at least is determined in advance. Or IBSS), the security level must be higher than the minimum level.
Can be kept.
[Brief description of the drawings]
FIG. 1 is a schematic diagram schematically showing a communication system according to an embodiment of the present invention.
2 is a block diagram showing an example of a circuit configuration of the base station shown in FIG. 1. FIG.
3 is a block diagram illustrating an example of a circuit configuration of the wireless terminal illustrated in FIG. 1;
4 is a schematic diagram showing a structure of a MAC frame defined in IEEE 802.11 that is transferred between a base station and a terminal in the communication system shown in FIG. 1. FIG.
5 is a table showing a specific example of a security table provided in a base station or a terminal in the communication system shown in FIG.
6 is a table showing another specific example of a security table for a base station or a terminal in the communication system shown in FIG. 1. FIG.
FIG. 7 is a flowchart for explaining an example of processing operations of a base station and a terminal in the communication system shown in FIG. 1;
8A is a schematic diagram showing an authentication frame structure defined in IEEE 802.11, which is transferred between a base station and a terminal in the communication system shown in FIG. 1, and FIG. 8B. These are tables showing the contents described in the frame items shown in (a).
9A to 9C show the structure of an association request frame and an association response frame defined in IEEE 802.11 transferred between a base station and a terminal in the communication system shown in FIG. It is a schematic diagram.
10 is a table showing a specific example of an updated security table provided in a base station or a terminal in the communication system shown in FIG.
11 is a schematic diagram showing the structure of a beacon frame defined in IEEE 802.11 directed from a base station to a terminal in the communication system shown in FIG. 1;
12 is a flowchart showing a processing procedure in which a base station is notified of a predetermined minimum security level from a base station to a BSS to which the base station belongs in the communication system shown in FIG.
FIG. 13 is a flowchart showing a processing procedure in which a security level is notified using an association response frame transferred between a base station and a terminal in the communication system shown in FIG. 1 and this security level is checked.
14A to 14C are structures of a reassociation request frame and a reassociation response frame defined in IEEE802.11 that are transferred between a base station and a terminal in the communication system shown in FIG. It is the schematic diagram which showed.
15 is a flowchart showing a processing procedure in which a security level is notified using a reassociation response frame transferred between a base station and a terminal in the communication system shown in FIG. 1, and this security level is checked. .
FIG. 16 is a block diagram schematically showing a communication system according to another embodiment of the present invention.
FIG. 17 is an example of a processing procedure on the side that has issued a connection request when a wireless communication device connected to another wireless communication device makes a connection request to another wireless communication device in the communication system shown in FIG. 16; It is a flowchart for demonstrating.
18 is an example of a processing procedure on the side that has issued a connection request when a wireless communication device connected to another wireless communication device further requests connection to another wireless communication device in the communication system shown in FIG. It is a flowchart for demonstrating.
FIG. 19 is a block diagram schematically showing a communication system according to still another embodiment of the present invention.
20 is a flowchart for explaining a processing procedure for wireless connection between terminals in the communication system shown in FIG. 19;
FIG. 21 is a flowchart for explaining an example of processing operations at terminals when wireless connection is established between terminals in the communication system shown in FIG. 19;
FIG. 22 is a block diagram schematically showing a communication system according to still another embodiment of the present invention.
23 is a flowchart for explaining another example of the processing operation in the terminal for wireless connection between the terminals in the communication system shown in FIG.
FIG. 24 is a block diagram schematically showing a communication system according to still another embodiment of the present invention.
[Explanation of symbols]
AP1, AP2 ... Base station (wireless base station device)
WL11 to WL16, WL31 to WL34... Terminal (wireless terminal apparatus)
11 ... Receiver
12 ... Transmitter
13: Reception control unit
14: Transmission control unit
20, 100 ... Antenna
21, 110 ... security table
101: Receiver
107: Transmitter
108 ... Information processing section

Claims (25)

A receiving unit that receives a first transmission frame having a first field in which a notification security level is described from a wireless communication device outside the wireless communication group ;
A memory unit storing a reference security level selected from an encryption method including non-encryption and a security level depending on encryption strength , and assigned to the wireless communication group;
The notification security level is compared with the reference security level to determine connection refusal or connection permission with a wireless communication device outside the wireless communication group, and a second field in which the determined connection refusal or connection permission is described A frame generator for generating a second transmission frame having;
A transmission unit for transmitting the second transmission frame to a wireless communication device outside the wireless communication group;
A wireless communication apparatus belonging to the wireless communication group. The reference security level is selected from first, second, and third security levels, the first security level corresponds to non-encryption, and the second security level is the first encryption in the first encryption. the equivalent to the encryption strength, the third wireless communication apparatus according to claim 1, the security level is equal to or corresponding to the second encryption strength of the first encryption. The frame generation unit determines connection rejection if the notification security level is lower than the reference security level, and determines connection permission if the notification security level is equal to or higher than the reference security level. Wireless communication device.   2. The wireless communication apparatus according to claim 1, wherein in the case of the connection permission, the memory unit holds an address of the wireless communication apparatus outside the wireless communication group and the notification security level. The radio communication apparatus according to claim 1, wherein the second transmission frame includes a third field in which an address specifying the radio communication group is described. In a wireless communication system including a first wireless communication device belonging to a wireless communication group and a second wireless communication device outside this wireless communication group, the first wireless communication device is
A receiving unit for receiving a first transmission frame having a first field in which a notification security level is described from the second wireless communication device;
A first memory unit storing a reference security level selected from an encryption method including non-encryption and a security level depending on encryption strength , and assigned to the wireless communication group;
A second field having a second field in which the notification security level is compared with the reference security level to determine connection refusal or connection permission with the second wireless communication device, and the determined connection refusal or connection permission is described; A first frame generator for generating two transmission frames;
A transmission unit for transmitting the second transmission frame toward the second wireless communication device;
A wireless communication system comprising: The reference security level is selected from first, second, and third security levels, the first security level corresponds to non-encryption, and the second security level is the first encryption in the first encryption. the equivalent to the encryption strength, the third wireless communication system of claim 6 in which the security level is equal to or corresponding to the second encryption strength of the first encryption. The first frame generation unit determines connection refusal if the notification security level is lower than the reference security level, and determines connection permission if the notification security level is equal to or higher than the reference security level. The wireless communication system according to claim 6.   The wireless communication system according to claim 6, wherein in the case of the connection permission, the first memory unit holds the address of the second wireless communication device and the notification security level. The wireless communication system according to claim 6, wherein the second transmission frame includes a third field in which an address for specifying the wireless communication group is described. The wireless communication system according to claim 6, wherein the second wireless communication apparatus includes a second memory unit that holds the reference security level and the address of the first wireless communication apparatus .   When the second wireless communication apparatus receives a second transmission frame having a second field in which connection rejection is described, the second wireless communication apparatus describes a second notification security level. 7. The wireless communication system according to claim 6, wherein a third transmission frame having a fourth field is transmitted to the first wireless communication apparatus.   The first memory holds encryption parameters associated with security levels and encryption levels supported by the first wireless communication device, and the reference security level is selected from the supported security levels. The wireless communication system according to claim 6. When the second wireless communication apparatus receives the second transmission frame having the second field in which connection permission is described, the second wireless communication apparatus stores the encrypted data stored therein. A fourth transmission frame having 5 fields is transmitted to the first wireless communication device, and the first wireless communication device decrypts encrypted data using the encryption parameter. Item 14. The wireless communication system according to Item 13. The first transmission frame has a first field in which a plurality of notification security levels supported by the first wireless communication device are described, and the frame generation unit sets each of the notification security levels. Compared with a reference security level, if all of the notification security levels are lower than the reference security level, a connection refusal is determined, and if one of the notification security levels is equal to or higher than the reference security level, a connection permission is determined. The wireless communication system according to claim 13.   The wireless communication system according to claim 6, wherein the notification security level corresponds to a maximum level of notification security levels supported by the second wireless communication apparatus.   The wireless communication device further comprises a third wireless communication device outside the wireless communication group, the third wireless communication device communicating with the second wireless communication device at the notification security level. Wireless communication system. A fourth wireless communication apparatus belonging to the wireless communication group, further comprising a fourth wireless communication apparatus communicating with the first wireless communication apparatus at a security level equal to or higher than the reference security level. The wireless communication system according to claim 6. A third wireless communication device outside the wireless communication group and communicating with the second wireless communication device at the notification security level;
A fourth wireless communication apparatus belonging to the wireless communication group, further comprising a fourth wireless communication apparatus communicating with the first wireless communication apparatus at a security level equal to or higher than the reference security level. The wireless communication system according to claim 6. The wireless communication system according to claim 6, wherein the first wireless communication apparatus corresponds to an access point. The wireless communication system according to claim 18, wherein the fourth wireless communication apparatus corresponds to an access point. The wireless communication system according to claim 19, wherein the fourth wireless communication apparatus corresponds to an access point. The wireless communication system according to claim 6, wherein the first wireless communication apparatus transmits a beacon frame or a probe response frame having a field in which the reference security level is described. The second wireless communication device is:
A second memory unit for storing a fourth security level including the notification security level and the reference security level extracted from the received beacon frame or probe response frame;
A second frame generation unit configured to determine one security level as the notification security level by comparing the fourth security level with the reference security level and generate the first transmission frame;
24. The wireless communication system according to claim 23, further comprising: Receiving a first transmission frame having a first field in which a notification security level is described from outside the wireless communication group ;
Selected from an encryption method including non-encryption and a security level depending on encryption strength , and storing a reference security level assigned to the wireless communication group;
The notification security level is compared with the reference security level to determine connection refusal or connection permission with a wireless communication device outside the wireless communication group, and a second field in which the determined connection refusal or connection permission is described Generating a second transmission frame having:
The wireless communication method, wherein the second transmission frame is transmitted to a wireless communication device outside the wireless communication group.

Images