JP5152354B2 - Wireless communication apparatus, network system, and communication method - Google Patents

Description

The present invention, for example, applicable wireless communication equipment to connect a home network to the Internet, to a Netw network system and a communication method.

  Content sent to the home via the Internet is usually sent to a personal computer. The personal computer stores downloaded compressed music data, image data, and the like. The user tries to reproduce these contents that have arrived at the personal computer by AV (audio and / or visual) equipment other than the personal computer. However, if there is no home network, it is difficult to realize such a request.

  As a network architecture, an Internet protocol system commonly called TCP / IP used in the Internet and an OSI reference model are known. The OSI reference model consists of seven layers: the first layer is the physical layer, the second layer is the data link layer, the third layer is the network layer, the fourth layer is the transport layer, the fifth layer is the session layer, The layer is a presentation layer, and the seventh layer is an application layer. The physical layer provides physical interconnection. Here, data is treated as a bit string. The data link layer secures a physical communication path with the communication partner and performs contention control. Here, data is handled in units such as more structured frames.

  TCP / IP is composed of four conceptual layers: a network interface layer, an Internet layer, a transport layer, and an application layer. These are built on the physical layer. Corresponding to the OSI reference model, data link layer → network interface layer, network layer → Internet layer, transport layer → transport layer, session layer / presentation layer / application layer → application layer. The network interface layer is a layer that ensures communication within one subnetwork. For example, PPP (Point-to-Point Protocol) that performs communication between two points corresponds.

  PPP (Point-to-Point Protocol) is a standard protocol used in dial-up IP connection. Data communication by a plurality of protocol authentications is provided on a line connected one-to-one. As a connection procedure, a link is established through 1) a link establishment request (2) authentication of a connected person and 3) information exchange for each protocol.

  As home networks, IEEE (Institute of Electrical and Electronics Engineers) 1394, Ethernet and other wired systems, and several wireless transmission systems have been proposed. IEEE 802.11, Bluetooth, Wireless 1394, etc. have been proposed as wireless transmission methods.

In recent years, the number of terminal devices connected to home networks has increased, and each terminal device is not limited to simply communicating with a specific target, but is also connected to the Internet, exceeding the LAN (Local Area Network). You can also refer from other networks. In order for a terminal device to participate in such a network, at least information can be passed from one LAN to another LAN, and information can be exchanged with other terminal devices in the network to which the terminal device is connected. A terminal device called a router is used.

  The general network architecture described above, for example, the TCP / IP protocol is also applied to the home network. It is desired from the viewpoint of protecting personal information that the home network is a secure network. Traditionally, a firewall has been set up between the public and private networks. This is to prevent unauthorized entry into a network called a cracker. However, such a home network is dependent on the installed firewall, and the home network is not open, which hinders the development of a wide variety of applications.

Accordingly, an object of the present invention, without installing a firewall, a wireless communication equipment capable of constructing a secure network, and to provide a Netw network system and a communication method.

To solve the problems described above, the invention of claim 1, the first identification information for identifying the end terminal device that will be connected by radio communication is read, and a control unit which performs authentication of the terminal device,
And a communication unit which is connected via a network to an information processing apparatus that associates and stores the second identification information for identifying the first identification information and the wireless communication device,
When communicating between terminal devices, an inquiry is made to the information processing device via the communication unit as to whether or not both of the terminal devices belong to the same group identified by the second identification information, and the result of the inquiry A wireless communication device that establishes terminal authentication when it is determined that both of the terminal devices belong to the same group .
The invention of claim 4 is a network system comprising an information processing device and a wireless communication device connected to the information processing device via a network, wherein a terminal device is connected to the wireless communication device by wireless communication. ,
The wireless communication device
First identification information for identifying the end terminal device that will be connected by radio communication is read, and a control unit which performs authentication of the terminal device,
And a communication unit which is connected via a network to an information processing apparatus that associates and stores the second identification information for identifying the first identification information and the wireless communication device,
When communicating between terminal devices, an inquiry is made to the information processing device via the communication unit as to whether or not both of the terminal devices belong to the same group identified by the second identification information, and the result of the inquiry If it is determined that both of the terminal devices belong to the same group, terminal authentication is established,
Information processing device
A communication unit connected via a network to a wireless communication device to which a terminal device is connected by wireless communication;
Storage means for associating and storing first identification information for identifying a terminal device and second identification information for identifying a wireless communication device ;
An inquiry about whether or not the first identification information of a plurality of terminal devices belongs to the same group of groups distinguished by the second identification information is received from the wireless communication device via the communication unit, and a determination for the inquiry is received from the communication unit. It is a network system which transmits to a wireless communication device via the network.

The invention of claim 7 comprises an information processing device and a wireless communication device connected to the information processing device via a network, wherein the terminal device is connected to the wireless communication device by wireless communication.
In the wireless communication device, first identification information for identifying a terminal device connected by wireless communication is read, and the terminal device is authenticated,
In the information processing device, the first identification information for identifying the terminal device and the second identification information for identifying the wireless communication device are stored in association with each other,
When performing communication between terminal devices, an inquiry is made to the information processing device via the communication unit as to whether both of the terminal devices belong to the same group identified by the second identification information,
When the information processing apparatus both of the terminal device is determined to belong to that group of same to a communication method to establish the terminal authentication.

According to the present invention, it is determined whether or not the identifier of the partner is in the same group as that of the user by looking at the identifier of the partner with which communication is performed. If they are in the same group, it is determined that inter-terminal authentication has been established, and a link is established. A secure network can be constructed and a home network can be opened without installing a firewall.
In the present invention, a secure network can be configured without installing a firewall. Therefore, there is an advantage that the home network is dependent on the firewall installed, and the problem that the home network does not become open does not occur.

1 is a block diagram showing a network system configuration according to an embodiment of the present invention. 1 is a block diagram showing a network system configuration according to an embodiment of the present invention. It is a block diagram which shows the structural example of the router in one Embodiment of this invention. In one Embodiment of this invention, it is a flowchart for demonstrating the authentication process of a data link level. 1 is a block diagram showing a network system configuration according to an embodiment of the present invention. In one Embodiment of this invention, it is a flowchart for demonstrating a terminal authentication process. 1 is a block diagram showing a network system configuration according to an embodiment of the present invention. 1 is a block diagram showing a network system configuration according to an embodiment of the present invention.

  Hereinafter, an embodiment of the present invention will be described. FIG. 1 shows an example of a system according to an embodiment. Reference numeral 1 indicates the Internet, and reference numeral 2 is an ISP (Internet Service Provider) as a server connected to the Internet 1. The ISP 2 includes a mail server, a DNS server, a proxy server, and the like, provides a normal Internet connection function, and includes an authentication database 3.

  Reference numeral 11 indicates a home, and reference numeral 12 indicates a home gateway such as a router. The ISP 2 and the router 12 are connected by ISDN (Integrated Services Digital Network), dedicated line, xDSL (x Digital Subscriber Line) such as ADSL (Asymmetric Digital Subscriber Line), and bidirectional access line 4 such as optical fiber. . When using ISDN, a DSU (Digital Service Unit) is inserted between the router 12 and the ISDN.

  It is also possible to use a cable TV line as the bidirectional access line 4 and connect a cable TV service company. The service company distributes audio and / or visual content via a cable television base station and a digital set-top box provided in the home 11. Such a cable TV service company is also a kind of ISP 2 that provides a connection service to the Internet.

  In one embodiment, a wired LAN indicated by reference numeral 13 and a wireless LAN indicated by reference numeral 14 are installed in the home 11. These wired LAN 13 and wireless LAN 14 constitute a home network. As the wireless LAN 14, IEEE802.11, Bluetooth, Wireless1394, or the like can be used. Note that the home network may include other networks. For example, a mobile phone may be connected via a wireless LAN, and the mobile phone and another device may be connected via Bluetooth. Although the present invention is characterized by connection control of devices connected wirelessly, in the present embodiment, an apparatus that is mixed with those connected by wire will be described.

  Terminal devices TE1, TE2, and TE3 are connected to the wired LAN 13. TE4 indicates a terminal device that is newly connecting to the wireless LAN. As terminal devices, audio equipment such as personal computers (desktop or notebook), CD (Compact Disc) players, television-related devices such as tuners and displays, and video recorders such as DVD (Digital Versatile Disc or Digital Video Disc) devices / Players, portable information devices, etc. can be connected. Furthermore, home appliances such as air conditioners and refrigerators can be connected to the home network.

  Various data is supplied from the ISP 2 via the router 12 to each of the terminal devices connected to the wired LAN 13 and the wireless LAN 14. For example, content data such as audio data and video data is supplied to the router 12. At the same time, terminal devices connected to the wired LAN 13 and / or the wireless LAN 14 can communicate with each other.

  In the case of a home network managed by ISP2, the terminal device has a unique identifier. The identifier is recorded in advance by the ISP 2 on a recording medium that can be attached to and detached from the terminal device (that is, a removable recording medium). As a recording medium, an IC card (also called a memory card) that records information in a flash memory, a magnetic card that records information on a magnetic material, a plastic card that records information as a graphic pattern such as a barcode, etc. An information recording medium that can be held can be used. In this embodiment, an IC card is used. Note that the IC card may have a function of a LAN card or the like in addition to the function of holding the identifier. The router 12 also has an identifier (ID: 0) of the router itself.

  The IC card in which the identifier (ID) is recorded can be attached to the router 12 and each terminal device. (ID: 1) is recorded on the IC card MS1 attached to the terminal device TE1, and (ID: 2) is recorded on the IC card MS2 attached to the terminal device TE2, and is attached to the terminal device TE3. In addition, (ID: 3) is recorded in the IC card MS3. Furthermore, (ID: 4) is recorded in the IC card MS4 attached to the terminal device TE4. It should be noted that the numbers attached to the IDs have the meaning of specifying the IDs and do not mean the data values. The data structure of the ID is a predetermined format such as a bit length, and is preferably encrypted.

  When the user tries to connect the terminal device TE4 to the wireless LAN 14, the ISP 2 issues a new identifier (ID: 4). That is, distribution of the IC card MS4 in which the identifier is recorded is received. FIG. 1 shows a stage where the user has obtained the IC card MS4. Then, the IC card MS4 is attached to the router 12 as shown in FIG. The router 12 reads the identifier (ID: 4) from the IC card MS4 and reads it into the router 12. In other words, (ID: 4) is pre-registered in the router 12.

  When the reading of the identifier of the router 12 is completed, the IC card MS4 is removed from the router 12 and mounted again in the terminal device TE4. When the terminal device TE4 communicates with the router 12, an identifier (ID: 4) is transmitted, whereby data link level authentication between the router 12 and the terminal device TE4 is performed. If necessary, an encryption key may be generated using an identifier (ID: 4), and the content of communication may be encrypted.

  In this manner, the data link level authentication can be performed by inserting the IC card MS4 into the router 12 and then inserting the IC card MS4 into the terminal device TE4. Thereby, it is possible to prevent an unauthorized person from stealing the contents of the communication of the wireless LAN 14. That is, a third party can be prevented from connecting to the wireless LAN 1 from outside the house where the router 12 is installed. Furthermore, in one embodiment, for the purpose of performing terminal authentication, the correspondence relationship between the router ID and the terminal device ID is registered in the database 3 provided in the ISP 2. The ID of the router 12 is denoted as HGWID.

  Information on the combination of the HGW ID of the router 12 and the ID of the terminal device is registered in advance in the database 3 provided in the ISP 2. As an example, the registration process for the database 3 is performed by the ISP 2 and a store when the terminal device is sold. For example, when the user purchases the terminal device TE4, the user brings a card in which the HGWID of the router 12 at home is recorded to the store. , ID: 4) is registered in the database 3 indicating the correspondence relationship. Along with the terminal device TE4, the user acquires the IC card MS4 in which (ID: 4) is recorded in advance.

  Of course, the registration method for the database 3 is not limited to this. For example, when a sales contract is made through the Internet 1 and the ISP 2, the ISP 2 or the order receiver receives the router HGW ID and the terminal device ID based on the information of the router to which the terminal device loaded with the software for communication is connected. Data indicating the correspondence relationship can be registered in the database 3.

  FIG. 3 schematically shows the configuration of the router 12. The router 12 has a wireless media access control unit indicated by reference numeral 21, a route control part indicated by reference numeral 22, a wireless control part indicated by reference numeral 23, an inquiry part indicated by reference numeral 24, and a reference numeral 25. It comprises an IC card interface 25, an access line media access control unit indicated by reference numeral 26, and a wired media access control unit indicated by reference numeral 27. The wireless media access control unit 21 controls transmission of data to the wireless LAN 14. The wired media access control unit 27 controls transmission of data to the wired LAN 13.

  A plurality of terminal devices are connected to each other wirelessly by the wireless control unit 23. The route control unit 22 is connected to the bidirectional access line 4. The inquiry unit 24 communicates with the ISP 2 via the wireless media access control unit 21, the route control unit 22, and the access line media access control unit 26, and inquires the ISP 2 about whether or not a new terminal device can be connected. The IC card interface 25 is an IC card interface and can read an identifier recorded in a predetermined format. Further, key data or the like can be recorded on the IC card as necessary.

  The data link level authentication process will be described with reference to the flowchart of FIG. This processing flow is a program that is installed in the router 12 or another computer and controls the wireless LAN 14. This program is recorded on a computer-readable recording medium as necessary. However, step S0 is a process of registering an ID in the database 3 in advance as described above, and is performed separately from the subsequent processes.

  In the first step S1, an IC card is inserted into the router 12. An identifier, for example, (ID: 4) recorded on the IC card is read via the IC card interface 25 of the router 12. Next, the IC card is returned (attached) to the terminal device TE4. At the time of communication, the terminal device TE4 notifies the router 12 of (ID: 4). The router 12 recognizes that it has the same ID as the ID read by the terminal device TE4. In this way, data link level authentication between the router 12 and the terminal device TE4 is established.

  Next, terminal authentication is performed. Terminal authentication is required regardless of whether it is wired or wireless, and is a process necessary for building a secure network even if a firewall is not installed. Hereinafter, terminal authentication will be described.

  FIG. 5 shows that the terminal devices TE1, TE2, and TE3 connected to the wired LAN 13 are equipped with IC cards MS1, MS2, and MS3, respectively, and the identifiers recorded on these IC cards are stored in the database 2 of ISP2. Indicates that it is registered. As a method for registering the identifier of the terminal device connected to the wired LAN 13 in the database 3, the same method as described above is possible.

  The flow of terminal authentication processing will be described with reference to FIG. This processing flow is a program that is installed in the router 12 or another computer and controls the wired LAN 13 and the wireless LAN 14. This program is recorded on a computer-readable recording medium as necessary. An ID registration process for the database is performed in advance.

  As an example, a case where the terminal device TE4 (ID: 4) performs communication with the terminal device TE3 (ID: 3) will be described. In step S11, the terminal device TE4 requests the terminal device TE3 to establish a link. In step S12, the terminal device TE3 that has received this request inquires the ISP 12 via the router 12 whether or not the terminal device TE4 belongs to the same group. The inquiry unit 24 of the router 12 cooperates to transmit the identifier (ID: 0) of the router 12 to the ISP 12. Desirably, the communication for authentication is encrypted.

  In step S13, the ISP 2 refers to the database 3. In step S14, it is checked whether (ID: 3) and (ID: 4) are in the same group. In the database 3, (1, 2, 3, 4) is registered as an ID with respect to (HGW ID: 0). Therefore, (ID: 3) and (ID: 4) are determined to be the same group.

  This result is transmitted from the ISP 2 to the router 12 via the bidirectional access line 4, the access line medium access control unit 26 and the route control unit 22, and further transmitted from the router 12 to the terminal device TE3. In the case of the same group, terminal authentication is established (step S15). In step S16, security between the terminal devices TE3 and TE4 is established. If it is determined in step S14 that they are not in the same group, terminal authentication is not established (step S17). In that case, security is not established. If the IC card is removed from the terminal device after the link is established in order to ensure the security of the home network, the establishment of security is invalidated.

  FIG. 7 shows a situation where a terminal device registered in another person's home network has brought it into their home network. The other terminal device is represented as TE10, the IC card is represented as MS10, and the identifier is represented as (ID: 10). In this case, the IC card MS10 is attached to the router 12, and the router 12 is made to read (ID: 10). As a result, authentication at the data link level is established. However, (ID: 10) is not registered in the database 2 of ISP 2 as the same group as the router 12 (HGW ID: 0). Therefore, terminal authentication is not established.

  This means that the terminal device TE10 can be connected to the Internet 1 and the person's home network via the router 12, but cannot communicate with the terminal device connected to the wired LAN 13 and the wireless LAN 14. means. That is, a terminal device having a data link level authentication mechanism using an IC card has an advantage that communication with the outside is possible via another home network having a similar mechanism.

  Further, FIG. 8 shows an example in which a terminal device such as TE4 is taken out of the home and communication is performed via the public access point 31. The terminal device TE4 is loaded with an IC card MS4 in which (ID: 4) is recorded. However, in this case, it is impossible to attach the IC card MS4 to the router 12 at a distant place, so that data link level authentication is omitted. However, it is possible for the public access point 31 to have a configuration capable of accepting pre-registration of an identifier using an IC card.

  The terminal device TE4 can access the Internet 1 through the public access point 31, and further can communicate with the terminal device of the home network of its own home. In that case, terminal authentication as described above is performed, and security is established only when terminal authentication is established. Thus, even a terminal device used in a home network can be taken out of the home and used.

  The present invention is not limited to the above-described embodiment of the present invention, and various modifications and applications can be made without departing from the gist of the present invention. For example, in the above-described embodiment, an example of a home network has been described. However, the present invention can be applied to a network in a company as well as a home.

DESCRIPTION OF SYMBOLS 1 ... Internet, 2 ... UNSP, 3 ... Database, 12 ... Router, 13 ... Wired LAN, 14 ... Wireless LAN, TE1-TE4, TE10 ... Terminal device, MS1 ~ MS4, MS10 ... IC card

Claims (8)

First identification information for identifying a terminal device connected by wireless communication is read, and a control unit that authenticates the terminal device;
A communication unit connected via a network to an information processing apparatus that stores the first identification information and second identification information for identifying the wireless communication apparatus in association with each other;
When communicating between the terminal devices, an inquiry is made to the information processing device via the communication unit as to whether or not both of the terminal devices belong to the same group identified by the second identification information. A wireless communication apparatus that establishes terminal authentication when it is determined as a result of the inquiry that both of the terminal apparatuses belong to the same group.   The wireless communication apparatus according to claim 1, wherein communication is encrypted using the first identification information.   The wireless communication apparatus according to claim 1, further comprising a wired communication unit. A network system comprising an information processing device and a wireless communication device connected to the information processing device via a network, wherein a terminal device is connected to the wireless communication device by wireless communication,
The wireless communication device
First identification information for identifying a terminal device connected by wireless communication is read, and a control unit that authenticates the terminal device;
A communication unit connected via a network to an information processing apparatus that stores the first identification information and second identification information for identifying the wireless communication apparatus in association with each other;
When communicating between the terminal devices, an inquiry is made to the information processing device via the communication unit as to whether or not both of the terminal devices belong to the same group identified by the second identification information. , If it is determined as a result of the inquiry that both of the terminal devices belong to the same group, the terminal authentication is established,
The information processing apparatus includes:
A communication unit connected via a network to a wireless communication device to which a terminal device is connected by wireless communication;
Storage means for associating and storing first identification information for identifying the terminal device and second identification information for identifying the wireless communication device;
An inquiry about whether or not the first identification information of a plurality of the terminal devices belongs to the same group of groups distinguished by the second identification information is received from the wireless communication device via the communication unit, and the inquiry A network system that transmits a determination on the wireless communication device via the communication unit.   The network system according to claim 4, wherein communication is encrypted using the first identification information.   The network system according to claim 4, further comprising a wired communication unit. In a network system comprising an information processing device and a wireless communication device connected to the information processing device via a network, wherein a terminal device is connected to the wireless communication device by wireless communication,
In the wireless communication device, first identification information for identifying a terminal device connected by wireless communication is read, and the terminal device is authenticated,
In the information processing device, first identification information for identifying the terminal device and second identification information for identifying the wireless communication device are stored in association with each other,
When communicating between the terminal devices, an inquiry is made to the information processing device via the communication unit as to whether or not both of the terminal devices belong to the same group identified by the second identification information. ,
A communication method for establishing terminal authentication when the information processing device determines that both of the terminal devices belong to the same group.   The communication method according to claim 7, wherein communication is encrypted using the first identification information.

Images