KR102140671B1 - Method and apparatus for registering and authenticating a device in a wireless communication system - Google Patents

Abstract

According to an embodiment of the present disclosure, in a wireless communication system, a gateway (GW) broadcasts a discovery advertisement message and, in response to the discovery advertisement message, includes information about the device from the device. Receiving a discovery response message, generating first security information for the device, transmitting a registration request message including information about the device and the first security information to the device, and from the device to the device When a registration response message including information and second security information is received, it is checked whether the second security information corresponds to the first security information, and for communication between the GW and the device based on the verification result The first authentication information to be used is transmitted to the device, the device is registered to the server based on the information on the device, and when the second authentication information for communication between the server and the device is received from the server, the first authentication information is used. 2 The authentication information is transmitted to the device together with the first authentication information.

Description

Method and device for performing device registration and authentication in a wireless communication system{METHOD AND APPARATUS FOR REGISTERING AND AUTHENTICATING A DEVICE IN A WIRELESS COMMUNICATION SYSTEM}

Various embodiments of the present disclosure relate to a method and apparatus for performing device registration and authentication in a wireless communication system.

Conventional gateways (GWs) are not agents for authentication or registration in an indoor environment such as a home or an office, but rather an agent for supporting the connection path between an external server/system and an indoor control device or service device and support them agent).

In addition, a Wi-Fi device that communicates with an indoor GW has several security problems in the process of registering/authenticating an access point (AP). This is because problems such as use of a service set identifier (SSID) and password exposure and key management that can be inferred during the registration/authentication process of the Wi-Fi device generally occur. Therefore, the Wi-Fi device generally uses a separate payload encryption method when transmitting and receiving privacy data through Wi-Fi communication.

In the process of privacy data encryption, a symmetric key generation method is mainly used. The symmetric key generation method generates a symmetric key based on a unique personal identification number (PIN)/key or password, and then uses the corresponding symmetric key as an encryption key through mutual sharing. It is the way.

A Wi-Fi device on a home network where a home service is provided is always assigned an account from a server and uses a corresponding security PIN and password. However, this method has a difficulty in connecting to the server at the time of server maintenance and device registration.

And, in the related art, a registration method using a one-way web server account is used as a method for authentication at the time of service registration of a Wi-Fi device, which has a problem of security vulnerability.

In addition, in the conventional symmetric key generation method for forming a secure channel, the PIN/key can be inferred, and if the symmetric key itself is also exposed to one another between the communication, a problem occurs in the secure channel.

One embodiment of the present disclosure proposes a method and apparatus for performing device registration and authentication in a wireless communication system.

In addition, an embodiment of the present disclosure provides a GW with a certificate issuance function targeting a Wi-Fi device, and enables the GW to perform registration of the Wi-Fi device as a server, thereby providing more secure authentication and high security. It proposes a method and apparatus to enable communication with the.

In addition, an embodiment of the present disclosure proposes a method and apparatus that can enhance authentication information security by using a certificate use method, which is an asymmetric key method, in the device authentication process.

In addition, an embodiment of the present disclosure proposes a method and apparatus for minimizing the possibility of a security threat and applying a more secure and convenient registration and authentication process by applying additional security techniques and technologies during registration and authentication.

Method according to an embodiment of the present disclosure; A method of performing a device registration and authentication by a gateway (GW) in a wireless communication system, in a process of broadcasting a discovery advertisement message, and in response to the discovery advertisement message, from a device to the device Receiving a discovery response message containing information, generating first security information for the device, and transmitting a registration request message including information about the device and the first security information to the device; When a registration response message including information about the device and second security information is received from the device, checking whether the second security information corresponds to the first security information and based on the verification result And transmitting the first authentication information to be used for communication between the GW and the device to the device, registering the device to the server based on information about the device, and from the server to the server and the device And when the second authentication information for inter-communication is received, transmitting the second authentication information together with the first authentication information to the device.

Another method according to an embodiment of the present disclosure; In a method of registering and authenticating a device in a wireless communication system, in a process of receiving a discovery advertisement message broadcast from a gateway (GW), and in response to the discovery advertisement message, to the device Transmitting a discovery response message including information on the GW, receiving a registration request message including information about the device and first security information from the GW, and based on the first security information Generating second security information, transmitting a registration response message including information on the device and the second security information to the GW in response to the registration request message, and the second security information Receiving, from the GW, first authentication information to be used for communication between the GW and the device based on whether or not it corresponds to the first security information, and the first authentication information and the second authentication generated by the server. And receiving information from the GW, communicating with the server based on the second authentication information.

Another method according to an embodiment of the present disclosure; In a method for a server to perform device registration and authentication in a wireless communication system, the method comprising: receiving a first registration request message including information about a gateway (GW) and first security information from the GW; 1 The process of determining whether the security information corresponds to the second security information stored in the server in response to the information on the GW, and the first authentication information for communication between the server and the GW based on the verification result. Generating, transmitting a first registration response message including the first authentication information to the GW, and receiving a second registration request message including the first authentication information and information about the device from the GW And, registering the device based on the information on the device and generating second authentication information for communication between the device and the server, and a second including the first authentication information and the second authentication information. And transmitting a registration response message to the GW.

An apparatus according to an embodiment of the present disclosure; In a gateway (GW) in a wireless communication system, a transmission/reception unit, a discovery advertisement message is broadcast, and in response to the discovery advertisement message, a discovery response message including information about the device from the device Control the transceiver to receive, generate first security information for the device, control the transceiver to send a registration request message containing information about the device and the first security information to the device, When a registration response message including information on the device and the second security information is received from the device, it is checked whether the second security information corresponds to the first security information, and based on the verification result, the GW And control the transceiver to transmit the first authentication information to be used for communication between the devices to the device, register the device to a server based on information about the device, and communicate between the server and the device from the server When receiving the second authentication information for, it includes a control unit for controlling the transmission and reception unit to transmit the second authentication information together with the first authentication information to the device.

Another device according to an embodiment of the present disclosure; In a device in a wireless communication system, a discovery advertisement message broadcast from a transmission/reception unit and a gateway (GW) is received, and in response to the discovery advertisement message, discovery includes information about the device Sends a response message to the GW, controls the transceiver to receive a registration request message including information about the device and first security information from the GW, and controls the second security information based on the first security information. Create, and in response to the registration request message, transmits a registration response message including information about the device and the second security information to the GW, and whether the second security information corresponds to the first security information Controls the transceiver to receive the first authentication information to be used for communication between the GW and the device from the GW based on whether the first authentication information and the second authentication information generated by the server are received from the GW When it does, it includes a control unit for controlling the transceiver to perform communication with the server based on the second authentication information.

Another apparatus according to an embodiment of the present disclosure; In a server in a wireless communication system, the transmission/reception unit controls the transmission/reception unit to receive a first registration request message including information about a gateway (GW) and first security information from the GW, and the first security Check whether the information corresponds to the second security information stored in the server in response to the information about the GW, generate first authentication information for communication between the server and the GW based on the verification result, and The first registration response message including the first authentication information is transmitted to the GW, and the transmission/reception unit is controlled to receive a second registration request message including the first authentication information and information on the device from the GW, and the Register the device based on information on the device, generate second authentication information for communication between the device and the server, and receive a second registration response message including the first authentication information and the second authentication information. It includes a control unit for controlling the transceiver to transmit to the GW.

According to an embodiment of the present disclosure, since the GW acts as a registration of a Wi-Fi device to a server in a wireless communication system such as a home network, registration of the Wi-Fi device may be performed even in a server offline environment. . Accordingly, in one embodiment of the present disclosure, there is an effect of reducing the setting and registration time for the Wi-Fi device.

In addition, according to an embodiment of the present disclosure, when a plurality of Wi-Fi devices that want to register as a server for service subscription exist, the GW can collectively register the plurality of Wi-Fi devices to the server. Therefore, there is an effect of reducing maintenance and repair costs.

In addition, in one embodiment of the present disclosure, since the registration process is performed based on a specific interface, security at the time of registration can be improved. In addition, an embodiment of the present disclosure has an advantage of enhancing security on a corresponding channel by performing mutual authentication through a certificate after device registration, and easily expanding a service based on a certificate.

1 is a view showing the configuration of a wireless communication system according to an embodiment of the present disclosure,
2 is a signal flow diagram illustrating a process in which a GW is registered with a server in a wireless communication system according to an embodiment of the present disclosure,
3 is a signal flow diagram illustrating a process in which a headless Wi-Fi device is registered in a GW in a wireless communication system according to an embodiment of the present disclosure,
4 is a signal flow diagram illustrating a process in which a display Wi-Fi device is registered in a GW in a wireless communication system according to an embodiment of the present disclosure,
5 is a signal flow diagram illustrating a process of GW registering a Wi-Fi device in a server in a wireless communication system according to an embodiment of the present disclosure;
6 is a flowchart illustrating an operation in which a GW is registered with a server in a wireless communication system according to an embodiment of the present disclosure,
7 is a flowchart illustrating an operation in which a server registers a GW in a wireless communication system according to an embodiment of the present disclosure,
8 is a flowchart illustrating an operation in which a headless Wi-Fi device is registered in a GW in a wireless communication system according to an embodiment of the present disclosure,
9 is a flowchart illustrating an operation in which a GW registers a headless Wi-Fi device in a wireless communication system according to an embodiment of the present disclosure,
10 is a flowchart illustrating an operation in which a display Wi-Fi device is registered in a GW in a wireless communication system according to an embodiment of the present disclosure,
11 is a flowchart illustrating an operation in which a GW registers a display Wi-Fi device in a wireless communication system according to an embodiment of the present disclosure,
12 is a flowchart illustrating an operation in which a GW registers a Wi-Fi device to a server in a wireless communication system according to an embodiment of the present disclosure,
13 is a flowchart illustrating an operation in which a server registers a Wi-Fi device through GW in a wireless communication system according to an embodiment of the present disclosure;
14 is a block diagram of a Wi-Fi device according to an embodiment of the present disclosure,
15 is a block diagram of a GW according to an embodiment of the present disclosure,
16 is a block diagram of a server according to an embodiment of the present disclosure.

Hereinafter, operation principles of various embodiments of the present disclosure will be described in detail with reference to the accompanying drawings. In the following description of various embodiments of the present disclosure, when it is determined that detailed descriptions of related well-known functions or configurations may unnecessarily obscure the subject matter of various embodiments of the present disclosure, detailed descriptions thereof will be omitted. And terms to be described later are terms defined in consideration of functions in various embodiments of the present disclosure, which may vary according to a user's or operator's intention or practice. Therefore, the definition should be made based on the contents throughout this specification.

Various embodiments of the present disclosure provide a method and apparatus for device registration and authentication in a wireless communication system. The devices proposed in various embodiments of the present disclosure may be home appliances such as washing machines, refrigerators, and televisions capable of wireless communication, mobile phones, or tablet PCs. However, the device is not limited to the above device and can be variously changed.

Hereinafter, as an example, the device is a device that performs Wi-Fi communication, and a method and apparatus for performing a registration and authentication process based on Wi-Fi communication will be described. However, the method and apparatus proposed in various embodiments of the present disclosure may be applied and used in a wireless communication system in which other communication is used in addition to the Wi-Fi communication. On the other hand, it should be noted that in the following, the terms certificate and authentication information may be used interchangeably.

Hereinafter, a wireless communication system according to an embodiment of the present disclosure will be described with reference to FIG. 1.

1 is a view showing the configuration of a wireless communication system according to an embodiment of the present disclosure.

Referring to FIG. 1, the wireless communication system may be configured in the form of a home network as an example, and includes a Wi-Fi device 100, a gateway (GW) 120, and a server 140.

The Wi-Fi device 100 represents a device included in the home network and capable of receiving and using a home network service from the server 140 based on Wi-Fi communication. The Wi-Fi device 100 is a Wi-Fi device including a display unit such as a mobile terminal and a TV (hereinafter referred to as a “display Wi-Fi device”) and a Wi-Fi device that does not include a display unit such as a refrigerator and a washing machine. Fi device (hereinafter referred to as a'headless (headless) Wi-Fi device').

The Wi-Fi device 100 needs to be registered with the server 140 connected to an external network and an access point (AP) in order to receive a service. In order for the Wi-Fi device 100 to be registered with the server 140, the registration process for the GW 120 of the Wi-Fi device 100 must be performed first. This is because when the Wi-Fi device 100 is registered with the GW 120, the GW 120 performs a registration process with the server 140 for the Wi-Fi device 100. That is, registration of the Wi-Fi device 100 to the server 140 is performed through the GW 120.

When the Wi-Fi device 100 is registered, the GW 120 transmits information about the Wi-Fi device 100 to the server 140. Then, the server 140 allocates unique authentication information to the Wi-Fi device 100 and transmits the authentication information to the GW 120, thereby transmitting the authentication information to the Wi-Fi device 100. To be able to.

The above process may be performed in a background mode, and authentication information between the Wi-Fi device 100 and the GW 120 and authentication information between the GW 120 and the server 140 may be performed. It can be performed through a secure channel based.

To this end, the GW 120 has a function of issuing a self-signed certificate, and assigns authentication information 115 to the Wi-Fi device 100 to be registered. The authentication information 115 of the Wi-Fi device 100 is a public authority of a certificate authority (CA) or a sub CA that issued the corresponding authentication information of the GW 120 ( 115), which may be provided through an SDK or the like.

When the authentication information 115 is obtained, the Wi-Fi device 100 is obtained. Based on the authentication information 115, a one-way authentication channel may be formed that is authenticated by the GW 120 and performs registration with the GW 120. And, as the server 140 and the GW 120 have authentication information 135 and 145 issued from the same root/sub CA, a channel for two-way authentication is formed upon mutual access. can do.

Meanwhile, the Wi-Fi device 100 and the GW 120 may each include interfaces 110 and 130 that generate a registration event for performing a registration process. The interface 110 or 130 may be a physical button or a specific menu capable of selecting (inputting or clicking) from a user configured in a web page or application.

The Wi-Fi device 100 and the GW 120 may perform a registration process for a preset time when the registration event occurs, and a registration process for other times (eg, after a preset time). Do not perform. To this end, the Wi-Fi device 100 and the GW 120 may each drive a timer having a preset time when a registration event occurs.

Hereinafter, a method of registering and authenticating a Wi-Fi device performed in the wireless communication system as shown in FIG. 1 will be described in detail.

In one embodiment of the present disclosure, in order for the Wi-Fi device 100 to be registered in the server 140, the following four processes must be largely performed. (Processes (2-1) and (2-2) of the following four processes may alternatively be performed depending on the characteristics (with or without display) of the Wi-Fi device.)

(1) The process in which the GW 120 is registered in the server 140

(2-1) The process of registering the Wi-Fi device (headless Wi-Fi device) 100 to the GW 120

(2-2) The process of registering the Wi-Fi device (display Wi-Fi device) 100 to the GW 120

(3) The process of the GW 120 registering the Wi-Fi device 100 to the server 140

Hereinafter, the above four processes will be described with reference to FIGS. 2 to 5, respectively.

(1) The process in which the GW 120 is registered in the server 140

2 is a signal flow diagram illustrating a process in which a GW is registered with a server in a wireless communication system according to an embodiment of the present disclosure.

Referring to FIG. 2, when the user 150 wants to register the GW 120 as the new GW to the server 140, the user name and password associated with the GW 120 are newly registered. Generated as GW information. In addition, the user 150 transmits the new GW information to the server 140 to register the new GW information in step 200. Then, the server 140 receives and registers the new GW information, and provides the user 150 with registration status information indicating whether the new GW information is registered in step 202.

The operation between the user 150 and the server 140 may be performed based on a server management web page (or application). For example, the user 150 selects a menu that allows a new GW to be registered by logging in to the server management web page. Then, the user 150 transmits the new GW information to the server 140 through the selected menu, and the server 140 displays the registration result of the new GW information on the corresponding web page, thereby allowing the user ( 150) may provide the registration status information.

When it is confirmed that the new GW information is registered in the server 140 through the registration status information, the user 150 generates a registration event in step 206. As described above, the registration event may be generated by the user 150 through a separate interface. Hereinafter, it will be described as an example that the registration event is generated by the push (or touch) of the "registration button".

The GW 120 enters a registration mode when the registration event occurs, and drives a timer in step 208. The timer may be set to a duration (duration time, for example, 3 minutes) in which the registration process can be continued. Depending on the implementation, the duration of the timer may be adjusted.

When the GW 120 enters the registration mode, the user 150 accesses the web page of the GW 120 in step 210 to input the user name and password as the new GW information registered in the server 140. Enter. Then, in step 212, the GW 120 transmits a registration request message including the user name, password, and MAC address of the GW 120 to the server 140. Here, the registration request message may be transmitted to the server 140 in the form of HTTP Send Post (HTTPS) using the HTTP Post method.

When the registration request message is received, the server 140 determines whether the user name and password included in the registration request message match the previously registered user name and password. The server 140, if it is determined that the user name and password included in the registration request message matches the previously registered user name and password, the GW 120 as the authentication information identifier (identifier: ID) and password Assigns

In addition, the server 140 transmits the assigned ID and password to the GW 120 through an HTTP POST message or the like in step 214. On the other hand, the ID assigned to the GW 120 may be a unique ID or a Jabber ID, and the assigned password is a GW management password used by the server 140 to manage the GW 120. Can be.

In step 216, the GW 120 stores the ID and password allocated from the server 140 as authentication information for mutual authentication with the server 140. In addition, the server 140 stores the ID and password of the GW 120 in step 218 and registers the GW 120 as a new GW. On the other hand, when the timer expires in step 220, the GW 120 releases the registration mode and ends all registration processes.

When the GW 120 is registered in the server 140 through the above process, and the ID and password are stored as authentication information for the GW 120 in the GW 120 and the server 140, respectively. In step 222, the GW 120 and the server 140 may form a channel capable of mutual authentication based on the authentication information to perform communication.

(2-1) Above Wi - Fi device( Headless Wi - Fi device)( 100) remind GW(120) Course to be registered

3 is a signal flow diagram illustrating a process in which a headless Wi-Fi device is registered with a GW in a wireless communication system according to an embodiment of the present disclosure.

In FIG. 3, the case where the Wi-Fi device 100 is a headless Wi-Fi device will be described.

Referring to FIG. 3, in order for the Wi-Fi device 100 to be registered to the GW 120, network pairing must first be performed. To this end, the Wi-Fi device 100 performs an operation for pairing the network with the AP 160 in the home network, as shown in steps 300 to 308.

Specifically, in the Wi-Fi device 100 and the AP 160, the registration button (eg, a Wi-Fi protected setup (WPS) button) is pressed by the user 150 in steps 300 and 302. Accordingly, when a registration event occurs, each timer is started and the registration mode is entered.

The Wi-Fi device 100 obtains a Wi-Fi network Internet protocol (IP) from the GW 120, and the AP 160 based on the obtained Wi-Fi network IP in step 304 Connect to. When the Wi-Fi device 100 is connected, the AP 160 assigns an IP address to the Wi-Fi device 100 in step 306. Then, the Wi-Fi device 100 performs network pairing based on the assigned IP address in step 308.

When the Wi-Fi device 100 is network-paired, the user 150 may generate a registration event by pressing the registration buttons of the Wi-Fi device 100 and the GW 120. The Wi-Fi device 100 and the GW 120 drive a timer for performing a registration process when a registration event occurs in steps 310 and 312, respectively.

The user 150 may access the GW management web page (or application) and request the GW 120 to provide information about the currently registerable Wi-Fi device in a product registration page menu or the like. Accordingly, the GW 120 performs a discovery operation for detecting the corresponding Wi-Fi device. The discovery operation may be performed based on a simple service discovery protocol (SSDP)/multicast domain name system (mDNS) or another discovery protocol.

In step 314, the GW 120 broadcasts a discovery advertisement message. Then, the Wi-Fi device 100 receives the discovery advertisement message and transmits the discovery response message to the GW 120 in step 316. Here, the discovery response message may include information about the Wi-Fi device 100 (eg, a Wi-Fi MAC address, IP address, etc.).

When the discovery response message is received, the GW 120 may provide information on the detected Wi-Fi device to the user 150 as shown in Table 1 below.

Device information MAC address Unique ID Node ID Status information OK button Ref...etc IEEE address - IP address Preparations
(Ready) [Selection] ... ... ... ... ... ...

Referring to Table 1, the device information indicates an identification number of the Wi-Fi device 100, device type information, etc., and the MAC address indicates a MAC address of the Wi-Fi device 100, and the Unique ID represents the ID assigned from the server 140 (because the Wi-Fi device 100 is registered to the GW 120, the corresponding information is not included in Table 1), and the Node ID is Represents the IP address of the Wi-Fi device 100, and the status information indicates information indicating whether the Wi-Fi device 100 can be registered with the GW 120 (or is in a registration mode). The confirmation button indicates an interface for the user 150 to select the Wi-Fi device 100 as a device to be registered with the GW 120. When the user 150 selects the Wi-Fi device 100 as a device to be registered to the GW 120 through the confirmation button, the GW 120 determines the Wi-Fi device 100 in step 318. Send a registration request message. Here, the registration request message may include a password for checking message integrity and may be transmitted. The password may be randomly generated by the GW 120.

When the registration request message is received, the Wi-Fi device 100 includes a password included in the registration request message in step 320, a device type of the Wi-Fi device 100, a Wi-Fi MAC address, and the like. The registered registration response message is transmitted to the GW 120. Here, the registration response message may be transmitted in the form of an HTTP Post message. And, as the registration response message is transmitted, a one-way transport layer security (TLS) session may be established between the Wi-Fi device 100 and the GW 120.

The GW 120 performs an integrity check on the registration response message based on whether the password included in the registration response message and the password included in the registration request message transmitted in step 318 are the same. When the two passwords are the same, the GW 120 determines that the registration response message has integrity. And the GW 120 generates a certificate and a private key (PKCS#12 or PEM) as authentication information for the Wi-Fi device 100 in step 322, and the generated certificate in step 324 and The secret key is transmitted to the Wi-Fi device 100.

Then, the Wi-Fi device 100 stores the certificate and the secret key in step 326, and after the registration process is over, a channel capable of mutual authentication with the GW 120 based on the certificate and secret key in step 328. By establishing (bidirectional TLS session), communication can be performed.

(2-2) Above Wi - Fi Device (display Wi - Fi device)( 100) remind GW(120) Course to be registered

4 is a signal flow diagram illustrating a process in which a display Wi-Fi device is registered in a GW in a wireless communication system according to an embodiment of the present disclosure.

In FIG. 4, the case where the Wi-Fi device 100 is a display Wi-Fi device will be described.

Referring to FIG. 4, in order for the Wi-Fi device 100 to be registered to the GW 120, network pairing must first be performed. To this end, the Wi-Fi device 100 performs an operation for pairing the network with the AP 160 in the home network, as shown in steps 400 to 404.

The Wi-Fi device 100 obtains a Wi-Fi network IP from the GW 120, and accesses the AP 160 based on the obtained Wi-Fi network IP in step 400. When the Wi-Fi device 100 is connected, the AP 160 assigns an IP address to the Wi-Fi device 100 in step 402. Then, the Wi-Fi device 100 performs network pairing based on the assigned IP address in step 404.

When the Wi-Fi device 100 is network-paired, the user 150 may generate a registration event by pressing the registration button of the GW 120. When the registration event occurs in step 406, the GW 120 drives a timer for performing the registration process.

The user 150 may access the GW management web page (or application) and request the Wi-Fi device that can be currently registered from the product registration page menu to the GW 120. Accordingly, the GW 120 performs a discovery operation for detecting a Wi-Fi device. The discovery operation may be performed based on SSDP/mDNS or another discovery protocol.

In step 408, the GW 120 broadcasts a discovery advertisement message. Then, the Wi-Fi device 100 receives the discovery advertisement message and transmits the discovery response message to the GW 120 in step 410. Here, the discovery response message may include information about the Wi-Fi device 100 (Wi-Fi MAC address, IP address, etc.).

When the discovery response message is received, the GW 120 may provide information about the detected Wi-Fi device to the user 150. The detected Wi-Fi information may be provided to the user 150 in the form as shown in Table 1 described above.

When the user 150 selects the Wi-Fi device 100 as a device to be registered in the GW 120 based on the detected information on the Wi-Fi device, the GW 120 is generated in step 411. Create a personal identification number (PIN). The GW 120 transmits the PIN to the Wi-Fi device 100 in step 412 by including the PIN in the registration request message. Here, the PIN may be used to check the integrity of the registration request message, and may be composed of numbers or letters randomly generated by the GW 120.

When the registration request message is received, the Wi-Fi device 100 displays an input window on the display unit capable of receiving the same PIN as the PIN included in the registration request message from the user 150. Then, in step 414, the Wi-Fi device 100, when the user 150 enters a PIN in the input window, the input PIN in step 416 and the device type and Wi-Fi of the Wi-Fi device 100. The registration response message including the Fi MAC address and the like is transmitted to the GW 120. Here, the registration response message may be transmitted in the form of an HTTP Post message, and a one-way TLS session may be formed as the registration response message is transmitted.

The GW 120 performs an integrity check on the registration response message based on whether the PIN included in the registration response message and the PIN included in the registration request message transmitted in step 412 are the same. When the two PINs are the same, the GW 120 determines that the registration response message has integrity. Then, the GW 120 generates a certificate and secret key (PKCS#12 or PEM) for the Wi-Fi device 100 in step 418, and the generated certificate and secret key in step 420 is the Wi-Fi. It transmits to the device 100.

Then, the Wi-Fi device 100 stores the certificate and the secret key in step 422, and after the registration process ends, a channel capable of mutual authentication with the GW 120 based on the certificate and secret key in step 424. By establishing (bidirectional TLS session), communication can be performed.

(3) above GW(120) remind Wi - Fi The process of registering the device 100 to the server 140

As the processes (1), (2-1) or (2-2) are performed, the GW 120 is registered in the server 140, and the Wi-Fi device 100 is connected to the GW 120 ), the GW 120 performs an operation as a registration agent that registers the Wi-Fi device 100 with the server 140. This will be described with reference to FIG. 5 as follows.

5 is a signal flow diagram illustrating a process in which a GW registers a Wi-Fi device to a server in a wireless communication system according to an embodiment of the present disclosure.

Referring to FIG. 5, when the GW 120 establishes a mutual authentication channel with the server 140 in step 500 as a result of the process (1), in step 502, the (2-1) or (2- 2) A registration request message requesting registration for the Wi-Fi device 100 registered through the process is transmitted to the server 140. Here, the registration request message includes information of the Wi-Fi device 100, such as a device type and a Wi-Fi MAC address, of the GW 120 allocated from the server 120 in the process (1). ID and password (hereinafter referred to as'GW authentication information') may be included.

When the registration request message is received, the server 140 determines the integrity of the registration request message by determining whether the GW authentication information included in the registration request message matches the GW authentication information registered in the server 140. Check. If the server 140 determines that the GW authentication information included in the registration request message matches the GW authentication information registered in the server 140, it determines that the registration request message has integrity.

Then, in step 504, the server 140 generates authentication information (ID and password) for the Wi-Fi device 100 according to the registration request message and registers the Wi-Fi device 100. Subsequently, the server 140 transmits the generated authentication information to the GW 120 in step 506, and the GW 120 receives the authentication information in step 508 and transmits it to the Wi-Fi device 100. do. Then, the Wi-Fi device 100 stores the received authentication information in step 510, and then communicates with the server 140 using the stored authentication information.

Next, the operation of each of the Wi-Fi device 100, the GW 120, and the server 140 according to an embodiment of the present disclosure will be described in detail.

6 is a flowchart illustrating an operation in which a GW is registered with a server in a wireless communication system according to an embodiment of the present disclosure.

Referring to FIG. 6, when a registration event occurs in step 600, the GW 120 enters a registration mode in step 602 and drives a timer. And the GW 120 is the user name of the GW 120 that the user 150 registered as new GW information in the server 140 through a web page or a separate application of the GW 120 in step 604. Acquire a password.

Subsequently, the GW 120 transmits a registration request message including the obtained user name and password and the MAC address of the GW 120 to the server 140 for registration with the server 140. In step 608, the GW 120 determines whether authentication information (ID, password) used for mutual authentication between the GW 120 and the server 140 is received from the server 140, and the authentication information is If received, in step 610, the received authentication information is stored. Then, the GW 120 may perform communication by forming a channel capable of mutual authentication with the server 140 based on the stored authentication information.

7 is a flowchart illustrating an operation of a server registering a GW in a wireless communication system according to an embodiment of the present disclosure.

Referring to FIG. 7, when the server 140 receives new GW information including a user name and password from a user through a server management web page (or an application) in step 700, the server 140 stores the received new GW information.

In addition, when the registration request message is received from the specific GW (eg, the GW 120) in step 702, the server 140 includes the user name, password and the stored user name included in the registration request message in step 704. , Compare whether the password is the same.

If the user name, password and the stored user name and password included in the registration request message are the same in step 706, the server 140 proceeds to step 708 to generate authentication information (ID, password) for a specific GW. In step 710, the generated authentication information is transmitted to a specific GW. The generated authentication information may then be used to form a channel capable of mutual authentication with the GW 120 to perform communication.

8 is a flowchart illustrating an operation in which a headless Wi-Fi device is registered in a GW in a wireless communication system according to an embodiment of the present disclosure.

Referring to FIG. 8, the headless Wi-Fi device performs a network pairing operation through communication with the AP 160 in step 800, and determines whether a registration event occurs in step 802. When the registration event occurs, the headless Wi-Fi device enters the registration mode in step 804 and drives a timer.

Then, when the discovery advertisement message is received from the GW 120 in step 806, the headless Wi-Fi device transmits a discovery response message to the GW 120. Here, the discovery response message may include information about the headless Wi-Fi device (Wi-Fi MAC address, IP address, etc.).

In step 808, the headless Wi-Fi device determines whether a registration request message is received from the GW 120. When the registration request message is received, the headless Wi-Fi device detects a password for checking the integrity of the message included in the registration request message. Then, the headless Wi-Fi device transmits a registration response message including the detected password, the device type of the headless Wi-Fi device, and the Wi-Fi MAC address to the GW 120 in step 810.

When the message integrity of the registration response message is checked based on the detected password, the headless Wi-Fi device receives and stores a certificate and a secret key from the GW 120 in step 812. Then, the headless Wi-Fi device can perform communication by forming a channel capable of mutual authentication with the GW 120 based on the stored certificate and secret key after the registration process is completed.

9 is a flowchart illustrating an operation in which a GW registers a headless Wi-Fi device in a wireless communication system according to an embodiment of the present disclosure.

Referring to FIG. 9, when the registration event occurs in step 900, the GW 120 enters the registration mode in step 902 and drives a timer. The GW 120 broadcasts a discovery advertisement message in step 904 when a request for information on a Wi-Fi device that can be registered from the user 150 is requested. Meanwhile, the user 150 may access the GW management web page (or application) and perform the above request through a product registration page menu.

The GW 120 determines whether a discovery response message is received in operation 906. When the discovery response message is received, the GW 120 provides the user with information about the Wi-Fi device that has transmitted the discovery response message in operation 908. Then, when the headless Wi-Fi device is selected by the user 150 in step 910, the GW 120 requests a registration including a password for checking the integrity of the message to the selected headless Wi-Fi device in step 912. Send a message.

Subsequently, when the registration response message including the device type, the Wi-Fi MAC address and the password is received from the headless Wi-Fi device in step 914, the GW 120 requests the registration from the password included in the registration response message. The integrity of the registration response message is checked based on whether it is the same as the password included in the message. When the GW 120 determines that the registration response message has integrity as a result of the check in step 916, the GW 120 generates a certificate and a secret key for the headless Wi-Fi device to generate the headless Wi-Fi device 100. ). The generated certificate and secret key may be used to form a channel capable of mutual authentication between the GW 120 and the headless Wi-Fi device.

10 is a flowchart illustrating an operation in which a display Wi-Fi device is registered in a GW in a wireless communication system according to an embodiment of the present disclosure.

Referring to FIG. 10, the display Wi-Fi device performs a network pairing operation through communication with the AP 160 in step 1000. In addition, when a discovery advertisement message is received from the GW 120 in step 1002, the display Wi-Fi device transmits a discovery response message to the GW 120. Here, the discovery response message may include information about the display Wi-Fi device (Wi-Fi MAC address, IP address, etc.).

In step 1004, the display Wi-Fi device determines whether a registration request message is received from the GW 120. When the registration request message is received, the display Wi-Fi device detects a PIN for checking the integrity of the message included in the registration request message. In addition, the display Wi-Fi device displays an input window capable of receiving the same PIN as the detected PIN from the user 150 on the display unit. The display Wi-Fi device receives a PIN from the user 150 through the input window in step 1006, the input PIN in step 1008, the device type of the display Wi-Fi device, and a Wi-Fi MAC address The registration response message including the like is transmitted to the GW 120.

When the message integrity of the registration response message is checked based on the input PIN, the display Wi-Fi device receives and stores a certificate and a secret key from the GW 120 in step 1010. Then, the display Wi-Fi device can perform communication by forming a channel capable of mutual authentication with the GW 120 based on the stored certificate and secret key after the registration process is completed.

11 is a flowchart illustrating an operation in which a GW registers a display Wi-Fi device in a wireless communication system according to an embodiment of the present disclosure.

Referring to FIG. 11, when the registration event occurs in step 1100, the GW 120 enters the registration mode in step 1102 and drives a timer. The GW 120 broadcasts a discovery advertisement message in step 1104 when a request for information on a Wi-Fi device that can be registered from the user 150 is requested. Meanwhile, the user 150 may access the GW management web page (or application) and perform the above request through a product registration page menu.

In step 1108, the GW 120 determines whether a discovery response message is received. When the discovery response message is received, the GW 120 provides the user with information about the Wi-Fi device that has transmitted the discovery response message in step 1110. Then, when the display Wi-Fi device is selected by the user 150 in step 1112, the GW 120 sends a registration request message including a PIN for checking message integrity to the selected display Wi-Fi device in step 1114. Send.

Subsequently, when the registration response message including the device type, Wi-Fi MAC address and PIN is received from the display Wi-Fi device in step 1116, the GW 120 receives the registration request message from the PIN included in the registration response message. The integrity of the registration response message is checked based on whether it is the same as the PIN included in.

Then, when it is determined in step 1118 that the registration response message has integrity as a result of the check, in step 1118, a certificate and a secret key for the display Wi-Fi device are generated and transmitted to the display Wi-Fi device. The generated certificate and secret key may be used to form a channel capable of mutual authentication between the GW 120 and the display Wi-Fi device.

12 is a flowchart illustrating an operation in which a GW registers a Wi-Fi device to a server in a wireless communication system according to an embodiment of the present disclosure.

Referring to FIG. 12, when the Wi-Fi device 100 is registered in step 1200 and a mutual authentication channel is established with the server 140, the GW 120 registers the Wi-Fi device 100. A request message (device type, Wi-Fi MAC address, GW authentication information) is transmitted to the server 140. Here, the GW authentication information is transmitted to the server 140 as information for message integrity of the registration request message.

When the authentication information (ID and password) for the Wi-Fi device 100 is received from the server 140 in step 1202, the GW 120 receives the received authentication information (ID and password) in step 1204. It transmits to the Wi-Fi device 100.

13 is a flowchart illustrating an operation in which a server registers a Wi-Fi device through GW in a wireless communication system according to an embodiment of the present disclosure.

Referring to FIG. 13, the server 140 establishes a mutual authentication channel with the GW 120 in step 1300, and a registration request message for the Wi-Fi device 100 from the GW 120 in step 1302. (Device type, Wi-Fi MAC address, GW authentication information).

Then, the server 140 checks the integrity of the registration request message based on the GW authentication information in step 1304, and based on the check result in step 1306, that is, if it is determined that the registration request message has integrity, the The authentication information (ID, password) for the Wi-Fi device 100 is generated and the Wi-Fi device 100 is registered. Subsequently, the server 140 transmits authentication information (ID, password) for the Wi-Fi device 100 to the GW 120 in step 1308.

Next, an internal configuration of each of the Wi-Fi device 100, the GW 120, and the server 140 according to an embodiment of the present disclosure will be described in detail.

14 is a block diagram of a Wi-Fi device according to an embodiment of the present disclosure.

Referring to FIG. 14, the Wi-Fi device 100 includes a wireless unit 1400, a display unit 1402, a key input unit 1404, a memory 1406, and a control unit 1408.

The wireless unit 1400 is a component for performing wireless communication of the Wi-Fi device 100 and may include an interface for Wi-Fi communication.

In addition, the display unit 1402 displays various information generated according to the operation of the Wi-Fi device 100, and the key input unit 1404 is a component unit for receiving input from a user.

The display unit 1402 and the key input unit 1404 may exist as one physical configuration unit when the Wi-Fi device 100 is a touch screen type device. In addition, the display unit 1402 may not be included in the Wi-Fi device 100 when the Wi-Fi device 100 is a headless Wi-Fi device.

The memory 1406 stores authentication information (ID and password, etc.) obtained during the registration and authentication process of the Wi-Fi device 100 and various information generated according to the operation of the Wi-Fi device 100. .

The control unit 1408 controls the overall operation of the Wi-Fi device 100 by controlling the wireless unit 1400, the display unit 1402, the key input unit 1404, and the memory 1406. In particular, the control unit 1408 controls the components so that the operation of the Wi-Fi device according to the above-described steps (2-1), (2-2) and (3) is performed.

15 is a block diagram of a GW according to an embodiment of the present disclosure.

Referring to FIG. 15, the GW 120 includes a wireless unit 1500, a key input unit 1504, a memory 1506 and a control unit 1508.

The wireless unit 1500 is a component for performing wireless communication of the GW 120 and may include an interface for performing communication with the Wi-Fi device 100 and the server 140.

In addition, the key input unit 1504 may include a key that generates a registration event to enter a registration mode, for example, as a configuration unit for receiving input from a user.

The memory 1506 stores authentication information (ID and password, etc.) obtained during the registration and authentication process of the GW 120 and various information generated according to the operation of the GW 120.

The control unit 1508 controls the overall operation of the GW 120 by controlling the wireless unit 1500, the key input unit 1504, and the memory 1506. In particular, the control unit 1508 controls the components to perform the operation of the GW according to the processes (1), (2-1), (2-2), and (3) described above.

16 is a block diagram of a server according to an embodiment of the present disclosure.

Referring to FIG. 16, the server 140 includes a wireless unit 1600, a memory 1606, and a control unit 1608.

The wireless unit 1600 is a component for performing wireless communication of the server 140 and may include an interface for performing communication with the GW 120.

In addition, the memory 1606 may be generated according to the authentication information (ID and password, etc.) obtained during the registration and authentication process of the GW 120 and the Wi-Fi device 100 and the operation of the server 140. Store information.

The control unit 1608 controls the overall operation of the server 140 by controlling the wireless unit 1600 and the memory 1606. In particular, the control unit 1608 controls the components to perform the operation of the server according to the above-described processes (1) and (3).

On the other hand, in the detailed description of the present disclosure, specific embodiments have been described, but various modifications are possible without departing from the scope of the present disclosure. Therefore, the scope of the present disclosure should not be limited to the described embodiments, but should be determined not only by the scope of the claims described below, but also by the scope and equivalents of the claims.

Claims (24)

In the gateway (GW) in the wireless communication system to perform the device registration and authentication,
The process of broadcasting a discovery advertisement message,
In response to the discovery advertisement message, receiving a discovery response message containing information about the device from the device,
Generating first security information for the device, and transmitting a registration request message including information on the device and the first security information to the device,
Confirming whether the second security information corresponds to the first security information when a registration response message including information about the device and second security information is received from the device;
Transmitting first authentication information to be used for communication between the GW and the device to the device based on the verification result;
Registering the device to a server based on the information on the device,
And when the second authentication information for communication between the server and the device is received from the server, transmitting the second authentication information together with the first authentication information to the device.
According to claim 1,
The process of generating the first security information,
And randomly generating a password for the device as the first security information.
According to claim 1,
The first authentication information is a device registration and authentication method characterized in that it comprises a certificate and a secret key generated by the GW.
According to claim 1,
The process of broadcasting the discovery advertisement message,
A method of registering and authenticating a device, comprising: when the registration event occurs, broadcasting the discovery advertisement message, and the registration event occurs when a specific interface is selected in the GW.
According to claim 1,
The process of registering the device to the server,
And transmitting information about the device and third authentication information to the server, wherein the third authentication information indicates authentication information for communication between the GW and the server allocated from the server. How to register and perform authentication.
In the method for the device to perform registration and authentication in a wireless communication system,
Receiving a discovery discovery message broadcast from a gateway (GW);
In response to the discovery advertisement message, transmitting a discovery response message including information about the device to the GW;
Receiving a registration request message including information on the device and first security information from the GW;
Generating second security information based on the first security information;
In response to the registration request message, transmitting a registration response message including information on the device and the second security information to the GW;
Receiving, from the GW, first authentication information to be used for communication between the GW and the device based on whether the second security information corresponds to the first security information,
And receiving the first authentication information and the second authentication information generated by the server from the GW, and communicating with the server based on the second authentication information.
The method of claim 6,
The first security information includes a device randomly generated in the GW (password), characterized in that the device registration and authentication method performed
The method of claim 6,
The first authentication information is a device registration and authentication method characterized in that it comprises a certificate and a secret key generated by the GW.
The method of claim 6,
The process of receiving the discovery advertisement message,
And receiving a discovery advertisement message when a registration event occurs, wherein the registration event occurs when a specific interface is selected on the device.
In the method for the server to perform device registration and authentication in a wireless communication system,
Receiving a first registration request message including information on a gateway (GW) and first security information from the GW;
Confirming whether the first security information corresponds to the second security information stored in the server in response to the information on the GW;
Generating first authentication information for communication between the server and the GW based on the verification result, and transmitting a first registration response message including the first authentication information to the GW;
Receiving a second registration request message including the first authentication information and device information from the GW;
Registering the device based on the information on the device and generating second authentication information for communication between the device and the server;
And transmitting a second registration response message including the first authentication information and the second authentication information to the GW.
The method of claim 10,
The first authentication information includes an identifier (ID) and password assigned to the GW, and the second authentication information includes an ID and password assigned to the device. .
The method of claim 10,
The second registration request message is received from the GW when the first registration response message is received before the registration mode expires in the GW, and the registration mode is maintained for a preset period from a time when a specific interface is selected in the GW. Device registration and authentication method characterized in that.
In a gateway (GW) in a wireless communication system,
Transceiver,
Broadcasting a discovery advertisement message, and in response to the discovery advertisement message, controlling the transmitting and receiving unit to receive a discovery response message including information about the device from the device,
Generating first security information for the device, controlling the transceiver to transmit a registration request message including information about the device and the first security information to the device,
When a registration response message including information on the device and the second security information is received from the device, it is checked whether the second security information corresponds to the first security information, and based on the verification result, the GW And control the transceiver to transmit first authentication information to be used for communication between the devices to the device,
Registering the device with a server based on the information on the device, and receiving second authentication information for communication between the server and the device from the server, the second authentication information together with the first authentication information GW including a control unit for controlling the transceiver to transmit to the device.
The method of claim 13,
GW, characterized in that the control unit randomly generates a password for the device as the first security information.
The method of claim 13,
GW, characterized in that the first authentication information includes a certificate and a secret key generated by the control unit.
The method of claim 13,
The control unit controls the transmission/reception unit to broadcast the discovery advertisement message when a registration event occurs, and the registration event is generated when a specific interface is selected in the GW.
The method of claim 13,
The control unit controls the transmission/reception unit to transmit information about the device and third authentication information to the server to register the device with the server, and the third authentication information includes the GW and the server allocated from the server. GW characterized in that it indicates authentication information for inter-communication.
In a device in a wireless communication system,
Transceiver,
A discovery discovery message broadcast from a gateway (GW) is received, and in response to the discovery advertisement message, a discovery response message including information about the device is transmitted to the GW, and the device is transmitted to the GW. Control the transmitting and receiving unit to receive a registration request message containing the information and the first security information from the GW,
The second security information is generated based on the first security information, and in response to the registration request message, a registration response message including information about the device and the second security information is transmitted to the GW. Control the transceiver to receive the first authentication information to be used for communication between the GW and the device from the GW based on whether the second security information corresponds to the first security information,
And a control unit controlling the transmission/reception unit to perform communication with the server based on the second authentication information when the first authentication information and the second authentication information generated by the server are received from the GW.
The method of claim 18,
The first security information comprises a password (password) generated randomly in the GW.
The method of claim 18,
And the first authentication information includes a certificate and a secret key generated by the GW.
The method of claim 18,
The control unit controls the transmission/reception unit to receive the discovery advertisement message when a registration event occurs, and the registration event is generated when a specific interface is selected in the device.
In a server in a wireless communication system,
Transceiver,
Control the transceiver to receive a first registration request message including information on a gateway (GW) and first security information from the GW,
Check whether the first security information corresponds to the second security information stored in the server in response to the information about the GW, and based on the verification result, the first authentication information for communication between the server and the GW Create,
The first registration response message including the first authentication information is transmitted to the GW, and the transmission/reception unit is controlled to receive a second registration request message including the first authentication information and information about the device from the GW,
Register the device based on the information on the device and generate second authentication information for communication between the device and the server,
A server including a control unit for controlling the transmitting and receiving unit to transmit a second registration response message containing the first authentication information and the second authentication information to the GW.
The method of claim 22,
The first authentication information includes an identifier (ID) and password assigned to the GW, and the second authentication information comprises an ID and password assigned to the device.
The method of claim 22,
The second registration request message is received from the GW when the first registration response message is received before the registration mode expires in the GW, and the registration mode is maintained for a preset period from a time when a specific interface is selected in the GW. Server characterized by.

Images