
HK1077142B - Cipher key setting system, access point, and cipher key setting method - Google Patents


Info

Publication number: HK1077142B
Authority: HK (Hong Kong)
Prior art keywords: access point, terminal, encryption, station, encryption key
Application number: HK05111729.0A
Other languages: Chinese (zh)
Other versions: HK1077142A1 (en)
Inventor: 田村佳照
Original Assignee: 巴比禄股份有限公司
Priority claimed from: JP2004125150A (JP4606055B2)
Application filed by 巴比禄股份有限公司
Publication of HK1077142A1
Publication of HK1077142B


Description

Encryption key setting system, access point, and encryption key setting method
Technical Field
The invention relates to an encryption key setting system, an access point and an encryption key setting method.
Background
When constructing a wireless communication network in which an access point serves as a relay for a wireless LAN, it is necessary to ensure a high level of security within the network in order to prevent unauthorized intrusion into the network and leakage of communication data to a third party. Many security techniques have therefore been proposed for wireless LANs.
For example, there is proposed a technique of registering, in an access point, the MAC (media access control) address that is a unique identification number assigned in advance to a wireless LAN connection device (for example, a wireless LAN adaptor) mounted in a terminal; the access point authenticates the MAC address when the terminal attempts access and rejects the connection request if the MAC address is not a registered one (see, for example, patent document 1). There is also proposed a technique in which a WEP (wired equivalent privacy) key is set as a common encryption key in a terminal and an access point, and the data exchanged between the terminal and the access point is encrypted using the WEP key, so that even if the data leaks, its contents are difficult to analyze and remain unknown (see, for example, patent document 2).
In addition, the applicant of the present application has already filed an invention for easily and safely registering the MAC address and setting the encryption key represented by a WEP key (Japanese patent application 2003-408011). According to that application, when a MAC address is registered in an access point and an encryption key is set in a terminal, the user can perform the necessary security settings easily and without complicated input operations, while preventing leakage of the data indicating the encryption key, even when a terminal using the wireless LAN is newly added.
However, the invention described in the above application has the following problems to be solved. That is, when a new terminal is added to the network, the encryption scheme and encryption key used in the network are set according to a predetermined security policy, and the set encryption scheme and encryption key are saved until the next terminal is added to the network. Therefore, even in the case where the number of terminals participating in the network is reduced, the setting of the encryption method and the encryption key is maintained. As a result, after a certain terminal leaves the network, it is not always possible to establish an optimal security environment that can be set between wireless LAN devices participating in the network.
Patent document 1: Japanese patent laid-open publication No. 2001-320373;
Patent document 2: Japanese patent laid-open publication No. 2001-345819.
Disclosure of Invention
The present invention has been made in view of the above problems, and an object of the present invention is to provide an encryption key setting system, an access point, and an encryption key setting method that flexibly cope with changes in devices constituting a wireless LAN and can set an optimal security environment for each wireless LAN device at that time.
In order to achieve the above object, according to a first aspect of the present invention, there is provided an encryption key setting system that sets, before communication of wireless communication data between an access point serving as a wireless LAN repeater and a terminal having a wireless LAN connection device, the encryption scheme and the encryption key used to encrypt that data, the system being characterized in that: the terminal includes a terminal-side encryption scheme transmission means for wirelessly transmitting to the access point the encryption schemes that the terminal can support, and a terminal-side encryption scheme selection unit configured to detect the encryption scheme used by the access point and to select the detected encryption scheme; and the access point includes a connected terminal detection means for identifying the terminals that have joined the wireless LAN via the access point and detecting whether or not the joined terminals have changed, and an access point-side encryption scheme selection unit that, when the connected terminal detection unit detects that the terminals participating in the wireless LAN have changed, selects and adopts, based on a predetermined determination criterion, a predetermined encryption scheme from among the encryption schemes that the access point can support and that the terminals participating in the wireless LAN can commonly support.
In the first aspect of the present invention configured as described above, the encryption method and the encryption key used for encryption are set between the access point serving as the wireless LAN repeater and the terminal having the wireless LAN connection device, before communication of wireless communication data communicated by wireless is performed.
Here, the terminal wirelessly transmits the encryption schemes that it can support to the access point via the terminal-side encryption scheme transmission unit. Having learned the encryption schemes that each terminal can support, the access point identifies the terminals participating in the wireless LAN via the access point by the connected terminal detection means and detects whether those terminals have changed; when it detects a change, the access point-side encryption scheme selection means selects and adopts, based on a predetermined criterion, a predetermined encryption scheme from among the encryption schemes that the access point can support and that the terminals participating in the wireless LAN can commonly support.
The terminal detects the encryption scheme used by the access point in the terminal-side encryption scheme selection unit and selects the detected encryption scheme. Thereafter, as long as the terminals participating in the wireless LAN do not change, the terminal and the access point perform wireless communication using the encryption key associated with the adopted encryption scheme.
As described above, according to the present invention, the setting of the encryption scheme to be used is updated every time a change in the configuration of the device constituting the wireless LAN is detected. Therefore, even if the device participating in the wireless LAN is changed, the optimum encryption method can be automatically selected from the encryption methods that can be used between the devices participating in the wireless LAN, and the security environment can always be optimized.
In the encryption key setting system according to the second aspect of the present invention, in the encryption key setting system according to the first aspect, the access point-side encryption scheme selecting means selects the encryption scheme having the higher security level when the connected terminal detecting means detects that the terminal participating in the wireless LAN has changed and the terminals participating in the wireless LAN can collectively support the encryption scheme having the higher security level than the encryption scheme used up to that point.
In the second aspect of the present invention, when the connected terminal detecting means detects that the terminals participating in the wireless LAN have changed, and the terminals participating in the wireless LAN can commonly support an encryption scheme having a higher security level than the encryption scheme used up to that point, the access point-side encryption scheme selecting means selects that encryption scheme. That is, when the access point detects a change in the configuration of the devices that wish to continue communication via the wireless LAN, it re-evaluates whether those devices can adopt an encryption scheme having a higher security level than the one used up to that point. By performing this update, a scheme that the terminals participating in the wireless LAN can commonly support is always selected from among the encryption schemes supported by the access point, and that scheme can be one with a high security level.
In the encryption key setting system according to the third aspect of the present invention, in the encryption key setting system according to any one of the first or second aspects, the connection terminal detection means repeats the following operations at predetermined time intervals: the terminal participating in the wireless LAN is identified based on the identification information unique to each terminal, and the number of terminals participating in the wireless LAN is detected to decrease by comparing the unique identification information of each identified terminal with the unique identification information of each terminal acquired in the previous identification operation.
That is, as a specific configuration for detecting a change in the terminals participating in the wireless LAN, the connected terminal detecting means repeats the following operation at predetermined intervals and detects whether or not the number of terminals participating in the wireless LAN has decreased. It identifies the terminals participating in the wireless LAN based on the identification information unique to each terminal, and detects a decrease in their number by comparing the unique identification information of each identified terminal with that of each terminal acquired in the previous identification operation. For this purpose, when the access point identifies the terminals participating in the wireless LAN, it must store a list of the identified terminals at least until the next identification operation.
By this means, the change in the number of terminals participating in the wireless LAN is constantly monitored at predetermined intervals, and when the number of devices participating in the wireless LAN decreases, the setting of the encryption scheme can be reliably updated.
In the encryption key setting system according to the fourth aspect of the present invention, in the encryption key setting system according to any one of the first to third aspects, the connected terminal detecting means may repeat the following operation at predetermined intervals: identify the terminals participating in the wireless LAN based on the identification information unique to each terminal, and detect that a terminal participating in the wireless LAN has been replaced by comparing the unique identification information of each identified terminal with that of each terminal acquired in the previous identification operation.
That is, even when some terminals participating in the wireless LAN are replaced, there is room for updating the encryption scheme that can be used between the devices participating in the wireless LAN. Therefore, if an update is made, it is sometimes possible to use an encryption scheme with a higher security level than the encryption scheme used before the terminal replacement.
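The first to fourth aspects above amount to a small state machine on the access point: keep the list of MAC addresses seen in the previous identification operation, compare it with the current one, classify the change (decrease, replacement, or increase), and on any change re-select the strongest scheme that the access point and every participating terminal have in common. The following Python model is an added illustration and is not code from the patent or from the assignee; the scheme names, the ordering WEP64 < WEP128 < TKIP < AES (the order in which the page lists them), the `AccessPoint` class and all MAC addresses are constructed for this example.

```python
"""Access-point-side scheme selection modelled on the first to fourth aspects.
Added example, not the patent's code. The security ordering, scheme names and
MAC addresses below are constructed assumptions for illustration."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterable, List, Optional

# Increasing security level from left to right (assumed ordering, see lead-in).
SECURITY_ORDER = ["WEP64", "WEP128", "TKIP", "AES"]
RANK = {name: i for i, name in enumerate(SECURITY_ORDER)}


def select_scheme(ap_schemes: Iterable[str],
                  terminal_schemes: Iterable[Iterable[str]]) -> Optional[str]:
    """The 'predetermined determination criterion' of the second aspect: start
    from the schemes the AP supports, intersect with what every participating
    terminal supports, and return the one with the highest security level.
    None means the participants have no scheme in common."""
    common = set(ap_schemes)
    for schemes in terminal_schemes:
        common &= set(schemes)
    if not common:
        return None
    return max(common, key=lambda s: RANK[s])


def classify_change(previous: FrozenSet[str], present: FrozenSet[str]) -> str:
    """Compare the identification information (MAC addresses) gathered in this
    identification operation with the stored previous one (third/fourth aspects)."""
    left, joined = previous - present, present - previous
    if left and joined:
        return "replacement"
    if left:
        return "decrease"
    if joined:
        return "increase"
    return "none"


@dataclass
class AccessPoint:
    supported: List[str]
    # MAC -> schemes the terminal reported via its scheme transmission means
    registered: Dict[str, List[str]] = field(default_factory=dict)
    # terminals identified in the previous operation, kept until the next one
    previous: FrozenSet[str] = frozenset()
    current_scheme: Optional[str] = None

    def register(self, mac: str, schemes: Iterable[str]) -> None:
        self.registered[mac] = list(schemes)

    def monitor(self, present_macs: Iterable[str]) -> Optional[str]:
        """One periodic monitoring operation. Only registered terminals count
        as participants; the scheme is re-selected only when the set changed."""
        present = frozenset(m for m in present_macs if m in self.registered)
        change = classify_change(self.previous, present)
        self.previous = present
        if change != "none" or self.current_scheme is None:
            self.current_scheme = select_scheme(
                self.supported, [self.registered[m] for m in present])
        return self.current_scheme


def demo() -> List[Optional[str]]:
    """Constructed scenario: two terminals join, one is replaced, one leaves.
    Returns the scheme in use after each monitoring operation."""
    ap = AccessPoint(supported=["WEP64", "WEP128", "TKIP", "AES"])
    ap.register("00:00:00:00:00:50", ["WEP64", "WEP128", "TKIP", "AES"])
    ap.register("00:00:00:00:00:60", ["WEP64", "WEP128"])
    ap.register("00:00:00:00:00:70", ["WEP128", "TKIP"])
    history = []
    history.append(ap.monitor(["00:00:00:00:00:50", "00:00:00:00:00:60"]))
    history.append(ap.monitor(["00:00:00:00:00:50", "00:00:00:00:00:70"]))
    history.append(ap.monitor(["00:00:00:00:00:50"]))
    return history


if __name__ == "__main__":
    print(demo())
```

Running `demo()` yields `["WEP128", "TKIP", "AES"]`: the weakest participant caps the selection at WEP128, replacing it with a TKIP-capable terminal raises the level to TKIP, and once only the AES-capable terminal remains the access point moves to AES, which is the behaviour the second to fourth aspects describe. Unregistered MAC addresses are ignored, matching the page's rule that non-registered terminals do not participate in the wireless LAN.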
A fifth aspect of the present invention provides the encryption key setting system according to any one of the first to fourth aspects, wherein the access point includes an access point-side encryption key transmission means for wirelessly transmitting to the terminal, from among the encryption schemes that the access point can support, the encryption schemes selected according to the encryption schemes reported by the terminal-side encryption scheme transmission means, together with the encryption key used in each of the selected encryption schemes; and the terminal includes a terminal-side encryption key storage unit that stores the encryption keys of the respective encryption schemes transferred from the access point in a predetermined storage area.
In the fifth aspect of the present invention, the access point-side encryption key transmission means wirelessly transmits, to the terminal, the encryption scheme selected by the encryption scheme transmitted by the terminal-side encryption scheme transmission means and the encryption key used for each of the selected encryption schemes, from among the encryption schemes that can be handled by the access point. The terminal-side encryption key storage unit stores the encryption keys of the respective encryption schemes transferred from the access point in a predetermined storage area. As a result, each terminal can acquire the encryption scheme that can be commonly used between itself and the access point and the encryption key used in each scheme. Further, by transmitting the selected encryption scheme and the encryption key used for the selected encryption scheme from the access point to the terminal side in advance, even if the access point changes the encryption scheme later, it is not necessary to notify the encryption key again. This eliminates the trouble of notification, and also prevents a reduction in security associated with the notification of the encryption key.
In the encryption key setting system according to the sixth aspect of the present invention, the access point-side encryption key transmission means may transmit the selected encryption scheme and the encryption key used in each of the selected encryption schemes to the terminal only once when the encryption scheme is transmitted by the terminal-side encryption scheme transmission means of the terminal. That is, if the selected encryption scheme and encryption key are transmitted from the access point to the terminal only once, the access point does not need to notify the encryption key again even if the encryption scheme is changed later.
This eliminates the trouble of notification, and also prevents a reduction in security associated with the notification of the encryption key.
It is sometimes necessary to determine the encryption scheme in use by notifying the terminal of one of the encryption schemes and the encryption key corresponding to it.
As one preferable example in this case, according to the seventh aspect, in the encryption key setting system according to any one of the fifth or sixth aspects, the access point-side encryption scheme selection means changes the station ID in accordance with the change in the encryption scheme when the encryption scheme to be used is changed in accordance with a change in the terminals participating in the wireless LAN.
In the invention relating to the seventh aspect, when the encryption scheme to be used is changed in accordance with a change in the terminal participating in the wireless LAN, the station ID is changed in accordance with the change in the encryption scheme. The terminal side can easily detect that the encryption scheme has been changed by detecting the changed station ID, and therefore, can easily follow up the selection of the encryption scheme on the access point side.
As a more specific configuration example, according to the eighth aspect, in the encryption key setting system according to any one of the fifth to seventh aspects, the access point-side encryption key transmission means assigns a different station ID to each encryption scheme that the access point can support, and wirelessly transmits to the terminal, for each of the selected encryption schemes, the assigned station ID together with the encryption key; the terminal-side encryption scheme selection means acquires a station ID from a connectable access point, and when that station ID matches a station ID stored in advance in the terminal-side encryption key storage means, uses the encryption scheme and encryption key corresponding to that station ID.
In the eighth aspect of the present invention configured as described above, the access point-side encryption key transmission unit specifies different station IDs of encryption schemes that the access point can support, and wirelessly transmits the station IDs specified for the selected encryption schemes and the encryption keys to the terminal at the same time for each of the selected encryption schemes. In this way, the access point-side encryption scheme selection means uses a station ID corresponding to the encryption scheme used between the devices constituting the wireless LAN at that time.
The terminal-side encryption scheme selection means acquires a station ID from an access point to which the terminal can connect, and determines whether or not it matches a station ID stored in advance in the terminal-side encryption key storage means. When the station IDs match, it can be determined that the access point is using the encryption scheme and encryption key corresponding to that station ID, and therefore the terminal uses the same encryption scheme and encryption key. Since no special notification is needed between the access point and the terminal to specify the encryption scheme, the complexity of notification is eliminated and a reduction in security due to notification of the encryption key is prevented.
Similarly, when the encryption scheme to be used is changed, there is no need to make a special notification between the access point and the terminal for specifying the encryption scheme.
In the encryption key setting system according to the ninth aspect of the invention, in the encryption key setting system according to the eighth aspect of the invention, the terminal-side encryption scheme selecting means acquires a station ID from a connectable access point again when the wireless communication with the access point cannot be maintained based on the determined station ID, and when the station ID matches the station ID stored in advance in the terminal-side encryption key storing means, adopts the encryption scheme and the encryption key corresponding to the station ID.
In the invention according to the ninth aspect, the terminal-side encryption scheme selection unit acquires the station ID from the connectable access point again when the wireless communication with the access point cannot be maintained based on the specified station ID. In this way, when the station ID matches the station ID stored in the terminal-side encryption key storage unit in advance, the encryption method and encryption key corresponding to the station ID are used. That is, even when the encryption scheme to be used is changed due to a decrease or replacement of terminals participating in the wireless LAN, the access point does not need to notify the terminals that are going to continue wireless communication of the encryption scheme to be used again. Since each terminal can automatically track the change of the encryption scheme, it is possible to eliminate the trouble of notification and to prevent the security from being lowered due to the notification of the encryption key.
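The fifth to ninth aspects describe the terminal side of the same protocol: the access point hands each terminal, once, a (station ID, key) pair for every scheme the terminal reported, and from then on the terminal discovers which scheme is in use purely by matching the station ID it can see against that stored table, re-scanning whenever the link is lost. The following Python model is an added illustration, not code from the patent or the assignee; the `ApKeyTable` and `Terminal` classes, the station ID strings, the 16-byte `os.urandom` keys and the scenario are all constructed assumptions for this example.

```python
"""Station-ID based scheme tracking modelled on the fifth to ninth aspects.
Added example, not the patent's code. Station ID strings and os.urandom keys
are constructed placeholders for whatever a real device would use."""
import os
from typing import Dict, Iterable, List, Optional, Tuple

Entry = Tuple[str, bytes]            # (station ID, encryption key) for one scheme
Session = Tuple[str, str, bytes]     # (station ID, scheme, key) currently in use


class ApKeyTable:
    """Access-point side: one distinct station ID and key per supported scheme."""

    def __init__(self, base_station_id: str, schemes: Iterable[str]) -> None:
        self.entries: Dict[str, Entry] = {
            s: (f"{base_station_id}-{s}", os.urandom(16)) for s in schemes}
        self.active: Optional[str] = None

    def distribute(self, terminal_schemes: Iterable[str]) -> Dict[str, Entry]:
        """One-time transmission (fifth/sixth aspects): only the schemes the
        terminal reported, each with its station ID and key."""
        return {s: self.entries[s] for s in terminal_schemes if s in self.entries}

    def switch(self, scheme: str) -> str:
        """Adopt a scheme; the broadcast station ID changes with it (seventh)."""
        self.active = scheme
        return self.entries[scheme][0]

    def beacon(self) -> List[str]:
        """Station IDs a terminal would see when it scans for this AP."""
        return [] if self.active is None else [self.entries[self.active][0]]


class Terminal:
    def __init__(self, supported: Iterable[str]) -> None:
        self.supported = list(supported)
        self.store: Dict[str, Tuple[str, bytes]] = {}   # station ID -> (scheme, key)
        self.session: Optional[Session] = None

    def receive_keys(self, delivered: Dict[str, Entry]) -> None:
        """Terminal-side key storage: index the delivered entries by station ID."""
        for scheme, (sid, key) in delivered.items():
            self.store[sid] = (scheme, key)

    def acquire(self, visible_ids: Iterable[str]) -> Optional[Session]:
        """Eighth aspect: match a visible station ID against the stored table;
        IDs with no stored key are ignored rather than joined."""
        for sid in visible_ids:
            if sid in self.store:
                scheme, key = self.store[sid]
                self.session = (sid, scheme, key)
                return self.session
        self.session = None
        return None

    def keep_alive(self, visible_ids: Iterable[str]) -> Optional[Session]:
        """Ninth aspect: keep the session while its station ID is still there,
        otherwise re-acquire from whatever station IDs are now visible."""
        ids = list(visible_ids)
        if self.session is not None and self.session[0] in ids:
            return self.session
        return self.acquire(ids)


def scenario() -> List[Optional[str]]:
    """Constructed walk-through; returns the scheme the terminal uses after
    each change on the access point (None = no usable station ID seen)."""
    ap = ApKeyTable("HOME", ["WEP64", "WEP128", "TKIP", "AES"])
    term = Terminal(["WEP128", "TKIP", "AES"])
    term.receive_keys(ap.distribute(term.supported))   # sent exactly once
    used: List[Optional[str]] = []
    for scheme in ("AES", "WEP128", "WEP64"):           # AP re-selects over time
        ap.switch(scheme)
        s = term.keep_alive(ap.beacon())
        used.append(None if s is None else s[1])
    return used


if __name__ == "__main__":
    print(scenario())
```

`scenario()` returns `["AES", "WEP128", None]`: the terminal follows the access point from AES down to WEP128 without any further key exchange, and when the access point moves to WEP64, a scheme the terminal never reported and so never received a key for, the terminal simply finds no matching station ID and does not connect. Keeping the station ID match strict in this way is what lets the one-time key transmission of the sixth aspect stand in for repeated notifications.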
The encryption key setting system can be grasped not only as the access point and the entire system constituted by the terminals, but also as the invention of the access point which is a constituent element thereof.
Therefore, the tenth aspect of the present invention is an access point serving as a wireless LAN repeater that supports a plurality of encryption schemes in wireless LAN communication, wherein, when an encryption scheme and an encryption key used for encryption are set before wireless communication data is communicated with a terminal having a wireless LAN connection device, the access point comprises: a connected terminal detection means for identifying the terminals that have joined the wireless LAN via the access point and detecting whether or not the joined terminals have changed; and an access point-side encryption scheme selection means for selecting and using, when the connected terminal detection means detects that the terminals participating in the wireless LAN have changed, a predetermined encryption scheme based on a predetermined criterion from among the encryption schemes that the access point can support and that the terminals participating in the wireless LAN can commonly support, based on data on the supportable encryption schemes transmitted in advance from the plurality of terminals.
It is needless to say that a terminal as a constituent element of the encryption key setting system can be understood as the present invention.
The present invention can be grasped from the aspect of an apparatus as a wireless communication system, and the present invention can also be grasped from the aspect of the execution order of the system.
Therefore, the eleventh aspect of the present invention is an encryption key setting method for setting an encryption scheme and an encryption key used for encryption before wireless communication data is communicated between an access point serving as a wireless LAN repeater and a terminal having a wireless LAN connection device, in which: the terminal wirelessly transmits the encryption schemes that it can support to the access point; the access point identifies the terminals that have joined the wireless LAN through the access point, detects whether the joined terminals have changed, and, when it detects such a change, selects and adopts a given encryption scheme according to a given criterion from among the encryption schemes that the access point can support and that the terminals joined to the wireless LAN can commonly support; and the terminal detects the encryption scheme used by the access point and selects the detected encryption scheme.
It is needless to say that the inventions pertaining to the tenth and eleventh aspects can be grasped in the same manner as the inventions pertaining to the second to ninth aspects pertaining to the first aspect.
Effects of the invention
As described above, according to the present invention, when the devices participating in the wireless LAN change, the encryption scheme can be reset, and the optimum encryption scheme, such as the one with the highest security among the encryption schemes usable between the devices participating in the wireless LAN, can be automatically selected, so that an optimum security environment can always be established between the devices participating in the wireless LAN.
Drawings
Fig. 1 is an explanatory diagram showing a hardware configuration of a related encryption key setting system according to embodiment 1 of the present invention.
Fig. 2 is an explanatory diagram showing a configuration of an access point.
Fig. 3 is a flowchart showing a single-tap registration procedure in the encryption key setting system.
Fig. 4 is a flowchart showing the procedure of packet switching processing and determining the encryption scheme.
Fig. 5 is a flowchart showing a processing procedure of the connection monitoring mode.
Fig. 6 is a flowchart showing an addition process of the terminal.
Fig. 7 is a flowchart showing a procedure of determining an encryption scheme with a decrease in the number of terminals.
Fig. 8 is a flowchart showing a procedure of determining an encryption scheme according to the terminal replacement.
Fig. 9 is a flowchart showing a procedure of changing the encryption method.
In the figure: 11-CPU, 12-ROM, 13-RAM, 14-storage, 15-display controller, 16-input-output controller, 17-WAN port, 18-wireless communication interface, 20-access point, 22-LAN port, 25-transmitter, 26-receiver, 28-router, 50, 60, 70-terminal, 52, 62, 72-wireless LAN adaptor, 127-login button, AR 1-wireless communication area
Detailed Description
The following description will explain embodiments of the present invention in the following order.
1. Outline constitution for realizing encryption key setting system
2. Specific contents of encryption key setting system
2-1. cases relating to increasing the number of terminals
2-2. cases relating to reducing the number of terminals
3. Modification example
4. Summary of the invention
1. Outline constitution for realizing encryption key setting system
Fig. 1 is an explanatory diagram illustrating a hardware configuration of a related encryption key setting system according to embodiment 1 of the present invention. Fig. 2 is an explanatory diagram illustrating the configuration of the access point 20.
In the encryption key setting system, encryption key data indicating the contents of encryption keys is loaded onto a radio wave between a predetermined terminal and an access point 20 in a wireless communication area AR1 of a wireless LAN, and encryption keys used for wireless communication between the predetermined terminal and the access point 20 are set by wireless communication.
As shown in fig. 1, the wireless communication area AR1 is provided with an access point (wireless base station) 20 as a wireless LAN repeater. As shown in fig. 2, the access point 20 includes a CPU 11, a ROM 12, a RAM 13, a nonvolatile storage device 14 such as a hard disk, a WAN port 17 as a network interface, a LAN port 22 for connection of a wired LAN, a wireless communication interface 18, a display controller 15, and an input/output controller 16, which are connected to the CPU 11 via a bus.
The ROM 12 stores various programs related to communication with the terminals 50, 60, and 70 in the wireless communication area AR1 and to connection to the internet IN, together with the data necessary for executing those programs. The input/output controller 16 is connected to a push-type registration button 127, whose pressing portion is exposed on the outer case surface of the access point 20. Various display lamps 19 are connected to the display controller 15 and are turned on and off to show the connection state and communication state of the wireless LAN.
The wireless communication interface 18 is connected to a transmitter 25 for transmitting radio waves and a receiver 26 for receiving radio waves. The transmitter 25 and the receiver 26 are built in the access point 20 in a state in which they can transmit and receive radio waves to and from the outside. In fig. 1, a range where the radio wave transmitted from the transmitter 25 arrives and the receiver 26 can receive the radio wave from the terminals 50, 60, and 70 with the output of the transmitter 25 or the reception sensitivity of the receiver 26 as a standard setting value is represented as a wireless communication area AR 1. By providing the access point 20 as described above, a wireless LAN having a normal communication range within the wireless communication area AR1 is configured.
Further, ROM12 stores, in advance, as programs relating to communication with terminals 50, 60, and 70, an output value changing program in which a process for temporarily changing the standard setting value of the output of transmitter 25 is recorded, and a reception sensitivity value changing program in which a process for temporarily changing the standard setting value of the reception sensitivity of receiver 26 is recorded. The process of changing the set value is specifically realized by an arithmetic process of multiplying the standard set value by 1/n (n is a predetermined constant). The CPU11 executes the output value changing program and the reception sensitivity value changing program to output the changed output value or reception sensitivity to the transmitter 25 and the receiver 26 via the wireless communication interface 18. In this way, the output of the radio wave transmitted by the transmitter 25 and the radio wave reception sensitivity in the receiver 26 are changed.
The terminals 50, 60, and 70 are known notebook personal computers, and mainly include a control device including a CPU, ROM, RAM, and the like, and a hard disk or CD-ROM drive as a storage device. Of course, other terminals such as a portable information terminal (Personal Digital Assistant) may be used.
The terminals 50, 60, and 70 are equipped with wireless LAN adapters 52, 62, and 72 as wireless LAN connection devices that transmit and receive radio waves to and from the access point 20. By installing the device drivers of the wireless LAN adapters 52, 62, and 72, the terminals 50, 60, and 70 can recognize and control the mounted adapters. The wireless LAN adapters 52, 62, and 72 are given MAC addresses as adapter-specific identification numbers. In the following description, the MAC address of a terminal refers to the MAC address of the wireless LAN adapter attached to that terminal.
The terminals 50, 60, and 70, which are computers that enter the wireless communication area AR1, wirelessly communicate with the access point 20 by transmitting and receiving radio waves between the attached wireless LAN adapters 52, 62, and 72 and the access point 20. The access point 20 and the wireless LAN adapters 52, 62, 72 can convert the exchanged data into a form suitable for communication, that is, a so-called packet, and thus, data can be exchanged between the terminals 50, 60, 70 and the access point 20 offline (in a state where the internet is not connected) in theory.
Next, a configuration for connecting the access point 20 to the internet IN will be described. As shown in fig. 1, the WAN port 17 of the access point 20 is connected via a cable to a router 28 having a built-in modem. The router 28 can identify and distinguish the respective terminals 50, 60, and 70 in the wireless LAN based on the MAC addresses of the wireless LAN adapters 52, 62, and 72. The modem in the router 28 is connected to the internet IN via a broadband communication line CL such as a CATV line or an xDSL line, or via a dedicated line of a provider PV. That is, the router 28 functions as a gateway connecting the wireless LAN to the internet IN.
In the present embodiment, a terminal in the wireless communication area AR1 having a wireless LAN adaptor whose MAC address is registered in the access point 20 (hereinafter referred to as a registered terminal) is permitted to connect to the wireless LAN. The owner of a registered terminal can connect the terminal to the internet IN via the access point 20 and acquire various information such as network contents stored in the server SV on the internet IN. A terminal whose MAC address is not registered in the access point 20 (referred to as a non-registered terminal) cannot connect to the wireless LAN even if it is located in the wireless communication area AR1. That is, the wireless communication area AR1 supports a service in which only the owners of registered terminals are connected to the internet IN. In fig. 1, the terminals 50 and 60 correspond to registered terminals, and the terminal 70 corresponds to a non-registered terminal.
The registered terminal and the access point 20 transmit and receive data of various kinds (hereinafter referred to as content-bearing data), including protocol and service data, by loading it onto radio waves. In the present embodiment, the device on the transmitting side (the registered terminal or the access point 20) encrypts the content-bearing data with a predetermined encryption key before transmission and transmits the encrypted content-bearing data (hereinafter referred to as encrypted data) to the device on the receiving side (the access point 20 or the registered terminal). The receiving-side device decrypts the received encrypted data with the same predetermined encryption key to recover the content-bearing data.
A WEP key may be used as the encryption key here. WEP is the shared-key encryption scheme of IEEE 802.11 (the same key is used both to encrypt data and to decrypt the encrypted data). There is a system using a 64-bit WEP key (WEP64) and a system using a 128-bit WEP key (WEP128). Because the content-bearing data is encrypted with the WEP key, even if the radio waves carrying it are intercepted within the wireless communication area AR1 the data is difficult to analyze, and the communication content can be prevented from leaking to a third party. Besides encryption with a WEP key, an encryption scheme with a higher security level such as TKIP (Temporal Key Integrity Protocol) or AES (Advanced Encryption Standard) may be used. In the present embodiment the security level of the schemes is ranked in the order WEP64 < WEP128 < TKIP < AES. (As a caveat for today's reader: WEP in either key length is cryptographically broken and TKIP is deprecated, so this ranking should be read only as the example ordering that the procedure below operates on.)
2. Specific contents of encryption key setting system
The method of setting the encryption keys in the terminals 50 and 60 one after another, and the method of re-setting the encryption key when the terminal 60 of the two leaves the wireless LAN, are described below.
2-1. Case where the number of terminals increases
A typical wireless LAN device does not support every encryption scheme. In the present embodiment, the access point 20 supports WEP64, WEP128, TKIP and AES, the wireless LAN adapter 52 supports WEP64, WEP128 and TKIP, and the wireless LAN adapter 62 supports WEP64 and WEP128. The description below covers the case where the MAC address of the terminal 50 is registered in the access point 20 first, the encryption key is set in the terminal 50 and the wireless LAN is built, and the terminal 60 is then added to the wireless LAN.
The ROM12 of the access point 20 stores in advance a program related to MAC address registration (MAC address registration program) of the wireless LAN adapters 52 and 62 and an encryption scheme selection program as programs related to communication with the terminals 50 and 60. The application programs installed in the terminals 50 and 60 when the wireless LAN is used include programs related to the encryption method and the setting of the encryption key (encryption key setting program).
The wireless LAN adapters 52 and 62 also have a registration button (not shown), implemented as a hardware switch like the registration button 127 of the access point 20. Whether the registration button is pressed can be determined by software via the interface.
Figs. 3 and 4 are flowcharts of the MAC registration procedure, the encryption scheme selection procedure and the encryption key setting procedure performed by the access point 20 and the terminals 50 and 60. The access point 20 performs the encryption scheme selection processing and the MAC address registration processing in parallel. In the flowcharts the terminals 50 and 60 are denoted STA and the access point 20 is denoted AP.
The access point 20 and the terminals 50 and 60 enter the one-touch registration mode when their respective registration buttons are pressed, and start the corresponding processing. That is, the terminal 50 detects the press of its registration button in step S310 of fig. 3 and starts the processing from step S312 onward, and the access point 20 detects the press of the registration button 127 in step S410 and starts the one-touch registration mode from step S412 onward.
After entering the one-touch registration mode, the terminal 50 searches in step S316 for an access point 20 that has also entered the one-touch registration mode. Specifically, once the access point 20 enters the one-touch registration mode it changes its station ID (ESSID) to a predetermined specific station ID and transmits beacons, so the terminal 50 attempts to connect to the access point with that specific ESSID. Alternatively, the terminal may search for connectable access points, obtain the state of each, and determine from that state whether the access point is in the one-touch registration mode.
In step S314 the search for an access point 20 in the one-touch registration mode is limited to a predetermined time; once that time has elapsed the flow proceeds to step S334 and the one-touch registration mode is ended.
If an access point 20 in the one-touch registration mode is found within the given time, a connection to it is attempted in step S318. Specifically, the terminal 50 determines the MAC address of the wireless LAN adapter 52, adds it as header information to data carrying a request to join the wireless LAN, and transmits the packet to the access point 20. Step S320 caps the number of connection attempts; if the given number is exceeded the retries are abandoned, the flow proceeds to step S334, and the one-touch registration mode is ended.
If the terminal 50 connects to the access point 20 before the retries are exhausted, the security packet exchange process with the access point 20 is performed in step S322.
On its side, the access point 20 reads the MAC address from the header information of the received packet in step S416 and temporarily stores it in a buffer area of the RAM 13. In step S418 it generates security information in step with the processing of the terminal 50 and executes the packet exchange process. The security packet exchange process is carried out as shown in steps S350 and S450 of fig. 4, as follows.
The specific contents of the packet exchange process are as follows.
Procedure 1. The terminal 50 sends the access point 20 a request to generate security information.
Procedure 2. The access point 20 returns a reply acknowledging the request. When the access point 20 receives a request to generate security information for the first time, it determines an ESSID and an encryption key value for each encryption scheme it supports. For example, "ESSID 1" and "DATA 1" are set for the encryption scheme WEP64, "ESSID 2" and "DATA 2" for WEP128, "ESSID 3" and "DATA 3" for TKIP, and "ESSID 4" and "DATA 4" for AES. "ESSID 1" to "ESSID 4" are station IDs chosen at random, for example from random numbers, and "DATA 1" to "DATA 4" are randomly chosen values for the respective encryption schemes.
Procedure 3. The terminal 50 sends the access point 20 data indicating the encryption schemes it supports. In this case the wireless LAN adapter 52 installed in the terminal 50 supports three schemes, so the data indicates WEP64, WEP128 and TKIP.
Procedure 4. From the received data the access point 20 can detect which encryption schemes the terminal 50 supports, and it filters its own encryption schemes accordingly. In the case of the terminal 50, WEP64, WEP128 and TKIP are retained. For each of these schemes the access point 20 then transmits to the terminal 50 the data indicating the determined ESSID and encryption key value; specifically, "ESSID 1" and "DATA 1" for WEP64, "ESSID 2" and "DATA 2" for WEP128, and "ESSID 3" and "DATA 3" for TKIP.
The terminal 50, having received from the access point 20 the ESSID and encryption key value for each encryption scheme that both it and the access point 20 support, stores that data in a predetermined storage area.
This is the security packet exchange process of step S350 in the terminal 50 and step S450 in the access point 20. It suffices to perform the packet exchange process once between a given terminal and the access point 20. That is, there is no need to exchange data indicating the encryption scheme and key between the access point 20 and the terminal again later, because, as described below, the terminal can determine the encryption scheme to use from the beacon transmitted by the access point 20. The packet exchange process described above is carried out as encrypted communication after the destination MAC address has been specified. Specifically, the terminal 50 generates a seed (InitID) for encryption and transmits it together with the reply, and the access point 20 and the terminal 50 then communicate with encryption and decryption provided by a VPN function based on that InitID. Note that the description does not state how the InitID itself is protected in transit; the confidentiality of the distributed encryption keys rests on that InitID exchange.
After the security packet exchange process, in step S452 the access point 20 selects the scheme with the highest security level from among the encryption schemes notified by the terminal 50. The terminal 50 notified WEP64, WEP128 and TKIP, of which TKIP has the highest security level, so TKIP is selected as the candidate (referred to as this time's highest level). In step S454 the access point 20 compares the candidate selected in step S452 with the current highest level. Here the current highest level means the scheme with the highest security level among those that the access point 20 supports and that were selected, as described above, from the schemes the already registered terminals can support.
When the security packet exchange process with the terminal 50 is performed for the first time, the highest level among the encryption schemes notified by the terminal 50 is by definition the current highest level, so the two coincide. When a terminal is added later, however, the current highest level was selected from the schemes the previously registered terminals support, so the two do not always coincide.
In the determination of step S454, if the answer is yes (this time's highest level is higher than the current highest level), the current highest level is kept in step S456; if the answer is no (this time's highest level is lower than or equal to the current highest level), the encryption scheme selected in step S452 is adopted as the new current highest level in step S458. For the packet exchange with the terminal 50 the result is "equal", as described above, so step S458 "adopt this time's highest level" is executed and the encryption scheme becomes TKIP.
This branch embodies the security policy set by the user. The security policy is the rule that decides which encryption scheme to use when the schemes the access point 20 can handle are compared with the schemes the terminal can handle.
The branch above implements the policy (hereinafter policy 1) of "allowing a newly added terminal to join the network even if the security level is lowered" when the highest security level the new terminal can support is lower than that of the scheme in use. The case where the two are judged equal also falls on the "not higher" side and gives the same result as step S458, adopting this time's highest level.
Alternatively, a minimum security level can be defined and a policy adopted (hereinafter policy 2) that never lowers the security level below it. In that case a determination "is this time's highest level higher than or equal to the minimum security level?" is inserted: if yes, the flow proceeds to step S452 and the subsequent steps; if no, the flow proceeds to step S456 and the current highest level is kept.
For special uses, a policy (hereinafter policy 3) that raises the security level to the highest level the new terminal can support may also be adopted; in that case step S456 executes "adopt this time's highest level" instead of "keep the current highest level". By preparing different processing paths that reflect the security policy chosen by the user in advance when a new terminal registers, the trouble of setting each encryption key by hand is eliminated and the user's chosen security policy is always applied.
To make the selection, policies 1 to 3 are displayed on a screen by the setting program of the access point 20, the user chooses one with a mouse or the like, and the result is written to a register or similar. When the access point 20 performs the actual processing it reads the register contents and takes the branch that reflects them. Of course, a hardware switch such as a DIP switch may instead be provided on the access point 20 and the security policy chosen by operating it.
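The following Python model was added by the editor and is not code from the patent. It plays the access point's side of the security packet exchange (procedures 1 to 4 above) and the policy branch of steps S452 to S458 for all three policies. The class and method names, the use of `secrets` for the "random numbers or the like", and the treatment of the first registered terminal as setting the current highest level are assumptions; the page specifies only the steps and the ranking WEP64 < WEP128 < TKIP < AES.

```python
import secrets

# Security ranking used by the embodiment: WEP64 < WEP128 < TKIP < AES.
RANK = {"WEP64": 0, "WEP128": 1, "TKIP": 2, "AES": 3}


class AccessPoint:
    """Access point side of the security packet exchange and of steps S452-S458.

    policy: 1 = allow a new terminal even if the level drops,
            2 = like policy 1 but never drop below `floor`,
            3 = always move to the new terminal's highest level.
    (Class and method names are the editor's, not the patent's.)
    """

    def __init__(self, supported, policy=1, floor=None):
        self.supported = list(supported)
        self.policy = policy
        self.floor = floor              # minimum scheme for policy 2
        self.security_info = None       # {scheme: (essid, key)}, built on first request
        self.current = None             # scheme in use: the "current highest level"
        self.registered = {}            # MAC address -> schemes the terminal supports

    def _generate_security_info(self):
        # Procedure 2: on the first request, draw a random station ID and key per scheme.
        self.security_info = {
            scheme: ("ESSID-" + secrets.token_hex(4), secrets.token_hex(16))
            for scheme in self.supported
        }

    def exchange(self, mac, sta_supported):
        """Procedures 3 and 4: take the station's scheme list and return the
        (ESSID, key) pairs of the schemes both sides support."""
        if self.security_info is None:
            self._generate_security_info()
        self.registered[mac] = list(sta_supported)
        common = [s for s in self.supported if s in sta_supported]
        return {s: self.security_info[s] for s in common}

    def select(self, sta_supported):
        """Steps S452-S458: pick this terminal's highest scheme and apply the policy."""
        common = [s for s in self.supported if s in sta_supported]
        if not common:
            return self.current          # nothing in common; the page does not cover this
        candidate = max(common, key=RANK.__getitem__)   # this time's highest level
        if self.current is None:         # first terminal: candidate equals current (S458)
            self.current = candidate
            return self.current
        if (self.policy == 2 and self.floor is not None
                and RANK[candidate] < RANK[self.floor]):
            return self.current          # below the floor: S456, keep current level
        if self.policy == 3:
            self.current = candidate     # S456 replaced by "adopt this time's highest"
        elif RANK[candidate] <= RANK[self.current]:
            self.current = candidate     # S458: lower or equal -> adopt this time's level
        # else: candidate is higher -> S456, keep the current level
        return self.current

    def beacon(self):
        """The beacon carries only the station ID of the scheme currently in use."""
        return self.security_info[self.current][0]
```

Registering the terminal 50 and then the terminal 60 under policy 1 moves the access point from TKIP to WEP128 and changes the advertised station ID accordingly; the same two registrations under policy 2 with a TKIP floor leave the access point on TKIP, so the terminal 60 never finds a station ID it holds a key for.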
This completes the security information packet exchange process on the access point 20 side.
Returning to fig. 3, unless step S414 determines that the given time has elapsed before the packet exchange finishes, the access point 20 detects the end of the packet exchange in step S420 and sets the security information determined above in step S422. That is, the encryption scheme adopted in step S456 or S458, together with the station ID and encryption key value corresponding to that scheme, is used for subsequent encryption and decryption. In step S422 the MAC address of the terminal 50 is also registered: the access point 20 moves the MAC address of the terminal 50 from the RAM 13 into the management area of the storage device 14.
Since TKIP was adopted in the packet exchange process with the terminal 50, the station ID becomes "ESSID 3" and the TKIP encryption key becomes "DATA 3".
The access point 20 then ends the one-touch registration mode and switches to the normal wireless communication mode in step S424. If the predetermined time elapses during the packet exchange, the one-touch registration mode is likewise ended in step S426, but since registration did not complete, the access point does not switch to the wireless communication mode.
Note that the access point 20 does not explicitly notify the terminal 50 or any other terminal of the encryption scheme it has decided on.
After the packet exchange completes, the terminal 50 searches in step S328 for the access point 20 operating in the wireless communication mode, using the security information it received from the access point 20 and stored. As described above, the security information received from the access point 20 consists of "ESSID 1" and "DATA 1" for WEP64, "ESSID 2" and "DATA 2" for WEP128, and "ESSID 3" and "DATA 3" for TKIP.
First, the terminal 50 acquires the station IDs of the accessible access points. This is done according to the IEEE 802.11 communication standard: the terminal 50 receives beacons from access points and obtains the station IDs of the access points currently within reach. Since the access point 20 has adopted TKIP as its encryption scheme, its station ID is "ESSID 3". The terminal 50 therefore obtains the station ID "ESSID 3" from the beacon of the access point 20 and compares it with the previously received security information stored in the given storage area. From the match on the station ID "ESSID 3" it determines that the encryption scheme is TKIP and that "DATA 3" is to be used for subsequent encryption and decryption.
In step S330 the security information received from the access point is applied according to the state of the discovered access point. That is, the encryption scheme and encryption key corresponding to the discovered station ID are used for subsequent encryption and decryption.
Registration of the MAC address of the wireless LAN adapter 52 in the access point 20 and setting of the common encryption key between the access point 20 and the terminal 50 are thereby complete. In step S332 the terminal 50 then connects to the discovered access point 20 and afterwards starts the connection monitoring mode described below.
If the access point 20 cannot be found within the predetermined time in step S328, the determination in step S326 sends the terminal 50 directly to step S334 without determining an encryption scheme, and the one-touch registration mode is aborted.
The connection monitoring mode on the terminal side is shown in fig. 5. The dotted line in the figure indicates only that this processing is reached from other processing.
After the packet exchange process of step S322 and the connection to the discovered access point in step S332, the connection monitoring mode of steps S360 to S366 runs while the terminal is connected. In step S360 it is determined whether the predetermined connection monitoring interval has elapsed, and if so, step S362 determines whether the connection with the access point 20 is still maintained. In other words, the terminal checks at regular intervals whether the connection with the access point 20 is maintained. If it is, the flow returns to step S360 and the same check is repeated at each interval for as long as the connection lasts.
If the connection with the access point 20 is not maintained, the terminal obtains in step S364 the station IDs of the accessible access points from the beacons it can receive and compares them with the station IDs in the security information previously received from the access point 20. If one matches, the terminal detects that the access point 20 has changed its station ID and encryption scheme, and it switches to the wireless communication mode. In step S366 the previously received security information is applied according to the state of the discovered access point 20: the encryption scheme and encryption key corresponding to the new station ID are used from then on.
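The terminal side of the same mechanism, as a Python model added by the editor (not the patent's code): the station keeps the (ESSID, key) table it received in the packet exchange, resolves the beacon's station ID against it (steps S328 to S332), and in the connection monitoring mode re-resolves whenever its current station ID disappears from the beacons (steps S360 to S366). The class and method names and the constructed security information values are assumptions. The last case in the usage test shows the failure mode the page implies: a terminal that does not hold a key for the scheme the access point has switched to cannot follow it.

```python
# Security ranking used by the embodiment: WEP64 < WEP128 < TKIP < AES.
RANK = {"WEP64": 0, "WEP128": 1, "TKIP": 2, "AES": 3}


class Station:
    """Terminal side: match beacon station IDs against stored security information.
    (Names are the editor's; the patent describes only the steps.)"""

    def __init__(self, security_info):
        # security_info: {scheme: (essid, key)} as received in the packet exchange
        self.security_info = dict(security_info)
        self.by_essid = {essid: (scheme, key)
                         for scheme, (essid, key) in self.security_info.items()}
        self.connected = None        # (essid, scheme, key) currently in use

    def resolve(self, beacon_essids):
        """Steps S328/S364: find a beacon whose station ID we hold a key for.
        The station ID is only a selector here; the secret is the stored key."""
        hits = [(e,) + self.by_essid[e] for e in beacon_essids if e in self.by_essid]
        if not hits:
            return None
        # Only one station ID should match; if several do, prefer the strongest scheme.
        return max(hits, key=lambda h: RANK[h[1]])

    def connect(self, beacon_essids):
        """Steps S330-S332: apply the matched scheme and key and connect."""
        hit = self.resolve(beacon_essids)
        if hit is not None:
            self.connected = hit
        return hit

    def check_link(self, beacon_essids):
        """One pass of the connection monitoring mode (steps S360-S366).
        Returns ("ok", current), ("reconfigured", new) or ("lost", None)."""
        if self.connected is not None and self.connected[0] in beacon_essids:
            return ("ok", self.connected)
        hit = self.connect(beacon_essids)
        if hit is None:
            return ("lost", None)
        return ("reconfigured", hit)
```

The `("lost", None)` result is the situation of the terminal 60 after the access point moves back to TKIP: its beacons no longer carry any station ID that the terminal holds a key for, so the terminal must go through the one-touch registration again.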
Next, the circumstances that give rise to such a change of encryption scheme are described in terms of the processing on the access point 20 side when the terminal 60 registers. Fig. 6 shows how the processing contents of the access point shown in fig. 3 change for the terminal 60.
When the terminal 60 registers, the terminal 60 and the access point 20 perform the packet exchange process of steps S350 and S450 respectively. Although the terminal 60 is newly joining the wireless LAN, the access point 20 executes the MAC registration program described above exactly as it did when registering the terminal 50, so that description is not repeated.
Since the wireless LAN adapter 62 of the terminal 60 supports only WEP64 and WEP128, the packet exchange process runs as follows.
Procedure 1. The terminal 60 sends the access point 20 a request to generate security information.
Procedure 2. The access point 20 returns a reply acknowledging the request. The access point 20 already determined the station ID and encryption key values for each of the encryption schemes above when it received the request from the terminal 50.
Procedure 3. The terminal 60 sends the access point 20 data indicating the encryption schemes it supports. In this case the wireless LAN adapter 62 installed in the terminal 60 supports two schemes, so the data indicates WEP64 and WEP128.
Procedure 4. From the received data the access point 20 detects which encryption schemes the terminal 60 supports and filters its own schemes accordingly; in the case of the terminal 60, WEP64 and WEP128 are retained. For these schemes the access point 20 transmits to the terminal 60 "ESSID 1" and "DATA 1" for WEP64 and "ESSID 2" and "DATA 2" for WEP128.
That is, unlike the terminal 50, the terminal 60 receives from the packet exchange process only "ESSID 1" and "DATA 1" for WEP64 and "ESSID 2" and "DATA 2" for WEP128, and stores them in its given storage area.
Having detected that the terminal 60 supports only WEP64 and WEP128, the access point 20 selects WEP128, the one with the higher encryption (security) level, in step S452, and compares it with the current highest level in step S454. Since the current highest level is TKIP, step S454 determines that this time's level is lower than the current highest level, and in step S458 WEP128, this time's highest level, is adopted.
In step S422 the encryption scheme thus becomes WEP128, the station ID is changed to "ESSID 2", and the encryption key is changed to "DATA 2". In step S424 the access point switches to the wireless communication mode.
As with the terminal 50, the terminal 60 obtains the station ID from the beacon of an access point it can receive, matches it against the received security information to obtain the encryption scheme and key (steps S328 and S330), and connects to the access point 20 using them in step S332.
Meanwhile the terminal 50 checks at regular intervals in steps S360 and S362 whether its connection with the access point 20 is maintained. Because the registration of the terminal 60 changed the station ID to "ESSID 2", the connection under the station ID "ESSID 3" cannot be maintained. In step S364 the terminal 50 therefore detects from the receivable beacon that the station ID of the access point 20 has changed to "ESSID 2", determines from that station ID that the encryption scheme is now WEP128 and the encryption key is "DATA 2", applies that information, and in step S332 connects to the access point 20 with the new settings.
In this way the access point 20 need not notify the terminals 50 and 60 of the encryption scheme it has decided on; the terminals 50 and 60 can identify the encryption scheme and encryption key from the station ID alone. This is very effective where terminals are added gradually. With the conventional approach, such a change in the access point's settings naturally has to be communicated to every terminal; with this aspect of the invention only the station ID changes, and every terminal can find the access point it can communicate with by following the IEEE 802.11 standard. As a result, the encryption scheme and encryption key that are valid at any given time are selected and changed by the station ID alone (the station ID itself carries no secret; it only selects which of the previously distributed keys applies). So even when the encryption scheme changes as terminals are added, no terminal has to be notified, which is advantageous for security.
The processing above maintains the security level demanded by the predetermined security policy.
Next, security setting in the case where the number of terminals participating in the wireless LAN is reduced will be described.
2-2. Case where the number of terminals decreases
The description above showed how the encryption scheme and key used between the access point 20 and each terminal can change when the number of terminals in the wireless LAN increases. In a wireless LAN built around the access point 20, however, the number of participating terminals also changes at the discretion of each terminal's owner. When the number of terminals in the wireless LAN decreases, the security level of the encryption scheme can therefore be raised.
Fig. 7 is a flowchart corresponding to an encryption scheme selection procedure performed by the access point 20 when the number of terminals participating in the wireless LAN decreases.
Throughout the following processing the access point 20 remains switched to the wireless communication mode.
In the wireless communication mode the access point 20 checks in step S460 whether the given connected-terminal confirmation interval has elapsed, and if so it generates a list of the terminals connected to it at that moment (a connected terminal list) in step S462. That is, the access point 20 regenerates the connected terminal list once per interval. The list is then kept temporarily in the RAM 13 or similar for at least one connected-terminal confirmation interval.
The connected terminal list is built from the MAC addresses described above. Since the access point 20 registered the MAC address of each terminal in the one-touch registration mode, when it generates the connected terminal list it selects the MAC addresses of the terminals that currently maintain a connection with it.
After generating the latest connected terminal list, the access point 20 compares it with the stored list generated the previous time and determines whether the number of terminals participating in the wireless LAN has decreased (step S464). If it has not, the encryption scheme change described below is not performed, because when the number of terminals is unchanged or has increased, an appropriate encryption scheme was already set according to the predetermined security policy when the last terminal was added in the one-touch registration mode.
If it determines that the number of terminals has decreased, the access point 20 selects the encryption scheme with the highest security level among those that it supports and that every terminal identified in the latest connected terminal list also supports (step S466).
In step S468 the security level of the encryption scheme currently in use is compared with that of the scheme selected in step S466.
Take as an example the case where the terminals 50 and 60 are attached to the wireless LAN via the access point 20, the terminal 60 leaves, and step S464 detects the decrease in terminals caused by its departure. The wireless LAN adapter 52 of the terminal 50 supports WEP64, WEP128 and TKIP, and the wireless LAN adapter 62 of the terminal 60 supports WEP64 and WEP128; the access point 20 learned the schemes supported by each of the terminals 50 and 60 in the security packet exchange process described above. Since the terminal 60 has left the wireless LAN, the encryption scheme selected by the access point 20 in step S466 is TKIP.
If policy 1 was the security policy when the terminals 50 and 60 registered in the one-touch registration mode, WEP128 was adopted as the current encryption scheme so that the terminal 60, whose highest supportable level is lower than that of the terminal 50, could also join the network.
In step S470, if the security level of the selected encryption scheme is higher than that of the current scheme, the selected scheme is adopted. In the example, the selected scheme TKIP has a higher security level than the current scheme, so TKIP is adopted; the access point 20 changes its station ID to "ESSID 3" so that the encryption key becomes "DATA 3".
If the security level of the selected encryption scheme is not higher than that of the current scheme, the current scheme is kept and the encryption scheme is not changed.
That is, with the configuration of the present invention, the security level of the encryption scheme in use can be raised automatically after the terminal 60 of the terminals 50 and 60 leaves the wireless LAN.
The encryption scheme can be updated not only when the number of terminals participating in the wireless LAN decreases but also when the participating terminals are replaced within a predetermined period.
Fig. 8 is a flowchart of the encryption scheme selection program executed by the access point 20 when some of the terminals participating in the wireless LAN are replaced. The case described here as an example is one where, within a single connected-terminal confirmation interval, the terminals 50 and 60 are already joined to the wireless LAN via the access point 20, the terminal 70 joins as a newly registered terminal, and the terminal 60 leaves the wireless LAN.
That is, in the one-touch registration mode the MAC address of the wireless LAN adapter 72 is registered in the access point 20, and the encryption scheme that the terminals 50 to 70 can all support, together with the encryption key used for that scheme, is set in the terminals 50 to 70; the terminal 60 then leaves the wireless LAN in that state. The wireless LAN adapter 72 of the terminal 70 supports WEP64, WEP128 and TKIP. The description below concentrates on the parts of the figure that differ from Fig. 7.
As shown in the figure, when step S484 does not branch (the number of terminals has not decreased), it is determined whether any terminal participating in the wireless LAN has been replaced (step S486). Specifically, the latest connected-terminal list generated in step S482 is compared with the stored list generated the previous time, and replacement is detected from the terminal MAC addresses that make up each list. In the present embodiment the previous list shows the terminals 50 and 60 and the latest list shows the terminals 50 and 70, so the process proceeds to step S488 onward and the encryption scheme is changed.
If the determination in step S486 is no, that is, if no terminal has left the wireless LAN and the number of terminals has only increased, or if the participating terminals are unchanged, the encryption scheme is not changed. In these cases the appropriate encryption scheme was already set, in accordance with the predetermined security policy, when the most recent terminal was added and registered in the one-touch registration mode.
The processing from step S488 onward is the same as that from step S466 onward in Fig. 7. Since the terminal 70 was added and the terminal 60 left the wireless LAN within the connected-terminal confirmation interval, the encryption scheme selected by the access point 20 in step S488 becomes TKIP. When policy 1 was selected as the security policy at the one-touch registration of the terminals 50 and 60, WEP128 had been adopted as the scheme in use. The change in step S490 therefore replaces WEP128 with TKIP in this example, raising the security level. In this way the configuration of Fig. 8 automatically raises the security level of the encryption scheme in use once the terminal that limited the common scheme has gone.
When the encryption scheme is selected in steps S466 and S488, it is not mandatory to follow the policy of selecting the scheme with the highest security level among those that the access point 20 supports and that all terminals on the latest connected-terminal list support in common. For example, when a high-security setting would sacrifice too much communication speed, an upper limit on the security level of the selectable schemes may be imposed in steps S466 and S488, avoiding the inconvenience of a lower communication speed. Such an upper limit trades confidentiality for throughput and should itself be part of the security policy rather than a device default.
Even when the encryption scheme and encryption key are changed with the disconnection or replacement of some terminal as the trigger, another terminal that wishes to stay connected to the network can easily follow the change. That is, as shown in Fig. 5, even when the access point 20 changes its station ID together with the encryption scheme, a terminal in connection-monitoring mode can detect the new station ID, determine from its stored settings that the scheme is now TKIP and the key is "DATA 3" in the example above, and maintain the connection to the access point 20 using that information.
When there is room to raise the security level further, the processing shown in Fig. 9 may also be executed.
First, in step S, the access point 20 transmits a confirmation packet to every terminal to which it has issued an encryption key, asking which encryption schemes the terminal can apply.
In response, each terminal returns a response packet indicating the encryption schemes it can handle at that time (step S380). The response may carry the scheme names themselves, or the security level previously associated with each scheme.
On the access point 20 side, in step S502, the scheme with the highest security level common to all terminals that responded is compared with the scheme currently used by the access point 20, and it is determined whether the security level can be raised; the level is never lowered here. If there is a margin, the scheme is changed to the stronger one in step S504 and the setting information is updated accordingly in step S506. No notification to each terminal is needed in this case either: in connection-monitoring mode each terminal switches to the appropriate encryption scheme and key according to whether the station ID of the access point 20 has changed.
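The scheme re-selection of Figs. 7 and 8 (connected-terminal lists compared by MAC address, strongest common scheme chosen, optional upper limit on the level), the query-and-response raise of Fig. 9, and the terminal's station-ID following of Fig. 5, as an added Python example; this is not the patent's own code. The scheme ranking, the MAC addresses, station IDs, keys and the level_cap parameter are constructed assumptions, and the step numbers in the comments refer to the text above.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Optional, Tuple

# Assumed ranking of the schemes named on the page; a larger number is stronger.
SECURITY_LEVEL: Dict[str, int] = {"WEP64": 1, "WEP128": 2, "TKIP": 3}


def highest_common_scheme(ap_schemes, terminal_schemes, level_cap=None):
    """Rule of steps S466/S488: the strongest scheme that the access point and
    every connected terminal support. level_cap is the optional upper limit
    that trades security for throughput (an assumed parameter name)."""
    common = set(ap_schemes)
    for supported in terminal_schemes:
        common &= set(supported)
    if level_cap is not None:
        common = {s for s in common if SECURITY_LEVEL[s] <= level_cap}
    return max(common, key=SECURITY_LEVEL.__getitem__) if common else None


@dataclass
class AccessPoint:
    schemes: Tuple[str, ...]
    capabilities: Dict[str, FrozenSet[str]]  # MAC -> schemes reported at registration
    issued: Dict[str, Tuple[str, str]]       # scheme -> (station ID, key) handed out
    current: str
    level_cap: Optional[int] = None
    last_seen: FrozenSet[str] = frozenset()

    @property
    def station_id(self) -> str:
        return self.issued[self.current][0]  # station ID changes with the scheme

    def confirm_connected(self, seen_macs: Iterable[str]) -> str:
        """One connected-terminal confirmation (steps S482 to S490 of Figs. 7/8)."""
        seen = frozenset(seen_macs)
        prev, self.last_seen = self.last_seen, seen
        if not (prev - seen):
            # Nothing left (S484 and S486 both "no"): the scheme chosen at the
            # last one-touch registration still matches the policy, keep it.
            return self.current
        chosen = highest_common_scheme(
            self.schemes, [self.capabilities.get(m, frozenset()) for m in seen],
            self.level_cap)
        if chosen is not None:      # an unregistered MAC yields None: no change
            self.current = chosen
        return self.current

    def raise_if_margin(self, responses: Dict[str, FrozenSet[str]]) -> str:
        """Fig. 9 (steps S502 to S506): terminals answered the confirmation packet
        with the schemes they can handle now; switch only to a strictly stronger one."""
        chosen = highest_common_scheme(self.schemes, responses.values(), self.level_cap)
        if chosen is not None and SECURITY_LEVEL[chosen] > SECURITY_LEVEL[self.current]:
            self.current = chosen
        return self.current


class Terminal:
    """Terminal in connection-monitoring mode (Fig. 5): it holds one (scheme, key)
    per station ID and adopts whichever station ID the access point now shows."""

    def __init__(self, supported: FrozenSet[str], issued: Dict[str, Tuple[str, str]]):
        # The access point only issued keys for the schemes this terminal reported.
        self.by_station_id = {sid: (scheme, key) for scheme, (sid, key) in issued.items()
                              if scheme in supported}

    def follow(self, observed_station_id: str) -> Optional[Tuple[str, str]]:
        """(scheme, key) for the observed station ID, or None when the terminal holds
        no key for it and therefore cannot keep the connection."""
        return self.by_station_id.get(observed_station_id)


# Constructed sample data standing in for terminals 50, 60 and 70 of the text.
CAPABILITIES = {
    "mac-50": frozenset({"WEP64", "WEP128", "TKIP"}),
    "mac-60": frozenset({"WEP64", "WEP128"}),  # holds the common scheme at WEP128
    "mac-70": frozenset({"WEP64", "WEP128", "TKIP"}),
}
ISSUED = {"WEP64": ("AP-W64", "DATA1"), "WEP128": ("AP-W128", "DATA2"),
          "TKIP": ("AP-TKIP", "DATA3")}
AP_SCHEMES = ("WEP64", "WEP128", "TKIP")


def run_scenario(level_cap: Optional[int] = None) -> Dict[str, object]:
    """Fig. 8 case (50 and 60 present, then 60 leaves and 70 joins), then Fig. 9."""
    ap = AccessPoint(AP_SCHEMES, CAPABILITIES, ISSUED, "WEP128", level_cap)
    t50 = Terminal(CAPABILITIES["mac-50"], ISSUED)
    t60 = Terminal(CAPABILITIES["mac-60"], ISSUED)
    after_first = ap.confirm_connected(["mac-50", "mac-60"])
    after_replacement = ap.confirm_connected(["mac-50", "mac-70"])
    poll = AccessPoint(AP_SCHEMES, CAPABILITIES, ISSUED, "WEP128", level_cap)
    c50, c60, c70 = (CAPABILITIES[m] for m in ("mac-50", "mac-60", "mac-70"))
    return {
        "after_first": after_first,                    # WEP128: only additions so far
        "after_replacement": after_replacement,        # TKIP: 60 is gone
        "t50_follows": t50.follow(ap.station_id),      # ("TKIP", "DATA3")
        "t60_follows": t60.follow(ap.station_id),      # None: never issued a TKIP key
        "fig9_no_margin": poll.raise_if_margin({"mac-50": c50, "mac-60": c60}),
        "fig9_raised": poll.raise_if_margin({"mac-50": c50, "mac-70": c70}),
        "fig9_never_lowered": poll.raise_if_margin({"mac-50": c50, "mac-60": c60}),
    }
```

Calling run_scenario() reproduces the text's example, and run_scenario(level_cap=2) shows the throughput cap of the previous paragraph holding the network at WEP128 even after the terminal 60 has left. Note that, by the page's design, a terminal follows any station ID for which it holds a key, including those of weaker schemes, so the strength of the network at any moment is whatever scheme the access point currently announces; the Fig. 9 rule of never lowering the level is what keeps that from going down.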
3. Modification example
Embodiment 1 of the present invention has been described above, but the invention can of course be implemented in various other forms without departing from its scope.
For example, although WEP and the like are used above to encrypt the data exchanged between the terminal and the access point, other encryption techniques may be used, for instance public key encryption (a scheme in which a public key is used to encrypt data and a separate private key is used to decrypt it). WPA (Wi-Fi Protected Access), a higher-strength encryption technology, may also be considered. Note that WEP, and later TKIP, have since been shown to be cryptographically weak; a present-day implementation of this selection policy should rank WPA2 or WPA3 with CCMP above them rather than treat WEP as an acceptable common scheme.
In the above embodiment the setting is carried out by exchanging radio waves between the wireless LAN adapter 52 of the terminal 50 and the transmitter 25 and receiver 26 of the access point 20, but it may be carried out over a wireless medium other than those radio waves, such as infrared light, visible light, sound, ultrasound or weak radio waves. The wireless communication between the terminal 50 and the access point 20 may also use a short-range technology such as Bluetooth (trademark).
Data may also be transmitted by one of those other wireless methods in the configuration of the above embodiment. As an example, a configuration that uses infrared transmission in combination is described below. The difference from the embodiment above is that the access point 20 has an infrared receiving interface connected to the CPU 11 via a bus and an infrared receiving unit connected to that interface, and the terminal 50 has an infrared transmitting interface connected to its CPU via a bus and an infrared transmitting unit connected to that interface.
The infrared receiving unit on the access point 20 side consists of a photodiode sensitive in the infrared region, and the infrared transmitting unit of the terminal 50 consists of an LED that emits light of an infrared wavelength. The infrared transmitting interface of the terminal 50 converts the command signal from the CPU into a carrier on which the command signal is superimposed, and the infrared transmitting unit emits that carrier. When the terminal 50 is within the secure reception area of the access point 20 (the area in which the infrared receiving unit can receive the carrier), the infrared receiving unit on the access point 20 side receives it. The infrared receiving interface converts the received carrier back into a binary command signal and passes it to the CPU 11.
The infrared transmitting interface and transmitting unit may be built into the terminal 50 in advance, or provided by connecting an infrared transmitter to an audio output terminal of the terminal 50.
The above description takes infrared data transmission combined with radio-wave data communication as an example, but data transmission by wireless means other than infrared (for example visible light, sound, ultrasound or weak radio waves) may be combined with radio-wave data communication in the same way. When visible light is used, the liquid crystal display of a personal computer, portable information terminal or the like can serve as the light-emitting device, so that an optical signal carrying the MAC address information can be sent from the terminal's display to the access point 20.
In the above embodiment the wireless communication range during setting is restricted, and this restriction is not limited to the settings described above; it can be applied to other information that the access point 20 and the terminal 50 exchange and set. For example, for a service that delivers paid content only to specific persons, information that authenticates the owner of the accessing terminal as such a person (for example the owner's name, ID and password) may be registered in advance in the access point 20 and the terminal 50. This registration of personal authentication information can likewise be performed by wireless communication while the range between the access point 20 and the terminal 50 is restricted, so that the ID, password and other authentication information need not be entered by hand.
4. Summary of the invention
In this way the access point 20 repeats the above operation at regular intervals, detects by itself which terminals are connected to the wireless LAN, and updates the encryption scheme in use when the number of participating terminals decreases or a terminal is replaced. In that update the scheme is chosen under the policy of selecting the highest security level among the schemes supported in common by the devices that make up the network, so that a lower-level security setting that is no longer necessary is not retained after a terminal leaves the network or is replaced. Since the security setting is made according to the security policy when terminals are added and updated according to the same policy when terminals leave or are replaced, the best available security environment is obtained at any time regardless of changes in the terminals that make up the network.

Claims (18)

1. An encryption key setting system for setting, before communication between an access point serving as a wireless LAN repeater and a terminal having a wireless LAN connection device, the encryption scheme and the encryption key used to encrypt the wireless communication data exchanged between them, the encryption key setting system comprising:
the terminal includes:
a terminal side encryption scheme transmission means for wirelessly transmitting to the access point the encryption schemes that the terminal can support; and
a terminal side encryption scheme selection means for detecting the encryption scheme used by the access point and selecting the detected encryption scheme,
the access point includes:
a connection terminal detection means for determining a terminal which has joined the wireless LAN via the access point and detecting whether or not the joined terminal has changed; and
an access point side encryption scheme selection means for selecting and adopting, when the connected terminal detection means detects that the terminals participating in the wireless LAN have changed, a given encryption scheme according to a given criterion from among the encryption schemes that the access point can support and that the terminals participating in the wireless LAN can support in common.
2. The encryption key setting system according to claim 1, wherein:
the access point side encryption scheme selecting means selects an encryption scheme having a higher security level when the connected terminal detecting means detects that the terminal participating in the wireless LAN has changed and the terminals participating in the wireless LAN can commonly support an encryption scheme having a higher security level than the encryption scheme used up to that time.
3. The encryption key setting system according to claim 1 or 2, wherein:
the connection terminal detection means repeats the following operation at given intervals: the terminals participating in the wireless LAN are identified on the basis of identification information unique to each terminal, and a decrease in the number of terminals participating in the wireless LAN is detected by comparing the unique identification information of each identified terminal with the unique identification information of each terminal acquired in the previous identification operation.
4. The encryption key setting system according to claim 1 or 2, wherein:
the connection terminal detection means repeats the following operations at given intervals: the terminal participating in the wireless LAN is identified based on the identification information unique to each terminal, and the replacement of the terminal participating in the wireless LAN is detected by comparing the identified unique identification information of each terminal with the unique identification information of each terminal acquired in the previous identification operation.
5. The encryption key setting system according to claim 1 or 2, wherein:
the access point further includes an access point side encryption key transmission means for selecting, from among the encryption schemes that the access point can support, the encryption schemes reported by the terminal side encryption scheme transmission means, and for wirelessly transmitting the selected encryption schemes and the encryption key used in each selected encryption scheme to the terminal; and
the terminal includes a terminal-side encryption key storage unit that stores encryption keys of the respective encryption schemes transferred from the access point in a predetermined storage area.
6. The encryption key setting system according to claim 5, wherein:
the access point side encryption key transmission means performs a process of transmitting the selected encryption scheme and the encryption key used in each of the selected encryption schemes to the terminal only once when the terminal side encryption scheme transmission means of the terminal transmits the encryption scheme.
7. The encryption key setting system according to claim 5, wherein:
the access point side encryption scheme selection means changes the station ID of the access point in accordance with a change in the encryption scheme when the encryption scheme to be used is changed in accordance with a change in the terminal participating in the wireless LAN.
8. The encryption key setting system according to claim 6, wherein:
the access point side encryption scheme selection means changes the station ID of the access point in accordance with a change in the encryption scheme when the encryption scheme to be used is changed in accordance with a change in the terminal participating in the wireless LAN.
9. The encryption key setting system according to claim 5, wherein:
the access point side encryption key transmission means determines a different station ID of the access point for each encryption scheme that the access point can support, and wirelessly transmits the determined station IDs to the terminal together with the encryption key for each selected encryption scheme; and
the terminal-side encryption scheme selection means acquires a station ID of an access point from an access point that can be connected to the terminal, and when the station ID of the access point matches a station ID of an access point that is stored in advance in the terminal-side encryption key storage means, uses an encryption scheme and an encryption key corresponding to the station ID of the access point.
10. The encryption key setting system according to claim 6, wherein:
the access point side encryption key transmission means determines a different station ID of the access point for each encryption scheme that the access point can support, and wirelessly transmits the determined station IDs to the terminal together with the encryption key for each selected encryption scheme; and
the terminal-side encryption scheme selection means acquires a station ID of an access point from an access point that can be connected to the terminal, and when the station ID of the access point matches a station ID of an access point that is stored in advance in the terminal-side encryption key storage means, uses an encryption scheme and an encryption key corresponding to the station ID of the access point.
11. The encryption key setting system according to claim 7, wherein:
the access point side encryption key transmission means determines a different station ID of the access point for each encryption scheme that the access point can support, and wirelessly transmits the determined station IDs to the terminal together with the encryption key for each selected encryption scheme; and
the terminal-side encryption scheme selection means acquires a station ID of an access point from an access point that can be connected to the terminal, and when the station ID of the access point matches a station ID of an access point that is stored in advance in the terminal-side encryption key storage means, uses an encryption scheme and an encryption key corresponding to the station ID of the access point.
12. The encryption key setting system according to claim 8, wherein:
the access point side encryption key transmission means determines a different station ID of the access point for each encryption scheme that the access point can support, and wirelessly transmits the determined station IDs to the terminal together with the encryption key for each selected encryption scheme; and
the terminal-side encryption scheme selection means acquires a station ID of an access point from an access point that can be connected to the terminal, and when the station ID of the access point matches a station ID of an access point that is stored in advance in the terminal-side encryption key storage means, uses an encryption scheme and an encryption key corresponding to the station ID of the access point.
13. The encryption key setting system according to claim 9, wherein:
the terminal-side encryption scheme selection means acquires a station ID of an access point from connectable access points again when wireless communication with the access point cannot be maintained based on the station ID of the specified access point, and uses an encryption scheme and an encryption key corresponding to the station ID of the access point when the station ID matches the station ID of the access point stored in advance in the terminal-side encryption key storage means.
14. The encryption key setting system according to claim 10, wherein:
the terminal-side encryption scheme selection means acquires a station ID of an access point from connectable access points again when wireless communication with the access point cannot be maintained based on the station ID of the specified access point, and uses an encryption scheme and an encryption key corresponding to the station ID of the access point when the station ID matches the station ID of the access point stored in advance in the terminal-side encryption key storage means.
15. The encryption key setting system according to claim 11, wherein:
the terminal-side encryption scheme selection means acquires a station ID of an access point from connectable access points again when wireless communication with the access point cannot be maintained based on the station ID of the specified access point, and uses an encryption scheme and an encryption key corresponding to the station ID of the access point when the station ID matches the station ID of the access point stored in advance in the terminal-side encryption key storage means.
16. The encryption key setting system according to claim 12, wherein:
the terminal-side encryption scheme selection means acquires a station ID of an access point from connectable access points again when wireless communication with the access point cannot be maintained based on the station ID of the specified access point, and uses an encryption scheme and an encryption key corresponding to the station ID of the access point when the station ID matches the station ID of the access point stored in advance in the terminal-side encryption key storage means.
17. An access point serving as a wireless LAN repeater and supporting a plurality of encryption schemes for wireless LAN communication, which, when setting the encryption scheme and the encryption key used for encryption before communication of wireless communication data with a terminal having a wireless LAN connection device, comprises:
a connection terminal detection means for identifying the terminals that have joined the wireless LAN via the access point and detecting whether the joined terminals have changed; and
an access point side encryption scheme selection means for selecting and adopting, when the connected terminal detection means detects that the terminals participating in the wireless LAN have changed, a given encryption scheme according to a given criterion from among the encryption schemes that the access point can support and that the terminals participating in the wireless LAN can support in common, on the basis of data on the encryption schemes each terminal can support that was transmitted in advance from the plurality of terminals.
18. An encryption key setting method for setting, before communication between an access point serving as a wireless LAN repeater and a terminal having a wireless LAN connection device, the encryption scheme and the encryption key used to encrypt the wireless communication data exchanged between them, the encryption key setting method comprising:
the terminal wirelessly transmitting to the access point the encryption schemes that the terminal can support;
the access point identifying the terminals that have joined the wireless LAN via the access point, detecting whether the joined terminals have changed, and, when a change of the joined terminals is detected, selecting and adopting a given encryption scheme according to a given criterion from among the encryption schemes that the access point can support and that the terminals joined to the wireless LAN can support in common; and
the terminal detecting the encryption scheme used by the access point and selecting the detected encryption scheme.
HK05111729.0A 2004-04-21 2005-12-20 Cipher key setting system, access point, and cipher key setting method HK1077142B (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2004125150A JP4606055B2 (en) 2004-04-21 2004-04-21 Encryption key setting system, access point, and encryption key setting method
JP2004-125150 2004-04-21

Publications (2)

Publication Number Publication Date
HK1077142A1 HK1077142A1 (en) 2006-02-03
HK1077142B true HK1077142B (en) 2008-07-11
