JP2011019005A - Method of relaying network, and network system - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a method of relaying a network capable of relaying an information piece transmitted from a first terminal to a second terminal via a network without requiring troublesome management while protecting the network from DOS attack for increasing the volume of traffic, and a network system.SOLUTION: When relaying an information piece transmitted from a first communication terminal to a second communication terminal via a network, only a third communication terminal having detected the presence of a fourth communication terminal out of respective third communication terminals belonging to the network is set while being capable of relaying the information piece to the second communication terminal side.

Description

  The present invention relates to a relay control method for information pieces via a network and a network system for performing relay control according to the information relay control method.

  Currently, information communication terminals (hereinafter simply referred to as “terminals”) not only directly communicate with each other, but also wireless communication that enables information communication with terminals in areas where radio waves do not reach by passing through other terminals. As a network, a multi-hop network has attracted attention.

  A multi-hop network consists of multiple terminals connected to each other without intervening access points. Packets sent from the source terminal are transmitted to the destination terminal by relaying each terminal. To do. At this time, in the multi-hop network, in order to prevent unauthorized communication, the authentication management terminal performs encryption of communication information and message authentication (tamper detection). As an encryption method, there are encryption using a “link key” shared only between one terminal and one authentication management terminal, and “network key shared by all terminals belonging to one network”. There are two types of encryption using "." In message authentication, each node in the communication path exchanges path information with surrounding nodes, and by using the network key, whether or not the transmitted packet is issued from a peer, that is, It is determined whether or not the transmission source terminal has the correct network key. At this time, if it is determined that the source terminal does not have the correct network key, the packet being communicated is excluded.

  Here, when participating in the multi-hop network described above, the device that desires to participate transmits a participation request message that urges a node on the multi-hop network to request participation. The node that has received the participation request message inquires about participation by transferring the participation request message to the authentication management terminal.

  However, according to such a structure, a denial-of-service attack (hereinafter referred to as a DOS attack), which increases the amount of traffic to the authentication management terminal by simultaneously sending participation request messages from a large number of points, is set up. There was a problem.

  Therefore, in order to prevent malicious DOS attacks using participation requests, a network construction system has been proposed that performs distributed management of authentication by issuing a network certificate on the premise of a public key management infrastructure ( For example, see Patent Document 1). In such a network construction system, a device certificate signed with a network certificate unique to the network is issued for each device constituting the network. At this time, a device having a device certificate signed by a network certificate is given the eligibility to participate in the network without inquiring the authentication management terminal by having the device certificate verified. It is said that

  By the way, in order to perform distributed management as described above, it is necessary to perform public key cryptography calculation processing using a public key management infrastructure. However, in the public key cryptographic calculation process, the program size and the required memory capacity are increased as compared with the case where the common key cryptographic calculation process is performed. Therefore, it is difficult to reduce the size in mounting, and the processing time becomes long. As a result, when an application that requires real-time processing is used, time is spent on the cryptographic operation processing for verifying the participation request, and real-time processing may not be performed.

  In view of this, a method has been proposed in which a network is protected from a DOS attack that reduces communication performance by simultaneously transmitting a large number of participation request messages without using a public key management infrastructure (see, for example, Non-Patent Document 1). . In this method, each device configuring the network has a function for setting whether or not to accept a connection request message transmitted first by a node that desires to participate. At this time, only the user of the management terminal can perform a setting for accepting a connection request message for a desired device. According to such a function, it is possible to set only a legitimate device that wants to participate in the network to a state where the connection request message can be accepted. In other words, since the participation request message from an unauthorized device can be rejected, the network can be protected from a DOS attack.

  However, in such a method, when the number of nodes connected to the network increases, it is necessary to manually set whether or not each node can accept a connection request message. There was a problem that network management was troublesome.

JP 2007-74393 A

ZigBee Alliance, “ZigBee 2007 specification”

  The present invention can protect a network from a DOS attack and can relay a piece of information emitted from a first terminal to a second terminal via the network without requiring cumbersome management. It is an object to provide a relay method and a network system.

  The network relay method according to the present invention is a network relay method for relaying an information piece transmitted from a first communication terminal to a second communication terminal via a network, wherein the first communication terminal sends the information piece to the network. A first step of transmitting to the third communication terminal to which the third communication terminal belongs, and the information piece received by the third communication terminal only when the third communication terminal detects the presence of a predetermined fourth communication terminal. A second step of relaying to the terminal.

  The network system according to the present invention is a network in which a first communication terminal that is a transmission source of a predetermined information piece, a second communication terminal that is a transmission destination of the information piece, and a plurality of third communication terminals are connected. And only the third communication terminal that has detected the presence of a predetermined fourth communication terminal in each of the third communication terminals receives the information piece transmitted from the first communication terminal. Relay to second communication terminal.

  According to the present invention, in relaying the information piece transmitted from the first communication terminal to the second communication terminal via the network, the presence of the fourth communication terminal is detected in each of the third communication terminals belonging to the network. Only the third communication terminal that has been able to do so is automatically set to a state in which the information piece can be relayed. Therefore, even if the third communication terminal that cannot detect the presence of the fourth communication terminal receives the information piece transmitted from the first communication terminal, the third communication terminal discards it. Therefore, even if a person other than the legitimate installer performs a DOS attack in which a large number of pieces of information are simultaneously transmitted maliciously, it is very unlikely that the third communication terminal is set to the relay-permitted state. The network can be protected from a DOS attack without using a key management infrastructure. Furthermore, since only the third communication terminal that has been able to detect the presence of the fourth communication terminal is automatically set in a state in which the information piece can be relayed, the installer himself / herself manually sets a plurality of third communication terminals. Compared with the case where whether or not to give relay permission to each communication terminal is set, network management and operation becomes easier.

It is a figure which shows an example of the multihop network system which employ | adopted the network relay method by this invention. It is a figure which shows an example of each internal structure of authentication management terminal AU1-AU5 shown in FIG. It is a figure which shows an example of each internal structure of participating terminals EU1-EU5 shown in FIG. It is a figure which shows an example of an internal structure of the participation request | requirement terminal SU shown in FIG. It is a figure which shows an example of an internal structure of the certification | authentication terminal CU shown in FIG. It is a figure which shows the format of the relay permission message MTX. It is a communication flow figure showing the communication operation | movement performed when an installer joins the participation request | requirement terminal SU in network NW1 in the multihop network system shown in FIG. It is a figure which shows another example of the multihop network system which employ | adopted the network relay method by this invention. It is a figure which shows an example of each internal structure of participating terminal GU1-GU5 shown in FIG. It is a figure which shows the format of the certification | authentication terminal search message STX. It is a figure which shows an example of an internal structure of the certification | authentication terminal QU shown in FIG. FIG. 9 is a communication flow diagram showing a communication operation performed when an installer causes a participation request terminal SU to participate in a network NW1 in the multi-hop network system shown in FIG.

  In relaying the information piece transmitted from the first communication terminal to the second communication terminal via the network, only the third communication terminal that detects the presence of the fourth communication terminal in each of the third communication terminals belonging to the network. Then, the information piece is set in a state where it can be relayed to the second communication terminal side.

  FIG. 1 is a diagram showing an example of the configuration of a network system employing a network relay method according to the present invention.

  The network system shown in FIG. 1 includes networks NW1 to NW3 as first to third wireless multi-hop networks, authentication management terminals AU1 to AU3, joined terminals EU1 to EU5, and a participation request terminal SU as a terminal to be joined in the future. And a certification terminal CU.

  The authentication management terminal AU1 belongs to the network NW1, and performs authentication management for each device connected to the network NW1. The authentication management terminal AU2 belongs to the network NW2, and performs authentication management for each device connected to the network NW2. The authentication management terminal AU3 belongs to the network NW3, and performs authentication management for each device connected to the network NW3. Each of the authentication management terminals AU1 to AU3 is installed at a position separated from the joined terminals in the networks NW1 to NW3 by a plurality of hops.

  As shown in FIG. 2, each of the authentication management terminals AU1 to AU3 includes a link key storage unit 21, a network key storage unit 22, a network key management unit 23, a mutual authentication unit 24, and a transmission / reception unit 25.

  In FIG. 2, the link key storage unit 21 stores in advance a link key for each device shared with each device (including a participating terminal and a participation requesting terminal) to be managed by the authentication management terminal. The link key is a one-to-one relationship with an authentication management terminal (AU1, AU2, or AU3) before a device participating in the network starts a network participation sequence, for example, at the time of manufacturing the device. Shared and assigned at. The network key storage unit 22 stores in advance a network key shared in the network to which the authentication management terminal belongs. The network key management unit 23 executes various types of management related to the network key of the terminal participating in the network to which the authentication management terminal belongs, for example, periodic updating of the network key via the transmission / reception unit 25. The mutual authentication unit 24 shares the link key, for example, by challenge and response authentication based on the participation request message MRQC (described later) supplied from the transmission / reception unit 25 and the link key read from the link key storage unit 21. Mutual authentication is performed with the terminal that performs the authentication, and an authentication result message MK (described later) representing the authentication result is supplied to the transmission / reception unit 25. The challenge and response authentication is an authentication method that prevents a password or the like from being wiretapped during communication by performing a special process on a character string used for user authentication. When the transmission / reception unit 25 receives the participation request message MRQC transmitted from the participating terminal, the transmission / reception unit 25 supplies the participation request message MRQC to the mutual authentication unit 24, while supplying the authentication result message MK supplied from the mutual authentication unit 24 to the participation request terminal. Send.

  Each of the participating terminals EU1 to EU5 is a terminal that has already participated in the network (for example, NW1), and each has a network key storage unit 31, a network key update unit 32, participation request relay control, as shown in FIG. A unit 33, a time measuring unit 34, and a transmission / reception unit 35 are included.

  In FIG. 3, the network key storage unit 31 stores in advance a network key shared within one network. When the network key designation signal is supplied from the transmission / reception unit 35, the network key update unit 32 rewrites the network key stored in the network key storage unit 31 with the key designated by the network key designation signal.

  The participation request relay control unit 33 performs relay control when the participation request message received by the transmission / reception unit 35 is relayed to the authentication management terminal side. That is, the participation request relay control unit 33 is set to a relay non-permission mode state in which relay of the participation request message is not permitted in the initial state. However, after that, when the relay permission message MTX is supplied from the transmission unit 35, the state of the relay permission mode is only during the effective period T1 (described later) indicated by the relay permission message MTX from the supply start time. Set to At this time, if the participation request message MRQ is supplied from the transmission / reception unit 35 while the participation request relay control unit 33 is in the relay permission mode, the network key storage unit 31 responds to the participation request message MRQ. The participation request message MRQC is generated by performing an encryption process based on the network key stored in and a predetermined message authentication encoding process. Then, the transmission / reception unit 35 is controlled to transmit the participation request message MRQC to the authentication management terminal side. Thereby, the transmission / reception unit 35 transmits the participation request message MRQC to the authentication management terminal side only while the relay permission mode is set as described above. On the other hand, while the relay disapproval mode is set as described above, even if the participation request message MRQ is supplied from the transmission unit 35, the participation request relay control unit 33 sends the participation request message to the transmission / reception unit 35. The control for transmitting the MRQC is not executed. That is, the participation request message transmitted from the terminal is discarded. When the transmission / reception unit 35 receives the network key designation signal transmitted from the authentication management terminal, the transmission / reception unit 35 supplies this to the network key update unit 32. Further, when receiving the relay permission message MTX transmitted from the certification terminal CU, the transmission / reception unit 35 supplies this to the participation request relay control unit 33. Further, when the participation request message MRQ transmitted from the external participation request terminal SU is received, the transmission / reception unit 35 supplies the participation request message MRQ to the participation request relay control unit 33. The time measuring unit 34 measures time and supplies time information indicating the current time to the participation request relay control unit 33.

  The participation request terminal SU is a terminal that requests participation in the network (NW1, NW2, or NW3) from now on. As shown in FIG. 4, the participation request message generation unit 41, the link key storage unit 42, the mutual authentication unit 43, and And a transmission / reception unit 44.

  In FIG. 4, the participation request message generator 41 generates a participation request message MRQ including a link key corresponding to the participation request terminal SU and supplies it to the transmission / reception unit 44. The link key storage unit 42 stores in advance a link key corresponding to the participation request terminal SU. Based on the link key read from the link key storage unit 42, the mutual authentication unit 43 performs mutual authentication with a terminal sharing the link key, for example, by challenge and response authentication, and sends the authentication result to the transmission / reception unit. 44. The transmission / reception unit 44 transmits a participation request message MRQ to a participating terminal on the network as a participation target, and transmits the authentication result as described above to the authentication management terminal.

  The certification terminal CU is a terminal used when the installer causes the participation requesting terminal SU to participate in the multi-hop network. As shown in FIG. 5, the certification terminal CU is a network key acquisition unit 51, a network key storage unit 52, and a time counting unit 53. The relay permission message generation unit 54 and the transmission / reception unit 55 are included.

  In FIG. 5, a network key acquisition unit 51 receives an input of a network key by an operator, that is, an input of a network key of a network (NW 1, NW 2, or NW 3) desired to participate, and supplies this to the network key storage unit 52. . The network key storage unit 52 stores the network key. The time counting unit 53 counts the time, and supplies time information indicating the current time to the relay permission message generating unit 53.

  As illustrated in FIG. 6, the relay permission message generation unit 53 generates a relay permission message MTX that respectively represents a relay permission message identification code, a message generation time, a validity period T1, and a message authentication code. The relay permission message identification code is a code for allowing the terminal that has received this message to identify that this message is a message indicating relay permission. The message generation time is the current time indicated by the time information supplied from the time counting unit 53 when this message is generated. The valid period T1 designates a valid period from the message generation time when the participation request message MRQ is relayed. The message authentication code is encrypted by a keyed hash function using the relay permission message identification code, message generation time, and valid period T1 as input parameters. The relay permission message generation unit 53 supplies the relay permission message MTX as described above to the transmission / reception unit 55. The transmission / reception unit 55 repeats the relay permission message MTX at a predetermined cycle T0 and broadcasts it wirelessly.

  Hereinafter, in the multi-hop network system shown in FIG. 1, a communication operation performed when the installer causes the participation request terminal SU to participate in the network NW1 will be described with reference to the communication flow of FIG.

  First, before going to the installation site of the participation request terminal SU, the installer inputs the network key of the network NW1 into the certification terminal CU owned by himself / herself in advance. As a result, the input network key is stored in the network key storage unit 52 of the certification terminal CU. At this time, when the update of the network key is confirmed on the way to the installation site of the participation request terminal SU, the installer re-enters this new network key into the certification terminal CU. During the movement, the certification terminal CU may be powered off. Here, FIG. 1 shows the positional relationship of each terminal when the installer arrives at the installation site of the participation request terminal SU and performs the installation work using the certification terminal CU in the vicinity thereof. The physical distance L1 between the certification terminal CU and the participation requesting terminal SU is extremely smaller than the physical distance L2 from the participation requesting terminal SU to the participating terminal EU1 located at the shortest distance. It is assumed that the distance L2 between the participation request terminal SU and the participating terminal EU1 is shorter than the radio wave arrival limit distance of the participation request terminal SU.

  In the state shown in FIG. 1, first, the installer turns on the power of each of the certification terminal CU and the participation request terminal SU. Then, the installer presses a relay permission button (not shown) provided on the certification terminal CU. In response to this, as shown in FIG. 7, the certification terminal CU repeats the relay permission message MTX as shown in FIG. 6 every predetermined period T0 (for example, 10 seconds) and broadcasts wirelessly (step S1). Here, the joined terminal that has received the relay permission message MTX, for example, the joined terminal EU1, decrypts the encryption applied to the message authentication code included in the relay permission message MTX, It is determined whether or not the included relay permission message identification code, message generation time, and validity period T1 are obtained. That is, the participating terminal EU1 determines whether or not the transmitted relay permission message MTX is legitimate (step S2). When it is determined in step S2 that the relay permission message MTX is legitimate, the participating terminal EU1 starts the valid period T1 (for example, 20) indicated by the relay permission message MTX from the time when the relay permission message MTX is received. (Second)), the relay permission mode is set (step S3). The joined terminal that can receive the relay permission message MTX is a joined terminal that exists within the radio wave arrival limit distance of the certification terminal CU (in the circumferential area surrounded by a broken line in FIG. 1). is there.

  Subsequently, the installer performs an operation to instruct a participation request at an operation unit (not shown) of the participation request terminal SU. In response to the participation request, the participation requesting terminal SU transmits a participation request message MRQ to the participating terminal located closest to each of the participating terminals on the network NW1, that is, the participating terminal EU1 (Step S1). S4). When the participation terminal EU1 receives the participation request message MRQ, the participation terminal EU1 belongs to the participation request message MRQC obtained by performing an encryption process based on the network key and a predetermined message authentication encoding process. Relay transmission is performed to the authentication management terminal AU1 of the network NW1 (step S5). However, if it is determined in step S2 that the relay permission message MTX is not legitimate, the participating terminal EU1 does not relay the participation request message MRQC to the authentication management terminal AU1. That is, the participating terminal EU1 discards the relay of the participation request message to the authentication management terminal AU1.

  Here, when the authentication management terminal AU1 receives the above-described participation request message MRQC, the same link key as the link key of the participation request terminal SU that is the transmission source of the MRQ corresponding to the participation request message MRQC is shown in FIG. It is determined whether or not it is stored in the link key storage unit 21. Here, the authentication management terminal AU1 confirms the mutual authentication when the same link key as the link key of the participation requesting terminal SU is stored in the link key storage unit 21, and does not authenticate the mutual authentication when it is not stored. An authentication result message MK indicating confirmation is transmitted to the participation requesting terminal SU side (step S6). When receiving the authentication result message MK, the participation request terminal SU outputs the authentication result indicated by the authentication result message MK in a form that can be confirmed by the installer. For example, when the authentication result message MK indicates mutual authentication confirmation, that is, when participation in the network NW1 is permitted, a blue LED (not shown) provided in the participation request terminal SU is turned on. On the other hand, when the authentication result message MK indicates mutual authentication indefiniteness, that is, when participation in the network NW1 is not permitted, a red LED (not shown) provided in the participation request terminal SU is turned on. The character string representing the authentication result may be displayed on a display unit (not shown) provided in the participation request terminal SU.

  After the above-described authentication confirmation work is completed, the installer moves with the certification terminal CU, and the distance between each participating terminal and the certification terminal CU is larger than the radio wave arrival limit distance of the certification terminal CU. Each of the participating terminals cannot receive the relay permission message MTX. Similarly, when the installer shuts off the power supply of the certification terminal QU after the completion of the authentication confirmation work, each of the participating terminals cannot receive the relay permission message MTX. Therefore, each of the participating terminals automatically transitions from the relay permission mode to the relay disapproval mode in which the relay of the participation request message MRQ is rejected. Further, after receiving the relay permission message MTX, the joined terminal automatically transitions to the relay non-permission mode state even after the validity period T1 indicated by this MTX has elapsed (step S7).

  As described above, in relaying the participation request message MRQ transmitted from the participation request terminal SU to the authentication management terminal AU1 via the network NW1, the network system shown in FIG. Broadcast wirelessly. At this time, among the plurality of joined terminals (EU1 to EU5) belonging to NW1, the joined terminal that has received this MTX, that is, the joined terminal located within the radio wave reach of the certification terminal CU (for example, Only EU1) is set to a state (relay permission mode) in which the participation request message MRQ can be relayed to the authentication management terminal AU1. That is, among the plurality of joined terminals belonging to the network, only the joined terminal that has detected the existence of the certification terminal is given the right to relay the join request message transmitted from the join request terminal to the authentication management terminal side. It was. As a result, during the non-operation period of the certification terminal CU (power off state), all the joined terminals are in a relay rejection state (relay non-permission mode) of the participation request message MRQ. Further, even during the operation period of the certification terminal CU, the joined terminals located outside the radio signal reachable range of the certification terminal CU are in a relay rejection state of the participation request message. Therefore, even if a person other than the legitimate installer performs a DOS attack in which a large number of participation request messages are simultaneously transmitted in a malicious manner, the joined terminal that has received the participation request message may be set in the relay permitted state. The nature is extremely low. Therefore, it is possible to protect the network from a DOS attack without using a public key management infrastructure. Furthermore, since only the joined terminal that has been able to detect the presence of the certification terminal CU, that is, the joined terminal node located within the radio wave reach of the certification terminal CU, is automatically shifted to the relay permission mode. Compared with the case where the installer himself performs a setting operation to be set to the relay permission mode on the node, the network management operation becomes easier.

  FIG. 8 is a diagram illustrating an example of a configuration of a multi-hop network system employing a network relay method according to another embodiment of the present invention.

  In the multi-hop network system shown in FIG. 8, the joined terminals GU1 to GU5 are adopted instead of the joined terminals EU1 to EU5 shown in FIG. 1, and the certification terminal QU is adopted instead of the certification terminal CU. Since the configuration is the same as that shown in FIG.

  Each of the participating terminals GU1 to GU5 is a terminal that has already participated in the network (for example, NW1), and each has a link key storage unit 91, a network key storage unit 92, and a mutual authentication unit 93, as shown in FIG. , A network key update unit 94, a participation request relay control unit 95, a time counter 96, a certification terminal search unit 97, and a transmission / reception unit 98 are included.

  In FIG. 9, the link key storage unit 91 stores in advance a link key for each device shared with each device (including a participating terminal and a participation requesting terminal) to be managed by the authentication management terminal. The network key storage unit 92 stores in advance a network key shared within one network. The mutual authentication unit 93 is a terminal that shares the link key and the network key by, for example, challenge and response authentication based on the link key read from the link key storage unit 91 and the network key stored in the network key storage unit 92. The authentication result is supplied to the transmission / reception unit 98. When the network key designation signal is supplied from the transmission / reception unit 98, the network key update unit 94 rewrites the network key stored in the network key storage unit 91 with the key designated by the network key designation signal.

  The participation request relay control unit 95 performs relay control when the participation request message received by the transmission / reception unit 98 is relayed to the authentication management terminal side. In other words, when the participation request message MRQ is supplied from the transmission / reception unit 98, the participation request relay control unit 95 encrypts the participation request message MRQ based on the network key stored in the network key storage unit 31. The participation request message MRQC is generated by performing the conversion processing and the predetermined message authentication encoding processing, and temporarily holds this. Thereafter, when the relay permission message MTX is supplied from the transmission unit 98, the time difference between the message generation time (shown in FIG. 6) indicated by the MTX and the current time measured by the time counting unit 96 is calculated. Only when it is within a predetermined value (synchronization error upper limit), the transmission / reception unit 98 is controlled to transmit the participation request message MRQC to the authentication management terminal side. At this time, the participation request relay control unit 95 may discard the participation request message MRQC if the relay permission message MTX is not supplied even after a predetermined period of time has elapsed after receiving the participation request message MRQ. good. The time counting unit 96 measures the time and supplies time information indicating the current time to the participation request relay control unit 95 and the certification terminal search unit 97.

  In response to the participation request message MRQ supplied from the transmission / reception unit 98, the certification terminal search unit 97 generates a certification terminal search message STX for searching for a certification terminal CU existing in the vicinity, and broadcasts it wirelessly. The transmitter / receiver 98 is controlled accordingly. The certification terminal search message STX includes a certification terminal search message identification code, current time information, and a message authentication code as shown in FIG. In this case, the certification terminal search message identification code is a code for allowing the terminal that has received this message to identify that this message is the certification terminal search message. The current time information is information indicating the current time indicated by the time information supplied from the time counting unit 96 when this message is generated. In addition, the message authentication code is generated by, for example, the calculation result of the above-mentioned certification terminal search message identification code and the keyed hash function using the current time information as input parameters.

  When the transmission / reception unit 98 receives the network key designation signal transmitted from the authentication management terminal, the transmission / reception unit 98 supplies the signal to the network key update unit 94. Further, when receiving the relay permission message MTX transmitted from the certification terminal CU, the transmission / reception unit 98 supplies this to the participation request relay control unit 95. In addition, when the transmission / reception unit 98 receives the participation request message MRQ transmitted from the external participation request terminal SU, the transmission / reception unit 98 supplies the participation request message MRQ to the participation request relay control unit 95 and the certification terminal search unit 97. Further, when the participation request message MRQC is supplied from the participation request relay control unit 95, the transmission / reception unit 98 transmits this to the authentication management terminal side. Further, when the certification terminal search message STX is supplied from the certification terminal search unit 97, the transmission / reception unit 98 broadcasts it wirelessly.

  The certification terminal QU is a terminal used when the installer causes the participation requesting terminal SU to participate in the multi-hop network. As shown in FIG. 11, a network key acquisition unit 101, a network key storage unit 102, and a time counting unit 103 are used. A relay permission message generation unit 104, a search response unit 105, and a transmission / reception unit 106.

  In FIG. 11, a network key acquisition unit 101 receives an input of a network key by an operator, that is, an input of a network key of a network (NW1, NW2, or NW3) desired to participate, and supplies this to the network key storage unit 102. . The network key storage unit 102 stores the network key. The time counting unit 103 measures time and supplies time information indicating the current time to the relay permission message generation unit 104 and the search response unit 105.

  In response to the relay permission message generation command supplied from the search response unit 105, the relay permission message generation unit 104 receives the relay permission message identification code, message generation time, validity period T1, and message authentication code as shown in FIG. Each relay permission message MTX is generated. The relay permission message identification code is a code for allowing the terminal that has received this message to identify that this message is a message indicating relay permission. The message generation time is the current time indicated by the time information supplied from the time counting unit 103 when this message is generated. The valid period T1 designates a valid period from the message generation time when the participation request message MRQ is relayed. The message authentication code is encrypted by a keyed hash function using the relay permission message identification code, message generation time, and valid period T1 as input parameters. The relay permission message generation unit 104 supplies the relay permission message MTX as described above to the transmission / reception unit 106.

  When the verification terminal search message STX is supplied from the transmission / reception unit 55, the search response unit 105 first determines whether the message authentication code shown in FIG. 10 included in the verification terminal search message STX is appropriate. Determine. Furthermore, the search response unit 105 determines that the time difference between the current time indicated by the certification terminal search message STX as shown in FIG. 10 and the current time measured by the time counting unit 103 is an upper limit value that is allowed as a synchronization error. It is determined whether it is within the range. Here, when it is determined that the message authentication code is proper and the time difference is within the upper limit allowed as a synchronization error, the relay permission message generation command is sent to the relay permission message generation unit 104 described above. Supply.

  When receiving the certification terminal search message STX transmitted from the joined terminal, the transmission / reception unit 106 supplies this to the search response unit 105. In addition, when the relay permission message MTX is supplied from the relay permission message generation unit 104, the transmission / reception unit 106 repeats this at a predetermined period T0 and broadcasts it wirelessly.

  Hereinafter, in the multi-hop network system shown in FIG. 8, a communication operation performed when the installer causes the participation request terminal SU to participate in the network NW1 will be described with reference to the communication flow of FIG.

  First, before going to the installation site of the participation request terminal SU, the installer inputs the network key of the network NW1 in advance to the certification terminal QU owned by the installer. As a result, the input network key is stored in the network key storage unit 102 of the certification terminal QU. At this time, when the update of the network key is confirmed on the way to the installation site of the participation requesting terminal SU, the installer re-enters this new network key into the certification terminal QU. During the movement, the power supply of the certification terminal QU may be cut off. Here, FIG. 8 shows the positional relationship of each terminal when the installer arrives at the installation site of the participation request terminal SU and performs the installation work using the certification terminal QU in the vicinity thereof.

  In the state shown in FIG. 8, first, the installer turns on the power of each of the certification terminal QU and the participation request terminal SU. Subsequently, the installer performs an operation to instruct a participation request at an operation unit (not shown) of the participation request terminal SU. In response to the participation request, as shown in FIG. 12, the participation requesting terminal SU requests the participation terminal GU1, which is the nearest terminal among the participating terminals on the network NW1, that is, the participating terminal GU1. Message MRQ is transmitted (step S11). At this time, when receiving the participation request message MRQ, the participating terminal GU1 broadcasts a certification terminal search message STX as shown in FIG. 10 by radio (step S12). Further, during this time, the participating terminal GU1 generates a participation request message MRQC obtained by performing an encryption process based on the network key and a predetermined message authentication encoding process on the participation request message MRQ, and holds this. Keep it.

  The certification terminal QU that has received the certification terminal search message STX broadcast as described above has a time difference between the current time indicated by the STX and the current time measured by the time counting unit 103 as a predetermined value (a synchronization error). It is determined whether it is within the upper limit). Here, when the time difference is within the predetermined value, the certification terminal QU broadcasts the relay permission message MTX as shown in FIG. 6 by radio (step S13). Here, the participating terminal that has received the relay permission message MTX, that is, the participating terminal GU1 existing within the radio wave arrival limit distance of the certification terminal QU (in the circumferential area surrounded by the broken line in FIG. 8), for example, Then, by decrypting the encryption applied to the message authentication code included in the MTX, it is determined whether or not the relay permission message identification code, the message generation time, and the valid period T1 included in the MTX are obtained. Further, whether or not the time difference between the message generation time (shown in FIG. 6) indicated by the relay permission message MTX and the current time measured by the time counting unit 96 is within a predetermined value (upper limit value of synchronization error). Determine whether. At this time, as a result of decrypting the encryption applied to the message authentication code, the relay permission message identification code, the message generation time and the valid period T1 are obtained, and the message generation time and the current time counted by the time counting unit 96 are obtained. When the time difference from the time is within a predetermined value, it is determined that the relay permission message MTX that has been transmitted is authentic. That is, according to the above determination, the participating terminal GU1 determines whether or not the relay permission message MTX that has been transmitted is authentic (step S14). If it is determined in step S14 that the relay permission message MTX is legitimate, the joined terminal GU1 transmits the join request message MRQC to the authentication management terminal AU1 of the network NW1 to which the joined terminal GU1 belongs ( Step S15). However, if it is determined in step S14 that the relay permission message MTX is not legitimate, the participating terminal GU1 does not relay the participation request message MRQC to the authentication management terminal AU1. That is, the participating terminal GU1 discards the relay of the participation request message to the authentication management terminal AU1.

  When receiving the participation request message MRQC, the authentication management terminal AU1 receives the link key storage unit shown in FIG. 2 that has the same link key as the link key of the participation request terminal SU that is the transmission source of the MRQ corresponding to the participation request message MRQC. It is determined whether or not it is stored in 21. Here, when the same link key as the link key of the participation request terminal SU is stored in the link key storage unit 21, the authentication management terminal AU1 sends an authentication result message MK indicating the mutual authentication confirmation to the participation request terminal. While transmitting to the SU side, if not stored, an authentication result message MK indicating mutual authentication indefinite is transmitted to the participation requesting terminal SU side (step S16). When receiving the authentication result message MK, the participation request terminal SU outputs the authentication result indicated by the authentication result message MK in a form that can be confirmed by the installer. For example, when the authentication result message MK indicates mutual authentication confirmation, that is, when participation in the network NW1 is permitted, a blue LED (not shown) provided in the participation request terminal SU is turned on. On the other hand, when the authentication result message MK indicates mutual authentication indefiniteness, that is, when participation in the network NW1 is not permitted, a red LED (not shown) provided in the participation request terminal SU is turned on. The character string representing the authentication result may be displayed on a display unit (not shown) provided in the participation request terminal SU.

  After the above-described authentication confirmation work is completed, the installer moves with the certification terminal QU, and the distance between each participating terminal and the certification terminal QU is larger than the radio wave arrival limit distance of the certification terminal QU. Each of the participating terminals cannot receive the relay permission message MTX. Similarly, when the installer shuts off the power supply of the certification terminal QU after the completion of the authentication confirmation work, each of the participating terminals cannot receive the relay permission message MTX. That is, each participating terminal automatically enters a state in which the participation request message MRQ cannot be relayed. Further, after receiving the relay permission message MTX, the joined terminal automatically becomes incapable of relaying the participation request message MRQ even after the validity period T1 indicated by the MTX has elapsed.

  As described above, in the network system shown in FIG. 8, the participation request message transmitted from the participation request terminal only to the participating terminal that has detected the existence of the certification terminal CU among the plurality of participating terminals (GU1 to GU5). In giving the right to relay the MRQ to the authentication management terminal (AU1) side, the presence of the certification terminal QU is detected by the following method. That is, the joined terminal that has received the authentication request message MRQ broadcasts the certification terminal search message STX wirelessly, thereby triggering a trigger to broadcast the relay permission message MTX to the certification terminal QU existing in the vicinity. It was. At this time, only the joined terminals that have been able to receive the relay permission message MTX broadcast (wired) from the certification terminal QU in response to the trigger, that is, the joined terminals that are located within the radio wave reachable range of the certification terminal QU. The presence of the certification terminal QU is detected. Therefore, according to such a network system, the certification terminal QU does not need to repeatedly transmit the relay permission message MTX, and therefore, as compared with a system that needs to repeatedly transmit the relay permission message MTX as in the first embodiment, It becomes possible to reduce the power consumption spent at the time of transmission. In the system shown in FIG. 8, the certification terminal QU automatically transmits a relay permission message MTX in response to the certification terminal search message STX. Therefore, the operation becomes easier as compared with the certification terminal CU of the first embodiment, which requires an operation by the installer when the transmission of the relay permission message MTX is started. Furthermore, since a dedicated operation unit for starting transmission of the relay permission message MTX is not required, the manufacturing cost of the certification terminal QU can be reduced.

  In the above embodiment, the operation when the participation request message for prompting the participation request to the network is relayed to the authentication management terminal side by the terminal already participating in the network has been described. However, the present invention is not limited to this configuration.

  In short, the present invention relays the information piece (participation request message) transmitted from the first communication terminal (participation request terminal) to the second communication terminal (authentication management terminal) via the network. Only the third communication terminal that detects the presence of the fourth communication terminal (certification terminal) in each communication terminal (participated terminal) is set in a state in which the information piece can be relayed to the second communication terminal side. is there. With such a configuration, while protecting the network from a DOS attack, the information piece emitted from the first communication terminal is relayed to the second communication terminal via the third communication terminal belonging to the network without requiring cumbersome management. It made it possible.

33, 95 Participation request relay control unit 41 Participation request message generation unit 54, 104 Relay permission message generation unit 97 Proof terminal search unit 105 Search response unit AU1-AU3 Authentication management terminal
CU, QUA certification terminals EU1 to EU5, GU1 to GU5 Participated terminals NW1 to NW3 Network SU Participation request terminal

Claims (12)

A network relay method for relaying an information piece transmitted from a first communication terminal to a second communication terminal via a network,
A first step in which the first communication terminal transmits the piece of information to a third communication terminal belonging to the network;
A second step of relaying the piece of information received by the third communication terminal to the second communication terminal only when the third communication terminal detects the presence of a predetermined fourth communication terminal. A characteristic network relay method.   The second step includes a determination step of determining that the fourth communication terminal exists when the third communication terminal receives a predetermined first message wirelessly transmitted from the fourth communication terminal. The network relay method according to claim 1.   The determination step determines that the fourth communication terminal is present when the third communication terminal receives the first message repeatedly broadcast from the fourth communication terminal by radio. 3. The network relay method according to 2.   In the determining step, the third communication terminal broadcasts a predetermined second message wirelessly, and the fourth communication terminal broadcasts the first message wirelessly only when the second message is received. 3. The network relay method according to claim 2, comprising: a step; and a step of determining that the fourth communication terminal exists when the third communication terminal receives the first message. The first message includes an authentication code subjected to a predetermined cryptographic process,
The second step determines whether or not the first message is authentic based on a result of decrypting the encryption of the authentication code included in the first message received by the third communication terminal; The network relay method according to any one of claims 2 to 4, wherein the information piece is relayed to the second communication terminal only when it is determined to be legitimate.   In the second step, after the third communication terminal receives the first message, the third communication terminal is set in a state in which the information piece can be relayed to the second communication terminal for a predetermined period. The network relay method according to claim 2, wherein the network relay method is performed. A network system having a first communication terminal that is a transmission source of a predetermined piece of information, a second communication terminal that is a transmission destination of the information piece, and a network to which a plurality of third communication terminals are connected. ,
Only the third communication terminal that has detected the presence of a predetermined fourth communication terminal in each of the third communication terminals relays the information piece transmitted from the first communication terminal to the second communication terminal. Network system. The fourth communication terminal broadcasts a predetermined first message wirelessly;
8. The network system according to claim 7, wherein only the third communication terminal that has received the first message in each of the third communication terminals relays the information piece to the second communication terminal.   9. The network system according to claim 8, wherein the fourth communication terminal broadcasts the first message repeatedly and wirelessly at a predetermined period. The first communication terminal transmits the information piece to one third communication terminal of each of the third communication terminals,
The first third communication terminal wirelessly broadcasts a second message to be searched for the fourth communication terminal in response to reception of the information piece,
9. The network system according to claim 8, wherein the fourth communication terminal transmits the first message to the first third communication terminal only when the second message is received. The first message includes an authentication code subjected to a predetermined cryptographic process,
The third communication terminal determines whether or not the first message is authentic based on a result of decrypting the encryption of the authentication code included in the received first message, and is authentic The network system according to any one of claims 8 to 10, wherein the information piece is relayed to the second communication terminal only when it is determined.   The said 3rd communication terminal will be in the state which can relay the said information piece to the said 2nd communication terminal only for a predetermined period after reception of the said 1st message. The network system according to any one of the above.

Images