JP2019176449A - Communication system and communication method - Google Patents

Abstract

To provide a communication system capable of encrypting communication by a common key encryption system taking the leak of an encryption key into consideration.SOLUTION: A radio terminal 2 reads a temporary AppKey defined in its own program at the time of activation and sets it to itself (S51). It transmits a JoinRequest including a generated random number to a server (S52) and receives a JoinAccept from the server (S53). It then generates a formal AppKey from the JoinRequest, JoinAccept, and temporary AppKey (S55). It reactivates in the state of holding the formal AppKey (S56), transmits a new JoinRequest including a further generated random number to the server (S57), and receives a new JoinAccept from the server (S58). It generates an AppSkey from the new JoinRequest, new JoinAccept, and AppKey (S510) and sets it as a common key for encrypting and decrypting user data.SELECTED DRAWING: Figure 5

Description

    The present invention relates to a communication system and a communication method.

  There is a wireless communication system in which a plurality of wireless terminals are connected to a server, and the wireless terminals transmit information to the server. As means for realizing such a wireless communication system, there is a wireless communication technique that enables long-distance communication with low power consumption. This is generally called LPWA (Low Power Wide Area). A wireless terminal in LPWA uses a sub-giga band of 1 GHz or less such as 920 MHz or a wireless band of several GHz, and performs communication with a propagation distance of several tens to several tens of kilometers with power consumption of several tens of mA. A wireless terminal compatible with LPWA can operate for a long period of time even if it is battery-powered because it requires less power for communication. Even when a large number of wireless terminals are arranged in a wide range, long-distance communication is possible, so that no relay station is required or a small number is required. Thereby, when constructing a wireless communication system for the purpose of collecting sensor information over a wide area and a large number, for example, the economic cost of the wireless communication system can be suppressed by adopting LPWA.

  In a wireless communication system, it is required to provide security for communication so that communication from a wireless terminal to a server is not eavesdropped or tampered with. As a security technique, there is, for example, Patent Document 1. Patent Document 1 describes an information processing system in which a client terminal connects to a server. In the information processing system, the client terminal holds a public key, and the server holds a public key and a secret key to encrypt communication. A public key cryptosystem is used. Further, in Patent Document 1, the server updates the public key and the private key, and the client terminal generates and transmits information necessary for the server to update the secret key and the public key. Will be described.

  Patent Document 1 Japanese Patent Application Laid-Open No. 2015-106842

  The public key cryptosystem described in Patent Document 1 has complicated encryption and decryption processes, and thus requires large power consumption and sophisticated hardware in both the server and the wireless terminal. Therefore, when the public key cryptosystem is adopted in the wireless communication system, the power consumption of the wireless terminal is increased, and the hardware of the wireless terminal is advanced so that the economic cost is increased. Here, in the wireless communication system employing the LPWA, as described above, the wireless terminal is required to operate with low power consumption, and the wireless terminal is required to have low economic cost. Therefore, it is difficult to adopt the public key cryptosystem in the LPWA wireless communication system. For example, there is LoRaWAN (LoRa is a registered trademark) as one of the technical specifications of LPWA, but also in LoRaWAN, communication encryption between a wireless terminal and a server has lower power consumption than public key cryptography. A common key cryptosystem that can be realized with simple hardware is adopted.

  Here, when the common key cryptosystem is adopted in the wireless communication system, it is necessary to hold the encryption key used for encryption in the wireless terminal when the wireless terminal is installed. However, since a large number of wireless terminals are assumed to be installed in a wide range as described above, if the wireless terminal holds the encryption key, the encryption key may be leaked to a third party. When an encryption key for encrypting communication between the wireless terminal and the server is leaked to a third party, the communication from the wireless terminal to the server is decrypted by the third party.

  Accordingly, a communication system and communication capable of performing communication encryption by a common key encryption method considering leakage of the encryption key in order not to impair the low power consumption and low economic cost of the wireless terminal which are advantages of the LPWA wireless communication system There is a need for a method.

  The present invention has been made in view of such circumstances, and proposes a communication system and a communication method capable of performing communication encryption by a common key encryption method considering leakage of an encryption key.

  A first aspect of the present invention is a communication system in which a communication terminal and a server perform cryptographic communication using a common key, and the communication terminal includes first communication means for communicating with the server, first information First requesting means for storing, request information generating means for generating first request information transmitted to the server, and second request information transmitted to the server, via the first communication means First connection processing means for transmitting the first request information to the server and receiving first response information for the first request information from the server via the first communication means; First request means for generating second information using the first request information, the first response information, and the first information, and the first communication means to the server via the first communication means. A second response to the second request information. Second connection processing means for receiving information from the server via the first communication means, the second request information, the second response information, and the second information. Second generation means for generating one common key; first encryption means connected to the first communication means for encrypting transmission data to the server using the first common key; A first decryption unit connected to the first communication unit and decrypting the received data from the server using the first common key, wherein the server communicates with the communication terminal. Communication means, second storage means for storing third information having the same value as the first information, the first response information transmitted to the communication terminal, and the transmission to the communication terminal Response information generating means for generating second response information, via the second communication means Third connection processing means for receiving the first request information from the communication terminal and transmitting the first response information to the communication terminal via the second communication means; the first request information; A third generation unit that generates the fourth information having the same value as the second information by using the first response information and the third information, and the second communication unit. Fourth connection processing means for receiving the second request information from the communication terminal and transmitting the second response information to the communication terminal via the second communication means, the second request information And a second generation means for generating a second common key having the same value as the first common key using the second response information and the fourth information, and the second information A second cipher that is connected to the communication means and encrypts transmission data to the communication terminal using the second common key And a second decryption unit that is connected to the second communication unit and decrypts the received data from the communication terminal using the second common key.

  The second aspect of the present invention includes a communication terminal including a first storage unit that holds the first information, and a second storage unit that holds the third information having the same value as the first information. A communication method for performing cryptographic communication with a server using a common key, wherein the communication terminal transmits first request information to the server, and the server receives the first request information. A second step of transmitting first response information to the communication terminal, wherein the communication terminal uses the first request information, the first response information, and the first information to A third step of generating information, wherein the server uses the first request information, the first response information, and the third information, and the fourth value is the same value as the second information In response to the execution of the fourth step and the third step of generating A fifth step in which the terminal transmits second request information to the server; a sixth step in which the server receives the second request information and transmits second response information to the communication terminal; A seventh step in which the communication terminal generates a first common key using the second request information, the second response information, and the second information; and the server requests the second request. An eighth step of generating a second common key having the same value as the first common key using the information, the second response information, and the fourth information; Encryption of transmission data to the server and decryption of reception data from the server are performed using the first common key, and the server transmits the transmission data to the communication terminal using the second common key. A ninth unit that performs encryption and decryption of data received from the communication terminal. Characterized in that it comprises a-up.

  ADVANTAGE OF THE INVENTION According to this invention, the communication system and communication method which can encrypt the communication by the common key encryption system in consideration of leakage of the encryption key are provided.

1 is a configuration diagram illustrating an overall configuration of a wireless communication system 1A according to a first embodiment. 2 is a block diagram showing an internal configuration of a wireless terminal 2. FIG. 3 is a block diagram showing an internal configuration of a network server 4. FIG. It is a figure which shows the basic mechanism of the encryption key generation in LoRaWAN. FIG. 6 is a sequence diagram showing a flow of data transmission / reception between the wireless terminal 2 and the network server 4. It is a figure which shows the transition of each information and encryption key in the radio | wireless terminal 2 and the network server 4. FIG. 4 is a flowchart showing the operation of the wireless terminal 2. 3 is a flowchart showing the operation of the network server 4. It is a block diagram which shows the whole structure of the radio | wireless communications system 1B in 2nd Embodiment. It is a sequence diagram which shows the flow of data transmission / reception in the wireless terminal 2-1, the wireless terminal 2-2, and the network server 4. It is a figure which shows the transition of each information in the radio | wireless terminal 2-1, the radio | wireless terminal 2-2, and the network server 4. FIG.

(1) First Embodiment A first embodiment of the present invention will be described with reference to FIGS. In the first embodiment, an example will be described in which a part of a method defined in LPRa technical specifications LoRaWAN (LoRa Wide Area Network: LoRa is a registered trademark) is used.

(A) Hardware (A-1) Overall Configuration of Radio Communication System FIG. 1 is a configuration diagram showing an overall configuration of a radio communication system 1A according to the first embodiment. In FIG. 1, a wireless communication system 1A includes a wireless terminal 2, a base station 3, a network server 4, and a host device 5. The number of wireless terminals 2 may be arbitrary n (n is an integer equal to or greater than 1), but in the first embodiment, an embodiment in which there is one wireless terminal 2 (n = 1) will be described. A mode in which there are two or more wireless terminals 2 will be described in the second embodiment.

  The wireless terminal 2 is installed indoors or outdoors, and detects information collected from various sensors mounted on or connected to the wireless terminal 2 and information collected from electrical devices connected to the wireless terminal 2 upstream of the wireless communication system 1A. This is transmitted to (the upper device 5 side). The radio terminal 4 is connected to the base station 3 by radio. In the first embodiment, it is assumed that the wireless terminal 2 is connected to the base station 3 using a modulation scheme defined in LoRaWAN. The wireless terminal 2 participates in the wireless communication system 1A by executing the operation of the present invention described later.

  The base station 3 relays various information received wirelessly from the wireless terminal 2 to the network server 4. The base station 3 is connected to the wireless terminal 2 by a modulation method defined in LoRaWAN. The base station 3 is connected to the network server 4. The base station 3 and the network server 4 are connected by a cable according to, for example, an existing Ethernet standard (Ethernet is a registered trademark). When connecting by wire, the standard and method used for connection are not limited. Further, the base station 3 and the network server 4 may be connected wirelessly, and the standard and method used for the connection are not limited when connecting wirelessly. The base station 3 is not limited to a specific device as long as it has the capability of wireless and wired conversion and information relay between the wireless terminal 2 and the network server 4. For example, the base station 3 can be used for the purpose of the base station 3. It may be realized by using. In the following description, the internal configuration of the base station 3 is not shown, and the description is omitted.

  The network server 4 relays various information from the wireless terminal 2 received from the base station 3 by wire to the host device 5. Further, the network server 4 controls the participation of the wireless terminal 2 in the wireless communication system 1A by executing the operation of the present invention described later. The connection between the network server 4 and the host device 5 is connected with, for example, a cable according to the existing Ethernet standard, and the standard and method used for the connection are not limited. The network server 4 and the host device 5 may be connected wirelessly, and the standard and method used for the connection are not limited when connecting wirelessly.

  The host device 5 executes various processes based on various information from the wireless terminal 2 received from the network server 4 by wire. The host device 5 is, for example, an application server. For example, the application server accumulates and processes detection information of various sensors transmitted from the wireless terminal 2, and provides a monitoring service to the user of the wireless communication system 1A. As another example, the application server accumulates and processes information collected from the electrical equipment transmitted from the wireless terminal 2 and provides energy management and remote meter reading service to the user of the wireless communication system 1A.

  In FIG. 1, a solid line connecting the devices indicates a wired connection, and a dotted line connecting the devices indicates a wireless connection. As described above, the wireless terminal 2 and the base station 3 are connected wirelessly, and the network server 4 and the base station 3, and the host device 5 and the network server 4 are connected by wire. Here, as described above, the network server 4 and the base station 3, and the higher-level device 5 and the network server 4 are not limited to wired connections but may be connected wirelessly.

(A-2) Configuration of Wireless Terminal 2 and Network Server 4 (A-2-1) Wireless Terminal 2
FIG. 2 is a block diagram showing an internal configuration of the wireless terminal 2. In FIG. 2, the wireless terminal 2 includes a control unit 21, a storage unit 22, a transmission unit 23, a reception unit 24, an encryption unit 25, a decryption unit 26, an external interface 27, and an antenna 28.

  The control unit 21 controls the operation of the wireless terminal 2 and is realized by a CPU (Central Processing Unit) or the like. The control unit 21 further includes a connection processing unit 211, a temporary holding unit 212, a random number generation unit 213, and an encryption key generation unit 214. In FIG. 2, the encryption unit 25 and the decryption unit 26 are provided outside the control unit 21 for the following description, but the control unit 21 may include the encryption unit 25 and the decryption unit 26. In FIG. 2, the control unit 21 is connected to a storage unit 22, an encryption unit 25, a decryption unit 26, and an external interface 27.

  The connection processing unit 211 executes connection processing between the wireless terminal 2 and the network server 4. The temporary holding unit 212 temporarily holds information used for connection processing by the connection processing unit 211, and is realized by, for example, a small-capacity cache memory in the CPU. The random number generator 213 generates a random number used for connection processing by the connection processing unit 211. The encryption key generation unit 214 receives the connection processing by the connection processing unit 211 and generates an encryption key that is common to the network server 4. The connection processing unit 211, temporary holding unit 212, random number generation unit 213, and encryption key generation unit 214 perform connection processing with the network server 4, and encryption that is common to the network server 4 in the wireless terminal 2. A key is generated. Details of the operation of the control unit 21 will be described later.

  The storage unit 22 is a main storage device that stores an operation program for operating the wireless terminal 2, and a primary storage device in the operation of the wireless terminal 2. The storage unit 22 is realized by a nonvolatile memory such as an EEPROM (Electrically Erasable and Programmable Read Only Memory) and a flash memory as a main storage device, and is realized by a memory such as a RAM (Random Access Memory) as a primary storage device. In the operation program stored in the storage unit 22, a temporary AppKey described later is defined in advance. This will be described later together with details of the operation of the wireless terminal 2.

  The transmission unit 23 performs transmission processing for various types of information transmitted from the wireless terminal 2 to the base station 3 for wireless communication. The transmission process of the transmission unit 23 includes a modulation process of various types of information according to the LoRa modulation method defined in LoRaWAN. In FIG. 2, the transmission unit 23 is connected to the encryption unit 25 and the antenna 23.

  The receiving unit 24 receives and processes various information from the base station 3 so that the wireless terminal 2 can process it. The reception process of the reception unit 24 includes a demodulation process of various information according to the LoRa modulation method defined in LoRaWAN. In FIG. 2, the receiving unit 24 is connected to the decoding unit 26 and the antenna 23.

  The encryption unit 25 encrypts various types of information transmitted from the wireless terminal 2 to the base station 3 prior to the transmission process of the transmission unit 23. The encryption unit 25 encrypts various information using an encryption key generated by the encryption key generation unit 214 and shared with the network server 4. The encryption method used in the encryption unit 25 is not limited.

  The decryption unit 26 decrypts various information received from the base station 3 received and processed by the reception unit 24. The decryption unit 26 decrypts various types of information using an encryption key common to the network server 4 generated by the encryption key generation unit 214, in other words, the same encryption key used by the encryption unit 25. Note that the encryption method used in the decryption unit 26 is the same as that of the encryption unit 25.

  The external interface 27 is an interface that connects the wireless terminal 2 and an external device. Here, the external device is, for example, various sensors, electric devices, or the like. The external interface may conform to an existing standard, for example, an adapter conforming to the USB (Universal Serial Bus) standard or the Ethernet standard.

  The antenna 28 is connected to the transmission unit 23 and the reception unit 24, and transmits / receives radio waves to / from the base station 3.

  In correspondence with the claims, the wireless terminal 2 corresponds to a communication terminal. Correspondence between each functional unit in the wireless terminal 2 and the claims is as follows. The connection processing unit 211 corresponds to a first connection processing unit and a second connection processing unit. The encryption key generation unit 214 corresponds to the first generation unit and the second generation unit. The random number generator 213 corresponds to a first random number generator. The storage unit 22 corresponds to a first storage unit. The transmission unit 23 and the reception unit 24 correspond to a first communication unit. The encryption unit 25 corresponds to the first encryption unit. The decoding unit 26 corresponds to the first decoding unit.

(A-2-2) Configuration of Network Server 4 FIG. 3 is a block diagram showing the internal configuration of the network server 4. 3, the network server 4 includes a control unit 41, a storage unit 42, a transmission unit 43, a reception unit 44, an encryption unit 45, a decryption unit 46, an external interface 47, and an interface 48.

  The control unit 41 controls the operation of the network server 4 and is realized by a CPU or the like. The control unit 41 further includes a connection processing unit 411, a temporary storage unit 412, a random number generation unit 413, and an encryption key generation unit 414. In FIG. 3, the encryption unit 45 and the decryption unit 46 are provided outside the control unit 41 for the following explanation, but the control unit 41 may include the encryption unit 45 and the decryption unit 46. In FIG. 3, the control unit 41 is connected to a storage unit 42, an encryption unit 45, a decryption unit 46, and an external interface 47.

  The connection processing unit 411 executes connection processing performed with the wireless terminal 2 in order to cause the wireless terminal 2 to participate in the wireless communication system 1A. The temporary holding unit 412 temporarily holds information used for connection processing by the connection processing unit 411, and is realized by, for example, a small-capacity cache memory in the CPU. The random number generation unit 413 generates a random number used for connection processing by the connection processing unit 411. The encryption key generation unit 414 receives the connection processing by the connection processing unit 411 and generates an encryption key that is common to the wireless terminal 2. The connection processing unit 411, temporary holding unit 412, random number generation unit 413, and encryption key generation unit 414 perform connection processing with the wireless terminal 2, and the network server 4 has a common encryption with the wireless terminal 2. A key is generated. Details of the operation of the control unit 41 will be described later.

  The storage unit 42 is a main storage device that stores an operation program for operating the network server 4 and a primary storage device in the operation of the network server 4. The storage unit 42 is realized by a hard disc drive (HDD) or a solid state drive (SSD) as a main storage device, and is realized by a memory such as a RAM as a primary storage device. In the operation program stored in the storage unit 42, a temporary AppKey described later is defined in advance. This will be described later together with details of the operation of the control unit 41.

  The transmitting unit 43 transmits various information from the network server 4 to the base station 3. The transmission process of the transmission unit 23 is, for example, information packetization. In FIG. 3, the transmission unit 43 is connected to the encryption unit 45 and the interface 48.

  The receiving unit 44 receives and processes various information from the base station 3 so that the network server 4 can process it. The reception process of the reception unit 44 is, for example, information extraction from a packet. In FIG. 3, the receiving unit 44 is connected to the decoding unit 46 and the interface 48.

  The encryption unit 45 encrypts various types of information transmitted from the network server 4 to the base station 3 prior to the transmission process of the transmission unit 43. The encryption unit 45 encrypts various types of information using an encryption key that is generated by the encryption key generation unit 414 and is common to the wireless terminal 2. The encryption method used in the encryption unit 45 is not limited.

  The decrypting unit 46 decrypts and decrypts various information from the base station 3 received by the receiving unit 44. The decrypting unit 46 decrypts various types of information using an encryption key common to the wireless terminal 2 generated by the encryption key generating unit 414, in other words, the same encryption key used by the encrypting unit 45. Note that the encryption method used in the decryption unit 46 is the same as that of the encryption unit 45.

  The external interface 47 is an interface that connects the network server 4 and the host device 5. Here, the host device 5 is, for example, an application server as described above. The external interface 47 may be appropriately selected in accordance with the mode of the host device 5. If the host device 5 is an application server as described above, the external interface 47 may be an adapter that complies with the Ethernet standard, for example.

  The interface 48 is an adapter that is connected to the transmission unit 43 and the reception unit 44 and connects the network server 4 and the base station 3 according to, for example, the Ethernet standard.

In correspondence with the claims, the network server 4 corresponds to the server. Correspondence between each functional unit in the network server 4 and the claims is as follows. The connection processing unit 411 corresponds to a third connection processing unit and a fourth connection processing unit. The encryption key generation unit 414 corresponds to a third generation unit and a fourth generation unit. The random number generator 413 corresponds to a second random number generator. The storage unit 42 corresponds to a second storage unit. The transmission unit 43 and the reception unit 44 correspond to a second communication unit. The encryption unit 45 corresponds to the second encryption unit. The decoding unit 46 corresponds to the second decoding unit.

The correspondence between each functional unit in the network server 4 and the second aspect of the present invention is as follows. The connection processing unit 411 and the encryption key generation unit 414 correspond to the first processing unit and the second processing unit. The temporary holding unit 412 corresponds to a storage unit. The transmission unit 43 corresponds to the transmission unit. The receiving unit 44 corresponds to the receiving unit. The encryption unit 45 corresponds to the encryption unit. The decoding unit 46 corresponds to the decoding unit.

(B) Operation With reference to FIG. 4, a method defined in the LoRaWAN used in the operation of the first embodiment will be described. The flow of information exchange and encryption key generation between the wireless terminal 2 and the network server 4 will be described with reference to FIGS. Details of operations of the wireless terminal 2 and the network server 4 will be described with reference to FIGS. 7 and 8.

(B-1) Mechanism of key generation in LoRaWAN FIG. 4 is a diagram showing a basic mechanism of encryption key generation in LoRaWAN. In the first embodiment, a mechanism in which an AppSkey (Application session key), which is a common encryption key between the end device and the network server, is generated among the mechanisms shown in FIG. In the first embodiment, the wireless terminal 2 corresponds to an end device, and the network server 4 corresponds to a network server. In FIG. 4, information surrounded by a dotted line among information in each of the end device and the network server is information not related to the present embodiment, and the description thereof is omitted. In addition, NwkSKey (Network session key) surrounded by a two-dot chain line in each of the end device and the network server is not involved in the present embodiment, and thus the description thereof is omitted.

  AppKey (Application key) 90, which is common information between the end device and the network server, is preset. AppKey is set by an operator who operates the end device and the network server, and AppKey is information that serves as a base (seed, route) for generating AppKey. On the other hand, AppSKey is generated based on AppKey in each of the end device and the network server, and is used for encryption and decryption of user data communicated between the end device and the network server. AppSKey is valid until the connection between the end device and the network server is cancelled. When the connection between the end device and the network server is canceled, a new connection is established when the connection between the end device and the network server is reestablished. AppSKey is generated.

  When the end device joins the network, it transmits a JoinRequest to the network server. This JoinRequest includes at least a DevEUI (End-device identifier) 94 that is an identifier (address) unique to the end device and a DevNonce 92 that is a random number generated by the end device.

  When the network server receives the JoinRequest from the end device, the network server extracts the DevEUI 94 and DevNonce 92 included in the JoinRequest. Then, the end device is identified based on the DevEUI 94, and the NetID (Network identifier) 96 corresponding to the end device that is the transmission source of the JoinRequest is specified. NetID is an identifier (address) assigned when an end device joins a network. Further, the network server generates a random number and sets it as AppNonce98. The network server transmits JoinAccept including at least NetID 96 and AppNonce 98 to the end device.

  When the end device receives JoinAccept from the network server, the end device extracts NetID 96 and AppNonce98 included in JoinAccept. Then, the end device gives AppKey 90 common to the network server, DevNonce 92 transmitted to the network server, NetID 96 and AppNonce 98 received from the network server to the computer, and generates AppSkey 910. The computer generates AppSKey using an arithmetic expression common to the network server.

  On the other hand, when the network server transmits JoinAccept, AppNetwork is generated in the same manner as the end device. That is, the network server gives AppKey 90 common to the end device, DevNonce 92 received from the end device, NetID 96 and AppNonce 98 transmitted to the end device to the computer, and generates AppSkey 910.

  When the end device and the network server each generate AppSKey, the end device enters a state of joining the network. Thereafter, the end device and the network server perform communication by encrypting and decrypting user data to be transmitted and received using AppKey.

  As described above, in LoRaWAN, an end device and a network server acquire DevNance, NetID, and AppNonce by transmitting and receiving JoinRequest and JoinAccept, and generate AppSky. In the first embodiment, this mechanism is used. However, the handling of AppKey is different in the first embodiment.

(B-2) Information exchange between wireless terminal and network server and encryption key generation Next, referring to FIG. 5 and FIG. 6, information exchange between wireless terminal 2 and network server 4 and encryption key generation The flow will be described. FIG. 5 is a sequence diagram showing a flow of data transmission / reception between the wireless terminal 2 and the network server 4. FIG. 6 is a diagram showing transition of each information and encryption key in the wireless terminal 2 and the network server 4. In FIG. 5, the base station 3 is omitted. Further, alphabets A to F on the right side in FIG. 5 correspond to (A) to (F) in FIG. 6, respectively.

  Unlike the above-mentioned basic premise of LoRaWAN, the wireless terminal 2 in the first embodiment does not have an AppKey set in advance by an operator operating the wireless communication system 1A. The wireless terminal 2 is activated in a state where no AppKey is set in advance (S51). At this time, the wireless terminal 2 reads the temporary AppKey defined in its own program from the program and sets it. This temporary AppKey is not set by the operator, and the program of the wireless terminal 2 is not subject to the operator's interference. In the network server 4, a temporary AppKey is stored in advance in association with the wireless terminal 2 that is not registered to participate in the wireless communication system 1 </ b> A, as in the wireless terminal 2.

  Next, the wireless terminal 2 generates a random number as DevNonce, and transmits JoinRequest including DveNonce and DveEUI to the network server 4 (S52). The state up to S52 in FIG. 5 is shown in FIG. In FIG. 6A, the temporary AppKey: α1 is held in both the wireless terminal 2 and the network server 4, and DevNonce: ε1 is held in the wireless terminal 2.

  When receiving the JoinRequest from the wireless terminal 2, the network server 4 extracts the DveEUI and DevNonce included in the JoinRequest. The network server 4 identifies a NetID corresponding to the wireless terminal 2 based on DevEUI, and generates a random number as AppNonce. The network server 4 transmits JoinAccept including NetID and AppNonce to the wireless terminal 2 (S53). The state up to S53 in FIG. 5 is shown in FIG. In FIG. 6B, DevNonce: ε1 included in JoinRequest is held in the network server 4, and NetID: σ1 and AppNonce: ζ1 specified from DevEUI are further held.

  When the wireless terminal 2 receives JoinAccept from the network server 4, the wireless terminal 2 extracts NetID and AppNonce included in JoinAccept. The wireless terminal 2 generates an encryption key by using the temporary AppKey, the DveNonce transmitted to the network server 4, the NetID and AppNonce received from the network server 4, and uses this as the official AppKey (S55). On the other hand, the network server 4 generates an encryption key using the temporary AppKey, the DveNonce received from the wireless terminal 2, the NetID and AppNonce transmitted to the wireless terminal 2, and uses this as the official AppKey (S56). The state up to S54 and S55 in FIG. 5 is shown in FIG. In FIG. 6 (C), the wireless terminal 2 holds NetID: σ1 and AppNonce: ζ1 included in JoinAccept. Further, both the wireless terminal 2 and the network server 4 hold the AppKey: β1 generated using the temporary AppKey: α1, NetID: σ1, DevNonce: ε1, and AppNonce: ζ1.

  Next, the wireless terminal 2 restarts in a state where the official AppKey (β1 in FIG. 6C) generated in S55 is held (S56). The wireless terminal 2 does not read out the temporary AppKey from its own program and starts up while holding the official AppKey in the restart of S56, unlike the above-described startup of S51. By restarting the wireless terminal 2, the connection between the wireless terminal 2 and the network server 4 is canceled. At this time, the network server 4 holds the official AppKey (β1 in FIG. 6C) generated in S54 corresponding to the wireless terminal 2, and erases other information as the connection is canceled.

  Next, the wireless terminal 2 generates a random number as DevNonce, and transmits JoinRequest including DveNonce and DveEUI to the network server 4 (S57). The state up to S57 in FIG. 5 is shown in FIG. In FIG. 6D, AppKey: β1 is held in both the wireless terminal 2 and the network server 4, and DevNonce: ε2 is held in the wireless terminal 2. Note that the temporary AppKey: α1 held in FIG. 6A is deleted in FIG. 6D due to the restart of the wireless terminal 2 and the cancellation of the connection, and DevNonce is a random number. ) DevNonce: ε2 in FIG. 6 is different from DevNonce: ε1 in FIG.

  When receiving the JoinRequest from the wireless terminal 2, the network server 4 extracts the DveEUI and DevNonce included in the JoinRequest. The network server 4 identifies the NetID corresponding to the wireless terminal 2 based on DevEUI, generates a random number, and sets it as AppNonce. The network server 4 transmits JoinAccept including NetID and AppNonce to the wireless terminal 2 (S58). The state up to S58 in FIG. 5 is shown in FIG. In FIG. 6E, DevNonce: ε2 included in JoinRequest is held in the network server 4, and NetID: σ1 and AppNonce: ζ2 specified from DevEUI are further held. Since NetID is an identifier unique to the wireless terminal 2, NetID: σ1 as in FIG. 6B, and AppNonce is a random number, so AppNonce: ζ2 in FIG. 6E is shown in FIG. 6B. AppNonce: a value different from ζ1.

  When the wireless terminal 2 receives JoinAccept from the network server 4, the wireless terminal 2 extracts NetID and AppNonce included in JoinAccept. The wireless terminal 2 generates an encryption key using AppKey, DveNonce transmitted to the network server 4, NetID received from the network server 4, and AppNonce, and sets this as AppSKey (S510). On the other hand, the network server 4 generates an encryption key by using AppKey, DveNonce received from the wireless terminal 2, NetID and AppNonce transmitted to the wireless terminal 2, and designates this as AppSKey (S59). The state up to S59 and S510 in FIG. 5 is shown in FIG. In FIG. 6F, the wireless terminal 2 holds NetID: σ1 and AppNonce: ζ2 included in JoinAccept. In addition, AppSkey: γ1 generated using AppKey: β1, NetID: σ1, DevNonce: ε2 and AppNonce: ζ2 is held in both the wireless terminal 2 and the network server 4. Since DevNonce: ε2 and AppNonce: ζ2 are random numbers, the values are different from DevNonce: ε1 and AppNonce: ζ1 in FIG. 6C, respectively. Therefore, AppSKey: γ1 generated using DevNonce: ε2 and AppNonce: ζ2 is different from AppKey: β1.

  When the AppKey (γ1 in FIG. 6F) is generated in each of the wireless terminal 2 and the network server 4, the wireless terminal 2 and the network server 4 go to the normal operation of encrypting and decrypting user data using the AppKey (S511). Since AppSKey is valid until the connection between the wireless terminal 2 and the network server 4 is cancelled, when the connection between the wireless terminal 2 and the network server 4 is canceled, the operations from S51 to S510 are executed, and S52 To S55 (FIGS. 6A to 6C), a new AppKey is generated, and S56 to S510 (FIGS. 6D to 6F), a new AppKey is generated.

  In the correspondence relationship between the first invention and the second invention, the above-mentioned temporary AppKey corresponds to the first information, the official AppKey corresponds to the second information, and AppSKey corresponds to the encryption key.

(B-3) Operation Flow of Wireless Terminal With regard to information exchange and encryption key generation between the wireless terminal and the network server described with reference to FIGS. 5 and 6, the details of the operation will be described focusing on the wireless terminal 2. . FIG. 7 is a flowchart showing the operation of the wireless terminal 2.

  When the wireless terminal 2 is activated, the control unit 21 tries to read the AppKey from the storage unit 22 (S700). Then, it is determined whether AppKey is stored in the storage unit 22 (S702). As described above, since the wireless terminal 2 is activated in a state where no AppKey is set in advance, the AppKey is not held in the storage unit 22. Accordingly, the determination is negative (S702: No).

  If the determination in S702 is negative, the control unit 21 reads the temporary AppKey (α1 in FIG. 6A) defined in the operation program stored in the storage unit 22 from the operation program and stores the temporary AppKey in the temporary storage unit 212. (S704). Since this temporary AppKey is defined by the operation program, an operator who operates the wireless communication system 1A cannot interfere, and thus the operator cannot know the temporary AppKey.

  The control unit 21 reads DevEUI from the storage unit 22 (not shown) and holds it in the temporary holding unit 212 (S708). In addition, the control unit 21 generates a random number in the random number generation unit 213 and stores the random number as DevNonce (ε1 in FIG. 6A) in the temporary storage unit 212 (S710).

  The control unit 21 causes the connection processing unit 211 to create a JoinRequest command including DevEUI and DevNonce (S712). The JoinRequest command may be created using, for example, a method defined by LoRaWAN. When the JoinRequest command is created by the connection processing unit 211, the control unit 21 transmits the JoinRequest to the network server 4 via the transmission unit 23 (S714). Note that JoinRequest may be encrypted by the encryption unit 25. When the Join Request is encrypted by the encryption unit 25, it may be encrypted using, for example, a temporary AppKey.

  If JoinRequest is transmitted to the network server 4 via the transmission part 23, the radio | wireless terminal 2 will wait for reception of JoinAccept from a network server (S716).

  When the wireless terminal 2 receives JoinAccept from the network server 4 (S716: Yes), the control unit 21 obtains NetID (δ1 in FIG. 6C) and AppNonce (ζ1 in FIG. 6C) included in the received JoinAccept. Extracted and held in the temporary holding unit 212 (S718).

  Next, the control unit 21 causes the encryption key generation unit 214 to store the temporary AppKey (α1 in FIG. 6C), DevNonce (ε1 in FIG. 6C), NetID (FIG. 6C) held in the temporary holding unit 212. ) And δ1) and AppNonce (ζ1 in FIG. 6C) are generated (S720).

  When the encryption key is generated, the control unit 21 determines again whether the AppKey is held in the storage unit 22 (S722). The determination in S722 is the same as the determination in S702 described above. Here, since AppKey is held in the storage unit 22, the determination is negative (S722: No).

  If the determination in S722 is negative, the control unit 21 holds the encryption key generated in S720 in the storage unit 22 as a formal AppKey (β1 in FIG. 6C) (S724).

  Next, the control unit 21 restarts the wireless terminal 2 while holding the AppKey in the storage unit 22 (S726). This restart may be a hard reset in which the power of the wireless terminal 2 is turned off and then turned on again, or a soft reset in which the software is restarted while the power of the wireless terminal 2 is maintained. When the wireless terminal 2 is restarted, the processing returns to the top of the flowchart shown in FIG. 7 (indicated by a circle A in FIG. 7).

  When the wireless terminal 2 is restarted, the control unit 21 tries to read the AppKey from the storage unit 22 (S700). Then, it is determined whether AppKey is stored in the storage unit 22 (S702). Here, since AppKey (β1 in FIG. 6D) is held in the storage unit 22, the determination is affirmed (S702: Yes).

  If the determination in S702 is affirmative, the control unit 21 holds the AppKey (β1 in FIG. 6D) held in the storage unit 22 in the temporary holding unit 212 (S706).

  Thereafter, the operations of the control unit 21, the random number generation unit 213, and the encryption key generation unit 214 are the same as the operations in S708 to S720 described above. However, in the second week of the flow of FIG. 7, the random number generated by the random number generation unit 213 is DevNonce: ε2 of FIG. 6D, and the JoinAccept received from the network server 4 has the NetID of FIG. δ1 and AppNonce: ζ2 are included, and the encryption key generation unit 214 generates an encryption key using AppKey; β1, DevNonce: ε2, NetID: δ1, and AppNonce: ζ2 in FIG.

  When the encryption key is generated, the control unit 21 determines again whether the AppKey is held in the storage unit 22 (S722). The determination in S722 is the same as the determination in S702 described above. Here, since AppKey: β1 is held in the storage unit 22, the determination is affirmed (S722: Yes).

  If the determination in S722 is affirmed, the control unit 21 stores the encryption key generated in S720 in the storage unit 22 as AppSKey (γ1 in FIG. 6F) (S728).

  Thereafter, the wireless terminal 2 uses the AppSKey (γ1 in FIG. 6F) stored in the storage unit 22 as an encryption key, and shifts to a common operation for performing communication with the network server 4 (S730). In normal operation, data transmitted from the wireless terminal 2 to the network server 4 is encrypted by the encryption unit 25 using AppSKey. In normal operation, the data received from the network server 4 is decoded by the decoding unit 26 using AppSKey.

(B-4) Operation Flow of Network Server Details of the operation of the information exchange and encryption key generation between the wireless terminal and the network server described with reference to FIGS. 5 and 6 will be described focusing on the network server 4. . FIG. 8 is a flowchart showing the operation of the network server 4.

  The network server 4 waits for the reception of JoinRequest from the wireless terminal 2 (S800).

  When the control unit 41 (FIG. 3) of the network server 4 receives the JoinRequest from the wireless terminal 2 (S800: Yes), whether the AppKey corresponding to the wireless terminal 2 that is the transmission source of the JoinRequest is held in the storage unit 42. Determination is made (S802). Here, since the AppKey corresponding to the wireless terminal 2 is not held in the storage unit 42 (FIG. 6A), the determination is negative (S802: No). The wireless terminal 2 is specified using DevEUI included in JoinRequest.

  If the determination in S802 is negative, the control unit 41 reads the temporary AppKey (α1 in FIG. 6A) defined in the operation program stored in the storage unit 42 from the operation program and stores the temporary AppKey in the temporary storage unit 412. (S804). This temporary AppKey is defined in the operation program in the same manner as the wireless terminal 2.

  Next, the control unit 41 identifies the wireless terminal 2 based on DevEUI (not shown) included in the received JoinRequest, and reads the NetID (δ1 in FIG. 6B) corresponding to the wireless terminal 2 from the storage unit 42. Then, it is held in the temporary holding unit 412 (S808). In addition, the control unit 41 generates a random number in the random number generation unit 413 and stores the generated random number as AppNonce (ζ1 in FIG. 6B) in the temporary storage unit 212 (S810).

  The control unit 41 causes the connection processing unit 411 to create a JoinAccept command including NetID and AppNonce (S812). For example, a method defined in LoRaWAN may be used to create the JoinAccept command. When the JoinAccept command is created by the connection processing unit 411, the control unit 41 transmits JoinAccept to the wireless terminal 2 via the transmission unit 43 (S814). Note that JoinAccept may be encrypted by the encryption unit 45. When the JoinAccept is encrypted by the encryption unit 45, for example, the temporary AppKey may be used for encryption.

  Next, the control unit 41 extracts DevNonce (ε1 in FIG. 6B) included in the JoinRequest received from the wireless terminal 2 and holds it in the billion unit 412 for a period of time (S816). Note that the process of S816 may be performed at an arbitrary timing from the time when JoinRequest is received from the wireless terminal 2 (S800: Yes) to the time when JoinAccept is transmitted to the wireless terminal 2 (S814). In FIG. 8, for the sake of explanation, the process of S816 is performed after the process of S814 for convenience.

  Next, the control unit 41 causes the encryption key generation unit 414 to store the temporary AppKey (α1 in FIG. 6C), DevNonce (ε1 in FIG. 6C), and NetID (FIG. 6C) held in the temporary holding unit 412. ) 1) and AppNonce (ζ1 in FIG. 6C), an encryption key is generated (S818).

  When the encryption key is generated, the control unit 41 determines again whether or not the AppKey corresponding to the wireless terminal 2 is held in the storage unit 42 (S820). The determination in S820 is similar to the determination in S802 described above. Here, since the AppKey corresponding to the wireless terminal 2 is held in the storage unit 42, the determination is negative (S820: No).

  If the determination in S820 is negative, the control unit 41 stores the encryption key generated in S818 in the storage unit 42 as the official AppKey (β1 in FIG. 6C) (S822).

  Next, the processing of the network server 4 returns to the top of the flowchart shown in FIG. 8 (illustrated by A in a circle in FIG. 8), and the network server 4 waits for the reception of JoinRequest from the wireless terminal 2 (S800).

  When receiving the JoinRequest from the wireless terminal 2 (S800: Yes), the control unit 41 determines whether the AppKey corresponding to the wireless terminal 2 that is the transmission source of the JoinRequest is stored in the storage unit 42 (S802). Here, since AppKey: β1 corresponding to the wireless terminal 2 is held in the storage unit 42 (FIG. 6D), the determination is affirmed (S802: Yes). The wireless terminal 2 is specified using DevEUI included in JoinRequest.

  If the determination in S802 is affirmed, the control unit 41 holds the AppKey (β1 in FIG. 6D) held in the storage unit 42 in the temporary holding unit 412 (S806).

  Thereafter, the operations of the control unit 41, the random number generation unit 413, and the encryption key generation unit 414 are the same as the operations from S808 to S818 described above. However, in the second week of the flow of FIG. 8, JoinAccept transmitted from the network server 4 to the wireless terminal 2 includes AppNonce: ζ2 of FIG. 6E as a random number generated by the random number generation unit 413, NetID: δ1 (FIG. 6E) corresponding to the wireless terminal 2 is included. The JoinRequest received from the wireless terminal 2 includes DevNonce: ε2 in FIG. Then, the encryption key generation unit 414 generates an encryption key using AppKey; β1, DevNonce: ε2, NetID: δ1, and AppNonce: ζ2 in FIG.

  When the encryption key is generated, the control unit 41 determines again whether the AppKey is stored in the storage unit 42 (S820). The determination in S820 is similar to the determination in S802 described above. Here, since AppKey: β1 is held in the storage unit 42, the determination is affirmed (S820: Yes).

  If the determination in S820 is affirmed, the control unit 41 holds the encryption key generated in S818 in the storage unit 42 as AppSKey (γ1 in FIG. 6F) (S824).

  Thereafter, the network server 4 shifts to a common operation for performing communication with the wireless terminal 2 using the AppKey (γ1 in FIG. 6F) held in the storage unit 42 as an encryption key (S826). In normal operation, data transmitted from the network server 4 is encrypted by the encryption unit 45 using AppSKey. Data received from the wireless terminal 2 is decoded by the decoding unit 46 using AppSKey.

(C) Effect in the first embodiment According to the first embodiment described above, it is not necessary to cause the wireless terminal 2 to hold the AppKey in advance. In the past, when an operator installed the wireless terminal 2, it was necessary to cause the wireless terminal 2 to hold the AppKey, so that the AppKey might leak from the operator. On the other hand, in the first embodiment, as described above, the wireless terminal 2 starts up in a state where no AppKey is set, and the wireless terminal 2 uses the temporary AppKey (α1 in FIG. 6) defined in its own program as the program. Read from and set to itself. Since the program of the wireless terminal 2 is not subject to the interference of the operator who installs the wireless terminal 2, in the first embodiment, the provisional AppKey is unlikely to be leaked to third parties including the operator. In the first embodiment, the security is improved in terms of AppKey management compared to the previous embodiment.

  In the first embodiment, both the wireless terminal 2 and the network server 4 generate a formal AppKey (β1 in FIG. 6) using the temporary AppKey (α1 in FIG. 6) inside the apparatus, and further form a formal AppKey. AppSKey (γ1 in FIG. 6) is generated inside the apparatus using (β1 in FIG. 6), and communication is encrypted using the AppSkey (γ1 in FIG. 6). As described above, since the temporary AppKey is difficult to leak to a third party, the official AppKey and AppSKey are more difficult to leak and analyze, and the first embodiment is more secure in terms of AppKey management than before. It has improved.

  Furthermore, in the first embodiment, as described above, security is improved in terms of AppKey management and AppSKey management, but the encryption method used in the wireless communication system 1A is a common key encryption method. The first embodiment does not use a public key cryptosystem that causes an increase in power consumption of the wireless terminal 2 and hardware advancement. Therefore, the first embodiment uses a common key cryptosystem, and wireless communication with improved security compared to the conventional one without losing the low power consumption and low economic cost of the wireless terminal 2 which are the advantages of the LPWA wireless communication system. System 1A is realized.

(2) Second Embodiment A second embodiment of the present invention will be described with reference to FIGS. In the first embodiment, the configuration and operation when one wireless terminal 2 is connected to the network server 4 have been described. In the second embodiment, a case where a plurality of wireless terminals 2 are connected to the network server 4 are described. The configuration and operation will be described. In the second embodiment, the AppKey generation mechanism defined in LoRaWAN shown in FIG. 4 is also used. In the following description, the same configuration and operation as those in the first embodiment may be described with reference to FIGS. 1 to 8 as appropriate, or a part of the description may be omitted.

(D) Hardware (D-1) Overall Configuration of Radio Communication System FIG. 9 is a configuration diagram showing the overall configuration of the radio communication system 1B in the second embodiment. In FIG. 9, the wireless communication system 1B includes a plurality of wireless terminals 2-1 to 2-n (n is an integer of 2 or more), a base station 3, a network server 4, and a host device 5.

  The functions and roles of each of the wireless terminals 2-1 to 2-n, the base station 3, the network server 4, and the host device 5 are the same as those described in the first embodiment. Regarding the connection relationship in FIG. 9, each of the wireless terminals 2-1 to 2-n is wirelessly connected to the base station 3 by a modulation scheme defined in LoRaWAN. That is, in the second embodiment, the base station 3 and the wireless terminals 2-1 to 2-n are connected in a 1: n relationship.

(D-2) Configuration of radio terminals 2-1 to 2-n and network server 4 (D-2-1) Radio terminals 2-1 to 2-n
The internal configuration of the wireless terminals 2-1 to 2-n in the second embodiment is the same as the internal configuration (FIG. 2) of the wireless terminal 2 in the first embodiment.

(D-2-2) Configuration of network server 4

  The internal configuration of the network server 4 in the second embodiment is the same as the internal configuration (FIG. 3) of the network server 4 in the first embodiment. However, the storage unit 42 of the network server 4 is provided with a logical structure (not shown) so that various information can be stored in each of the plurality of wireless terminals 2-1 to 2-n.

(E) Operation With reference to FIG. 10 and FIG. 11, a flow of information exchange and encryption key generation between the plurality of wireless terminals 2-1 to 2-n and the network server 4 will be described. Also in the second embodiment, the encryption key generation method defined in LoRaWAN described with reference to FIG. 4 is used between the network server 4 and one wireless terminal 2. Further, in the following description, among the plurality of wireless terminals 2-1 to 2-n, two wireless terminals 2-1 and 2-2 will be described as representatives.

(E-1) Information exchange and encryption key generation between a plurality of wireless terminals and a network server FIG. 10 is a sequence diagram showing a flow of data transmission / reception in the wireless terminal 2-1, the wireless terminal 2-2 and the network server 4. FIG. 11 is a diagram illustrating transition of each information in the wireless terminal 2-1, the wireless terminal 2-2, and the network server 4. In FIG. 10, the base station 3 is omitted. Further, alphabets A to F on the right side in FIG. 10 correspond to (A) to (F) in FIG. 11, respectively.

  In the second embodiment, the wireless terminal 2-1 and the wireless terminal 2-2 do not operate in synchronization. Therefore, communication between each wireless terminal 2 and the network server 4 is performed at an appropriate timing, and processing inside the wireless terminal 2-1, the wireless terminal 2-2, and the network server 4 is also performed at an appropriate timing. In FIG. 10, for convenience of explanation, the communication timing and processing timing of the wireless terminal 2-1 and the wireless terminal 2-2 have a context, but the context of each processing timing is limited to FIG. It is not something.

  In FIG. 10, the flow of information exchange and encryption key generation between the wireless terminal 2-1 and the wireless terminal 2-2 with the network server 4 is shown in FIGS. 5 and 6 in the first embodiment. This is the same as that described using. However, the network server 4 generates and manages AppKey, AppKey, NetID, DevNonce, and AppNonce for each of the wireless terminal 2-1 and the wireless terminal 2-2.

  In the wireless terminal 2-1 and the wireless terminal 2-2, AppKey is not set in advance by an operator who operates the wireless communication system 1 </ b> B. The wireless terminal 2-1 and the wireless terminal 2-2 are activated in a state where no AppKey is set in advance (S100, S102). At this time, the wireless terminal 2-1 and the wireless terminal 2-2 read the temporary AppKey defined in its own program from the program and set it to itself. Note that the same temporary AppKey is defined in the programs installed in the wireless terminal 2-1 and the wireless terminal 2-2. Similarly, even if the number of the wireless terminals 2 is n or more, the same temporary AppKey is defined in the programs of the wireless terminals 2-1 to 2-n. On the other hand, the network server 4 uniformly stores the same temporary AppKey for each of the wireless terminal 2-1 and the wireless terminal 2-2 that are not registered to participate in the wireless communication system 1B.

  Next, each of the wireless terminal 2-1 and the wireless terminal 2-2 generates a random number as DevNonce, and transmits JoinRequest including DevNanceEUI to the network server 4 (S104, S106). The state up to S106 in FIG. 10 is shown in FIG. In FIG. 11A, both the wireless terminal 2-1 and the network server 4 hold the temporary AppKey: α1, and both the wireless terminal 2-2 and the network server 4 hold the temporary AppKey: α1. . Further, DevNonce: ε1 is held in the wireless terminal 2-1, and DevNonce: ε2 is held in the wireless terminal 2-2. Since DevNonce is a random number, ε1 and ε2 are different unrelated values.

  When the network server 4 receives the JoinRequest from the wireless terminal 2-1, the network server 4 extracts the DveEUI and DevNonce included in the JoinRequest. The network server 4 identifies a NetID corresponding to the wireless terminal 2-1 based on DevEUI, generates a random number, and sets it as AppNonce. The network server 4 transmits JoinAccept including NetID and AppNonce to the wireless terminal 2-1 (S108). Similarly, the network server 4 identifies the NetID corresponding to the wireless terminal 2-2 based on DevEUI, generates a random number as AppNonce, and sets JoinAccept including NetID and AppNance to the wireless terminal 2-2. It transmits to 2-2 (S1010). The state up to S1010 in FIG. 10 is shown in FIG. In FIG. 11B, DevNonce: ε1 is held in the network server 4 in association with the wireless terminal 2-1, and NetID: σ1 and AppNonce: ζ1 specified from DevEUI are held. Further, DevNonce: ε2 is held in the network server 4 in association with the wireless terminal 2-2, and NetID: σ2 and AppNonce: ζ2 specified from DevEUI are held. Here, since AppNonce is a random number, ζ1 and ζ2 are different unrelated values.

  When receiving the Join Accept from the network server 4, the wireless terminal 2-1 extracts the NetID and AppNonce included in the Join Accept. The wireless terminal 2-1 generates an encryption key using the temporary AppKey, the DveNonce transmitted to the network server 4, the NetID and AppNonce received from the network server 4, and sets this as the official AppKey (S1014). On the other hand, the network server 4 generates an encryption key using the temporary AppKey, the DveNonce received from the wireless terminal 2-1, the NetID transmitted to the wireless terminal 2-1, and the AppNonce, and sets this as the official AppKey (S1012).

  When receiving the Join Accept from the network server 4, the wireless terminal 2-2 extracts the NetID and AppNonce included in the Join Accept. The wireless terminal 2-2 generates an encryption key by using the temporary AppKey, the DveNonce transmitted to the network server 4, the NetID and AppNonce received from the network server 4, and sets this as the official AppKey (S1018). On the other hand, the network server 4 generates an encryption key using the temporary AppKey, the DveNonce received from the wireless terminal 2-2, the NetID and AppNonce transmitted to the wireless terminal 2-2, and sets this as the official AppKey (S1016).

  The state from S1012 to S1018 in FIG. 10 is shown in FIG. In FIG. 11C, the wireless terminal 2-1 holds NetID: σ1 and AppNonce: ζ1 included in JoinAccept, and both the wireless terminal 2-1 and the network server 4 have provisional AppKey: α1, NetID: AppKey: β1 generated using σ1, DevNonce: ε1 and AppNonce: ζ1 is retained. In FIG. 11C, the wireless terminal 2-2 holds NetID: σ2 and AppNonce: ζ2 included in JoinAccept, and both the wireless terminal 2-2 and the network server 4 have temporary AppKey: α1, NetID. : AppKey: β2 generated using: σ2, DevNonce: ε2, and AppNonce: ζ2. Here, AppKey: β1 for the wireless terminal 2-1 and AppKey: β2 for the wireless terminal 2-2 are generated based on different NetID and random number values (DevNonce, AppNonce), respectively, so that β1 and β2 are not related to each other. Value.

  Next, the wireless terminal 2-1 restarts in a state where the official AppKey (β1 in FIG. 11C) generated in S1014 is held (S1020). In this restart, the wireless terminal 2 does not read the temporary AppKey from its own program, but starts the official AppKey while it is different from the above-described start of S100. The connection between the wireless terminal 2-1 and the network server 4 is canceled by restarting the wireless terminal 2-1. At this time, the network server 4 holds the official AppKey (β1 in FIG. 11C) generated in S1012 corresponding to the wireless terminal 2-1, and erases other information when the connection is canceled.

  Similarly, the wireless terminal 2-2 restarts in a state where the official AppKey (β2 in FIG. 11C) generated in S1018 is held (S1022). In this restart, the wireless terminal 2-2 does not read the temporary AppKey from its own program, but starts the official AppKey while it is different from the above-described start of S102. The connection between the wireless terminal 2-2 and the network server 4 is canceled by restarting the wireless terminal 2-2. At this time, the network server 4 holds the official AppKey (β2 in FIG. 11C) generated in S1016 corresponding to the wireless terminal 2-2, and erases other information as the connection is canceled.

  Next, the wireless terminal 2-1 and the wireless terminal 2-2 generate random numbers as DevNonce, and transmit JoinRequest including DevNanceEUI to the network server 4 (S1024, S1026). The state up to S1026 in FIG. 10 is shown in FIG. In FIG. 11D, AppKey: β1 is held in both the wireless terminal 2-1 and the network server 4, and DevNonce: ε3 is held in the wireless terminal 2-1. Note that the temporary AppKey: α1 held in FIG. 11A is deleted in FIG. 11D due to the restart of the wireless terminal 2-1 and the cancellation of the connection. In FIG. 11D, AppKey: β2 is held in both the wireless terminal 2-2 and the network server 4, and DevNonce: ε4 is held in the wireless terminal 2-2. The temporary AppKey: α1 held in FIG. 11A is deleted in FIG. 11D due to the restart of the wireless terminal 2-2 and the cancellation of the connection. Since DevNonce is a random number, ε3 and ε4 are different unrelated values.

  When the network server 4 receives the JoinRequest from the wireless terminal 2-1, the network server 4 extracts the DveEUI and DevNonce included in the JoinRequest. The network server 4 identifies a NetID corresponding to the wireless terminal 2-1 based on DevEUI, generates a random number, and sets it as AppNonce. The network server 4 transmits JoinAccept including NetID and AppNonce to the wireless terminal 2-1 (S1028). Similarly, the network server 4 identifies the NetID corresponding to the wireless terminal 2-2 based on DevEUI, generates a random number as AppNonce, and sets JoinAccept including NetID and AppNance to the wireless terminal 2-2. It transmits to 2-2 (S1030). The state up to S1030 in FIG. 10 is shown in FIG. In FIG. 11E, DevNonce: ε3 is held in the network server 4 in association with the wireless terminal 2-1, and NetID: σ1 and AppNonce: ζ3 specified from DevEUI are held. Since NetID is an identifier unique to the wireless terminal 2-1, it is NetID: σ1 as in FIG. 11B. Further, DevNonce: ε4 is held in the network server 4 in association with the wireless terminal 2-2, and NetID: σ2 and AppNonce: ζ4 specified from DevEUI are held. Since NetID is an identifier unique to the wireless terminal 2-2, it is NetID: σ2 as in FIG. Here, since AppNonce is a random number, ζ3 and ζ4 are different unrelated values.

  When receiving the Join Accept from the network server 4, the wireless terminal 2-1 extracts the NetID and AppNonce included in the Join Accept. The wireless terminal 2-1 generates an encryption key using AppKey, DveNonce transmitted to the network server 4, NetID and AppNonce received from the network server 4, and sets this as AppSKey (S1034). On the other hand, the network server 4 generates an encryption key using AppKey, DveNonce received from the wireless terminal 2-1, NetID and AppNonce transmitted to the wireless terminal 2-1, and sets this as AppSKey (S1032).

  When receiving the Join Accept from the network server 4, the wireless terminal 2-2 extracts the NetID and AppNonce included in the Join Accept. The wireless terminal 2-2 generates an encryption key using AppKey, DveNonce transmitted to the network server 4, NetID received from the network server 4, and AppNonce, and sets this as AppSKey (S 1038). On the other hand, the network server 4 generates an encryption key using AppKey, DveNonce received from the wireless terminal 2-2, NetID and AppNonce transmitted to the wireless terminal 2-2, and sets this as AppSKey (S1036).

  The state from S1032 to S1038 in FIG. 10 is shown in FIG. In FIG. 11F, the wireless terminal 2-1 holds NetID: σ1 and AppNonce: ζ3 included in JoinAccept, and both the wireless terminal 2-1 and the network server 4 have AppKey: β1, NetID: σ1. AppSKey: γ1 generated using DevNonce: ε3 and AppNonce: ζ3 is retained. In FIG. 11C, the wireless terminal 2-2 holds NetID: σ2 and AppNonce: ζ4 included in the JoinAccept, and both the wireless terminal 2-2 and the network server 4 have AppKey: β2, NetID: AppSKey: γ2 generated using σ2, DevNonce: ε4 and AppNonce: ζ4 is retained. Here, AppSkey: γ1 for the wireless terminal 2-1 and AppSKey: γ2 for the wireless terminal 2-2 are generated based on different AppKey, NetID, and random number values (DevNonce, AppNonce), respectively. There are no different values.

  When AppSkey (γ1 in FIG. 11F) is generated in each of the wireless terminal 2-1 and the network server 4, the wireless terminal 2-1 and the network server 4 shift to normal operation of encrypting and decrypting user data using the AppSKey (S 1040). . In addition, when AppSkey (γ2 in FIG. 11F) is generated in each of the wireless terminal 2-2 and the network server 4, the wireless terminal 2-2 and the network server 4 shift to a normal operation in which user data is encrypted and decrypted using the AppSKey (S1042). ). Here, AppSKey: γ1 and γ2 are effective until the connection between the wireless terminal 2-1 and the wireless terminal 2-2 and the network server 4 is canceled, so the wireless terminal 2-1 or the wireless terminal 2- 2 and the network server 4 are canceled, the connection operation between the wireless terminal 2 and the network server 4 for which the connection has been canceled is executed, and a new operation is performed in phase 1 of FIGS. An AppKey is generated, and a new AppSkey is generated in phase 2 of FIGS.

(E-2) Operation Flow of Wireless Terminal The operations of the wireless terminal 2-1 and the wireless terminal 2-2 in the second embodiment are the same as the operations of the wireless terminal 2 described in the first embodiment. . That is, the operations of the wireless terminal 2-1 and the wireless terminal 2-2 in the second embodiment are described with reference to the flowchart of FIG.

(E-3) Operation Flow of Network Server The operation of the network server 4 in the second embodiment with respect to each of the wireless terminal 2-1 and the wireless terminal 2-2 is the network server 4 described in the first embodiment. The operation is the same. That is, the operation of the network server 4 in the second embodiment is described with reference to the flowchart of FIG. As described above, since the wireless terminal 2-1 and the wireless terminal 2-2 do not operate synchronously, the network server 4 appropriately performs the operation shown in the flowchart of FIG. 8 on the wireless terminal 2-1. The operation shown in the flowchart of FIG. 8 is appropriately performed on the wireless terminal 2-2.

(F) Effects in the Second Embodiment According to the second embodiment described above, the same effects as in the first embodiment can be obtained. That is, there is no need to hold the AppKey in advance in each of the wireless terminal 2-1 and the wireless terminal 2-2, and each of the wireless terminal 2-1 and the wireless terminal 2-2 receives the temporary AppKey defined in its own program. Since it is read from the program and set in itself, as in the first embodiment, the second embodiment has improved security in terms of AppKey management compared to the previous embodiment. In the second embodiment, as in the first embodiment, the security is improved in terms of AppSKey management as compared with the previous embodiment. Further, the second embodiment uses a common key cryptosystem, and wireless communication with improved security compared to the conventional one without losing the low power consumption and low economic cost of the wireless terminal 2 which are the advantages of the LPWA wireless communication system. System 1B is realized.

  A point peculiar to the second embodiment is that each of the wireless terminal 2-1 and the wireless terminal 2-2 does not hold the AppKey in advance in each of the wireless terminal 2-1 and the wireless terminal 2-2. The AppKey is generated regardless of manpower. As described above, when the common key cryptosystem is adopted in the wireless communication system, it is necessary to hold the encryption key (AppKey) in the wireless terminal 2 when the wireless terminal 2 is installed. That is, in the past, a person who builds a wireless communication system holds a different encryption key (AppKey) for each of a large number of wireless terminals 2, and each network server 4 also has a different encryption key (AppKey) corresponding to the wireless terminal 2. Must be registered, and it takes a lot of trouble.

  On the other hand, in the second embodiment, it is not necessary for each of the wireless terminal 2-1 and the wireless terminal 2-2 to hold the AppKey in advance, and is defined in each program of the wireless terminal 2-1 and wireless terminal 2-2. The temporary AppKey to be used may be the same value regardless of the number of wireless terminals 2 (α1 in FIG. 11). In the second embodiment, a formal AppKey that is different for each wireless terminal 2 is generated in the wireless terminal 2 and the network server 4 in the process in which the wireless terminal 2-1 and the wireless terminal 2-2 communicate with the network server 4. (Β1 and β2 in FIG. 11). That is, according to the second embodiment, it is possible to reduce time and labor for holding different AppKeys for each of the plurality of wireless terminals 2 and also for holding the AppKey in the network server 4 as compared with the past. This effect becomes more prominent as the number of wireless terminals 2 participating in the wireless communication system 1B increases.

(3) Other Modifications The following modifications may be applied to the first embodiment and the second embodiment.

(G-1) As described above, after the AppSKey is generated in each of the wireless terminal 2 and the network server 4, when the connection between the wireless terminal 2 and the network server 4 is canceled, the wireless terminal 2 and the network server 4 In each case, generation of a formal AppKey based on the temporary AppKey and generation of an AppKey based on the formal AppKey are performed again. Here, each of the wireless terminal 2 and the network server 4 retains the AppSkey value (referred to as the old AppSkey value) used until immediately before the connection is canceled, and in the reconnection after the connection is canceled, An AppKey may be generated based on the old AppKey value, and a new AppKey may be generated based on the AppKey.

  As described in the first embodiment and the second embodiment, the old AppSKey value used immediately before the connection is canceled is the temporary AppKey defined in the program of the wireless terminal 2 or the network server 4 and the disturbance. It is generated inside the wireless terminal 2 and the network server 4 using numerical values. Accordingly, there is a low possibility that the old AppSKey value is grasped by a third party, or the old AppSKey value is derived by calculation by a third party. Therefore, if the old AppKey value is used in reconnection between the wireless terminal 2 and the network server 4, the AppKey and AppKey generated based on the old AppSKKey value are more confidential to a third party.

(G-2) In the first embodiment and the second embodiment, NwkSKey surrounded by a two-dot chain line in FIG. 4 was not involved. Here, NwkSKey is used for encryption and decryption of standard command data communicated between the end device and the network server in FIG. 4, and NwkSKey is generated based on AppKey in the same manner as AppSkey. . As a modification, AppSKey may be generated by the above-described procedure, and NwkSKey may be generated by a similar procedure. In this case, in the generation of AppSKey, AppSKey is generated based on five values obtained by adding the first fixed value X1 to the above-mentioned four official AppKey, NetID, DevNonce, and AppNonce. Further, in the generation of NwkSKey, NwkSKey is generated based on five values obtained by adding the second fixed value X2 to the above-mentioned official AppKey, NetID, DevNonce, and AppNonce. According to this modification, in addition to the first embodiment and the second embodiment, the security can be improved in terms of NwkSKey management.

(G-3) In the first embodiment and the second embodiment, the form using the encryption key generation mechanism defined in LoRaWAN has been described. However, the present invention can be applied to other wireless protocols other than the LoRaWAN protocol. That is, a common key cryptosystem is adopted in communication between the upstream server and the downstream terminal of the communication system, and the downstream terminal is registered in the upstream server by communication between the upstream server and the downstream terminal, and communication is performed. The configuration and operation of the present invention can be applied to any communication system that generates a used encryption key.

1A, 1B ... wireless communication system, 2 (2-1 to 2-n) ... wireless terminal, 3 ... base station,
4 ... Network (NW) server, 5 ... Host device,
21: Control unit, 212: Connection processing unit, 212 ... Temporary holding unit, 213 ... Random number generation unit,
214 ... Encryption key generation unit, 22 ... Storage unit, 23 ... Transmission unit, 24 ... Reception unit,
25 ... Encryption unit, 26 ... Decryption unit,
27 ... external interface, 28 ... antenna,
41 ... Control unit, 412 ... Connection processing unit, 412 ... Temporary holding unit, 413 ... Random number generating unit,
414 ... Encryption key generation unit, 42 ... Storage unit, 43 ... Transmission unit, 44 ... Reception unit,
45 ... Encryption unit, 46 ... Decryption unit, 47 ... External interface, 48 ... Interface,
90 ... AppKey, 92 ... DevNonce, 94 ... DevEUI,
96 ... AppNonce, 98 ... NetID, 910 ... AppSKey

Claims (7)

A communication system in which a communication terminal and a server perform cryptographic communication using a common key,
The communication terminal is
A first communication means for communicating with the server;
First storage means for storing first information;
Request information generating means for generating first request information transmitted to the server and second request information transmitted to the server;
The first request information is transmitted to the server via the first communication means, and first response information for the first request information is received from the server via the first communication means. First connection processing means,
First generation means for generating second information using the first request information, the first response information, and the first information;
The second request information is transmitted to the server via the first communication means, and second response information for the second request information is received from the server via the first communication means. Second connection processing means,
Second generation means for generating a first common key using the second request information, the second response information, and the second information;
A first encryption unit connected to the first communication unit and encrypting transmission data to the server using the first common key;
A first decryption unit connected to the first communication unit and decrypting data received from the server using the first common key;
With
The server
A second communication means for communicating with the communication terminal;
Second storage means for storing third information having the same value as the first information;
Response information generating means for generating the first response information transmitted to the communication terminal and the second response information transmitted to the communication terminal;
Third connection processing for receiving the first request information from the communication terminal via the second communication means and transmitting the first response information to the communication terminal via the second communication means means,
Third generation means for generating fourth information having the same value as the second information using the first request information, the first response information, and the third information,
A fourth connection process for receiving the second request information from the communication terminal via the second communication means and transmitting the second response information to the communication terminal via the second communication means; means,
Fourth generation for generating a second common key having the same value as the first common key by using the second request information, the second response information, and the fourth information means,
A second encryption unit connected to the second communication unit and encrypting transmission data to the communication terminal using the second common key;
A second decryption unit connected to the second communication unit and decrypting data received from the communication terminal using the second common key;
A communication system comprising: The first storage means holds an operation program of the communication terminal,
The communication system according to claim 1, wherein the communication terminal includes a derivation unit that derives the first information from the operation program. The communication terminal generates and receives the second information by the first generation unit, maintains the state where the second information is held in the first storage unit, and restarts the communication terminal. A restarting means for canceling the connection between the communication terminal and the server,
The second connection processing means receives the restart of the communication terminal, and transmits the second request information to the server via the first communication means.
The communication system according to claim 1 or 2. Each of the first storage means and the second storage means stores an arithmetic expression,
The first generation means generates the second information by setting the first request information, the first response information, and the first information in the arithmetic expression,
The third generation means generates the fourth information by setting the first request information, the first response information, and the third information in the arithmetic expression,
The second generation unit generates the first common key by setting the second request information, the second response information, and the second information in the arithmetic expression, and generating the first common key. The generating means sets the second request information, the second response information, and the fourth information in the arithmetic expression to generate the second common key.
The communication system according to any one of claims 1 to 3, wherein: The communication terminal includes first random number generation means for generating a random number,
The first storage means stores terminal identification information unique to the communication terminal,
The first request information includes the terminal identification information and a first random number value by the first random number generation means,
The second request information includes the terminal identification information and a second random value generated by the first random number generation unit,
The server includes second random number generating means for generating a random number,
The second storage means stores a communication identifier for each terminal identification information,
The first response information includes the communication identifier and a third random number value by the second random number generation means,
The second response information includes the communication identifier and a fourth random value generated by the second random number generation unit.
The communication system according to any one of claims 1 to 4, characterized in that: The communication terminal is plural,
The first generation means of the plurality of communication terminals includes the first information, the first request information including a random number value that differs for each of the plurality of communication terminals, and a disorder that differs for each of the plurality of communication terminals. Using the first response information including a numerical value, the second information different for each of the plurality of communication terminals is generated,
Each of the third generation means of the server includes the third information, the first request information including a random number value different for each of the plurality of communication terminals, and a random number value different for each of the plurality of communication terminals. And the first response information including, generating the fourth information different for each of the plurality of communication terminals,
The second generation means of the plurality of communication terminals includes the second information different for each of the plurality of communication terminals, the second request information including a random number value different for each of the plurality of communication terminals, Using the second response information including a random number value different for each of the communication terminals, and generating the first common key different for each of the plurality of communication terminals,
Each of the fourth generation means of the server includes the fourth information that is different for each of the plurality of communication terminals, the second request information that includes a random number value that is different for each of the plurality of communication terminals, Using the second response information including a random number value different for each communication terminal, and generating the second common key different for each of the plurality of communication terminals,
The first encryption unit and the first decryption unit in the plurality of communication terminals respectively encrypt the transmission data to the server using the first common key generated for each of the plurality of communication terminals. And decrypting data received from the server,
Each of the second encryption means and the second decryption means of the server uses the second common key generated for each of the communication terminals that are communication destinations to transmit data to the communication terminal. Performing encryption and decryption of received data from the communication terminal;
The communication system according to claim 5. A communication terminal including a first storage unit that stores first information and a server including a second storage unit that stores third information having the same value as the first information use a common key. Communication method for performing encrypted communication,
A first step in which the communication terminal transmits first request information to the server;
A second step of transmitting first response information to the communication terminal when the server receives the first request information;
A third step in which the communication terminal generates second information using the first request information, the first response information, and the first information;
A fourth step in which the server generates fourth information having the same value as the second information using the first request information, the first response information, and the third information; ,
A fifth step in which the communication terminal transmits second request information to the server in response to execution of the third step;
A sixth step in which the server receives the second request information and transmits second response information to the communication terminal;
A seventh step in which the communication terminal generates a first common key using the second request information, the second response information, and the second information;
The server uses the second request information, the second response information, and the fourth information to generate a second common key having the same value as the first common key. Steps,
The communication terminal encrypts transmission data to the server and decrypts data received from the server using the first common key, and the server uses the second common key to transmit the communication terminal. A ninth step of performing encryption of transmission data to and decryption of reception data from the communication terminal;
Including a communication method.

Images