1. Field of the Invention
The present invention relates to an area restricted network technique, and particularly relates to an area restricted network management method and device as well as an area key receipt method and device.
2. Description of the Related Art
With the development of wireless communications technologies, various applications of mobile devices such as cellular phones, notebook computers, tablet computers, smart phones, and game machines have been developed. As a result, for example, in the field of Peer to Peer (P2P) wireless communications, it is necessary to study the communications security of the mobile devices.
In U.S. Pat. No. 8,350,666 B2, a method including receiving wireless signals from a device at a wireless access point associated with a wireless network is disclosed. The method also includes estimating a location of the device and determining whether the estimated location is within a specified area. In addition, the method includes allowing the device to communicate over the wireless network in response to determining that the estimated location is within the specified area. However, in the method, only the device is considered whether or not to enter the specified area. That is to say, the method cannot solve the security issues of communications devices in a case where a hierarchical area restricted network including plural area restricted networks located in different layers exists.
In U.S. Pat. No. 8,305,935 B2, a system for dynamic information exchange on mesh network devices is disclosed. The dynamic information exchange includes allowing a mesh network device to communicate location information with a network device at predetermined physical location and invite social contacts of the mesh network device to come to the predetermined physical location. The network device sends various types of electronic messages on a mesh network and to social network sites. However, in the system, only the mesh network and mesh network device are used for determining the location of the network device, and the physical location of only one network device is taken into account. That is to say, the system cannot solve the security issues of communications devices in a case where a hierarchical area restricted network including plural area restricted networks located in different layers exists.
Moreover, in U.S. Pat. No. 7,676,236 B2, an ad hoc network with distributed hierarchical scheduling is disclosed. The ad hoc network may be organized into a tree topology. Distributed, hierarchical scheduling is provided where parents schedule communications with children while respecting already scheduled transmissions to/from interferers and to/from interferers of their respective children. However, in the ad hoc network, only data transmissions between the interferers in various mesh networks are considered. That is to say, the ad hoc network cannot solve the security issues of communications devices in a case where a hierarchical area restricted network including plural area restricted networks located in different layers exists.
According to a first aspect of the present invention, an area restricted network management method is provided. The method includes:
a step of detecting, in a first area restricted network, one or more second area keys sent from one or more second area restricted networks;
a step of generating a first hierarchical area key which is related to a first area key generated by the first area restricted network as well as at least one of the detected one or more second area keys; and
a step of transmitting the first hierarchical area key to the inside of the first area restricted network.
According to a second aspect of the present application, an area key receipt method is provided.
The method includes:
a step of receiving, in a first area restricted network, one or more second hierarchical area keys sent from one or more second area restricted networks, wherein, the one or more second hierarchical area keys are managed by the area restricted network management method according to the first aspect of the present invention;
a step of analyzing the one or more second hierarchical area keys so as to determine in which second area restricted network or networks a device within the first area restricted network is located; and
a step of communicating, by the node within the first area restricted network, with one or more devices in the determined second area restricted network or networks by utilizing a first hierarchical area key managed by the area restricted network management method according to the first aspect of the present invention or the one or more second hierarchical area keys.
According to a third aspect of the present invention, an area restricted network management device is provided. The device includes:
a detection part configured to detect, in a first area restricted network, one or more second area keys sent from one or more second area restricted networks;
a generation part configured to generate a first hierarchical area key which is related to a first area key generated by the first area restricted network as well as at least one of the detected one or more second area keys; and
a transmission part configured to transmit the first hierarchical area key to the inside of the first area restricted network.
According to a fourth aspect of the present invention, an area key receipt device is provided. The device includes:
a receipt part configured to receive, in a first area restricted network, one or more second hierarchical area keys sent from one or more second area restricted networks, wherein, the one or more second hierarchical area keys are managed by the area restricted network management method according to the first aspect of the present invention;
an analysis part configured to analyze the one or more second hierarchical area keys so as to determine in which second area restricted network or networks the area key receipt device is located; and
a communications part configured to communicate with one or more devices in the determined second area restricted network or networks by utilizing a first hierarchical area key managed by the area restricted network management method according to the first aspect of the present invention or the one or more second hierarchical area keys.
FIG. IC illustrates a process of managing the communications between a master node and a slave node in a single area restricted network;
In order to let those people skilled in the art better understand the present invention, hereinafter the present invention will be concretely described on the basis of the drawings and various embodiments.
Here it should be noted that the so-called “area restricted network (ARN)” (sometimes, also called an “area restricted ad hoc network”) in this specification refers to a kind of network whose area may be limited (determined or defined) and adjusted artificially in a physical way. The area restricted network may be limited by one or more single transmitters. An example of the area restricted network is an area limited by the intersection of infrared rays transmitted by one or more infrared ray transmitters, an area limited by the intersection of light beams transmitted by one or more light transmitters (for example, light emitting diodes (LEDs)), an area limited by the intersection of microwaves transmitted by one or more microwave transmitters, an area limited by utilizing a near field communication (NFC) technique, or an area limited by other signals.
As shown in
That is to say, an area restricted network is a physical layer based concept. The concept of the area restricted network is different from a conventional one on the basis of the wireless fidelity (WiFi or caller “802.11b standard”) or any other wireless communications network. The boundary of the area restricted network is clearer than that of any conventional wireless communications network. The reason is that the area restricted network is limited by, for example, plural signal transmitters having good directionality, located in a physical layer. In addition, the area restricted network is easily established. The reason is that it is possible to arbitrarily select positions for setting, for example, the signal transmitters. As a result, this kind of area restricted network may play an important role in a complicated office environment.
Moreover, the so-called “area key (AK)” in this specification is used to uniquely limit a restricted area. The area key may be transmitted by an area key transmitter. The area key transmitter may be, for example, an IR transmitter, a LED transmitter, or a microwave transmitter. The area key may be carried by, for example, an infrared ray, a light beam, or a microwave. The area key may include but is not limited to an area identifier (ID), a random secret key, a time stamp, and/or other information. The area ID included in the area key may be used to uniquely indicate a restricted area. Aside from indicating a restricted area, the area key is also for carrying out encryption so as to achieve reliable communications. The area key may be predetermined and fixed, and may be changed periodically so as to achieve more reliable communications.
In an office environment, for example, in a conference room, in an isolated region, and on a desktop, plural area restricted networks (for example, wireless ad hoc networks) located in different physical layers may exist simultaneously. The meaning of the different physical layers may be that the coverage of an area restricted network located in a predetermined physical layer includes an area restricted network located in a physical layer lower than the predetermined physical layer.
As shown in
Therefore, in a case where a hierarchical area restricted network including, for example, the above-described area restricted network 10, 20-1, and 20-2 exists, it is necessary to provide a mechanism by which devices in the area restricted networks located in different layers are capable of communicating with each other.
In addition, prior to illustrating the respective embodiments of the present invention, a process of managing the communications between a master node and a slave node in a single area restricted network is given by referring to
Here it should be noted that the so-called “node” in this specification refers to a device, for example, a mobile device such as a cellular phone, a notebook computer, a personal digital assistant (PDA), a tablet computer, a game machine, a printer, a copier, or a projector. Moreover, the so-called “master node” and “slave node” are just named for distinguishing their functions; that is to say, the present invention is not limited to this.
In
Here it should be noted that the communications session may cause another device (or called a “slave node”) latterly or simultaneously entering the single area restricted network to join the communication session managed by the master node, i.e., may cause all devices, which have entered the single area restricted network, to be able to communicate with each other. In addition, as for the communications session managed by the master node, the master node may send a unique area key of the single area restricted network to the respective slave nodes so that the respective slave nodes may utilize the unique area key to carry out reliable communications. This kind of area key may be fixed or changed periodically. Furthermore, in general, this kind of communications may adopt a way of utilizing the area key to carry out authorization. In Chinese Patent Application No. 201310056656.0, an example of how to utilize an area key to carry out authorization is disclosed in detail, and the entire contents of this Chinese patent application are hereby incorporated by reference. Of course, it is also possible to adopt another method to utilize an area key to carry out authorization; that is to say, the present invention is not limited to this.
Up to here, how to manage the communications of devices in a single area restricted network has been described. In what follows, the respective embodiments of the present invention will be given by referring to the related drawings.
As shown in
In general, in an area restricted network, there may be plural signal transmitters by which the area restricted network may be determined. In addition, in the area restricted network, there is also an area key generator that is capable of generating an area key of the area restricted network itself on the basis of the respective signals transmitted by the signal transmitters. For more information about how to generate the area key, for example, it is possible to refer to the above-mentioned Chinese Patent Application No. 201310056656.0. Here it should be noted that of course, aside from the respective signals transmitted by the signal transmitters, the area key may also be generated on the basis of other information by utilizing a conventional area key generation method; that is to say, the present invention is not limited to this.
Moreover, in general, in a case where there is only a single area restricted network, an area key generator in the single area restricted network is capable of generating an area key of the single area restricted network itself, and is capable of transmitting the generated area key to devices located in the single area restricted network so as to let the devices communicate with each other.
However, in a case where a hierarchical area restricted network exists, for example, in a case where one or more second area restricted networks include the above-mentioned first area restricted network, a hierarchical area key generator (that is a device used to generate a hierarchical area key, and may have other names) in the first area restricted network may detect one or more second area keys transmitted from the one or more second area restricted networks (STEP S201).
After that, in STEP S202, the hierarchical area key generator may generate a first hierarchical area key which is related to a first area key generated by the area key generator in the first area restricted network as well as at least one of the detected one or more second area keys. As described above, the area key generator in the first area restricted network is capable of generating a first area key of the first area restricted network, and the generated first area key does not include information of the one or more second area restricted networks covering the first area restricted network. In other words, only by the first area key, it is impossible to know in which second area restricted network(s) the first area restricted network is located. On the other hand, in STEP S202, the first hierarchical area key is generated which is related to the first area key of the first area restricted network itself as well as at least one of the generated one or more second area keys. In this way, the first hierarchical area key may include the information of the one or more second area restricted networks covering the first area restricted network, so that a device, which has received the first hierarchical area key, in the first area restricted network may determine, by analyzing the first hierarchical area key, by which second area network(s) the device itself is covered. That is to say, it is possible to obtain the topological structure of a hierarchical area restricted network.
After that, in STEP S203, it is possible to transmit, by the first hierarchical area key generator, the first hierarchical area key to the inside of the first area restricted network. In this way, various devices (a master node and one or more slave nodes) within the first area restricted network may communicate with each other by utilizing the first hierarchical area key. At the same time, since the first hierarchical area key also includes the information of the one or more second area restricted area networks, when a device in the first area restricted network wants to communicate with another device in a second area restricted network covering the first area restricted network, the device in the first area restricted network may utilize the first hierarchical area key or the detected second area key of the second area restricted network to communicate with the other device within the second area restricted network.
In a case where the device in the first area restricted network utilizes the detected second area key of the second area restricted network to communicate with the other device in the second area restricted network, only by utilizing the detected second area key, it is possible to communicate with the other device within the second area restricted network. The reason is that the other device in the second area restricted network has known the second area key. In addition, the device in the first area restricted network may utilize the received first hierarchical area key to communicate with the other device in the second area restricted network. In this case, when the device receives the first hierarchical area key from the first area restricted network, it is also possible to grasp, by analyzing the first hierarchical area key, by which second area restricted network(s) the device in the first area restricted network is covered. For example, it is possible to obtain the second area key of the second area restricted network by analyzing the first hierarchical area key. As a result, it is possible to authorize the device within the first area restricted network to communicate with the other device in the second area restricted network.
In addition, as described above, in the first area restricted network, a device in the first area restricted network may utilize the received first hierarchical area key to communicate with another device in the first area restricted network.
That is to say, the method 200 may further include a step of utilizing the first hierarchical area key to carry out authorization with respect to an authorized device newly entering the first area restricted network. As described above, in a single area restricted network, a master node may perform authorization on an unauthorized device newly entering the single area restricted network. Similarly, in the first area restricted network within the hierarchical area restricted network, it is also possible to conduct authorization with respect to an unauthorized device in the first area restricted network. For more information about this kind of authorization, for example, it is possible to refer to the above-mentioned Chinese Patent Application No. 201310056656.0. Here it should be noted that of course, it is also possible to adopt a conventional method to carry out this kind of authorization. In others words, as long as the above-described area key is utilized, any authorization method may be adopted in the present invention.
In an example, the first area key generated by the first area restricted network may be related to an identifier (ID) of the first area restricted network as well as an area security key used in the first area restricted network for carrying out communications.
In an example, the first hierarchical area key may be a set of the first area key and at least one of the detected one or more second area keys.
In an example, the detected one or more second area keys may be one or more second hierarchical area keys. That is to say, the one or more second area restricted networks may be located in one or more third area restricted networks. As a result, in this case, the one or more second area keys (i.e., the one or more second hierarchical area keys) may be second hierarchical area keys which are related to one or more third area keys sent from the one or more third area restricted networks as well as one or more second area keys generated by the one or more second area restricted networks themselves.
In this case, at least one of the detected one or more second area keys may be a second hierarchical area key of a second area restricted network located in the upper layer of the first area restricted network. That is to say, in a case where the detected one or more second area keys may be one or more second hierarchical area keys, STEP S201 may further include a step (not shown in the drawings) of determining which second area key of the detected one or more second area keys is one sent from the area restricted network located in the upper layer of the first area restricted network. As described above, since the first and second hierarchical area keys include the information of one or more area restricted networks covering the first and second area restricted networks, it is possible to obtain, according to these kinds of hierarchical area keys, the topological structure of the hierarchical area restricted network. As a result, it is possible to know which second area key of the detected one or more second area keys is one sent from the area restricted network located in the upper layer of the first area restricted network.
In this case, STEP S202 may include a step (not shown in the drawings) of generating a first hierarchical area key which is related to a second area key, that is determined as sent from an area restricted network located in the upper layer of the first area restricted network, as well as a first area key generated by the first area restricted network. For example, if there are three area restricted networks in a hierarchical area restricted network, then the three area restricted networks are located in three layers, respectively. For example, if a first area restricted network is located in the bottom layer, a second area restricted network is located in the middle layer (the second area restricted network covers the first area restricted network), and another second area restricted network is located in the top layer (the other second area restricted network covers the first and second area restricted networks), then the first area restricted network may detect a hierarchical area key (including information of the other second area restricted network covering the second area restricted network) sent from the second area restricted network as well as area keys respectively sent from the second area restricted network and the other second area restricted network. As a result, by analyzing the detected respective area keys, it is possible to obtain the topological structure of the hierarchical area restricted network, i.e., it is possible to grasp that the first area restricted network is located in the bottom layer, the second area restricted network is located in the middle layer, and the other second area restricted network is located in the top layer. Hence, it is easy to know that the second area restricted network is an area restricted network located in the upper layer of the first area restricted network. As a result, in this step (not shown in the drawings), a first hierarchical area key is generated which is related to a second area key (sometimes a hierarchical area key), that is determined as sent from an area restricted network located in the upper layer of the first area restricted network, as well as a first area key generated by the first area restricted network itself.
In an example, the step, of determining which one of the one or more second area keys is one sent from an area restricted network located in the upper layer of the first area restricted network, may include a step of selecting one, whose number of related area keys is maximum (i.e., which has a maximum number of related area keys), from the one or more second area keys, and letting the selected one serve as the second area key sent from the area restricted network located in the upper layer of the first area restricted network. The reason is that as described above, in an example, the first hierarchical area key may be a set of at least one of the detected one or more second area keys and the first area key. Similarly, the second hierarchical area key may also be a set of at least one of the detected or one or more third area keys and the second area key (here, the one or more third area keys are transmitted from an area restricted network located in the upper layer of the second area restricted network). That is to say, the hierarchical area key of each area restricted network may be generated in this way. As a result, according to the number of related area keys in the set of the corresponding hierarchical area key, it is possible to determine in which layer the corresponding area restricted network is located. For example, if the number of the related area keys in the set of the corresponding hierarchical area key is two, then it is possible to determine that the corresponding area restricted network is located in a second layer from the top layer in which a root area restricted network is located. The reason is that one of the two area keys is sent from the root area restricted network, and another is generated by the current area restricted network itself. Again, for example, if the number of the related area keys in the set of the corresponding hierarchical area key is three, then it is possible to determine that the corresponding area restricted network is located in a third layer from the top layer. The reason is that among the three area keys, one is sent from the root area restricted network, one is generated by the area restricted network located in the second layer, and one is generated by the current area restricted network itself. Here it should be noted that of course, the step, of determining which one of the one or more second area keys is one sent from an area restricted network located in the upper layer of the first area restricted network, may also be achieved by adopting another method. The reason is that these kinds of second (hierarchical) area keys include information of the corresponding hierarchical area restricted network. As a result, it is possible to find a method by which this kind of hierarchical information can be extracted, so that it is possible to determine which is an upper layer of the current layer in which the first area restricted network is located.
In this way, by generating a hierarchical area key including information of one or more area restricted networks covering a current area restricted network, it is possible to inform a device, which has received the hierarchical area key, of the topological structure of the corresponding hierarchical area network, so that the device may communicate with another device in the current area restricted network or one or more devices in the one or more area restricted networks covering the current area restricted network. For example, as shown in
As a result, according to the embodiments of the present invention, in a case where a hierarchical area restricted network exists, it is possible to ensure that devices within the respective area restricted networks of the hierarchical area restricted network may communicate with each other, and it is also possible to achieve reliable communications in the hierarchical area restricted network.
As shown in
As shown in
In an example, the HAK generator 303 may simply combine the received area key or hierarchical area key with the generated area key to generate a hierarchical area key. For example, it is possible to generate a set including the received area key or hierarchical area key and the generated area key in this order, so as to serve as the generated hierarchical area key. In other words, as long as it is possible to obtain the received area key or hierarchical area key as well as the generated area key of the area restricted area itself by analyzing the generated hierarchical area key, it is possible to adopt any method to obtain the generated hierarchical area key.
As shown in
As shown in
That is to say, the received HAKi-1 is a set of the area key AKroot generated by the possible root area restricted network and the area keys AK1, . . . , AKk, . . . , Aki-1 sent from other area restricted networks 1, . . . , k, . . . , i−1 to the possible root area restricted network.
In STEP S3002, the area restricted sensor generates its own area key Aki.
In an instance, Aki=(AIDi,ASKi(Twindow))
Here, AIDi refers to a unique ID of the current area restricted network i in which the area restricted sensor is located. ASKi (Twindow) refers to an area security key of the current area restricted network i within the time window of a time point Twindow, and may be unique within the time window. In other words, for the sake of security, ASKi(Twindow) may change in different time windows, i.e., may change according to time. Here it should be noted that it is possible to adopt any conventional method to generate ASKi(Twindow); that is to say, the present invention is not limited to this. In addition, in a case where there is only one single area restricted network, nodes in the single area restricted network have been able to utilize the generated ASKi (Twindow) for carrying out authorization, data encryption, reliable communications, and so on.
In STEP S3003, it is possible to use the received parent HAKi-1 and the generated AKi to generate a hierarchical area key HAKi-1 for the current area restricted network in which the area restricted sensor is located.
In an instance,
HAKi=HAKi-1⊚{AKi}={AKroot,AK1, . . . ,AKk, . . . ,AKi-1,AKi}.
That is to say, in this instance, HAKi is a set obtained by inserting the generated AKi after AKi-1 in the received HAKi-1.
Of course, it is also possible to adopt another method for generating the hierarchical area key HAKi. For example, in another instance, at a time point T, the received parent HAKi-1 may be a string “001A0EFDCE00”, wherein, “001A” refers to an ID of the possible parent area restricted network, and “0EFDCE00” refers to an area security key of the possible parent area restricted network at the time point T; and the generated AKi may be a string “001B878CCDEE”, wherein, “001B” refers to the ID of the current area restricted network i, and “878CCDEE” refers to an area security key of the current area restricted network i at the time point T. In this case, an example of the combination of the two may be MergedKey=“001A0EFDCE00#001B878CCDEE”, wherein, “#” refers to a predetermined separator. Of course, those people skilled in the art may adopt any conventional method to combine the two; that is to say, the present invention is not limited to this.
In STEP S3004, it is possible to broadcast the generated HAKi to the inside of a physical area covered by the current area restricted network i. This physical area may include one or more devices or possible child area restricted networks.
Moreover, in order to establish a hierarchical area restricted network, it is possible to define the following rules. However, it should be noted that the present invention is not limited to this.
(1) Each area restricted network is capable of receiving an area key or hierarchical area key (if it exists) from another area restricted network, generating its own area key, and broadcasting a hierarchical area key generated by itself to a physical area covered by itself by using, for example, wireless signals of itself. The respective area restricted networks are located in layers of the hierarchical area restricted network. It should be noted that in which layer an area restricted work is located is determined by the signal receiving ability of an area restricted sensor in the area restricted work as well as the signal coverage size of signal transmitters for defining the area restricted network.
(2) Any two area restricted networks located in a same layer of the hierarchical area restricted network do not have an overlap zone. In a case where there is an overlap zone, it is possible to prescribe in advance one of the two area restricted networks to manage the overlap zone. In this way, it is possible to avoid collision.
(3) The maximum number of child area restricted networks of each area restricted network may be determined on the basis of the signal coverage size of the corresponding area restricted network divided by the signal coverage size of one child area restricted network. Of course, actually, the maximum number of child area restricted networks of each area restricted network may also relate to, for example, signal coverage strength and attenuation.
As a result, it is possible to grasp in which layer of the hierarchical area restricted network each area restricted network is located.
In particular, in an example, it is possible to adopt the following equation to know, by analyzing the hierarchical area key HAKi of the current area restricted network i, a position (a layer) POSi in which the current area restricted network i is located.
POSi=POS(HAKi)=|HAKj|
Here, |*| refers to the number of elements of the set corresponding to the hierarchical area key HAKi. That is to say, as described above, the hierarchical area key HAKi of the current area restricted network i is made by inserting the generated AKi after the last element of the received HAKi-1. As a result, it is possible to determine, on the basis of the number of elements of the set corresponding to HAKi, in which layer of the hierarchical area restricted network the current area restricted network i is located. Of course, the present invention is not limited to this. For example, in a case where the hierarchical area key HAKi is generated by using another method, it is also possible to adopt another approach based the other method to determine in which layer of the hierarchical area restricted network the current area restricted network i is located.
The area security key ASKj of a parent area restricted network j may be obtained by utilizing the following equation.
ASKj=f(HAKi),root≦j≦i
That is to say, it is possible to analyze the hierarchical area key HAKi of the current area restricted network i so as to acquire the area security key ASKj of the parent area restricted network j of the current area restricted network i. The reason is that the hierarchical area key HAKi of the current area restricted network i has included information of the area key AKj (or the hierarchical area key HAKj) of the parent area restricted network j, and the area key AKj (or the hierarchical area key HAKj) has contained the area security key ASKj of the parent area network j itself as described above, i.e., AKi=(AIDi,ASKi(Twindow)). In other words, as long as the hierarchical area key HAKi of the current area restricted network i is received, it is possible to know in which layer the parent area restricted network j of the current area restricted network i is located, and to know what the area security key ASKj of the parent area restricted network is. In this way, a node in the current area restricted network i may communicate with each node in the parent area restricted network j by utilizing the hierarchical area key HAKi of the current area restricted network i.
As a result, in a case where there is a hierarchical area restricted network, it is possible to ensure that devices in the respective layers of the hierarchical area restricted network are able to normally and safely (reliably) communicate with each other.
On the other hand, in a case where a hierarchical area key of each current area restricted network is not generated on the basis of its parent area key or hierarchical area key as well as an area key of the corresponding area restricted network itself, each area restricted network only broadcasts its own area key. In this case, devices within the corresponding area restricted network and within an area restricted network located in the lower layer of the corresponding area restricted network may receive the same area key of the corresponding area restricted network itself. In this case, the devices within the area restricted network located in the lower layer of the corresponding area restricted network do not know that they are also within the corresponding area restricted network located in their upper layer. As a result, the devices in the area restricted network located in the lower layer of the corresponding area restricted network may directly ignore the received area key, or may regard that the received area key is an invalid one, as described above, thereby not being able to communicate with each device in the corresponding area restricted network located in their upper layer. However, according to the area restricted network management method described in the embodiments of the present invention, although in a case where there is a hierarchical area restricted network, it is possible to guarantee that devices in the respective layers of the hierarchical area restricted network are able to normally and safely communicate with each other.
As shown in
Here it should be noted that the process of STEP S401 may be achieved by adopting the method illustrated on the basis of
As a result, by generating and broadcasting a hierarchical area key, it is possible to let a node that has received the hierarchical area key know the topological structure of the corresponding hierarchical area restricted network, so as to carry out, on the basis of the topological structure of the corresponding hierarchical area restricted network, authorization, routing, communications, and so on. Hence, according to the embodiments of the present invention, in a case where this kind of hierarchical area restricted network exists, it is possible to guarantee that devices in the respective layers may normally and safely communicate with each other.
As shown in
In STEP S503, it is possible to generate, by utilizing the first hierarchical area key or one or more second hierarchical area keys, an area security key for communicating with the devices within the determined area restricted network(s). The reason is that as described above, it is possible to use a first hierarchical area key so as to obtain the area security key ASKj of a parent area restricted network j of a current area restricted network i on the basis of the following equation, and it is also possible to use a second hierarchical area key of a parent area restricted network j of a current area restricted network i so as to obtain the following equation by referring to the above-described equation, i.e., AKi=(AIDi,ASKi (Twindow))
ASKj=f(HAKi),root≦j≦i
In other words, by analyzing a hierarchical area key HAKi used by a node within a current area restricted network i, it is possible to obtain the area security key ASKj of the parent area restricted network j of the area restricted network i. The reason is that the hierarchical area key HAKi of the current area restricted network i includes information of the area key AKj (or the hierarchical area key HAKj) of the parent area restricted area restricted network j, and the area key AKj (or the hierarchical area key HAK) includes the area security key ASKj of the parent area restricted area restricted network j (see the above-described equation, i.e., AKi=(AIDi,ASKi(Twindow))). That is to say, as long as the hierarchical area key HAKi of the current area restricted network i is received, it is possible to grasp its parent area restricted network j as well as the area security key ASKj of its parent area restricted network j, so that it is possible to let a node within the current area restricted network i be able to communicate with a node within its parent area restricted network j by using the hierarchical area key HAKi because the two nodes may obtain the same area security key ASKj.
As a result, according to the embodiments of the present invention, in a case where there is a hierarchical area network, it is possible to ensure that devices located in the respective layers may normally and safely communicate with each other.
As shown in
S={HAK1, . . . ,HAKk},k≧1
The node 600 includes a hierarchical area key selector (HAK selector) 601 which is configured to select, from the set S, a hierarchical area key LPA_HAK of an area restricted network located in the upper layer of the node 600 (i.e., a lowest possible area restricted network of the node 600).
LPA_HAK=fLPA(S)=HAK having max POS(HAK1), . . . ,POS(HAKk)
That is to say, the selected LPA_HAK is a hierarchical area key, whose position (i.e., the number of elements) is maximum, in the set S. The reason is that a hierarchical area key having a maximum position means it is a lowest one among the received hierarchical area keys, i.e., it is the hierarchical area key of an area restricted network nearest the node 600.
After that, the selected LPA_HAK serves as a second hierarchical area key for communicating with devices within a determined second area restricted network as illustrated on the basis of
Of course, the node 600 may also include (but is not limited to) a memory 602 configured to store information; a central processing unit (CPU) 603 configured to conduct calculation; and a wireless module 604 configured to broadcast various area keys and to communicate with other devices.
In what follows, examples of using the selected LPA_HAK to carry out authorization, routing, and communications with devices within the determined second area restricted network will be given.
As shown in
In STEP S702, it is determined whether there is a master node in the area restricted network α.
If there is the master node in the area restricted network α, STEP S707 is carried out. In STEP S707, the master node uses the hierarchical area key of the area restricted network α to carry out authorization with respect to the new node. An example of the authorization is that the master node requests the hierarchical area key of the new node, and compares the hierarchical area key of the new node and a hierarchical area key received by the master node itself. If the two are the same, the master node authorizes the new node to be a member of the area restricted network α; otherwise, the master node does not authorize the new node to be a member of the area restricted network α. Of course, it is also possible to adopt another authorization method, for example, Wi-Fi protected access (WPA). That is to say, the present invention is not limited to this.
If it is determined that there isn't the master node in the area restricted network α, then STEP S703 is carried out. In STEP S703, the new node becomes the master node.
After the new node becomes the master node (hereinafter, called a “current master node”), in STEP S704, the current master node scans its parent area restricted network β located in its upper layer within the corresponding hierarchical area restricted network, so as to find a master node of its parent area restricted network β. Here it should be noted that the current master node should be located in the coverage of the parent area restricted network β.
In STEP S705, it is determined whether the master node in the parent area restricted network β is found.
If it is determined that the master node in the parent area restricted network β is found, then in STEP S708, the current master node utilizes the hierarchical area key of the area restricted network α to carry out authorization with respect to the master node of the parent area restricted network β.
If it is determined that the master node in the parent area restricted network β is not found, then in STEP S706, the current master node continues to scan an area restricted network located in the upper layer of the parent area restricted network until it is determined that the parent area restricted network β is a root area restricted network.
If it is determined that the parent area restricted network β is the root area restricted network, then STEP S709 is carried out. In STEP S709, the current master node broadcasts its own master information so as to request a master node of its child area restricted network within its coverage to carry out an authorization process with respect to the current master itself (this authorization process is the same as STEP S707).
Here it should be noted that the method 700 shown in
As a result, according to the embodiments of the present invention, in a case where there is a hierarchical area restricted network, it is possible to guarantee that devices in the respective area restricted network may carry out normal authorization and reliable communications.
In addition, this kind of communications link may include two cases, namely, (1) if the involved two nodes are located in a same area covered by their signals, then they may directly establish a communications link between them; and (2) if the involved two nodes are not located in the same area covered by their signals, then they may establish a communications link between them by causing the respective master nodes within the corresponding hierarchical area restricted network to carry out data forwarding (as shown in
As a result, all the nodes located in the whole hierarchical area restricted network may carry out reliable communications with each other. When a node provides a service to other nodes, the corresponding access authorization follows a strategy on the basis of the hierarchical area restricted network, and the strategy is that only some physical areas covered by the hierarchical area restricted network are authorized to access the service. For example, in
As a result, an example of the authorization process on the basis of the hierarchical area restricted network may be as follows.
Here, N refers to a current node N; PSNode refers to a node providing a service; and S′ refers to a set of detected hierarchical area keys.
According to the above equation, if the current node N is located in a layer lower than that in which the node providing the service is located or in a layer the same as that in which the node providing the service is located, that means the current node N is covered by the area restricted network in which the node providing the service is located, i.e., the current N is authorized to access the node providing the service. On the other hand, if the current node N is located in a layer upper than that in which the node providing the service is located, that means the current node N is not covered by the area restricted network in which the node providing the service is located, i.e., the current node N is not authorized to access the node providing the service.
As a result, according to the embodiments of the present invention, in a case where there is a hierarchical area restricted network, it is possible to ensure that devices located in the hierarchical area restricted network may carry out normal authorization, normal routing, and reliable communications.
As shown in
As shown in
The analysis part 1002 is configured to analyze the one or more hierarchical area keys so as to determine in which second area restricted network(s) the area key receipt device 1000 is located. The communications part 1003 is configured to utilize a first hierarchical area key managed by the above-described area restricted network management method or the one or more second hierarchical area keys to communicate with one or more devices located in the inside of the determined second area restricted network(s).
As a result, according to the embodiments of the present invention, in a case where there is a hierarchical area restricted network, it is possible to ensure that devices located in the respective area restricted networks may carry out normal authorization, normal routing, and reliable communications.
Here it should be noted that an embodiment of the present invention may also include parts configured to achieve the steps of the above-described methods, respectively. For the sake of convenience, the descriptions of the parts are omitted here.
Furthermore, sometimes any one of the above-mentioned “area key”, “hierarchical area key”, “area security key”, and “security key” for carrying out reliable communications may be replaced by another one of them. The reason is that these kinds of keys include information by which verification may be carried out, and sometimes any one of these keys may be converted to another one of them by utilizing some algorithms.
Here it should be noted that the above respective embodiments are just exemplary ones, and the specific structure and operation of each of them may not be used for limiting the present invention.
Moreover, the embodiments of the present invention may be implemented in any convenient form, for example, using dedicated hardware, or a mixture of dedicated hardware and software. The embodiments of the present invention may be implemented as computer software implemented by one or more networked processing apparatuses. The network may comprise any conventional terrestrial or wireless communications network, such as the Internet. The processing apparatuses may comprise any suitably programmed apparatuses such as a general purpose computer, personal digital assistant, mobile telephone (such as a WAP or 3G-compliant phone) and so on. Since the embodiments of the present invention can be implemented as software, each and every aspect of the present invention thus encompasses computer software implementable on a programmable device.
The computer software may be provided to the programmable device using any storage medium for storing processor-readable code such as a floppy disk, a hard disk, a CD ROM, a magnetic tape device or a solid state memory device.
The hardware platform includes any desired hardware resources including, for example, a central processing unit (CPU), a random access memory (RAM), and a hard disk drive (HDD). The CPU may include processors of any desired type and number. The RAM may include any desired volatile or nonvolatile memory. The HDD may include any desired nonvolatile memory capable of storing a large amount of data. The hardware resources may further include an input device, an output device, and a network device in accordance with the type of the apparatus. The HDD may be provided external to the apparatus as long as the HDD is accessible from the apparatus. In this case, the CPU, for example, the cache memory of the CPU, and the RAM may operate as a physical memory or a primary memory of the apparatus, while the HDD may operate as a secondary memory of the apparatus.
While the present invention is described with reference to the specific embodiments chosen for purpose of illustration, it should be apparent that the present invention is not limited to these embodiments, but numerous modifications could be made thereto by those people skilled in the art without departing from the basic concept and technical scope of the present invention.
The present application is based on and claims the benefit of priority of Chinese Priority Patent Application No. 201310435574.7 filed on Sep. 23, 2013, the entire contents of which are hereby incorporated by reference.
Number | Date | Country | Kind |
---|---|---|---|
201310435574.7 | Sep 2013 | CN | national |