This application claims the benefit under 35 U.S.C. § 119 (a) from Korean Patent Application No. 10-2004-0103430 filed on Dec. 9, 2004 in the Korean Intellectual Property Office, the entire disclosure of which is incorporated herein by reference.
1. Field of the Invention
The present invention relates generally to a security device for a home network and a security configuration method thereof. More particularly, the present invention relates to a security device for configuring security of a home network system using a public key and a password that are generated at a security device, and a security configuration method thereof.
2. Description of the Related Art
A home network is an advanced home appliance system enabling a user to operate home appliances using a wireless security device such as mobile phones and personal digital assistants (PDAs). Home appliances such as personal computers (PCs), televisions, refrigerators, and air conditioners are connected via the home network, and information can be transferred among the home appliances.
Typically, the home network is realized using an Internet Protocol (IP)-based private network, in which various types of home appliances are connected to each other and controlled over the network.
Protocols such as Home Audio/Video Interoperability (HAVi), Universal Plug and Play (UPnP), Jini, and Home Wide Web (HWW) have been suggested for the service discovery to allow communications between the various home appliances over the home network.
As for the UPnP, home appliances dynamically join the network, obtain their IP addresses, provide their functions, and recognize the presence and the function of the other appliances. Hence, a true zero-configuration network can be implemented. The home appliances continue to communicate with each other directly, to thus reinforce the peer-to-peer networking function.
When establishing the home network with the UPnP, a security system construction of the home network is crucial to prevent an external intruder from operating the home appliances. However, in reality, the user has difficulty in managing the security due to the lack of specialized knowledge relating to the characteristics of the home network deployed in the home.
Referring to
To register a new home appliance 10 to the home network, the SC 30 informs the home appliance 10 that the SC 30 is an owner of the home network. Next, the CP 20 and the SC 30 exchange a public key and conduct the security function.
Generally, since the home appliance 10 is not equipped with an input device for inputting a key, the invariant public key and the password are embedded in the home appliance 10 at the manufacturing phase.
If the public key and the password are exposed to an external intruder, the external intruder can randomly control the operation and the access with respect to the home appliance 10. For example, the external intruder may arbitrarily change the owner of the home appliance 10. As a result, the security of the home appliance 10 is of no use, and the security function is not provided at all afterward.
In addition, if the database of the public key and the password managed by the manufacturer is attacked and exposed to the external intruder, a large-scale recall may arise against the manufacturer.
Additional aspects and/or advantages of the invention will be set forth in part in the description which follows and, in part, will be apparent from the description, or may be learned by practice of the invention.
The present invention has been provided to solve the above-mentioned and other problems and disadvantages occurring in the conventional arrangement, and an aspect of the present invention provides a method for configuring security of a home network using a public key and a password, which are given unilaterally, at a security device when a home appliance is registered to the home network.
To achieve the above aspects and/or features of the present invention, a security device for a home network includes a user interface to send at least one request signal that includes a device register request signal to register a home appliance to the home network; a public key generator to generate a public key and a password used for security configuration of the home network; a home appliance interface to interface with the home appliance; and a controller to control the home appliance interface to transmit the public key and the password to the home appliance, and the controller to control to register the home appliance to the home network according to a service discovery protocol when the device register request signal is received from the user interface.
The home appliance interface may transmit the public key and the password via a location limited channel.
The security device may further include a memory to store the public key and the password that are generated at the public key generator.
The security device may further include a control device interface to exchange public keys with a control device that controls the home appliance.
The service discovery protocol may be a universal plug and play (UPnP).
According to another aspect of the present invention, a security configuration method of a security device for a home network includes generating a public key for security configuration of the home network; generating a password corresponding to the public key and transmitting the public key and the password when a device register request signal for registering a home appliance to the home network is received; and operating to register the home appliance to the home network.
The public key and the password may be transmitted via a location limited channel.
The home appliance may be registered to the home network according to a Universal Plug and Play (UPnP) protocol.
The security configuration method may further include exchanging public keys with a control device that controls the home appliance.
Additional and/or other aspects and advantages of the invention will be set forth in part in the description which follows and, in part, will be obvious from the description, or may be learned by practice of the invention.
These and/or other aspects and advantages of the invention will become apparent and more readily appreciated from the following description of exemplary embodiments, taken in conjunction with the accompanying drawing figures of which:
Reference will now be made in detail to the embodiments of the present invention, examples of which are illustrated in the accompanying drawings, wherein like reference numerals refer to the like elements throughout. The embodiments are described below to explain the present invention by referring to the figures.
The security system of the home network includes a security device 100 for configuring security of the home network, a home appliance 200 registered to the home network, and a control device 300 for controlling the home appliance 200.
The security device 100 is provided for the security configuration of the home network. The security device 100 may be a portable wireless security device such as mobile phones and personal digital assistants (PDAs). Herein, the security device 100 corresponds to the security console (SC) 30 of the conventional home network security system as illustrated in
The home appliance 200 is a next-generation home appliance such as audio and/or video devices, PCs, refrigerators, and washing machines, and is capable of communicating data over a wired and/or wireless network. Herein, the home appliance 200 refers to a new device to be registered to the home network.
The control device 300 controls the home appliance 200 registered to the home network. Similarly to the security device 100, the control device 300 may be a portable wireless security device such as mobile phones and PDAs. Herein, the control device 300 corresponds to the control point (CP) 20 of the conventional home network security system as illustrated in
In
The user interface 110 provides the controller 160, to be explained, with at least one request signal including a device register request signal to register the home appliance 200 to the home network. The user interface 110 may include key input means or electromagnetic sensing means depending on the type of the security device 100.
The public key generator 120 generates a public key of the home appliance 200 for the security configuration of the home network, and generates a random password corresponding to the public key. It takes much time for the public key generator 120 to generate the public key. Thus, the public key is generated in advance while the security device 100 is idle according to an embodiment of the present invention. Since the time taken to generate the password is less than the time taken to generate the public key, the password may be generated upon the request. It is also understood that the public key is generated when the security device is active.
The public key of an asymmetric cryptographic key pair for the public key cryptography system is made public. Specifically, the public key cryptography algorithm uses an encryption key for encrypting data and a decryption key for recovering the original data, in which the encryption key is different from the decryption key. The public key cryptography algorithm is referred to as an asymmetric cryptography algorithm. According to the public key cryptography algorithm, even when the encryption key is made public, the original data cannot be obtained from the ciphertext because the decryption key is kept secret. In this sense, the encryption key is known as a public key, and the decryption key is known as a private key.
The memory 130 stores the public key generated at the public key generator 120. The pre-generated public key is stored in the memory 130 since it may take too much time for the public key generator 120 of the security device 100 to generate the public key. It is also understood that the memory can be connected to the security device 100 by a Universal Serial Bus (USB) port or IEEE 1394 port.
The home appliance interface 140 interfaces with the home appliance 200. According to one embodiment of the present invention, the home appliance interface 140 transfers the public key pair (public key and private key) to the home appliance 200 under the control of the controller 160. The public key pair and the password are transmitted via a location limited channel.
The control device interface 150 transfers the public key of the security device 100 to the control device 300 and receives the public key of the control device 300, to authorize the control device 300 to control the home appliance 200. In short, the security device 100 and the control device 300 exchange their own public keys with each other.
The controller 160, upon receiving the device register request signal from the user interface 110, controls to transmit the public key to the home appliance 200 via the home appliance interface 140. The public key may be generated by the public key generator 120 or pre-stored in the memory 130.
The controller 160 controls to register the home appliance 200 to the home network according to a service discovery protocol. The service discovery protocol is a Universal Plug and Play (UPnP) according to an aspect of the present invention. It is also understood that the service discovery protocol can be any one of HAVi, Jini, and HWW.
The public key generator 120 generates a public key (S400). Since the security device 100 and the control device 300 have their own public keys already, the generated public key is to be given to the home appliance 200.
Upon receiving the device register request signal via the user interface 110 according to the manipulation of the user (S410), the controller 160 transfers its public key to the control device 300 via the control device interface 150 and receives the public key of the control device 300 (S420).
The public key generator 120 generates a password corresponding to the public key to be given to the home appliance 200 (S430). The controller 160 controls to transmit the public key and the password to the home appliance 200 via the home appliance interface 140 (S440).
Next, the home appliance 200 is registered to the home network according to the UPnP (S450), and the control authority of the home appliance 200 is granted to the control device 300 (S460).
The security device 100 and the control device 300 announce their presence according to the Simple Service Discovery Protocol (SSDP) (S500). When a new device is connected to the home network, it announces its presence using an SSDP message, and devices already connected in the home network receive the SSDP message and thus confirm that the new device is connected.
The user disposes the security device 100 in vicinity of the home appliance 200 or points the security device 100 to the home appliance 200 in the same signal transmission direction, and requests the device registration by manipulating the security device 100 (S502).
Upon receiving the device register request from the user, the security device 100 and the control device 300 exchange their own public keys using a Present Key message (S504).
After the public key exchange between the security device 100 and the control device 300, the user can randomly select a user definition name of the control device 300 in consideration of identification and usability of the name using a Select & Name message (S506). Alternatively the name of the control device may be generated automatically.
The security device 100 transmits a Hello message to the home appliance 200 to commence the communication with the home appliance 200, and the home appliance 200 receives the Hello message and responds with a Response message (S508).
The security device 100 transmits the public key pair and the password generated at the public key generator 120, to the home appliance 200 using a Public Key Pair, Password message (S510).
The security device 100 and the home appliance 200 announce their presence using an SSDP message (S512). The user defines a user definition name of the home appliance 200 using a Select & Name message (S514). For instance, the user definition name may be a TV in a living room, a TV in an inner bedroom, a PC in a study room, and the like.
The security device 100 informs that it is the owner by sending a Take Ownership message to the home appliance 200 (S516). According to the UPnP of the related art, the Take Ownership message is encrypted using the password as the key, and the password is input to the security device 100 directly by the user. The home appliance 200 upon receiving the Take Ownership message, decrypts the message using its password and permits the security device 100 as its owner when the message decryption succeeds.
The security device 100 sends a Get Algorithms And Protocols message to the home appliance 200 to confirm algorithms and protocols supported by the home appliance 200 (S518). Upon receiving the Get Algorithms And Protocols message, the home appliance 200 transmits a list of its supporting algorithms and protocols to the security device 100 (S518). The Get Algorithms And Protocols message is transmitted to ensure compatibility among home network devices produced by different manufacturers.
The security device 100 sends a Set Session Keys message to the home appliance 200 (S520). The Set Session Keys message instructs to generate a one-time key used only for a relevant session. Also, the Set Session Keys message instructs the security device 100 to generate and provide a hash and a random character string to be used as the encryption key to the home appliance 200. Only the security device 100 can generate the Set Session Keys message and only the home appliance 200 is able to decrypt the message.
Next, the user selects an intended home appliance using a Select Device message by manipulating the security device 100 (S522).
Upon receiving a Get Defined Permissions message from the security device 100, the home appliance 200 transmits a set of its definable permissions (S524).
The security device 100 sends an Add ACL Entry message to the home appliance 200 to instruct to add the control device 300 into an access control list (ACL) (S526). A typical home appliance 200 has a database for the ACL entry and executes only a control command corresponding to a defined permission retrieved from the database upon receiving the control command from the control device 300.
The home appliance 200 transmits its public key to the control device 300 and the control device 300 also transmits its public key to the home appliance 200 using a Get Public Keys message (S528).
The home appliance 200 sends a Get Algorithms And Protocols message to the control device 300. The control device 300 upon receiving the message transmits a list of its supporting algorithms to the home appliance 200 (S530).
The home appliance 200 sends a Get Lifetime Sequence Base message to the control device 300 and receives a response (S532). The Get Lifetime Sequence Base message is to set sequential numbers to prevent a second attack. The sequential numbers prevent an attacker from reusing a previous message.
Lastly, the home appliance 200 sends a Set Session Keys message to the control device 300 (S534). As a result, only the control device 300 can decrypt the message received from the home appliance 200.
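The appliance-side checks implied by the Add ACL Entry, Get Lifetime Sequence Base, and Set Session Keys steps above can be sketched as follows. This is an added example, not code from the patent or from the UPnP security specification; the message layout, the HMAC-SHA256 construction, and all names (`CommandGate`, `make_command`, `cp-300`, the action strings) are assumptions made for illustration.

```python
import hashlib
import hmac
import json


def mac_for(key, device, seq, action):
    # Assumed layout: MAC over a canonical JSON list of the three fields.
    body = json.dumps([device, seq, action], separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def make_command(key, device, seq, action):
    """Control-device side: build a command authenticated with the session key."""
    return {"device": device, "seq": seq, "action": action,
            "mac": mac_for(key, device, seq, action)}


class CommandGate:
    """Appliance side: session-key MAC, increasing sequence number, ACL lookup."""

    def __init__(self):
        self.acl = {}       # device id -> set of permitted actions
        self.sessions = {}  # device id -> [session key, last accepted sequence]

    def add_acl_entry(self, device, permissions):
        self.acl.setdefault(device, set()).update(permissions)

    def set_session(self, device, key, sequence_base):
        self.sessions[device] = [key, sequence_base]

    def handle(self, msg):
        device, seq, action = msg.get("device"), msg.get("seq"), msg.get("action")
        well_formed = (isinstance(device, str) and isinstance(seq, int)
                       and isinstance(action, str))
        session = self.sessions.get(device) if well_formed else None
        if session is None:
            return "reject: malformed or no session"
        key, last_seq = session
        expected = mac_for(key, device, seq, action).encode()
        if not hmac.compare_digest(expected, str(msg.get("mac", "")).encode()):
            return "reject: bad mac"
        if seq <= last_seq:
            return "reject: replayed sequence"
        # Consume the number before the ACL check, so an authentic but refused
        # message cannot be replayed later if the ACL is widened.
        session[1] = seq
        if action not in self.acl.get(device, set()):
            return "reject: not permitted"
        return "execute: " + action
```

A message that fails the MAC check does not advance the stored sequence number, so forged traffic cannot push the counter ahead of the legitimate control device.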
Operations S512 through S534 are the same as in the conventional security configuration method using the UPnP. Thus, detailed descriptions thereof are omitted for brevity.
Through the message transmission and reception among the security device 100, the home appliance 200, and the control device 300 at operations S500 through S534, the security configuration method as shown in
The home network security system according to another embodiment of the present invention is constructed similarly to one embodiment of the present invention. In the following, only different constructions are explained for conciseness, wherein like reference numerals refer to the like elements throughout.
As shown in
The security device 100 includes a user interface 110, a public key generator 120, a memory 130, a home appliance interface 140, and a controller 160. Herein, the user interface 110, the public key generator 120, the memory 130, and the home appliance interface 140 function the same as the components in
According to another embodiment of the present invention, the security device 100 needs to be able to control the home appliance 200. Hence, the controller 160 further functions to control the home appliance 200.
When a request signal to control the home appliance 200 is input via the user interface 110, the controller 160 generates a control signal corresponding to the received request signal. The controller 160 transmits the generated control signal to the home appliance 200 via the home appliance interface 140 to thus control the home appliance 200.
The public key generator 120 generates a public key to be given to the home appliance 200 in advance and stores the generated public key in the memory 130 (S600).
Upon receiving the device register request signal via the user interface 110 (S610), the public key generator 120 randomly generates the password corresponding to the public key given to the home appliance 200 (S620).
The controller 160 controls to transmit the public key and the password to the home appliance 200 via the home appliance interface 140 (S630). The home appliance 200 is registered to the home network according to the UPnP (S640). The controller 160 sets to grant the control authority of the home appliance 200 to the security device 100 (S650).
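Operations S600 through S640, together with the password-keyed Take Ownership step described earlier, can be modelled as below. This is an added example, not code from the patent: the key generator is a random-byte placeholder for real asymmetric key generation, the location-limited channel is modelled as a direct method call, and an HMAC challenge keyed by the PBKDF2-stretched password is swapped in for the password-encrypted Take Ownership message; all class and function names are hypothetical.

```python
import hashlib
import hmac
import secrets
from collections import deque


def stand_in_keygen():
    # Placeholder for the slow asymmetric key generation (random bytes only).
    return {"private": secrets.token_bytes(32), "public": secrets.token_bytes(32)}


def ownership_proof(password, salt, nonce):
    # Assumed construction: PBKDF2-stretched password used as an HMAC key.
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return hmac.new(key, nonce, hashlib.sha256).digest()


class Appliance:
    """Models home appliance 200: no factory credentials, provisioned on site."""

    def __init__(self, name):
        self.name, self.key_pair, self.password, self.owner = name, None, None, None
        self._salt, self._nonce = secrets.token_bytes(16), None

    def provision(self, key_pair, password):
        # Reached only over the location-limited channel (modelled as a direct call).
        self.key_pair, self.password = key_pair, password

    def challenge(self):
        self._nonce = secrets.token_bytes(16)
        return self._salt, self._nonce

    def take_ownership(self, claimant, proof):
        if self.password is None or self._nonce is None:
            return False
        expected = ownership_proof(self.password, self._salt, self._nonce)
        self._nonce = None  # each challenge is usable once
        if hmac.compare_digest(proof, expected):
            self.owner = claimant
            return True
        return False


class SecurityDevice:
    """Models security device 100: key pool filled while idle, password on request."""

    def __init__(self, keygen=stand_in_keygen):
        self._keygen, self._pool, self.issued = keygen, deque(), {}

    def idle_tick(self):
        self._pool.append(self._keygen())  # S600: generate ahead of time, store

    def register(self, appliance):
        key_pair = self._pool.popleft() if self._pool else self._keygen()
        password = secrets.token_urlsafe(16)        # S620: fresh per appliance
        appliance.provision(key_pair, password)     # S630
        self.issued[appliance.name] = password
        return self.claim(appliance, password)      # ownership step within S640

    def claim(self, appliance, password):
        salt, nonce = appliance.challenge()
        proof = ownership_proof(password, salt, nonce)
        return appliance.take_ownership("security-device-100", proof)
```

Because every appliance receives its own password at registration time, a password recovered from one appliance does not satisfy the ownership check on another.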
The user disposes or points the security device 100 in vicinity of the home appliance 200 and requests the device registration by manipulating the security device 100 (S700).
The security device 100 sends a Hello message to the home appliance 200 to commence the communication with the home appliance 200. The home appliance 200 receives the Hello message and responds with a Response message (S702).
The security device 100 transmits the public key and the password, which are generated at the public key generator 120, to the home appliance 200 using a Public Key Pair, Password message, and then the home appliance 200 responds to this message (S704).
Messages transferred between the security device 100 and the home appliance 200 according to the UPnP at operation S706 through S728 are the same as the messages at operations S512 through S534 as explained in
In
It is noted that the Add ACL Entry message at operation S720 indicates that the control authority of the home appliance 200 is given to the security device 100. The user defines a user definition name of the home appliance 200 at operation S708.
As for the security configuration method of the security device for the home network according to an embodiment of the present invention, it is understood that the control device 300 and the security device 100 may be equipped respectively, or, the security device 100 may combine the function of the control device 300.
In light of the foregoing as set forth above, the security device and the security configuration method for the home network according to an embodiment of the present invention, utilize the public key generated at the security device as the security key of the home appliance. Therefore, the network security can be configured with the simple manipulation.
Furthermore, the public key of the home appliance can be kept safe from attacks of an external intruder even when the public key database maintained by the manufacturer is exposed. More thorough security of the home network can be achieved.
Although a few embodiments of the present invention have been shown and described, it would be appreciated by those skilled in the art that changes may be made in these embodiments without departing from the principles and spirit of the invention, the scope of which is defined in the claims and their equivalents.
Number | Date | Country | Kind |
---|---|---|---|
10-2004-0103430 | Dec 2004 | KR | national |