The present application is based on claims the benefit of priority under 35 U.S.C §119 of Japanese Patent Application No. 2012-182026 filed Aug. 21, 2012, the entire contents of which are hereby incorporated herein by reference.
1. Field of the Invention
The present invention relates to a wireless communication apparatus, a recording medium, and a method.
2. Description of the Related Art
Recently, more and more protocols have been proposed for a simple setup of wireless LAN connection to reduce its troublesome installation step. Currently, as such simple setup protocols, two methods have become popular: one is a PIN method in which a PIN code, which is known only to (accessible only by) a user having valid authority, is used for authentication between apparatuses; and the other is a push-button method.
Especially, in the push-button method, it is possible to eliminate troublesome data input, and it is further possible to easily apply to an electronic device such as a home electrical appliance having no user interface for data input. Due to these features, the push-button method if expected to be used in various applications.
In this regard, Japanese Laid-open Patent Publication No. 2008-283422 (Patent Document 1) discloses a method in which a secure connection is established between a printer and a camera based on a Push Button Configuration protocol of a Wi-Fi Protected Setup (WPS), the protocol having been standardized by IEEE 802.11.
In the following, the WPS push button method is briefly described with reference to
The WPS protocol sequence is divided into three main phases. In the first phase, a temporary connection (for plain text) is established between first and second apparatuses, via a probe request and open authentication, when, after a predetermined time period (e.g., from several tens of seconds to several minutes) has passed since a push button of the first apparatus is pressed, a push button of the second apparatus is pressed.
Next, in the second phase, the configuration data are shared which is necessary for the authentication and secure connection based on an EAP-WSC protocol. In the EAP-WSC protocol, to make it possible to share an encryption key by using a communication line on which no security is ensured, a Diffie-Hellman key exchange (hereinafter simplified as “DH”) algorithm is employed.
After the enrollee and registrar mutually transmit respective public keys to each other, the enrollee and registrar generate a passphrase (secret key), which is to be commonly used between the enrollee and registrar, based on the confidential information of the enrollee and registrar and the public key received from the registrar and enrollee, respectively.
Finally, in the third phase, based on the WPA protocol, after an encryption key is generated and shared using a predetermined algorithm based on the passphrase generated in the second phase, both the enrollee and registrar encrypt respective communication data using the encryption key (secret key) which is common between the enrollee and registrar. By doing this, a secure connection is established.
However, it is known that “DH”, which is used in the second phase, is vulnerable to a man-in-the-middle attack. To eliminate this vulnerability, it is necessary to carry out some kind of mutual authentication between the enrollee and registrar. In this regard, in the WPS push button method, the authentication indicating that the other part is valid (correct) is achieved based on a fact that the push buttons (of the enrollee and registrar) are pressed within the same time period (i.e., a fact that one party knows when the other party pushes the button).
Specifically, in response to the press down of the push button of the enrollee, the enrollee apparatus transmits a predetermined authentication code to the other party, and the registrar apparatus, where the push button of the registrar apparatus is pressed in the same time period when the push button of the enrollee apparatus is pressed, compares the authentication code received from the enrollee apparatus and the authentication code of the registrar apparatus.
However, the authentication code used in the push button method is typically a fixed value. Furthermore, in many cases, the authentication code is made public (disclosed) in the specification manual or the like. Therefore, it is not possible to completely eliminate the risk of a man-in-the-middle attack by a malicious third party.
The present invention is made in light of the above problem, and may provide a wireless communication apparatus, a recording medium, and a method capable of appropriately reducing a security risk in a wireless LAN connection setting.
According to an aspect of the present invention, a wireless communication apparatus includes an optical wireless receiving unit receiving a pseudo random number; an authentication code generator generating an authentication code based on the pseudo random number received by the optical wireless receiving unit; and a wireless communication unit determining whether authentication using the authentication code with a given wireless communication apparatus is successful, and performing wireless communications with the given wireless communication apparatus when determining that the authentication using the authentication code with a given wireless communication apparatus is successful.
Other objects, features, and advantages of the present invention will become more apparent from the following description when read in conjunction with the accompanying drawings, in which:
In the following, embodiments of the present invention are described with the accompanying drawings. However, it should be noted that the present invention is not limited to those embodiments described below. Throughout the figures, the same reference numerals are used to describe the same elements, and the descriptions thereof may be omitted.
A wireless communication apparatus 100 according to an embodiment may be referred to as a wireless communication apparatus which is compliant with a push-button-type simple configuration protocol. As an example of the push-button-type simple configuration protocol, there is a “Push Button Configuration Method” of the Wi-Fi Protected Setup (WPS) which is standardized by IEEE 802.11.
In the following descriptions, an example is described where the wireless communication apparatus 100 employs the “Push Button Configuration method” (herein after simplified as “PB method”) for WPS simple configuration setup.
In WPS, in a simple configuration setup, the function to provide “Configuration Data” which are necessary for a secure connection is called the “Registrar” and the function to set the provided “Configuration Data” is called the “Enrollee”. Therefore, the wireless communication apparatus 100 according to an embodiment may include any one of the Registrar and Enrollee or both the Registrar and Enrollee depending on the application.
Namely, the wireless communication apparatus 100 according to the embodiment may be used (provided) as a wireless LAN base station (access point). In this case, the wireless communication apparatus 100 serves as the Registrar (i.e., includes (provides) the function of the Registrar). Further, the wireless communication apparatus 100 according to the embodiment may be used (provided) as a wireless terminal (wireless station). In this case, the wireless communication apparatus 100 serves as the Enrollee (i.e., includes (provides) the function of the Enrollee).
Further, the wireless communication apparatus 100 according to the embodiment may be used (provided) as any electronic device, (e.g., Multi Function Peripheral (MFP), cellular phone, tablet terminal and the like), which is compliant with the “Wi-Fi Direct” formulated by the Wi-Fi Alliance. In this case, the wireless communication apparatus 100 serves as both the Registrar and Enrollee (i.e., includes (provides) the functions of the Registrar and Enrollee), and selectively activates the functions.
The optical wireless receiving device 20 includes a light receiving section 22 having an appropriate light receiving device(s) such as diode(s), so as to achieve (provide) optical wireless communications using light having a wavelength of visible to infrared light. For example, the optical wireless receiving device 20 may be referred to as a “data receiving device” in the illumination light communication using an LED light.
The push button 30 herein referred to as a “push button” used in the WPS PB method, and may be either a mechanical button switch or a software button (in GUI).
The controller 10 includes a connection controller (connection setting section) 12, an authentication code generator 14, a pressed button detector 16, and a fixed code storage 18.
The pressed button detector 16 detects a fact that the push button 30 is pressed (down), and reports the detected fact to the controller 12. In response to the report, the controller 12 controls the RF wireless communication device 40 so as to perform data communications to share the configuration data which are necessary for the secure connection to be established between the wireless communication apparatus 100 and the other wireless communication apparatus whose push button is pressed within a predetermined time period (e.g., tens of seconds to several minutes) which is started since the push button 30 is pressed (hereinafter simplified as “configuration data”).
When the wireless communication apparatus 100 serves (is functioned) as the wireless LAN base station (access point), the controller 12 serves as the Registrar, so as to provide the configuration data to the Enrollee of the other wireless communication apparatus via the RF wireless communication device 40.
Meanwhile, when the wireless communication apparatus 100 serves (is functioned) as the wireless terminal (wireless station), the controller 12 serves as the Enrollee, so as to receive the configuration data from the Registrar of the other wireless communication apparatus via the RF wireless communication device 40 and set various communication parameters.
As described above, an example configuration of the wireless communication apparatus 100 is described. Next, in a case of
Here, a case is described where the wireless LAN simple setup (“PB method”) is performed between the wireless communication apparatus 100 having the Registrar function (hereinafter may be referred to as a “Registrar 100A”) and the wireless communication apparatus 100 having the Enrollee function (hereinafter may be referred to as an “Enrollee 100B”) under an LED lighting device 200 as shown in the wireless LAN system of
In the case of
To that end, the LED lighting device 200 converts a pseudo random number (i.e., digital data), which is internally or externally generated, into a flashing (blinking) signal having a frequency in a range from several kHz to several hundred kHz, and blinks on and off the LED in high speed in synchronization with the converted flashing signal (optical wireless signal) to distribute the pseudo random number in the room of the LED lighting device 200.
In this case, it is preferable that the distributed pseudo random number may be updated every predetermined time interval to reinforce the security.
The optical wireless receiving device 20 starts its receiving operation either at the same time when the wireless communication apparatus 100 is started or in response to the detection that the push button 30, which is described below, is pressed. Then, the optical wireless receiving device 20 performs WE conversion from the flashing signal (illumination light) blinking on and off in high speed from the LED lighting device 200 into an electronic signal and demodulates the electronic signal to acquire the pseudo random number (digital data).
The optical wireless receiving device 20 transmits the acquired pseudo random number (digital data) to the authentication code generator 14.
The authentication code generator 14 generates an authentication code, based on the pseudo random number received from the optical wireless receiving device 20, in accordance with a predetermined algorithm, and stores the generated authentication code into a temporary memory (buffer) (of the authentication code generator 14).
Here, it should be noted that the algorithm to generate the authentication code is not limited. Namely, for example, an algorithm may be used in which the received pseudo random number is directly used as the authentication code. Further, when the pseudo random number distributed from the LED lighting device 200 is periodically updated, the authentication code generator 14 generates (updates) new authentication code based on the updated pseudo random number, and replaces the authentication code currently stored in the temporary memory (buffer) by the updated authentication code.
In the following, the authentication code stored in the temporary memory (buffer) may be referred to as an “optical wireless PIN code”.
When the fact that the push button 30 is pressed is detected (Yes in step S101), the controller 12 establishes a temporary connection between the wireless communication apparatus 100 and the other wireless communication apparatus whose push button is pressed within a predetermined time period (e.g., tens of seconds to several minutes) which is started since the push button 30 is pressed (step S102).
Next, in step S103, the controller 12 exchanges data indicating which functions are supported (hereinafter may be referred to as an “ability exchange”) with the other wireless communication apparatus which is connected from the wireless communication apparatus 100.
Specifically, the controller 12 exchanges (receives) the data indicating whether the other wireless communication apparatus connected from the wireless communication apparatus 100 has a function to generates the optical wireless PIN code.
As a result, when it is determined that the other wireless communication apparatus connected from the wireless communication apparatus 100 has the function to generate the optical wireless PIN code (i.e., supports to handle the optical wireless PIN code) (Yes in step 104), the controller 12 performs an authentication process based on the latest optical wireless PIN code stored in the temporary memory of the authentication code generator 14 (step S105).
Specifically, the Enrollee 100B reads the latest optical wireless PIN code stored in the temporary memory of the authentication code generator 14, and transmits the latest optical wireless PIN code to the Registrar 100A. Then, the Registrar 100A compares the latest optical wireless PIN code received from the Enrollee 100B with the latest optical wireless PIN code stored in the temporary memory of the authentication code generator 14 of the Registrar 100A, and performs authentication.
On the other hand, when it is determined that the other wireless communication apparatus connected from the wireless communication apparatus 100 has no function to generates the optical wireless PIN code (i.e., the other wireless communication apparatus does not support the handling of the optical wireless PIN code) (No in step 104), the controller 12 performs the authentication process based on a fixed code stored in the fixed code storage 18 (hereinafter referred to as a “fixed PIN code”) (step S106).
Specifically, the Enrollee 100B reads the fixed PIN code stored in the fixed code storage 18, and transmits the fixed PIN code to the Registrar 100A. Then, the Registrar 100A compares the fixed PIN code received from the Enrollee 100B with the fixed PIN code stored in the fixed code storage 18 of the Registrar 100A, and performs authentication.
As a result, when the authentication fails (NO in step S107), the setup fails.
On the other hand, when the authentication succeeds (YES in step S107), the process goes to step S108, a predetermined data communication is performed to share the configuration data.
Specifically, the Registrar 100A provides (transmits) the configuration data possessed by the Registrar 100A to the Enrollee 100B, and the Enrollee 100B sets necessary communication parameters based on the configuration data received from the Registrar 100A. After that, the encryption key is generated and shared, so as to establish the secure connection.
Next, an example sequence of the simple setup performed between the Registrar 100A and the Enrollee 100B is described with reference to
A WPS protocol sequence is divided into three main phases. In the first phase, a temporary connection (in plain text) is established between wireless communication apparatuses in which a simple setup is to be performed.
In the second phase, the authentication based on the EAP-WSC protocol and the sharing of the configuration data are performed. In the third phase, a secured connection is established after the encryption key is generated and shared based on the WPA protocol.
The above second phase generally includes eight messages (M1 through M8). The messages M1 and M2 correspond to the communications exchange to share the Diffie-Hellman key. In the sequence of
In the following, the simple setup sequence performed by the Registrar 100A and the Enrollee 100B is
Described step by step.
First, the Registrar 100A and the Enrollee 100B start receiving the optical wireless signal at the same time when the Registrar 100A and the Enrollee 100B, respectively, are started up or when the fact that the respective push button 30 are pressed (S1/S2). Then the Registrar 100A and the Enrollee 100B generate respective optical wireless PIN codes based on the received pseudo random number (S1.1/S2.1).
Next, the Enrollee 100B issues a probe request across a predetermined time period after the push button 30 of the Enrollee 100B is pressed. During the predetermined time period, when the push button 30 of the Registrar 100A is pressed and the Registrar 100A responds to the probe request, a temporary connection in plain text is established between the Enrollee 100B which has issued the probe request and the Registrar 100A (S3).
Next, the start of the simple setup using an EAPOL frame format is declared (announced) (S4).
Next, the Enrollee 100B adds a flag indicating that the Enrollee 100B has the function to generate the optical wireless PIN code (hereinafter “optical wireless PIN code activation flag”) to the message M1 which is for transmitting the public key PKE on the Enrollee 100B side (S5), and transmits the message M1 including the “optical wireless PIN code activation flag” to the Registrar 100A (S6).
Further, for example, the optical wireless PIN code activation flag may be implemented by using a vendor dedicated extended region formulated by WPS.
The Registrar 100A having received the message M1 from the Enrollee 100B checks the optical wireless PIN code activation flag included in the message M1 to make sure that the Enrollee 100B supports the optical wireless PIN code activation flag (S6.1).
Next, the Registrar 100A adds the optical wireless PIN code activation flag to the message M2 for transmitting the public key PKR on the Registrar 100A side (S5), and transmits the message M2 including the optical wireless PIN code activation flag to the Enrollee 100B (S8).
The Enrollee 100B having received the message M2 from the Registrar 100A checks the optical wireless PIN code activation flag included in the message M2 to make sure that the Registrar 100A supports the optical wireless PIN code activation flag (S8.1).
After the time point when the Registrar 100A and the Enrollee 100B determine that the Enrollee 100B and the Registrar 100A, respectively support the optical wireless PIN code activation flag, both the Registrar 100A and Enrollee 100B perform the authentication using the optical wireless PIN code activation flags in place of the fixed codes stored in the respective fixed code storages 18, and share the configuration data (S9/S10).
As described, a sequence including the “ability exchange” in the EAP-WSC phase is described. However, the above described sequence is an example only. Namely, for example, the “ability exchange” may be performed using the information elements (i.e., “Information Entity” formulated in IEEE 802.11) before the EAP-WSC phase. Further, it is preferable, that the “ability exchange” be performed within a framework of the standard protocol.
As described above, according to the embodiment, as shown in
Also, the authentication inevitably fails when only one of the wireless communication apparatus is outside of the irradiation range of the illumination light from the LED lighting device 200 (e.g., in the other room). Therefore, even when a malicious third party is able to know the timing when the push button is pressed, a man-in-the-middle attack by the malicious third party who is in the other room which is outside the irradiation range of the illumination light from the LED lighting device 200 may not be successful.
Further, in another embodiment, as shown in
Further, in this embodiment, the optical wireless receiving device 20 includes two light receiving sections 22a and 22b having different directivities from each other, so that the light receiving section 22a receives the pseudo random number (“2728”) distributed from the LED lighting device 200A and the light receiving section 22b receives the pseudo random number (“1506”) distributed from the LED lighting device 200B.
Further, the authentication code generators 14 of the Registrar 100A and Enrollee 100B generate one authentication code based on two different pseudo random numbers in accordance with a predetermined algorithm.
In this embodiment, by appropriately adjusting the directivities of the LED lighting devices 200A and 200B (i.e., optical wireless transmission and reception devices) and the directivities of the optical wireless receiving devices 20, the area where the authentication is successfully performed may be limited to small areas. Therefore, for example, it may become possible to respond to a request for limiting the wireless LAN circumstance only to an area on the desk in the meeting room.
As described above, according to an embodiment of the present invention, it may become possible to appropriately reduce the security risk while the convenience of the push button method is maintained.
As described above, as an embodiment, a case is described where the LED lighting device is used as the optical wireless transmission unit. However, it should be noted that the present invention does not limit the type or wavelength of the light source used in the optical wireless communications. Namely, for example, an LED emitting infrared light may be used as the light source.
Further, the present invention is not limited to be applied to the WPA protocol. Namely, it may not be necessary to emphasize that the present invention may also be applied to any other simple setup protocol employing a similar push button method.
Although the invention has been described with respect to specific embodiments for a complete and clear disclosure, the appended claims are not to be thus limited but are to be construed as embodying all modifications and alternative constructions that may occur to one skilled in the art that fairly fall within the basic teaching herein set forth.
The functions described in the above embodiments may be realized by a computer-readable program written in, for example, an object-oriented language such as C, C++, C#, Java (registered trademark) or the like. The program according to an embodiment of the present invention may be stored in and distributed using a hard disk drive, CD-ROM, MO, DVD, flexible disk, EEPROM, EPROM, or the like. Further, the program may be transmitted via a network using a format readable by other devices.
Number | Date | Country | Kind |
---|---|---|---|
2012-182026 | Aug 2012 | JP | national |
Number | Name | Date | Kind |
---|---|---|---|
7231521 | Buddhikot et al. | Jun 2007 | B2 |
7721325 | Lee et al. | May 2010 | B2 |
7739513 | Iwamura | Jun 2010 | B2 |
7912222 | Hagiwara | Mar 2011 | B2 |
7912224 | Lee et al. | Mar 2011 | B2 |
8127340 | Azuma | Feb 2012 | B2 |
8145194 | Yoshikawa et al. | Mar 2012 | B2 |
8649275 | Pyatkovskiy et al. | Feb 2014 | B2 |
20010033221 | Thomas et al. | Oct 2001 | A1 |
20030120925 | Rose | Jun 2003 | A1 |
20040073795 | Jablon | Apr 2004 | A1 |
20040131185 | Kakumer | Jul 2004 | A1 |
20050201557 | Ishidoshiro | Sep 2005 | A1 |
20050276418 | Hagiwara | Dec 2005 | A1 |
20090222659 | Miyabayashi et al. | Sep 2009 | A1 |
20100002884 | Sherman | Jan 2010 | A1 |
20100146129 | Nakahara | Jun 2010 | A1 |
20100169646 | Zhang et al. | Jul 2010 | A1 |
20100251345 | James et al. | Sep 2010 | A1 |
20100254314 | Tsuchiya | Oct 2010 | A1 |
20100313241 | Lee et al. | Dec 2010 | A1 |
20110142021 | Kito | Jun 2011 | A1 |
20110176457 | Yee | Jul 2011 | A1 |
20110275316 | Suumaki et al. | Nov 2011 | A1 |
20120030466 | Yamaguchi | Feb 2012 | A1 |
20120182884 | Pyatkovskiy et al. | Jul 2012 | A1 |
20120250863 | Bukshpun et al. | Oct 2012 | A1 |
20120265913 | Suumaki et al. | Oct 2012 | A1 |
20130036231 | Suumaki | Feb 2013 | A1 |
20130057913 | Park | Mar 2013 | A1 |
20130103807 | Couto et al. | Apr 2013 | A1 |
20130195271 | Miyabayashi et al. | Aug 2013 | A1 |
20130309971 | Kiukkonen et al. | Nov 2013 | A1 |
20130332739 | Yi et al. | Dec 2013 | A1 |
20140068267 | Le Saint et al. | Mar 2014 | A1 |
20140072119 | Hranilovic et al. | Mar 2014 | A1 |
20140123213 | Vank et al. | May 2014 | A1 |
Number | Date | Country |
---|---|---|
2004-118488 | Apr 2004 | JP |
2005-333606 | Dec 2005 | JP |
2006-123183 | May 2006 | JP |
2006-254077 | Sep 2006 | JP |
2008-283422 | Nov 2008 | JP |
2013-21499 | Jan 2013 | JP |
WO 2013008939 | Jan 2013 | WO |
WO 2013149459 | Oct 2013 | WO |
WO 2013153171 | Oct 2013 | WO |
Entry |
---|
Wi-Fi Protected Setup Specification Version 1.0h (Dec. 2006) . . . . |
Number | Date | Country | |
---|---|---|---|
20140059643 A1 | Feb 2014 | US |