JP5192980B2 - Network system - Google Patents

Description

  The present invention relates to a network system that realizes a secure communication environment using devices on a network and a security management server.

  Conventionally, in this type of network system, as shown in FIG. 10, the security management server SA used by the device D1 is fixedly determined, and when a change occurs in the system configuration such as addition of a device, security management is performed. The security level is maintained by performing maintenance on the server SA. That is, if the setting data (security policy) of the security management server SA can be dynamically applied, a high security level can be maintained (see, for example, Patent Document 1).

  In addition, although it is considered to change the security level for each user or device (see, for example, Patent Document 2), even in such a case, in order to maintain a high security level, maintenance of the security management server is required. Is required.

  Here, there is a trade-off relationship between the security level and the maintenance man-hours of the security management server SA. For example, when the security management server SA is provided on the center server as shown in FIG. Although maintenance can be easily performed, it is necessary to set a high security level by using an encryption key unique to each device.

On the other hand, in a network system in which the device D1 and the security management server SB exist on a closed network (home LAN) constructed in the user's home, as in the housing facility system shown in FIG. 11, the security management server Since the SB cannot be easily accessed from the outside (outside the user's home), the security management server SB cannot be easily maintained, but security is ensured by using a common encryption key for a plurality of devices. It is possible to set the level low.
JP 2005-252947 A JP-A-8-297638

  By the way, when the system configuration changes, for example, when a network system constructed on a closed network such as a home LAN is expanded to be connectable to the Internet, the safety of communication changes. Sometimes. For example, when a device that uses a security management server SB in a home with a low security level is connected to the Internet, it is possible to attempt to access the device from an unspecified terminal on the Internet. As a result, the safety of communication is reduced. In this case, it is necessary to improve the security level by switching the security management server used by the device by changing the setting of the device.

  However, in this case, the user needs to select the security management server to be used by the device. Therefore, for general users who do not have the knowledge to identify the security management server with a higher security level, the optimal security level must be selected. It is difficult to realize.

  The present invention has been made in view of the above reasons, and an object of the present invention is to provide a network system capable of realizing an optimum security level even when the user has no special knowledge.

  According to the first aspect of the present invention, a plurality of security management servers each holding server attribute information relating to the security level and a device holding security attribute information are provided on the network, and the devices are security management servers existing on the network. By selecting the security management server that can achieve the highest security level by comparing the server detection means for detecting the security attribute information and the server attribute information of each security management server detected by the server detection means. Server selection means for acquiring security information possessed by the security management server.

  According to this configuration, the device detects the security management server on the network by the server detection unit, and compares the security attribute information of its own with the server attribute information of each security management server by the server selection unit. Since a security management server capable of realizing a high security level is selected and used, an optimal security level can be realized without the user selecting a security management server. That is, since the device itself selects and uses a security management server capable of realizing the optimum security level, there is an advantage that even when the user has no special knowledge, the optimum security level can be realized. Note that the security information held by the security management server includes a session key necessary for secure communication between devices, access restriction information indicating whether or not writing is possible between devices, and the like.

  The invention of claim 2 is characterized in that, in the invention of claim 1, the type of encryption key set in the security management server is used as the server attribute information.

  According to this configuration, since the server selection unit of the device selects the security management server based on the encryption key type, if there is a difference in security level between the security management servers due to the difference in the encryption key type, The security management server with the highest level can be selected and used. The type of encryption key includes the key length of the encryption key, the application range of the encryption key, and the like.

  According to a third aspect of the present invention, in the first aspect of the present invention, the type of encryption key generation process in the security management server is used as the server attribute information.

  According to this configuration, since the device server selection unit selects the security management server based on the type of encryption key generation process, there is a difference in security level between the security management servers due to the difference in the type of encryption key generation process. In some cases, the security management server with the highest security level can be selected and used. The type of encryption key generation process includes the accuracy of random numbers used to generate the encryption key.

  According to a fourth aspect of the present invention, in the invention according to any one of the first to third aspects, when the server selection unit detects increase / decrease of the security management server on the network, it re-selects the security management server. Features.

  According to this configuration, even when security management on the network increases or decreases due to the addition or removal of the security management server from the network, the server selection means automatically reselects the security management server. By doing so, the optimum security level can be realized.

  According to a fifth aspect of the present invention, in the invention of the fourth aspect, the security management server added on the network notifies the device of its own server attribute information, and the server selecting means It is characterized by detecting an increase in the security management server on the network upon receiving the notification.

  According to this configuration, when there are a plurality of devices on the network, even if a security management server is added on the network, the server attribute information is notified from the security management server to the plurality of devices. Therefore, it is possible to avoid the concentration of access to the security management server from the plurality of devices, and there is an advantage that communication traffic on the network can be reduced.

  A sixth aspect of the present invention is the security management server according to any one of the first to fifth aspects, wherein the server selection unit detects a change in the server attribute information of the security management server on the network. Is selected again.

  According to this configuration, when there is a change in the server attribute information in the security management server already detected by the server detection means, the server selection means automatically performs security management based on the changed server attribute information. An optimal security level can be realized by reselecting the server.

  The invention according to claim 7 is the invention according to claim 6, wherein the security management server in which the server attribute information has been changed notifies the device of the server attribute information after the change, and the server selection means includes a server A change in server attribute information of the security management server on the network is detected in response to notification of attribute information.

  According to this configuration, when there are a plurality of devices on the network, even if the server attribute information of the security management server on the network is changed, the security management server changes the plurality of devices. Server attribute information is notified, there is an advantage that it is possible to avoid the concentration of access to the security management server from the plurality of devices and to reduce communication traffic on the network.

  The invention of claim 8 is the invention according to any one of claims 1 to 7, wherein the device has server management means for evaluating communication reliability with the security management server, and the server selection means comprises: When a plurality of security management servers capable of realizing the highest security level exist on the network, the security management server having the highest evaluation value in the server management means is selected from the plurality of security management servers. Features.

  According to this configuration, since the device selects the security management server by adding the evaluation value of the communication reliability with the security management server to the server attribute information, the security management in which the communication status is unstable even if the security level is high. The server is excluded from the selection target, and as a result, there is an advantage that the operation of the security level can be prevented from becoming unstable.

  The present invention has an advantage that an optimum security level can be realized even when the user has no special knowledge because the device itself selects and uses a security management server that can realize the optimum security level.

(Embodiment 1)
As shown in FIG. 1, the network system according to the present embodiment includes a device D1 made up of equipment installed in a user's home, and a home server S1 and a backup home server S2 that function as security management servers. It consists of a house equipment system provided on the home LAN. In this network system, it is possible to manage the device D1 such as control and monitoring of the device D1 by performing communication between the devices D1 or between the home server S1 and the device D1.

  As shown in FIG. 2, the device D1 generates a trigger signal for activating the communication means 1 connected to the network, the server detection means 2 for detecting the security management server on the network, and the server detection means 2. Evaluation of communication reliability between the security management server and the server selection unit 4 for selecting a security management server capable of realizing an optimum security level from the detection management unit 3 and the security management server detected by the server detection unit 2 Server management means 5 that performs security information, and information holding means 6 that holds security attribute information.

  The security attribute information held in the information holding means 6 of the device D1 is information relating to the security level currently available to the device D1 itself, and here, “there is an encryption key common to the home” and “the encryption key unique to the device” It contains two pieces of information “Yes”.

  As shown in FIG. 3 (home server S1 is illustrated in FIG. 3), each of home server S1 and backup home server S2 implements a communication means 7 connected to the network and a function as a security management server. Security management means 8, information holding means 9 for holding server attribute information as a security management server, data management means 10 for managing server attribute information in the information holding means 9, and changing server attribute information settings Setting change means 11.

  The server attribute information held in the information holding means 9 of the home server S1 is information relating to the security level applied to the device D1 on the network. Here, “security level: medium”, “home common encryption key is set. It includes four pieces of information: “use”, “key length of encryption key: 256 bits”, and “highly accurate random number”.

  Similarly, the server attribute information held in the information holding unit 9 of the backup home server S2 includes “security level: low”, “use common encryption key in home”, “key length of encryption key: 128 bits”, It contains four pieces of information that “the accuracy of random numbers is low”.

  Here, “key length of encryption key” indicates the type of encryption key used in the network system, specifically the bit length of the encryption key, and the longer the key length (the greater the number of bits), the higher the security. Means a high level. As the type of encryption key, in addition to the key length, the encryption key is an encryption key unique to the device (device), a common encryption key in a group determined in advance among devices in the home, or a common encryption key in the home. Whichever is specified, the security of communication becomes lower as the application range of the encryption key becomes wider, that is, in the order of device-specific, in-group common, and in-home common. Therefore, it is desirable to narrow the application range of the encryption key when increasing the security level. When the device-specific encryption key is used, for example, a public key encryption method using a public key for encryption and using the device-specific encryption key as a secret key for decryption is applied to communication between devices. The

  “Random number accuracy” indicates the type of encryption key generation process, specifically, the accuracy of random numbers used in the encryption key generation process. The higher the accuracy, the higher the security level. To do.

  Below, the operation example of the network system of this embodiment is demonstrated with reference to FIG.1, FIG.4, FIG.5.

  When the detection trigger means 3 detects that the device D1 has been powered on and activated, the detection trigger means 3 generates a trigger signal, and the server detection means 2 that has received the trigger signal causes the device D1 on the network (home LAN). Start searching for the security management server. At this time, in the example of FIG. 1, two security management servers, ie, the home server S1 and the backup home server S2, are detected.

  Then, the device D1 acquires server attribute information of each detected security management server (home server S1 and backup home server S2), and determines whether each security management server is a security management server that can be used by itself. to decide. Here, since the device D1 has a common encryption key as security information, the device D1 determines that both the home server S1 and the backup home server S2 can be used.

  The device D1 selects the security management server with the highest security level among the security management servers determined to be usable by the server selection unit 4 as the target server. Here, the home server S1 in which the “security level” in the server attribute information is set to “medium” is selected as the target server.

  The security management server selected as the target server in this way generates access keys (encryption keys) necessary for secure communication between devices, access restriction information indicating whether or not writing between devices is possible ( Permission information) is set or generated according to its own server attribute information. In short, the server attribute information manages the security level of the session key and access restriction information generated by the security management server. For example, the higher the “random number accuracy”, the higher the security level (that is, It is possible to generate a session key (with high communication security), and it is possible to set the access restriction information more finely as the “security level” becomes higher. The device D1 acquires security information including the above-described session key and access restriction information from the security management server selected as the target server, and starts communication using these security information.

  However, the criteria for determining the target server are not limited to the “security level”, but may be any information included in the server attribute information. For example, the “encryption key key length” in the server attribute information is compared, The home server S1 whose “key length” is “256 bits” may be selected as the target server. In addition, the security management server (here, the home server S1) in which the “random number accuracy” is set to “high” is compared by comparing the “random number accuracy” used in the process of generating the encryption key by the security management server. It is also possible to select the target server. Which item in the server attribute information is used as a determination criterion when selecting the target server can be defined by the security attribute information held in the information holding means 6 of the device D1. That is, in the security attribute information, for example, with regard to “key length of the encryption key”, the security level is determined such that the longer the bit length, the higher the security level, and the shorter the bit length, the lower the security level. The conditions at the time of judgment are defined.

  Here, the device D1 repeatedly searches for a security management server on the network at regular intervals after power-on. That is, when the detection trigger unit 3 generates a trigger signal at a constant cycle and gives it to the server detection unit 2, the server detection unit 2 searches the security management server at the predetermined cycle. At this time, if the system configuration itself has changed due to an increase or decrease in the number of security management servers on the network, the server selection unit 4 selects the target server again for the security management server after the change of the system configuration. . In addition to this configuration, for example, by operating a switch (not shown) provided in the device D1, the user gives a trigger signal to the server detection unit 2 at an arbitrary timing to start searching for a security management server on the network. You may make it do.

  Thus, in the state where the device D1 selects the home server S1 as the target server, for example, as shown in FIG. 4, when the home server S1 stops operating and is disconnected (detached) from the network, the device When D1 re-searches the security management server on the network at regular intervals, it detects that the home server S1 has left, and the security management with the highest security level among the security management servers remaining on the network A server (here, backup home server S2) is selected as a target server and used (acquires security information of the target server).

  Also, when maintenance of any security management server on the network is performed and the server attribute information stored in the information holding means 9 of the security management server is changed (that is, when the server attribute information is rewritten) ), The device D1 reselects the target server by comparing the server attribute information after the change by the server selection means 4. In short, each time the server detection unit 2 detects a security management server on the network, the device D1 acquires server attribute information of each security management server, and the server attribute information acquired when the security management server was detected last time. By comparing with the attribute information, it is determined whether or not the server attribute information has been changed. If the server attribute information has been changed, the target server is selected again using the changed server attribute information.

  That is, in the state where the device D1 selects the home server S1 as the target server, for example, when the server attribute information of the backup home server S2 is changed as shown in FIG. Changes in server attribute information are detected when searching for security management servers. Here, the server attribute information of the backup home server S2 changes from “security level: low” to “security level: high”, “use common encryption key from home” to “use device-specific encryption key”, “encryption key” ”Key length: 128 bits” to “encryption key key length: 256 bits”, and “random number accuracy is low” to “random number accuracy is high”. In this case, the device D1 selects the security management server (here, the backup home server S2) with a higher security level as the target server by using the changed server attribute information as a comparison target.

  As a result, even if there is no change in the system configuration of the network system and there is a change in the settings of the existing security management server, the security management server with the highest security level should be used as the target server in consideration of the setting change. Is possible.

  Here, the detection of the server attribute information setting change of the security management server may be performed whenever the server detection means 2 detects the security management server on the network as described above. When the attribute information setting is changed, the security management server may notify the device D1 on the network of the activation notification including the server attribute information after the change. In this case, the server selection unit 2 of the device D1 detects the change of the server attribute information of the security management server upon receiving the activation notification, and selects the target server again using the server attribute information after the change.

(Embodiment 2)
As shown in FIG. 6, the network system of the present embodiment is additionally provided with a center server S3 connected to the home LAN via the Internet, and the center server S3 also has a function as a security management server. It is different from the network system of form 1.

  In the present embodiment, by expanding a network system constructed on a closed network (home LAN) and connecting to the Internet, a device that can only use the security management servers S1 and S2 on the home LAN before the expansion. It is assumed that D1 becomes able to use the security management server (center server S3) on the Internet. In such a case, it becomes possible to attempt to access the device D1 from an unspecified terminal on the Internet, and the safety of communication is lowered. Therefore, a security management server used as a target server by the device D1 is used. It is necessary to improve the security level by switching.

  In the following, the home LAN and the Internet are combined into one network. In the example of FIG. 6, it is assumed that the backup home server S2 having the server attribute information of “security level: low” and the device D1 are connected to the network on the home LAN side.

  Here, the server attribute information stored in the information holding means of the center server S3 includes “security level: high”, “use device-specific encryption key”, “encryption key key length: 256 bits”, “random number It contains four pieces of information, “Accuracy is high”.

  Therefore, when the device D1 existing on the home LAN is connected to the center server S3 via the Internet, the device D1 is connected to the backup home server S2 and the center server S3 as a security management server on the network by the server detection unit 2. Is detected. Then, the server attribute information of the backup home server S2 and the center server S3 is compared, and a security management server (here, the center server S3) with a higher security level is selected and used as the target server.

  By the way, the detection of a newly added security management server may be performed by the device D1 at a constant cycle as described above, but there is a problem that communication traffic increases as the number of devices increases. That is, as shown in FIG. 7, when there are a plurality of devices D1 to D3 on the network (in this case, a home LAN), the plurality of devices D1 to D3 access the center server S3 all at once and receive server attribute information. Obtaining traffic may increase traffic on the network.

  Therefore, when a security management server (here, the center server S3) is added to the network, the security management server notifies the devices D1 to D3 on the network of activation including own server attribute information. It is desirable to have a configuration. The activation notification is sent from the security management server to all the devices D1 to D3 on the network by a broadcast method, thereby suppressing an increase in traffic on the network.

  In short, in the example of FIG. 7, when the center server S3 is connected to the network (home LAN), the activation notification from the center server S3 is transmitted to the devices D1 to D3 on the home LAN all at once, and these devices D1 to D3. The server detection unit 2 detects the presence of the center server S3 by receiving the activation notification from the center server S3. Thereafter, each of the devices D1 to D3 compares the center server S3 with other security management servers on the network, so that the security management server having the highest security level among the available security management servers (here, the center server S3). ) Is selected and used as the target server. When a security management server with a high security level becomes available as described above, the devices D1 to D3 automatically switch the target server so that the security management server with a higher security level is set as the target server.

  Note that if a startup notification cannot be transmitted directly from the center server S3 to the devices D1 to D3 on the home LAN due to a router or the like interposed between the home LAN and the Internet, the home server S1 periodically transmits on the Internet. The security management server may be searched, and when the security management server is detected, the activation notification may be transferred from the home server S1 to the devices D1 to D3 by the broadcast method or the multicast method.

  Here, it is assumed that the device D1 is connected to the center server S3 via a dial-up line, and therefore, Internet communication between the device D1 and the center server S3 is likely to be unstable. In this case, if communication between the device D1 and the center server S3 is temporarily interrupted due to the interruption of the Internet communication, the device D1 determines that the center server S3 has left the network, and the target server is moved from the center server S3 to another security management. Switch to the server. Thereafter, when communication between the device D1 and the center server S3 is restored, the device D1 determines that the center server S3 has been activated, and switches the target server to the center server S3 again. As described above, if the target server is frequently switched depending on the state of the communication path (dial-up line), there is a possibility that the system is temporarily stopped when the target server is switched, thereby causing a problem.

  Therefore, in this embodiment, the device D1 evaluates the communication reliability with the security management server by the server management unit 5 and adds the evaluation value to the determination criterion of the target server by the server selection unit 4. . That is, as shown in FIG. 8, the device D1 has an abnormal operation status of the security management server (here, the center server S3) selected as the target server (the server is not stable due to repeated start / stop, dial-up line, etc. In this case, the security management server (here, the home server S1) with the highest security level among the security management servers other than the security management server having an abnormal operation status is targeted. Select to server. As a result, even if a security management server having a communication reliability problem is included in the security management servers that can be used by the device D1, the problem security management server is prevented from being selected as a target server. it can.

  Further, in order to evaluate the communication reliability with the security management server in the device D1, the server attribute information of the security management server may be used as shown in FIG. In the example of FIG. 9, the in-home server S1 and the center server S3 have the same items regarding the security level in the server attribute information held in the information holding means 9 (here, “security level: high”, “device” “Use unique encryption key”, “Encryption key key length: 256 bits”, “The accuracy of random numbers is high”), but the server attribute information of home server S1 includes “installed on home LAN” On the other hand, the server attribute information of the center server S3 includes “installed on the Internet”.

  In this case, since the security level of the device D1 is the same for both security management servers, the locations where the security management servers are installed are compared, and the home server S1 on the home LAN and the center server S3 on the Internet The home server S1 on the home LAN is determined to have better communication reliability (stability). Therefore, the device D1 selects and uses the home server S1 as the target server. In this way, even if the actual communication status of the security management server is not evaluated, it is possible to avoid frequent switching of the target server by taking into account the communication reliability of the security management server given in advance as server attribute information. it can.

  It should be noted that the degree to which the evaluation value in the server management means 5 is added to the determination criteria when selecting the target server can be defined in the security attribute information of the device D1. Therefore, even if the security level of the home server S1 is lower than the security management server of the center server S3, priority is given to the communication reliability (stability) of the security management server, and the home server S1 instead of the center server D3 is set as the target server. It is also possible to select a setting to be selected.

  Other configurations and functions are the same as those of the first embodiment.

It is a schematic block diagram which shows the system configuration | structure of Embodiment 1 of this invention. It is a schematic block diagram which shows the structure of a device same as the above. It is a schematic block diagram which shows the structure of a security management server same as the above. It is a schematic block diagram which shows a system configuration same as the above. It is a schematic block diagram which shows a system configuration same as the above. It is a schematic block diagram which shows the system configuration | structure of Embodiment 2 of this invention. It is a schematic block diagram which shows a system configuration same as the above. It is a schematic block diagram which shows a system configuration same as the above. It is a schematic block diagram which shows a system configuration same as the above. It is a schematic block diagram which shows a prior art example. It is a schematic block diagram which shows another prior art example.

Explanation of symbols

2 Server detection means 4 Server selection means 5 Server management means D1 to D3 Device S1 Home server (security management server)
S2 Backup home server (security management server)
S3 Center server (security management server)

Claims (8)

  A plurality of security management servers each holding server attribute information related to the security level and a device holding security attribute information on the network, the device detecting means for detecting a security management server existing on the network; The security management server can select the security management server that can achieve the highest security level by comparing its own security attribute information with the server attribute information of each security management server detected by the server detection means. A network system comprising server selection means for acquiring information.   The network system according to claim 1, wherein a type of encryption key set in the security management server is used as the server attribute information.   The network system according to claim 1, wherein a type of encryption key generation process in the security management server is used as the server attribute information.   4. The network system according to claim 1, wherein the server selection unit reselects a security management server when detecting an increase or decrease in the security management server on the network. 5.   The security management server added on the network notifies the device of its own server attribute information, and the server selection unit detects an increase in the number of security management servers on the network upon receiving notification of the server attribute information. The network system according to claim 4, wherein:   6. The server selection unit according to claim 1, wherein the server selection unit detects a change in the server attribute information of the security management server on the network and reselects the security management server. The network system described in 1.   The security management server in which the server attribute information has been changed notifies the device of the server attribute information after the change, and the server selection means receives the notification of the server attribute information, and the security management server on the network 7. The network system according to claim 6, wherein a change in server attribute information of the server is detected. The device has server management means for evaluating communication reliability with the security management server, and the server selection means is configured when a plurality of security management servers capable of realizing the highest security level exist on the network. 8. The network system according to claim 1, wherein a security management server having the highest evaluation value in the server management means is selected from the plurality of security management servers.

Images