JP2003304252A - Communication system, authentication device, communication connection device, station authentication method, program, and storage medium - Google Patents

Abstract

(57) [Summary] [PROBLEMS] To eliminate the time and work for setting an encryption key of an access point as in the related art, and to ensure the security in a conference or the like. A plurality of stations (502, 504, 5) are provided.
In a communication system capable of providing the service of the service unit 507 via the access point 501 to the stations 05, 506, a plurality of stations 502, 504, 5
05, 506 at least one station 50
2 determines whether to permit authentication requested from a station that desires communication regarding service provision via the access point 501 and whether to provide service based on the authentication information written in the storage device 503. The access point 501 determines whether or not the authentication is required, and notifies the station that desires the communication via the access point 501.

Description

Detailed Description of the Invention

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to wireless communication technology, and in particular, in order to restrict the users (stations) connected to a network in wireless communication and ensure security, authentication information is created on the station and authentication work is performed. , A communication system, an authentication device, a communication connection device, a station authentication method, which are suitable for connecting to a network based on authentication information.
The present invention relates to a program and a storage medium.

[0002]

2. Description of the Related Art A conventional network configuration will be described with reference to FIGS. FIG. 14 is a schematic diagram showing a configuration example in which a station (STA) according to a conventional example is connected to a backbone wired network composed of an Ethernet (registered trademark) cable or the like via an access point (AP). The configuration of FIG. 14 has a backbone wired network 101,
Router 1 that relays between 110 and the backbone wired network
11, a storage device 102 connected to the backbone wired network 101, a terminal device 103 such as a personal computer, an AP 104, an AP 105, and a STA 10 such as a personal computer that wirelessly communicates with the AP 104.
6, STA107, STA108 and STA109 such as a personal computer that wirelessly communicates with the AP105.

FIG. 15 shows a plurality of STAs according to a conventional example.
It is a schematic diagram which shows the structural example in the case of connecting to one AP and receiving a service, and is a basic system using a single AP. The configuration of FIG. 15 includes an AP 201 and STAs 202 to 205 that perform wireless communication with the AP 201. Figure 1
FIG. 6 is a schematic diagram showing a configuration example when a plurality of STAs according to a conventional example are connected to corresponding APs to receive a service, and a system in which a plurality of APs are connected and used. The configuration of FIG. 16 includes an AP 301, STAs 302 to 305 that perform wireless communication with the AP 301, an AP 310, and an AP 31.
0, and STAs 306 to 309 that perform wireless communication.

In each of the above-mentioned configurations, connection with the user (station (STA)) is performed by each access point (A).
P) is the Institute of Electrical and Elec
tronics Engineers) E specified by 802.11 wireless LAN
The user (station (STA)) is identified by the SSID (Extended Service Set Identity) and the encryption key. Regarding the encryption method, IEEE 802.11b
WEP (Wired Equivalent Priva) specified by the standard
cy), a common encryption method such as DES (Data Encryption Standard), a public key encryption method, or the like can be used. When the STA uses the service of each device connected to the AP, registration setting is required for each device and it is necessary to know the ESSID and encryption key of the AP.

FIG. 17 is a flowchart showing connection authentication between an access point (AP) and a station (STA) according to a conventional example. STA401 and AP402,
The key information and the authentication information are shared by a predetermined means. That is, the STA 401 and the AP 402 respectively set the ESSID and the key information (step S170).
1, step S1702). STA401 is AP40
A connection request is made based on the ESSID of 2. Next, STA4
Upon receiving the connection request from 01, the AP 402 permits the connection, and when receiving the authentication request from the STA 401, creates an authentication challenge text and sends it to the STA 401.

ST receiving the challenge text for authentication
A401 encrypts this challenge text using a predetermined encryption key (step S1703),
Send to AP402. The AP 402 that has received this encrypted data (challenge text) decrypts this data with a predetermined encryption key (step S170).
4) and compare and verify with the original text (step S170).
5), determine whether or not the authentication is possible, and determine whether or not the authentication is possible by STA401.
Send to.

[0007]

However, the above-mentioned conventional example has the following problems. As described in the conventional example, the STA (user) can connect to the AP based on the information set in the AP. Therefore, when the conventional system is applied to a conference system or the like, information may be leaked to users registered in the AP or the network. Therefore, it is necessary to set and connect the encryption key to the STA each time, and when the STA and the group connected at the place such as the conference room are changed each time, the encryption key of the AP is set again for security. It was necessary and required time and work for setting. Further, in the AP having the authentication server function, it is necessary to newly register the authentication information.

The present invention has been made in view of the above-mentioned points, and eliminates the time and work for setting the encryption key of the access point as in the conventional case, and guarantees the security in the conference and the like. It is an object of the present invention to provide a communication system, an authentication device, a communication connection device, a station authentication method, a program, and a storage medium that enable the above.

[0009]

In order to achieve the above object, the communication system of the present invention is a communication system capable of providing a service to a plurality of stations via an access point. Based on the authentication information, at least one station determines whether or not to permit the authentication requested via the access point from the station desiring to communicate regarding the provision of the service, and whether to provide the service, It is characterized in that whether or not the authentication is possible is notified to the station desiring the communication via the access point.

Further, the authentication device of the present invention is an authentication device which constitutes a communication system capable of providing a service to a plurality of stations via access points, and performs communication relating to the provision of the service based on the authentication information. It is determined whether to permit the authentication requested from the desired station via the access point and whether to provide a service, and determine whether the authentication is possible to the station desiring the communication via the access point. It is characterized by notifying.

Further, the communication connection device of the present invention is a communication connection device which constitutes a communication system capable of providing a service to a plurality of stations, wherein the station having an authentication function among the plurality of stations is It is characterized in that an authentication request from a station desiring communication regarding service provision is performed instead.

Further, the station authentication method of the present invention is
The control procedure in the communication system is executed.

The program of the present invention is characterized in that the control procedure in the communication system is stored.

A storage medium of the present invention is characterized by storing the program.

[0015]

BEST MODE FOR CARRYING OUT THE INVENTION First, an outline of an embodiment of the present invention will be described. According to the embodiment of the present invention, a station (STA) having authentication information authenticates another station (STA) requesting a new connection and manages an encryption key, so that the access point (AP) It is possible to eliminate the time and work for setting the encryption key and to guarantee the security in the conference and the like. Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings. The communication according to the embodiment of the present invention is executed by the connection forms shown in FIGS. 1, 2, 3, 6, 7, and 8.

[First Embodiment] The first embodiment of the present invention is shown in FIG. 1 and FIG. 1 as a configuration example when a station (STA) receives a service provided by a server via an access point (AP). 2. It is configured as shown in FIG. The station (STA) is a device having a wireless communication function attached to or built in a client PC (personal computer), and is built in the client PC in the first embodiment and each of the embodiments described later. Be present.

FIG. 1 is a schematic diagram showing a configuration example in which a station (STA) according to the first embodiment is connected to a backbone wired network via an access point (AP), and a plurality of STAs are independent. This is the most basic system showing the configuration for wireless communication with an installed AP. The communication system includes an AP 501 and a storage device 503.
STA502, STA504, 505, 50 equipped with
6. A service unit 507 including a terminal device 5071, a projector 5072, and a screen 5073 is provided. The STA 502 includes a storage device 503 for storing authentication information and is connected to the AP 501. The STAs 504, 505, and 506 can receive the service of the AP 501 by being authenticated by the STA 502 through the AP 501. Service unit 50
7 is installed in, for example, a conference room or the like, and a projector 5072 displays an image relating to the conference or the like on a screen 507.
By projecting the image on the screen No. 3, each STA is provided with an image relating to the conference or the like.

FIG. 2 shows a plurality of S's according to the first embodiment.
It is a schematic diagram which shows the structural example in case TA connects to each corresponding AP and receives a service, and is an example which connects STA to the backbone wired network comprised by Ethernet (trademark) cable etc. This communication system is an STA equipped with backbone wired networks 601, 613, a storage device 602, a terminal device 603, an AP 604, and a storage device 614.
606, STA607, AP605, STA608, S
It includes a TA 609, a printer 610 that provides a print service for forming an image on a print medium, a service unit 611 including a terminal device 6111, a projector 6112, and a screen 6113, and a router 612 that relays between backbone cable networks.

FIG. 3 shows a plurality of S's according to the first embodiment.
It is a schematic diagram which shows the structural example in case TA connects to each corresponding AP, and receives a service, It is an example in case a plurality of STAs wirelessly communicate with each AP installed. The communication system includes an AP 701 and a storage device 712.
STA702, STA703 to 705, AP7
10 and STAs 706 to 709.

Next, the operation of the first embodiment configured as described above will be described in detail with reference to the flowchart of FIG. In the figure, 1003 is a wireless access point (AP), 1004 to 1006 are stations (S).
TA). The STA 1006 includes a storage device 1001 in which authentication information has already been written. Also, an arbitrarily created encryption key is already registered in the storage device 1001.

First, the STA 1006 makes a connection request for connection to the AP 1003. At this time, STA1
006 makes a connection request based on the ESSID of AP 1003. At this time point, the encryption key is not registered in the AP 1003, or the encryption key which is determined in advance and disclosed as necessary is used. In addition, STA1
006 creates an authentication list in advance (step S
401). STA1006 connected to AP1003
Sends the encryption key generated by itself (step S402) to the AP 1003, and thereafter encrypts communication based on this encryption key.

Next, when connecting to the AP 1003, the STA 1004 first makes a connection request to the AP 1003 based on the ESSID. Next, the STA 1004 sends AP1
After connecting to 003, an authentication request is further made to the AP 1003. The AP 1003 having received this authentication request, on behalf of the STA 1006 having the authentication information, makes an authentication request from the STA 1004. ST receiving this certification request
A1006 performs authentication processing (step S403),
Whether the STA 1004 is registered in the authentication list is checked based on the authentication list (step S404) (step S405). Further, it is determined whether or not to provide the service to the STA 1004 based on the service list. If the STA 1004 is registered in the authentication list, the STA 1006 permits the authentication (step S4
(YES in 06), the encryption key and other information are transmitted to the STA 1004 via the AP 1003. Upon receiving the encryption key and other information, the STA 1004 can start communication.

In addition, other unregistered STAs 100
The case where there is a connection request from 5 will be described. In this case, the STA1005 is based on the ESSID as in the above procedure.
Connection request is sent, and an authentication request for the AP 1003 is sent to the STA 1006 via the AP 1003. The STA 1006 that has received this authentication request performs authentication processing (step S407), but STA1 is added to the authentication list.
Since 005 is not included (step S408), S
The TA 1006 rejects the authentication (NO in step S409) and notifies the AP 1003 of the authentication rejection. Upon receiving the authentication refusal, the AP 1003 notifies the STA 1005 of the connection refusal. A cross mark at the lower left of FIG. 4 indicates that communication is not started due to connection refusal.

In the first embodiment, the STA100
4. The processing based on the authentication request from the STA 1005 (whether authentication is possible and whether service is provided) can be manually performed by the STA 1006.

Also, in the first embodiment, the AP100
When the STA connected to No. 3 receives authentication, the STA having the authentication information uses the IP (Internet Protocol) address (identification information) used for communication by the STA as DHCP (Dynamic).
It can also be assigned by the Host Configuration Protocol) function.

Further, in the first embodiment, between the STAs to which the encryption key is connected (for example, STA1006 and STA).
If it is determined in advance in 1004), it is possible to perform authentication by a method of encrypting and decrypting the challenge text and collating the challenge text as shown in the flowchart of FIG. In FIG. 5, 1703 is an AP, and 1704 to 1706 are S.
The TA is basically the same as that shown in FIG. 4 except for the process related to the challenge text, and the description thereof will be omitted. As an encryption method here, a common encryption method such as WEP or DES defined by the IEEE 802.11b standard, a public key encryption method, or the like can be used.

As described above, according to the first embodiment, the authentication information is created and authenticated on the STA having the authentication information to register or delete any group as necessary. This makes it unnecessary to perform the operation of registering on the network or the operation of setting the encryption key of the access point. Also, by performing on-the-spot authentication of the STA requesting the connection, the connection of the previously connected STA is eliminated, or the connection of the STA connected to the backbone network to the AP is rejected. Is possible. Further, even if the STA newly connecting to the server and trying to enjoy the service of the server or the STA trying to connect to the network is not registered in the database on the authentication server, the connection can be performed. .

As described above, it is possible to eliminate the time and work for setting the encryption key of the access point, which is required in the prior art. Moreover, when the network of the present invention is applied to a conference system, etc. It is possible to connect the participants and to ensure the security in the conference and the like.

[Second Embodiment] A second embodiment of the present invention is an example in which a plurality of stations (STAs) having authentication information are present in a network. Authentication information when several participants gather from and connect to the access point (AP).
This is effective when brought to each department, and is configured as shown in FIGS. 6, 7, and 8.

FIG. 6 is a schematic diagram showing a configuration example in which a plurality of STAs having the authentication information according to the second embodiment are installed, and the STAs are configured by an Ethernet (registered trademark) cable or the like. This is an example of connecting to a backbone wired network. The communication system is a backbone wired network 80.
1. STA 806, STA 807 with storage device 802, terminal device 803, AP 804, storage device 814, STA 808, STA 809, S with storage device 815
TA 810, STA 811 including a storage device 817, printer 812 that provides a print service for forming an image on a print medium, projector 8131, screen 8
Service unit 813 provided with 132, terminal device 81
6 is equipped.

FIG. 7 is a schematic diagram showing a configuration example in the case where a plurality of STAs having the authentication information according to the second embodiment are installed, and of an AP in which a plurality of STAs are installed. This is an example of performing wireless communication with each. The communication system includes an AP 901, an STA 904, and a storage device 911.
STA with 905, STA with storage device 913
914, STA 915, AP 910, STA 903, STA 906, STA 907, S provided with a storage device 912.
It is equipped with TA908.

FIG. 8 is a schematic diagram showing a configuration example in which a plurality of STAs having authentication information according to the second embodiment are installed, and an AP in which a plurality of STAs are installed independently. This is the most basic system showing the configuration for wireless communication. The communication system includes an AP 1201 and a STA 12 including a storage device 1203 for holding authentication information.
02, STA 1204, STA 1205 and STA 1207 having a storage device 1206 for holding authentication information, a terminal unit 12081, a projector 12082, and a service unit 1208 having a screen 12083. STA1202 and STA1205 are APs
1201 and STA1204 and STA1207 are connected to operate.

Next, the operation of the second embodiment configured as described above will be described in detail with reference to the flowchart of FIG. In the figure, 1103 is a wireless access point (AP), and 1104-1106 are stations (S).
TA). STA1104 and STA1106 are
Storage device 11 for respectively registering and storing authentication information in advance
02 and a storage device 1101.

First, the STA 1106 issues a connection request for connection to the AP 1103, as in the first embodiment. At this time, the STA 1106 has the AP 110.
A connection request is made based on the ESSID of 3. At this point,
No encryption key is registered in the AP 1103, or an encryption key that is predetermined and published as necessary is used. The STA 1106 creates an authentication list in advance (step S901). AP110
The STA 1106 connected to the S3 sends the encryption key generated by itself (step S902) to the AP 1103,
After that, communication is encrypted based on this encryption key.

Next, the STA 1104 makes a connection request to the AP 1103 based on the ESSID. Next, STA110
4 makes an authentication request to the AP 1103, and the AP 1103 that has received this authentication request has the STA having the authentication information.
The authentication request is sent to 1106 on behalf. Upon receiving this authentication request, the STA 1106 performs an authentication process (step S903), and checks whether this STA 1104 is registered in the authentication list based on the authentication list (step S904) (step S). Also, it determines whether to provide a service to the STA 1104 based on the service list. STA1106, STA1104
Is registered in the authentication list, authentication is permitted (YES in step S906), and the encryption key and other information are transmitted to the STA 1104 via the AP 1103.
The STA 110 that received the encryption key and other information
4 can start communication.

Next, the STA 1104 sends a request to combine the authentication information via the AP 1103 to the S having the authentication information first.
This is performed for the STA 1106 registered as TA. The STA 1106, which has received the request for combining the authentication information, acquires the authentication list (step S907), and if the request is determined to be appropriate, the STA 1104 stores the authentication information held by the STA 1104.
S is stored in the storage device 1101 of the STA 1106 itself.
It is stored together with the authentication information held by the TA 1106 itself, and then the STA 11 performs the authentication work for the generated authentication request.
Operates as done in 04.

Next, the STA 1105 registered in advance in the storage device (medium) 1102 included in the STA 1104 is authenticated and registered.
A case will be described in which the communication is performed by the. STA1105
First makes a connection request to AP 1103 based on the ESSID. Next, the STA 1105 makes an authentication request to the AP 1103, but since the authentication information of this STA 1105 has already been transferred from the STA 1104 to the STA 1106, the AP 1103 that has received this authentication request makes a request to the STA 1106 having the authentication information. , STA 1105 on behalf of the authentication request. S that received this authentication request
The TA 1106 performs an authentication process (step S90
8), collates whether or not this STA1105 is registered in the authentication list (step S909), and STA11
If 05 is registered in the authentication list, authentication is permitted (YES in step S910), and the encryption key and other information are transmitted to the STA 1105 via the AP 1103. The STA that received the encryption key and other information
1105 can initiate communication.

In the second embodiment, the STA110
4. The processing based on the authentication request from the STA 1105 (whether the authentication is possible and the service is provided) can be manually performed in the STA 1106.

In the second embodiment, the AP100
It is also possible that the STA having authentication information allocates the IP address used by the STA for communication when the STA connected to No. 3 is authenticated by the DHCP function.

As described above, according to the second embodiment, it is possible to eliminate the time and work for setting the encryption key of the access point as in the conventional case.
In addition, when the network of the present invention is applied to a conference system or the like, it is possible to temporarily connect the participants and to ensure security in the conference or the like.

[Third Embodiment] The third embodiment of the present invention has the same configuration as that of the first and second embodiments, and is connected to an access point (AP). The authentication information of the selected station (STA) is registered in the storage device of the access point (AP), and the subsequent authentication is performed by the access point (AP). At this time, if the authentication information of the station (STA) issuing the authentication request is not registered in the registered list, the access point (A
P) transfers the authentication request to another station (STA) having the authentication function, and the station (ST) having the authentication function
A) is configured to perform authentication by manual authentication or automatic authentication by a human. Note that the third embodiment is similar to the first embodiment described above with reference to FIGS.
The configuration shown in is assumed.

Next, the operation of the third embodiment configured as described above will be described in detail with reference to the flowchart of FIG. In the figure, 1506 is a wireless access point (AP), and 1502, 1504, 1505 are stations (STA). The STA 1502 includes a storage device 1501 that registers and stores authentication information in advance. Further, the AP 1506 includes a storage device 1503 that temporarily stores the authentication information from the storage device 1501 provided in the STA 1502.

First, the STA 1502 issues a connection request for connection to the AP 1506 as in the first embodiment. At this time, the STA 1502 has the AP 1506.
A connection request is made based on the ESSID. At this point, A
In P1506, the encryption key is not registered, or the encryption key that is determined in advance and published as necessary is used. Note that the STA 1502 has created an authentication list in advance (step S1001). AP150
The STA 1502 connected to No. 6 sends the encryption key generated by itself (step S1002) to the AP 1506, and thereafter encrypts communication based on this encryption key.

Next, the STA 1502 selects an STA permitted to authenticate by this connection from the authentication information possessed by itself, and registers the selected information list in the storage device 1503 included in the AP 1506. An authentication information registration request is sent to AP 1506, and when permission is obtained from AP 1506, transfer of authentication information is started. Third
In the embodiment of the present invention, the authentication information (stored in the storage device 1501) possessed by the STA 1502 includes the STA 150
4, STA1505 is registered and selected above AP15
The information list that is authorized to be sent to
The following description will be given assuming that only A1504 is registered.

Next, the AP 1506, which has acquired the authentication information from the STA 1502 (step S1003), stores the authentication information in the storage device 1503 and ends the authentication information acquisition processing. At this point, communication is possible with AP 1506 and ST
It is A1502.

Next, the other STA 1504 has the AP 1506.
When an authentication request is made to
P1506 performs an authentication process based on the authentication information already acquired from STA1502 and the encryption key acquired from STA1502 (step S1004). Based on the verification of the authentication list (step S1005), if the authentication is OK (step S1006). YES), authentication permission, key information, and other information (IP address, communication parameters for the STA to receive service provision) are sent to the STA 1504. The STA 1504 that has received the communication becomes communicable.

Next, when the STA 1505 connects to the AP 1506, first, a connection request is made to the AP 1506 based on the ESSID. Next, STA1505 sends AP1
An authentication request is made to 506. At this time, AP1506
Performs the authentication process based on the already acquired authentication information as in the previous time (step S1007). In this case, AP1
Since the STA 1505 is not included in the authentication information stored in the storage device 1503 connected to the 506, the result of the authentication list collation (step S1008) indicates that authentication is not possible (NG) (NO in step S1009). Therefore, the AP 1506 is a STA that has an authentication function.
The authentication processing request is transferred to 1502.

Upon receiving the authentication processing request, the STA 1502
Based on the authentication information stored in the storage device 1501, the authentication process (step S1010) is performed automatically or manually by a human hand (step S1014), and the authentication list is collated based on the authentication list (step S1011) (step S1012). The authentication result (step S1013) is notified to the AP 1506. Further, it is determined whether or not to provide the service based on the service list. In addition to manual authentication, it is possible to manually permit the service. If the notified authentication result is OK, the AP 1506 permits the authentication, and sends the STA 1505 the authentication permission, key information, and other information (IP address, communication parameters for the STA to receive service). The STA 1505 that has received it can communicate.

In the third embodiment, AP1003
When the STA connected to the STA receives authentication, the STA having the authentication information sets the IP address used by the STA for communication.
It can also be assigned by the HCP function.

As described above, according to the third embodiment, it is possible to eliminate the time and work required to set the encryption key of the access point as in the conventional case.
In addition, when the network of the present invention is applied to a conference system or the like, it is possible to temporarily connect the participants and to ensure security in the conference or the like.

[Fourth Embodiment] In the fourth embodiment of the present invention, a terminal device such as a station (STA) and a personal computer according to the present invention is configured as shown in FIG.

FIG. 11 is a block diagram showing a configuration example of the STA according to the fourth embodiment. The STA 1300 includes a wireless unit 1301, a storage device (medium) 1302, a program storage unit 1303, a control unit 1304, and a PIO (Parallel I).
nput / Output) 1305 and a bus 1306. In addition, a terminal device 130 such as a personal computer
8 includes a storage device 1307.

A data exchange connection between the constituent elements of the STA 1300 is performed by the bus 1306, and each constituent element is controlled by the control unit 1304. The connection between the STA 1300 and the terminal device 1308 such as a personal computer is performed by the PIO 1305.
The first embodiment, the second embodiment, and the third embodiment described above are performed based on information such as authentication information and encryption information stored in the storage device 1307 installed in the terminal device 1308. It acts according to the form. The storage device 1307 is a terminal device 1308 such as a connected personal computer.
It is also possible to read and write from and to store the above authentication information.

STA1 is stored in the program storage section 1303.
A program for realizing the operation of 300, various communication parameters, etc. are stored, and the control unit 1304 is operated by these programs, various communication parameters, etc.
Furthermore, the program storage unit 1303 is a terminal device 130 such as a personal computer connected to the STA 1300.
It is also possible to read and write data from the computer 8 and to download programs and various communication parameters from the terminal device 1308.

The radio section 1301 operates to generate and modulate transmission data and send it out as a radio wave to the space, or to receive and demodulate a radio signal and take it in as digital data. The control unit 1304 generates necessary control data or the like according to a communication standard such as IEEE802.11b or IEEE802.11a and outputs it to the wireless unit 1301 or analyzes the control data or the like received by the wireless unit 1301 to perform necessary processing. To do.

Also in the fourth embodiment, by applying the station (STA) shown in FIG. 11 to the system as shown in the above embodiment, the encryption key of the access point can be obtained in the same manner as above. The effect is that time and work for setting are unnecessary and security in a conference or the like can be guaranteed.

[Fifth Embodiment] In the fifth embodiment of the present invention, an access point (AP) according to the present invention is configured as shown in FIG.

FIG. 12 is a block diagram showing a configuration example of the AP according to the fifth embodiment. AP is the wireless unit 140
1, 1408, control unit 1402, program storage unit 14
03, bus 1404, PIO 1405, wired section 140
6. It has an input / output device 1407.

A data exchange connection between the constituent elements of the AP is performed by the bus 1404, and the respective constituent elements are controlled by the control unit 1402. The control unit 1402 generates transmission data and outputs the transmission data to the wireless unit 14.
01 and the wireless unit 1408. The wireless unit 1401 and the wireless unit 1408 operate to modulate transmission data and send it to the space as a radio wave, or to receive and demodulate a radio signal and capture it as digital data. The wireless unit 1401 and the wireless unit 1408 have different ESSIDs and
It operates independently according to the connection request from. The wired unit 1407 is a PHY (Physical layer protoco) compatible with various networks such as Ethernet (registered trademark).
l), MAC (Media Access Control), etc., each device or terminal connected to the wired network, which operates to send or receive data to the wired network,
This AP provides each STA with the service provided by the server or the like.

The program for realizing the operation of the AP shown in the first and second embodiments is the program storage unit 14 together with various communication parameters and the like.
03, and is configured to be executed by the control unit 1402. PIO1405 is parallel,
It is equipped with various interfaces such as a serial interface, and is connected to an input / output device 1407 such as a printer or a display, and provided to each STA from this AP. In addition, the control unit 1
402 is IEEE802.3 or IEEE802.11a, IE
In accordance with a communication standard such as EE802.11b, necessary control data and the like are generated and output through the wireless unit 1401 and the wireless unit 1408, and the data received by the wireless unit 1401 and the wired unit 1407 are analyzed and necessary processing is performed. To do.

Also in the fifth embodiment, by applying the access point (AP) shown in FIG. 12 to the system shown in the above embodiment, the encryption key of the access point is set in the same manner as above. The effect is that time and work for doing so are unnecessary, and security at a conference or the like can be guaranteed.

[Sixth Embodiment] In the sixth embodiment of the present invention, an access point (AP) according to the present invention is configured as shown in FIG.

FIG. 13 is a block diagram showing a configuration example of an AP according to the sixth embodiment. AP is the wireless unit 160
1, 1608, control unit 1602, program storage unit 16
03, bus 1604, PIO 1605, wired section 160
6, an input / output device 1607, and a storage device 1609.

The AP of the sixth embodiment has a configuration in which a means 1609 for storing authentication information is added to each of the constituent elements of the AP of the fifth embodiment, and the data bus 1604 performs authentication. Information and the like are stored, and the operation shown in the third embodiment is performed.

Also in the sixth embodiment, by applying the access point (AP) shown in FIG. 13 to the system shown in the above embodiments, the encryption key of the access point is set in the same manner as above. The effect is that time and work for doing so are unnecessary, and security at a conference or the like can be guaranteed.

[Other Embodiments] In the above embodiment,
As shown in FIGS. 1, 2, 6 and 8, a service unit including a terminal, a projector and a screen, or a service unit including a projector and a screen is connected to an access point to provide a video service related to a conference or the like. Although the present invention has been described as an example, the present invention is not limited to this. For example, when a server device is connected to an access point and a predetermined service such as various information provision is provided from the server device, , Printers, copiers,
The present invention is also applicable to a case where an image forming apparatus such as a multifunction peripheral is connected to an access point and a print service is provided from the image forming apparatus.

The present invention may be applied to a system composed of a plurality of devices or an apparatus composed of a single device. A medium such as a storage medium that stores a program code of software that realizes the functions of the above-described embodiments is supplied to a system or apparatus, and the computer (or CPU or MPU) of the system or apparatus stores the medium in the medium such as the storage medium. It goes without saying that the present invention can also be achieved by reading and executing the executed program code.

In this case, the program code itself read from the medium such as the storage medium realizes the function of the above-described embodiment, and the medium such as the storage medium storing the program code constitutes the present invention. It will be. As a medium such as a storage medium for supplying the program code, for example, a floppy (registered trademark) disk, a hard disk, an optical disk, a magneto-optical disk, a CD-RO.
M, CD-R, magnetic tape, non-volatile memory card,
ROM or download via a network can be used.

Further, by executing the program code read by the computer, not only the functions of the above-described embodiment are realized, but also the OS or the like running on the computer is actually executed based on the instruction of the program code. Needless to say, the present invention includes a case where a part or all of the processing of (1) is performed and the functions of the above-described embodiments are realized by the processing.

Further, after the program code read from a medium such as a storage medium is written in a memory provided in a function expansion board inserted into the computer or a function expansion unit connected to the computer, the instruction of the program code is given. Based on the above, a case where a CPU or the like included in the function expansion board or the function expansion unit performs a part or all of actual processing and the processing realizes the functions of the above-described embodiments is not included in the present invention. Needless to say.

[0071]

As described above, according to the present invention,
By creating authentication information on a station that has authentication information and performing authentication, it is possible to register or delete any station group as needed, and perform operations to register on the network or access point encryption keys. No setting operation is required. In addition, by performing on-the-fly authentication of the station requesting the connection, the connection of the previously connected station is eliminated, or the connection to the access point is denied to the station connected to the backbone network. It becomes possible. In addition, even if a station that is newly connecting to the server and wants to enjoy the service of the server or a station that is trying to connect to the network is not registered in the database on the authentication server, the connection can be made. .

As described above, it is possible to eliminate the time and work for setting the encryption key of the access point, which is required in the prior art. Moreover, when the network of the present invention is applied to the conference system, etc. It is possible to connect the participants and to ensure the security in the conference and the like.

[Brief description of drawings]

FIG. 1 is a diagram showing an STA as an AP according to a first embodiment of the present invention.
It is a schematic diagram which shows the structural example at the time of connecting to a backbone wired network via.

FIG. 2 is a schematic diagram showing a configuration example when a plurality of STAs according to the first embodiment are connected to corresponding APs and receive services.

FIG. 3 is a schematic diagram showing a configuration example when a plurality of STAs according to the first embodiment connect to corresponding APs and receive a service.

FIG. 4 is a flowchart showing an example in which the STA according to the first embodiment receives an AP service.

FIG. 5 is a flowchart showing an example of a case where a cryptographic key according to the first embodiment is predetermined and authentication is performed.

FIG. 6 is a schematic diagram showing a configuration example in the case where a plurality of STAs having the authentication information according to the above-mentioned FIG. 1 according to the second embodiment of the present invention are installed.

FIG. 7 is a schematic diagram showing a configuration example when a plurality of STAs having the authentication information according to FIG. 3 according to the second embodiment are installed.

FIG. 8 is a schematic diagram showing a configuration example when a plurality of STAs having the authentication information according to FIG. 1 according to the second embodiment are installed.

FIG. 9 is a flowchart showing an example in which the STA according to the second embodiment receives an AP service.

FIG. 10 shows an STA according to the third embodiment of the present invention,
It is a flowchart which shows an example at the time of receiving the service of P.

FIG. 11 is a block diagram showing a configuration example of an STA according to a fourth embodiment of the present invention.

FIG. 12 is a block diagram showing a configuration example of an AP according to a fifth embodiment of the present invention.

FIG. 13 is a block diagram showing a configuration example of an AP according to a sixth embodiment of the present invention.

FIG. 14 is a schematic diagram showing a configuration example in which a STA according to a conventional example connects to a backbone wired network via an AP.

FIG. 15 is a schematic diagram showing a configuration example in which a plurality of STAs according to a conventional example are connected to one AP to receive a service.

FIG. 16 is a schematic diagram showing a configuration example when a plurality of STAs according to a conventional example are connected to corresponding APs and receive services.

FIG. 17 is a flowchart showing an example in which a STA according to a conventional example connects to an AP.

[Explanation of symbols]

501, 604, 605, 701, 710, 804, 901, 910, 1201 Access point (communication connection device) 502, 504-506, 606-609, 702-709, 806-811, 903-
908, 914, 915, 1202, 1204, 1205, 1207, 1300 Stations 502, 606, 702, 806, 808, 811, 905, 906, 914, 100
6, 1104, 1106, 1202, 1205, 1502 Station (authentication device) 503, 614, 712, 814, 815, 817, 911 to 913, 1203, 1206
Storage device (storage means) 507, 611, 813, 1208 Service units 601, 602, 801 Core wired network

Claims (25)

[Claims] 1. A communication system capable of providing a service to a plurality of stations via an access point, wherein at least one station among the plurality of stations performs communication related to the provision of the service based on authentication information. It is determined whether to permit the authentication requested from the desired station via the access point and whether to provide a service, and determine whether the authentication is possible to the station desiring the communication via the access point. A communication system characterized by notifying. 2. At least one station of the plurality of stations has a storage unit for storing the authentication information, sends an encryption key to the access point when connecting to the access point, and thereafter the The communication system according to claim 1, wherein communication is encrypted based on an encryption key. 3. The communication system according to claim 1, wherein the access point makes an authentication request from a station desiring the communication on behalf of a station having the authentication function. 4. The station having the authentication function,
The identification information used for communication when the station connecting to the access point and desiring the communication is authenticated is DHCP (Dynamic Host Configuration Protocol).
l) The communication system according to any one of claims 1 to 3, wherein allocation is performed by a function. 5. When an authentication request is made from a station desiring to communicate with a station having the authentication function, it is possible to manually determine whether or not the authentication is possible and whether or not the service is provided. The communication system according to any one of claims 1 to 4, characterized in that: 6. The access point obtains authentication information and an encryption key from a station having the authentication function, and authenticates based on the authentication information and the encryption key in response to an authentication request from a station desiring communication. 6. The communication system according to claim 1, further comprising determining whether or not to provide the service. 7. The access point, when the access point cannot authenticate the station desiring the communication, transfers the authentication request of the station desiring the communication to a station having an authentication function. Item 6. The communication system according to Item 6. 8. The access point, when the station having the authentication function cannot authenticate the station desiring the communication, transfers the authentication request of the station desiring the communication to another station having the authentication function. The communication system according to claim 7, wherein 9. The communication, wherein the access point has a function of storing the authentication information, and when the authentication of a station desiring the communication is permitted, the station desiring the communication receives the service. The communication system according to any one of claims 1 to 8, wherein the parameters are sent to a station which desires the communication together with the authentication permission. 10. A predetermined station having an authentication function acquires authentication information of another station having an authentication function, and collectively determines whether or not to authenticate and whether or not to provide a service. The communication system according to any one of 1 to 9. 11. The communication system according to claim 1, wherein the station is a device attached to or built in an information processing device such as a personal computer. 12. An authentication device constituting a communication system capable of providing a service to a plurality of stations via an access point, wherein a station desiring communication regarding the provision of the service from the access point based on authentication information. Determining whether to permit the requested authentication and whether to provide the service via the access point, and notifying whether the authentication is possible to the station desiring the communication via the access point. Authentication device. 13. A storage means for storing the authentication information, wherein an encryption key is sent to the access point at the time of connection with the access point, and thereafter, communication is encrypted based on the encryption key. The authentication device according to claim 12, which is characterized in that. 14. Identification information used for communication when a station connected to the access point and desiring the communication is authenticated is DHCP (Dynamic Host Configu).
14. The authentication device according to claim 12, wherein the authentication device is assigned by a ration protocol) function. 15. The method according to claim 12, wherein when an authentication request is issued from a station desiring to communicate, it is possible to manually determine whether or not to perform the authentication and whether or not to provide the service. The authentication device according to any one of 1. 16. The authentication information of a station having an authentication function among the plurality of stations is acquired, and the determination as to whether or not the authentication is possible and whether or not the service is provided is collectively performed. The authentication device according to Crab. 17. The authentication device according to claim 12, wherein the authentication device is at least one station of the plurality of stations. 18. A communication connection device constituting a communication system capable of providing a service to a plurality of stations, wherein a station having an authentication function of the plurality of stations desires communication regarding the provision of the service. A communication connection device characterized by performing an authentication request from a station on behalf of the user. 19. Acquiring authentication information and an encryption key from a station having the authentication function, responding to an authentication request from a station desiring the communication based on the authentication information and the encryption key, and providing a service or not. 19. The communication connection device according to claim 18, wherein the permission / prohibition is determined. 20. The communication connection device according to claim 19, wherein when the station that wants to communicate cannot be authenticated, the authentication request of the station that wants to communicate is transferred to a station having an authentication function. 21. When the station having the authentication function cannot authenticate the station desiring the communication, the authentication request of the station desiring the communication is transferred to another station having the authentication function. Item 21. The communication connection device according to item 20. 22. Having a function of storing the authentication information,
In the case of permitting the authentication of the station desiring the communication, the communication parameter for the station desiring the communication to receive the provision of the service together with the authentication permission,
22. The communication connection device according to claim 18, wherein the communication is sent to a desired station. 23. A station authentication method, characterized in that the control procedure in the communication system according to claim 1 is executed. 24. A program storing the control procedure in the communication system according to any one of claims 1 to 11. 25. A storage medium storing the program according to claim 24.