JPWO2016035466A1 - COMMUNICATION SYSTEM, SERVER DEVICE PROGRAM AND RECORDING MEDIUM RECORDING THE SAME, COMMUNICATION DEVICE PROGRAM AND RECORDING MEDIUM RECORDING THE SAME, TERMINAL DEVICE PROGRAM AND RECORDING MEDIUM RECORDING THE SAME - Google Patents

Abstract

An encryption key is distributed from a server to a short-range wireless terminal device regardless of the installation location of the server that manages the encryption key. A server device 2 includes a key storage unit 24 for storing a communication unique key and a terminal unique key, and a shared key K for sharing between the WiFi router 3 and the terminal device 4 based on the communication unique key. Encryption for executing encrypted shared key transmission processing for transmitting the encrypted first encrypted shared key E1 and the second encrypted shared key E2 obtained by encrypting the shared key K based on the terminal unique key to the WiFi router 3 And the WiFi router 3 receives E1 and E2 from the server device 2 and transmits E2 to the terminal device 4 and decrypts E1 based on the communication unique key. And a communication-side shared key decryption unit 34 that obtains K by converting the terminal device 4 to receive the E2 from the WiFi router 3 and decrypt the E2 based on the terminal unique key to obtain the shared key K. And a terminal-side shared key decryption unit 42 to be acquired Yeah.

Description

  The present invention relates to a communication system for managing keys used for communication, a server apparatus program used in the communication system, a recording medium recording the same, a communication apparatus program, a recording medium recording the program, and a terminal apparatus program. And a recording medium recording the same.

  Conventionally, encrypted communication has been widely used to prevent leakage of information and improve security. A technique is known in which an encryption key used in such encrypted communication is generated by a server (key issuing station) different from a user terminal (node) and distributed to each terminal (for example, Patent Document 1). reference).

JP-A-11-187008

  By the way, in recent years, various short-range wireless communication technologies such as WiFi (Wireless Fidelity), ZigBee, Bluetooth (registered trademark), NFC (Near Field Communication), and IrDA (Infrared Data Association) are widely used. Also, terminal devices (hereinafter referred to as short-range wireless terminal devices) having these short-range wireless communication functions are widely used. These short-range wireless terminal devices also have a need to perform encrypted communication.

  However, the above-described technique has a disadvantage that the encryption key cannot be distributed from the server to the short-range wireless terminal device when the server is installed outside the communicable range of the short-range wireless terminal device.

  An object of the present invention is to provide a communication system capable of distributing an encryption key from a server to a short-range wireless terminal device regardless of the installation location of the server that manages the encryption key, a program for the server device, and a recording medium recording the same, A communication apparatus program and a recording medium recording the same, a terminal apparatus program and a recording medium recording the same.

  A communication system according to the present invention is a communication system including a server device, a communication device capable of transmitting / receiving data to / from the server device, and a terminal device capable of transmitting / receiving data to / from the communication device by a wireless communication method. The communication device includes a communication-side storage unit that stores a communication unique key unique to the communication device, and the terminal device includes a terminal-side storage unit that stores a terminal unique key unique to the terminal device. The server device encrypts a key storage unit that stores the communication unique key and the terminal unique key, and a shared key for sharing between the communication device and the terminal device based on the communication unique key. Encrypted shared key transmission for executing encrypted shared key transmission processing for transmitting the first encrypted shared key and the second encrypted shared key obtained by encrypting the shared key based on the terminal unique key to the communication device With The communication device receives the first and second encrypted shared keys from the server device, transmits the second encrypted shared key to the terminal device, and the first encrypted key A communication-side shared key decryption unit that obtains the shared key by decrypting a shared key based on the communication unique key, and the terminal device receives the second encrypted shared key from the communication device. And a terminal-side shared key decryption unit that obtains the shared key by decrypting the second encrypted shared key based on the terminal unique key.

  According to this configuration, even when a short-range wireless terminal device is used as the terminal device, the first encrypted shared key and the second encrypted shared key are transmitted from the server device to the communication device, and the second encrypted The shared secret key is transmitted from the communication device to the terminal device. Then, the communication device acquires the shared key by decrypting the first encrypted shared key based on the communication unique key, and the terminal device receives the second encrypted shared key from the communication device, and receives the second encryption key. The shared key is obtained by decrypting the encrypted shared key based on the terminal unique key. Accordingly, the shared key that is the encryption key can be distributed from the server device to the communication device and the terminal device regardless of the installation location of the server device that manages the encryption key. Also, since the shared key is encrypted and transmitted from the server device to the communication device and from the communication device to the terminal device, the shared key can be distributed to the communication device and the terminal device while maintaining security. Further, since the communication device only transfers the second encrypted shared key encrypted by the server device to the terminal device, it is not necessary for the communication device to perform encryption when the communication device transmits the common key to the terminal device. . If the communication device encrypts the common key and transmits it to the terminal device, the communication device can provide the terminal unique to the terminal device to enable encryption that can be decrypted by the terminal device. It becomes necessary to inform the unique key. However, according to this configuration, since it is not necessary to perform encryption in the communication apparatus, it is not necessary to notify the communication apparatus of a terminal unique key unique to the terminal apparatus. As a result, it is not necessary to notify the terminal unique key used for encryption by the terminal device other than the terminal device and the server device, so that the security when the terminal device performs encrypted communication is improved.

  Moreover, it is preferable that the said terminal device is enabled to transmit / receive the said data with the said communication apparatus by the wireless communication system whose communication distance is 100 m or less.

  According to this configuration, it is possible to transmit and receive data between the terminal device and the communication device by an inexpensive wireless communication method that does not involve a communication carrier.

  In addition, it is preferable that the terminal device further includes an encrypted communication processing unit that performs encrypted communication with the communication device using the shared key acquired by the terminal-side shared key decryption unit.

  According to this configuration, since the wireless communication performed between the communication device and the terminal device is encrypted, the security of the wireless communication can be improved. In addition, since the shared key required for encryption communication is automatically distributed from the server device to the communication device and the terminal device, the user does not need to be aware of encryption, and security can be reduced while reducing the user's effort. Can be improved.

  The communication device further includes a key issue requesting unit that transmits identification information for identifying the device itself to the terminal device, the terminal device receiving the identification information of the communication device received from the communication device; It further includes a terminal information transmission unit that encrypts identification information for identifying its own device based on the terminal unique key and transmits the encrypted information as encrypted terminal information to the communication device, and the communication device is transmitted from the terminal device. And an encryption terminal information transfer unit that transmits the encryption terminal information and identification information for identifying the own device to the server device, wherein the server device transmits the encryption terminal transmitted from the communication device. Information is decrypted based on the terminal unique key to obtain identification information of the communication device, and the decrypted identification information of the communication device and the communication device that transmitted the encrypted terminal information are identified. The identification information for comparison is compared, and when the comparison result matches, the encryption shared key transmission unit executes the encryption shared key transmission process, and when the comparison result does not match, the encryption shared key transmission It is preferable to further include a terminal management unit that does not execute the encrypted shared key transmission process by the unit.

  According to this configuration, when the encrypted terminal information is transmitted to the server device by a communication device different from the communication device that transmitted the identification information for identifying the own device to the terminal device, the encrypted shared key transmission process is performed. Since it is not executed, acquisition of an encryption key by impersonation is prevented.

  Moreover, it is preferable that the communication device further includes a router processing unit that is connected to a communication network and performs routing by being interposed between the terminal device and the communication network.

  According to this configuration, a wireless router device can be used as the communication device.

  The communication device further includes a router processing unit that is connected to a communication network and performs routing between the terminal device and the communication network, and the router processing unit receives the encryption from the terminal device. When encrypted data addressed to the communication network is received, the encrypted data is preferably decrypted using the shared key and transmitted to the communication network.

  According to this configuration, the terminal device can access the communication network via the communication device including the router processing unit. When the terminal device transmits data to a node on a communication network that does not have an encryption key and cannot perform encrypted communication with the terminal device, the terminal device performs communication by encrypting and transmitting the data to the communication device. Since the data is decrypted by the device and transmitted to the communication network, the data can be transmitted to the communication network having no encryption key while improving the security of wireless communication between the terminal device and the communication device. It becomes possible.

  Further, the router processing unit prohibits access from the terminal device to a node other than the server device when the shared key corresponding to the terminal device is not acquired by the communication-side shared key decryption unit. Is preferred.

  According to this configuration, when the shared key corresponding to the terminal device is not acquired by the communication-side shared key decryption unit, that is, encrypted communication based on the shared key cannot be executed between the communication device and the terminal device. The router processing unit prohibits access from the terminal device to nodes other than the server device. As a result, a chance that a radio signal transmitted / received between the communication apparatus and the terminal apparatus is transmitted without being encrypted based on the shared key is reduced. As a result, the security of wireless communication is improved.

  Moreover, it is preferable that the router processing unit authenticates the terminal device based on the shared key and prohibits the terminal device from accessing the communication network when the authentication fails.

  According to this configuration, since the terminal device can access the communication network via the communication device only when the authentication is successful, an unauthorized terminal device is prevented from accessing the communication network via the communication device. it can.

  The communication device may be a portable terminal device that can be carried by a user, and the terminal device may further include an authentication unit that authenticates the communication device based on the shared key.

  According to this configuration, the user's portable terminal device can be used as a communication device. In this case, since the communication device becomes the property of an unspecified user, by authenticating the communication device, it becomes easy to prevent an unauthorized user (communication device) from using the communication system.

  The terminal device can be mounted on a vehicle, and the terminal device controls the vehicle according to data transmitted from the communication device when the authentication unit succeeds in the authentication. It is preferable to further comprise.

  According to this configuration, it is possible to control the vehicle by wireless communication from the communication device while ensuring security by authentication.

  A server device program according to the present invention is a server device program for operating the server device of the communication system described above, and is a shared key for sharing between the communication device and the terminal device. Encrypted shared key transmission in which a first encrypted shared key obtained by encrypting the shared key based on the communication unique key and a second encrypted shared key obtained by encrypting the shared key based on the terminal unique key are transmitted to the communication device. The server device is caused to function as an encrypted shared key transmission unit that executes processing.

  Moreover, the recording medium which recorded the program for server apparatuses which concerns on this invention is a recording medium which recorded the program for server apparatuses for operating the said server apparatus of the above-mentioned communication system, Comprising: The said communication apparatus and the said terminal device A first encrypted shared key obtained by encrypting a shared key based on the communication unique key and a second encrypted shared key obtained by encrypting the shared key based on the terminal unique key. It is a recording medium recording a server device program that causes the server device to function as an encrypted shared key transmission unit that executes encrypted shared key transmission processing to be transmitted to a communication device.

  According to the server device program and the recording medium, the computer can function as the server device described above.

  A communication device program according to the present invention is a communication device program for operating the communication device of the communication system described above, and receives the first and second encrypted shared keys from the server device. An encrypted shared key transfer unit that transmits the second encrypted shared key to the terminal device, and a shared communication side that acquires the shared key by decrypting the first encrypted shared key based on the communication unique key The communication apparatus functions as a key decryption unit.

  Further, a recording medium recording a communication device program according to the present invention is a recording medium recording a communication device program for operating the communication device of the communication system described above. And an encrypted shared key transfer unit that receives the second encrypted shared key and transmits the second encrypted shared key to the terminal device, and decrypts the first encrypted shared key based on the communication unique key. Is a recording medium on which a communication device program that causes the communication device to function as a communication-side shared key decryption unit that acquires the shared key is recorded.

  According to the communication device program and the recording medium, the computer can function as the above-described communication device.

  A terminal device program according to the present invention is a terminal device program for operating the terminal device of the communication system described above, receives the second encrypted shared key from the communication device, and (2) The terminal device is caused to function as a terminal-side shared key decryption unit that acquires the shared key by decrypting the encrypted shared key based on the terminal unique key.

  A recording medium on which a terminal device program according to the present invention is recorded is a recording medium on which a terminal device program for operating the terminal device of the communication system described above is recorded. A program for a terminal device that receives an encrypted shared key and causes the terminal device to function as a terminal-side shared key decryption unit that acquires the shared key by decrypting the second encrypted shared key based on the terminal unique key Is a recording medium.

  According to the terminal device program and the recording medium, the computer can be operated as the above-described terminal device.

  According to the communication system, the server device program and the recording medium recorded therewith, the communication device program and the recording medium recorded therewith, the terminal device program and the recording medium recorded therewith according to such a configuration, The encryption key can be distributed from the server to the short-range wireless terminal device regardless of the installation location of the server to be managed.

It is a block diagram which shows an example of a structure of the communication system which concerns on one Embodiment of this invention. It is explanatory drawing which shows an example of operation | movement of the communication system shown in FIG. It is a block diagram which shows an example of a structure of the car sharing system which concerns on 2nd Embodiment of this invention. It is explanatory drawing which shows an example of operation | movement of the car sharing system shown in FIG.

Embodiments according to the present invention will be described below with reference to the drawings. In addition, the structure which attached | subjected the same code | symbol in each figure shows that it is the same structure, The description is abbreviate | omitted.
(First embodiment)

  FIG. 1 is a block diagram showing an example of the configuration of a communication system according to an embodiment of the present invention. A communication system 1 illustrated in FIG. 1 includes a server device 2, a WiFi router 3 (communication device), and a terminal device 4. The server device 2 and the WiFi router 3 can transmit and receive data to and from each other via the network 5.

  The network 5 is a communication network configured by, for example, a WAN (Wide Area Network) such as the Internet, a telephone line, a public line such as a mobile phone network, and a LAN (Local Area Network). In addition to the server device 2 and the WiFi router 3, a node N is connected to the network 5. The node N is a communication terminal device such as a Web server operated by a third party, for example.

  The terminal device 4 is a terminal device used by a user, for example, a portable personal computer (so-called notebook personal computer) or a tablet terminal device. The terminal device 4 is a short-range wireless terminal device, and is capable of transmitting and receiving data to and from the WiFi router 3 by wireless communication using WiFi, for example. The terminal device 4 cannot directly communicate with the server device 2. The terminal device 4 can communicate with the server device 2 and another terminal device (node N) connected to the network 5 via the WiFi router 3.

  The terminal device 4 includes, for example, a CPU (Central Processing Unit) that executes predetermined arithmetic processing, a RAM (Random Access Memory) that temporarily stores data, and an HDD that stores a terminal device program according to an embodiment of the present invention. (Hard Disk Drive), a non-volatile storage unit such as a flash memory, a short-range wireless communication circuit, and peripheral circuits thereof. For example, a part of the non-volatile storage unit is used as the terminal-side storage unit 44. The terminal-side storage unit 44 stores a terminal unique key unique to the terminal device 4 in advance.

  The terminal device 4 functions as the access processing unit 41, the terminal-side shared key decryption unit 42, and the encrypted communication processing unit 43, for example, by executing a terminal device program stored in the nonvolatile storage unit.

  The terminal device program may be stored in a recording medium such as a USB (Universal Serial Bus) memory, a CD-ROM, or a DVD-ROM. The terminal device 4 may be configured to be able to read the storage medium and execute a terminal device program read from the storage medium. The storage medium is readable by a computer connected to the network 5, and the terminal device 4 downloads the terminal device program read from the storage medium by the computer via the network 5. It may be a configuration.

  The access processing unit 41 executes communication processing for accessing the server device 2 and other terminal devices connected to the network 5 through the WiFi router 3. For example, when the access processing unit 41 accesses the WiFi router 3 for the first time, the access processing unit 41 requests the WiFi router 3 to register the terminal device 4.

  Note that the communication system 1, the server device 2, and the WiFi router 3 each provide identification information (for example, an ID, an IP address, etc.) for identifying the own device when accessing another node N or the network 5. Send to the destination node or network. In the following description, the description of the transmission of identification information is omitted.

  The terminal-side shared key decryption unit 42 receives a second encrypted shared key (to be described later) from the WiFi router 3 and decrypts the second encrypted shared key based on the terminal unique key stored in the terminal-side storage unit 44. To obtain the shared key. The encrypted communication processing unit 43 performs encrypted communication with the WiFi router 3 using the shared key acquired by the terminal-side shared key decrypting unit 42.

  The WiFi router 3 is a so-called router device that performs network routing. The WiFi router 3 includes, for example, a CPU that executes predetermined arithmetic processing, a RAM that temporarily stores data, a non-volatile storage unit such as a flash memory that stores a communication device program according to an embodiment of the present invention, and a network 5. A communication interface circuit (not shown) for accessing the terminal device, a short-range wireless communication circuit for performing wireless communication with the terminal device 4, peripheral circuits thereof, and the like are provided. For example, a part of the nonvolatile storage unit is used as the communication-side storage unit 35. The communication side storage unit 35 stores a communication unique key unique to the WiFi router 3 in advance.

  The WiFi router 3 executes, for example, a communication device program stored in a nonvolatile storage unit, thereby causing a router processing unit 31, a registration request processing unit 32, an encrypted shared key transfer unit 33, and a communication-side shared key decryption unit. 34 functions.

  The communication device program may be stored in a recording medium such as a USB memory, a CD-ROM, or a DVD-ROM. The WiFi router 3 may be configured to be able to read this storage medium and execute a communication device program read from the storage medium. The storage medium is readable by a computer connected to the network 5, and the WiFi router 3 downloads the communication device program read from the storage medium by the computer via the network 5. It may be a configuration.

  In addition, although the WiFi router 3 was shown as an example of a communication apparatus, a communication apparatus is not restricted to what performs wireless communication by WiFi. As a communication method between the communication device and the terminal device 4, in addition to WiFi, for example, a wireless communication method having a communication distance of 100 m or less, such as ZigBee, Bluetooth (registered trademark), NFC, IrDA, etc. Various short-range wireless communication systems such as those using light such as infrared rays and ultraviolet rays can be employed.

  The router processing unit 31 performs routing by being interposed between the terminal device 4 and the network 5. The router processing unit 31 prohibits access from the terminal device 4 to the nodes N other than the server device 2 when the shared key corresponding to the terminal device 4 is not acquired by the communication-side shared key decryption unit 34. Also, when the router processing unit 31 receives data addressed to the network 5 encrypted by encrypted communication from the terminal device 4, the encrypted data is acquired by the communication-side shared key decryption unit 34. It is decrypted using the shared key and transmitted to the network 5.

  When there is a registration request for the terminal device 4 from the terminal device 4 to the WiFi router 3, the registration request processing unit 32 registers the terminal device 4 together with the identification information of the terminal device 4 to the server device 2 via the network 5. Send a registration request requesting The encrypted shared key transfer unit 33 receives the first and second encrypted shared keys from the server device 2 and transmits the second encrypted shared key to the terminal device 4. The communication side shared key decryption unit 34 obtains the shared key by decrypting the first encrypted shared key based on the communication unique key stored in the communication side storage unit 35.

  The server device 2 includes, for example, a CPU that executes predetermined arithmetic processing, a RAM that temporarily stores data, a non-volatile storage unit such as an HDD or a flash memory that stores a server device program according to an embodiment of the present invention, The communication interface circuit (not shown) for accessing the network 5 and peripheral circuits thereof are configured. For example, a part of the nonvolatile storage unit is used as the key storage unit 24.

  In the key storage unit 24, a communication unique key unique to the WiFi router 3 and a terminal unique key unique to the terminal device 4 are stored in advance. The communication unique key and the terminal unique key are input to the server device 2 in advance using an operation unit such as a keyboard (not shown) and stored in the key storage unit 24 in advance. Note that the method for storing the communication unique key and the terminal unique key in advance in the key storage unit 24 is not limited, and various methods can be used.

  The server device 2 functions as a terminal registration processing unit 21, a shared key generation unit 22, and an encrypted shared key transmission unit 23 by executing a server device program stored in a nonvolatile storage unit, for example.

  The server device program may be stored in a recording medium such as a USB memory, a CD-ROM, or a DVD-ROM. The server device 2 may be configured to be able to read the storage medium and execute a server device program read from the storage medium. The storage medium is readable by a computer connected to the network 5, and the server apparatus 2 downloads the server apparatus program read from the storage medium by the computer via the network 5. It may be a configuration.

  Upon receiving the registration request for the terminal device 4 from the WiFi router 3, the terminal registration processing unit 21 stores the identification information of the WiFi router 3 and the identification information of the terminal device 4 in association with each other in the key storage unit 24 and generates a shared key. The unit 22 generates a shared key K for use in encrypted communication between the WiFi router 3 and the terminal device 4 and an authentication password P for use in authentication. The shared key generation unit 22 generates a shared key K and an authentication password P using, for example, random numbers.

  The encrypted shared key transmission unit 23 encrypts the shared key K and the authentication password P generated by the shared key generation unit 22 based on the communication unique key stored in the key storage unit 24 to thereby generate the first cipher. The shared encryption key E1 and the first encrypted password P1 are generated, and the shared key K and the authentication password P are encrypted based on the terminal unique key to obtain the second encrypted shared key E2 and the second encrypted password P2. Generate. Then, the encrypted shared key transmission unit 23 sends the first encrypted shared key E1, the second encrypted shared key E2, the first encrypted password P1, and the second encrypted password P2 to the WiFi router via the network 5. 3 (encrypted shared key transmission process).

  Next, the operation of the communication system 1 configured as described above will be described. FIG. 2 is an explanatory diagram showing an example of the operation of the communication system 1 shown in FIG. First, the access processing unit 41 of the terminal device 4 executes “(1) registration request”, and transmits a registration request to the WiFi router 3 by WiFi wireless communication. In “(1) Registration request”, the WiFi router 3 and the terminal device 4 do not have to encrypt communication, or perform communication by performing standard encryption such as WPA (Wi-Fi Protected Access). May be.

  Next, in the WiFi router 3 that has received the registration request from the terminal device 4, the registration request processing unit 32 executes “(2) registration request”, and sends the terminal device 4 and the WiFi to the server device 2 via the network 5. A registration request for requesting registration of the terminal device 4 is transmitted together with the identification information of the router 3.

  Next, when the server device 2 receives a registration request for the terminal device 4 from the WiFi router 3, the terminal registration processing unit 21 associates the identification information of the WiFi router 3 with the identification information of the terminal device 4, and stores the key storage unit. 24, the shared key generation unit 22 generates a shared key K and an authentication password P for use in authentication.

  Then, the encrypted shared key transmission unit 23 performs “(3) transmission of the first and second encrypted shared keys E1 and E2 and the first and second encrypted passwords P1 and P2” (encrypted shared key transmission process). Is executed. Specifically, the shared key K and the authentication password P generated by the shared key generation unit 22 are encrypted by the encrypted shared key transmission unit 23 based on the communication unique key, respectively, and the first encrypted shared key E1, A first encrypted password P1 is generated, and the shared key K and the authentication password P are encrypted based on the terminal unique key to generate a second encrypted shared key E2 and a second encrypted password P2.

  Then, the encrypted shared key transmission unit 23 sends the first encrypted shared key E1, the second encrypted shared key E2, the first encrypted password P1, and the second encrypted password P2 via the network 5 to the WiFi router 3. Sent to.

  Next, in the WiFi router 3, “(4) transmission of the second encrypted shared key E2 and the second encrypted password P2” is executed. Specifically, the first encrypted shared key E1, the second encrypted shared key E2, the first encrypted password P1, and the second encrypted password received from the server device 2 by the encrypted shared key transfer unit 33. Of P2, the second encrypted shared key E2 and the second encrypted password P2 are transmitted to the terminal device 4. In “(4) Transmission of second encrypted shared key E2 and second encrypted password P2”, the encrypted second encrypted shared key E2 and second encrypted password P2 are transmitted by radio signals. The encrypted second shared encryption key E2 and second encrypted password P2 may be further encrypted by a standard encryption method such as WPA for transmission. This further improves security.

  Next, in the WiFi router 3, “(5) first encrypted shared key E1 → shared key K, first encrypted password P1 → authentication password P” is executed. Specifically, the first encrypted shared key E1 and the first encrypted password P1 received from the server device 2 are used as communication unique keys stored in the communication side storage unit 35 by the communication side shared key decryption unit 34. Based on the decryption, the shared key K and the authentication password P are acquired and stored in the communication-side storage unit 35.

  On the other hand, in the terminal device 4, “(6) second encrypted shared key E2 → shared key K, second encrypted password P2 → authentication password P” is executed. Specifically, the second encrypted shared key E2 and the second encrypted password P2 received from the WiFi router 3 by the terminal side shared key decryption unit 42 are used as the terminal unique key stored in the terminal side storage unit 44. Based on the decryption, the shared key K and the authentication password P are acquired and stored in the terminal-side storage unit 44.

  As described above, according to the processes (1) to (6), the shared key K and the authentication password P are encrypted and transmitted from the server device 2 to the WiFi router 3 and from the WiFi router 3 to the terminal device 4. Even if the server device 2 that generates the shared key K or the authentication password P used as the encryption key is installed farther than the communication distance of the wireless communication by WiFi from the terminal device 4, the short-range wireless communication The shared key K and the authentication password P can be distributed to the terminal device 4 and the WiFi router 3 that are terminal devices while ensuring security.

  Further, encrypted communication based on the shared key K cannot be executed before “(5) first encrypted shared key E1 → shared key K”, that is, between the WiFi router 3 and the terminal device 4. At this time, the router processing unit 31 prohibits access from the terminal device 4 to the node N other than the server device 2. As a result, a chance that a radio signal transmitted and received between the WiFi router 3 and the terminal device 4 is transmitted without being encrypted based on the shared key K is reduced. As a result, the security of wireless communication between the WiFi router 3 and the terminal device 4 is improved.

  Further, according to the process (4), the WiFi router 3 only transfers the second encrypted shared key E1 encrypted by the server device 2 to the terminal device 4, so that the WiFi router 3 is shared by the terminal device 4. When transmitting the key K, the WiFi router 3 does not need to perform encryption. If the WiFi router 3 encrypts the common key K and transmits it to the terminal device 4, the WiFi router 3 can be encrypted by the WiFi router 3 so that the terminal device 4 can decrypt it. The terminal device 4 needs to be notified of a unique terminal unique key. However, according to the process (4), since it is not necessary to perform encryption in the WiFi router 3, it is not necessary to notify the WiFi router 3 of the terminal unique key of the terminal device 4. Accordingly, since it is not necessary to notify the terminal unique key used for encryption by the terminal device 4 to other than the terminal device 4 and the server device 2, security when the terminal device 4 performs encrypted communication is improved.

  Next, when the terminal device 4 transmits data to the node N, first, “(7) authentication process” is executed. Specifically, the access processing unit 41 of the terminal device 4 encrypts the authentication password P with the shared key K and transmits it to the WiFi router 3. In the WiFi router 3, the router processing unit 31 decrypts the data transmitted from the terminal device 4 using the shared key K stored in the communication-side storage unit 35, and stores the decrypted data in the communication-side storage. The authentication password P is compared with the authentication password P stored in the unit 35. If they match as a result of the comparison, the router processing unit 31 notifies the terminal device 4 of successful authentication. On the other hand, if they do not match, the router processing unit 31 notifies the terminal device 4 of the authentication failure, and prohibits the terminal device 4 from accessing the network 5.

  In the terminal device 4, when the authentication success is notified, the access processing unit 41 “(8) transmits data addressed to the node N encrypted with the shared key K”.

  Next, the WiFi router 3 transmits “(9) data decrypted with the shared key K to the node N”. Specifically, the router processing unit 31 decrypts the encrypted data transmitted from the terminal device 4 using the shared key K, and performs routing to the node N designated as the destination. The decrypted data is transmitted to the node N via the network 5.

  Thereby, since the encrypted communication based on the shared key K is performed between the terminal device 4 and the WiFi router 3, the security of the wireless communication between the terminal device 4 and the WiFi router 3 can be improved. . In this case, in the encrypted communication executed between the terminal device 4 and the WiFi router 3, an encryption method with high encryption strength can be appropriately selected and applied according to the importance of the transmitted data. Compared to the case where only standard WPA encryption or the like is used between the terminal device 4 and the WiFi router 3, the security level can be flexibly improved as necessary.

  In (7) and (8), the encrypted authentication password P and data are transmitted by radio signals. The encrypted authentication password P and data are further transferred to a standard encryption method such as WPA. It is also possible to send data after encryption. This further improves security.

Further, (7) the authentication process does not necessarily have to be executed, and the transmission of the first and second encrypted passwords P1 and P2 and the transfer of the second encrypted password P2 are executed in (3) and (4). You don't have to. Further, the router processing unit 31 does not necessarily prohibit the access to the node N when “(5) first encrypted shared key E1 → shared key K” is not executed.
(Second Embodiment)

  Next, a car sharing system that is an example of a communication system according to a second embodiment of the present invention will be described. FIG. 3 is a block diagram showing an example of the configuration of the car sharing system 1a according to the second embodiment of the present invention. The car sharing system 1a shown in FIG. 3 differs from the communication system 1 shown in FIG. 1 in the following points.

  That is, the car sharing system 1 a shown in FIG. 3 includes a mobile terminal device 3 a (communication device) instead of the WiFi router 3 and a vehicle control device 4 a (terminal device) instead of the terminal device 4. As the network 5 shown in FIG. 3, for example, a wireless public line such as a cellular phone network or a PHS (Personal Handy-phone System) is used. The vehicle control device 4a is mounted on the vehicle A shared in the car sharing system 1a and controls the operation of the vehicle A.

  The mobile terminal device 3a is a wireless communication terminal device that can be carried by the user, such as a so-called smartphone, mobile phone, or tablet terminal. The mobile terminal device 3a can communicate with the server device 2a via the network 5 and a short-range wireless communication circuit (not shown) capable of short-range wireless communication with a vehicle control device 4a of 100m or less. An abbreviated wireless communication circuit.

  The mobile terminal device 3a differs from the WiFi router 3 in that it does not include the router processing unit 31, but includes a reservation processing unit 30, a key issuance request unit 36, a command transmission unit 37, a display unit 38, and an operation unit 39. Further, instead of the registration request processing unit 32, a registration request processing unit 32a (encrypted terminal information transfer unit) is provided. The registration request processing unit 32a, the encrypted shared key transfer unit 33, and the communication side shared key decryption unit 34 operate using the server device 2a and the vehicle control device 4a as processing targets instead of the server device 2 and the terminal device 4, respectively. The mobile terminal device 3a executes the communication device program according to the embodiment of the present invention, thereby executing the reservation processing unit 30, the key issue requesting unit 36, the registration request processing unit 32a, the encrypted shared key transfer unit 33, the communication It functions as a side shared key decryption unit 34 and a command transmission unit 37.

  The communication device program may be stored in a recording medium such as a USB memory, a CD-ROM, or a DVD-ROM. The mobile terminal device 3a may be configured to be able to read this storage medium and execute a communication device program read from the storage medium. The storage medium is readable by a computer connected to the network 5, and the mobile terminal device 3 a downloads the communication device program read from the storage medium by the computer via the network 5. It may be configured to.

  The display unit 38 is a display device such as a liquid crystal display device. The operation unit 39 is an operation input device such as a key switch or a touch panel. In addition, the display part 38 and the operation part 39 may be integrally comprised, for example as a touch-panel display in which the liquid crystal display and the touch panel were comprised integrally.

  The operation unit 39 is, for example, a registration instruction operation for registering the mobile terminal device 3a as an operation terminal of the vehicle control device 4a by a user, and a key operation for locking or unlocking the door lock of the vehicle A by the vehicle control device 4a. Various operation instructions such as an instruction and an engine operation instruction for starting or stopping the engine of the vehicle A can be received.

  For example, when a vehicle use reservation operation is accepted by the operation unit 39, the reservation processing unit 30 accesses the server device 2a via the network 5 and transmits a vehicle use reservation request to the server device 2a. Further, the reservation processing unit 30 receives information indicating available vehicles from the server device 2a, and causes the display unit 38 to display a vehicle that the user wants to use from among these vehicles. And the reservation process part 30 transmits the information which shows the vehicle which the user operated and selected the operation part 39 to the server apparatus 2a.

  For example, when a registration instruction operation is accepted by the operation unit 39, the key issue request unit 36 requests a vehicle information transmission request for requesting transmission of vehicle information necessary to issue a shared key for enabling the vehicle A. Is transmitted to the vehicle control device 4a by short-range wireless communication together with the identification information of the own device.

  When the registration request processing unit 32a receives encrypted vehicle information, which will be described later, from the vehicle control device 4a, the registration request processing unit 32a transfers the encrypted vehicle information to the server device 2a via the network 5, whereby the mobile terminal device 3a and the vehicle A Requests registration with the (vehicle control device 4a) and issuance of a shared key for enabling the vehicle A by the mobile terminal device 3a.

  The command transmission part 37 transmits the command according to the user's operation instruction received by the operation part 39 to the vehicle control apparatus 4a by short-range wireless communication. Specifically, a registration command, a key command, and an engine command are transmitted in response to a registration instruction operation, a key operation instruction, and an engine operation instruction, respectively.

  The vehicle control device 4a is different from the terminal device 4 in that the access processing unit 41 is not provided, and a vehicle information transmission unit 45 (terminal information transmission unit), an authentication unit 46, and a vehicle control unit 47 are further provided. The terminal-side shared key decryption unit 42 operates with the server device 2a and the mobile terminal device 3a as processing targets instead of the server device 2 and the WiFi router 3. The terminal-side storage unit 44 stores in advance a terminal unique key unique to the vehicle control device 4a. The vehicle control device 4a functions as a vehicle information transmission unit 45, a terminal-side shared key decryption unit 42, an authentication unit 46, and a vehicle control unit 47 by executing a terminal device program according to an embodiment of the present invention. .

  When a vehicle information transmission request is transmitted from the mobile terminal device 3a, the vehicle information transmission unit 45 transmits the vehicle ID (identification information) for identifying the vehicle A and the identification information of the transmission source mobile terminal device 3a to the terminal side. It encrypts based on the terminal specific key memorize | stored in the memory | storage part 44, and transmits to the portable terminal device 3a as encryption vehicle information (encryption terminal information).

  The authentication unit 46 performs authentication of the mobile terminal device 3a based on the shared key K and the authentication password P acquired by the terminal-side shared key decryption unit 42. When the authentication by the authentication unit 46 is successful, the vehicle control unit 47 controls the vehicle A according to the command transmitted from the mobile terminal device 3a.

  The server device 2a performs vehicle management in the car sharing system. The server device 2a differs from the server device 2 in that a car sharing management unit 25 (terminal management unit) is provided instead of the terminal registration processing unit 21 and a management information storage unit 26 is further provided. In addition, the car sharing management unit 25, the shared key generation unit 22, and the encrypted shared key transmission unit 23 operate with the mobile terminal device 3a and the vehicle control device 4a as processing targets instead of the WiFi router 3 and the terminal device 4, respectively. . The server device 2a functions as the car sharing management unit 25, the shared key generation unit 22, and the encrypted shared key transmission unit 23 by executing the server device program according to the embodiment of the present invention.

  In the key storage unit 24, the vehicle ID of the vehicle that is the target of car sharing and the terminal unique key of the vehicle are stored in advance in association with each other. Here, since the vehicle control device 4a is mounted on the vehicle A and the vehicle control device 4a and the vehicle A correspond one-to-one, the vehicle ID corresponds to an example of identification information of the vehicle control device 4a. The terminal unique key corresponds to an example of a terminal unique key of the vehicle control device 4a. Further, in the key storage unit 24, identification information of the mobile terminal device 3a of the user who performs car sharing and a communication unique key of the mobile terminal device 3a are stored in association with each other.

  The management information storage unit 26 is configured by a storage device such as an HDD device, for example, and stores management information of vehicles to be car-shared.

  The car sharing management part 25 will transmit the information which shows the vehicle which can be utilized to the portable terminal device 3a, if the utilization reservation request | requirement of a vehicle is received from the portable terminal device 3a. When the car sharing management unit 25 receives information indicating the vehicle selected by the user from the mobile terminal device 3a, the car sharing management unit 25 associates the vehicle ID indicating the vehicle with the identification information of the mobile terminal device 3a, and manages it as reservation information. The information is stored in the information storage unit 26.

  In addition, when the car sharing management unit 25 receives the encrypted vehicle information from the registration request processing unit 32a of the mobile terminal device 3a, the car sharing management unit 25 refers to the management information storage unit 26, and uses the reservation information as the transmission source of the encrypted vehicle information. The vehicle ID associated with the identification information of the mobile terminal device 3a is acquired as the vehicle ID of the rental reservation target. Then, the car sharing management unit 25 refers to the key storage unit 24, obtains the terminal unique key of the vehicle associated with the rental reservation target vehicle ID, and decrypts the encrypted vehicle information with the terminal unique key. By doing this, the vehicle ID of the vehicle A and the identification information of the mobile terminal device 3a are acquired.

  Furthermore, the car sharing management unit 25, when the identification information of the mobile terminal device 3a obtained by decrypting the encrypted vehicle information matches the identification information of the mobile terminal device 3a that is the transmission source of the encrypted vehicle information The vehicle ID of the vehicle A obtained by decrypting the encrypted vehicle information and the identification information of the portable terminal device 3a are associated with each other and stored in the management information storage unit 26 as the rental information of the vehicle A, and the shared key generation unit 22 generates a shared key K and an authentication password P for use in authentication between the mobile terminal device 3a and the vehicle control device 4a.

  The shared key generation unit 22 and the encrypted shared key transmission unit 23 are the same as the above-described shared key generation unit 22 and the encrypted shared key transmission unit 23 except that the transmission destination is the mobile terminal device 3a. Is omitted.

  Next, the operation of the car sharing system 1a configured as described above will be described. FIG. 4 is an explanatory diagram showing an example of the operation of the car sharing system 1a shown in FIG. First, the reservation processing unit 30 and the car sharing management unit 25 execute “(11) reservation processing”. Specifically, for example, when a vehicle use reservation operation is received by the operation unit 39, a vehicle use reservation request is transmitted from the reservation processing unit 30 to the server device 2a via the network 5.

  When the use reservation request is received by the server device 2a, the car sharing management unit 25 transmits information indicating a usable vehicle to the mobile terminal device 3a.

  Next, when information indicating vehicles that can be used by the mobile terminal device 3a is received, the reservation processing unit 30 causes the display unit 38 to display a vehicle that the user wants to use from among these vehicles. And if a user operates the operation part 39 and selects a vehicle, the reservation process part 30 will transmit the information which shows the selected vehicle to the server apparatus 2a.

  When information indicating the vehicle selected by the user is received by the server device 2a, the car sharing management unit 25 associates the vehicle ID indicating the vehicle with the identification information of the portable terminal device 3a as reservation information. The information is stored in the management information storage unit 26. Thereby, “(11) reservation process” is completed.

  Next, when the user borrows the vehicle A, when the user approaches the vehicle A and operates the operation unit 39 of the mobile terminal device 3a to perform a registration instruction operation, the key issue request unit 36 performs “(12) vehicle An “information transmission request” is transmitted to the vehicle control device 4a by short-range wireless communication.

  When “(12) vehicle information transmission request” is received by the vehicle control device 4a, the vehicle information transmission unit 45 determines that the vehicle ID of the vehicle A and the identification information of the mobile terminal device 3a that is the transmission source are the vehicle control device. Encrypted vehicle information is generated by encryption based on the terminal unique key of 4a, and “(13) Encrypted vehicle information encrypted with the terminal unique key” is transmitted to the portable terminal device 3a by short-range wireless communication. .

  Next, when the encrypted vehicle information is received by the mobile terminal device 3a, the registration request processing unit 32a executes "(14) Encrypted vehicle information transfer (registration request)". Specifically, the registration request processing unit 32a requests registration between the mobile terminal device 3a and the vehicle A (vehicle control device 4a), and issuance of a shared key for making the vehicle A usable by the mobile terminal device 3a. As the registration request, the encrypted vehicle information is transferred to the server device 2a.

  Next, when the encrypted vehicle information (registration request) is received by the server device 2a, the car sharing management unit 25 executes “(15) reservation confirmation and use registration”. Specifically, the car sharing management unit 25 refers to the management information storage unit 26, acquires the vehicle ID targeted for lending reservation based on the reservation information, and further refers to the key storage unit 24 for the vehicle reserved for lending reservation. Is obtained, and the vehicle ID of the vehicle A and the identification information of the portable terminal device 3a are obtained by decrypting the encrypted vehicle information with the terminal unique key.

  Furthermore, the car sharing management unit 25, when the identification information of the mobile terminal device 3a obtained by decrypting the encrypted vehicle information matches the identification information of the mobile terminal device 3a that is the transmission source of the encrypted vehicle information The vehicle ID of the vehicle A obtained by decrypting the encrypted vehicle information and the identification information of the mobile terminal device 3a are associated with each other, stored as rental registration information of the vehicle A in the management information storage unit 26 as a use registration, and shared The key generation unit 22 generates a shared key K and an authentication password P for use in authentication between the mobile terminal device 3a and the vehicle control device 4a, and the encrypted shared key transmission unit 23 performs an encrypted shared key transmission process. (16) Execute first and second encrypted shared keys E1, E2 and first and second encrypted passwords P1, P2 ". Subsequently, in the same manner as (4) to (6), “(17) transmission of second encrypted shared key E2 and second encrypted password P2”, “(18) first encrypted shared key E1 → Shared key K, first encrypted password P1 → authentication password P ”,“ (19) second encrypted shared key E2 → shared key K, second encrypted password P2 → authentication password P ”are executed.

  On the other hand, in “(15) Reservation confirmation and use registration”, the identification information of the portable terminal device 3a obtained by decrypting the encrypted vehicle information, and the identification information of the portable terminal device 3a that is the transmission source of the encrypted vehicle information, If they do not match, the car sharing management unit 25 notifies the mobile terminal device 3a of an error, and ends the subsequent processing.

  As described above, according to the processes (11) to (15), “(14) Encrypted vehicle information transfer (registration request) is performed by a mobile terminal device different from the mobile terminal device 3a that has executed“ (12) vehicle information transmission request ”. ) ”Is executed, the car sharing management unit 25 determines that the error has occurred. Therefore, the first and second ciphers are executed by a mobile terminal device different from the mobile terminal device 3a that has executed“ (12) vehicle information transmission request ”. It is possible to prevent so-called spoofing in which the encrypted shared keys E1, E2 and the first and second encrypted passwords P1, P2 are acquired.

  Further, according to the process of (15), the vehicle ID and the identification information of the mobile terminal device 3a included in the encrypted vehicle information obtained in (14) are the vehicle ID and the mobile terminal device 3a reserved in advance. If it is different from the identification information, the car sharing management unit 25 cannot obtain the terminal unique key that can decrypt the encrypted vehicle information, and therefore cannot decrypt the encrypted vehicle information. As a result, since the process (16) is not executed, it is possible to prevent a user who has not made a reservation from borrowing the vehicle A by mistake.

  In addition, the vehicle A on which the vehicle control device 4a is mounted is usually located far away from the range where communication with the server device 2a is possible. According to the processes (11) to (19), (1) Similarly to (6), even when the vehicle A (vehicle control device 4a) is installed at a distance, the shared key K is transferred from the server device 2a to the portable terminal device 3a that is a short-range wireless terminal device, and It can be distributed to the vehicle control device 4a while ensuring security.

  Further, according to the process of (17), as in the process of (4), the mobile terminal device 3a uses the second encrypted shared key E1 and the second encrypted password P2 encrypted by the server device 2a as the vehicle. Since it is only transferred to the control device 4a, it is not necessary for the mobile terminal device 3a to perform encryption when the mobile terminal device 3a transmits the common key K to the vehicle control device 4a. Therefore, since it is not necessary to notify the terminal unique key used for encryption by the vehicle control device 4a to other than the vehicle control device 4a and the server device 2, security when the vehicle control device 4a performs encrypted communication is improved. In particular, in the car sharing system 1a, the server device 2a and the vehicle A (vehicle control device 4a) are equipment of a car sharing company, whereas the mobile terminal device 3a is owned by an unspecified user. The fact that there is no need to inform the mobile terminal device 3a of the terminal unique key of the vehicle control device 4a has a great security advantage.

  Next, when the user operates the operation unit 39 to use the vehicle A, the command transmission unit 37 executes “(20) Request for control of the vehicle A” and transmits the control command to the vehicle control device 4a. The Specifically, for example, when the user operates the operation unit 39 of the mobile terminal device 3a to perform the unlocking operation of the door of the vehicle A, the command transmission unit 37 transmits the key command and the authentication password P to the shared key. It encrypts using K, and transmits to the vehicle control apparatus 4a as a control request.

  When the vehicle control device 4a receives the encrypted control request, the authentication unit 46 executes “(21) authentication process”. Specifically, the authentication unit 46 decrypts the control request based on the shared key K, and acquires the key command and the authentication password P. Then, the authentication unit 46 compares the authentication password P obtained by decryption with the authentication password P stored in the terminal-side storage unit 44. If they match, the authentication unit 46 determines that the authentication is successful. Judge as failure.

  When the authentication by the authentication unit 46 is successful, the vehicle control unit 47 executes control according to the above-described control request, for example, control for switching the door lock of the vehicle A to unlocking or locking according to the key command. On the other hand, when the authentication by the authentication unit 46 fails, the vehicle control unit 47 does not perform control according to the above-described control request.

  As described above, according to the processes (20) and (21), the mobile terminal device 3a is authenticated based on the shared key K, and the user (mobile terminal device 3a) can operate the vehicle A only when the authentication is successful. Therefore, a third party other than the user (mobile terminal device 3a) registered in the server device 2a is prevented from using (borrowing) the vehicle A. As a result, a so-called unmanned car sharing system that does not require an administrator of the vehicle A can be easily configured.

  In addition, although the car sharing system 1a was shown as an example of a communication system, a communication system is not restricted to a car sharing system. The vehicle control device 4a may be a terminal device that is not mounted on the vehicle A, and the server device 2a is not limited to one that manages the vehicle A.

DESCRIPTION OF SYMBOLS 1 Communication system 1a Car sharing system 2, 2a Server apparatus 3 WiFi router (communication apparatus)
3a Mobile terminal device (communication device)
4 Terminal device 4a Vehicle control device (terminal device)
5 Network 21 Terminal Registration Processing Unit 22 Shared Key Generation Unit 23 Encrypted Shared Key Transmission Unit 24 Key Storage Unit 25 Car Sharing Management Unit (Terminal Management Unit)
26 Management Information Storage Unit 30 Reservation Processing Unit 31 Router Processing Unit 32 Registration Request Processing Unit 32a Registration Request Processing Unit (Encrypted Terminal Information Transfer Unit)
33 Encryption shared key transfer unit 34 Communication side shared key decryption unit 35 Communication side storage unit 36 Key issue request unit 37 Command transmission unit 38 Display unit 39 Operation unit 41 Access processing unit 42 Terminal side shared key decryption unit 43 Encrypted communication processing Unit 44 terminal side storage unit 45 vehicle information transmission unit 46 authentication unit 47 vehicle control unit A vehicle E1 first encryption shared key E2 second encryption shared key K shared key N node P authentication password P1 first encryption password P2 first 2 Encryption password

Claims (16)

A communication system including a server device, a communication device capable of transmitting / receiving data to / from the server device, and a terminal device capable of transmitting / receiving data to / from the communication device by a wireless communication method,
The communication device includes a communication-side storage unit that stores a communication unique key unique to the communication device,
The terminal device includes a terminal-side storage unit that stores a terminal unique key unique to the terminal device,
The server device
A key storage unit for storing the communication unique key and the terminal unique key;
A first encrypted shared key obtained by encrypting a shared key for sharing between the communication device and the terminal device based on the communication unique key; and a second encrypted key obtained by encrypting the shared key based on the terminal unique key. An encrypted shared key transmitting unit that executes an encrypted shared key transmission process for transmitting an encrypted shared key to the communication device;
The communication device
An encrypted shared key transfer unit that receives the first and second encrypted shared keys from the server device and transmits the second encrypted shared key to the terminal device;
A communication-side shared key decryption unit that acquires the shared key by decrypting the first encrypted shared key based on the communication unique key;
The terminal device
A terminal-side shared key decryption unit that receives the second encrypted shared key from the communication device and obtains the shared key by decrypting the second encrypted shared key based on the terminal unique key; Communications system.   The communication system according to claim 1, wherein the terminal device is configured to be able to transmit and receive data to and from the communication device by a wireless communication method having a communication distance of 100 m or less.   The said terminal device is further equipped with the encryption communication process part which performs encrypted communication between the said communication apparatuses using the said shared key acquired by the said terminal side shared key decoding part. Communications system. The communication device further includes a key issue request unit that transmits identification information for identifying the device itself to the terminal device,
The terminal device encrypts the identification information of the communication device received from the communication device and the identification information for identifying the own device based on the terminal unique key, and transmits the encrypted information to the communication device as encrypted terminal information. A terminal information transmission unit;
The communication device further includes an encrypted terminal information transfer unit that transmits the encrypted terminal information transmitted from the terminal device and identification information for identifying the own device to the server device,
The server device decrypts the encrypted terminal information transmitted from the communication device based on the terminal unique key to obtain the identification information of the communication device, and the decrypted identification information of the communication device; Compared with the identification information for identifying the communication device that has transmitted the encrypted terminal information, if the comparison result matches, the encrypted shared key transmission unit to execute the encrypted shared key transmission process, The communication system according to any one of claims 1 to 3, further comprising a terminal management unit that does not cause the encrypted shared key transmission unit to execute the encrypted shared key transmission process when they do not match. The communication device
The communication system according to any one of claims 1 to 4, further comprising a router processing unit that is connected to a communication network and performs routing by being interposed between the terminal device and the communication network. The communication device
A router processing unit connected to a communication network, further comprising a router that performs intervening between the terminal device and the communication network,
When the router processing unit receives data addressed to the communication network encrypted by the encrypted communication from the terminal device, the router processing unit decrypts the encrypted data using the shared key and performs the communication The communication system according to claim 3, wherein the communication system transmits to a network. The router processing unit
The communication system according to claim 5 or 6, wherein when the shared key corresponding to the terminal device is not acquired by the communication-side shared key decryption unit, access from the terminal device to a node other than the server device is prohibited. . The router processing unit
The communication system according to any one of claims 5 to 7, wherein authentication of the terminal device is performed based on the shared key, and when the authentication fails, access to the communication network by the terminal device is prohibited. The communication device is a portable terminal device that can be carried by a user,
The communication system according to claim 1, wherein the terminal device further includes an authentication unit that authenticates the communication device based on the shared key. The terminal device can be mounted on a vehicle,
The communication system according to claim 9, wherein the terminal device further includes a vehicle control unit that controls the vehicle according to data transmitted from the communication device when the authentication unit succeeds in the authentication. A program for a server device for operating the server device of the communication system according to any one of claims 1 to 10,
A first encrypted shared key obtained by encrypting a shared key for sharing between the communication device and the terminal device based on the communication unique key; and a second encrypted key obtained by encrypting the shared key based on the terminal unique key. A program for a server device that causes the server device to function as an encrypted shared key transmission unit that executes an encrypted shared key transmission process for transmitting an encrypted shared key to the communication device. A communication device program for operating the communication device of the communication system according to any one of claims 1 to 10,
An encrypted shared key transfer unit that receives the first and second encrypted shared keys from the server device and transmits the second encrypted shared key to the terminal device;
A program for a communication device that causes the communication device to function as a communication-side shared key decryption unit that acquires the shared key by decrypting the first encrypted shared key based on the communication unique key. A program for a terminal device for operating the terminal device of the communication system according to any one of claims 1 to 10,
The terminal device as a terminal-side shared key decryption unit that receives the second encrypted shared key from the communication device and obtains the shared key by decrypting the second encrypted shared key based on the terminal unique key A program for a terminal device that functions. A recording medium storing a server device program for operating the server device of the communication system according to any one of claims 1 to 10,
A first encrypted shared key obtained by encrypting a shared key for sharing between the communication device and the terminal device based on the communication unique key; and a second encrypted key obtained by encrypting the shared key based on the terminal unique key. A recording medium storing a server device program that causes the server device to function as an encrypted shared key transmission unit that executes an encrypted shared key transmission process of transmitting an encrypted shared key to the communication device. A recording medium recording a communication device program for operating the communication device of the communication system according to any one of claims 1 to 10,
An encrypted shared key transfer unit that receives the first and second encrypted shared keys from the server device and transmits the second encrypted shared key to the terminal device;
A recording medium storing a communication device program that causes the communication device to function as a communication-side shared key decryption unit that acquires the shared key by decrypting the first encrypted shared key based on the communication unique key. A recording medium recording a program for a terminal device for operating the terminal device of the communication system according to any one of claims 1 to 10,
The terminal device as a terminal-side shared key decryption unit that receives the second encrypted shared key from the communication device and obtains the shared key by decrypting the second encrypted shared key based on the terminal unique key A recording medium that records a program for a terminal device that causes the device to function.

Images