WO2020096162A1 - Method and device for secure communication in wireless communication system - Google Patents
- Publication number
- WO2020096162A1 (PCT/KR2019/008226)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- secure communication
- iot
- resource
- ocf
- iot device
- Prior art date
Classifications
- H—ELECTRICITY > H04—ELECTRIC COMMUNICATION TECHNIQUE > H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/40—Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
Definitions
- the present invention relates to an Internet of Things (IoT) device and a method performed in connection with an IoT device. Specifically, the present invention relates to secure communication between IoT devices.
- IoT Internet of Things
- OIC Open Interconnect Consortium
- The OCF standardization organization (the successor of the OIC) is developing technologies for providing IoT services and open platforms, such as communication between IoT devices, cloud use, and interworking with other IoT standards (oneM2M, OMA LWM2M, BLE, Zigbee, Z-Wave, GENIVI, etc.).
- IoT standards oneM2M, OMA LWM2M, BLE, Zigbee, Z-Wave, GENIVI, etc.
- An apparatus for providing a service according to the OCF standard includes a server for providing a resource and a client for accessing the resource.
- the technical problem to be achieved by the present invention is to provide a secure communication method for a client entering a network and a device therefor.
- the technical problem of the present invention is not limited to the above-described technical problem, and other technical problems can be inferred from the embodiments of the present invention.
- the present invention provides a secure communication method and apparatus in a wireless communication system.
- A secure communication method performed by a first device in a wireless communication system may include: discovering an Internet of Things (IoT) device belonging to a network configured by a second device, the IoT device having been pre-set to perform secure communication with the second device; checking whether the IoT device supports Anonymous Credential Generation (ACG); if the IoT device supports ACG, performing security authentication with the IoT device even though no security-related message has been received from the second device; and performing secure communication with the IoT device based on that authentication.
- ACG Anonymous Credential Generation
- A first device for performing secure communication in a wireless communication system may include a transceiver and a processor that controls the transceiver. The processor discovers an IoT device belonging to the network configured by a second device, the IoT device being preset to perform secure communication with the second device; checks whether the IoT device supports ACG (Anonymous Credential Generation); if it does, performs security authentication with the IoT device even though no security-related message has been received from the second device; and performs secure communication with the IoT device based on that authentication.
- the IoT device may include an access control list (ACL) resource for indicating a list of resources accessible by the first device.
- ACL access control list
- the ACL resource may include information on resources accessible by the first device even when the first device is not previously authenticated by the second device.
- The security authentication may be performed by generating a Pre-Shared Key (PSK) from one or more of a PIN, an ID/password, and/or a QR (Quick Response) code, and the secure communication may then be performed based on the generated PSK.
- PSK Pre-Shared Key
- the secure authentication and secure communication may be performed based on a certificate pre-stored in the first device and the IoT device.
- FIG. 1 is a view showing the connectivity and interoperability of the OCF platform.
- FIG. 2 is a diagram showing the framework structure of the OCF platform.
- FIG. 3 is a diagram showing requests and responses exchanged between a client, an intermediary, and a server.
- FIG. 4 is a diagram showing a protocol stack that can be supported in the OCF standard.
- FIG. 5 is a diagram showing the wide range of functions that can be supported through OCF.
- FIG. 6 is a diagram illustrating an example of performing a CRUDN operation.
- FIG. 7 is a view showing an example of the operation of the OCF system based on the onboarding tool.
- FIG. 8 is a diagram illustrating an example of a DTLS cipher suite negotiation.
- FIGS. 9 to 15 are views illustrating secure communication according to an embodiment of the present invention.
- FIG. 16 shows a flow chart according to an embodiment of the present invention.
- FIG. 17 shows an apparatus according to an embodiment of the present invention.
- the 3GPP-based mobile communication system is mainly described, but the technical spirit of the present invention is not limited thereto.
- the following technology can be used for various IoT services or platforms, such as oneM2M, OMA LWM2M, BLE, Zigbee, Z-Wave, GENIVI.
- specific terms used in the following description are provided to help understanding of the present invention, and the use of these specific terms may be changed to other forms without departing from the technical spirit of the present invention.
- FIG. 1 is a view showing the connectivity and interoperability of the OCF platform.
- OCF defines a common platform that presents basic services and data models that connect and collaborate with various verticals such as health, smart home, and industrial IoT.
- The OCF platform provides interoperability at the connectivity level, at the platform level, and between service layers.
- The OCF platform aims at full interoperability up to the user experience (UX) level.
- the OCF standard defines data structures, types, properties, and interfaces for resources.
- The OCF standard covers device authentication, security functions, access control to resources in the OCF network, discovery of devices that may be included in the OCF network, commands for resources (CREATE, RETRIEVE, UPDATE, DELETE, and NOTIFY; CRUDN), messages for resources, and a framework for connecting the OCF network to the Internet (IPv6, etc.).
- FIG. 2 is a diagram showing the framework structure of the OCF platform.
- the operation and main concepts of the OCF platform will be described with reference to FIG. 2.
- The concepts described below (the resource model, RESTful operations, and the abstraction layers) are basic characteristics of OCF operations and standards.
- the OCF device may support one or more roles of client, server and / or intermediary.
- A role supported by an OCF device is a logical entity, and one OCF device may support more than one role.
- 'device' may refer to a physical device including a logical entity, or may refer to the logical entity itself.
- the client device means a device that serves to access a server resource.
- the server device means a device that provides resource state information and is capable of performing remote interaction on the resource.
- the intermediary device means a device that provides an OCF proxy role. In other words, it is a device that acts as an intermediary for processing request messages for OCF resources hosted by the server device.
- the client can request the CRUDN operation for the resource from the server.
- the server can perform the CRUDN operation requested by the client. Resource designation and operation designation between the client and the server may be performed based on a RESTful resource model.
- An intermediary, on receiving a request to process an OCF resource hosted by another OCF server, may generate a further request according to its processing configuration, forward it to that OCF server, and return the resulting response to the original requester.
- the resource model corresponds to the actual entity represented by the OCF resource.
- CRUDN operations of the upper layer (e.g. OCF client, OCF server) are carried by the request and response messages of a transfer protocol in the lower layer (e.g. OCF device), such as CoAP (Constrained Application Protocol) or XMPP (Extensible Messaging and Presence Protocol).
- CoAP Constrained Application Protocol
- XMPP Extensible Messaging and Presence Protocol
- CRUDN operation occurs between the OCF client and the OCF server.
- A CRUDN operation may be transmitted and received as a CoAP request and CoAP response signaling message (e.g. GET /s/data with the payload {"bulb": "on"}) through protocol mapping.
- the CRUDN operation may be transmitted and received through Hypertext Transfer Protocol (HTTP) and / or XMPP other than CoAP through protocol mapping.
- HTTP Hypertext Transfer Protocol
- For example, the request and response between the client and the intermediary may be carried over HTTP, while those between the intermediary and the server are carried over CoAP.
- The encoding layer of the protocol stack illustrated in FIG. 4 supports CBOR (Concise Binary Object Representation, based on the JSON data model) by default; JSON and XML/EXI encodings may also be used.
- JSON JavaScript Object Notation
- CBOR Concise Binary Object Representation
- EXI Efficient XML Interchange
- CoAP discovery is used for discovery of the end point (IETF RFC 7252).
- Above the L2 layer, an IPv6 profile suitable for IoT devices is used.
- A Datagram Transport Layer Security (DTLS) layer may sit on the User Datagram Protocol (UDP) layer, and a Transport Layer Security (TLS) layer on the Transmission Control Protocol (TCP) layer.
- DTLS Datagram Transport Layer Security
- TLS Transport Layer Security
- TCP Transmission Control Protocol
- FIG. 5 is a diagram illustrating functions supportable through the OCF at a high level.
- The L2 connectivity layer may use existing wireless communication technologies such as Wi-Fi (wireless fidelity), Bluetooth (BT) and/or Z-Wave.
- CRUDN operation is an operation that can be requested for a resource, and there may be 5 commands as shown in Table 2.
- the server including the resource executes a CRUDN command for the resource.
- FIG. 6 shows an example of performing a CRUDN operation.
- the client sends a Create request to the server during CRUDN operation.
- the server that receives the Create command performs Create on the resource.
- the server that created the resource sends a response to the request received from the client.
- Table 3 shows parameters that may be included in the CRUDN message.
- IoT devices and related functions are modeled in the form of devices and resources that computers can understand, and communication is performed through CRUDN Restful operations between devices.
- the client device starts communication between devices by performing a role of accessing a server resource.
- the server device provides resource status information according to a command requested by the client device, and performs remote interaction on the resource.
- SVRs Secure Virtual Resources
- OBT Onboarding Tool
- Onboarding is for initial setup for a new IoT device, and is for one or more of ownership transfer, access control setup and / or credential setup.
- the service entity may include one or more of Device Ownership Transfer Service (DOTS), Access Manager Service (AMS) and / or Certification Management Service (CMS).
- DOTS Device Ownership Transfer Service
- AMS Access Manager Service
- CMS Certification Management Service
- DTLS Datagram Transport Layer Security
- D2D Device-to-Device
- UDP User Datagram Protocol
- TLS Transport layer security
- T2C Device-to-Central
- Encrypted communication may be established through a handshake based on cipher suites between the devices, generation of a session key, and the like.
- IoT device-to-device authentication may be performed based on a credential during the DTLS or TLS handshake.
- Credentials may be pre-shared symmetric keys, asymmetric key pairs (public and private keys) and/or certificates (e.g. X.509 certificates).
- the access authority for the OCF resource may be set / managed by access control entries (ACEs) and / or access control lists (ACLs).
- ACEs access control entries
- ACLs access control lists
- the SVR may include the following resources.
- The /oic/sec/doxm resource is a resource for managing the device ownership transfer method.
- It may include the Device UUID (universally unique identifier), the owner ID of the unique administrator device, a selection field indicating the supported (and selected) ownership transfer method, and an Owned flag giving the ownership status.
- the / oic / sec / pstat is a resource for managing provisioning status.
- The /oic/sec/pstat resource may include a Resource Owner ID indicating the unique administrator ID allowed to access the resource, and a Current Provisioning Mode indicating the current provisioning state of the device.
- / oic / sec / cred is a resource for managing credentials.
- The /oic/sec/cred resource may include a Resource Owner ID indicating the unique administrator ID allowed to access the resource, and a Credentials array storing the credentials required for device authentication.
- / oic / sec / acl2 is a resource for managing access control lists.
- The /oic/sec/acl2 resource may include a Resource Owner ID indicating the unique administrator ID allowed to access the resource, and an Access Control Entries array storing the information required for device access control.
- /oic/sec/amacl, which manages ACL settings, and /oic/sec/roles, which defines the roles of each device, may also be included as resources in the SVR.
- Roles for each device may include an administrator, a user, and a guest.
- the basic flow of onboarding related to security setting is as follows.
- A new OCF device may be discovered by an OBT (e.g. DOTS).
- OBT e.g. DOTS
- CoAP messages can be transmitted in a multicast manner to the same IP subnet (Internet Protocol subnet) using a specific URL (Uniform Resource Locator).
- URL Uniform Resource Locator
- For example, a RETRIEVE of the /oic/res resource, the IPv6 multicast address ff02::158, and port 5683 may be used for the discovery message.
- A device that is not yet owned, on receiving the CoAP message from the DOTS, sends a response including information on how its ownership can be transferred.
- The ownership transfer methods (OTMs) may include Just Works (JW), a PIN (Personal Identification Number) based method, and/or a certificate based method.
- OTM Ownership Transfer Method
- JW Just Works
- PIN Personal Identification Number
- The Just Works method performs no separate authentication at the initial connection between the OBT and the new device; the PIN and certificate methods authenticate that connection with a shared PIN or with certificates, respectively.
- Transfer of ownership may mean transferring authority related to the IoT device from the manufacturer of the IoT device to the purchaser of the IoT device.
- DOTS selects one of the OTM methods currently supported by new devices without ownership.
- A DTLS handshake is performed between the DOTS and the unowned device, after which the transfer of ownership is performed.
- Transfer of ownership may include setting a specific OBT (or DOTS) as the manager of the new device.
- DOTS may provide the ID of the AMS / CMS for credential and / or access setup to be used later on the device without ownership.
- provisioning may be performed to provide a credential that requires an authorized CMS and an access policy that requires an authorized AMS to a new device.
- When the client device and the server device hold credentials that they can mutually verify, and the client has been granted access to the server's resources, the two devices can communicate with each other.
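- The discovery step above sends a plain CoAP RETRIEVE of /oic/res to the IPv6 multicast address ff02::158 on port 5683. The following is an added example (not code from the patent or from OCF) that builds that datagram byte by byte according to RFC 7252 and parses it back, including the option delta/length extension bytes and a length check that rejects options running past the end of the message. The resource-type filter rt=oic.wk.res in the query and the message ID and token are constructed values.

```python
import struct

OCF_MCAST_V6 = "ff02::158"   # multicast address named in the description
COAP_PORT = 5683
TYPE_CON, TYPE_NON = 0, 1    # multicast requests must be Non-confirmable (RFC 7252 section 8.1)
CODE_GET = 0x01              # 0.01 GET
OPT_URI_PATH, OPT_URI_QUERY = 11, 15


def _ext(v):
    """Option delta/length nibble plus its extension bytes (RFC 7252 section 3.1)."""
    if v < 13:
        return v, b""
    if v < 269:
        return 13, bytes([v - 13])
    return 14, struct.pack("!H", v - 269)


def encode_options(options):
    """options: iterable of (number, bytes); emitted in ascending order with delta encoding."""
    out, last = bytearray(), 0
    for num, val in sorted(options, key=lambda o: o[0]):
        dn, dext = _ext(num - last)
        ln, lext = _ext(len(val))
        out += bytes([(dn << 4) | ln]) + dext + lext + val
        last = num
    return bytes(out)


def build_get(path, query=(), msg_id=0, token=b"", mtype=TYPE_NON):
    """CoAP GET with Uri-Path segments and Uri-Query strings; no payload."""
    opts = [(OPT_URI_PATH, s.encode()) for s in path] + [(OPT_URI_QUERY, q.encode()) for q in query]
    hdr = bytes([(1 << 6) | (mtype << 4) | len(token), CODE_GET]) + struct.pack("!H", msg_id)
    return hdr + token + encode_options(opts)


def discovery_datagram(msg_id=0x1234, token=b"\x42"):
    """Datagram an OBT multicasts to find OCF devices: RETRIEVE /oic/res filtered by resource type."""
    msg = build_get(("oic", "res"), query=("rt=oic.wk.res",), msg_id=msg_id, token=token)
    return msg, (OCF_MCAST_V6, COAP_PORT)


def _read_ext(nib, data, i):
    if nib < 13:
        return nib, i
    if nib == 13:
        return data[i] + 13, i + 1
    if nib == 14:
        return struct.unpack("!H", data[i:i + 2])[0] + 269, i + 2
    raise ValueError("nibble 15 is reserved outside the 0xFF payload marker")


def parse(msg):
    """Parse a CoAP message; raises ValueError on malformed input instead of reading past the buffer."""
    ver, mtype, tkl = msg[0] >> 6, (msg[0] >> 4) & 3, msg[0] & 0xF
    if ver != 1 or tkl > 8 or len(msg) < 4 + tkl:
        raise ValueError("bad CoAP header")
    code, msg_id = msg[1], struct.unpack("!H", msg[2:4])[0]
    token, i, num, opts = msg[4:4 + tkl], 4 + tkl, 0, []
    while i < len(msg) and msg[i] != 0xFF:
        b = msg[i]
        i += 1
        delta, i = _read_ext(b >> 4, msg, i)
        length, i = _read_ext(b & 0xF, msg, i)
        if i + length > len(msg):
            raise ValueError("option value runs past end of message")
        num += delta
        opts.append((num, msg[i:i + length]))
        i += length
    payload = b""
    if i < len(msg):                      # 0xFF marker present
        payload = msg[i + 1:]
        if not payload:
            raise ValueError("payload marker followed by empty payload")
    return {"type": mtype, "code": code, "msg_id": msg_id, "token": token, "options": opts,
            "uri_path": [v.decode() for n, v in opts if n == OPT_URI_PATH],
            "uri_query": [v.decode() for n, v in opts if n == OPT_URI_QUERY],
            "payload": payload}
```

The response parser is the part that matters on the receiving side: every device on the link can answer a multicast, so option lengths must be bounds-checked before they are used, which is what the two ValueError branches do.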
- An onboarding tool may be, for example, a mobile phone or TV application.
- the onboarding tool may be one of the devices exemplified in the following device drawings (FIG.).
- FIG. 7 shows an example of the operation of the OCF system based on the onboarding tool.
- a specific mobile phone having a device ID of 0x0001 is set as a device (onboarding tool) having administrator authority.
- the device ID may be stored in / oic / sec / doxm, / oic / sec / cred /, / oic / sec / acl2 resources.
- OBT needs to set the security function of the new OCF device to communicate with the existing OCF device. If a specific mobile phone with a device ID of 0x0001 operates as an onboarding tool, only the specific mobile phone can set security management functions (e.g. ownership / credential / access).
- DTLS or TLS protocols may be used for encrypted communication.
- The cipher suite may vary depending on the method of transferring ownership.
- A cipher suite is a named combination of cryptographic algorithms (key exchange, authentication, bulk encryption and integrity protection) negotiated for a TLS or DTLS session.
- FIG. 8 shows an example of the DTLS cipher suite negotiation that can be used when the ownership transfer method of a new device is Just Works.
- the onboarding tool and the new device can perform encrypted communication between devices by transmitting and receiving the messages shown in FIG. 8.
- On-boarding tools and OCF devices can authenticate each other by one of just works, PIN, and certificate.
- the onboarding tool may set authentication methods and credentials between OCF devices so that the OCF devices that have been authenticated with themselves can perform authentication and communication with each other.
- symmetric key credentials may exist.
- the CMS of the onboarding tool can inform each of the two OCF devices in advance the credential of the other OCF device.
- During the handshake, the server device first presents the credential (its identity) set by the onboarding tool to the client device in the ServerKeyExchange message.
- The client device checks whether the presented credential is in its own list of credentials.
- The client device may also verify that the subject ID bound to that credential equals the server device's ID. If required, the server device likewise verifies the client's credential.
- each device may have a secret key and / or a public key.
- each device may include a pair of a secret key and a public key.
- the public key may be pre-distributed to devices in the network to which the onboarding tool belongs through the onboarding tool.
- During DTLS handshaking, each OCF device signs data with its own secret (private) key; the receiving device authenticates the sender by verifying that signature with the sender's public key, which it received beforehand from the onboarding tool.
- a certificate method may exist as an authentication method.
- Each device holds an OCF-accredited certificate issued by the manufacturer and/or a certificate issued through a CA (Certificate Authority).
- CA Certificate Authority
- access rights to specific resources may be limited for each device.
- For example, a device may be allowed to check the on/off state of a light bulb without having authority to switch it on or off. Referring to FIG. 8, if the device with device ID 0x0001 sends a RETRIEVE message to the light bulb to check whether it is on, the bulb answers device 0x0001 with a response indicating that it is on.
- If the same device sends an UPDATE to switch the bulb, the bulb checks its ACL, finds that device 0x0001 lacks UPDATE permission, leaves the resource unchanged, and returns a rejection response.
- FIG. 10 shows security settings by a plurality of onboarding tools.
- Mutual authentication between client A and server A may have been performed by onboarding tool A, and client B may have been authenticated by onboarding tool B. Since the client B and the server A have been authenticated by different onboarding tools, communication between devices is impossible.
- In order for a client and a server to perform secure communication, both must hold credentials that allow mutual authentication. Credentials may be pre-shared symmetric keys, asymmetric keys and/or certificates, as described above. In addition, the client must be granted access authority to the server's resources.
- Credentials can be self-generated by in-device applications.
- a certificate may be issued at the time of manufacture of the device.
- the CMS designated at the time of onboarding by the onboarding tool may dynamically manage the credentials.
- the AMS designated at the time of onboarding can perform access control related to access authority.
- CMS and AMS may be implemented as a part of the onboarding tool.
- the onboarding tool may be implemented in the form of an application of a smartphone and / or TV.
- New IoT devices that are not secured through the onboarding tool may not be able to communicate with existing IoT devices.
- a client application accompanying an onboarding tool function may be difficult to onboard by other onboarding tools.
- a smartphone including a client application accompanying the function of an onboarding tool may be difficult to enter an OCF network configured by another onboarding tool through the corresponding client.
- the OCF network is configured by a specific onboarding tool, so that credentials and access control settings can be completed for IoT devices. Subsequently, the onboarding tool that configures the OCF network may be out of range of the network. If the onboarding tool that constituted the original OCF network does not exist in the OCF network, there is no way to allow a new client to enter the OCF network.
- the present specification proposes a method in which a new client device can directly generate a credential by authenticating the device directly without the intervention of a device having ownership of the OCF network.
- Credential generation by a new client may be possible only when a device having ownership of the OCF network has previously allowed credential generation by a new client.
- FIG. 11 shows a flow chart according to an embodiment of the present invention.
- The onboarding tool can check, by multicast discovery, whether a device owned by another onboarding tool exists. If a device is already owned by another onboarding tool, the tool checks whether the user wants to use that device.
- / acg anonymous credential generation
- The /acg resource may be exposed on an unsecured channel (e.g. plain CoAP without DTLS). Because that channel is neither encrypted nor authenticated, the method list it advertises should only be used to choose how to start the handshake; the actual authentication relies on the PIN, password, QR code or certificate exchanged afterwards.
- the / acg resource may serve to determine the authentication method supported by the server device.
- The /acg resource can be used as the interface to start the DTLS handshake.
- An onboarding tool that wants to enter a preconfigured OCF network (hereinafter the second onboarding tool) may use the /acg resource to gain control of a device owned by the onboarding tool that configured that network (hereinafter the first onboarding tool).
- Through the /acg resource, the second onboarding tool may generate a credential with a device previously owned by the first onboarding tool. This credential generation may be performed without involving the first onboarding tool.
- first, onboarding is performed on the server A by the first onboarding tool OBT A, so that the first onboarding tool can take ownership of the server A.
- the second onboarding tool (OBT B) checks the ownership status of the server A. If server A is owned by another onboarding tool, the second onboarding tool checks whether server A supports anonymous credential generation (ACG). If server A supports ACG, the second onboarding tool may request credential generation from server A.
- ACG anonymous credential generation
- the DTLS handshaking and credential generation process performed according to the credential generation request of the second onboarding tool may follow the embodiment shown in FIG. 13 or FIG. 14.
- Anonymous devices can generate credentials with server devices.
- Anonymous devices may need to verify credential creation privileges using a supported authentication method before generating credentials with server devices.
- Supported authentication methods may include PIN, ID / password, QR (Quick Response) and / or certificate methods.
- PSK Pre-Shared Key
- the device and the server device including the onboarding tool may include a certificate that can be used for mutual authentication.
- the certificate may be a specific device manufacturer's own certificate or an OCF-accredited certificate.
- When, as shown in FIG. 14, the second onboarding tool and server A both hold certificates capable of mutual authentication, no separate key (e.g. PSK) needs to be generated during DTLS handshaking; the certificates themselves are used to authenticate the devices to each other.
- For a client to access the resources of a server device, the permissions in the access control list (/acl2) resource must be set accordingly.
- access authority may be granted by specifying a client device.
- Alternatively, access rights may be granted to all devices by setting the subject of the access control entry to a wildcard value.
- Since the first onboarding tool never communicates with a new client located on the same device as the second onboarding tool, the new client cannot be authenticated by the first onboarding tool.
- The first onboarding tool therefore cannot set authority for that specific new client on the server device. A wildcard value lets new clients communicate with the server device without the first onboarding tool authenticating each individual client.
- When the wildcard is used, access can be distinguished by connection type and managed as shown in Table 4.
- Communication between the new client device and a server device previously owned by the first onboarding tool can thus proceed without intervention of the first onboarding tool that performed the initial security setting.
- a credential may be generated for a new client device and a server device previously owned by the first onboarding tool to perform authentication with each other without intervention of the first onboarding tool.
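- The bulb example earlier (RETRIEVE allowed, UPDATE rejected) and the wildcard entries of Table 4 are both decisions over the /oic/sec/acl2 resource. The following is an added example, not code from the patent or from an OCF stack, of how a server evaluates one CRUDN request against such a list. Assumptions: the CRUDN permission bitmask values (1, 2, 4, 8, 16), the "auth-crypt" / "anon-clear" connection-type subjects, and the UUIDs and ACL content are constructed for the example and are not taken from the description.

```python
# Permission bits of an access control entry (CRUDN bitmask). These are the values the
# OCF Security specification uses as I recall them; treat them as an assumption here.
CREATE, RETRIEVE, UPDATE, DELETE, NOTIFY = 1, 2, 4, 8, 16
OP_BITS = {"CREATE": CREATE, "RETRIEVE": RETRIEVE, "UPDATE": UPDATE,
           "DELETE": DELETE, "NOTIFY": NOTIFY}
SUCCESS = {"CREATE": "2.01 Created", "RETRIEVE": "2.05 Content", "UPDATE": "2.04 Changed",
           "DELETE": "2.02 Deleted", "NOTIFY": "2.05 Content"}

# Constructed identifiers (the description uses short IDs such as 0x0001; OCF uses UUIDs).
OBT_A = "11111111-1111-1111-1111-111111111111"
PHONE_A = "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"

# Constructed /oic/sec/acl2 of the light bulb after OBT A has onboarded it.
# ACE 3 is the wildcard the description proposes: any peer that completed a DTLS
# handshake ("auth-crypt") may read and observe the bulb, whatever its identity.
# ACE 4 leaves discovery, doxm and /acg readable over plain CoAP ("anon-clear").
BULB_ACL2 = {
    "rowneruuid": OBT_A,
    "aclist2": [
        {"aceid": 1, "subject": {"uuid": OBT_A}, "resources": [{"wc": "*"}],
         "permission": CREATE | RETRIEVE | UPDATE | DELETE | NOTIFY},
        {"aceid": 2, "subject": {"uuid": PHONE_A}, "resources": [{"href": "/a/light"}],
         "permission": RETRIEVE},
        {"aceid": 3, "subject": {"conntype": "auth-crypt"}, "resources": [{"href": "/a/light"}],
         "permission": RETRIEVE | NOTIFY},
        {"aceid": 4, "subject": {"conntype": "anon-clear"},
         "resources": [{"href": "/oic/res"}, {"href": "/oic/sec/doxm"}, {"href": "/acg"}],
         "permission": RETRIEVE},
    ],
}


def _subject_matches(subject, requester):
    """uuid subjects name one device; conntype subjects are the wildcard form of Table 4."""
    if "uuid" in subject:
        return subject["uuid"] == requester["uuid"]
    if "conntype" in subject:
        return subject["conntype"] == requester["conntype"]
    return False


def _resource_matches(resources, href):
    return any(r.get("wc") == "*" or r.get("href") == href for r in resources)


def permitted(acl2, requester, href, op):
    """Default deny: allowed only if some ACE matches subject and resource and grants the bit."""
    bit = OP_BITS[op]
    return any(_subject_matches(a["subject"], requester)
               and _resource_matches(a["resources"], href)
               and a["permission"] & bit
               for a in acl2["aclist2"])


def handle(acl2, requester, href, op):
    """Server-side decision for one CRUDN request: success code, or 4.01 without touching the resource."""
    return SUCCESS[op] if permitted(acl2, requester, href, op) else "4.01 Unauthorized"
```

The requester's connection type is decided by the transport (DTLS-protected or not), never taken from the request payload; that is what makes the "auth-crypt" wildcard safe to use as a subject.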
- The embodiment described through FIGS. 11 to 14 is illustrated below with a concrete example.
- a first device including a first onboarding tool may perform onboarding for a light bulb.
- The first device may set the subject of the access control list resource (/acl2) to a wildcard value, so that anonymous devices can generate a credential with the light bulb.
- the second device (Phone B) including the second onboarding tool may search for a light bulb included in the OCF network configured by the first device.
- the second device which searches for devices owned by the first device, checks whether the bulb supports ACG, and if so, selects an authentication method.
- the authentication method may include authentication based on PIN, ID / password, QR and / or certificate.
- The second device performs a DTLS handshake with the bulb and device authentication based on the selected authentication method, and generates and confirms credentials. Once the credential is created and confirmed, encrypted communication between the second device and the light bulb is possible.
- The second onboarding tool may also discover, by multicast, devices that are not owned by any onboarding tool. If such an unowned device is found, the second onboarding tool may perform the onboarding procedure with it to construct a new OCF network.
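- The procedure above (check the owned flag, check /acg, pick an authentication method, derive a PSK from the PIN, confirm it, store credentials on both sides) is modelled in the following added example. It is not code from the patent or from an OCF implementation. Assumptions not stated in the description: the PIN-to-PSK derivation (PBKDF2-HMAC-SHA256, server UUID as salt, 1000 iterations, 16-byte key), the HMAC challenge-response standing in for the DTLS-PSK Finished messages, and the credential record format (credtype 1 for a symmetric pair-wise key). The device data is constructed.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field


@dataclass
class IoTServer:
    """Constructed view of the server-side Secure Virtual Resources named in the description."""
    uuid: str                       # /oic/sec/doxm device UUID
    owned: bool                     # /oic/sec/doxm owned flag
    acg_methods: tuple = ()         # /acg: authentication methods accepted (empty = no ACG)
    pin: str = ""                   # PIN the device displays; how it is shown is out of scope
    creds: list = field(default_factory=list)   # /oic/sec/cred entries


def decide_entry(server: IoTServer) -> str:
    """Steps S1601/S1603 of FIG. 16 for one discovered device."""
    if not server.owned:
        return "onboard"            # unowned: run the normal ownership transfer and build a new network
    if server.acg_methods:
        return "acg"                # owned by another OBT but accepts anonymous credential generation
    return "blocked"                # owned, no ACG: only the owning OBT can admit this client


def derive_psk(pin: str, server_uuid: str, *, iterations: int = 1000, length: int = 16) -> bytes:
    """PIN -> PSK. PBKDF2 with the server UUID as salt is an assumption of this example;
    both peers must use identical parameters or the handshake below fails."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), server_uuid.encode(), iterations, length)


def _confirm_tag(psk: bytes, role: bytes, n_c: bytes, n_s: bytes) -> bytes:
    return hmac.new(psk, b"acg-confirm|" + role + b"|" + n_c + b"|" + n_s, "sha256").digest()


def acg_handshake(client_uuid: str, server: IoTServer, pin_entered: str, *, rng=os.urandom):
    """Stand-in for the DTLS-PSK handshake of FIG. 13 (step S1605).

    Each side derives the PSK from its own view of the PIN and proves possession over
    fresh nonces. Credentials are written on both sides only after both proofs verify;
    a wrong PIN leaves the server's /oic/sec/cred untouched. Returns the client's
    credential record, or None on failure."""
    if "pin" not in server.acg_methods:
        return None
    psk_client = derive_psk(pin_entered, server.uuid)   # what the user typed on phone B
    psk_server = derive_psk(server.pin, server.uuid)    # what the bulb displayed
    n_c, n_s = rng(16), rng(16)
    tag_c = _confirm_tag(psk_client, b"client", n_c, n_s)          # client -> server
    if not hmac.compare_digest(tag_c, _confirm_tag(psk_server, b"client", n_c, n_s)):
        return None                                                  # server aborts, nothing stored
    tag_s = _confirm_tag(psk_server, b"server", n_c, n_s)          # server -> client
    if not hmac.compare_digest(tag_s, _confirm_tag(psk_client, b"server", n_c, n_s)):
        return None
    server.creds.append({"subjectuuid": client_uuid, "credtype": 1, "key": psk_server})
    return {"subjectuuid": server.uuid, "credtype": 1, "key": psk_client}


def enter_network(client_uuid: str, server: IoTServer, pin_entered: str):
    """Full client-side flow: decide how to approach the device, then authenticate if ACG applies."""
    action = decide_entry(server)
    if action != "acg":
        return action, None
    cred = acg_handshake(client_uuid, server, pin_entered)
    return ("secure" if cred else "auth-failed"), cred
```

A short numeric PIN is brute-forceable offline by anyone who records the exchange, so the PIN has to be single-use and the server should rate-limit failed confirmations; neither property is in the derivation itself.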
- FIG. 16 is a flowchart of a signal reception method according to embodiments of the present invention.
- an embodiment of the present invention may be performed by a specific communication device (first device).
- The method performed by the first device may include: discovering an IoT device belonging to the network configured by the second device (S1601); checking whether the discovered IoT device supports ACG (S1603); if ACG is supported, performing security authentication with the discovered IoT device without receiving a security-related message from the second device that configured the network (S1605); and performing secure communication with the authenticated IoT device (S1607).
- The IoT device may be preset to perform secure communication with the second device that configured the network.
- the IoT device may include an ACL resource for indicating a list of resources accessible by the first device.
- the ACL resource may include information about the resource accessible to the first device (even if the first device has not been previously authenticated by the second device).
- Security authentication between the first device and the IoT device may be performed by generating a pre-shared key (PSK) based on at least one of a PIN, ID / password, and / or QR (Quick Response). Secure communication may be performed based on the generated PSK.
- PSK pre-shared key
- security authentication between the first device and the IoT device may be performed based on certificates respectively stored in the first device and the IoT device.
- Secure communication may be performed based on security authentication performed using certificates stored in the first device and the IoT device, respectively.
- the first device may additionally perform one or more of the proposed operations through FIGS. 1 to 15 in addition to the operations illustrated through FIG. 16.
- FIG. 17 is a block diagram showing the components of a transmitting device 10 and a receiving device 20 for performing embodiments of the present invention.
- The transmitting device 10 and the receiving device 20 respectively include transmitter/receivers 13 and 23 capable of transmitting or receiving wireless signals carrying information, data, signals, messages and the like; memories 12 and 22 for storing various information related to communication in the wireless communication system; and processors 11 and 21, operatively connected to the transmitter/receivers 13, 23 and the memories 12, 22, that control these components so as to perform at least one of the embodiments of the present invention.
- the memories 12 and 22 may store programs for processing and control of the processors 11 and 21, and temporarily store input / output information. Memory 12, 22 can be utilized as a buffer.
- Processors 11 and 21 typically control the overall operation of various modules in the transmitting or receiving device. In particular, the processors 11 and 21 can perform various control functions for carrying out the present invention.
- the processors 11 and 21 may also be called controllers, microcontrollers, microprocessors, microcomputers, and the like.
- the processors 11 and 21 may be implemented by hardware or firmware, software, or a combination thereof.
- firmware or software may be configured to include modules, procedures, or functions that perform the functions or operations of the present invention.
- the firmware or software may be provided in the processors 11 and 21 or stored in the memories 12 and 22 to be driven by the processors 11 and 21.
- the processor 11 of the transmitting device 10 performs predetermined coding and modulation on signals and/or data that are scheduled by the processor 11, or by a scheduler connected to the processor 11, for transmission to the outside, and then transfers them to the transmitter/receiver 13.
- the processor 11 converts data streams to be transmitted into K layers through demultiplexing, channel encoding, scrambling, and modulation.
- the coded data stream is also referred to as a codeword, and is equivalent to a transport block, which is a data block provided by the MAC layer.
- One transport block (TB) is encoded as one codeword, and each codeword is transmitted to a receiving device in the form of one or more layers.
- the transmitter / receiver 13 may include an oscillator.
- the transmitter / receiver 13 may include Nt transmit antennas (Nt is a positive integer greater than 1).
- the signal processing process of the receiving device 20 is composed of the inverse of the signal processing process of the transmitting device 10.
- the transmitter / receiver 23 of the receiving device 20 receives the radio signal transmitted by the transmitting device 10.
- the transmitter/receiver 23 may include Nr receive antennas, and frequency-down-converts each signal received through the receive antennas to restore a baseband signal.
- the transmitter / receiver 23 may include an oscillator for frequency downconversion.
- the processor 21 may perform decoding and demodulation of the radio signal received through the reception antenna to restore data originally intended to be transmitted by the transmission device 10.
- the transmitter / receiver 13, 23 has one or more antennas.
- under the control of the processors 11 and 21, the antenna transmits the signal processed by the transmitter/receiver 13, 23 to the outside, or receives a radio signal from the outside and passes it to the transmitter/receiver 13, 23.
- the antenna is also called an antenna port.
- Each antenna may correspond to one physical antenna or may be configured as a combination of more than one physical antenna element. The signals transmitted from the physical elements making up one antenna can no longer be separately resolved by the receiving device 20.
- The reference signal (RS) transmitted on an antenna defines that antenna from the viewpoint of the receiving device 20, and lets the receiving device 20 estimate the channel for that antenna regardless of whether the channel is a single radio channel from one physical antenna or a composite channel from a plurality of physical antenna elements. That is, an antenna is defined such that the channel carrying one symbol on the antenna can be derived from the channel carrying another symbol on the same antenna. A transmitter/receiver supporting a multi-input multi-output (MIMO) function, which transmits and receives data using a plurality of antennas, may be connected to two or more antennas.
- the terminal or the UE operates as the transmitting device 10 in the uplink and the receiving device 20 in the downlink.
- the base station or eNB operates as the receiving device 20 in the uplink and as the transmitting device 10 in the downlink.
- the transmitting device and / or the receiving device may perform a combination of at least one or more embodiments of the embodiments of the present invention described above.
- the transmitting device and/or receiving device 10, 20 may be a base station, a network node, a transmitting terminal, a receiving terminal, a wireless device, a wireless communication device, a vehicle, a vehicle equipped with an autonomous driving function, a drone (Unmanned Aerial Vehicle, UAV), an AI (Artificial Intelligence) module, a robot, an AR (Augmented Reality) device, a VR (Virtual Reality) device, or another device.
- the terminal may include a mobile phone, a smart phone, a laptop computer, a terminal for digital broadcasting, a personal digital assistant (PDA), a portable multimedia player (PMP), a navigation device, a slate PC, a tablet PC, an ultrabook, a wearable device (for example, a watch-type terminal (smartwatch), a glass-type terminal (smart glass), or a head mounted display (HMD)), and the like.
- a drone may be an aerial vehicle with no person on board that is flown by radio control signals.
- the HMD may be a display device worn on the head.
- HMD can be used to implement VR or AR.
- the present invention can be applied to various wireless communication systems.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Mobile Radio Communication Systems (AREA)
Abstract
The present invention relates to a secure communication method performed by a first device. The present invention relates to a method and device for: searching an IoT device which belongs to a network configured by a second device and which is preset to perform secure communication with the second device; checking whether the IoT device supports Anonymous Credential Generation (ACG); if the IoT device supports ACG, performing secure certification for performing the secure communication with the IoT device even when a security-related message has not been received from the second device; and performing the secure communication with the IoT device on the basis of the secure certification.
Description
The present invention relates to an Internet of Things (IoT) device and to a method performed in connection with an IoT device. Specifically, it relates to secure communication between IoT devices.
With the development of IoT technology, an environment has been created in which various electronic devices in the home are connected to one another through a network and share information.
The Open Interconnect Consortium (OIC) was formed to standardize interoperability between IoT devices. OIC was later merged with UPnP (Universal Plug and Play) to form the Open Connectivity Foundation (OCF).
The OCF standardization body is developing technologies for providing IoT services and an open platform, including communication between IoT devices and cloud use, and plans to interwork with other IoT standards (oneM2M, OMA LWM2M, BLE, Zigbee, Z-Wave, GENIVI, etc.).
An apparatus providing a service according to the OCF standard includes a server that provides a resource and a client that accesses the resource.
In this environment, methods for efficiently constructing a secure network based on the OCF standard have been proposed.
The technical problem the present invention aims to solve is to provide a secure communication method for a client newly entering a network, and a device for the same.
The technical problems of the present invention are not limited to the one described above; other technical problems may be inferred from the embodiments of the present invention.
The present invention provides a secure communication method and apparatus in a wireless communication system.
As one aspect of the present invention, a secure communication method performed by a first device in a wireless communication system may include: searching for an Internet of Things (IoT) device belonging to a network configured by a second device, the IoT device being preset to perform secure communication with the second device; checking whether the IoT device supports Anonymous Credential Generation (ACG); if the IoT device supports ACG, performing security authentication for secure communication with the IoT device even when no security-related message has been received from the second device; and performing secure communication with the IoT device based on the security authentication.
A first device performing secure communication in a wireless communication system may include a transceiver and a processor controlling the transceiver, the processor being configured to: search for an Internet of Things (IoT) device belonging to a network configured by a second device, the IoT device being preset to perform secure communication with the second device; check whether the IoT device supports Anonymous Credential Generation (ACG); if the IoT device supports ACG, perform security authentication for secure communication with the IoT device even when no security-related message has been received from the second device; and perform secure communication with the IoT device based on the security authentication.
In the above method and device, the IoT device may include an Access Control List (ACL) resource indicating the list of resources accessible to the first device.
In the above method and device, the ACL resource may include information on the resources accessible to the first device even when the first device has not previously been authenticated by the second device.
In the above method and device, the security authentication may be performed by generating a Pre-Shared Key (PSK) based on one or more of a PIN, an ID/password, and/or a QR (Quick Response) code, and the secure communication may be performed based on the generated PSK.
In the above method and device, the security authentication and secure communication may be performed based on certificates pre-stored in the first device and the IoT device.
The aspects described above are only some of the preferred embodiments of the present invention; various embodiments reflecting the technical features of the present invention can be derived and understood by a person of ordinary skill in the art from the detailed description below.
According to an embodiment of the present invention, providing a new secure communication method for a client newly entering a network has the advantage that secure communication can be performed more efficiently, without the help of the device that originally created the network.
The technical effects of the present invention are not limited to those described above; other technical effects may be inferred from the embodiments of the present invention.
FIG. 1 illustrates the connectivity and interoperability of the OCF platform.
FIG. 2 illustrates the framework architecture of the OCF platform.
FIG. 3 illustrates the sending and receiving of requests and responses among a client, an intermediary, and a server.
FIG. 4 illustrates the protocol stack supportable in the OCF standard.
FIG. 5 illustrates, at a high level, the functions supportable through OCF.
FIG. 6 illustrates an example of performing a CRUDN operation.
FIG. 7 illustrates an example of OCF system operation based on an onboarding tool.
FIG. 8 illustrates an example of a DTLS cipher suite scheme.
FIGS. 9 to 15 illustrate secure communication according to embodiments of the present invention.
FIG. 16 shows a flowchart according to an embodiment of the present invention.
FIG. 17 shows an apparatus according to an embodiment of the present invention.
Hereinafter, preferred embodiments of the present invention are described in detail with reference to the accompanying drawings. The detailed description set out below together with the accompanying drawings is intended to describe exemplary embodiments of the present invention and is not intended to represent the only embodiments in which the present invention may be practiced. The following detailed description includes specific details in order to provide a thorough understanding of the present invention. However, those skilled in the art will appreciate that the present invention may be practiced without these specific details.
In some cases, in order to avoid obscuring the concept of the present invention, well-known structures and devices may be omitted or shown in block diagram form centered on the core function of each structure and device. The same reference numerals are used for the same components throughout this specification.
For clarity, the description focuses on a 3GPP-based mobile communication system, but the technical idea of the present invention is not limited thereto. The techniques below may be used in various IoT services or platforms such as oneM2M, OMA LWM2M, BLE, Zigbee, Z-Wave, and GENIVI. The specific terms used in the following description are provided to aid understanding of the present invention, and their use may be changed to other forms without departing from the technical idea of the present invention.
OCF Overview
FIG. 1 illustrates the connectivity and interoperability of the OCF platform.
OCF defines a common platform that provides the basic services and data models that allow multiple verticals, such as health, smart home, and industrial IoT, to connect and cooperate. The OCF platform provides connectivity between the connectivity level, the platform level, and the service layer. In addition, the OCF platform provides full interoperability through the user experience (UX).
The OCF standard defines data structures and the types, properties, and interfaces of resources. In addition, the OCF standard provides device authentication, security functions, access control to resources within the OCF network, discovery of devices that may be included in the OCF network, commands on resources (CREATE, RETRIEVE, UPDATE, DELETE, and NOTIFY; CRUDN), messages for resources, and a framework for connecting the OCF network to the Internet (IPv6, etc.).
OCF Framework Architecture
FIG. 2 illustrates the framework architecture of the OCF platform.
The operation and main concepts of the OCF platform are illustrated with reference to FIG. 2. The concepts described below may concern the resource model, RESTful operations, or abstraction, and are basic characteristics of OCF operation and the OCF standard.
An OCF device may support one or more of the roles of client, server, and/or intermediary. The roles an OCF device can support belong to the domain of logical entities, and one OCF device may support more than one role. In the description below, 'device' may refer to a physical device containing a logical entity, or to the logical entity itself.
A client device is a device that accesses resources of a server.
A server device is a device that provides resource state information and is capable of performing remote interaction on resources.
An intermediary device is a device that provides the OCF proxy role; in other words, it relays and processes request messages for OCF resources hosted by a server device.
In the description below, the state, value, and information of a resource may be used with the same meaning.
A client may request a CRUDN operation on a resource from a server, and the server may perform the CRUDN operation requested by the client. The designation of resources and operations between client and server may be based on the RESTful resource model. Based on a request to process an OCF resource hosted by another OCF server, an intermediary may generate a further request according to its processing configuration and return the response to that generated request to the OCF server.
The resource model corresponds to the actual entity represented by an OCF resource.
A client-server CRUDN operation originating at an upper layer (e.g. OCF client, OCF server) may be delivered at the lower layer (e.g. OCF device) through CoAP (Constrained Application Protocol) requests and responses, or through XMPP (Extensible Messaging and Presence Protocol).
CRUDN operations take place between an OCF client and an OCF server. Through protocol mapping, a CRUDN operation may be sent and received as CoAP request and CoAP response signaling messages (e.g. GET /s/data, {"bulb":"on"}). Through protocol mapping, CRUDN operations may also be sent and received over HTTP (hypertext transfer protocol) and/or XMPP instead of CoAP.
Alternatively, when a client, an intermediary, and a server are connected as shown in FIG. 3, requests and responses between the client and the intermediary may be sent over HTTP, and requests and responses between the intermediary and the server over CoAP.
OCF Protocol Stack
FIG. 4 shows the protocol stack supportable in the OCF standard.
In the protocol stack shown in FIG. 4, the encoding layer supports CBOR (Concise Binary Object Representation, based on the JSON data model) by default. However, JSON (JavaScript Object Notation) and/or XML/EXI (Efficient XML Interchange) may be used by negotiation between client and server.
CoAP Discovery is used for endpoint discovery (IETF RFC 7252).
For connection with the L2 layer, IPv6 for IoT devices is present. To secure the transport layer, a DTLS (Datagram Transport Layer Security) layer may sit above the UDP (User Datagram Protocol) layer; likewise, a TLS (Transport Layer Security) layer may sit above the TCP (Transmission Control Protocol) layer.
OCF Framework Block Diagram
FIG. 5 illustrates, at a high level, the functions supportable through OCF.
The functions supported in the OCF framework are listed in Table 1 below.
[Table 1]
At the lower layers, the functions described in Table 1 may be performed at the L2 connectivity and networking layers. The L2 connectivity layer may use existing wireless communication technologies such as Wi-Fi (wireless fidelity), BT (Bluetooth), and/or Z-Wave.
In the OCF framework, the functions described in Table 1 may be performed.
At the application layer, OCF has created individual profiles (data models, functions, etc.) for different markets. One example is the smart home data model.
CRUDN Operation
A CRUDN operation is an operation that can be requested on a resource; there are five commands, as shown in Table 2. When a client sends a command, the server hosting the resource performs the CRUDN command on that resource.
[Table 2]
FIG. 6 shows an example of performing a CRUDN operation. First, the client sends a Create request, one of the CRUDN operations, to the server. The server that receives the Create command performs Create on the resource. The server that has created the resource then sends a response to the client's request.
Table 3 shows the parameters that may be included in a CRUDN message.
[Table 3]
OCF 보안 기술OCF security technology
앞서 설명한 바와 같이, OCF 시스템에서는 IoT 장치와 관련 기능을 컴퓨터가 이해할 수 있는 장치와 리소스 형태로 모델링하며, 장치 간 CRUDN Restful 동작을 통해 통신하게 된다. 여기서 클라이언트 장치는 서버의 리소스에 접속하는 역할을 수행함으로써 장치 간 통신을 시작한다. 서버 장치는, 클라이언트 장치에 의해 요청된 명령에 따라 리소스 상태 정보을 제공하고, 리소스에 대해 원격 상호작용을 수행한다.As described above, in the OCF system, IoT devices and related functions are modeled in the form of devices and resources that computers can understand, and communication is performed through CRUDN Restful operations between devices. Here, the client device starts communication between devices by performing a role of accessing a server resource. The server device provides resource status information according to a command requested by the client device, and performs remote interaction on the resource.
서버의 리소스 중, 보안 기능 설정을 위해 모든 OCF 기기가 가지고 있어야 하는 특수한 리소스로서, 보안 가상 리소스들(Secure Virtual Resources; SVRs)이 있다. SVRs에는, 접근 권한을 가진 온보딩 툴(Onboarding Tool; OBT) 및 서비스 엔티티(service entity)들만이 접근 가능하다.Among the server resources, there are Secure Virtual Resources (SVRs) as a special resource that all OCF devices must have in order to set security functions. In SVRs, only Onboarding Tool (OBT) and service entities with access rights are accessible.
온보딩이란 신규 IoT 기기에 대한 초기 설정에 대한 것으로서, 소유권 이전(ownership transfer), 접근 제어(access control) 설정 및/또는 크리덴셜(credential) 설정 중 하나 이상에 대한 것이다. 서비스 엔티티는, DOTS (Device Ownership Transfer Service), AMS (Access Manager Service) 및/또는 CMS (Certification Management Service) 중 하나 이상을 포함할 수 있다.Onboarding is for initial setup for a new IoT device, and is for one or more of ownership transfer, access control setup and / or credential setup. The service entity may include one or more of Device Ownership Transfer Service (DOTS), Access Manager Service (AMS) and / or Certification Management Service (CMS).
IoT 기기 간 메시지 암호화를 위해서는, UDP (User Datagram Protocol) 방식의 D2D (Device-to-Device) 통신에서는 DTLS (Datagram Transport Layer Security)가 사용될 수 있다. TCP (Transmission Control Protocol) 방식의 D2C (Device-to-Central) 통신에서는 TLS (Transport Layer Security)가 사용될 수 있다. 기기간 암호화 스위트(cipher suites)에 기반한 핸드셰이킹(handshaking), 세션 키(session key) 생성 등을 통해 암호화 통신이 수행될 수 있다.For message encryption between IoT devices, DTLS (Datagram Transport Layer Security) may be used in D2D (Device-to-Device) communication of the User Datagram Protocol (UDP) method. Transport layer security (TLS) may be used in D2C (Device-to-Central) communication of the Transmission Control Protocol (TCP) method. Encryption communication may be performed through handshaking based on cipher suites between devices, generation of a session key, and the like.
IoT 기기 간 인증은, DTSL 또는 TLS 과정이 수행되는 중 크리덴셜에 기반하여 기기 상호 인증이 수행될 수 있다. 크리덴셜에는, 미리 공유된 키(pre-shared key)인 대칭 키(symmetric key), 공개 키(public key) 또는 비밀 키(private key)가 될 수 있는 비대칭 키(asymmetric key) 및/또는 인증서(Certificate, e.g. X.509 인증서)가 포함될 수 있다.The IoT device-to-device authentication may be performed based on a credential during DTSL or TLS process. Credentials include asymmetric keys and / or certificates that can be pre-shared keys, symmetric keys, public keys, or private keys. Certificate, eg X.509 certificate).
OCF 리소스에 대한 접근 권한은 접근 제어 엔트리(Access Control Entry; ACE)들 및/또는 접근 제어 리스트(Access control List; ACL)들에 의해 설정/관리될 수 있다.The access authority for the OCF resource may be set / managed by access control entries (ACEs) and / or access control lists (ACLs).
SVR은, 이하의 리소스들을 포함할 수 있다.The SVR may include the following resources.
The /oic/sec/doxm resource is used to manage the ownership transfer method of a device. The /oic/sec/doxm resource may include a Device UUID (universally unique identifier) indicating the ID of the device itself, a Device Owner UUID indicating the UUID of the sole administrator device (OBT), Ownership Transfer Method and Select, which indicate the supported ownership transfer methods, and Owned, which holds the ownership status.
/oic/sec/pstat is a resource for managing the provisioning status. The /oic/sec/pstat resource may include a Resource Owner ID indicating the sole administrator ID permitted to access the resource, and a Current Provisioning Mode indicating whether the provisioning status can be set.
/oic/sec/cred is a resource for managing credentials. The /oic/sec/cred resource may include a Resource Owner ID indicating the sole administrator ID permitted to access the resource, and a Credential array that stores the credentials needed for device authentication.
/oic/sec/acl2 is a resource for managing the access control list. The /oic/sec/acl2 resource may include a Resource Owner ID indicating the sole administrator ID permitted to access the resource, and Access Control Entries, an array that stores the information needed for device access control.
In addition, /oic/sec/amacl, which manages ACL configuration, and /oic/sec/roles, which defines the role of each device, may be included in the SVR as resources. The per-device roles may include administrator (admin), user and guest.
The basic onboarding flow related to security configuration is as follows.
First, when a new OCF device is powered on, it can be discovered by an OBT (e.g. the DOTS). To discover devices that are not yet owned (un-owned), the DOTS may multicast a CoAP message to a specific URL (Uniform Resource Locator) on the same IP (Internet Protocol) subnet. For example, Retrieve /oic/res may be used as the OCF resource, ff02::158 as the IPv6 multicast address, and port 5683 as the port for message transmission. A device that receives the CoAP message and is not owned by the DOTS sends a response containing information about the ownership transfer methods it supports. The ownership transfer methods (OTM, Ownership Transfer Method) may include one or more of Just Works (JW), PIN (Personal Information Number) and/or a certificate-based method. The JW method means that no separate authentication is performed between the OBT and the new device at the time of the initial connection.
Transfer of ownership may mean transferring the authority over an IoT device from the manufacturer of the IoT device to its purchaser. The DOTS selects one of the OTMs supported by the new, currently unowned device. (D)TLS handshaking is performed between the DOTS and the unowned device, after which the ownership transfer is carried out. Transferring ownership may include setting a specific OBT (or DOTS) as the administrator of the new device. The DOTS may provide the unowned device with the IDs of the AMS/CMS to be used from then on for credential and/or access configuration.
In addition, provisioning may be performed in which the authorized CMS provides the new device with the credentials it needs and the authorized AMS provides it with the access policy it needs.
When a client device and a server device hold credentials that each can verify, and have access rights to each other, the client device and the server device can communicate with each other.
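The discovery step above is the one exchange that happens before any (D)TLS protection exists, so it is worth seeing exactly what goes on the wire and what a device should be willing to answer there. The following is an added example, not code from the patent or from any OCF implementation: it encodes the CoAP GET (OCF Retrieve) for /oic/res using the multicast address and port given in the text, parses it back, and gates the clear-channel responder so that only discovery-class requests are answered. The single-byte option encoding covers the short Uri-Path segments used here; the set of clear-channel paths is a parameter, since the text only names /oic/res.

```python
"""Added example (not from the patent): build and parse the CoAP GET used for
OCF discovery, and gate what a device answers on the unencrypted channel."""
import struct

COAP_VERSION = 1
TYPE_CON, TYPE_NON = 0, 1          # CoAP message types; multicast discovery is NON
CODE_GET = 0x01                    # CoAP request code 0.01 = GET (OCF "Retrieve")
OPT_URI_PATH = 11                  # CoAP option number for Uri-Path

# Destination given in the text: IPv6 link-local multicast ff02::158, port 5683.
DISCOVERY_DESTINATION = ("ff02::158", 5683)


def _encode_option(delta, value):
    # Only the single-byte option header (delta and length both < 13) is
    # implemented; that covers every Uri-Path segment used in this example.
    if delta > 12 or len(value) > 12:
        raise ValueError("extended option encoding not implemented")
    return bytes([(delta << 4) | len(value)]) + value


def build_get(path, message_id, msg_type=TYPE_NON, token=b""):
    """Encode a CoAP GET for `path` (e.g. "/oic/res")."""
    if len(token) > 8:
        raise ValueError("token too long")
    header = bytes([(COAP_VERSION << 6) | (msg_type << 4) | len(token), CODE_GET])
    out = bytearray(header + struct.pack("!H", message_id) + token)
    previous = 0
    for segment in path.strip("/").split("/"):
        out += _encode_option(OPT_URI_PATH - previous, segment.encode())
        previous = OPT_URI_PATH   # later segments repeat option 11 with delta 0
    return bytes(out)


def parse_request(data):
    """Decode the header and Uri-Path options; raises ValueError on malformed input."""
    if len(data) < 4:
        raise ValueError("truncated CoAP header")
    first, code = data[0], data[1]
    version, msg_type, tkl = first >> 6, (first >> 4) & 0x3, first & 0xF
    if version != COAP_VERSION or tkl > 8:
        raise ValueError("bad version or token length")
    message_id = struct.unpack("!H", data[2:4])[0]
    token = data[4:4 + tkl]
    i, number, segments = 4 + tkl, 0, []
    while i < len(data) and data[i] != 0xFF:     # 0xFF marks the payload
        delta, length = data[i] >> 4, data[i] & 0xF
        if delta >= 13 or length >= 13:
            raise ValueError("extended option encoding not implemented")
        i += 1
        if i + length > len(data):
            raise ValueError("option runs past end of message")
        number += delta
        if number == OPT_URI_PATH:
            segments.append(data[i:i + length].decode())
        i += length
    return {"version": version, "type": msg_type, "code": code,
            "message_id": message_id, "token": token,
            "path": "/" + "/".join(segments)}


def accept_on_clear_channel(data, allowed_paths=("/oic/res",)):
    """A device answers only discovery-class GETs on the unencrypted channel;
    everything else must arrive over DTLS (the text: all traffic except
    discovery is encrypted). Malformed datagrams are dropped, not answered."""
    try:
        req = parse_request(data)
    except ValueError:
        return False
    return req["code"] == CODE_GET and req["path"] in allowed_paths
```

A GET for /oic/res with message ID 0x1234 encodes to the nine bytes 50 01 12 34 b3 'oic' 03 'res'; the same responder refuses a clear-channel GET for /oic/sec/cred, which the SVR only serves over DTLS.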
Examples of an onboarding tool are a mobile phone or TV application. Alternatively, the onboarding tool may be one of the devices given as examples in the device drawing below (FIG. ).
FIG. 7 shows an example of OCF system operation based on an onboarding tool.
In the fire detector and the automatic door of FIG. 7, a specific mobile phone with device ID 0x0001 is configured as the device with administrator authority (the onboarding tool). This device ID may be stored in the /oic/sec/doxm, /oic/sec/cred and /oic/sec/acl2 resources.
If either the fire detector or the automatic door is a new OCF device, the OBT must configure the security functions of that new OCF device before it can communicate with the existing OCF device. If the specific mobile phone with device ID 0x0001 operates as the onboarding tool, only that mobile phone can configure the security management functions (e.g. ownership/credentials/access).
In OCF, packet-level encryption and decryption are used for all communication except device discovery. The DTLS or TLS protocol may be used for the encrypted communication. However, the cipher suite may differ depending on the ownership transfer method. A cipher suite means a combination of cryptographic protocols.
FIG. 8 shows an example of a DTLS cipher suite exchange that may be used when the ownership transfer method of the new device is Just Works. When the new device follows the Just Works method, the onboarding tool and the new device can perform encrypted device-to-device communication by exchanging the messages shown in FIG. 8.
The onboarding tool and an OCF device can authenticate each other using one of the Just Works, PIN or certificate methods. The onboarding tool can configure the authentication method and the credentials between OCF devices so that the OCF devices that have authenticated with it can in turn authenticate and communicate with each other.
As an authentication method, symmetric key credentials may exist. When two OCF devices need to communicate with each other, the CMS of the onboarding tool can give each of the two devices the credential of the other in advance. When a DTLS handshake is performed between the two OCF devices, the server device first delivers the credential configured by the onboarding tool to the client device in the ServerKeyExchange message. The client device can then verify that the received credential is one of the credentials in its own list. The client device can also verify that the subject ID associated with the received credential is the same as the ID of the server device. If necessary, the server device may likewise verify the credential of the client.
Asymmetric key credentials may also exist as an authentication method. At the manufacturing stage of an IoT device, each device may hold a private (secret) key and/or a public key, or each device may hold them as a private/public key pair. The public key may be pre-distributed through the onboarding tool to the devices in the network the onboarding tool belongs to. When a DTLS handshake is performed, each OCF device transmits data signed with its own private key. The receiving OCF devices decrypt (verify) the signed data with the corresponding public key, whereby authentication between the OCF devices is performed.
A certificate-based method may also exist as an authentication method. At the manufacturing stage, each IoT device holds an OCF-certified certificate issued by the manufacturer and/or a certificate issued through a CA (Certificate Authority). Authentication between OCF devices can be performed by exchanging these certificates during the DTLS handshake.
In addition, access rights to specific resources may be restricted per device. As in FIG. 9, a device with device ID 0x0001 may be able to check whether a light bulb is on or off, but may have no authority to command the bulb on or off. Referring to FIG. 8, if the device with ID 0x0001 sends a Retrieve message to the bulb to check whether it is on, the bulb can send a response to the Retrieve message informing the device with ID 0x0001 that the bulb is on. If the device with ID 0x0001 has no authority to update the resource of the bulb, then even if it sends an Update message, the bulb confirms that the device lacks Update authority and, without updating the resource, can send a rejection response to the request.
When a network is configured in the existing OCF system, only one onboarding tool may be permitted per network. Likewise, only one DOTS, one AMS and one CMS may be permitted per network. However, when an IoT network is built, there are cases where multiple onboarding tools coexist. Since the existing OCF system presumes one onboarding tool per network, devices whose security was configured by different onboarding tools cannot communicate with each other.
FIG. 10 shows security configuration by a plurality of onboarding tools. Mutual authentication between client A and server A may have been performed by onboarding tool A, while client B may have been authenticated by onboarding tool B. Because client B and server A were authenticated by different onboarding tools, communication between the two devices is impossible.
For a client and a server to communicate securely, both the client and the server must hold credentials that enable mutual authentication. As described above, the credentials may be pre-shared symmetric keys, asymmetric keys and/or certificates. In addition, for the client and the server to communicate securely, the client must have been granted access rights so that it can access the resources of the server.
Credentials may be generated by an application within the device itself. Alternatively, a certificate may be issued when the device is manufactured. Alternatively, the CMS designated by the onboarding tool at onboarding time may manage the credentials dynamically.
Likewise, the AMS designated at onboarding time may manage the access control associated with access rights.
The CMS and the AMS may also be implemented as part of the onboarding tool. As described above, the onboarding tool may be implemented as an application on a smartphone and/or a TV.
A new IoT device whose security has not been configured through an onboarding tool may be unable to communicate with existing IoT devices. Moreover, a client application that carries onboarding tool functionality may be difficult to onboard with another onboarding tool. A smartphone containing such a client application may therefore find it difficult to join, through that client, an OCF network configured by a different onboarding tool.
An OCF network may be configured by a particular onboarding tool, completing the credential and access control configuration of its IoT devices. Afterwards, the onboarding tool that configured the OCF network may leave the range of the network. If the onboarding tool that originally configured the OCF network is no longer present in that network, there is no way to allow a new client to join it.
To solve this problem, this specification proposes a method in which a new client device authenticates directly with a device and newly generates credentials, without the intervention of the device that owns the OCF network (the Owner). Credential generation by the new client may be possible only when the device that owns the OCF network has allowed credential generation by new clients in advance.
FIG. 11 shows a flowchart according to an embodiment of the present invention.
Referring to FIG. 11, when an application including an onboarding tool is executed on a particular device, the onboarding tool can search by multicast for devices already owned by another onboarding tool. If a device owned by another onboarding tool exists, the tool checks whether the user wants to use that already-owned device.
If the user wants to use the already-owned device, the operations related to FIGS. 12 to 14 may be performed.
Referring to FIG. 12, when the user wants to use an already-owned device, /acg (anonymous credential generation) may be defined on the server device as a new security-related resource. The /acg resource may be exposed on an unsecured channel (e.g. CoAP). The /acg resource can serve to determine the authentication methods supported by the server device, and can be used as the interface for starting the DTLS handshake.
An onboarding tool that wants to join an already-configured OCF network (hereinafter the second onboarding tool) can use the /acg resource to control a device already owned by the onboarding tool that originally configured the OCF network (hereinafter the first onboarding tool). Through the /acg resource, the second onboarding tool can generate credentials with the device owned by the first onboarding tool. Credential generation between the second onboarding tool and the already-owned device can take place without the intervention of the first onboarding tool.
Referring to FIG. 12, the first onboarding tool (OBT A) first onboards server A, so that the first onboarding tool takes ownership of server A. To use server A, which belongs to the network configured by the first onboarding tool, the second onboarding tool (OBT B) checks the ownership status of server A. If server A is owned by another onboarding tool, the second onboarding tool checks whether server A supports ACG (Anonymous Credential Generation). If server A supports ACG, the second onboarding tool can request server A to generate credentials.
The DTLS handshake and credential generation performed in response to the credential generation request of the second onboarding tool may follow the embodiment shown in FIG. 13 or FIG. 14.
An anonymous device including an onboarding tool can generate credentials with the server device. Before generating credentials with the server device, the anonymous device may have to prove its authority to generate credentials using one of the supported authentication methods. The supported authentication methods may include PIN, ID/password, QR (Quick Response) code and/or certificate methods.
Authentication by PIN, ID/password and/or QR may be performed, as shown in FIG. 13, by entering the PIN, ID/password and/or QR in the second onboarding tool application and verifying it during the DTLS handshake.
A formalized PSK (pre-shared key) credential is generated between the two devices from the result of the DTLS handshake together with information including the IDs of both devices. The generated PSK can then be used to authenticate communication between the devices.
Alternatively, the device including the onboarding tool and the server device may hold certificates usable for mutual authentication. The certificate may be a particular device manufacturer's own certificate or an OCF-certified certificate. When certificates capable of mutual authentication are present in the second onboarding tool and server A, as in FIG. 14, no separate key (e.g. PSK) needs to be generated during the DTLS handshake; the certificates already held can be used to authenticate communication between the devices.
Even when credentials have been generated between the onboarding tool in the anonymous device and the server, and the devices have authenticated each other, the client can access the resources of the server device only if rights for that client have already been configured in the access control list (/acl2) resource.
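The passage above says the new PSK credential is derived from the DTLS handshake result together with both device IDs, and the earlier symmetric-key passage describes the client-side checks on ServerKeyExchange (the presented credential is in my list, and its subject ID equals the server's ID). The following is an added example, not code from the patent or from an OCF stack, that carries both through: it binds a pairwise PSK to a handshake secret and both UUIDs with HKDF-SHA256, stores the result as an /oic/sec/cred-style entry on each side, and runs the identity checks plus a Finished-style proof of possession. The HKDF label, the credential dictionary shape (credtype 1 for a symmetric pairwise key), the device UUIDs and the handshake secret are all constructed assumptions of this example; in a real handshake the secret would come from the PIN- or password-authenticated key exchange.

```python
"""Added example (not from the patent): derive the pairwise PSK both ends hold
after an authenticated DTLS handshake, store it as an /oic/sec/cred-style
entry, and perform the client-side credential checks the text describes."""
import hashlib
import hmac


def hkdf_sha256(ikm, salt, info, length):
    """RFC 5869 HKDF with SHA-256 (extract, then expand)."""
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_psk(handshake_secret, uuid_a, uuid_b, length=16):
    """Bind the PSK to the handshake result and to both device IDs. Sorting the
    IDs makes the derivation order-independent, so both sides compute the same
    key. The label string is an assumption of this example."""
    info = b"example-acg-psk|" + "|".join(sorted((uuid_a, uuid_b))).encode()
    return hkdf_sha256(handshake_secret, b"", info, length)


def make_credential(credid, subject_uuid, psk):
    # Shape modelled on an /oic/sec/cred entry; credtype 1 = symmetric pairwise key (assumption).
    return {"credid": credid, "subjectuuid": subject_uuid, "credtype": 1, "privatedata": psk}


def find_credential(cred_store, subject_uuid):
    for cred in cred_store:
        if cred["subjectuuid"] == subject_uuid:
            return cred
    return None


def client_checks_server(cred_store, presented_identity, expected_server_uuid):
    """Client-side checks on ServerKeyExchange: the identity the server presents
    must be a credential we hold, and its subject must be the server we believe
    we are talking to. Returns the PSK to use, or None to abort the handshake."""
    cred = find_credential(cred_store, presented_identity)
    if cred is None:
        return None
    if not hmac.compare_digest(cred["subjectuuid"].encode(), expected_server_uuid.encode()):
        return None
    return cred["privatedata"]


def prove_possession(psk, transcript):
    """Finished-style check: each side MACs the handshake transcript with the PSK."""
    return hmac.new(psk, transcript, hashlib.sha256).digest()


# Constructed sample values (not from the patent).
PHONE_B = "11111111-2222-3333-4444-555555555555"
BULB = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
HANDSHAKE_SECRET = hashlib.sha256(b"constructed: PIN-authenticated DTLS shared secret").digest()


def run_example():
    """Both sides derive the PSK, store it against the peer, and check each other."""
    psk_phone = derive_psk(HANDSHAKE_SECRET, PHONE_B, BULB)
    psk_bulb = derive_psk(HANDSHAKE_SECRET, BULB, PHONE_B)
    phone_store = [make_credential(1, BULB, psk_phone)]
    bulb_store = [make_credential(1, PHONE_B, psk_bulb)]
    transcript = b"constructed DTLS handshake transcript"
    other = "ffffffff-0000-0000-0000-000000000000"
    return {
        "same_psk": psk_phone == psk_bulb,
        "client_accepts_bulb": client_checks_server(phone_store, BULB, BULB) is not None,
        "client_rejects_other_subject": client_checks_server(phone_store, BULB, other) is None,
        "client_rejects_unknown_identity": client_checks_server(phone_store, other, BULB) is None,
        "finished_matches": hmac.compare_digest(prove_possession(psk_phone, transcript),
                                                prove_possession(psk_bulb, transcript)),
        "server_side_ok": client_checks_server(bulb_store, PHONE_B, PHONE_B) is not None,
    }
```

Because the device IDs are mixed into the derivation, a PSK agreed with one bulb cannot be replayed as a credential for another device even if the underlying handshake secret were identical, and the subject check rejects a server that presents a credential belonging to someone else.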
For a subject device that is the target of access, access rights may be granted by specifying a particular client device. Alternatively, access rights may be granted to all devices by setting the access-rights value of the subject device to a wildcard value.
If the first onboarding tool does not communicate with a new client residing on the same device as the second onboarding tool, that new client cannot be authenticated by the first onboarding tool, and the first onboarding tool cannot configure rights for that new client on the server device. A wildcard value can be used so that new clients can communicate with the server device without the first onboarding tool authenticating each individual client.
When a wildcard is configured, access rights can be managed by distinguishing connection types, as shown in Table 4.
[Table 4]
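Two passages above describe how the access control list governs what an authenticated peer may actually do: the FIG. 9 scenario, where device 0x0001 may Retrieve the bulb state but gets a rejection on Update, and the wildcard case just described, where a wildcard subject is qualified by connection type so that clients the first onboarding tool never saw can still be admitted. The following is an added example, not code from the patent or from an OCF implementation, that evaluates /oic/sec/acl2-style entries under both models. The permission bitmask values and the two connection-type names ("auth-crypt" for an authenticated client on an encrypted channel, "anon-clear" for an anonymous client on the clear channel) follow the OCF Security specification as this example understands it; the resource hrefs, device IDs and sample ACLs are constructed. Table 4 itself is not reproduced here.

```python
"""Added example (not from the patent): evaluate /oic/sec/acl2-style entries,
including a wildcard subject qualified by connection type, and make sure a
denied Update leaves the resource untouched."""
from dataclasses import dataclass
from typing import List, Optional

# ACE permission bitmask (OCF Security specification values, assumed here).
CREATE, RETRIEVE, UPDATE, DELETE, NOTIFY = 1, 2, 4, 8, 16


@dataclass
class Ace:
    resources: List[str]                  # hrefs this entry covers; "*" matches any
    permission: int                       # bitmask of the constants above
    subject_uuid: Optional[str] = None    # a specific client device, or ...
    conntype: Optional[str] = None        # ... a wildcard subject with "auth-crypt" / "anon-clear"


@dataclass
class Request:
    href: str
    operation: int                        # exactly one permission bit
    device_uuid: Optional[str] = None     # None when the client is unauthenticated
    encrypted: bool = False               # True when the request arrived over DTLS


def subject_matches(ace, req):
    if ace.subject_uuid is not None:
        return req.device_uuid is not None and req.device_uuid == ace.subject_uuid
    if ace.conntype == "auth-crypt":      # any authenticated client on an encrypted channel
        return req.encrypted and req.device_uuid is not None
    if ace.conntype == "anon-clear":      # an anonymous client on the clear channel
        return not req.encrypted and req.device_uuid is None
    return False


def resource_matches(ace, href):
    return "*" in ace.resources or href in ace.resources


def is_allowed(acl, req):
    """Default deny: grant only if some ACE matches subject, resource and operation."""
    return any(subject_matches(a, req) and resource_matches(a, req.href)
               and a.permission & req.operation for a in acl)


def handle_request(acl, state, req, new_state=None):
    """Server-side handling of a Retrieve/Update on one resource.
    Returns (CoAP-style response code, resulting resource state)."""
    if not is_allowed(acl, req):
        return "4.01 Unauthorized", state          # rejected; the resource is not changed
    if req.operation == RETRIEVE:
        return "2.05 Content", state
    if req.operation == UPDATE:
        return "2.04 Changed", new_state
    return "4.05 Method Not Allowed", state


# Constructed sample data (not from the patent).
# FIG. 9 style: device 0x0001 may read the bulb state but not change it.
ACL_FIG9 = [Ace(resources=["/a/light"], permission=RETRIEVE, subject_uuid="0x0001")]

# FIG. 15 style: wildcard subject; any authenticated DTLS client may read and update
# the bulb, and /acg is readable anonymously on the clear channel so ACG support
# can be discovered before credentials exist.
ACL_WILDCARD = [
    Ace(resources=["/a/light"], permission=RETRIEVE | UPDATE, conntype="auth-crypt"),
    Ace(resources=["/acg"], permission=RETRIEVE, conntype="anon-clear"),
]
```

With ACL_FIG9, a Retrieve from 0x0001 returns 2.05 Content while an Update returns 4.01 Unauthorized with the bulb state unchanged; with ACL_WILDCARD, an authenticated client the first onboarding tool never enrolled can update the bulb, but the same client on the clear channel, or an anonymous client over DTLS, cannot.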
Through the proposed embodiments, a new client device and a server device already owned by the first onboarding tool can communicate without the intervention of the first onboarding tool that performed the initial security configuration. Moreover, the credentials with which the new client device and the server device owned by the first onboarding tool authenticate each other can be generated without the intervention of the first onboarding tool.
FIG. 15 illustrates the embodiment described with reference to FIGS. 11 to 14.
Referring to FIG. 15, a first device (Phone A) including the first onboarding tool first onboards a light bulb. The first device also sets the value of the access control list resource (/acl2) to a wildcard value, so that anonymous devices can generate credentials with the bulb.
A second device (Phone B) including the second onboarding tool can discover the light bulb included in the OCF network configured by the first device. Having discovered a device owned by the first device, the second device checks whether the bulb supports ACG and, if it does, selects an authentication method. As described above, the authentication methods may include authentication based on PIN, ID/password, QR and/or certificate. Based on the selected authentication method, the second device performs the DTLS handshake and device authentication with the bulb, and generates and confirms the credentials. Once the credentials are generated and confirmed, encrypted communication between the second device and the bulb is possible.
If the user does not want to use a device already owned by another onboarding tool, or no device owned by another onboarding tool exists, the second onboarding tool searches by multicast for devices not owned by any other onboarding tool. If an unowned device is found, the second onboarding tool can perform the onboarding procedure with that device and configure a new OCF network.
FIG. 16 is a flowchart of a signal reception method according to embodiments of the present invention.
Referring to FIG. 16, an embodiment of the present invention may be performed by a particular communication device (a first device). The method performed by the first device may comprise: discovering an IoT device belonging to a network configured by a second device (S1601); checking whether the discovered IoT device supports ACG (S1603); if the discovered IoT device supports ACG, performing security authentication with it without receiving any security-related message from the second device that configured the network (S1605); and performing secure communication with the IoT device with which security authentication was performed (S1607). The IoT device may have been pre-configured to communicate securely with the second device that configured the network.
The IoT device may include an ACL resource indicating the list of resources accessible to the first device. The ACL resource may include information about the resources accessible to the first device (even when the first device has not previously been authenticated by the second device).
Security authentication between the first device and the IoT device may be performed by generating a PSK (Pre-Shared Key) based on at least one of a PIN, ID/password and/or QR (Quick Response) code. Secure communication may then be performed based on the generated PSK.
Alternatively, security authentication between the first device and the IoT device may be performed based on certificates stored in the first device and the IoT device respectively. Secure communication may then be performed based on the security authentication carried out using the certificates stored in the first device and the IoT device.
In addition to the operations shown in FIG. 16, the first device may additionally perform one or more of the operations proposed with reference to FIGS. 1 to 15.
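Steps S1601 to S1607, together with the FIG. 11 branches (already-owned devices, the user's choice whether to use them, and the fall-back to discovering unowned devices) and the FIG. 15 walkthrough, form one decision procedure for the second onboarding tool. The following is an added example, not code from the patent or from an OCF stack, that implements that procedure over a constructed set of discovered devices: it reads the ownership state an /oic/sec/doxm response would carry, treats the presence of an /acg resource as the ACG-support check, and picks the first authentication method both sides support. The representation of /acg as a list of method names, the method preference order, and all device and OBT identifiers are assumptions of this example.

```python
"""Added example (not from the patent): the second onboarding tool's decision
logic over discovered devices, following S1601-S1607 and the FIG. 11 branches."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class DiscoveredDevice:
    device_uuid: str
    owned: bool                        # /oic/sec/doxm "owned"
    owner_uuid: Optional[str]          # /oic/sec/doxm device owner UUID (None when unowned)
    acg_methods: Optional[List[str]]   # contents of /acg when present; None = no ACG support (shape assumed)


# Authentication methods this onboarding tool can perform, most preferred first (order assumed).
MY_METHODS = ["cert", "pin", "qr", "idpw"]


def decide(dev, my_uuid, my_methods=MY_METHODS, use_existing=True):
    """Return (action, detail) for one discovered device."""
    if not dev.owned:
        return "onboard", None                 # unowned: ordinary OTM onboarding into a new network
    if dev.owner_uuid == my_uuid:
        return "already-owned", None           # we configured this device earlier
    if not use_existing:
        return "skip", None                    # user declined to use another OBT's devices
    if dev.acg_methods is None:                # S1603: no /acg, so no way in without the first OBT
        return "unreachable", None
    for method in my_methods:                  # choose the first method both sides support
        if method in dev.acg_methods:
            return "acg", method               # S1605: authenticate with it, then S1607 secure traffic
    return "unreachable", None                 # ACG offered, but no method in common


def plan(devices, my_uuid, use_existing=True):
    """S1601 has produced `devices`; decide what to do with each of them."""
    return {d.device_uuid: decide(d, my_uuid, use_existing=use_existing) for d in devices}


# Constructed sample network (not from the patent).
OBT_A, OBT_B = "obt-a", "obt-b"
SAMPLE = [
    DiscoveredDevice("bulb", True, OBT_A, ["pin", "qr"]),   # owned by A, supports ACG
    DiscoveredDevice("door", True, OBT_A, None),            # owned by A, no ACG
    DiscoveredDevice("sensor", False, None, None),          # fresh out of the box
    DiscoveredDevice("tv", True, OBT_B, ["cert"]),          # already ours
]
```

Run against the sample, the bulb is reached through ACG with the PIN method, the door stays unreachable because its owner never enabled ACG, the sensor goes through normal onboarding, and the TV needs nothing; when the user declines to use another tool's devices, only the sensor is acted on. The "unreachable" outcome is the security-relevant one: a device whose owner did not opt in cannot be talked into generating a credential by a stranger.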
Device configuration
FIG. 17 is a block diagram showing the components of a transmitting device 10 and a receiving device 20 that perform embodiments of the present invention. The transmitting device 10 and the receiving device 20 respectively include a transmitter/receiver 13, 23 capable of transmitting or receiving radio signals carrying information and/or data, signals, messages and the like; a memory 12, 22 storing various information related to communication in the wireless communication system; and a processor 11, 21 operatively connected to components such as the transmitter/receiver 13, 23 and the memory 12, 22, and configured to control the memory 12, 22 and/or the transmitter/receiver 13, 23 so that the device performs at least one of the embodiments of the present invention described above.
The memory 12, 22 may store a program for the processing and control of the processor 11, 21 and may temporarily store input/output information; the memory 12, 22 may be used as a buffer. The processor 11, 21 typically controls the overall operation of the various modules in the transmitting or receiving device, and in particular may perform various control functions for carrying out the present invention. The processor 11, 21 may also be called a controller, microcontroller, microprocessor, microcomputer or the like. The processor 11, 21 may be implemented by hardware, firmware, software or a combination of these. When the present invention is implemented using hardware, the processor 11, 21 may be provided with ASICs (application specific integrated circuits), DSPs (digital signal processors), DSPDs (digital signal processing devices), PLDs (programmable logic devices), FPGAs (field programmable gate arrays) or the like configured to carry out the present invention. When the present invention is implemented using firmware or software, the firmware or software may be configured to include modules, procedures or functions that perform the functions or operations of the present invention, and the firmware or software configured to carry out the present invention may be provided within the processor 11, 21 or stored in the memory 12, 22 and executed by the processor 11, 21.
전송장치(10)의 프로세서(11)는 상기 프로세서(11) 또는 상기 프로세서(11)와 연결된 스케줄러로부터 스케줄링되어 외부로 전송될 신호 및/또는 데이터에 대하여 소정의 부호화(coding) 및 변조(modulation)를 수행한 후 송신기/수신기(13)에 전송한다. 예를 들어, 프로세서(11)는 전송하고자 하는 데이터 열을 역다중화 및 채널 부호화, 스크램블링, 변조과정 등을 거쳐 K개의 레이어로 변환한다. 부호화된 데이터 열은 코드워드로 지칭되기도 하며, MAC 계층이 제공하는 데이터 블록인 전송 블록과 등가이다. 일 전송블록(transport block, TB)은 일 코드워드로 부호화되며, 각 코드워드는 하나 이상의 레이어의 형태로 수신장치에 전송되게 된다. 주파수 상향 변환을 위해 송신기/수신기(13)는 오실레이터(oscillator)를 포함할 수 있다. 송신기/수신기(13)는 Nt개(Nt는 1보다 이상의 양의 정수)의 전송 안테나를 포함할 수 있다. The processor 11 of the transmission device 10 is scheduled from the processor 11 or a scheduler connected to the processor 11 and predetermined encoding and modulation for signals and / or data to be transmitted to the outside. And transmits it to the transmitter / receiver 13. For example, the processor 11 converts data streams to be transmitted into K layers through demultiplexing, channel encoding, scrambling, and modulation. The coded data stream is also referred to as a codeword, and is equivalent to a transport block, which is a data block provided by the MAC layer. One transport block (TB) is encoded as one codeword, and each codeword is transmitted to a receiving device in the form of one or more layers. For frequency upconversion, the transmitter / receiver 13 may include an oscillator. The transmitter / receiver 13 may include Nt transmit antennas (Nt is a positive integer greater than 1).
The signal processing of the receiving device 20 is the inverse of the signal processing of the transmitting device 10. Under the control of the processor 21, the transmitter/receiver 23 of the receiving device 20 receives the radio signal transmitted by the transmitting device 10. The transmitter/receiver 23 may include Nr receive antennas, and the transmitter/receiver 23 frequency down-converts each signal received through the receive antennas to restore a baseband signal. The transmitter/receiver 23 may include an oscillator for frequency down-conversion. The processor 21 may perform decoding and demodulation on the radio signal received through the receive antennas to restore the data that the transmitting device 10 originally intended to transmit.
The transmitters/receivers 13 and 23 include one or more antennas. Under the control of the processors 11 and 21, according to an embodiment of the present invention, an antenna transmits a signal processed by the transmitter/receiver 13 or 23 to the outside, or receives a radio signal from the outside and delivers it to the transmitter/receiver 13 or 23. An antenna is also called an antenna port. Each antenna may correspond to one physical antenna or may be configured as a combination of more than one physical antenna element. The signal transmitted from each antenna cannot be further decomposed by the receiving device 20. The reference signal (RS) transmitted for a given antenna defines that antenna from the viewpoint of the receiving device 20 and enables the receiving device 20 to estimate the channel for that antenna, regardless of whether the channel is a single radio channel from one physical antenna or a composite channel from a plurality of physical antenna elements including that antenna. That is, an antenna is defined such that the channel carrying a symbol on the antenna can be derived from the channel carrying another symbol on the same antenna. A transmitter/receiver supporting a multi-input multi-output (MIMO) function, which transmits and receives data using a plurality of antennas, may be connected to two or more antennas.
In embodiments of the present invention, a terminal or UE operates as the transmitting device 10 in the uplink and as the receiving device 20 in the downlink. In embodiments of the present invention, a base station or eNB operates as the receiving device 20 in the uplink and as the transmitting device 10 in the downlink.
The transmitting device and/or the receiving device may perform at least one of the embodiments of the present invention described above, or a combination of two or more of them.
The transmitting device and/or receiving device 10, 20 may be a base station, a network node, a transmitting terminal, a receiving terminal, a wireless device, a wireless communication device, a vehicle, a vehicle equipped with an autonomous driving function, a drone (Unmanned Aerial Vehicle, UAV), an Artificial Intelligence (AI) module, a robot, an Augmented Reality (AR) device, a Virtual Reality (VR) device, or another device.
For example, a terminal may include a mobile phone, a smart phone, a laptop computer, a digital broadcasting terminal, a personal digital assistant (PDA), a portable multimedia player (PMP), a navigation device, a slate PC, a tablet PC, an ultrabook, a wearable device (for example, a smartwatch, smart glasses, or a head mounted display (HMD)), and the like. For example, a drone may be an aircraft that carries no person and flies under radio control signals. For example, an HMD may be a display device worn on the head. For example, an HMD may be used to implement VR or AR.
The embodiments described above are combinations of the components and features of the present invention in predetermined forms. Each component or feature should be considered optional unless explicitly stated otherwise. Each component or feature may be practiced without being combined with other components or features. It is also possible to construct an embodiment of the present invention by combining some of the components and/or features. The order of the operations described in the embodiments of the present invention may be changed. Some configurations or features of one embodiment may be included in another embodiment or may be replaced with corresponding configurations or features of another embodiment. It is obvious that claims having no explicit citation relationship in the appended claims may be combined to form an embodiment or may be included as new claims by amendment after filing.
It will be apparent to those skilled in the art that the present invention may be embodied in other specific forms without departing from the spirit and essential features of the present invention. Accordingly, the above detailed description should not be construed as limiting in all respects and should be considered illustrative. The scope of the present invention should be determined by reasonable interpretation of the appended claims, and all changes within the equivalent scope of the present invention are included in the scope of the present invention.
As described above, the present invention can be applied to various wireless communication systems.
Claims (10)
- 1. A secure communication method performed by a first device in a wireless communication system, the method comprising:
  searching for an Internet of Things (IoT) device belonging to a network configured by a second device, wherein the IoT device is preset to perform secure communication with the second device;
  checking whether the IoT device supports Anonymous Credential Generation (ACG);
  when the IoT device supports ACG, performing security authentication for secure communication with the IoT device even without receiving a security-related message from the second device; and
  performing secure communication with the IoT device based on the security authentication.
- 2. The secure communication method according to claim 1, wherein the IoT device includes an Access Control List (ACL) resource for indicating a list of resources accessible by the first device.
- 3. The secure communication method according to claim 2, wherein the ACL resource includes information on resources accessible by the first device even when the first device has not been previously authenticated by the second device.
- 4. The secure communication method according to claim 1, wherein the security authentication is performed by generating a Pre-Shared Key (PSK) based on one or more of a PIN, an ID/password, and/or a QR (Quick Response) code, and the secure communication is performed based on the generated PSK.
- 5. The secure communication method according to claim 1, wherein the security authentication and the secure communication are performed based on certificates pre-stored in the first device and the IoT device.
- 6. A first device for performing secure communication in a wireless communication system, the first device comprising:
  a transceiver; and
  a processor that controls the transceiver,
  wherein the processor is configured to:
  search for an Internet of Things (IoT) device belonging to a network configured by a second device, wherein the IoT device is preset to perform secure communication with the second device;
  check whether the IoT device supports Anonymous Credential Generation (ACG);
  when the IoT device supports ACG, perform security authentication for secure communication with the IoT device even without receiving a security-related message from the second device; and
  perform secure communication with the IoT device based on the security authentication.
- 7. The first device according to claim 6, wherein the IoT device includes an Access Control List (ACL) resource for indicating a list of resources accessible by the first device.
- 8. The first device according to claim 6, wherein the ACL resource includes information on resources accessible by the first device even when the first device has not been previously authenticated by the second device.
- 9. The first device according to claim 6, wherein the security authentication is performed by generating a Pre-Shared Key (PSK) based on at least one of a PIN (Personal Information Number), an ID/password, and/or a QR (Quick Response) code, and the secure communication is performed based on the generated PSK.
- 10. The first device according to claim 6, wherein the security authentication and the secure communication are performed based on certificates pre-stored in the first device and the IoT device.
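As an added example that is not part of the patent, the following Python models the client flow of claims 1 to 4: discovery yields an ACG capability flag and an ACL resource, an ACG-capable device is authenticated with a PSK derived from an out-of-band secret without any message from the second (configuring) device, and a device without ACG is reachable only through a credential that the second device provisioned. The KDF, the challenge-response proof, and every identifier and href are assumptions made for this example; the patent fixes none of them.

```python
# Added example, not the patent's own code: a model of the claimed client flow.
import hashlib
import hmac
import secrets

ANON = "anon"  # constructed ACE subject: "any client, authenticated or not"


def derive_psk(device_id: str, client_id: str, secret: str) -> bytes:
    """PSK from an out-of-band secret (PIN, ID/password or QR payload).

    The patent does not fix a KDF; PBKDF2-HMAC-SHA256 with a salt that binds
    the key to both device and client identity is an assumption made here.
    """
    salt = f"{device_id}|{client_id}".encode()
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000, 32)


class IoTDevice:
    """Device already configured into a network by the second device (OBT)."""

    def __init__(self, device_id, supports_acg, secret, acl):
        self.device_id = device_id
        self.supports_acg = supports_acg  # advertised at discovery (claim 1)
        self._secret = secret             # e.g. PIN on the device label; constructed
        self.acl = acl                    # ACL resource: href -> allowed subject ids

    def accessible_resources(self, client_id=None):
        """ACL view for a client; an unauthenticated client sees only ANON entries (claim 3)."""
        subject = ANON if client_id is None else client_id
        return sorted(h for h, subjects in self.acl.items()
                      if subject in subjects or ANON in subjects)

    def verify(self, client_id, nonce, tag):
        """Accept a proof of PSK possession; a non-ACG device never accepts one."""
        if not self.supports_acg:
            return False
        psk = derive_psk(self.device_id, client_id, self._secret)
        expected = hmac.new(psk, nonce, "sha256").digest()
        return hmac.compare_digest(expected, tag)


def secure_connect(client_id, device, secret=None, obt_credential=None):
    """First-device flow of claim 1. Returns (status, key_or_None)."""
    if device.supports_acg:
        if secret is None:
            return "needs_out_of_band_secret", None
        # ACG path: authenticate with no security-related message from the OBT.
        psk = derive_psk(device.device_id, client_id, secret)
        nonce = secrets.token_bytes(16)
        tag = hmac.new(psk, nonce, "sha256").digest()
        if device.verify(client_id, nonce, tag):
            return "authenticated", psk
        return "rejected", None
    # Non-ACG device: only a credential provisioned by the second device works.
    if obt_credential is None:
        return "requires_obt", None
    return "authenticated_via_obt", obt_credential
```

Only the client proves key possession here; a deployment would feed the PSK into a mutually authenticated handshake, and the check in `accessible_resources` is what keeps a client that has not yet authenticated confined to the ANON entries of the ACL.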
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title
---|---|---|---
KR20180136894 | 2018-11-08 | |
KR10-2018-0136894 | 2018-11-08 | |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2020096162A1 true WO2020096162A1 (en) | 2020-05-14 |
Family
ID=70611372
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/KR2019/008226 WO2020096162A1 (en) | 2018-11-08 | 2019-07-04 | Method and device for secure communication in wireless communication system |
Country Status (1)
Country | Link |
---|---|
WO (1) | WO2020096162A1 (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2024168935A1 (en) * | 2023-02-19 | 2024-08-22 | 北京小米移动软件有限公司 | Message verification method and apparatus therefor |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR20060057345A (en) * | 2004-11-23 | 2006-05-26 | 삼성전자주식회사 | System and method for making a secure connection between home network devices |
KR20100040694A (en) * | 2008-10-10 | 2010-04-20 | 삼성전자주식회사 | System and method for establishing security of contrilled device by control point device in home network |
KR101737345B1 (en) * | 2016-10-27 | 2017-05-18 | 아주대학교산학협력단 | Method and apparatus for authenticating Internet-Of-Things device in cloud-based Internet-Of-Things system |
KR20170088193A (en) * | 2016-01-22 | 2017-08-01 | 한국전자통신연구원 | System for object-based social network service and journalism activities in the autonomous IoT environment |
Events: 2019-07-04 WO PCT/KR2019/008226 patent/WO2020096162A1/en active Application Filing
Non-Patent Citations (1)
Title |
---|
NI, JIANBING ET AL.: "Efficient and Secure Service-Oriented Authentication Supporting Network Slicing for 5G-Enabled IoT", IEEE JOURNAL ON SELECTED AREAS IN COMMUNICATIONS, vol. 36, no. 3, 12 March 2018 (2018-03-12), pages 644 - 657 * |
Legal Events
Date | Code | Title | Description
---|---|---|---
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 19881166; Country of ref document: EP; Kind code of ref document: A1
| NENP | Non-entry into the national phase | Ref country code: DE
| 122 | Ep: pct application non-entry in european phase | Ref document number: 19881166; Country of ref document: EP; Kind code of ref document: A1