1. Field of the Invention
The present invention relates to a technology for performing authentication processing to obtain permission for data transfer when a physical interface is connected to a network.
2. Description of the Related Art
There has been a demand for communication security, for example by encrypting or authenticating communications over a network, and the demand is increasing with the widespread use of the Internet, because anyone with a moderate knowledge of networks can sniff or modify data relatively easily. For this reason, security functions, which used to be provided by special-purpose devices manufactured to order, are now widely adopted in, for example, software on a personal computer (PC), image processing apparatuses, and communication apparatuses, and are used in ordinary offices.
In a device connectable to a network such as the Internet, in which the network functions and related programs are layered, processing such as encryption or authentication is performed in each layer of the open systems interconnection (OSI) reference model according to the purpose of that layer.
Transmission control protocol/Internet protocol (TCP/IP) communication on a local area network (LAN) is explained below based on the OSI reference model. The physical layer (Layer 1) and the data link layer (Layer 2) correspond to an interface card for, for example, Ethernet (Registered Trademark) (IEEE 802.3) or a wireless LAN (IEEE 802.11), and define the physical (PHY) communication protocol and the media access control (MAC) protocol, respectively. The network layer (Layer 3) and the transport layer (Layer 4) correspond to the IP protocol and the TCP protocol, respectively. The layers above Layer 4 (session, presentation, and application in the OSI model) are treated here collectively as the application layer.
Technologies are available for performing encryption and authentication in each layer: contents data is encrypted based on the application protocol of the highest layer; secure sockets layer (SSL) is used on top of the TCP protocol; the security architecture for the Internet protocol (IPsec) is used at the IP layer; and all communication data, including MAC-layer communication, is encrypted based on the MAC protocol. Although each such encryption requires both the transmission source and the transmission destination to be authenticated so that they can share an encryption key, this can be implemented with various types of encryption systems.
When a communication apparatus configured to perform authentication processing in each layer communicates with an external device via a network, it is important to control the operation of the communication apparatus according to the progress of that authentication processing. Technologies relating to such authentication processing are disclosed in several documents. For example, Japanese Patent Application Laid-open No. 2004-254277 discloses a technology for achieving a high-speed IP connection, in which, after detecting a successful authentication, an IP processing unit or a high-speed IP connection processing unit immediately requests a router advertisement message so that the subsequent IP connection processing is started at an early stage using the router advertisement message received in response to the request. Furthermore, Japanese Patent No. 3628315 discloses a technology for handling an upper-level protocol stack when operating based on an authentication protocol (PPPoE or IEEE 802.1X) on a wireless LAN, in which a middle-level protocol stack monitors the connection status and adjusts the disconnection notification to the upper-level protocol stack, thereby preventing frequent disconnections or abnormal connections on the wireless LAN, which is an unstable communication medium. Moreover, Japanese Patent Application Laid-open No. 2002-034066 discloses a technology for a wireless information communication terminal in which a data link layer control unit detects the usable wireless range and provides a display indicating that authentication or subscription processing during a communication has succeeded.
Among these layers, consider the interface card portion, where the communication apparatus is authenticated by the external device based on an authentication protocol before it is permitted to connect to the network. While that authentication is in progress, protocols above the interface card portion should not communicate, for the following reasons. First, when the authentication succeeds and an encrypted communication is to be performed in which the communication apparatus shares an encryption key with the device it communicates with, such as a hub in the case of wired communication or an access point in the case of a wireless LAN, no communication is possible even if an upper-level protocol attempts one before the communication apparatus has been authenticated. Second, even when no encryption is performed, the hub or access point will not forward data from the communication apparatus to the network before the communication apparatus is authenticated. As a result, a communication protocol address may not be obtained, or a duplicate communication protocol address may go undetected; for example, in TCP/IP, even if address-resolution data is transmitted in the unauthenticated state, a duplicate IP address may not be detected. Third, when a communication apparatus in the unauthenticated state transmits data other than that for the authentication processing (hereinafter, “authentication communication data”) to the external device, a control unit of the external device may detect that a large volume of abnormal unauthenticated data is being received and terminate the data communication, which obstructs the authentication processing.
Furthermore, when data from an upper-level application is received together with the authentication communication data during the data communication for the authentication processing (hereinafter, “authentication communication”), the authentication communication may be restarted from the beginning many times, which obstructs the authentication processing. This easily occurs when a disconnection in a lower-level layer causes the authentication communication to be restarted from the unauthenticated state, because the upper-level application cannot stop its communication promptly.
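The port behaviour and the failure modes described in the two preceding paragraphs, as an added example that is not part of the patent text: an authenticator port modelled on IEEE 802.1X (the hub or access point) forwards only authentication frames until the supplicant is authenticated, drops upper-layer data before that, aborts the exchange when data is mixed into it, and tears the session down after repeated stray frames; a supplicant-side gate queues upper-layer frames until authentication succeeds instead of letting them leak. The EtherType values are the real ones; the two-message exchange, the shared secret, the abuse threshold, and the class and scenario names are assumptions made for illustration.

```python
import hmac
from collections import deque
from dataclasses import dataclass
from enum import Enum, auto

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
ETHERTYPE_EAPOL = 0x888E  # IEEE 802.1X authentication frames

@dataclass
class Frame:
    ethertype: int
    payload: bytes

class PortState(Enum):
    UNAUTHENTICATED = auto()
    AUTHENTICATING = auto()
    AUTHENTICATED = auto()

class AuthenticatorPort:
    """Hub / access point side: only authentication traffic passes before success.
    The two-message exchange and the abuse threshold are assumed simplifications."""
    def __init__(self, expected_secret: bytes, abuse_threshold: int = 3):
        self.state = PortState.UNAUTHENTICATED
        self.expected_secret = expected_secret
        self.abuse_threshold = abuse_threshold  # assumed: tear down after N stray frames
        self.stray_frames = 0
        self.forwarded = []  # frames that reached the network behind the port

    def receive(self, frame: Frame) -> str:
        if frame.ethertype == ETHERTYPE_EAPOL:
            return self._handle_eapol(frame)
        if self.state is PortState.AUTHENTICATED:
            self.forwarded.append(frame)
            return "FORWARDED"
        if self.state is PortState.AUTHENTICATING:
            # Data mixed into the exchange aborts it; the supplicant must start over.
            self.state = PortState.UNAUTHENTICATED
            return "AUTH_ABORTED"
        self.stray_frames += 1
        return "SESSION_TERMINATED" if self.stray_frames >= self.abuse_threshold else "DROPPED"

    def _handle_eapol(self, frame: Frame) -> str:
        if frame.payload == b"START":
            self.state = PortState.AUTHENTICATING
            self.stray_frames = 0
            return "EAP_REQUEST"
        if self.state is PortState.AUTHENTICATING and frame.payload.startswith(b"RESPONSE:"):
            response = frame.payload[len(b"RESPONSE:"):]
            if hmac.compare_digest(response, self.expected_secret):  # constant-time compare
                self.state = PortState.AUTHENTICATED
                return "EAP_SUCCESS"
        self.state = PortState.UNAUTHENTICATED
        return "EAP_FAILURE"

class GatedInterface:
    """Supplicant side: upper-layer frames wait until the port is authenticated."""
    def __init__(self, port: AuthenticatorPort, secret: bytes):
        self.port, self.secret = port, secret
        self.pending = deque()
        self.authenticated = False

    def send(self, frame: Frame) -> str:
        if frame.ethertype == ETHERTYPE_EAPOL or self.authenticated:
            return self.port.receive(frame)
        self.pending.append(frame)  # blocked, not failed: nothing reaches the hub
        return "QUEUED"

    def authenticate(self) -> bool:
        if self.send(Frame(ETHERTYPE_EAPOL, b"START")) != "EAP_REQUEST":
            return False
        result = self.send(Frame(ETHERTYPE_EAPOL, b"RESPONSE:" + self.secret))
        self.authenticated = result == "EAP_SUCCESS"
        while self.authenticated and self.pending:
            self.send(self.pending.popleft())  # flush in original order
        return self.authenticated

def ungated_scenario():
    """ARP probes sent before authentication are dropped, then the session is torn down."""
    port = AuthenticatorPort(b"s3cret")
    return [port.receive(Frame(ETHERTYPE_ARP, b"who-has 192.0.2.10")) for _ in range(3)]

def interleaved_scenario():
    """A data frame during the exchange forces it to restart from the beginning."""
    port = AuthenticatorPort(b"s3cret")
    return [port.receive(Frame(ETHERTYPE_EAPOL, b"START")),
            port.receive(Frame(ETHERTYPE_IPV4, b"DHCPDISCOVER")),
            port.receive(Frame(ETHERTYPE_EAPOL, b"RESPONSE:s3cret"))]

def gated_scenario():
    """Queued frames reach the network after authentication, in order."""
    port = AuthenticatorPort(b"s3cret")
    iface = GatedInterface(port, b"s3cret")
    iface.send(Frame(ETHERTYPE_ARP, b"who-has 192.0.2.10"))
    iface.send(Frame(ETHERTYPE_IPV4, b"DHCPDISCOVER"))
    return iface.authenticate(), [f.payload for f in port.forwarded]
```

The ungated scenario shows why duplicate-address detection cannot work before authentication: the ARP probe never leaves the port, and repeating it only gets the session torn down. The gated interface keeps the same upper-layer behaviour (the frames are sent, in order) but defers the actual transmission until the link-layer state permits it.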
The technologies disclosed in Japanese Patent Application Laid-open No. 2004-254277, Japanese Patent No. 3628315, and Japanese Patent Application Laid-open No. 2002-034066 do not sufficiently solve the above problems. The problems are particularly difficult to solve in an apparatus, such as an image forming apparatus, whose realizable functions are implemented in advance.