In recent years, television sets (hereinafter referred to as “TVs”) having Internet Protocol Television (IPTV) functions have appeared. IPTV is the provision of services such as shopping and Video on Demand (VOD) to users over the Internet using Internet technologies. Some of these services, such as shopping and VOD, require entry of a user's credit card number for payment, or entry of a user's name, address, telephone number, etc. for user registration or delivery. Such data entry is performed using a control device (transmission device) such as a remote controller.
Control devices, so-called remote controllers, which control controlled devices such as TVs, conventionally use infrared rays to send commands to the controlled devices. Recently, the use of radio waves by control devices (remote controllers) to wirelessly transmit commands to the controlled devices has been considered.
However, wireless transmission (radio waves) generally has no directionality. For example, radio waves in wireless communication using the IEEE 802.15.4 standard travel a distance ranging from 10 m to 100 m. That is, wireless transmissions (radio waves) would easily travel from a user's house to an area where a third party is present. This allows a malicious third party to perform packet tapping, packet tampering, or a replay attack.
More specifically, the use of such a remote controller employing wireless transmission raises the following security concerns. Packet tapping would cause leakage of private information of a viewer of the controlled device, such as a name, an address, a telephone number, and a credit card number. Packet tapping would also reveal the viewer's preferences through analysis of the programs viewed by the viewer. Packet tampering would cause manipulation of the power source or channels of a TV controlled by a viewer, or would cause unintended shopping. Even if packet tampering is impossible, an attack called a replay attack would enable unauthorized manipulation of the power source or channels of the viewer's TV, or repetition of past shopping.
In order to avoid the above-described security concerns, IEEE 802.15.4 standardized in Non-Patent Reference 1, for example, offers secure communication using the following functions. 1) A payload is encrypted to prevent packet tapping. 2) A Message Integrity Code (MIC) is added to a packet so that a tampered packet can be detected, thereby preventing packet tampering. 3) A frame counter incremented for each packet transmission is used to prevent replay attacks. The Message Integrity Code (MIC) is a mechanism that assures the integrity of a message.
FIG. 1 is a diagram of packet structures. FIG. 2 is a schematic diagram of packet structures. Each of FIGS. 1 and 2 illustrates a structure of a plain text packet 101 using IEEE 802.15.4, and a structure of a secure packet 102 generated by applying the above-described functions to the plain text packet 101.
The plain text packet 101 illustrated in FIG. 1 includes a frame control 111, an address 112, a payload 113, and a Frame Check Sequence (FCS) 114. An example of the plain text packet 101 is a pairing request packet including a pairing request, or a pairing response packet including a pairing response indicating a response to the pairing request. FIG. 2 schematically illustrates a portion related to the above-described functions in the plain text packet 101. In other words, the plain text packet 101 illustrated in FIG. 2 includes the payload 113.
The secure packet 102 illustrated in FIG. 1 includes a frame control 121, an address 122, a frame counter (FC) 123, a Key Sequence Counter (KSC) 124, an encrypted payload 125, a MIC 126, and an FCS 127. An example of the secure packet 102 is a command packet including a command. FIG. 2 schematically illustrates a portion related to the above-described functions in the secure packet 102. In short, the secure packet 102 illustrated in FIG. 2 includes the frame counter 123, the encrypted payload 125, and the MIC 126.
Each of the frame control 111 and the frame control 121 is a header indicating a structure of the corresponding packet. The frame control 111 includes information of a plain text packet. The frame control 121 includes information of a secure packet.
Each of the addresses 112 and 122 is a field in which a destination address and a source address are indicated.
The payload 113 is data to be transmitted. An example of the payload 113 is data indicating a pairing request included in a pairing request packet, or data indicating a pairing response included in a pairing response packet.
Each of the FCS 114 and the FCS 127 is a checksum used for error detection, that is, data used to check for errors such as data corruption. More specifically, the FCS 114 is a Cyclic Redundancy Check (CRC) for the frame control 111, the address 112, and the payload 113. Here, CRC is an error detection method for detecting a series of errors. Likewise, the FCS 127 is a CRC for the frame control 121, the address 122, the frame counter 123, the KSC 124, the encrypted payload 125, and the MIC 126.
The frame counter 123 is a counter monotonically incremented for every packet transmission. More specifically, the frame counter 123 has a counter value that is incremented by 1 for each transmitted packet.
The KSC 124 is a counter monotonically incremented for every key updating.
The encrypted payload 125 is generated by encrypting the payload 113. An example of the encrypted payload 125 is data indicating a command included in a command packet.
The MIC 126 is data generated by performing an operation using the frame control 121, the address 112, the frame counter 123, the KSC 124, the encrypted payload 125, and the key. The MIC 126 is used to check for tampering. The MIC 126 has a length of at least 4 bytes.
Thus, the plain text packet 101 and the secure packet 102 have the above-described structures.
Next, the description is given for the situation where communication is performed using the plain text packet 101 and the secure packet 102 between a TV as the controlled device and a remote controller as the control device.
More specifically, the plain text packet 101 and the secure packet 102 are used in the following manner. It is assumed in the following description that a remote controller transmits data (as the transmission device) and a TV receives the data (as the reception device).
First, the remote controller serving as the transmission device and the TV serving as the reception device perform processing called pairing using the plain text packet 101. The pairing includes, for example, address exchange, function confirmation, device verification, key sharing, and the like. It should be noted that the processing performed by the remote controller and the TV is not limited to the pairing as long as the remote controller and the TV can exchange a key used in the secure packet 102.
Next, the remote controller transmits the secure packet 102 to the TV. The secure packet 102 includes the encrypted payload 125 in which a command for controlling the TV is indicated.
This command, by which the remote controller controls the TV, is encrypted using a key and added as the encrypted payload 125 into the secure packet 102. Therefore, a third party who does not know the key cannot decrypt the encrypted command. As a result, it is possible to prevent a third party from tapping the command.
In addition, the MIC 126 in the secure packet 102 includes information (a hash value, for example) indicating the encrypted payload 125. The information is generated by performing an operation using a key shared between the transmission device and the reception device. Therefore, it is difficult for a third party who does not know the key to perform the operation correctly. Moreover, since the MIC 126 has a length of at least 4 bytes, even a so-called brute-force attack needs 2^31 tries, namely two billion tries on average, to perform the operation correctly, which is not practical. This means that the MIC 126 makes it difficult for a third party to perform the correct operation. Therefore, the MIC 126 is useful for checking for tampering.
Furthermore, the frame counter 123 in the secure packet 102 indicates a value of a counter which is incremented by 1 for each packet transmission. The reception device stores, as a value of a current reception frame counter, the value of the frame counter 123 included in a packet that has been received without error. If a value of a frame counter 123 in a currently received packet is equal to or smaller than the value of the current reception frame counter which is stored in the reception device, the reception device discards the currently received packet. Thereby, the reception device can avoid re-receiving of a packet that has already been received. As a result, it is possible to prevent a replay attack by which a third party obtains a packet transmitted using a remote controller by a viewer who is a true user and then re-transmits the obtained packet.
As described above, the conventional method ensures security of packets transmitted from the transmission device to the reception device. In other words, the conventional technology can transmit the secure packet 102 from the transmission device to the reception device in the above-described manner.
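The receiver-side checks described above (MIC verification, then the frame counter comparison), as an added Python example that is not part of the original document. The header layout is simplified and the FCS is omitted; because the Python standard library has no AES, a truncated HMAC-SHA256 and a SHA-256 keystream stand in for the AES-based operations of IEEE 802.15.4, and the key, address and frame control values are constructed.

```python
import hashlib
import hmac
import struct

HDR = struct.Struct("<H4sIB")  # simplified header: frame control, address, FC, KSC
MIC_LEN = 4                    # minimum MIC length given in the text

def _keystream(key, fc, ksc, n):
    # Stand-in cipher (not the AES-based one of IEEE 802.15.4): SHA-256 counter mode.
    out, block = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + struct.pack("<IBI", fc, ksc, block)).digest()
        block += 1
    return out[:n]

def _xor(data, ks):
    return bytes(a ^ b for a, b in zip(data, ks))

def _mic(key, covered):
    # Stand-in MIC: HMAC-SHA256 over header + encrypted payload, truncated.
    return hmac.new(key, covered, hashlib.sha256).digest()[:MIC_LEN]

def build_secure_packet(key, fctl, addr, fc, ksc, payload):
    hdr = HDR.pack(fctl, addr, fc, ksc)
    enc = _xor(payload, _keystream(key, fc, ksc, len(payload)))
    return hdr + enc + _mic(key, hdr + enc)

class Receiver:
    def __init__(self, key):
        self.key = key
        self.last_fc = -1   # current reception frame counter (none received yet)

    def receive(self, pkt):
        """Return the decrypted command, or None when the packet is discarded."""
        if len(pkt) < HDR.size + MIC_LEN:
            return None
        body, mic = pkt[:-MIC_LEN], pkt[-MIC_LEN:]
        if not hmac.compare_digest(mic, _mic(self.key, body)):
            return None     # tampered or forged; stored counter is not touched
        _fctl, _addr, fc, ksc = HDR.unpack(body[:HDR.size])
        if fc <= self.last_fc:
            return None     # equal or smaller counter: replayed packet
        self.last_fc = fc   # update only after the MIC check succeeded
        enc = body[HDR.size:]
        return _xor(enc, _keystream(self.key, fc, ksc, len(enc)))

def demo(key=b"constructed-demo-key"):  # constructed key, address and command
    rx, addr = Receiver(key), b"\x01\x00\x02\x00"
    pkt = build_secure_packet(key, 0x0809, addr, 1, 0, b"POWER")
    return rx.receive(pkt), rx.receive(pkt)  # (b"POWER", None)
```

Verifying the MIC before the stored counter is updated matters: a packet with a forged, very large frame counter is rejected without advancing the counter, so later genuine packets are still accepted.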