1. Field of the Invention
The present invention generally relates to a system and method for setting up security by authenticating and authorizing a control point or a user device using a home network middleware, Universal Plug and Play (UPnP). More particularly, the present invention relates to a method for managing an Access Control List (ACL) and sharing credentials mapped to roles that are objects to be authorized in the ACL among all controlled devices over a network, and an administration-mode control point for setting the security of a controlled device and a home network.
2. Description of the Related Art
In general, a home network is an Internet Protocol (IP)-based private network. The home network interconnects and controls various devices, including Personal Computers (PCs), intelligent products, and wireless devices, through a common virtual computing environment referred to as middleware. Middleware enables communications among digital devices by interconnecting the devices in a peer-to-peer scheme. Home AV Interoperability (HAVI), UPnP, Java Intelligent Network Infrastructure (Jini), Home Wide Web (HWW), etc. have been proposed as middleware.
With the introduction of the Plug and Play (PnP) function in current operating systems, the installation and setup of PC peripheral devices became much easier. UPnP extends this convenience to entire networks based on Internet standard technologies such as Transmission Control Protocol/Internet Protocol (TCP/IP), HyperText Transfer Protocol (HTTP), and eXtensible Markup Language (XML), thereby enabling the networking, particularly home networking, of various electronic appliances, network printers, and network devices such as Internet gateways.
A UPnP network includes a Controlled Device (CD) connected to and controlled by an IP-based home network and a Control Point (CP) for controlling the CD. In the UPnP network, the CP communicates with the CD using a UPnP protocol stack involving Internet protocols such as TCP/IP and HTTP and technologies such as XML and Simple Object Access Protocol (SOAP), according to the following steps:
Step 1 is addressing. The CP and the CD have respective IP addresses. When the CD joins the network, it receives an IP address by Dynamic Host Configuration Protocol (DHCP), or gets an IP address by an automatic IP function in the absence of a DHCP server in the network.
Step 2 is discovery. The CP discovers the CD or the CD advertises its location. The discovery stage is implemented by Simple Service Discovery Protocol (SSDP). If the CD is added to the network, the CD transmits an SSDP alive message to the network by an IP multicast function and the CP is made aware of the existence of the CD from the SSDP alive message. If the CP newly joins the network, the CP multicasts an SSDP Multicast-search (M-search) message to the network and, upon receipt of the SSDP M-search message, CDs transmit M-search response messages carrying their information to the CP.
Step 3 is description. The CP retrieves the description of the CD. The CP receives a response message from the CD, and when needed, the CP may request detailed information about the CD from the CD. Then the CD transmits its information in XML.
Step 4 is control. The CP operates the CD by controlling functions of the CD. If the CP intends to control any CD, the CP uses SOAP to invoke an action of an intended service on the CD, based on the detailed information about the CD. SOAP is an XML-based protocol carried over HTTP for making remote function calls.
Step 5 is eventing. The CP receives an event message from the CD. To receive the event message from the CD, the CP transmits a subscription request for the event to the CD. When the subscription is successful, the CD transmits the event message to the CP by General Event Notification Architecture (GENA).
Step 6 is presentation. The CP displays the state of the CD using the HTML of the CD.
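The discovery messages of Step 2 can be parsed passively to keep an inventory of the CDs announced on a home network. The following is an added example, not part of the original text: the datagrams, addresses, and UUIDs are constructed, the function names are hypothetical, and it also handles the SSDP byebye notification, which the text above does not mention.

```python
# Constructed sample SSDP datagrams (addresses and UUIDs are made up).
SAMPLES = [
    "NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
    "NT: upnp:rootdevice\r\nNTS: ssdp:alive\r\n"
    "USN: uuid:11111111-aaaa::upnp:rootdevice\r\n"
    "LOCATION: http://192.0.2.10:49152/desc.xml\r\n\r\n",
    "M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
    "MAN: \"ssdp:discover\"\r\nMX: 2\r\nST: ssdp:all\r\n\r\n",
    "HTTP/1.1 200 OK\r\nST: upnp:rootdevice\r\n"
    "USN: uuid:22222222-bbbb::upnp:rootdevice\r\n"
    "LOCATION: http://192.0.2.20:8080/rootDesc.xml\r\n\r\n",
    "NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
    "NT: upnp:rootdevice\r\nNTS: ssdp:byebye\r\n"
    "USN: uuid:11111111-aaaa::upnp:rootdevice\r\n\r\n",
]

def parse_ssdp(datagram):
    """Return (kind, headers); kind is None for anything unrecognized."""
    lines = datagram.split("\r\n")
    start = lines[0].strip()
    headers = {}
    for line in lines[1:]:
        # Split on the first colon only, so URLs and USNs keep their colons.
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    if start.startswith("NOTIFY "):
        nts = headers.get("NTS")
        kind = {"ssdp:alive": "alive", "ssdp:byebye": "byebye"}.get(nts)
    elif start.startswith("M-SEARCH "):
        kind = "search"
    elif start.startswith("HTTP/1.1 200"):
        kind = "response"
    else:
        kind = None
    return kind, headers

def inventory(datagrams):
    """Map each currently announced CD (by USN) to its description URL."""
    devices = {}
    for datagram in datagrams:
        kind, h = parse_ssdp(datagram)
        usn = h.get("USN")
        if kind in ("alive", "response") and usn and "LOCATION" in h:
            devices[usn] = h["LOCATION"]   # CD advertised or answered a search
        elif kind == "byebye":
            devices.pop(usn, None)         # CD announced it is leaving
    return devices
```
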
With reference to FIG. 1, a UPnP control operation will be described in more detail. FIG. 1 is a diagram illustrating a signal flow for a conventional UPnP control method. Referring to FIG. 1, when a CP 11 discovers a CD 12 in step 100, the CP transmits an action request to the CD 12 in step 101. In step 102, the CD 12 executes the requested action and changes the state of the CD 12 according to the executed action. The CD 12 notifies the CP 11 of an execution result by a response in step 103. That is, the CD 12 executes the requested action and then transmits a normal processing result or an error message to the CP 11.
The UPnP CD may provide various service functions to the CP based on this UPnP basic control mechanism (UPnP device architecture). For example, the UPnP CP may control the UPnP CD to reproduce Audio/Video (A/V) contents in another UPnP CD that provides a rendering service according to the UPnP basic control mechanism. If the UPnP CD is a gateway, the UPnP CP may change and set an IP address, a subnet address, and a gateway address to be allocated to an in-home device by controlling the UPnP gateway CD.
UPnP Device Security is a standard technology that provides authentication/access control/encryption to a CP using a UPnP device/service. Each of a CP and a CD that implement UPnP Device Security has a public key pair and uses a hash value of a public key as its security Identifier (ID). Each CD has an ACL which is created and managed by a security console. The security console defines the ACL for services provided by the CD based on the security ID of the CP. That is, the CP transmits a service request message including the CP security ID signed with its private key to the CD and the CD determines whether to accept or reject the request, referring to the ACL.
As described above, conventionally, the CD determines whether to accept or reject a request of the CP, referring to its ACL.
Since the ACL is defined based on security IDs allocated to the CP and the CD, when different users use the same CP, there is no way to distinguish them from each other. To avert this problem, a user certificate-based security method was proposed. However, the user certificate-based security method is not suitable for a home network environment because of certificate management complexity and a large amount of resources required for public key processing.
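The ACL check described above, and the limitation that two users of one CP cannot be told apart, can be shown in a short sketch. This is an added example, not part of the original text or of the UPnP Device Security specification: the toy textbook-RSA keys, the SHA-256 hash, the message layout, and all names are assumptions made for illustration.

```python
import hashlib

def make_key(p, q, e):
    # Toy textbook-RSA key pair from tiny constructed primes (insecure; it only
    # stands in for the public key pair each CP holds).
    n, phi = p * q, (p - 1) * (q - 1)
    return {"n": n, "e": e, "d": pow(e, -1, phi)}

def security_id(n, e):
    # Security ID = hash of the public key; SHA-256 is this example's choice.
    return hashlib.sha256(f"{n}:{e}".encode()).hexdigest()

def digest(action, n):
    # Hash of the requested action, reduced so the toy key can sign it.
    return int.from_bytes(hashlib.sha256(action.encode()).digest(), "big") % n

def cp_request(key, action, user):
    # `user` is known only at the CP; nothing the CD verifies depends on it.
    sig = pow(digest(action, key["n"]), key["d"], key["n"])
    return {"action": action, "pub": (key["n"], key["e"]), "sig": sig, "user": user}

def cd_authorize(acl, req):
    # CD side: verify the signature, then look the security ID up in the ACL.
    n, e = req["pub"]
    if pow(req["sig"], e, n) != digest(req["action"], n):
        return "reject: bad signature"
    allowed = acl.get(security_id(n, e), set())
    return "accept" if req["action"] in allowed else "reject: not in ACL"

def demo():
    tv_remote, tablet = make_key(61, 53, 17), make_key(89, 97, 5)
    # ACL as a security console would define it: security ID -> permitted actions.
    acl = {security_id(tv_remote["n"], tv_remote["e"]): {"Play", "SetVolume"}}
    parent = cp_request(tv_remote, "Play", user="parent")
    child = cp_request(tv_remote, "Play", user="child")   # same CP, other user
    unknown = cp_request(tablet, "Play", user="guest")    # CP not in the ACL
    forged = dict(parent, sig=parent["sig"] + 1)          # altered signature
    return [cd_authorize(acl, r) for r in (parent, child, unknown, forged)]
```

The parent and child requests receive the same decision because the CD sees only the security ID of the shared CP.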
While a method for assigning IDs to users and managing passwords based on the IDs was also proposed, it is difficult to assign and manage IDs/passwords for individual users in the home network environment. Accordingly, there exists a need for a method for maintaining a minimum level of security while maximizing the convenience of security management.