DE102017222953A1 - ACCESSING A COMMUNICATION DEVICE TO A WIRELESS-CONFIRMED COMMUNICATION NETWORK - Google Patents

Abstract

The invention relates to a method for joining a communication point (10) to a wireless communication network, in which an immediate communication between the communication points (10) is enabled and the communication is encrypted using a network network key, wherein a network coordinator (12) to join the Communicating station (10) to the communication network, and wherein the communication station (10) stores an individual identification code (28) and a unique connection key (24) associated with the individual identification code (28), comprising: - placing the network coordinator (12) in a registration and accession mode, - generating an identification signal using the individual identification code (28), - transmitting the identification signal, - receiving the identification signal by the network coordinator (12), - determining the individual identification code (28), - Er - encrypting the network key using the connection key (24), - emitting an accession signal (50) containing the encrypted network key, - receiving the accession signal (50) by the communication station (10), and - determining of the network key from the join signal (50).

Description

The invention relates to a method for joining a communication point to a wireless communication network, in which a direct communication between the communication points is made possible and the communication is encrypted using a network-specific network key. The invention further relates to a system for a wireless communication network, in which a direct communication between the communication points is made possible and the communication is encrypted using a network-specific network key. Furthermore, the invention relates to a communication point and a network coordinator for the system. Finally, the invention also relates to a method for producing the communication station.

Wireless communications networks are well known in the art, so there is no need for a separate documentary evidence for this. In particular, meshed communication networks are known, also called mesh communication network, in which the communication stations can at least partially communicate directly with each other. In carrying out the communication, the network coordinator does not need to be involved. Of course, the network coordinator can of course also at least partially provide the functionality of a communication station.

Such a network may be provided, for example, according to a standard such as ZigBee®, which standard uses a standard, for example the IEEE 802.15.4. ZigBee® is a specification for a communications protocol used to create private wireless meshed communication networks, preferably based on near-field radio. In this case, a physical layer according to the OSI model and the data link layer according to the standard IEEE 802.15.4 configured.

A method for creating a meshed communication network based on ZigBee® is also called "commissioning". At the same time, communication stations (nodes) form the common meshed communication network. In order to maintain the confidentiality of the communication within the meshed communication network, it is provided that the communication is encrypted using a network key. For this purpose, a predetermined encryption method is used. Only communication stations that have the network key available can participate in the communication within the meshed communication network. The network key must therefore be distributed to all participating communication points that are to participate in the communication.

The network key can be secretly generated by a network coordinator, who can also take on the role of a "trust center", and then distributes the network key to all communication points that should belong to the meshed communication network or should join it.

The use of the network key to protect the communication of the communication points with each other and also with the network coordinator has proven to be basically correct. Nevertheless, it turns out to be problematic to distribute the network key to the communication points of the meshed communication network. For example, version 2.0 of the ZigBee® protocol provides that the network key is encrypted by means of a default trust center link key specified in this standard and then transmitted to the communication points. Since these default keys are publicly available, there is therefore the danger that the network key can be determined by recording the communication between the network coordinator and the communication stations. The communication network is then no longer secure.

An improvement in this regard is achieved by the ZigBee® protocol version 3.0, which is also called "install code based commissioning". Thereafter, a preconfigured individual connection key is stored in each communication point in their manufacture, which can be determined by means of a predetermined hash function of one of the communication point also assigned individual identification code (English: install code). These two data are generated individually for the respective communication point during manufacture and associated with this a communication point.

The individual identification code can be made available to a user of the communication center in the manner of a QR code, for example. At the point where the communication center is to join a given meshed communications network in accordance with the ZigBee® standard, the individual identification code must be retransformed to the uniquely assigned, preconfigured individual connection key using the specific hash function, for example, the QR code is scanned and a special smartphone app or the like is used. Finally, the must preconfigured individual connection keys are installed at the mesh coordinator of the meshed communication network to join the meshed communication network.

Although this can improve the security of the communication, especially with regard to the network key, there are still disadvantages. These are evident, for example, in terms of scalability and usability, especially in cases where installations or the communication network should comprise or comprise a very large number of communication points. Existing implementations may distribute the individual identification codes in the form of numerical labels, bar codes, QR codes or the like which must be read and manually or at least partially manually read by the network coordinator of the communication network, for example using a bar code reader or similar engineering scanning techniques. For a large number of communication points, however, this proves to be very costly, expensive and prone to errors. This may discourage users from using the secure method and instead prefer the unsafe procedure of the ZigBee® protocol version 2.0.

The invention has for its object to improve the usability of a secure method for operating a meshed communication network.

As a solution, the invention proposes a method, a system, a communication point, a network coordinator and also a production method for the communication point according to the independent claims.

Advantageous developments emerge by features of the dependent claims.

• - Versetzen des Netzwerkkoordinators in einen Anmelde- und Beitrittsmodus,
• - Erzeugen eines Identifikationssignals unter Nutzung des individuellen Identifikationscodes durch die Kommunikationsstelle,
• - Aussenden des Identifikationssignals durch die Kommunikationsstelle,
• - Empfangen des unter Nutzung des individuellen Identifikationscodes der Kommunikationsstelle erzeugten Identifikationssignals durch den Netzwerkkoordinator,
• - Ermitteln des individuellen Identifikationscodes der Kommunikationsstelle aus dem Identifikationssignal durch den Netzwerkkoordinator,
• - Ermitteln des zugeordneten, vorkonfigurierten individuellen Verbindungsschlüssels durch den Netzwerkkoordinator,
• - Verschlüsseln des Netzwerkschlüssels unter Nutzung des zugeordneten, vorkonfigurierten individuellen Verbindungsschlüssels,
• - Aussenden eines Beitrittssignals vom Netzwerkkoordinator an die Kommunikationsstelle, wobei das Beitrittssignal den unter Nutzung des zugeordneten, vorkonfigurierten individuellen Verbindungsschlüssels verschlüsselten Netzwerkschlüssel enthält,
• - Empfangen des Beitrittssignals durch die Kommunikationsstelle, und
• - Ermitteln des Netzwerkschlüssels aus dem Beitrittssignal unter Nutzung des vorkonfigurierten individuellen Verbindungsschlüssels in der Kommunikationsstelle.

In terms of the method, in particular, a method is proposed for joining a communication center to a wireless communication network, in which an immediate communication between the communication stations is enabled and the communication is encrypted using a network-specific network key, wherein a network coordinator controls the joining of the communication center to the communication network and wherein the Communication point stores an individual identification code and a preconfigured individual connection key uniquely assigned to the individual identification code, with:

• Putting the network coordinator in a login and join mode,
• Generating an identification signal using the individual identification code by the communication center,
• Sending the identification signal through the communication point,
• Receiving the identification signal generated using the individual identification code of the communication station by the network coordinator,
• Determining the individual identification code of the communication station from the identification signal by the network coordinator,
• Determining the assigned, preconfigured individual connection key by the network coordinator,
• Encrypting the network key using the associated preconfigured individual connection key,
• Sending an accession signal from the network coordinator to the communication station, the accession signal including the network key encrypted using the associated preconfigured individual connection key,
• Receiving the accession signal by the communication office, and
• Determining the network key from the accession signal using the preconfigured individual connection key in the communication station.

• - wenigstens zwei Kommunikationsstellen, die jeweils einen individuellen Identifikationscode und einen dem individuellen Identifikationscode eindeutig zugeordneten, vorkonfigurierten individuellen Verbindungsschlüssel speichern und ferner ausgebildet sind, ein Identifikationssignal unter Nutzung des individuellen Identifikationscodes zu erzeugen, das Identifikationssignal auszusenden, ein Beitrittssignal des Netzwerkkoordinators zu empfangen, und den Netzwerkschlüssel aus dem Beitrittssignal unter Nutzung des vorkonfigurierten individuellen Verbindungsschlüssels in der Kommunikationsstelle zu ermitteln, und
• - einem Netzwerkkoordinator, der ausgebildet ist, das Beitreten der Kommunikationsstelle zu dem Kommunikationsnetzwerk zu steuern, zu welchem Zweck der Netzwerkkoordinator ferner ausgebildet ist, in einen Anmelde- und Beitrittsmodus versetzt zu werden, das unter Nutzung des individuellen Identifikationscodes erzeugte Identifikationssignal der Kommunikationsstelle zu empfangen, aus dem Identifikationssignal den individuellen Identifikationscode der Kommunikationsstelle zu ermitteln, den zugeordneten, vorkonfigurierten individuellen Verbindungsschlüssel zu ermitteln, den Netzwerkschlüssel unter Nutzung des zugeordneten, vorkonfigurierten individuellen Verbindungsschlüssels zu verschlüsseln, und ein Beitrittssignal an die Kommunikationsstelle auszusenden, wobei das Beitrittssignal den unter Nutzung des zugeordneten, vorkonfigurierten individuellen Verbindungsschlüssels verschlüsselten Netzwerkschlüssel enthält.

With regard to the system, in particular, a system for a wireless communication network is proposed, in which an immediate communication between the communication stations is made possible and the communication is encrypted using a network-specific network key, with:

• at least two communication stations each storing an individual identification code and a preconfigured individual connection key uniquely associated with the individual identification code, and further configured to generate an identification signal using the individual identification code, to transmit the identification signal, to receive an admission signal of the network coordinator, and Determine network key from the accession signal using the preconfigured individual connection key in the communication station, and
• - a network coordinator configured to control the joining of the communication center to the communication network for which purpose the network coordinator is further adapted to be placed in a log on and join mode to receive the identification signal generated using the individual identification code of the communication station the identification signal to determine the individual identification code of the communication station, to determine the assigned, preconfigured individual connection key to encrypt the network key using the associated, preconfigured individual connection key, and to send an accession signal to the communication station, the accession signal using the associated, preconfigured individual connection key contains encrypted network key.

Furthermore, in particular, a communication station and a network coordinator are proposed according to the system of the invention.

Finally, in particular, a method for producing a communication point of the system according to the invention is proposed, wherein an individual identification code and an individual identification code uniquely assigned, preconfigured individual connection keys are generated, the individual identification code and the preconfigured individual connection key are stored in a memory unit of the communication station, and individual identification code and the preconfigured individual connection key are stored separately for a network coordinator for controlling accession of the communication station to a wireless communication network.

With the invention can be advantageously achieved that not so, as for example in the ZigBee® standard version 3.0, the communication points are manually integrated into the meshed communication network or join this, but the invention allows to do this automatically and at the same time to ensure a high level of safety. The invention achieves this by virtue of the fact that the network key required for communication within the communication network no longer needs to be transmitted to the respective joining communication station by means of a publicly known key, but rather a secret individual key of the communication station is used for this purpose. which is also preferably secretly made available to the network coordinator. This provides the network coordinator with a key which is not the network key but which is known to the acceding communication station, preferably only that individual communication station and the network coordinator, so that by means of this one key the network key of the communication network is secured and transmitted to the acceding communication station can be. This key is the preconfigured individual connection key uniquely assigned to the individual identification code.

The network key is required so that the communication points of the meshed communication network can communicate with each other in a secure manner. It is therefore desirable that the network key outside of the meshed communications network remain as secret as possible. This can be achieved with the invention.

In order for the invention to be realized, it is preferably already provided in the production of the communication station that the assigned, preconfigured individual connection key is generated in addition to the individual identification code. This data pair is stored on the one hand protected in the communication station, so that it is preferably not possible to read the associated preconfigured individual connection key from the communication center can. At the same time, the network coordinator data pair is stored in a secure location that allows the network coordinator to access the associated preconfigured individual connection key when needed. This may be internal and / or external with respect to the network coordinator.

Due to the fact that the communication station transmits its individual identification code to the network coordinator for joining, the latter can use the transmitted individual identification code to determine the assigned, preconfigured individual connection key and to use this to encrypt the network key. It is thus possible with the invention to provide an individually encrypted communication link between the joining communication station and the network coordinator. As a result, the network key can be transmitted securely from the network coordinator to the accessing communication station via this communication connection, which can preferably be read by no other location. As soon as the communication site-individually encrypted network key is available at the communication point, the communication center can use the preconfigured individual connection key stored in its memory unit decrypt and participate in the communication of the meshed communication network in a predetermined manner.

While the invention is particularly suited to further develop the ZigBee® standard to allow secure joining of communication sites to a meshed communication network of this standard, the invention is of course not limited thereto and, of course, may be useful in other communications protocols as well ,

The invention therefore makes it possible, without much additional effort, to enable a highly secure access of communication points to a meshed communication network.

The invention uses in particular in relation to the ZigBee® standard in version 3.0 the fact that the individual identification code, also called install code here, as well as the associated, preconfigured individual connection key, also called pre-configured link key here, already are available when establishing a communication point. Unlike the aforementioned standard, however, in the invention, the data pair for the network coordinator is automatically made available in a protected manner so that manual operation can be largely eliminated. The invention is therefore particularly suitable for the creation of extensive meshed communication networks, in which a variety of communication points are to join automatically. Overall, it is thus possible to simplify the creation or setup of meshed communication networks with high security considerably. In addition, the fact that manual activities can be omitted, the reliability or an error rate can be reduced beyond.

The wireless mesh communication network is preferably radio-based. However, it may also use another medium for data transmission, for example light, in particular infrared light, ultraviolet light, combinations thereof and / or the like. In addition, of course, sound can be used as a medium for communication, such as ultrasound, infrasound and / or the like. Preferably, the meshed communication network is based on the IEEE 802.15.4 standard. This allows long periods of silence to be provided between individual communications, whereby a communication station, called a node in this case, can operate a large part of the operating time in an energy-saving operating state. Only when data is to be transmitted or received, the communication center in a short time, for example, about 15 ms, change to the active operating state, perform the required communication and then, preferably automatically switch back to the energy-saving operating state. As a result, very long operating times can be achieved without the need for maintenance, especially in the case of battery-operated communication stations.

ZigBee® is a specification or standard that addresses wireless data networks, such as home automation, sensor networks, lighting, or the like. One focus of ZigBee® is, for example, in short-range networks, in particular near-field radio, whose range is in a range up to about 100 m, but preferably up to about 10 m. Of course, larger ranges can be provided, for example, of one or more kilometers or the like. The ZigBee® standard extends the IEEE 802.15.4 standard with a network and application layer.

By encrypting, it is meant that readable data, such as digital data or the like, is converted into data by a method which uses, for example, a mathematical mapping, which makes it more difficult to determine the information contained in the data. The reverse process is called decrypting. The key corresponds to a specific record used to perform the encryption and / or decryption. The key is usually secret and known only to the recipient of the data as well as the sender of the data. In this sense, the network key means a key that is known to all communication stations as well as the network coordinator so that they can communicate with each other in encrypted form.

Data within the meaning of the invention are, in particular, digital data which can be structured or coded in various ways. The data may be, for example, in the context of block coding or the like. The identification code is formed by data, which may be formed by a string or the like, for example, and which are individual to each communication site. This provides an individual identification code for each communication station. Preferably, the individual identification code is formed by digital data. Thus, data may basically be formed by alphanumeric characters, which are preferably available electronically in digital, in particular binary form.

Both the communication station and the network coordinator can each have a control unit which is designed to be able to realize the respective functionality. For this purpose, the control unit may be formed by an electronic hardware circuit, for example using integrated circuits, in particular hardware chips, or the like. The control unit may moreover also comprise a program-controlled computer unit which at least partially realizes the functionality of the control unit. For this purpose, the control unit may comprise a memory unit in which the computer program required for this purpose is stored.

Basically, the network coordinator can also provide a communication point. However, it may also be a separate device dedicated solely to controlling communication within the meshed communication network, particularly with regard to joining a new communication point.

It is further proposed that the communication station send out a beacon request signal and, in response, receive a beacon signal from the network coordinator. This can signal to the network coordinator that a new communication point is in communication range, which is to join the meshed communication network. The network coordinator may for this purpose comprise a transmitting device which is at least adapted to transmit a specific signal wirelessly, for example in the manner of broadcasting. Preferably, this transmitting device is designed to emit the radio signal in the manner of near-field radio. Such a transmitting device is also referred to in the art as a "beacon".

So-called beacons can provide information with transmitted data by means of their radio signal. The beacon technology is based on a transmitter system or on a transmitter-receiver system. A beacon (too beacon beacon, beacon or the like) is a small transmitter, which emits a signal, in particular a radio signal. The radio signal of a beacon may be distinguished by identification data, which may comprise, for example, a unique identification number, for example universally unic identifier (UUID). Beacons can be used to associate objects and / or locations with one, in particular digital, identification. Objects where a beacon is installed, as well as places where a beacon is installed, for example, on a wall or a ceiling, can thus be identified by the communication points in the signal field of the beacon.

However, for this purpose, the network coordinator must first be placed in a logon and join mode. This can be realized by different measures, as will be explained below. Only when the network coordinator is in logon and join mode can a new communication station join the new communication network. Only in this state will the network coordinator then send out a beacon signal upon the transmission of the beacon request signal by the communication station so that the communication station can receive it. If the communication station does not receive a beacon signal, provision may be made for the transmission of a beacon request signal to be repeated as required or for the communication station to enter a standby mode in which as little energy as possible is consumed. The communication office can then not join the meshed communication network. The meshed communication network is thereby protected against unauthorized access by communication points.

The sending of the beacon request signal can be done, for example, due to a manual input at the communication point. The manual input can be carried out, for example, by actuating a corresponding switch. In addition, of course, it can also be provided that the communication point must be moved in a predeterminable manner in order to be able to send out the beacon request signal.

Alternatively or additionally, it can also be provided that the transmission of the beacon request signal by the communication station is automated due to switching on the power supply of the communication point. Thus, for example, upon activation of the communication point, for example when connected to the power supply or the like, the sending of the beacon request signal can be initiated automatically. As a result, further manual intervention is not required.

In addition, provision may be made for an accession request signal to be transmitted instead of or in addition to the transmission of the identification signal. This allows the communication station to signal the network coordinator that it wishes to join the meshed communication network. The network coordinator may then decide whether to enter logon and join mode, in addition to the join request signal. In addition, the decision may be further Conditions to ensure the security of the meshed communication network. Of course, it may also be provided that the network coordinator, who is placed in the logon and join mode, first responds to the join request signal of the communication office and then provides the functionality to join the communication office.

In addition, it can be provided that, before receiving an accession signal from the network coordinator, a membership reply signal of the network coordinator is received by the communication center. This has the advantage that the communication center only needs to transmit its individual identification code when the network coordinator is ready to join the communication office. An unnecessary transmission of energy-consuming signals can thereby be reduced.

It may further be provided that the network coordinator receives the identification signal of the communication point and determines from the identification signal the individual identification code of the communication point. The identification code does not need to be transmitted encrypted from the communication point to the network coordinator for this purpose. The identification code as such is initially worthless for third parties, since the identification code of the communication center is not used for encryption. Rather, the network coordinator uses the individual identification code of the communication station to determine the assigned, preconfigured individual connection key, which is preferably likewise kept secret in the present method. The assigned, preconfigured individual connection key of the communication center can be present in the network coordinator in a specially protected file or can be called up externally, preferably via a secure communication connection from a central office.

At this point, for example, additional security measures may be provided, so that for an individual identification code of the associated, preconfigured individual connection key is transmitted only in a limited number, preferably only once to a corresponding network coordinator. The network coordinator can also provide that the assigned, preconfigured individual connection key is used only once. Moreover, it is of course possible to provide a limited additional number of uses, for example, if the accession of the communication office for other technical reasons has failed and must be repeated or the like. Overall, this can be further improved safety.

The network coordinator or its control unit can then encrypt the network key by means of a suitable predetermined encryption method by means of the preconfigured individual connection key assigned to the individual identification code. The network coordinator then generates a join signal which is sent out to the communication site, the join signal containing the network key encrypted using the associated preconfigured individual connection key. In this way, the network key can be secretly transmitted to the communication office.

The communication station receives the accession signal and determines therefrom by means of the present at her preconfigured individual connection key the network key. The communication center is now able to participate in the communication in the meshed communication network.

The network coordinator may determine the associated preconfigured individual connection key from the communication center's individual identification code using a hash function, such as specified in the version 3.0 ZigBee® Install Code based commissioning procedure, for example , The assigned, preconfigured individual connection key can be stored, for example, on the network coordinator side, specifically assigned to the individual identification code of the communication station.

It can be provided that before the identification of the individual identification code by the network coordinator a Beitrittserwiderungssignal is sent to the communication center, in particular if the communication station has sent out a Beitrittsanforderungssignal that has been received by the network coordinator. Thereby, the functionality of the access of the communication station to the meshed communication network can be better controlled.

In addition, it can be provided that the network coordinator receives a beacon request signal of the communication station and - in response - emits a beacon signal. As a result, the entities involved can be shown which facilities are available. The network coordinator then knows that a communication point that has not yet joined is in communication range and the communication point knows that a network coordinator is in communication range. This can further improve the process of joining.

In order to further improve the security and / or to further flexibilize the invention, it can additionally be provided that the network coordinator establishes a preferably secured, communication connection to a control center for determining the assigned, preconfigured individual connection key, in which the individual identification code and the individual Identification code uniquely assigned, preconfigured individual connection keys are stored, the individual identification code transmitted to the control panel and the center of the individual identification code uniquely assigned, preconfigured individual connection key transmitted to the network coordinator. As a result, the preconfigured individual connection keys for the communication station do not need to be kept internally available in the network coordinator. This could be an obstacle especially for existing meshed communication networks where the network coordinator has limited storage capacities and can not store the individual connection keys preconfigured for the plurality of possible communication points.

In addition, this can be realized in a particularly simple manner an update, especially in relation to newly established communication points that are to be subsequently incorporated into an existing meshed communication network or join this. As a secure communication connection, for example, an SSL-encrypted communication connection can be provided, as it is also used, for example, for communication on the Internet or the like. For example, the center may be cloud-based and may include one or more storage units within a communication network that may be accessed by the network coordinator via a preferably secured communication link.

The center is also preferably secured, in such a way that only the manufacturers of the communication centers in addition to the network coordinators can access the center, namely there to be able to store the data pairs of individual identification codes and the respectively assigned, preconfigured individual connection keys. It can only be provided in this regard, a write function, so that unauthorized third parties from the headquarters can read out any data.

It is also suggested that the network coordinator be put into logon and join mode due to a manual input to the network coordinator. The manual input can be done, for example, by manually pressing a switch on the network coordinator. Alternatively or additionally, provision can also be made for the network coordinator to be put into the logon and accession mode automatically on the basis of switching on a power supply of the network coordinator. In this case, manual operation may be unnecessary.

It is also proposed that a hash function be used to determine the assigned preconfigured individual connection key. In this way, the determination of the preconfigured individual connection key can be further simplified or improved.

Further advantages and features can be found in the following description of exemplary embodiments. In the figures, like reference numerals designate like features and functions.

• 1 eine schematische Blockdarstellung, welches das Beitreten einer Kommunikationsstelle zu einem Mesh-Kommunikationsnetzwerk gemäß dem ZigBee-Standard in der Version 2.0 darstellt,
• 2 eine schematische Blockdarstellung wie 1, wobei hier jedoch der ZigBee-Standard in der Version 3.0 zugrundeliegt,
• 3 eine schematische Blockdarstellung zur Herstellung von Kommunikationsstellen für ein Mesh-Kommunikationsnetzwerk gemäß der Erfindung,
• 4-8 schematische Blockdarstellungen in Bezug auf das Erstellen meines Mesh-Kommunikationsnetzwerks gemäß der Erfindung,
• 9-13 schematische Blockdarstellungen in Bezug auf das Beitreten einer weiteren Kommunikationsstelle zu einem bereits bestehenden Mesh-Kommunikationsnetzwerk, wie es in Bezug auf die 4 bis 8 bereits erläutert wurde,
• 14,15 schematische Darstellungen für Softwareanpassungen zur Realisierung der Erfindung bei einem ZigBee-Standard.

Show it:

• 1 3 is a schematic block diagram illustrating the joining of a communication station to a mesh communication network according to the ZigBee standard in version 2.0;
• 2 a schematic block diagram like 1 , which is based on the ZigBee standard version 3.0,
• 3 1 is a schematic block diagram for the production of communication points for a mesh communication network according to the invention,
• 4-8 schematic block diagrams relating to the creation of my mesh communication network according to the invention,
• 9-13 schematic block diagrams relating to the joining of another communication point to an already existing mesh communication network as described in relation to FIG 4 to 8th has already been explained
• 14 . 15 schematic representations for software adjustments to implement the invention in a ZigBee standard.

1 shows in a schematic block diagram the provision of a network key for a mesh communication network according to the standard ZigBee® version 2.0. A network coordinator 12 , also called Trust Center, controls the accession of communication centers like the communication agencies 10 to join the mesh communication network.

For this purpose, sends each of the communication points 10 a request signal 14 for the network key to the network coordinator 12 , The network coordinator then sends 12 the network key by means of an accession signal 16 to the communication offices 10 , The network key is encrypted using a key published in this standard. For example, the standard provides for 16 different keys for encrypting the network key to transmit the join signal 16 can be used. Since these keys are publicly known by the standard, transmitting the accession signal may 16 cause it to be recorded or intercepted and decrypted using the familiar key already published in the standard. Thus, the network key of the mesh communication network is available to unauthorized third parties who can intervene illegally in the communication of the mesh communication network.

The communication office 10 itself may be, for example, a sensor, an actuator, a manually operable switch, combinations thereof, and / or the like. The communication office 10 as well as the network coordinator 12 each have transmit-receive units, which are designed in this case for near-field radio. Of course, these transceiver units can also be designed otherwise, for example for the use of the medium sound, light or the like.

2 shows an improvement with respect to the problem, which is based on 1 this improvement was based on the standard ZigBee® in the version 3.0 based. After that, before the production of the communication points 10 Install codes generated, for example, like a QR code for joining the communication office 10 provided to the mesh communication network. 2 shows this in a corresponding block diagram.

During the production of each of the communication points 10 becomes the respective Install Code in the communication point 10 saved. The Install Code becomes a unique, preconfigured, individual connection key 24 using a Matyas-Meyer-Oseas hash function 36 determined and also in the communication office 10 saved.

Thus the communication office 10 join the mesh communication network, the preconfigured individual connection key associated with the install code becomes 24 at the network coordinator 12 in one step 18 Installed. This can be done, for example, by having the install code as a QR code with the network coordinator 12 is entered, for example by means of a scanner or the like. The network coordinator 12 then performs the Matyas-Meyer-Oseas hash function 36 from this the associated, preconfigured individual connection key 24 to investigate.

The accession of the communication office 10 to the mesh communication network is done basically as already for 1 However, unlike the 1 the accession signal 16 contains the network key, by means of the preconfigured individual connection key uniquely assigned to the individual identification code, here in the Install Code 24 is encrypted.

Communication site side is the preconfigured individual connection key 24 also before and can decrypt the accession signal 16 be used so that the network key in the communication point 10 is available. Although this method makes it difficult to identify the network key for unauthorized third parties, there are deficiencies in handling, especially in mesh communication networks with a variety of communication points 10 , The manual effort is significant here.

3 now shows a block diagram for a manufacturing process for establishing communication points 10 in the sense of the invention. Out 3 it can be seen that in one step 30 , here exemplary for three communication points 10 , first individual identification codes 28 (EUI 64 1 , EUI 64 2 , EUI 64 3 ), which are individually Install Codes 22 INCD 1 , INCD 2 , INCD 3 , assigned. The individual identification codes 28 are in the respectively assigned communication points 10 stored in a secure storage unit, not shown.

Using the Matyas-Meyer-Oseas hash function 36 are from the respective install codes 22 the according to the individual identification codes 28 uniquely assigned, preconfigured individual connection keys 24 determined and in the step 38 also in the memory unit of the respective communication point 10 saved. In the communication offices 10 is thus the respective individual identification code 28 and the associated, preconfigured individual connection key 24 (PCLK 1 , PCLK 2 , PCLK 3 ) saved.

In addition, in one step 32 the data pairs of the individual identification codes 28 and the install codes 22 in a secured headquarters 26 saved. Thus, the manufacturing process for the communication points 10 essentially completed.

The creation of a mesh communication network based on the ZigBee standard using the invention will now be described. First, the network coordinator 12 entered a login and join mode. In the present case, this is done by activating a power supply.

The communication points 10 In the present case, each first send a beacon request signal 40 out. The beacon request signals 40 be from the network coordinator 12 receive. This then sends corresponding beacon signals 42 from, by the respective communication offices 10 are received as in the schematic block diagram in 4 shown.

As is apparent from the schematic block diagram according to 5 is apparent, then done by each of the communication centers 10 a transmission of their respective individual identification code 28 together with a membership request signal 44 , The network coordinator 12 receives the from the communication offices 10 emitted signals and stores the individual identification codes 28 , The network coordinator 12 then sends out respective membership reply signals received from the respective communication stations 10 be received.

The network coordinator 12 now occurs via a secure communication connection 48 with the central office 26 in communication connection. He transmits to the central office 26 the individual identification codes 28 and receives in response from the central office 26 the individual identification codes 28 clearly to ordered install codes 22 , These are called respective data pairs in the network coordinator 12 saved ( 6 ).

From the in 7 shown in schematic block diagram is that in a next step in the network coordinator 12 from the install codes 22 using the Matyas-Meyer-Oseas hash function 36 the corresponding assigned, preconfigured individual connection keys 24 for each of the communication offices 10 be determined. These are combined as data pairs with the respective individual identification codes 28 saved.

8th shows another schematic block diagram in which the network coordinator 12 using the respective preconfigured individual connection keys 24 the network key of the mesh communication network is encrypted and by means of respective accession signals 50 to the respective communication offices 10 sending out. The communication points 10 receive the accession signals assigned to them 50 where the accession signals 50 that are not assigned to them, go unnoticed.

The respectively assigned accession signals 50 be with each in the respective communication centers 10 existing preconfigured individual connection keys 24 decrypts, so the network key in each of the communication points 10 is available. Thus, the mesh communication network can now start operation and carry out encrypted communication by means of the network key.

A subsequent joining to an existing, mesh communication network can be realized in this way, as in the following starting on the basis of the schematically in 9 illustrated block diagram will be explained. In 9 a mesh communication network is shown, as indicated by the installation at the end of FIG 8th results. In this existing mesh communication network is now another communication point 60 or should join this mesh communication network. The communication office 60 also stores an individual identification code 28 (EUI 64 4 ) as well as a uniquely assigned, preconfigured individual connection key 24 (PCLK 4 ). This data pair is also in the control center 26 saved.

From the schematic block diagrams according to 10 it turns out that the network coordinator 12 will first be put into login and join mode. This is done here by a manual operation of a switch. A deactivation and renewed activation of a power supply would not be expedient here because the current operation of the mesh communication network could be disturbed by this. Alternatively, of course, other possibilities can be realized here.

Out 10 it can be seen that the communication point 60 a beacon request signal 40 sends out that from the network coordinator 12 Will be received. The sending of the beacon request signal 40 takes place in that at the communication office 60 a power supply is activated, for example by a battery is inserted into a designated receptacle that the communication point 60 supplied with electrical energy.

The network coordinator 12 responds to the beacon request signal 40 with the sending of the beacon signal 42 , From the schematic block diagram according to 11 is then apparent that after receiving the beacon signal 42 the communication point 60 their individual identification code 28 together by means of a membership request signal 44 to the network coordinator 12 transmitted. The network coordinator 12 then sends a membership reply signal 46 to the communication office 60 out.

According to the schematic block diagram of 12 then determines the network coordinator 12 as already explained for the preceding figures, the uniquely assigned, preconfigured individual connection key 24 for the communication office 60 , For this purpose, he obtains the corresponding Install Code 22 from the central office 26 via the secure communication connection 48 , from which - as already explained above - by means of the Matyas-Meyer-Oseas hash function 36 the uniquely assigned, preconfigured individual connection key 24 is determined.

According to the schematic block diagram of 13 Encrypted by the network coordinator 12 then the network key by means of the communication office 60 associated preconfigured individual connection key 24 and sends a corresponding admission signal 50 to the communication office 60 out.

The communication office 60 receives the admission signal 50 and decrypts the network key using the preconfigured individual connection key stored in it 24 , Thus the network key is in the communication point 60 available and the communication point 60 can participate in the communication of the mesh communication network.

It is therefore no longer necessary in the invention, the individual communication points 10 . 60 at the network coordinator 12 log in manually. This can be done automatically, while at the same time a high degree of security with respect to the network key can be achieved. Those in the prior art, especially in relation to the standard ZigBee in the version 2.0 , occurring problems can be avoided.

The 14 and 15 show by way of example schematically changes to existing software for the standard ZigBee to realize the invention. This is shown only schematically. In 14 delivers at one point 62 the acceding communications office their EUI 64 Address to the trust center or the network coordinator 12 , At one point 64 in 15 uses the Trust Center or the Network Coordinator 12 the preconfigured individual connection key 24 instead of the default trust center link key.

The exemplary embodiments serve exclusively to explain the invention and are not intended to limit this. In particular, the invention is of course not limited to use with a ZigBee standard, but instead may be used with any other mesh communication network.

LIST OF REFERENCE NUMBERS

10

communication office

12

Network Coordinator

14

request signal

16

candidate signal

18

step

22

Install Code

24

Join key

26

headquarters

28

identification code

30

step

32

step

36

hash function

38

step

40

Beacon request signal

42

Beacon

44

Join request signal

46

Accession response signal

48

communication link

50

candidate signal

60

communication office

62

location

64

location

Claims (14)

A method for joining a communication station (10) to a wireless communication network, in which an immediate communication between the communication points (10) is enabled and the communication is encrypted using a network-specific network key, wherein a network coordinator (12) to join the communication point (10) to the communication network and wherein the communication station (10) stores an individual identification code (28) and a preconfigured individual connection key (24) uniquely associated with the individual identification code (28), comprising: - Placing the network coordinator (12) in a log-on and access mode, - generating an identification signal using the individual identification code (28) by the communication station (10), - sending the identification signal by the communication station (10), - receiving the using the individual Identification codes (28) of the communication station (10) generated by the network coordinator (12), - Determining the individual identification code (28) of the communication station (10) from the identification signal by the network coordinator (12), - Determining the associated, preconfigured individual connection key ( 24) by the network coordinator (12), - encrypting the network key using the associated preconfigured individual connection key (24), - sending an accession signal (50) from the network coordinator (12) to the communication station (10), the accession sign al (50) includes the network key encrypted using the associated preconfigured individual connection key (24), receiving the accession signal (50) by the communication station (10), and determining the network key from the accession signal (50) using the preconfigured individual Connection key (24) in the communication point (10). Method according to Claim 1 Characterized by: - transmitting a beacon request signal (40) by the communication station (10) by the communication station (10), - receiving the beacon request signal (40) of the communication station (10) by the network coordinator (12), - emitting a Beacon signal (42) to the communication point (10) by the network coordinator (12). and - receiving the beacon signal (42) of the network coordinator (12) by the communication station (10). Method according to Claim 2 , characterized in that the transmission of the beacon request signal (40) by the communication station (10) due to a manual input at the communication point (10). Method according to Claim 2 or 3 , characterized in that the emission of the beacon request signal (40) by the communication station (10) due to switching on a power supply of the communication point (10) is carried out automatically. Method according to one of the preceding claims, characterized in that instead of or in addition to the transmission of the identification signal by the communication station (10) an accession request signal (44) from the communication station (10) is transmitted. Method according to Claim 5 characterized in that the network coordinator (12) receives the admission request signal (44) and then sends out a membership reply signal (46) to the communication station (10). Method according to one of the preceding claims, characterized in that, characterized in that the network coordinator (12) for determining the assigned, preconfigured individual connection key (24) establishes a, preferably secured, communication connection (48) to a control center (26) the individual identification code (28) and the individual identification code (28) uniquely assigned, preconfigured individual connection key (24) are stored, the individual identification code (28) transmitted to the center (26) and the control center (26) the individual identification code (28) uniquely assigned, preconfigured individual connection key (24) to the network coordinator (12). Method according to one of the preceding claims, characterized in that the assignment of the network coordinator (12) in the login and accession mode due to a manual input to the network coordinator (12). Method according to one of the preceding claims, characterized in that, characterized in that the setting of the network coordinator (12) in the logon and Beitrittsmodus due to switching on a power supply of the network coordinator (12) takes place automatically. Method according to one of the preceding claims, characterized in that a hash function (36) is used to determine the assigned, preconfigured individual connection key (24). A wireless communication network system in which direct communication between the communication sites (10) is enabled and the communication is encrypted using a network-specific network key, comprising: - at least two communication sites (10), each having an individual identification code (28) and a the unique identification code (28) uniquely assigned, preconfigured store individual connection keys (24) and are further configured to generate an identification signal using the individual identification code (28), to transmit the identification signal, to receive a subscription signal (50) from the network coordinator (12), and to retrieve the network key from the subscription signal (50) using the preconfigured individual connection key (24) in the communication station (10), and - a network coordinator (12) arranged to control the joining of the communication station (10) to the communication network, for what purpose the network coordinator (12 ) is further configured to be placed in a login and accession mode, to receive the identification signal of the communication station (10) generated using the individual identification code (28), to determine from the identification signal the individual identification code (28) of the communication station (10) The added to identify the preconfigured individual connection key (24), to encrypt the network key using the associated preconfigured individual connection key (24), and to send an accession signal (50) to the communication station (10), the accession signal (50) using of the associated preconfigured individual connection key (24) contains encrypted network keys. Communication point (10) of the system after Claim 11 , Method for establishing a communication point (10) according to Claim 12 in which - an individual identification code (28) and a preconfigured individual connection key (24) uniquely assigned to the individual identification code are generated, - the individual identification code (28) and the preconfigured individual connection key (24) are stored in a memory unit of the communication station (10) and - the individual identification code (28) and preconfigured individual connection key (24) are separately stored for a network coordinator (12) for controlling accession of the communication station (10) to a wireless mesh communication network. Network coordinator (12) of the system Claim 11 ,

Images