Abstract: A GM acquires a first certificate revocation list designating revoked public key certificates and distributed from a certificate authority server. The GM generates a second certificate revocation list produced by extracting information on a plurality of home electric appliances from the first certificate revocation list. The GM restricts communication with a device for which the public key certificate is revoked, by distributing the second certificate revocation list generated to the plurality of home electric appliances.

Abstract: In an authentication method, a first controller generates a first group key, executes first mutual authentication with devices within a group, and shares the first group key with devices that have succeeded in the first mutual authentication. When a second controller joins the group, the first controller decides which coordinator manages a group key used in common. The first controller executes second mutual authentication with the coordinator, and shares the first group key with the coordinator when the second mutual authentication is successful. The coordinator performs encrypted communication within the group using the first group key, generates a second group key when the first group key valid time runs out and before updating the first group key, executes third mutual authentication with the devices and a third controller, and updates the first group key of the devices and the third controller that have succeeded in the third authentication.

Abstract: A HEMS controller receives, from each of a plurality of devices requesting registration in a HEMS, an electronic certificate of the device in a continuous registration mode in which a plurality of devices can be continuously registered in the HEMS. The HEMS controller 14 determines whether or not to permit registration in the HEMS for each device based on an attribute indicated by the electronic certificate of each of the plurality of devices.

Abstract: A first controller generates a first group key, executes first mutual authentication with devices within a group, and shares the first group key with the devices that have succeeded in first mutual authentication. When a second controller joins the group, the first controller decides a coordinator that manages a group key used in common in the group. The first controller executes second mutual authentication with the coordinator, and shares the first group key with the coordinator when the second mutual authentication is successful. The coordinator performs encrypted communication within the group using the first group key, generates a second group key when valid time of the first group key is equal to or smaller than a predetermined value, executes third mutual authentication with the devices and a third controller, and updates the first group key of the devices and the third controller that have succeeded in the third authentication.

Abstract: An authentication method for a group of devices connected to a network includes selecting the first controller as a coordinator, the coordinator being configured to manage a group key to be used in common in the group. The method includes generating the group key, and performing first mutual authentication and second mutual authentication. The method also includes sharing the group key with each device for which the first mutual authentication has been successful, and sharing the group key with each second controller for which the second mutual authentication has been successful. The method further includes encrypting transmission data by using the group key to generate encrypted data, generating, authentication data by using the group key, and simultaneously broadcasting a message to each device for which the first mutual authentication has been successful and each second controller for which the second mutual authentication has been successful.

Abstract: An HEMS controller receives a certificate revocation list distributed from a certificate authority server and listing serial numbers of revoked electronic certificates. The serial number of the electronic certificate includes a first identifying part that indicates a value for identifying a type of a participation node maintaining the electronic certificate and a second identifying part that indicates a value for identifying an individual participation node. In the case the certificate revocation list includes a serial number in which the second identifying part is a predetermined value, the HEMS controller determines that the electronic certificate of a participation node that meets the type indicated by the first identifying part of the serial number is invalid.

Abstract: A controller and a device generate a shared key by performing mutual authentication using a public key certificate of the controller and a public key certificate of the device. The controller and the device set an expiry for the shared key to one of the expiry of the public key certificate of the controller and the expiry of the public key certificate of the device. The controller and the device perform the mutual authentication using neither the public key certificate of the controller nor the public key certificate of the device, but the shared key, if the expiry set for the shared key has not passed.

Abstract: A new controller (supporting device authentication) is a controller which performs encrypted communication with a device which has succeeded in mutual authentication using an electronic certificate, and the controller includes: a determining unit that determines whether or not a communication target device with which communication is to be performed is an authentication support device that supports the mutual authentication; a functional restriction unit that, when the communication target device is determined not to be the authentication support device by the determining unit, imposes a functional restriction on one or more functions of the communication target device which are operable by the new controller (supporting device authentication); and a communication unit which performs communication in plain text with the communication target device with the functional restriction imposed by the functional restriction unit.

Abstract: A communication system, including: a NW management device which (i) forms a network together with an authenticated target device, and (ii) manages the network by delivering a session key for use in communication in the network to the authenticated target device; and a device authenticated by the NW management device, wherein the NW management device: determines whether or not to permit the device to be an alternative management device which manages the network in replace of the NW management device when communication is impossible in the network; shares, with the device, authentication information about the authenticated target device, when permitting the device to be the alternative management device; and the device shares the authentication information with the NW management device, and starts managing the network using the authentication information as the alternative management device when determining that the NW management device cannot communicate in the network.

Abstract: A first controller generates a first group key, executes first mutual authentication with devices within a group, and shares a first group key with devices that have succeeded in authentication. At least one controller within the group decides a coordinator that manages a group key used in common in the group, from controllers including a second controller newly joined in the group. The first controller executes second mutual authentication with the coordinator, and shares the first group key with the coordinator. The coordinator performs encrypted communication within the group using the first group key. The coordinator generates a second group key when valid time of the first group key is equal to or smaller than a predetermined value, executes third mutual authentication with the devices and controllers within the group, and updates the group key of the devices and controllers that have succeeded in authentication to the second group key.

Abstract: At least one controller in a group selects a coordinator that manages a group key to be used in common in the group from among controllers in the group in accordance with an attribute of the controllers. The selected coordinator generates a group key, performs mutual authentication with devices and the controllers in the group, and shares the generated group key with devices and controllers that have been successfully authenticated. The coordinator then generates encrypted data and authentication data by using the group key and simultaneously broadcasts a message including the encrypted data and the authentication data.

Abstract: An address setting method of a wireless communication system includes the steps of generating an address by each of a HEMS controller and a HEMS terminal based on an address prefix included in a router advertisement of a smart meter, and setting, by the HEMS terminal, a route of a packet sent to a HEMS server to a route by way of the HEMS controller. The HEMS controller performs NAT setting by replacing an address prefix of a source address of the packet sent to the HEMS server with an address prefix of the HEMS controller.

Abstract: An edge router 12 sends a router advertisement to wireless terminals 11 to notify the wireless terminals 11 of the hop limit. Each wireless terminals 11 stores the notified hop limit in the hop limit field of an IPv6 packet. The edge router 12 stores the maximum number of hops in the user's home system 1 and the maximum number of hops in the IP network NW. When receiving a communication packet sent from the user's home system 1 to the IP network NW, the edge router 12 sets the hop limit in the communication packet to the maximum number of hops in the IP network NW. When receiving a communication packet sent from the IP network NW to the user's home system 1, the edge router 12 sets the hop limit in the communication packet to the maximum number of hops in the user's home system 1.

Abstract: A communication control apparatus (1) is connected to a router (6) and a terminal device (4), and upon receiving prefix information transmitted from the router (6) by a router advertisement, stores the prefix information. In a case where prefix information of a transmission source address or a destination address, which is included in the received communication packet, is different from the stored prefix information, the communication control apparatus (1) blocks the communication packet, and in a case where the prefix information of the transmission source address or the destination address, which is included in the received communication packet, is the stored prefix information, the communication control apparatus (1) allows passing of the communication packet. In such a way, an unauthorized communication packet can be blocked appropriately under an IPv6 network environment.

Abstract: An edge router 12 sends a router advertisement to wireless terminals 11 to notify the wireless terminals 11 of the hop limit. Each wireless terminals 11 stores the notified hop limit in the hop limit field of an IPv6 packet. The edge router 12 stores the maximum number of hops in the user's home system 1 and the maximum number of hops in the IP network NW. When receiving a communication packet sent from the user's home system 1 to the IP network NW, the edge router 12 sets the hop limit in the communication packet to the maximum number of hops in the IP network NW. When receiving a communication packet sent from the IP network NW to the user's home system 1, the edge router 12 sets the hop limit in the communication packet to the maximum number of hops in the user's home system 1.

Abstract: A communication control apparatus (1) is connected to a router (6) and a terminal device (4), and upon receiving prefix information transmitted from the router (6) by a router advertisement, stores the prefix information. In a case where prefix information of a transmission source address or a destination address, which is included in the received communication packet, is different from the stored prefix information, the communication control apparatus (1) blocks the communication packet, and in a case where the prefix information of the transmission source address or the destination address, which is included in the received communication packet, is the stored prefix information, the communication control apparatus (1) allows passing of the communication packet. In such a way, an unauthorized communication packet can be blocked appropriately under an IPv6 network environment.