JP2022164458A - Communication device and computer program for communication device - Google Patents

Abstract

To provide a technique to prevent an access point not supporting a predetermined system from being mistakenly selected.SOLUTION: In a situation in which two or more access points are present around a communication device, the communication device receives signals from the two or more access points. The two or more access points include a first access point supporting a predetermined system and a second access point not supporting the predetermined system. The communication device comprises a first display control unit that, when the signals are received from the two or more access points, displays, on a display, a first selection screen for selecting one access point from the two or more access points, and on the first selection screen, information indicating the first access point is displayed preferentially over information indicating the second access point.SELECTED DRAWING: Figure 6

Description

This specification discloses a communication device that displays a selection screen for selecting an access point.

As shown in Non-Patent Document 1, the Wi-Fi Alliance (registered trademark) established WPA3, which is a new communication standard in the Wi-Fi standard. WPA3 Enterprise provides a 192-bit option as a next-generation security protocol. Also, other security protocols may be provided in communication standards other than WPA3.

JP 2016-019085 A JP 2016-208448 A JP 2019-106610 A

"WPA3 Specification Version 3.0" Wi-Fi Alliance, 2020, https://www.wi-fi.org/ja/discover-wi-fi/security

With the establishment of a new wireless standard, it is assumed that there will be access points that support the specified method of the wireless standard and access points that do not support the specified method. . For example, when the user desires to use an access point that supports a predetermined method, if the above two types of access points are searched, the user may select an access point that does not support the predetermined method. You may choose the wrong one.

This specification provides a technique for suppressing the erroneous selection of an access point that does not support a predetermined scheme in the mixed situation described above.

The communication device disclosed in this specification includes a wireless interface for performing wireless communication according to a predetermined wireless standard, a display unit, and two or more access points around the communication device. A first receiver that receives signals from each of the two or more access points via the wireless interface, wherein the two or more access points support a predetermined method in the predetermined wireless standard and a second access point that does not support the predetermined scheme, the predetermined scheme includes an encryption scheme that satisfies a predetermined criterion, and the first the signal received from the access point includes first method information indicating an encryption method supported by the first access point, and the signal received from the second access point includes the first the second access point includes second method information indicating an encryption method supported by the second access point, the encryption method indicated by the first method information being a method satisfying the predetermined criteria; When the signal is received from each of the first receiving unit and the two or more access points, the encryption method indicated by the method information of 2 is a method that does not satisfy the predetermined criteria. and a first display control unit for causing the display unit to display a first selection screen for selecting one access point from among the two or more access points, wherein the first selection screen is , the information indicating the first access point supporting the encryption scheme indicated by the first scheme information supports the encryption scheme indicated by the second scheme information; and the first display control unit that is displayed with priority over the information indicating the second access point.

If an access point supports an encryption method that satisfies a predetermined standard, it is presumed that the access point supports the predetermined method. According to the above configuration, in a situation where signals are received from each of two or more access points, the first access point that supports an encryption scheme that satisfies the predetermined criteria is is displayed preferentially over the second access point that supports the encryption method that is not supported. In a situation where a first access point that supports a predetermined method and a second access point that does not support the predetermined method coexist, the second access point that does not support the predetermined method may Erroneous selection can be suppressed.

Also, the method for controlling the communication device, the computer program for the communication device, and the storage medium storing the computer program are novel and useful.

1 shows the configuration of a communication system; 4 shows an outline of processing for establishing a wireless connection in the first embodiment; FIG. 2 shows the structure of a beacon signal packet in Personal of WPA3. FIG. FIG. 3 shows the configuration of a beacon signal packet in WPA3 Enterprise (not compatible with 192-bit Option). FIG. 2 shows the configuration of a beacon signal packet in WPA3 Enterprise (compatible with 192-bit Option). FIG. 11 shows a diagram of a flow chart of selection screen processing. A specific case realized by the selection screen processing of FIG. 6 is shown. 11 shows an outline of processing for establishing a wireless connection in the second embodiment;

(First embodiment)
(Configuration of communication system 2; Fig. 1)
As shown in FIG. 1, the communication system 2 includes an MFP (abbreviation for Multifunction Peripheral) 10, a terminal device 100, APs (abbreviation for Access Point) 200, 300 and 400, and authentication servers 210 and 410. . Each of the APs 200 to 400 can form a wireless LAN (abbreviation for Local Area Network). The MFP 10 is connected to a wireless LAN formed by one of APs 200 to 400, and is capable of communicating with other devices (eg, terminal device 100) connected to the wireless LAN.

The terminal device 100 is a mobile terminal, a desktop PC, a notebook PC, or the like. The authentication servers 210 and 410 are servers that authenticate a user using the MFP 10 and provide the AP and the MFP 10 with an encryption key used in wireless communication via the AP. The authentication server 210 is used in processing for establishing wireless connection with the APs 200 and 300, and is connected to the APs 200 and 300 via a wired LAN. The authentication server 410 is used in processing for establishing wireless connection with the AP 400 and is connected to the AP 400 via a wired LAN.

(Configuration of MFP 10; Fig. 1)
The MFP 10 is a peripheral device (for example, a peripheral device of the terminal device 100) capable of executing a print function, a scan function, and the like. The MFP 10 includes an operation section 12 , a display section 14 , a Wi-Fi interface 16 , a print execution section 20 , a scan execution section 22 and a control section 30 . Each unit 12 to 30 is connected to a bus line (reference numerals omitted). Below, the interface is simply described as "I/F".

The operation unit 12 has a plurality of keys. A user can input various instructions to the MFP 10 by operating the operation unit 12 . The display unit 14 is a display for displaying various information. Note that the display unit 14 may function as a touch panel (that is, the operation unit 12).

A Wi-Fi I/F 16 is a wireless I/F for performing wireless communication conforming to the Wi-Fi standard. The Wi-Fi standard is, for example, the IEEE (abbreviation of The Institute of Electrical and Electronics Engineers, Inc.) 802.11 standard and its equivalent standards (eg 802.11a, 11b, 11g, 11n, etc.). It is a standard for performing wireless communication.

Also, the Wi-Fi I/F 16 supports Personal and Enterprise of WPA3 formulated by the Wi-Fi Alliance. Personal is a method for authenticating a slave station in a small-scale wireless LAN such as a home. Enterprise is a method for authenticating a slave station in a large-scale wireless LAN of a company or the like. In Enterprise, an authentication server (eg, 210) that performs authentication according to IEEE 802.1X authenticates slave stations in the Wi-Fi standard. On the other hand, in Personal, the authentication server is not used, and for example, the AP uses PSK (abbreviation of Pre-Shared Key) to authenticate the slave station.

In WPA3 Enterprise, a 192-bit Option is provided as a next-generation security protocol. Communication that conforms to the 192-bit Option requires an encryption method that satisfies a predetermined standard with an encryption strength of 192 bits or more. The encryption method includes a common key cryptographic algorithm, a public key cryptographic algorithm, a hash function, and the like. A symmetric key cryptographic algorithm that satisfies a predetermined standard is an algorithm that uses a key length of 192 bits or more, such as 192-bit-AES (abbreviation of Advanced Encryption Standard), 256-bit-AES, and the like. Algorithms of public key cryptography that meet a predetermined standard are algorithms that use keys with a length of 384 bits or more. abbreviation), 7680-bit-DH (abbreviation of Diffie-Hellman key exchange), 384-bit-ECDSA (abbreviation of Elliptic Curve Digital Signature Algorithm), 384-bit-ECDH (abbreviation of Elliptic curve Diffie-Hellman key exchange), and the like. A hash function that satisfies a predetermined criterion is a function that outputs a return value of 384 bits or more, such as SHA-384, SHA-512, and SHA-3. Wi-Fi I/F16 supports 192bit Option.

The print execution unit 20 includes a printing mechanism such as an inkjet method or a laser method. The scan executing unit 22 includes a scanning mechanism such as a CCD (Charge Coupled Device) image sensor, a CIS (Contact Image Sensor), or the like.

The control unit 30 has a CPU 32 and a memory 34 . The CPU 32 executes various processes according to programs 40 stored in the memory 34 . The memory 34 is composed of a volatile memory, a nonvolatile memory, or the like.

The memory 34 also stores screen setting information 42 . The screen setting information 42 is either "ON" that permits the display of a partial selection screen (see S12 in FIG. 6), which will be described later, or "OFF" that does not permit the display of the partial selection screen (see FIG. 6). or The screen setting information 42 is input by the user via the operation section 12 .

(Configuration of AP 200, 300, 400; Fig. 1)
APs 200-400 support WPA3. AP200 does not support 192bit Option. APs 300 and 400 support 192bit Option. The APs 200, 300, and 400 are assigned SSIDs (abbreviations for Service Set Identifiers) 'ap01', 'ap02', and 'ap03', respectively.

(Wireless connection establishment processing; Fig. 2)
Processing for establishing wireless connection between the MFP 10 and the AP will be described with reference to FIG. All the following communications performed by the MFP 10 are performed via the Wi-Fi I/F 16 . In the following description of processing related to communication, the description “via the Wi-Fi I/F 16” may be omitted. Further, in the following description, for ease of understanding, operations executed by the CPU (eg, CPU 32, etc.) of each device may be described mainly with respect to each device (eg, MFP 10) instead of mainly describing the CPU. be.

In the case of FIG. 2, three APs 200-400 exist around the MFP 10. In the case of FIG. Each of the APs 200-400 broadcasts a beacon signal.

When the MFP 10 receives an instruction to establish a wireless connection from the operation unit 12 at T5, it receives a beacon signal including the SSID of the AP from each of the three APs 200 to 400 surrounding the MFP 10 at T10A to T10C. .

At T20, the MFP 10 executes selection screen processing (FIG. 6), which will be described later. The selection screen process is a process for displaying a selection screen for selecting one AP to be connected from among the three APs 200 to 400 that are the transmission sources of the three beacon signals T10A to T10C. In this case, the MFP 10 accepts the selection of the SSID "ap02" assigned to the AP 300 on the selection screen displayed at T20.

At T30, the MFP 10 sends a Probe request to the AP 300 indicated by the selected SSID "ap02". At T32, the MFP 10 receives a Probe response to the Probe request from the AP300.

At T40, Authentication communication for the AP 300 to authenticate the MFP 10 is executed. In this case, the Authentication communication is successful, and the Association communication is executed at T42.

At T50, the MFP 10 transmits an EAPoL (abbreviation for EAP over LAN) Start signal to the AP 300. FIG. The EAPoL Start signal is a signal requesting the AP 300 to start authentication according to EAP (Extensible Authentication Protocol). At T52, the MFP 10 receives an EAP Request signal as a response to the EAPoL Start signal. The EAP Request signal is a signal requesting user information (user name and password) used for authentication in authentication server 210 .

At T54, the MFP 10 transmits an EAP Response signal including user information (for example, user name and password) indicating the user who uses the MFP 10 to the AP 300 as a response to the EAP Request signal. The AP 300 thereby transmits the EAP Response signal to the authentication server 210 .

Upon receiving the EAP Response signal from AP 300 at T54, authentication server 210 transmits an EAP Request PEAP signal to MFP 10 via AP 300 at T56 as a response to the EAP Response signal.

Upon receiving the EAP Request PEAP signal from the authentication server 210 at T56, the MFP 10 transmits a Client Hello signal to the authentication server 210 at T58. Communication between the MFP 10 and the authentication server 210 is encrypted according to TLS (abbreviation of Transport Layer Security). The Client Hello signal is a signal that notifies the authentication server 210 that the MFP 10 will start operating as a TLS client.

At T60, the MFP 10 receives a Sever Hello signal from authentication server 210 via AP 300 as a response to the Client Hello signal. The Sever Hello signal is a signal that notifies the MFP 10 that the authentication server 210 will start operating as a TLS server. The Sever Hello signal includes Cipher Suites information (hereinafter referred to as “CS information”) indicating an encryption method used in T62 EAP authentication, which will be described later. EAP authentication is processing for authentication server 210 to authenticate the user of MFP 10 and provide both AP 300 and MFP 10 with an encryption key used in establishing wireless connection with AP 300 .

At T<b>62 , the MFP 10 performs EAP authentication communication with the authentication server 210 . Specifically, EAP authentication includes user authentication and key exchange. For user authentication, the authentication server 210 uses the user information in the EAP Response signal of T54 and the public key encryption algorithm (for example, RSA) according to the CS information in the Sever Hello signal of T60. This is communication for authenticating the user. In the key exchange, when the user authentication is successful, the authentication server 210 uses a public key encryption algorithm (for example, DH) according to the CS information to exchange the encryption key used in T70 communication, which will be described later, with the MFP 10. This communication is provided to both APs 300 .

At T70, the MFP 10 executes 4-way handshake communication with the AP 300 using the encryption key provided at T62. As a result, in T80, a wireless connection is established between the MFP 10 and the AP 300 for performing wireless communication according to the Wi-Fi standard. That is, the MFP 10 is connected to the wireless LAN formed by the AP300.

For example, in a situation where the MFP 10 and the terminal device 100 are connected to a wireless LAN formed by the AP 300, the terminal device 100 transmits print data indicating an image to be printed to the MFP 10 via the AP 300 at T90. .

Upon receiving the print data from the terminal device 100 at T90, the MFP 10 causes the print executing unit 20 to print the image indicated by the received print data at T92.

In the case of FIG. 2, three APs 200-400 exist around the MFP 10. In the case of FIG. The three APs 200-300 include one AP 200 that does not support 192-bit Option and two APs 300 and 400 that support 192-bit Option. For example, when the user wants to use an AP (for example, 300) that supports 192-bit Option, if a beacon signal is received from AP 200 that does not support 192-bit Option, the user may mistake AP 200. have the possibility to choose. In this embodiment, the selection screen process (see FIG. 6) of T20 is executed to deal with this problem.

(Packet structure of beacon signal; Figures 3 to 5)
In the selection screen processing of FIG. 6, which will be described later, information in the beacon signal is used to determine whether or not the AP that is the transmission source of the beacon signal supports the 192-bit option. The configuration of a beacon signal packet will be described with reference to FIGS. 3 to 5. FIG. In FIGS. 3 to 5, part of the beacon signal packet is omitted.

FIG. 3 shows an example of the configuration of a beacon signal packet transmitted by the AP 200 when the AP 200 is operating in a mode of executing wireless communication according to WPA3 Personal. As shown in FIG. 3, in WPA3 Personal, a packet includes an SSID Parameter set tag (hereinafter referred to as "SSID tag") and an RSN Information tag (hereinafter referred to as "RSN tag"). The SSID tag includes the AP 200 SSID “ap01”. Also, the RSN tag contains a value regarding the encryption method used in the communication for establishing the wireless connection. In this case, the RSN tag contains the values "AES (CCM)", "SAE (SHA256)". Here, SAE (abbreviation for Simultaneous Authentication of Equals) is a communication method executed in Personal Authentication (see T40 in FIG. 2). In Personal, an encryption key used in 4way-handshake (see T70 in FIG. 2) is provided to both MFP 10 and AP 300 in Authentication.

FIG. 4 shows an example of the configuration of a beacon signal packet transmitted by the AP 200 when the AP 200 operates in a mode of executing wireless communication according to WPA3 Enterprise. As mentioned above, AP 200 does not support 192bit Option. In this case, the RSN tag contains the values "AES (CCM)", "WPA (SHA256)". As shown in FIGS. 3 and 4, in Personal, the RSN tag contains the value "SAE (SHA256)", whereas in Enterprise the RSN tag contains the value "WPA (SHA256)". The value “WPA (SHA256)” indicates that the Authentication communication method in Enterprise is different from Personal.

FIG. 5 shows an example of the configuration of a beacon signal packet transmitted by the AP 300 when the AP 300 is operating in a mode of executing wireless communication according to WPA3 Enterprise. As mentioned above, the AP 300 supports 192bit Option. In this case, the RSN tag contains the values "GCMP(256)", "WPA (SHA384-SuiteB)". Furthermore, the RSN tag in this case has an item "Group Management Cipher Suite" that is not included in the case of FIG. 4, and the RSN tag includes the value "BIP (GCMC-256)" as that item.

The configurations shown in FIGS. 3-5 are only examples. For example, in the case of FIG. 5, the value "GCMP(256)" indicates that 256-bit-AES is used as the common key encryption algorithm, and the value "WPA (SHA384-SuiteB)" indicates that SHA384 is used as the hash function. indicate that Alternatively, for example in the case of FIG. 5, the RSN tag may contain a value different from the value "GCMP(256)", for example a value indicating an algorithm different from 256bit-AES (eg 192bit-AES). . The RSN tag may also include a value different from the value “WPA (SHA384-SuiteB)”, eg, a value indicating a hash function different from SHA384 (eg, SHA512).

(Selection screen processing; Fig. 6)
The selection screen processing executed at T20 in FIG. 2 will be described with reference to FIG. CPU 32 of MFP 10 executes selection screen processing according to program 40 in memory 34 .

In S2, the CPU 32 determines whether or not the screen setting information 42 in the memory 34 indicates "ON". When the CPU 32 determines that the screen setting information 42 indicates "ON" (YES in S2), the process proceeds to S10.

In S10, the CPU 32 utilizes two or more beacon signals received from two or more APs (for example, three APs 200 to 300) existing around the MFP 10, and in the two or more APs, Determine whether there is an AP that supports 192-bit Option. As shown in the case of FIG. 5, in the beacon signal of the AP supporting 192-bit Option, the RSN tag has the item "Group Management Cipher Suite". If there is a beacon signal including an RSN tag with the item "Group Management Cipher Suite" among the two or more beacon signals, the CPU 32 determines whether the two or more APs support the 192-bit Option. determine that exists. On the other hand, the CPU 32 supports 192-bit Option in two or more APs when there is no beacon signal including an RSN tag with the item "Group Management Cipher Suite" in the two or more beacon signals. It is determined that there is no AP present.

When the CPU 32 determines that there is an AP supporting the 192-bit Option among the two or more APs (YES in S10), the process proceeds to S12. In S12, the CPU 32 causes the display section 14 to display a partial selection screen. The partial selection screen is a screen for selecting one AP from among two or more APs existing around the MFP 10 and one or more APs supporting the 192-bit option. The partial selection screen includes, for each of one or more APs, an SSID assigned to the AP and a button for selecting the SSID. The partial selection screen does not include SSIDs assigned to remaining APs other than one or more of the two or more APs. This prevents the user from mistakenly selecting an AP that does not support the 192-bit option from among two or more APs.

Also, the partial selection screen further includes an "other AP" button. The "Other AP" button is a button for displaying a first all-selection screen described later, which is a screen on which APs that do not support 192-bit Option can also be selected.

The CPU 32 monitors selection of the "other AP" button in the partial selection screen in S14, and monitors selection of any SSID in the partial selection screen in S16. When the "another AP" button is selected (YES in S14), the CPU 32 causes the display unit 14 to display the first all selection screen in S30. The first full selection screen includes not only SSIDs of APs that support 192-bit Option, but also SSIDs of APs that do not support 192-bit Option. For example, even if there are APs supporting 192-bit Option around the MFP 10, the user may want to use an AP that does not support 192-bit Option. According to the above configuration, the user can use APs that do not support 192-bit Option.

In subsequent S32, the CPU 32 monitors selection of any SSID within the first full selection screen. When any SSID in the first all-selection screen is selected (YES in S32), the CPU 32 ends the process of FIG. As a result, the CPU 32 executes processing for establishing wireless connection with the AP selected on the first full selection screen.

Further, when any SSID in the partial selection screen is selected (YES in S16), the CPU 32 ends the processing of FIG. As a result, the CPU 32 executes processing for establishing wireless connection with the AP selected on the partial selection screen, ie, the AP supporting the 192-bit Option (see the case of FIG. 2).

Further, when the CPU 32 determines that there is no AP supporting the 192-bit Option among the two or more APs (NO in S10), the process proceeds to S22. In S22, the CPU 32 causes the display unit 14 to display a confirmation screen. The confirmation screen includes a message for confirming the display of the second all-selection screen, which will be described later, and a "YES" button (see FIG. 7).

In S24, the CPU 32 monitors selection of the "YES" button in the confirmation screen. When the "YES" button in the confirmation screen is selected (YES in S24), the CPU 32 proceeds to S40. According to such a configuration, when there is no AP supporting the 192-bit Option around the MFP 10, the user can confirm the use of an AP that does not support the 192-bit Option. Also, it is possible to prevent the user from erroneously selecting an AP that does not support 192-bit Option before confirming the use of the AP that does not support 192-bit Option with the user.

In S<b>40 , CPU 32 causes display unit 14 to display a second all-selection screen for selecting one AP from two or more APs existing around MFP 10 . The second all-selection screen includes the SSIDs of two or more APs existing around the MFP 10, ie, two or more APs that do not support the 192-bit option. According to such a configuration, even in a situation where there is no AP supporting 192-bit Option around the MFP 10, the user can use an AP that does not support 192-bit Option to perform communication via the AP. can be executed.

In S42, the CPU 32 monitors selection of any SSID within the second all selection screen. CPU 32 terminates the process of FIG. 6 when any SSID in the second all selection screen is selected (YES in S42). Accordingly, the CPU 32 executes processing for establishing wireless connection with the AP selected on the second all-selection screen.

When the CPU 32 determines that the screen setting information 42 indicates "OFF" (NO in S2), the process proceeds to S40. For example, in a situation where there are three APs 200 to 400 around the MFP 10, if the screen setting information 42 indicates "ON", two SSIDs "ap02" and "ap03" of two AP300 and AP400 are displayed. is displayed (S12). On the other hand, in the same situation, when the screen setting information 42 indicates "OFF", a second full selection screen including three SSIDs "ap01", "ap02" and "ap03" of the three APs 200 to 400 is displayed. is displayed (S40). According to such a configuration, by inputting "OFF" as the screen setting information 42, one AP is selected from two or more APs existing around the MFP 10 regardless of whether or not the 192-bit Option is supported. can be selected.

According to the process of FIG. 6, in a situation where beacon signals are received from each of two or more APs existing around the MFP 10, the SSID of the AP that does not support the 192-bit Option among the two or more APs is A partial selection screen including SSIDs of APs that support 192-bit Option among two or more APs is displayed (S12). In a situation where APs that support 192-bit Option and APs that do not support 192-bit Option coexist, it is possible to prevent an AP that does not support 192-bit Option from being erroneously selected.

(Specific aspects of the partial selection screen; FIG. 6)
A specific aspect of the partial selection screen displayed in a situation where two APs 300 and 400 supporting 192-bit Option exist around the MFP 10 will be described. The key length of the common key encryption algorithm supported by the AP 300 is longer than the key length of the common key encryption algorithm supported by the AP 400 . For example, the beacon signal transmitted by AP 300 includes a value indicating 256bit-AES as the value of the RSN tag. Here, "256" indicates the key length in AP300. Also, the beacon signal transmitted by the AP 400 includes a value indicating 192bit-AES as the value of the RSN tag. Here, "192" indicates the key length in AP400. In this case, the CPU 32 acquires from each of the two beacon signals received from the two APs 300 and 400 the key length of the common key encryption algorithm supported by the APs. Then, the CPU 32 causes the display unit 14 to display a partial selection screen in which the SSID "ap02" of the AP300 corresponding to the 256-bit key length is positioned above the SSID "ap03" of the AP400 corresponding to the 192-bit key length. (S12). In general, the longer the key length used in the encryption algorithm, the stronger the encryption strength. According to such a configuration, it is possible to encourage the user to use an AP with a relatively strong encryption strength.

Further, the information for determining the sequence of SSIDs in the partial selection screen is not limited to the key length of the common key encryption algorithm. For example, assume that the length of the output value of the hash function supported by AP300 is longer than the length of the output value of the hash function supported by AP400. In this case, for example, the beacon signal transmitted by AP 300 includes a value indicating SHA512 as the value of the RSN tag. Here, "512" indicates the length of the output value in AP300. Also, the beacon signal transmitted by the AP 400 includes a value indicating SHA384 as the value of the RSN tag. Here, "384" indicates the length of the output value in AP400. In this case, the CPU 32 obtains from each of the two beacon signals received from the two APs 300 and 400 the length of the output value of the hash function supported by that AP. Then, the CPU 32 displays a partial selection screen in which the SSID "ap02" of the AP300 corresponding to the length of the 512-bit output value is positioned above the SSID "ap03" of the AP400 corresponding to the length of the 384-bit output value. It is displayed on the unit 14 (S12). Generally, the longer the length of the output value of the hash function, the stronger the cryptographic strength. Even with such a configuration, it is possible to encourage the user to use an AP with a relatively strong encryption strength.

(Specific case; Figure 7)
A specific case implemented by the screen selection process of FIG. 6 will be described with reference to FIG. At the initial stage of this case, only APs 200 that do not support the 192-bit Option exist around the MFP 10 . Also, in the initial stage of this case, the screen setting information of the MFP 10 indicates "ON".

T95 is the same as T5 in FIG. At T100, the MFP 10 receives a beacon signal from the AP200. In T101, the MFP 10 determines that the screen setting information 42 indicates "ON" (YES in S2 of FIG. 6). At T102, the MFP 10 determines that there is no AP supporting the 192-bit Option around the MFP 10 (NO in S10). At T104, the MFP 10 displays a confirmation screen (S22). At T106, the MFP 10 receives selection of the "YES" button in the confirmation screen (YES at S24). At T108, the MFP 10 displays a second full selection screen including the SSID "ap01" of the AP 200 (S40).

At T122, the MFP 10 receives the selection of the SSID "ap01" in the second all selection screen from the user. Further, the MFP 10 receives input of user information from the user. T140-T180 are similar to T40-T80 in FIG. 2, except that AP200 is used. A wireless connection is thereby established between the MFP 10 and the AP 200 . In FIG. 7 as well, communications similar to T30, T32, and T50 to T60 in FIG. 2 are executed, but the description thereof is omitted.

Subsequently, in this case, the wireless connection established at T180 is disconnected, and an AP300 is newly installed around the MFP10. In this situation, when the MFP 10 receives an instruction to establish a wireless connection at T195, it receives beacon signals from each of the two APs 200 and 300 at T200A and T200B. T201 is similar to T101. In T202, it is determined that an AP 300 supporting the 192-bit Option exists around the MFP 10 (YES in S10). At T202, the MFP 10 displays a partial selection screen that includes the SSID "ap02" of AP300 and does not include the SSID "ap01" of AP200 (S12 in FIG. 6).

According to this case, even after the MFP 10 has established a wireless connection with the AP 200 that does not support the 192-bit Option, when a beacon signal is received from each of the two APs 200 and 300, the MFP 10 receives the AP 300 A partial selection screen including the SSID "ap02" of AP200 and excluding the SSID "ap01" of AP200 is displayed (T202). Although there is a track record of establishing a wireless connection with an AP 200 that does not support the 192-bit Option, the user is urged to establish a new wireless connection with the AP 300 that supports the 192-bit Option rather than the AP 200 that has a track record of connection. be able to.

(Correspondence relationship in the first embodiment)
The MFP 10, the display section 14, and the Wi-Fi I/F 16 are examples of the "communication device,""displaysection," and "wireless interface," respectively. APs 200-400 are examples of two or more access points. AP300, AP200, and AP400 are examples of "first access point,""second access point," and "third access point," respectively. The authentication server 210 is an example of an "external server." The 192-bit Option and the standard of encryption strength in the 192-bit Option are examples of the "predetermined method" and the "predetermined standard", respectively. The screen setting information 42, "ON" and "OFF", are examples of "predetermined setting information", "first value" and "second value", respectively. The information in the packet in FIG. 5 and the information in the packet in FIG. 4 are examples of the "first method information" and the "second method information", respectively.

A beacon signal is an example of a "signal." The partial selection screen of S12 in FIG. 6 and the "another AP" button are examples of the "first selection screen" and the "predetermined button". The first all selection screen of S30 in FIG. 6 is an example of the "second selection screen". The output value of the hash function and the key of the common key encryption algorithm supported by the AP are examples of "the value used in the encryption method supported by each access point". The AP 200 in FIG. 7 is an example of "one or more access points". The "YES" button in the confirmation screen of T104 in FIG. 7 is an example of the "confirmation button". The second all-selection screen at T108 in FIG. 7 is an example of the "fourth selection screen."

T10A in FIG. 2 and S12 in FIG. 6 are examples of processing implemented by the "first receiving unit" and the "first display control unit", respectively.

(Modification of the first embodiment; FIG. 6)
In the partial selection screen of the first embodiment, the SSID "ap02" of the AP 300, which supports the common key encryption algorithm using a relatively long key, supports the common key encryption algorithm using a relatively short key. It is located above the SSID "ap03" of the supporting AP300. In the partial selection screen of this modified example, the SSID "ap03" of the AP 300, which supports the common key encryption algorithm using a relatively short key, supports the common key encryption algorithm using a relatively long key. is located above the SSID "ap02" of the AP 300 that is In general, the longer the key length used in the encryption algorithm, the stronger the encryption strength, but the longer the processing time for encryption and decryption. According to such a configuration, it is possible to urge the user to use an AP with fast encryption and decryption processing times.

(Second embodiment)
This embodiment is the same as the first embodiment, except that the contents of the wireless connection establishment process are partially different.

(Wireless connection establishment processing; FIG. 8)
Processing for establishing a wireless connection between the MFP 10 and the AP in this embodiment will be described with reference to FIG.

T295-T300C are the same as T5-T10C in FIG. At T310A, the MFP 10 transmits an inquiry signal for inquiring CS information to the authentication server 210 via the AP300. At T312A, MFP 10 receives CS information CS1 of authentication server 210 from authentication server 210 via AP 300 as a response to the inquiry signal. Further, MFP 10 transmits an inquiry signal to authentication server 410 via AP 400 at T310B, and receives CS information CS2 of authentication server 410 via AP 400 at T312B.

The table in FIG. 8 exemplifies multiple types of CS information. For example, for the first type CS information, ECDH is used in EAP authentication key exchange, RSA is used in EAP authentication user authentication, and 256-bit-AES is used as a common key encryption algorithm used in EAP authentication. , indicates that SHA384 is used as a hash function in EAP authentication. The second type CS information is the same as the first type CS information except that DH is used in key exchange for EAP authentication. Also, the third type CS information is the same as the first type CS information except that ECDSA is used in user authentication of EAP authentication. Note that the table in FIG. 8 is merely an example of multiple types of CS information. For example, the multiple types of CS information may include fourth type CS information indicating that SHA512 is used as a hash function in EAP authentication.

T320 is the same as T30 in FIG. 2 except that the order of SSIDs in the partial selection screen is determined using the CS information CS1 of T312A and the CS information CS2 of T312B. For example, the CS information CS1 is the second type CS information indicating that DH is used in EAP authentication key exchange, and the CS information CS2 is second type CS information indicating that ECDH is used in EAP authentication key exchange. Assume a situation where it is one type of CS information. As described above, DH uses a key with a length of 7680 bits, and ECDH uses a key with a length of 384 bits. In the partial selection screen of this embodiment, the SSID "ap02" of the AP 300 connected to the authentication server 210 that executes EAP authentication using DH is connected to the authentication server 410 that executes EAP authentication using ECDH. It is positioned above the SSID "ap03" of the AP 400 that is located. That is, in the partial selection screen of the present embodiment, the SSID "ap02" of AP300 using EAP authentication using a relatively long key is changed to the SSID "ap02" of AP400 using EAP authentication using a relatively short key. It is positioned above "ap03". Even with such a configuration, it is possible to encourage the user to use an AP with a relatively strong encryption strength. Further, in the partial selection screen of the modified example, the SSID "ap03" of AP400 using EAP authentication using a relatively short key is changed to the SSID "ap03" of AP300 using EAP authentication using a relatively long key. ap02" may be positioned above. Even with such a configuration, the user can be urged to use an AP with fast encryption and decryption processing times. In addition, in the modified example of the present embodiment, the sequence of SSIDs may be determined based on the length of the output value of the hash function used in EAP authentication.

Alternatively, for example, the processes T310A to T312B are not executed, and the processes T30 to T60 in FIG. is used to determine the sequence of SSIDs in the partial selection screen. In this comparative example, the processes from T30 to T60 in FIG. 2 are executed for all two or more APs. Processing from T30 to T60 is processing for establishing wireless connection with the AP. In this comparative example, the processing of T30 to T60 is executed unnecessarily for APs that are not targets for wireless connection establishment. On the other hand, in this embodiment, before executing the processes T30 to T60 in FIG. 2, the processes T310A to T312B are executed to display the partial selection screen. In this embodiment, it is possible to prevent unnecessary execution of the processes of T30 to T60 for APs for which wireless connection is not to be established. Note that in the modification, the configuration of the above comparative example may be adopted, and in the modification, the CS information of T60 is an example of "value length information."

(Correspondence relationship in the second embodiment)
EAP authentication is an example of an "authentication process." The output value of the encryption algorithm key and hash function used in EAP authentication is an example of the "value used in authentication processing". The inquiry signal of T310A in FIG. 7 is an example of a "predetermined request."

Specific examples of the technology disclosed in this specification have been described above, but these are merely examples and do not limit the scope of the claims. The technology described in the claims includes various modifications and changes of the specific examples illustrated above. For example, the following modifications may be adopted.

(Modification 1) In each of the above embodiments, the AP 200 supports WPA3 but does not support 192-bit Option. Alternatively, the AP 200 may not support the 192-bit Option due to not supporting WPA3. In this modified example, the AP 200 that does not support WPA3 is an example of the "second access point."

(Modification 2) The “signal” is not limited to the beacon signal, and may be, for example, a probe response to a probe request broadcast by the MFP 10 .

(Modification 3) The partial selection screen in each of the above embodiments does not include the SSID of an AP that does not support 192-bit Option (hereinafter referred to as "non-supporting SSID"). Instead, on the partial selection screen, the SSID of the AP that supports the 192-bit Option (hereinafter referred to as "supported SSID") is displayed in the first mode, and the non-supported SSID is displayed in the first mode. may be displayed in a second manner (eg, grayed out, light color, small font, etc.) different from the In another modification, the compatible SSID may be arranged above the non-compatible SSIS on the partial selection screen. These modified examples are also examples of displaying "information indicating the first access point" with "priority".

(Modification 4) The process of S2 in FIG. 6 may not be executed. In this modified example, the "predetermined setting information" can be omitted.

(Modification 5) The processes of S14 and S30 in FIG. 2 may not be executed. In this modified example, the "predetermined button" and the "third selection screen" can be omitted.

(Modification 6) The processes of S22 to S42 when it is determined as NO in S10 of FIG. 6 may not be executed. In this modified example, the "fourth selection screen" can be omitted.

(Modification 7) The processes of S22 and S24 in FIG. 6 may not be executed. In this modified example, the "confirmation button" can be omitted.

(Modification 8) The process of FIG. 7 may not be executed. For example, a second full selection screen may be displayed after a wireless connection with the AP 200 is established. Generally speaking, the 'first selection screen' may not be displayed 'after the wireless connection with the second access point is established'.

(Modification 9) In the partial selection screen of each of the above embodiments, the SSID is the key length of the encryption method used in the process for establishing wireless connection with the AP (for example, Authentication, EAP authentication). are sorted based on Alternatively, the SSIDs may be ordered based on the version of the encryption scheme in question. For example, the SSID of an AP that supports the latest version of encryption scheme may be arranged above the SSID of an AP that supports an older version of encryption scheme.

(Modification 10) In the partial selection screen of each of the above embodiments, the SSID "ap02" of AP300 corresponding to the 256-bit key length is higher than the SSID "ap03" of AP400 corresponding to the 192-bit key length. Located on the upper level. Alternatively, SSID "ap02" may be positioned to the left of SSID "ap03". In this modified example, the left side is an example of the "priority position".

(Modification 11) In the second embodiment described above, the MFP 10 transmits an inquiry signal to the authentication server 210 and receives CS information from the authentication server 210 (T310A, T312A in FIG. 8). Alternatively, the MFP 10 may acquire CS information from a predetermined database (not shown). The predetermined database may store, for each of a plurality of APs, the SSID of the AP and the CS information of the authentication server connected to the AP in association with each other. In this modified example, the "second receiver" can be omitted.

(Modification 12) The "communication device" is not limited to the MFP 10, and may be a terminal device such as a printer, scanner, or PC.

(Modification 13) In the above embodiment, the processes of FIGS. 2 to 8 are realized by software (for example, the program 40), but at least one of these processes may be realized by hardware such as a logic circuit. good.

The technical elements described in this specification or in the drawings exhibit technical usefulness alone or in various combinations, and are not limited to the combinations described in the claims as of the filing. In addition, the techniques exemplified in this specification or drawings achieve multiple purposes at the same time, and achieving one of them has technical utility in itself.

2: communication system 10: MFP
12: Operation unit 14: Display unit 16: Wi-Fi I/F
20: print execution unit 22: scan execution unit 30: control unit 32: CPU
34: memory 40: program 42: screen setting information 100: terminal devices 210, 410: authentication servers CS1, CS2: CS information

Claims (15)

A communication device,
a wireless interface for performing wireless communication according to a predetermined wireless standard;
a display unit;
A first receiver that receives a signal from each of the two or more access points via the wireless interface in a situation where two or more access points exist around the communication device,
The two or more access points include a first access point that supports a predetermined method in the predetermined wireless standard and a second access point that does not support the predetermined method;
The predetermined method includes an encryption method that satisfies predetermined criteria,
the signal received from the first access point includes first scheme information indicating an encryption scheme supported by the first access point;
the signal received from the second access point includes second scheme information indicating an encryption scheme supported by the second access point;
The encryption scheme indicated by the first scheme information is a scheme that satisfies the predetermined criteria,
The encryption method indicated by the second method information is a method that does not satisfy the predetermined criteria,
the first receiving unit;
A first selection screen for selecting one access point from among the two or more access points is displayed on the display unit when the signals are received from each of the two or more access points. the first display control unit, wherein on the first selection screen, the information indicating the first access point that supports the encryption method indicated by the first method information is the first access point; the first display control unit that is displayed preferentially over the information indicating the second access point that supports the encryption method indicated by the method information No. 2;
A communication device comprising: The communication device further comprises a memory for storing predetermined setting information,
The first display control unit causes the display unit to display the first selection screen when the predetermined setting information indicates a first value,
The communication device further
a second display control unit for displaying a second selection screen different from the first selection screen on the display unit when the predetermined setting information indicates a second value different from the first value wherein, on the second selection screen, the information indicating the first access point and the information indicating the second access point are displayed in a manner different from that of the first selection screen. 2. The communication device according to claim 1, comprising the second display control unit displayed with . The communication device according to claim 1 or 2, wherein the first selection screen includes the information indicating the first access point and does not include the information indicating the second access point. The first selection screen includes a predetermined button,
The first display control unit displays a third selection screen including the information indicating the second access point on the display unit when the predetermined button in the first selection screen is selected. 4. The communication device according to claim 3, for displaying. In a situation where one or more access points including the second access point exist around the communication device and the first access point does not exist around the communication device, receiving the signal from each of the one or more access points over the wireless interface;
The communication device further
A fourth selection screen for selecting one access point from among the one or more access points is displayed on the display unit when the signal is received from each of the one or more access points. a third display controller, wherein the fourth selection screen includes information indicating all of the one or more access points, the third display controller comprising: Item 5. The communication device according to any one of Items 1 to 4. The communication device further
a fourth display control unit that causes the display unit to display a screen including a confirmation button for confirming display of the fourth selection screen when the signal is received from each of the one or more access points; ,
The communication device according to claim 5, wherein the third display control section causes the display section to display the fourth selection screen when the confirmation button is selected. The communication device further
When the second access point among the one or more access points is selected on the fourth selection screen, the second access point that does not support the predetermined scheme is selected via the wireless interface. An establishing unit for establishing a wireless connection with an access point,
After the wireless connection with the second access point is established, the first receiving unit is configured to operate in a situation where the two or more access points including the first access point exist around the communication device in receiving the signal from each of the two or more access points via the wireless interface;
If the signal is received from each of the two or more access points even after the wireless connection with the second access point is established, the first display control unit displays the 7. The display unit displays the first selection screen in which the information indicating the first access point is preferentially displayed over the information indicating the second access point. communication equipment. The two or more access points include, in addition to the first access point, a third access point supporting the predetermined scheme;
the first selection screen includes the information indicating the first access point and the information indicating the third access point;
In the first selection screen, the information indicating the first access point and the information indicating the third access point are lengths of values used in encryption schemes supported by each access point. 8. A communication device as claimed in any one of claims 1 to 7, ordered based on the degree. In the first selection screen, the information indicating the first access point that supports an encryption scheme using a first length value that satisfies the predetermined criterion is the first length. prior to said information indicating said third access point supporting an encryption scheme utilizing a second length value that satisfies said predetermined criteria, which is shorter than said information 9. A communication device according to claim 8. In the first selection screen, the information indicating the first access point that supports an encryption scheme using a first length value that satisfies the predetermined criterion is the first length. is positioned prior to said information indicating said third access point supporting an encryption scheme utilizing a third length value that satisfies said predetermined criteria, which is longer than said information. 9. A communication device according to claim 8. the predetermined wireless standard is a Wi-Fi standard;
The predetermined method includes Enterprise in the Wi-Fi standard,
The processing for establishing a wireless connection according to the Enterprise includes authentication processing in which an external server authenticates the communication device,
The two or more access points include, in addition to the first access point, a third access point supporting the predetermined scheme;
the first selection screen includes the information indicating the first access point and the information indicating the third access point;
on the first selection screen, the information indicating the first access point and the information indicating the third access point are arranged based on the length of the value used in the authentication process; 8. A communication device according to any one of claims 1-7. wherein, on the first selection screen, the information indicating the first access point with which the wireless connection can be established upon success of the authentication process using a first length value that satisfies the predetermined criterion; , indicating the third access point with which the wireless connection can be established upon success of the authentication process utilizing a second length value that is shorter than the first length and that satisfies the predetermined criterion; 12. The communication device according to claim 11, arranged in a position of priority over information. wherein, on the first selection screen, the information indicating the first access point with which the wireless connection can be established upon success of the authentication process using a first length value that satisfies the predetermined criterion; , indicating the third access point with which the wireless connection can be established upon success of the authentication process utilizing a third length value that is longer than the first length and satisfies the predetermined criterion; 12. The communication device according to claim 11, arranged in a position of priority over information. The communication device further
sending a predetermined request to each of the two or more servers, and from each of the two or more servers, as a response to the predetermined request, the length of the value used in the authentication process executed by the server; a second receiving unit configured to receive length information, wherein the two or more servers include a first value used in processing for establishing a wireless connection with the first access point; the second receiving unit including a server and a second server used in processing for establishing a wireless connection with the third access point;
In the first selection screen, the information indicating the first access point and the information indicating the third access point are the value length information received from the first server and the second 14. A communication device according to any one of claims 11 to 13, arranged based on the value length information received from a server of . A computer program for a communication device, comprising:
The communication device
a wireless interface for performing wireless communication according to a predetermined wireless standard;
a display unit;
a computer;
with
The computer program causes the computer to:
A first receiver that receives a signal from each of the two or more access points via the wireless interface in a situation where two or more access points exist around the communication device,
The two or more access points include a first access point that supports a predetermined method in the predetermined wireless standard and a second access point that does not support the predetermined method;
The predetermined method includes an encryption method that satisfies predetermined criteria,
the signal received from the first access point includes first scheme information indicating an encryption scheme supported by the first access point;
the signal received from the second access point includes second scheme information indicating an encryption scheme supported by the second access point;
The encryption scheme indicated by the first scheme information is a scheme that satisfies the predetermined criteria,
The encryption method indicated by the second method information is a method that does not satisfy the predetermined criteria,
the first receiving unit;
A first selection screen for selecting one access point from among the two or more access points is displayed on the display unit when the signals are received from each of the two or more access points. the first display control unit, wherein on the first selection screen, the information indicating the first access point that supports the encryption method indicated by the first method information is the first access point; the first display control unit that is displayed preferentially over the information indicating the second access point that supports the encryption method indicated by the method information No. 2;
A computer program that acts as

Images