WO2019021770A1 - Communication device, control method for communication device and program - Google Patents

Communication device, control method for communication device and program

Info

Publication number
WO2019021770A1
Authority
WO
WIPO (PCT)
Prior art keywords
authentication
sharing
request
communication
portable device
Application number
PCT/JP2018/025342
Other languages
French (fr)
Japanese (ja)
Inventor
篤志 皆川
Original Assignee
Canon Inc. (キヤノン株式会社)
Priority claimed from JP2018082463A (JP7109243B2)
Application filed by Canon Inc.
Priority to CN201880049650.1A (CN110999351B)
Priority to EP18837789.9A (EP3637814B1)
Priority to KR1020207004920A (KR102283325B1)
Publication of WO2019021770A1
Priority to US16/743,401 (US20200154276A1)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L 9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W 12/06 Authentication
    • H04W 76/00 Connection management
    • H04W 76/10 Connection setup
    • H04W 84/00 Network topologies
    • H04W 84/02 Hierarchically pre-organised networks, e.g. paging networks, cellular networks, WLAN [Wireless Local Area Network] or WLL [Wireless Local Loop]
    • H04W 84/10 Small scale networks; Flat hierarchical networks
    • H04W 84/12 WLAN [Wireless Local Area Networks]

Definitions

  • the present invention relates to a communication device, a control method of the communication device, and a program.
  • In Non-Patent Document 1, the configurator sets, for the access point, the communication parameters for forming a wireless network, using the configurator's private/public key pair. Non-Patent Document 1 also provides an enrollee with communication parameters for connecting to that access point, using the same configurator key pair that was used to set up the access point.
  • The efficiency of distributing communication parameters is increased, and user convenience improves.
  • Non-Patent Document 1: Wi-Fi Alliance, Wi-Fi Device Provisioning Protocol (DPP) DRAFT Technical Specification v0.0.35
  • The private/public key pair that the configurator uses to encrypt and decrypt the communication parameters provided to an enrollee is unique to each network. The access point accepts a connection only when the communication parameter in the connection request sent by a wireless terminal can be decrypted with the configurator public key it received at network setup time, so only an enrollee holding communication parameters produced with the same configurator key pair that was used to set up the access point can connect. Therefore, to provide a device with communication parameters for an access point that another configurator has already configured, the configurator key pair used for that configuration must be obtained. (In DPP terms this "encryption with the configurator's private key" is a signature: the Connector is signed with the configurator's signing key and verified with the corresponding public key; the asymmetry between who can issue parameters and who can check them is the same.)
  • Non-Patent Document 1 describes sharing the configurator's private/public key pair with a plurality of electronic devices through an external storage medium (for example, a USB memory or wireless storage).
  • In one embodiment of the present invention, a communication device, its control method, and a program are provided that reduce the time and effort required to provide other devices with the unique information used for setting communication parameters.
  • A communication device according to one embodiment communicates with an external device and comprises: authentication means for performing authentication processing by exchanging authentication information with the external device; detecting means for detecting a request to share the unique information used for providing communication parameters; and sharing means for sharing that unique information with the external device, when the request is detected by the detecting means, after the authentication by the authentication means has succeeded.
  • According to the present invention, the time and effort required to provide other devices with the unique information used for setting communication parameters are reduced.
  • FIG. 5 is a sequence diagram showing wireless connection processing of a printer and an access point.
  • FIG. 6 is a sequence diagram showing a process of sharing a key pair according to the first embodiment.
  • FIG. 7 is a flowchart showing the operation of the mobile device 101 in the first embodiment.
  • FIG. 8 is a flowchart showing the operation of the mobile device 102 in the first embodiment.
  • FIG. 9 is a sequence diagram illustrating another example of key pair sharing processing according to the first embodiment.
  • FIG. 10 is a sequence diagram illustrating a further example of key pair sharing processing according to the first embodiment.
  • FIG. 11 is a sequence diagram showing a process of sharing a key pair according to the second embodiment.
  • FIG. 12 is a flowchart showing the operation of the mobile device 101 in the second embodiment.
  • FIG. 13 is a flowchart showing the operation of the mobile device 102 in the second embodiment.
  • FIG. 14 is a sequence diagram showing key pair sharing processing according to the third embodiment.
  • FIG. 15 is a flowchart showing the operation of the mobile device 101 in the third embodiment.
  • FIG. 16 is a flowchart showing the operation of the mobile device 102 in the third embodiment.
  • FIG. 1 shows a configuration example of a communication system in the first embodiment.
  • the portable device 101 has a wireless LAN function, and operates, for example, as a configurator defined in DPP.
  • the portable device 101 can provide the access point 103 with communication parameters for forming the wireless network 104.
  • the communication parameters include setting items necessary for performing wireless communication, such as an SSID (Service Set Identifier) as a network identifier, an encryption method, an encryption key, an authentication method, and the like.
  • the communication parameters provided by the portable device 101 which is a configurator, are encrypted by the configurator-specific secret key held by the portable device 101.
  • the portable device 101 can pass a pair of a configurator-dedicated secret key and a public key (hereinafter referred to as a key pair) used for setting of the access point 103 to the portable device 102.
  • the portable device 102 has a wireless LAN function, and operates, for example, as a configurator or enrollee defined in DPP.
  • the portable device 102 can operate as an enrollee, obtain a key pair dedicated to the configurator from the portable device 101, and operate as a configurator providing communication parameters for connecting to the wireless network 104.
  • the access point 103 operates as an access point defined in, for example, DPP.
  • the access point 103 operates as an enrollee and can form the wireless network 104 by acquiring communication parameters from the portable device 101 which is a configurator.
  • the printer 105 and the printer 106 have a wireless LAN function, and operate as an enrollee defined in, for example, DPP.
  • the printer 105 and the printer 106 can be connected to the wireless network 104 by acquiring encrypted communication parameters from the portable device 101 or the portable device 102 which is a configurator and decrypting and using them.
  • Examples of the mobile device of the present embodiment include electronic devices such as a mobile phone, a digital camera, a video camera, a PC, a PDA, a smartphone, and a smart watch, but the present invention is not limited to these. In the present embodiment, a portable device and a printer are described as the electronic devices connected to the wireless network, but the present invention is not limited to these either: any electronic device connectable to the wireless network may be used, and it need not be of a particular type. The access point in the present embodiment may also be an electronic device with its own function (such as a printer or a digital camera) that operates as an access point as defined in DPP.
  • FIG. 2 is a block diagram showing an example of the functional configuration of the mobile device 101 and the mobile device 102 in the present embodiment.
  • Each functional unit shown in FIG. 2 is realized by the computer (processor) executing a program stored in the memory. However, some or all of the functions may be realized by dedicated hardware.
  • a wireless communication control unit 201 controls communication using an antenna, a circuit, and the like for transmitting and receiving a wireless signal to and from another wireless device via a wireless LAN.
  • the transmission / reception unit 202 performs transmission / reception control of data according to the protocol of each communication layer.
  • the operation unit 203 is used by the user to operate the portable device 101.
  • the operation unit 203 includes a button for activating the imaging unit 207 and the like.
  • the operation unit 203 may be configured by hardware, or may be configured by a UI provided using the display unit 204 by software.
  • the display unit 204 outputs information that can be perceived visually or aurally, for example via an LCD, an LED, or a speaker.
  • the control unit 205 controls the entire portable device 101.
  • the storage unit 206 includes a ROM in which programs and data for controlling the portable device 101 are stored, and a RAM that manages temporary storage. Various operations to be described later are performed by the CPU (not shown) executing a control program stored in the storage unit 206 to realize functional units such as the control unit 205 and the like.
  • the imaging unit 207 includes an imaging element, a lens, and the like, and captures a still image or a moving image.
  • the image processing unit 208 performs image processing of an image or the like captured by the imaging unit 207.
  • the image processing unit 208 analyzes the image of the QR code captured by the imaging unit 207, decodes the encoded information, and acquires the information (QR code information).
  • the code generation unit 209 generates QR code information, and performs control to display the generated QR code information on the display unit 204 as a QR code (image).
  • the QR code is used as the image of the code information.
  • the present invention is not limited to this, and a barcode, a two-dimensional code, or the like may be used.
  • the communication parameter processing unit 210 performs processing for providing and acquiring communication parameters for connecting to the wireless network 104.
  • the role determination unit 211 determines the role of the partner device that transmits and receives communication parameters.
  • the types of roles to be determined include a “configurator” that provides communication parameters, an “enrollee” that acquires communication parameters, and the like, but the present invention is not limited thereto.
  • the key sharing processing unit 212 performs processing for sharing the pair (key pair) of the secret key and the public key used to provide the communication parameter to the access point 103 with another device.
  • the key sharing processing unit 212 accepts a key sharing instruction from the user, or the user's permission for a sharing request received from another device, and executes the key sharing process.
  • FIG. 3 is a flowchart showing a process in which the portable device 101 as a configurator provides communication parameters to the access point 103 as an enrollee.
  • When the control unit 205 receives a parameter provision instruction from the user, it activates the imaging unit 207 to capture the QR code displayed by the access point 103 (S301). The control unit 205 then determines whether the imaging unit 207 of the portable device 101 has captured a QR code (S302).
  • the QR code displayed by the access point 103 is not limited to one displayed on a display or the like, and may be printed on a label or the like attached to a housing or an accessory of an electronic device.
  • the QR code may be, for example, one described in a manual or the like. If the QR code can not be captured within a predetermined time after activation of the imaging unit 207 in S302, the process of providing the communication parameter may end.
  • the image processing unit 208 decodes the QR code in the captured image and acquires the QR code information, which includes the public key for authentication of the access point 103 (S303).
  • the control unit 205 transmits an authentication request to the access point 103 using the transmission / reception unit 202 and the wireless communication control unit 201 (S304).
  • This authentication request is, for example, a DPP Authentication Request frame defined by the DPP standard.
  • the authentication request includes authentication information to be used for authentication, identification information of the portable device 101, role information, random numbers, and a public key for generating a shared key.
  • the authentication information is a hash value of a public key for authentication of the access point 103 included in the QR code.
  • the identification information is a hash value of the public key for authentication of the mobile device 101.
  • Role information is information indicating the role (such as a configurator or an enrollee) of the mobile device 101. The random number is used for authentication when receiving an authentication response described later.
  • the public key for shared key generation is the key from which the shared key with the access point 103 is derived.
  • The access point 103 that has received the authentication request determines whether the device that transmitted it is the device that captured the QR code. This determination uses the authentication information in the request: the access point 103 calculates the hash value of the public key included in the QR code it displayed, compares it with the hash value (authentication information) in the authentication request, and treats the verification as successful when the two match.
  • the hash function used to calculate the hash value at this time is assumed to be agreed in advance with the portable device 101 that transmits the authentication request.
  • the public key included in the authentication request is the key from which the shared key is generated; that shared key is used to encrypt and decrypt information exchanged with the access point 103, such as the tag information described later.
  • the portable device 101, which is the configurator, generates the shared key using both the public key for shared key generation of the access point 103 (included in the authentication response described later) and its own secret key for shared key generation.
  • the access point 103 which is an enrollee, generates a shared key using both the public key for generating the shared key of the mobile device 101 and the secret key for generating the shared key of the access point 103.
  • the shared key is generated based on, for example, an ECDH (Elliptic Curve Diffie-Hellman) scheme.
  • Although the shared key is generated based on ECDH here, the scheme is not limited to ECDH, and the shared key may be generated by another public key cryptosystem.
  • After transmitting the authentication request to the access point 103 in S304, the control unit 205 of the portable device 101 waits to receive an authentication response from the access point 103 (S305). If no authentication response is received within a predetermined time in S305, the process of providing communication parameters ends.
  • the authentication response is, for example, a DPP Authentication Response frame defined by the DPP standard.
  • the authentication response includes a public key for generating a shared key of the access point 103, role information, random numbers, and tag information.
  • the portable device 101 generates a shared key using the public key for generating the shared key of the access point 103 and the secret key for generating the shared key of itself. The generation of the shared key is as described above.
  • the tag information is the random number that the portable device 101 included in the authentication request, encrypted with the shared key that the access point 103 generated from its own secret key for shared key generation and the public key for shared key generation of the portable device 101.
  • the portable device 101 determines that the authentication is successful when it can correctly decrypt the tag information with the shared key it generated itself. More specifically, the control unit 205 generates a shared key from the secret key for shared key generation of the portable device 101 and the public key for shared key generation of the access point 103, which is equivalent to the key generated by the access point 103, and verifies the tag information with that shared key. If the tag information can be decrypted with this shared key, the control unit 205 determines that the authentication succeeded; if not, it determines that the authentication failed.
  • the control unit 205 of the portable device 101 verifies the content of the authentication response (S306). As described above, the control unit 205 determines whether the authentication is successful using the tag information in the authentication response, and whether the role information of the access point 103 in the authentication response indicates an enrollee. If it determines that the authentication failed or that the role of the access point 103 that transmitted the authentication response does not indicate an enrollee (NO in S306), the control unit 205 displays an error message on the display unit 204 (S310), and the parameter provision processing ends.
  • the control unit 205 transmits an authentication confirmation to the access point 103 (S307).
  • This authentication confirmation is, for example, a DPP Authentication Confirm frame defined by the DPP standard.
  • This authentication confirmation includes tag information.
  • the tag information is obtained by the control unit 205 encrypting the random number included in the authentication response transmitted by the access point 103 using the shared key.
  • the control unit 205 of the portable device 101 waits for the setting request to be transmitted from the access point 103 which is the enrollee (S308).
  • The access point 103 that has received the authentication confirmation verifies it and determines whether the authentication is successful. If so, the access point 103 recognizes the mobile device 101 that transmitted the authentication request as its configurator and transmits a setting request to the mobile device 101.
  • the configuration request is, for example, a DPP Configuration Request frame defined by the DPP standard.
  • the setting request includes device information of the access point 103 and role information after receiving communication parameters.
  • the device information is, for example, the device name of the access point 103.
  • the role information after receiving the communication parameter is information indicating whether the enrollee operates as an access point constructing a wireless network or operates as an apparatus connected to the wireless network. Here, information is set that indicates that it operates as an access point for establishing a wireless network.
  • the information included in the setting request is encrypted with the shared key used by the access point 103 to encrypt the tag information when transmitting the authentication response.
  • the communication parameter processing unit 210 of the portable device 101 performs processing for providing communication parameters for forming the wireless network 104 as a setting response (S309).
  • the setting response is, for example, a DPP Configuration Response frame defined by the DPP standard.
  • the setting response transmitted by the communication parameter processing unit 210 of the portable device 101 includes the communication parameter, the expiration date of the parameter, the public key dedicated to the configurator of the portable device 101, and the like.
  • the communication parameter is encrypted with a secret key dedicated to the configurator of the portable device 101.
  • the information included in the setting response is encrypted with the shared key used for encrypting the tag information in S307.
  • the communication parameter includes, as an encryption key, the public key of the communication partner used to generate the shared key (in this case, the public key included in the authentication response from the access point 103).
  • After transmitting the setting request, the access point 103, which is an enrollee, waits for the setting response to be transmitted from the portable device 101, which is a configurator.
  • the access point 103 that has received the setting response decrypts the information included in the setting response with the shared key used for encrypting the tag information. Further, the access point 103 decrypts the communication parameter encrypted by the secret key dedicated to the configurator of the portable device 101 with the public key dedicated to the configurator of the portable device 101.
  • the access point 103 can form the wireless network 104 with the communication parameters obtained by this decryption.
  • FIG. 4 is a sequence diagram showing processing in which the portable device 101 provides the access point 103 with communication parameters.
  • When the access point 103 receives an instruction for parameter reception from the user (S401), it displays a QR code on its display (S402) and waits for an authentication request. If no authentication request is received within a predetermined time, the access point 103 may stop waiting. When the access point 103 has no display for showing the QR code and the QR code is instead printed on a label attached to the housing or an accessory of the device, S402 is skipped: on receiving the instruction to receive parameters (S401), the access point 103 waits for an authentication request without performing S402.
  • When the portable device 101 receives a parameter provision instruction from the user (S403), it activates the imaging unit 207 to capture the QR code displayed by the access point 103 (S404). The imaging unit 207 of the mobile device 101 captures the QR code displayed by the access point 103, thereby acquiring the information indicated by the QR code (S405).
  • the portable device 101 that has acquired the information indicated by the QR code generates and transmits an authentication request, and the access point 103 receives this authentication request (S406).
  • the access point 103 verifies the content of the received authentication request. If it is determined that the portable device 101 that has transmitted the authentication request is the device that has captured the QR code, the role information is verified (S407).
  • If the access point 103 determines, as a result of verifying the role information, that the role of the device that transmitted the authentication request indicates a configurator, it generates and transmits an authentication response (S408).
  • the access point 103 that has transmitted the authentication response to the portable device 101 waits for the authentication confirmation to be transmitted from the portable device 101.
  • the portable device 101 having received the authentication response verifies the contents of the authentication response (S409). If the portable device 101 succeeds in the authentication of the authentication response and determines that the role information included in the authentication response indicates an enrollee, it transmits an authentication confirmation to the access point 103 (S410).
  • the access point 103 that has received the authentication confirmation from the portable device 101 verifies the content of the authentication confirmation.
  • the access point 103 determines that the authentication is successful when the tag information can be correctly decrypted by the shared key generated by itself. If it is determined that the authentication is successful, the access point 103 performs communication parameter setting processing with the portable device 101 (S411). More specifically, the access point 103 transmits a setting request to perform communication parameter setting processing, and waits for a setting response to be transmitted from the portable device 101.
  • the portable device 101 having received the setting request transmits, in the setting response, the communication parameter encrypted with the secret key dedicated to the configurator of the portable device 101 and the public key dedicated to the configurator.
  • the access point 103 that has received the setting response decrypts the communication parameter with the public key dedicated to the configurator of the mobile device 101.
  • the access point 103 forms the wireless network 104 using the decrypted communication parameters.
  • the portable device 101 can provide the communication parameter to the access point 103 by the process described with reference to FIGS. 3 and 4. Further, the communication parameter can be provided to the printer 105 which is the enrollee of the portable device 101 which is the configurator by the processing similar to the processing described using FIG. 3 and FIG. 4.
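The authentication exchange of FIGS. 3 and 4, as an added worked example; it is not part of the patent and is not Canon code. It is written in Go against the standard library and keeps the structure described above: the configurator hashes the public key it read from the QR code (the authentication information) and sends it with its role, a random number and its public key for shared-key generation; the access point checks the hash and the role, derives the shared key by ECDH and encrypts the request's random number as tag information; the configurator derives the same key, checks the tag and the role, and answers with the response's random number encrypted as the authentication confirmation. The names Device, AuthRequest, AuthResponse and RunAuthentication, the choice of SHA-256 as the hash, AES-GCM for the tag encryption and P-256 as the curve are assumptions made for this example; real DPP frames derive keys with HKDF and wrap attributes with AES-SIV, so this shows the shape of the exchange, not a wire-compatible implementation.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

const RoleConfigurator, RoleEnrollee = "configurator", "enrollee"

// Request and response frames with the fields the page lists for them; the confirm is only a tag.
type AuthRequest struct {
	RespBootstrapHash []byte // authentication information: hash of the key read from the QR code
	InitBootstrapHash []byte // identification information: hash of the sender's own bootstrap key
	Role              string
	Nonce, ProtocolPub []byte // random number; public key for shared-key generation
}
type AuthResponse struct {
	ProtocolPub, Nonce, Tag []byte // Tag: the request nonce encrypted with the shared key
	Role                    string
}

// Device is either side; the public half of Bootstrap is what its QR code carries (assumed layout).
type Device struct {
	Role                string
	Bootstrap, Protocol *ecdh.PrivateKey // key for authentication; key for shared-key generation
	shared, nonce       []byte
}

func newKey() *ecdh.PrivateKey   { k, _ := ecdh.P256().GenerateKey(rand.Reader); return k }
func hashKey(b []byte) []byte    { h := sha256.Sum256(b); return h[:] }
func randomBytes(n int) []byte   { b := make([]byte, n); rand.Read(b); return b }
func gcm(key []byte) cipher.AEAD { c, _ := aes.NewCipher(key); g, _ := cipher.NewGCM(c); return g }
func NewDevice(role string) *Device       { return &Device{Role: role, Bootstrap: newKey(), Protocol: newKey()} }
func (d *Device) QRCodePublicKey() []byte { return d.Bootstrap.PublicKey().Bytes() }

// deriveShared is the ECDH step (our secret key for shared-key generation with the peer's public key)
// hashed into an AES-256 key; nil means the peer sent a malformed key and the frame must be rejected.
func deriveShared(priv *ecdh.PrivateKey, peerPub []byte) []byte {
	pub, err := ecdh.P256().NewPublicKey(peerPub)
	if err != nil {
		return nil
	}
	secret, _ := priv.ECDH(pub) // both keys are on P-256, so this cannot fail
	return hashKey(secret)
}

// wrap and checkTag produce and verify tag information: a nonce encrypted with AES-GCM under the shared key.
func wrap(key, nonce []byte) []byte {
	iv := randomBytes(12)
	return gcm(key).Seal(iv, iv, nonce, nil) // iv || ciphertext || GCM auth tag
}
func checkTag(key, tag, want []byte) bool {
	if key == nil || len(tag) < 12 {
		return false
	}
	got, err := gcm(key).Open(nil, tag[:12], tag[12:], nil)
	return err == nil && bytes.Equal(got, want)
}

// S303/S304: the configurator has read the AP's QR code and sends the authentication request.
func (d *Device) BuildAuthRequest(qrPub []byte) *AuthRequest {
	d.nonce = randomBytes(16)
	return &AuthRequest{RespBootstrapHash: hashKey(qrPub), InitBootstrapHash: hashKey(d.QRCodePublicKey()),
		Role: d.Role, Nonce: d.nonce, ProtocolPub: d.Protocol.PublicKey().Bytes()}
}

// S407/S408: the AP answers only a configurator that really scanned its own QR code, and proves it
// holds the shared key by sending back the request nonce encrypted under it.
func (d *Device) HandleAuthRequest(req *AuthRequest) (*AuthResponse, error) {
	shared := deriveShared(d.Protocol, req.ProtocolPub)
	if shared == nil || !bytes.Equal(req.RespBootstrapHash, hashKey(d.QRCodePublicKey())) || req.Role != RoleConfigurator {
		return nil, errors.New("malformed key, wrong QR code hash, or sender is not a configurator")
	}
	d.shared, d.nonce = shared, randomBytes(16)
	return &AuthResponse{ProtocolPub: d.Protocol.PublicKey().Bytes(), Role: d.Role, Nonce: d.nonce, Tag: wrap(shared, req.Nonce)}, nil
}

// S306/S307: the configurator checks that the tag decrypts to its own nonce and that the responder is
// an enrollee, then returns the response nonce encrypted under the shared key as the confirm tag.
func (d *Device) HandleAuthResponse(resp *AuthResponse) ([]byte, error) {
	shared := deriveShared(d.Protocol, resp.ProtocolPub)
	if !checkTag(shared, resp.Tag, d.nonce) || resp.Role != RoleEnrollee {
		return nil, errors.New("tag did not decrypt to our nonce, or responder is not an enrollee")
	}
	d.shared = shared
	return wrap(shared, resp.Nonce), nil
}

// HandleAuthConfirm is the AP's check of the confirm tag; true means it now treats the sender as its configurator.
func (d *Device) HandleAuthConfirm(tag []byte) bool { return checkTag(d.shared, tag, d.nonce) }

// RunAuthentication drives the three messages; nil means both ends now hold the same shared key.
func RunAuthentication(cfg, ap *Device, scannedPub []byte) error {
	resp, err := ap.HandleAuthRequest(cfg.BuildAuthRequest(scannedPub))
	if err != nil {
		return err
	}
	confirm, err := cfg.HandleAuthResponse(resp)
	if err == nil && !ap.HandleAuthConfirm(confirm) {
		err = errors.New("authentication confirm failed")
	}
	return err
}

func main() {
	ap := NewDevice(RoleEnrollee)
	fmt.Println("AP's own QR code:", RunAuthentication(NewDevice(RoleConfigurator), ap, ap.QRCodePublicKey()))
	fmt.Println("other device's QR code:", RunAuthentication(NewDevice(RoleConfigurator), ap, NewDevice(RoleEnrollee).QRCodePublicKey()))
}
```

The two checks that matter for security are visible in HandleAuthRequest and HandleAuthResponse: a requester that did not scan this access point's QR code cannot produce the right hash, and a responder that does not hold the ECDH shared key cannot produce a tag that decrypts to the configurator's random number. Everything after that (the setting request and response) rides on the shared key established here.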
  • When communication parameters are provided to the printer 105, the shared key used to encrypt the tag information and the like is different from the shared key generated between the portable device 101 and the access point 103, because the key pair for shared key generation of the printer 105 differs from that of the access point 103.
  • The contents of the communication parameters also differ: the communication parameters that the printer 105 receives from the portable device 101 do not include the public key for shared key generation of the access point 103, but the public key for shared key generation of the printer 105 itself.
  • FIG. 5 is a sequence diagram showing processing of connecting the printer 105 to the wireless network 104 formed by the access point 103.
  • When the printer 105 receives an instruction to connect to the wireless network 104 from the user (S501), it transmits a search request (S502).
  • This search request is, for example, a DPP Peer Discovery Request frame defined by the DPP standard.
  • the search request includes the communication parameters acquired by the printer 105 from the portable device 101. This communication parameter is encrypted with the secret key dedicated to the configurator of the portable device 101 as described above.
  • the access point 103 that has received the search request decrypts the communication parameters included in the search request using the configurator-dedicated public key of the portable device 101 acquired in S411 (S503). If the decryption is not possible, the search request is discarded.
  • the access point 103 that has decrypted the communication parameters generates a master key (Pairwise Master Key, PMK) to be shared with the printer 105 (S504).
  • This master key is the root from which the various keys of the Wi-Fi Protected Access (WPA) encryption standard are derived, and it is used when establishing the wireless connection.
  • the master key is generated using both the public key for generating the shared key of the printer 105 included in the communication parameter and the secret key for generating the shared key of the access point 103.
  • the access point 103 that has generated the master key in S504 transmits a search response (S505).
  • This search response is, for example, a DPP Peer Discovery Response frame defined by the DPP standard.
  • the search response includes the communication parameter acquired by the access point 103 from the portable device 101 in S411. This communication parameter is similarly encrypted with a secret key dedicated to the configurator of the portable device 101.
  • the printer 105 that has received the search response decrypts the communication parameters included in the search response using the configurator-dedicated public key acquired from the portable device 101 (S506). If the decryption is not possible, the search response is discarded.
  • the printer 105 that has decrypted the communication parameter generates a master key shared with the access point 103 (S507).
  • the master key is generated using both the public key for generating the shared key of the access point 103 included in the communication parameter and the secret key for generating the shared key of the printer 105.
  • the printer 105 and the access point 103 sharing the master key perform connection processing using the master key (S508). As described above, the printer 105 can be connected to the wireless network 104 formed by the access point 103.
  • the portable device 102 also operates as a configurator that provides communication parameters for connecting to the wireless network 104 formed by the access point 103.
  • the portable device 102 needs to acquire a key pair dedicated to the configurator of the portable device 101 used by the portable device 101 to encrypt communication parameters.
  • the portable device 102 not holding the key pair dedicated to the configurator of the portable device 101 provides the printer 106 with the communication parameters acquired as an enrollee from the portable device 101.
  • the portable device 102 provides the printer 106 with communication parameters as they are encrypted with a secret key dedicated to the configurator of the portable device 101.
  • the printer 106 transmits a search request including the acquired communication parameters to the access point 103.
  • the access point 103 that has received the search request decrypts the communication parameter using the public key dedicated to the configurator of the mobile device 101.
  • the public key included in the communication parameter is the public key for generating the shared key of the mobile device 102.
  • the access point 103 generates a master key using both the public key for generating the shared key of the portable device 102 included in the communication parameter and the secret key for generating the shared key of the access point 103.
  • the printer 106 generates a master key using both the public key for generating the shared key of the access point 103 included in the communication parameters transmitted from the access point 103 and the secret key for generating the shared key of the printer 106. Therefore, the master keys generated by the access point 103 and the printer 106 are different keys, and a wireless connection cannot be established.
  • the portable device 102 encrypts the communication parameter decrypted with the public key dedicated to the configurator of the portable device 101 with the secret key dedicated to the configurator of the portable device 102 and provides the encrypted data to the printer 106.
  • the printer 106 transmits a search request including the communication parameters acquired from the portable device 102 to the access point 103.
  • the access point 103 that has received the search request tries to decrypt the communication parameter, but discards the search request because the public key dedicated to the configurator of the portable device 101 cannot decrypt this communication parameter. As a result, the printer 106 cannot connect to the wireless network 104.
  • In order for the mobile device 102 to operate as a configurator providing communication parameters for connecting to the wireless network 104, the mobile device 102 therefore needs to acquire a key pair dedicated to the configurator of the mobile device 101.
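The three outcomes described above (direct provision by the portable device 101, the portable device 102 forwarding the parameter it received as an enrollee, and the portable device 102 re-signing with its own configurator key), as an added toy model that is not the patent's or the DPP specification's code. It stands in a small Schnorr signature and Diffie-Hellman group over integers modulo a Mersenne prime for DPP's elliptic-curve signature and ECDH, and the names KeyPair, Connector, issue_connector, derive_pmk, printer_connect and scenario are this example's own.

```python
"""Toy model of the DPP peer discovery and PMK derivation described above. Added example,
not the patent's or the DPP specification's code: real DPP uses ECDSA and ECDH on NIST
curves, here replaced by Schnorr and Diffie-Hellman over integers mod a Mersenne prime.
Constructed group; not secure, only meant to make the roles of the keys visible."""
import hashlib
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple

P = 2**127 - 1   # toy prime modulus
G = 2            # toy generator
N = P - 1        # exponent modulus: G**N == 1 (mod P), so exponents reduce mod N


def _b(x: int) -> bytes:
    return x.to_bytes(16, "big")


def _h(*parts: bytes) -> int:
    return int.from_bytes(hashlib.sha256(b"|".join(parts)).digest(), "big") % N


@dataclass(frozen=True)
class KeyPair:
    priv: int
    pub: int

    @staticmethod
    def generate() -> "KeyPair":
        x = secrets.randbelow(N - 2) + 1
        return KeyPair(x, pow(G, x, P))


def sign(priv: int, msg: bytes) -> Tuple[int, int]:
    """What the page calls 'encrypting with the configurator-dedicated secret key'."""
    k = secrets.randbelow(N - 2) + 1
    e = _h(_b(pow(G, k, P)), msg)
    return e, (k - priv * e) % N


def verify(pub: int, msg: bytes, sig: Tuple[int, int]) -> bool:
    """What the page calls 'decrypting with the configurator-dedicated public key'."""
    e, s = sig
    r = (pow(G, s, P) * pow(pub, e, P)) % P
    return _h(_b(r), msg) == e


@dataclass(frozen=True)
class Connector:
    """Communication parameter: holder's shared-key public key plus configurator signature."""
    net_access_pub: int
    sig: Tuple[int, int]


def issue_connector(configurator: KeyPair, holder_pub: int) -> Connector:
    return Connector(holder_pub, sign(configurator.priv, _b(holder_pub)))


def derive_pmk(own: KeyPair, peer: Connector) -> bytes:
    """S504 / S507: Diffie-Hellman between the own shared-key secret key and the
    shared-key public key carried in the peer's communication parameter."""
    return hashlib.sha256(_b(pow(peer.net_access_pub, own.priv, P))).digest()


def access_point_discovery(ap: KeyPair, trusted_cfg_pub: int, ap_conn: Connector,
                           request: Connector) -> Optional[Tuple[bytes, Connector]]:
    """S503 to S505: verify the request with the configurator public key acquired in S411,
    discard on failure, otherwise derive the PMK and answer with the AP's own parameter."""
    if not verify(trusted_cfg_pub, _b(request.net_access_pub), request.sig):
        return None                                  # search request discarded
    return derive_pmk(ap, request), ap_conn


def printer_connect(printer: KeyPair, cfg_pub: int, printer_conn: Connector,
                    ap: KeyPair, ap_conn: Connector) -> bool:
    """S501 to S508 seen from the printer; True only when both sides hold the same PMK."""
    answer = access_point_discovery(ap, cfg_pub, ap_conn, printer_conn)
    if answer is None:
        return False
    ap_pmk, response = answer
    if not verify(cfg_pub, _b(response.net_access_pub), response.sig):
        return False                                 # S506: search response discarded
    return derive_pmk(printer, response) == ap_pmk   # S508 only succeeds on a match


def scenario(mode: str) -> bool:
    """'direct': 101 provides the printer's parameter itself (FIG. 5).
    'forward': 102 hands the printer the parameter it received as an enrollee.
    'resign': 102 signs with its own configurator key; the AP cannot verify it.
    'shared': 102 uses 101's configurator key pair obtained through key pair sharing."""
    cfg101, cfg102 = KeyPair.generate(), KeyPair.generate()
    ap, dev102, printer = KeyPair.generate(), KeyPair.generate(), KeyPair.generate()
    ap_conn = issue_connector(cfg101, ap.pub)                       # S411
    signer, holder = {"direct": (cfg101, printer.pub), "forward": (cfg101, dev102.pub),
                      "resign": (cfg102, printer.pub),
                      "shared": (KeyPair(cfg101.priv, cfg101.pub), printer.pub)}[mode]
    return printer_connect(printer, cfg101.pub, issue_connector(signer, holder), ap, ap_conn)
```

In the 'forward' case the access point accepts the parameter but the two sides derive PMKs from different shared-key pairs, while in the 'resign' case the request never passes the configurator-public-key check.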
  • a process of providing a key pair dedicated to the configurator of the portable device 101 used for encryption and decryption of communication parameters for connection to the wireless network 104 from the portable device 101 to the portable device 102 will be described.
  • a process when the portable device 102 requests the portable device 101 to share the key pair dedicated to the configurator of the portable device 101 used for setting the access point 103 will be described.
  • FIG. 6 is a sequence diagram showing processing between the mobile device 101 and the mobile device 102 in the present embodiment.
  • the portable device 101 and the portable device 102 can each communicate with the other, which is an external device from its own point of view.
  • the portable device 102 receives an instruction from the user to share a key pair dedicated to the configurator of the portable device 101 in order to operate as a configurator providing communication parameters for connecting to the wireless network 104 (S601). Then, the portable device 102 causes the display unit 204 of the own device to display the QR code, and waits for an authentication request (S602). On the other hand, when the portable device 101 receives a parameter provision start instruction from the user (S603), the portable device 101 captures an image of the QR code displayed by the portable device 102 to acquire QR code information (S604, S605).
  • Steps S606, S609, and S613 are authentication processes in which the mobile device 101 and the mobile device 102 exchange frames including information (in the present embodiment, authentication information, random numbers, and tag information) for authenticating each other. During this authentication process, a request to share with the enrollee the unique information (in the present embodiment, the configurator's secret key) that the configurator uses to provide communication parameters, and the permission for that request, are also exchanged.
  • the portable device 101 generates an authentication request based on the acquired QR code information and transmits it (S606).
  • the processes of S603 to S606 are similar to the processes of S403 to S406 described in FIG.
  • When the portable device 102 receives the authentication request (S606), it verifies the contents of the authentication request. If the portable device 102 verifies the authentication information included in the authentication request and determines that the mobile device 101 that transmitted the authentication request is the device that captured the QR code (authentication success), it verifies the role information included in the authentication request (S607).
  • When the portable device 102 determines that the role information included in the authentication request transmitted by the portable device 101 indicates the configurator, the portable device 102 performs a process of including information indicating the key pair sharing request in the authentication response (S608).
  • the key pair sharing request is indicated by, for example, setting a predetermined bit of the DPP Authentication Response frame. Although the predetermined bit is used to indicate the key pair request, the present invention is not limited to this.
  • the role information included in the authentication response may indicate a role other than the configurator representing the “parameter provider” or the enrollee representing the “parameter receiver”, for example, the role representing the “key pair receiver”.
  • the portable device 102 transmits an authentication response including the key pair sharing request generated as described above (S609). After transmitting the authentication response, the mobile device 102 waits for the authentication confirmation to be transmitted from the mobile device 101 that has transmitted the authentication request.
  • the portable device 101 receives the authentication response (S609), and when the authentication based on the tag information succeeds, the role information of the portable device 102 included in the authentication response is verified (S610). If it is determined by the verification of the role information that the role of the device that has transmitted the authentication response indicates an enrollee (or a “role indicating a key pair receiving device”), the portable device 101 continues the parameter providing process. On the other hand, when the role information indicates a role other than the above, the parameter providing process is ended.
  • the portable device 101, continuing the parameter provision processing, checks whether the authentication response contains a request for sharing the key pair (S611). If the authentication response includes a key pair sharing request, the portable device 101 displays on the display unit 204 that there is a key pair sharing request to notify the user, and waits for an instruction from the user via the operation unit 203 permitting the sharing of the key pair. When sharing of the key pair is permitted by the user, the portable device 101 includes information indicating permission for sharing the key pair in the authentication confirmation (S612). The key pair sharing permission is indicated, for example, by setting a predetermined bit of the DPP Authentication Confirm frame. The portable device 101 transmits the authentication confirmation including the information indicating permission for sharing the key pair to the portable device 102 (S613).
  • Alternatively, processing may be performed to include information indicating permission for sharing the key pair in the authentication confirmation without receiving a permission instruction from the user.
  • Also, the display indicating that there is a key pair sharing request may be omitted.
  • If sharing of the key pair is not permitted, the key pair provision process (S616) described later is not performed.
  • If sharing of the key pair is not permitted, the process may also be terminated without performing the parameter providing process by not transmitting the authentication confirmation.
  • Furthermore, if sharing of the key pair is not permitted, a message including information indicating that sharing of the key pair is not permitted may be transmitted to the portable device 102.
  • the portable device 102 that has received the authentication confirmation confirms the information indicating the sharing permission of the key pair included in the authentication confirmation (S614). If the information indicating permission for sharing the key pair is not included in the authentication confirmation, the portable device 102 ends the parameter reception process. If the information indicating permission for sharing the key pair is not included in the authentication confirmation, the mobile device 102 may display a message indicating an error on the display unit 204 to notify the user.
  • Next, setting of communication parameters is performed (S615). More specifically, after the portable device 102 completes the authentication based on the authentication confirmation, a setting request is transmitted to the portable device 101. The portable device 101 transmits a setting response including the communication parameter to the portable device 102 in response to the setting request. Thus, communication parameter provision processing is performed. When the process of providing the communication parameters is completed, the portable device 101 encrypts the pair of the secret key and the public key dedicated to the configurator of the portable device 101 using the shared key between the portable device 101 and the portable device 102, and transmits it to the portable device 102 (S616).
  • Since the setting response transmitted in S615 includes the public key dedicated to the configurator of the portable device 101, only the secret key may be transmitted in S616.
  • the portable device 101 may transmit the setting response including the secret key dedicated to the configurator of the portable device 101 in the parameter providing process in S615. In that case, the process of S616 is unnecessary.
  • the portable device 101 may provide a key pair dedicated to the configurator of the portable device 101 before the communication parameter provision processing in S615 is completed. Furthermore, the portable device 101 may provide a key pair dedicated to the configurator of the portable device 101 even when transmitting the authentication confirmation without including the information indicating permission for sharing the key pair.
  • the portable device 102 that has acquired a pair of a private key dedicated to the configurator of the portable device 101 used for setting the access point 103 and a public key can provide communication parameters to the printer 106, which is an enrollee, as a configurator.
  • the printer 106 can connect to the wireless network 104 formed by the access point 103 by performing the process shown in the sequence of FIG. 5 using the communication parameters acquired from the portable device 102.
  • Processing may also be performed so that the information indicating the key pair sharing permission is included in the authentication confirmation without waiting for the permission instruction from the user in S612.
  • Also, only the key pair may be provided without providing the communication parameter, that is, without performing the parameter setting of S615.
  • Since the communication parameter provision processing in S615 can then be omitted, the convenience of the user is improved.
  • The process of providing only the key pair may be executed when an instruction to pass only the key pair is received from the user in S612. If the start of key pair sharing is instructed instead of the parameter provision instruction in S603, the processing for providing only the key pair may be performed without waiting for the permission instruction from the user in S612. Also in the processing shown in the sequence diagrams of FIGS. 9 to 11 described later, the processing for providing the key pair may be executed without performing the processing for providing the communication parameter.
  • FIG. 7 is a flowchart showing processing in which the portable device 101 provides the portable device 102 with a key pair (private key and public key) of the configurator held by the portable device 101 in response to a request from the portable device 102.
  • the process from activation of the imaging unit 207 to verification of the authentication response is the same as that in FIG. 3 (S301 to S306).
  • FIG. 7 shows the process after the authentication using the authentication response is successful in the process of FIG. 3 and it is determined that the role information indicates an enrollee (YES in S306).
  • the control unit 205 of the mobile device 101 determines whether or not there is a key pair sharing request in the authentication response (S701). If it is determined that there is a key pair sharing request, the control unit 205 uses the display unit 204 and the operation unit 203 to confirm with the user whether or not the key pair can be shared (S702). If the user permits sharing (OK in S702), the key sharing processing unit 212 sets information indicating sharing permission in the authentication confirmation (S703), and transmits this to the portable device 102 (S704).
  • the control unit 205 waits for a setting request from the portable device 102 (S705).
  • the communication parameter processing unit 210 provides communication parameters to the portable device 102 (S706). This providing process is similar to that of S310.
  • the key sharing processing unit 212 provides the portable device 102 with a key pair, which is the configurator's secret key and public key (S707).
  • the key pair is encrypted with the shared key. Further, as shown in S807 of FIG. 8 described later, the setting request is not received if the sharing permission is not set in S703, so the key pair is not shared in that case. However, for the sake of security, the provision of the key pair in S707 may be performed only when the sharing permission has actually been set in S703.
  • The following is a flowchart showing processing in which the portable device 102 receives an instruction from the user to share the key pair held by the portable device 101, and acquires the key pair dedicated to the configurator of the portable device 101 used in the setting process of the access point 103.
  • Upon receiving an instruction from the user via the operation unit 203 to share the key pair dedicated to the configurator of the portable device 101 held by the portable device 101, the code generation unit 209 of the portable device 102 generates a QR code and displays it on the display unit 204 (S801). Thereafter, the control unit 205 waits for an authentication request (S802). If the authentication request cannot be received within a predetermined time, the access point 103 may end waiting for the authentication request.
  • When the authentication request is received from the portable device 101, the control unit 205 performs authentication using the authentication information included in the received authentication request, and the role determination unit 211 verifies the role information to determine the role. The control unit 205 determines whether the authentication using the authentication information is successful and whether the role determined by the role determination unit 211 is the configurator (S803). If the authentication fails or it is determined that the role of the portable device 101 is not the configurator, the control unit 205 displays a message indicating an error on the display unit 204 (S811), and ends the process. Note that the display of the error message (S811) may be omitted.
  • Otherwise, the key sharing processing unit 212 sets the information indicating the key pair sharing request in the authentication response (S804). Thereafter, the control unit 205 transmits the authentication response in which the sharing request is set to the portable device 101 (S805), and waits for an authentication confirmation from the portable device 101.
  • When the authentication confirmation is received, the control unit 205 determines whether the authentication using the tag information included in the authentication confirmation succeeds and whether the information indicating permission for sharing the key pair is included in the authentication confirmation (S807). If it is determined that the authentication is successful and that the information indicating permission for sharing the key pair is included in the authentication confirmation, the communication parameter processing unit 210 transmits a setting request to the portable device 101 (S808). Thereafter, the communication parameter processing unit 210 acquires the communication parameter by receiving the setting response from the portable device 101 (S809). Then, the key sharing processing unit 212 acquires the key pair dedicated to the configurator of the portable device 101 (S810).
  • Otherwise, the control unit 205 causes the display unit 204 to display an error message, and the process ends (S811).
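The request/permission handshake of FIGS. 6 to 8, including the caveat above that the key pair should leave the portable device 101 only when the permission was set in S703, as an added toy simulation that is not the patent's code. Frames are modelled as dicts, the predetermined bit of the DPP Authentication Response and Confirm frames as boolean fields, and the constructed key pair and all function names are this example's own; the cryptographic authentication itself is assumed to have succeeded wherever `auth_ok` is set.

```python
from typing import Callable, Dict, Optional

CONFIGURATOR = "configurator"   # role: parameter providing device
ENROLLEE = "enrollee"           # role: parameter receiving device

# Constructed stand-in for the configurator-dedicated key pair of portable device 101.
CONFIGURATOR_KEY_PAIR_101: Dict[str, str] = {"priv": "constructed-priv-101",
                                             "pub": "constructed-pub-101"}


def auth_response_102(auth_request: dict, want_key_pair: bool) -> Optional[dict]:
    """S607/S608 and S803/S804 on portable device 102: check that the authentication
    succeeded and that 101 acts as configurator, then set the sharing request bit."""
    if not auth_request.get("auth_ok") or auth_request.get("role") != CONFIGURATOR:
        return None                                   # S811: error, stop
    return {"auth_ok": True, "role": ENROLLEE, "share_request": want_key_pair}


def auth_confirm_101(auth_response: dict, ask_user: Callable[[], bool]) -> Optional[dict]:
    """S610 to S612 and S701 to S703 on portable device 101: verify the role, look for
    the sharing request, ask the user, and set the permission bit in the confirm frame."""
    if not auth_response.get("auth_ok") or auth_response.get("role") != ENROLLEE:
        return None                                   # S610: parameter providing ends
    permit = bool(auth_response.get("share_request")) and ask_user()   # S611, S702
    return {"auth_ok": True, "share_permit": permit}  # S703


def provide_101(auth_confirm: dict, setting_request_received: bool) -> dict:
    """S705 to S707 on portable device 101. Following the page's caveat on S707, the key
    pair is handed out only when the permission bit was actually set in S703, even if a
    setting request arrives anyway."""
    delivered = {"parameters": None, "key_pair": None}
    if not setting_request_received:
        return delivered
    delivered["parameters"] = {"ssid": "constructed-ssid",             # S706
                               "configurator_pub": CONFIGURATOR_KEY_PAIR_101["pub"]}
    if auth_confirm.get("share_permit"):
        # S707: in the real flow this is encrypted under the shared key of 101 and 102.
        delivered["key_pair"] = dict(CONFIGURATOR_KEY_PAIR_101)
    return delivered


def run_handshake(want_key_pair: bool, user_permits: bool,
                  role_101: str = CONFIGURATOR) -> dict:
    """Drive one FIG. 6 exchange end to end and report what portable device 102 holds."""
    auth_request = {"auth_ok": True, "role": role_101}                     # S606
    auth_response = auth_response_102(auth_request, want_key_pair)         # S607-S609
    if auth_response is None:
        return {"stage": "S811", "parameters": None, "key_pair": None}
    auth_confirm = auth_confirm_101(auth_response, lambda: user_permits)   # S610-S613
    if auth_confirm is None:
        return {"stage": "S610", "parameters": None, "key_pair": None}
    # S614 / S807: a device that asked for the key pair sends the setting request only
    # when the confirm frame carries the permission; a plain enrollee proceeds as usual.
    if want_key_pair and not auth_confirm["share_permit"]:
        return {"stage": "S614", "parameters": None, "key_pair": None}
    delivered = provide_101(auth_confirm, setting_request_received=True)   # S808-S810
    stage = "S616" if delivered["key_pair"] else "S615"
    return {"stage": stage, **delivered}
```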
  • FIG. 6 shows an example in which a request to share the unique information (a key pair in this embodiment) used by the configurator to provide communication parameters (a sharing request) is detected from the frames that the portable device 101 and the portable device 102 exchange for authentication.
  • the method of notifying the portable device 101 of the sharing request is not limited to this.
  • notification may be performed using an Action frame including information indicating a request for sharing a key pair addressed to the portable device 101, or a request for sharing a key pair may be notified using a QR code.
  • FIG. 9 is a sequence diagram showing processing in the case where information indicating a key pair sharing request is included in the QR code.
  • the portable device 102 receives an instruction from the user to share a key pair dedicated to the configurator of the portable device 101 in order to operate as a configurator providing communication parameters for connecting to the wireless network 104 (S901).
  • the portable device 102 that has received the instruction to share the key pair embeds the information indicating the sharing request of the key pair in the QR code (S902), and displays this (S903).
  • the processing in S904 to S906 for the portable device 101 to acquire the information of the QR code displayed by the portable device 102 is the same as the processing from S403 to S405 in FIG. 4.
  • a QR code including a sharing request may be provided in the form of a printed matter or the like.
  • the portable device 101 confirms that the key pair sharing request exists in the acquired QR code information (S907).
  • the portable device 101 that has confirmed the key pair sharing request includes information indicating permission for sharing the key pair in the authentication request (S908) and transmits the authentication request to the portable device 102 (S909).
  • the processing of S907 and S908 is the same as that of S611 and S612.
  • the portable device 102 confirms information indicating permission of sharing of the key pair included in the authentication request (S911).
  • the key pair sharing permission is indicated, for example, by having a predetermined bit set in the DPP Authentication Request frame. Note that the method of indicating permission for sharing the key pair in the authentication request is not limited to this.
  • The key pair sharing permission may also be indicated by setting the role information included in the authentication request so as to indicate that the role is not the configurator representing a “parameter providing device” but a “key pair providing device”.
  • the portable device 102 that has confirmed the information indicating permission for sharing the key pair from the authentication request transmits an authentication response (S912), and waits for transmission of an authentication confirmation from the portable device 101.
  • the portable device 101 having received the authentication response verifies the tag information included in the authentication response and the role information of the portable device 102 (S913). Then, if it is determined that the tag information is correctly decoded and the authentication is successful, and the role information indicates an enrollee, the portable device 101 transmits an authentication confirmation (S914).
  • S915 to S916 which are the process of setting the communication parameter and the process of providing the key pair, are the same as the processes of S615 to S616 in FIG.
  • the key pair dedicated to the configurator of the portable device 101 can be shared by notifying the key pair sharing request using the QR code.
  • FIG. 10 is a sequence diagram showing processing in which the portable device 101 displays a QR code and the portable device 102 requests the key pair from the portable device 101.
  • When the portable device 101 receives a parameter provision instruction from the user (S1001), the portable device 101 displays a QR code on the display unit 204 of its own device and waits for an authentication request (S1002). On the other hand, the portable device 102 receives an instruction from the user to share a key pair dedicated to the configurator of the portable device 101 in order to operate as a configurator providing communication parameters for connecting to the wireless network 104 (S1003). In response to the instruction, the portable device 102 activates the imaging unit 207 to capture a QR code (S1004). The portable device 102 captures an image of the QR code displayed on the display unit 204 of the portable device 101 with its imaging unit 207, and acquires the information indicated by the QR code (S1005).
  • the portable device 102 generates an authentication request using the QR code information, includes information indicating a key pair sharing request in the authentication request (S1006), and transmits this to the portable device 101 (S1007).
  • the key pair sharing request is indicated, for example, by setting a predetermined bit of the DPP Authentication Request frame.
  • the portable device 101 that has received the authentication request verifies the role information contained in the authentication request when the authentication using the authentication information contained in the authentication request succeeds (S1008). If this verification confirms that the role information indicates an enrollee, the portable device 101 confirms whether the request for sharing the key pair is included in the authentication request (S1009). Upon confirming that the request for sharing the key pair is included in the authentication request, the portable device 101 includes information indicating permission for sharing the key pair in the authentication response (S1010) and transmits this to the portable device 102 (S1011).
  • the key pair sharing permission is indicated, for example, by the fact that a predetermined bit of the DPP Authentication Response frame is set.
  • the processes of S1009 and S1010 are the same as those of S611 and S612.
  • When the portable device 102 receives the authentication response, it verifies the tag information and the role information included in the authentication response (S1012). Then, if the authentication using the tag information is successful and the role information indicates the configurator, the portable device 102 checks whether the authentication response includes the key pair sharing permission (S1013). The portable device 102 that has confirmed the key pair sharing permission transmits an authentication confirmation to the portable device 101 (S1014). When the authentication is thus completed, a communication parameter providing process (S1015) and a key pair providing process (S1016) are performed.
  • the processes in S1015 to S1016 which are the process of setting the communication parameter and the process of providing the key pair, are the same as the processes in S615 to S616 of FIG.
  • the key pair dedicated to the configurator of the portable device 101 can be shared.
  • As described above, the portable device 102 can request the portable device 101 to share the pair of the secret key and the public key dedicated to the configurator of the portable device 101 used for the setting of the access point 103.
  • By sharing the key pair, it becomes possible to duplicate a configurator that distributes communication parameters for connecting to the wireless network 104, thereby improving user convenience.
  • Second Embodiment: In the first embodiment, the case where the portable device 102 requests the portable device 101 to share the key pair dedicated to the configurator of the portable device 101 used for setting the access point 103 has been described. In the second embodiment, a process in which the portable device 101 requests the portable device 102 to share the key pair dedicated to the configurator of the portable device 101 used for setting of the access point 103 will be described.
  • FIG. 11 is a sequence diagram showing processing between the mobile device 101 and the mobile device 102 in the second embodiment.
  • When the portable device 102 receives an instruction to receive communication parameters from the user (S1101), the portable device 102 displays a QR code on the display unit (S1102), and waits for an authentication request. On the other hand, the portable device 101 receives an instruction from the user to share a key pair with the portable device 102 in order to let the portable device 102 operate as a configurator providing communication parameters for connecting to the wireless network 104 (S1103).
  • the portable device 101 activates the imaging unit 207 to capture a QR code (S1104).
  • the portable device 101 captures an image of the QR code displayed on the display unit 204 of the portable device 102 by the imaging unit 207, and acquires information indicated by the QR code (S1105).
  • the portable device 101 that has acquired the information indicated by the QR code includes the information indicating the key pair sharing request in the authentication request (S1106), and transmits the authentication request to the portable device 102 (S1107).
  • the portable device 102 that has received the authentication request from the portable device 101 in S1107 verifies the authentication information and the role information included in the authentication request.
  • the mobile device 102 confirms whether the information indicating the key pair sharing request is included in the authentication request (S1109).
  • the mobile device 102 inquires of the user whether sharing is possible and waits for a sharing permission instruction from the user using the operation unit 203.
  • If the user permits sharing, the portable device 102 includes information indicating permission to share the key pair in the authentication response (S1110), and transmits this to the portable device 101 (S1111).
  • If sharing of the key pair is not permitted, the process of providing the key pair in S1116 described later is not performed. If sharing of the key pair is not permitted, the process may also be terminated without performing the parameter providing process by not transmitting the authentication response. Furthermore, when sharing of the key pair is not permitted, a message (authentication response) including information indicating that provision of the key pair is not permitted may be transmitted to the portable device 101.
  • Upon receiving the authentication response, the portable device 101 verifies the tag information and the role information included in the authentication response (S1112). When the portable device 101 confirms that the authentication based on the tag information is successful and that the role information indicates an enrollee, the portable device 101 confirms the permission for sharing of the key pair included in the authentication response (S1113). If the key pair sharing permission is confirmed, the portable device 101 transmits an authentication confirmation (S1114). When the authentication is thus completed, communication parameter provision processing is performed (S1115), and then key pair provision processing is performed (S1116). The processes of S1115 to S1116 are the same as the processes of S615 to S616 in FIG.
  • FIG. 12 is a flowchart showing processing for providing a key pair dedicated to the configurator of the portable device 101 used in the setting process of the access point 103 by the portable device 101.
  • the key sharing processing unit 212 of the portable device 101 activates the imaging unit 207 (S1201). Then, the key sharing processing unit 212 determines whether the imaging unit 207 has captured a QR code (S1202). If it is determined in S1202 that the QR code has been captured, the image processing unit 208 decodes the QR code in the captured image, and acquires QR code information including the public key for authentication of the mobile device 102.
  • the control unit 205 generates an authentication request using the acquired QR code information (S1203).
  • the control unit 205 includes information indicating a key pair sharing request in the authentication request (S1204), and transmits the authentication request to the portable device 102 (S1205). After that, the key sharing processing unit 212 waits for an authentication response from the portable device 102 (S1206). If the authentication response can not be received within the predetermined time in S1206, the key pair sharing process may be ended.
  • the control unit 205 determines whether the authentication based on the tag information included in the authentication response is successful or not and whether the role information of the portable device 102 indicates an enrollee (S1207). If the authentication fails, or if it is determined that the role information does not indicate an enrollee, the control unit 205 displays a message indicating an error on the display unit 204, and ends the key pair sharing process (S1213). If the authentication is successful and it is determined that the role information is an enrollee, the control unit 205 determines whether the key pair sharing permission is included in the authentication response (S1208). If it is determined that the key pair sharing permission is not included in the authentication response (NO in S1208), the key sharing processing unit 212 displays a message indicating an error on the display unit 204, and ends the key sharing processing (S1213).
  • the control unit 205 transmits an authentication confirmation (S1209), and waits for a setting request from the portable device 102 (S1210).
  • the communication parameter processing unit 210 performs a process of providing communication parameters and provides the portable device 102 with the communication parameters (S1211).
  • the key sharing processing unit 212 provides a key pair (S1212).
  • the processes of S1211 and S1212 are the same as the processes of S706 and S707.
  • FIGS. 13A and 13B are flowcharts showing processing in which the portable device 102 receives provision of a key pair dedicated to the configurator from the portable device 101.
  • in response to a parameter reception instruction from the user, the code generation unit 209 generates a QR code and controls the display unit 204 to display it (S1301). Thereafter, the control unit 205 waits for an authentication request (S1302). If the authentication request cannot be received within a predetermined time, the access point 103 may end waiting for the authentication request.
  • the control unit 205 verifies the authentication information of the authentication request and determines whether the authentication is successful (that is, whether the device that transmitted the authentication request is a device that has captured the QR code), and the role determination unit 211 determines the role information (S1303). If the authentication fails or the role information is other than the configurator (NO in S1303), the control unit 205 displays a message indicating an error on the display unit 204 (S1313), and ends the processing. Note that the display of the error message (S1313) may be omitted.
  • the control unit 205 determines whether a key pair sharing request is set in the authentication request (S1304). If the key pair sharing request is set in the authentication request, the control unit 205 confirms with the user whether or not the sharing setting may be made (S1305). If the user permits the sharing setting (YES in S1305), the control unit 205 sets sharing permission in the authentication response (S1306), and transmits this to the portable device 101 (S1307). On the other hand, when the information indicating the key pair sharing request is not set in the authentication request (NO in S1304), or when the user does not permit the sharing setting (NO in S1305), the control unit 205 transmits an authentication response in which sharing permission is not set to the portable device 101 (S1307). Then, the control unit 205 waits for an authentication confirmation from the portable device 101, which is the transmission destination of the authentication response (S1308).
  • when receiving the authentication confirmation from the portable device 101, the control unit 205 performs authentication using the tag information, and when the authentication is successful (YES in S1309), transmits a setting request to the portable device 101 (S1310). Thereafter, the communication parameter processing unit 210 acquires communication parameters through the communication parameter provision processing with the portable device 101 (S1311). When sharing permission was set in S1306, the key sharing processing unit 212 receives provision of the configurator key pair of the portable device 101 and acquires the key pair (S1312).
  • in this way, the pair of the secret key and the public key dedicated to the configurator of the portable device 101, which was used for setting the access point 103, can be shared. As a result of sharing the key pair, the number of configurators that can distribute communication parameters for connecting to the wireless network 104 increases, and user convenience is improved.
  • also, as in the process (modification 1) described with reference to FIG., the key pair may be shared by notifying the key pair sharing request using the QR code. Also, as in the process (modification 2) described with reference to FIG. 10, the key pair may be shared even when the portable device 101 displays the QR code.
  • the portable device 101 and the portable device 102 notify the key pair sharing request using a frame or a QR code for exchanging information for authentication.
  • a process will be described in which the portable device 101 requests the portable device 102 to share the key pair dedicated to the configurator of the portable device 101 used for setting the access point 103, using a frame for performing communication parameter setting processing.
  • FIG. 14 is a sequence diagram showing processing between the portable device 101 and the portable device 102 in the third embodiment.
  • the portable device 102 receives an instruction from the user to share the key pair dedicated to the configurator of the portable device 101, in order to operate as a configurator that provides communication parameters for connecting to the wireless network 104 (S1401). Then, the portable device 102 displays the QR code on its own display unit 204 and waits for an authentication request (S1402).
  • the processes of S1401 to S1402 are similar to the processes of S601 to S602 described with reference to FIG.
  • when the portable device 101 receives an instruction to start parameter provision from the user (S1403), it captures an image of the QR code displayed by the portable device 102 to acquire the QR code information (S1404, S1405). The portable device 101 generates an authentication request based on the acquired QR code information and transmits it (S1406).
  • when the portable device 102 receives the authentication request (S1406), it verifies the contents of the authentication request. If the portable device 102 verifies the authentication information included in the authentication request and determines that the portable device 101 that transmitted the authentication request is a device that has captured the QR code (authentication success), it verifies the role information included in the authentication request (S1407). As a result of verifying the role information, when the portable device 102 determines that the role of the device that transmitted the authentication request indicates the configurator, the portable device 102 generates and transmits an authentication response (S1408). The portable device 102, having transmitted the authentication response to the portable device 101, waits for the authentication confirmation to be sent from the portable device 101.
  • the portable device 101 receives the authentication response (S1408), and if the authentication based on the tag information is successful, verifies the role information of the portable device 102 included in the authentication response (S1409). If the portable device 101 succeeds in the authentication of the authentication response and determines that the role information included in the authentication response indicates the enrollee, it transmits an authentication confirmation to the portable device 102 (S1410).
  • the processes of S1403 to S1410 are similar to the processes of S403 to S410 described in FIG.
  • when the portable device 102 receives the authentication confirmation (S1410), it verifies the content of the authentication confirmation. As a result of verifying the contents of the authentication confirmation, if it is determined that the authentication is successful, a process of including information indicating a key pair sharing request in the setting request is performed (S1411).
  • the key pair sharing request is indicated, for example, by setting a predetermined bit of the DPP Configuration Request frame. Although the predetermined bit is used to indicate the key pair request, the present invention is not limited to this.
  • the role information included in the setting request (the role after the communication parameters are received) may indicate a role other than the “access point” or the “device connected to the wireless network”, for example, a role representing the “configurator”.
  • the portable device 102 transmits a setting request including the key pair sharing request generated as described above (S1412). After transmitting the setting request, the portable device 102 waits for the setting response to be transmitted from the portable device 101, to which it transmitted the authentication confirmation.
  • the portable device 101 having received the setting request confirms whether the setting request includes the key pair sharing request (S1413). If the setting request includes a key pair sharing request, the portable device 101 notifies the user by displaying on the display unit 204 that there is a key pair sharing request, and waits for a permission instruction for sharing the key pair from the user via the operation unit 203. If sharing of the key pair is permitted by the user, the portable device 101 includes information indicating permission for sharing the key pair in the setting response (S1414). The sharing permission of the key pair is indicated, for example, by setting a predetermined bit of the DPP Configuration Response frame. The portable device 101 transmits the setting response including the information indicating permission for sharing the key pair to the portable device 102 (S1415).
  • the portable device 101 that has transmitted the setting response encrypts the pair of the secret key and the public key dedicated to the configurator of the portable device 101 using the shared key between the portable device 101 and the portable device 102, and transmits it to the portable device 102 (S1416). Since the setting response transmitted in S1415 includes the public key dedicated to the configurator of the portable device 101, only the secret key may be transmitted in S1416. In addition, the portable device 101 may include the secret key dedicated to the configurator of the portable device 101 in the setting response transmitted in S1415. In that case, the process of S1416 is unnecessary.
  • the present invention is not limited thereto.
  • the key pair may be provided without receiving a permission instruction from the user.
  • processing may be performed to include information indicating permission for sharing the key pair in the setting response without receiving a permission instruction from the user. In this case, the indication that there is a key pair sharing request may be omitted.
  • the key pair provision process (S1416) is not performed.
  • the setting response may not be transmitted, and the process may be ended without performing the parameter providing process.
  • a setting response including information indicating that the key pair is not permitted may be transmitted to the portable device 102.
  • the portable device 102 having received the setting response confirms the information indicating permission for sharing the key pair included in the setting response (S1417). If the setting response does not include information indicating permission for sharing the key pair, the portable device 102 ends the parameter reception process. In that case, the portable device 102 may notify the user by displaying a message indicating an error on the display unit 204.
  • FIG. 15 is a flowchart showing processing in which the portable device 101 provides the portable device 102 with a key pair (secret key and public key) of the configurator held by the portable device 101 in response to a request from the portable device 102.
  • the process from the start of the imaging unit 207 to the reception of the setting request is the same as that in FIG. 3 (S301 to S308).
  • FIG. 15 shows the process after it is determined in the process of FIG. 3 that the setting request has been received (YES in S308).
  • the control unit 205 of the portable device 101 having received the setting request transmitted by the portable device 102 determines whether or not there is a request for sharing the key pair in the setting request (S1501). If it is determined that there is a key pair sharing request, the control unit 205 uses the display unit 204 and the operation unit 203 to confirm with the user whether or not the key pair can be shared (S1502). If the user permits sharing (OK in S1502), the key sharing processing unit 212 sets information indicating sharing permission in the setting response (S1503), and transmits this to the portable device 102 (S1504).
  • the key sharing processing unit 212 provides the portable device 102 with a key pair, which is the configurator's secret key and public key (S1505).
  • the key pair is encrypted by the shared key. Also, for the sake of security, in S1505, provision of the key pair may be executed only when sharing permission is set in S1503.
  • when the control unit 205 of the portable device 102 receives an instruction from the user via the operation unit 203 to share the key pair, the control unit 205 generates a QR code and displays the QR code on the display unit 204 (S1601). Thereafter, the control unit 205 waits for an authentication request (S1602). When receiving the authentication request from the portable device 101, the control unit 205 performs authentication, verifies the role information, and determines whether the role is a configurator (S1603). If the authentication fails, or if it is determined that the role of the portable device 101 is not the configurator (NO in S1603), the control unit 205 displays a message indicating an error on the display unit 204 (S1612), and ends the process.
  • the control unit 205 transmits an authentication response (S1604), and waits for an authentication confirmation from the portable device 101.
  • when the control unit 205 receives the authentication confirmation from the portable device 101, it performs authentication using the tag information included in the authentication confirmation and determines whether the authentication has succeeded (S1606). When the authentication is successful (YES in S1606), the key sharing processing unit 212 sets information indicating the key pair sharing request in the setting request (S1607). After that, the control unit 205 transmits the setting request in which the sharing request is set to the portable device 101 (S1608), and waits for a setting response from the portable device 101.
  • the control unit 205 displays a message indicating an error on the display unit 204, and ends the processing (S1612).
  • the control unit 205 determines whether the information indicating permission for sharing the key pair is included in the setting response (S1610). When it is determined that the information indicating permission for sharing the key pair is included in the setting response (YES in S1610), the key sharing processing unit 212 acquires the key pair dedicated to the configurator of the portable device 101 (S1611). If it is determined in S1610 that the information indicating permission for sharing the key pair is not included in the authentication confirmation (NO in S1610), the control unit 205 either ends the parameter reception processing, or displays a message indicating an error on the display unit 204 and ends the process (S1612).
  • the QR code (registered trademark) to be read may be not only the QR code displayed on the display unit, but also the QR code attached to the housing of the communication device in the form of a seal or the like.
  • the QR code (registered trademark) to be read may be attached to a package such as a handling instruction manual or a cardboard at the time of sales of the communication device.
  • instead of a QR code, a barcode or another two-dimensional code may be used.
  • instead of machine-readable information such as a QR code, the information may be in a format that can be read by the user.
  • wireless communication medium such as wireless USB, MBOA, Bluetooth (registered trademark), UWB, ZigBee, NFC and the like.
  • MBOA is an abbreviation for Multi Band OFDM Alliance.
  • UWB includes wireless USB, wireless 1394, WINET and the like.
  • although the case in which communication parameters for connecting to a wireless LAN access point are provided was described in each embodiment, the present invention is not limited to this.
  • communication parameters for connecting to a Wi-Fi Direct (registered trademark) group owner may be provided.
  • the pair of the secret key and the public key used by the configurator for encryption and decryption of communication parameters can be shared in response to a request from another device or a request from the configurator.
  • the number of configurators providing communication parameters to connect to the access point can be easily increased.
  • a configurator key pair can be shared with the configurator without using a storage medium or another protocol (for example, HTTP).
  • the present invention can also be realized by supplying a program that implements one or more functions of the above-described embodiments to a system or apparatus via a network or a storage medium, and having one or more processors in a computer of the system or apparatus read and execute the program. It can also be implemented by a circuit (for example, an ASIC) that implements one or more functions.
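The third-embodiment exchange (S1411 to S1417, together with the FIG. 15 configurator side and the portable device 102 flow above) as an added Python model; this is not code from the patent or from Canon. It shows the Configuration Request carrying the sharing-request bit, the Configuration Response carrying the permission bit, and the configurator secret key leaving the device encrypted under the shared key only when permission was actually set. The frame field names, the flag bit positions, the HMAC-based encrypt-then-MAC stand-in for the shared-key encryption, and all sample keys and parameters are constructed assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional, Tuple

# Role value carried in the frames (name constructed for this example).
CONFIGURATOR = "configurator"

# The page says "a predetermined bit" of the DPP Configuration Request/Response
# frame signals the request and the permission; these bit positions are assumed.
KEY_PAIR_SHARING_REQUEST = 0x01    # set by device 102 (S1411 / S1607)
KEY_PAIR_SHARING_PERMITTED = 0x01  # set by device 101 (S1414 / S1503)


@dataclass
class ConfigRequest:
    role: str            # role wanted after provisioning, e.g. "configurator"
    flags: int = 0


@dataclass
class ConfigResponse:
    flags: int = 0
    comm_params: Optional[dict] = None
    configurator_public_key: Optional[bytes] = None


def _keystream(shared_key: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode used as a PRF keystream (constructed stand-in)."""
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(shared_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]


def encrypt_with_shared_key(shared_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under the DPP shared key; returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(shared_key, nonce, len(plaintext))))
    tag = hmac.new(shared_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_with_shared_key(shared_key: bytes, blob: bytes) -> bytes:
    """Verifies the tag before decrypting, so a tampered transfer is rejected outright."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(shared_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("key pair transfer failed integrity check")
    return bytes(c ^ k for c, k in zip(ct, _keystream(shared_key, nonce, len(ct))))


class ConfiguratorDevice:
    """Portable device 101: holds the configurator key pair used to set up access point 103."""

    def __init__(self, secret_key: bytes, public_key: bytes, comm_params: dict):
        self.secret_key, self.public_key, self.comm_params = secret_key, public_key, comm_params

    def handle_config_request(self, req: ConfigRequest, shared_key: bytes, user_permits: bool):
        """S1501 to S1505: returns (ConfigResponse, encrypted secret key or None)."""
        resp = ConfigResponse(comm_params=self.comm_params,
                              configurator_public_key=self.public_key)
        sharing_requested = bool(req.flags & KEY_PAIR_SHARING_REQUEST)    # S1501
        if sharing_requested and user_permits:                            # S1502
            resp.flags |= KEY_PAIR_SHARING_PERMITTED                      # S1503
        # S1505 with the page's "for the sake of security" caveat: the secret key
        # leaves the device only when permission was actually set in the response.
        encrypted_secret = None
        if resp.flags & KEY_PAIR_SHARING_PERMITTED:
            encrypted_secret = encrypt_with_shared_key(shared_key, self.secret_key)  # S1416
        return resp, encrypted_secret


class EnrolleeDevice:
    """Portable device 102: wants to become a second configurator for wireless network 104."""

    def build_config_request(self) -> ConfigRequest:
        # S1607: request the key pair and declare the "configurator" role after provisioning.
        return ConfigRequest(role=CONFIGURATOR, flags=KEY_PAIR_SHARING_REQUEST)

    def handle_config_response(self, resp: ConfigResponse, encrypted_secret: Optional[bytes],
                               shared_key: bytes) -> Optional[Tuple[bytes, bytes]]:
        """S1610 to S1611: returns the acquired (secret, public) key pair, or None on refusal."""
        if not resp.flags & KEY_PAIR_SHARING_PERMITTED or encrypted_secret is None:
            return None                                                   # NO in S1610 -> S1612
        secret = decrypt_with_shared_key(shared_key, encrypted_secret)
        return secret, resp.configurator_public_key


def run_exchange(user_permits: bool) -> Optional[Tuple[bytes, bytes]]:
    """Runs S1411 to S1417 between constructed sample devices; returns device 102's result."""
    shared_key = hashlib.sha256(b"constructed DPP shared key").digest()   # constructed, not derived
    dev101 = ConfiguratorDevice(b"constructed-secret-key", b"constructed-public-key",
                                {"ssid": "network104", "key": "constructed"})
    dev102 = EnrolleeDevice()
    req = dev102.build_config_request()                                   # S1412
    resp, enc = dev101.handle_config_request(req, shared_key, user_permits)  # S1413 to S1416
    return dev102.handle_config_response(resp, enc, shared_key)           # S1417


if __name__ == "__main__":
    print(run_exchange(True))   # key pair acquired
    print(run_exchange(False))  # None: user refused, so no secret key was transmitted
```

A request without the sharing bit set gets no permission even if the user would have consented, which is the S1501 check the refusal path above relies on.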

Abstract

A communication device that performs communication with an external device performs authentication by exchanging information for authentication processing with the external device. When detecting a request to share unique information used for providing a communication parameter in the authentication processing, the communication device shares the unique information with the external device after succeeding in authentication.

Description

Communication device, control method of communication device, and program
The present invention relates to a communication device, a control method of the communication device, and a program.
BACKGROUND
In recent years, electronic devices equipped with a wireless communication function, such as digital cameras, printers, portable devices, and smartphones, are increasingly used connected to wireless networks. In order to connect an electronic device to a wireless network, it is necessary to set various communication parameters such as an encryption method, an encryption key, an authentication method, and an authentication key. As a technology for facilitating the setting of these communication parameters, a communication parameter setting protocol using a QR code (registered trademark) or the like (Wi-Fi Device Provisioning Protocol, hereinafter referred to as DPP) has been formulated (Non-Patent Document 1).
In the DPP of Non-Patent Document 1, the configurator sets, for the access point, communication parameters for forming a wireless network using the configurator's pair of a secret key and a public key. Further, in Non-Patent Document 1, communication parameters for connecting to the access point are also provided to an enrollee using the pair of the configurator's secret key and public key that was used for setting the access point. Here, when there are many enrollees to be connected to an access point, the existence of a plurality of configurators that can provide communication parameters for connecting to that access point raises the efficiency of communication parameter distribution and so improves user convenience.
The pair of the secret key and the public key that the configurator uses for encryption and decryption of the communication parameters it provides to an enrollee is unique for each network. This is because the access point accepts a connection only when it can decrypt the communication parameters included in the connection request transmitted by the wireless terminal using the configurator's public key provided at the time of network setting. Thus, only an enrollee holding communication parameters provided using the pair of the configurator's secret key and public key that was used for setting the access point can connect to that access point. Therefore, in order for a device to provide communication parameters for connecting to an access point whose setting has already been completed by another configurator, it has been necessary to obtain the pair of the configurator's secret key and public key used for that setting.
Non-Patent Document 1 describes using an external storage medium (for example, a USB memory or wireless storage) to share the configurator's pair of a secret key and a public key among a plurality of electronic devices. However, this method requires the effort of temporarily storing the configurator's secret key and public key, which are unique information used for setting communication parameters, in an external storage medium and then reading them out on another electronic device.
One embodiment of the present invention provides a communication device, a control method thereof, and a program that simplify the effort of providing unique information used for setting communication parameters to another device.
A communication device according to one aspect of the present invention is a communication device that communicates with an external device, and comprises: authentication means for performing authentication processing by exchanging information for authentication with the external device; detection means for detecting, during the authentication processing by the authentication means, a request to share unique information used for providing communication parameters; and sharing means for sharing the unique information with the external device after the authentication by the authentication means succeeds, when the request is detected by the detection means.
According to the present invention, the effort of providing unique information used for setting communication parameters to another device is simplified.
Other features and advantages of the present invention will become apparent from the following description taken in conjunction with the accompanying drawings. In the accompanying drawings, the same or similar configurations are denoted by the same reference numerals.
BRIEF DESCRIPTION OF THE DRAWINGS
FIG. 1 is a diagram showing a configuration example of a communication system in an embodiment.
FIG. 2 is a block diagram showing a configuration example of a portable device in an embodiment.
FIG. 3 is a flowchart showing communication parameter provision processing by a portable device.
FIG. 4 is a sequence diagram showing communication parameter provision processing between a portable device and an access point.
FIG. 5 is a sequence diagram showing wireless connection processing between a printer and an access point.
FIG. 6 is a sequence diagram showing key pair sharing processing according to the first embodiment.
FIG. 7 is a flowchart showing the operation of the portable device 101 in the first embodiment.
FIG. 8 is a flowchart showing the operation of the portable device 102 in the first embodiment.
FIG. 9 is a sequence diagram showing another example of key pair sharing processing in the first embodiment.
FIG. 10 is a sequence diagram showing another example of key pair sharing processing in the first embodiment.
FIG. 11 is a sequence diagram showing key pair sharing processing according to the first embodiment.
FIG. 12 is a flowchart showing the operation of the portable device 101 in the second embodiment.
FIGS. 13A and 13B are flowcharts showing the operation of the portable device 102 in the second embodiment.
FIG. 14 is a sequence diagram showing key pair sharing processing according to the third embodiment.
FIG. 15 is a flowchart showing the operation of the portable device 101 in the third embodiment.
FIGS. 16A and 16B are flowcharts showing the operation of the portable device 102 in the third embodiment.
Hereinafter, embodiments of the present invention will be described with reference to the accompanying drawings. However, the technical scope of the present invention is determined by the claims and is not limited by the individual embodiments below.
First Embodiment
FIG. 1 shows a configuration example of a communication system in the first embodiment.
The portable device 101 has a wireless LAN function and operates, for example, as a configurator defined in DPP. The portable device 101 can provide the access point 103 with communication parameters for forming the wireless network 104. Here, the communication parameters include setting items necessary for wireless communication, such as an SSID (Service Set Identifier) as a network identifier, an encryption method, an encryption key, and an authentication method. The communication parameters provided by the portable device 101 as a configurator are encrypted with the configurator-dedicated secret key held by the portable device 101. The portable device 101 can pass the pair of the configurator-dedicated secret key and public key used for setting the access point 103 (hereinafter referred to as a key pair) to the portable device 102.
The portable device 102 has a wireless LAN function and operates, for example, as a configurator or an enrollee defined in DPP. The portable device 102 can operate as an enrollee to obtain the configurator-dedicated key pair from the portable device 101, and can then operate as a configurator that provides communication parameters for connecting to the wireless network 104.
The access point 103 operates, for example, as an access point defined in DPP. The access point 103 also operates as an enrollee and can form the wireless network 104 by acquiring communication parameters from the portable device 101, which is a configurator. The printer 105 and the printer 106 have a wireless LAN function and operate, for example, as enrollees defined in DPP. The printer 105 and the printer 106 can connect to the wireless network 104 by acquiring encrypted communication parameters from the portable device 101 or the portable device 102 acting as a configurator, and decrypting and using them.
Examples of the portable device in the present embodiment include electronic devices such as a mobile phone, a digital camera, a video camera, a PC, a PDA, a smartphone, and a smart watch, but the portable device is not limited to these. In the present embodiment, a portable device and a printer are used as examples of the electronic devices connected to the wireless network, but the electronic devices are not limited to these; any electronic device that can connect to a wireless network may be used, and it need not be portable. Further, the access point in the present embodiment may be an electronic device having a specific function (such as a printer or a digital camera) that also operates as an access point defined in DPP.
FIG. 2 is a block diagram showing an example of the functional configuration of the portable device 101 and the portable device 102 in the present embodiment. Each functional unit shown in FIG. 2 is realized by a computer (processor) executing a program stored in a memory. However, some or all of the functions may be realized by dedicated hardware.
In FIG. 2, a wireless communication control unit 201 controls communication, using an antenna, circuits, and the like, for transmitting and receiving wireless signals to and from other wireless devices via the wireless LAN. A transmission/reception unit 202 controls the transmission and reception of data according to the protocol of each communication layer. An operation unit 203 is used by the user to operate the portable device 101, and includes a button for activating the imaging unit 207 and the like. The operation unit 203 may be implemented in hardware, or as a UI provided by software using the display unit 204. A display unit 204 performs various display processing, such as outputting visually or aurally recognizable information via an LCD, an LED, or a speaker.
 制御部205は、携帯機器101全体を制御する。記憶部206は、携帯機器101を制御するためのプログラムやデータが格納されたROMと、一時的な記憶を司るRAMとを備えている。後述する各種動作は、記憶部206に記憶された制御プログラムを不図示のCPUが実行して、制御部205などの機能部を実現することにより行われる。 The control unit 205 controls the entire portable device 101. The storage unit 206 includes a ROM in which programs and data for controlling the portable device 101 are stored, and a RAM that manages temporary storage. Various operations to be described later are performed by the CPU (not shown) executing a control program stored in the storage unit 206 to realize functional units such as the control unit 205 and the like.
 撮像部207は、撮像素子、レンズ等を含み、静止画や動画の撮影を行う。画像処理部208は、撮像部207で撮影された画像等の画像処理を行う。また、画像処理部208は、撮像部207により撮影されたQRコードの画像を解析し、符号化された情報を復号してその情報(QRコード情報)を取得する。コード生成部209は、QRコード情報を生成し、生成したQRコード情報をQRコード(画像)として表示部204へ表示するための制御を行う。なお、本実施形態では、コード情報の画像としてQRコードを用いたがこれに限られるものではなく、バーコード、二次元コードなどが用いられてもよい。 The imaging unit 207 includes an imaging element, a lens, and the like, and captures a still image or a moving image. The image processing unit 208 performs image processing of an image or the like captured by the imaging unit 207. The image processing unit 208 analyzes the image of the QR code captured by the imaging unit 207, decodes the encoded information, and acquires the information (QR code information). The code generation unit 209 generates QR code information, and performs control to display the generated QR code information on the display unit 204 as a QR code (image). In the present embodiment, the QR code is used as the image of the code information. However, the present invention is not limited to this, and a barcode, a two-dimensional code, or the like may be used.
 通信パラメータ処理部210は、無線ネットワーク104に接続するための通信パラメータの提供や取得を行うための処理を行う。役割判定部211は、通信パラメータの送受信を行う相手機器の役割を判定する。本実施形態では、判定される役割の種類として、通信パラメータを提供する「コンフィギュレータ」、通信パラメータを取得する「エンローリ」などが存在するが、これらに限らない。例えば、コンフィギュレータ専用の鍵ペアを提供する役割や、コンフィギュレータ専用の鍵ペアを取得する役割が存在してもよい。 The communication parameter processing unit 210 performs processing for providing and acquiring communication parameters for connecting to the wireless network 104. The role determination unit 211 determines the role of the partner device that transmits and receives communication parameters. In the present embodiment, the types of roles to be determined include a “configurator” that provides communication parameters, an “enrollee” that acquires communication parameters, and the like, but the present invention is not limited thereto. For example, there may be a role of providing a key pair dedicated to the configurator, and a role of obtaining a key pair dedicated to the configurator.
 鍵共有処理部212は、アクセスポイント103への通信パラメータの提供に用いた秘密鍵と公開鍵のペア(鍵ペア)を、他の装置との間で共有するための処理を行う。鍵共有処理部212は、鍵共有を行うためのユーザからの指示受信や相手装置からの共有要求の許可を受け付けて、鍵共有処理を実行する。 The key sharing processing unit 212 performs processing for sharing the pair (key pair) of the secret key and the public key used to provide the communication parameter to the access point 103 with another device. The key sharing processing unit 212 receives the instruction from the user for key sharing and the permission of the sharing request from the other device, and executes the key sharing process.
 なお、上記機能ブロックは一例であり、複数の機能ブロックが1つの機能ブロックを構成するようにしてもよいし、何れかの機能ブロックが更に複数の機能を行うブロックに分かれてもよい。 Note that the above functional blocks are an example, and a plurality of functional blocks may constitute one functional block, or any functional block may be further divided into blocks performing a plurality of functions.
Next, the communication parameter provision process defined by the DPP standard is described with reference to FIGS. 3 and 4, and the process of connecting to an access point as defined by the DPP standard is described with reference to FIG. 5.
First, the process by which the portable device 101, acting as the configurator, provides communication parameters in order to have the access point 103 form the wireless network 104 and to connect the printer 105 to the wireless network 104 is described. FIG. 3 is a flowchart showing the process in which the portable device 101 as the configurator provides communication parameters to the access point 103 as the enrollee.
In the portable device 101, when the control unit 205 receives an instruction from the user to provide parameters, it activates the imaging unit 207 in order to capture the QR code displayed by the access point 103 (S301). The control unit 205 then determines whether the imaging unit 207 of the portable device 101 has captured a QR code (S302). Here, the QR code displayed by the access point 103 is not limited to one shown on a display or the like; it may be printed on a label or the like attached to the housing or an accessory of the electronic device, or it may, for example, be printed in a manual. If no QR code can be captured within a predetermined time after the imaging unit 207 is activated in S302, the communication parameter provision process may be terminated.
When it is determined that a QR code has been captured (YES in S302), the image processing unit 208 decodes the QR code in the captured image and acquires the QR code information, which includes the authentication public key of the access point 103 (S303). Next, the control unit 205 transmits an authentication request to the access point 103 using the transmission/reception unit 202 and the wireless communication control unit 201 (S304). This authentication request is, for example, a DPP Authentication Request frame as defined by the DPP standard. The authentication request contains authentication information used for authentication, the identification information of the portable device 101, role information, a random number, and a public key for shared key generation.
The authentication information is the hash value of the authentication public key of the access point 103 contained in the QR code. The identification information is the hash value of the authentication public key of the portable device 101. The role information indicates the role of the portable device 101 (configurator, enrollee or the like). The random number is used for authentication when the authentication response described later is received. The public key for shared key generation is the key from which the shared key with the access point 103 is generated.
The access point 103 that receives the authentication request determines whether the device that transmitted it is the device that captured its QR code. This determination is made using the authentication information contained in the authentication request: the access point 103 computes the hash value of the public key it included in the displayed QR code, compares the computed hash value with the hash value (authentication information) contained in the authentication request, and determines that verification succeeded if the two match. The hash function used for this hash computation is assumed to have been agreed in advance with the portable device 101 that transmits the authentication request.
The public key contained in the authentication request is the key from which the shared key is generated; the shared key is used to encrypt and decrypt information exchanged with the access point 103, such as the tag information described later. The portable device 101, as the configurator, generates the shared key using both the shared-key-generation public key of the access point 103 (contained in the authentication response described later) and its own shared-key-generation private key. Conversely, the access point 103, as the enrollee, generates the shared key using both the shared-key-generation public key of the portable device 101 and its own shared-key-generation private key. The shared key is generated, for example, by the ECDH (Elliptic Curve Diffie-Hellman) method. In the following, the shared key is assumed to be generated by ECDH, but the method is not limited to this, and other public key cryptography methods may be used.
After transmitting the authentication request to the access point 103 in S304, the control unit 205 of the portable device 101 waits to receive an authentication response from the access point 103 (S305). If an authentication response cannot be received within the predetermined time in S304, the communication parameter provision process ends.
The authentication response is, for example, a DPP Authentication Response frame as defined by the DPP standard. The authentication response contains the shared-key-generation public key of the access point 103, role information, a random number, and tag information. The portable device 101 generates the shared key using the shared-key-generation public key of the access point 103 and its own shared-key-generation private key, as described above.
The tag information is the random number that was contained in the authentication request sent by the portable device 101, encrypted with the shared key that the access point 103 generated using both its own shared-key-generation private key and the shared-key-generation public key of the portable device 101. The portable device 101 determines that authentication has succeeded if it can correctly decrypt the tag information with the shared key it generated itself. More specifically, the control unit 205 generates the shared key from the shared-key-generation private key of the portable device 101 and the shared-key-generation public key of the access point 103, by the same method the access point 103 used to generate its shared key, and verifies the tag information using that shared key. The control unit 205 determines that authentication succeeded if the tag information can be decrypted with the shared key it generated, and that authentication failed if it cannot.
In FIG. 3, when the authentication response is received (YES in S305), the control unit 205 of the portable device 101 verifies its contents (S306). As described above, the control unit 205 uses the tag information contained in the authentication response to determine whether authentication succeeded, and also determines whether the role information of the access point 103 contained in the authentication response indicates an enrollee. If authentication fails, or if the role of the access point 103 that sent the authentication response is determined not to indicate an enrollee (NO in S306), the control unit 205 displays an error message on the display unit 204 (S310) and ends the parameter provision process.
If authentication succeeds and the role of the access point 103 is determined to be an enrollee (YES in S306), the control unit 205 transmits an authentication confirmation to the access point 103 (S307). This authentication confirmation is, for example, a DPP Authentication Confirm frame as defined by the DPP standard, and it contains tag information. This tag information is the random number contained in the authentication response sent by the access point 103, encrypted by the control unit 205 with the shared key. After transmitting the authentication confirmation, the control unit 205 of the portable device 101 waits for a configuration request from the access point 103, the enrollee (S308).
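The authentication request, response and confirmation exchange of S304 to S307, as an added Go example (standard library only) that is not part of the patent and does not reproduce the DPP frame encodings. Every identifier in it (Peer, AuthRequest, RunAuthentication and so on) belongs to this example. It assumes SHA-256 as the pre-agreed hash function, P-256 ECDH with SHA-256 of the ECDH secret as the shared key, and AES-GCM as the cipher for the tag information; the description fixes none of these.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Peer is one device in the exchange of FIG. 3: Auth is its long-lived authentication
// key pair (the public half is what the QR code carries), Eph its shared-key-generation pair.
type Peer struct {
	Role      string
	Auth, Eph *ecdh.PrivateKey
	Nonce     []byte // the "random number" field
	Shared    []byte // symmetric key from ECDH (assumed KDF: SHA-256 of the ECDH secret)
}

func newKey() *ecdh.PrivateKey    { k, _ := ecdh.P256().GenerateKey(rand.Reader); return k }
func random(n int) []byte         { b := make([]byte, n); rand.Read(b); return b }
func hash(b []byte) []byte        { h := sha256.Sum256(b); return h[:] }
func aead(key []byte) cipher.AEAD { b, _ := aes.NewCipher(key); g, _ := cipher.NewGCM(b); return g }

func NewPeer(role string) *Peer { return &Peer{Role: role, Auth: newKey(), Eph: newKey(), Nonce: random(16)} }

// QRCode is what the enrollee displays: its authentication public key.
func (p *Peer) QRCode() []byte { return p.Auth.PublicKey().Bytes() }

// deriveShared runs ECDH with the peer's shared-key-generation public key.
func (p *Peer) deriveShared(peerEphPub []byte) error {
	pub, err := ecdh.P256().NewPublicKey(peerEphPub)
	if err != nil {
		return err
	}
	secret, err := p.Eph.ECDH(pub)
	p.Shared = hash(secret)
	return err
}

// seal makes "tag information": a random number encrypted under the shared key with
// AES-GCM, so that decryption under any other key fails outright.
func seal(key, nonce []byte) []byte {
	iv := random(12)
	return aead(key).Seal(iv, iv, nonce, nil) // iv || ciphertext || GCM auth tag
}

// tagOK is the check both sides make: the tag must decrypt, under the key this peer
// derived itself, to the random number this peer sent.
func (p *Peer) tagOK(tag []byte) bool {
	if p.Shared == nil || len(tag) < 12 {
		return false
	}
	got, err := aead(p.Shared).Open(nil, tag[:12], tag[12:], nil)
	return err == nil && bytes.Equal(got, p.Nonce)
}

// The frames carry the fields listed for S304 and S305; the S307 confirmation is a tag.
type AuthRequest struct{ AuthInfo, Identity, Nonce, EphPub []byte; Role string }
type AuthResponse struct{ EphPub, Nonce, Tag []byte; Role string }

// S304: authentication information is the hash of the scanned key, identification
// information the hash of the sender's own authentication key.
func (p *Peer) BuildAuthRequest(qr []byte) AuthRequest {
	return AuthRequest{hash(qr), hash(p.QRCode()), p.Nonce, p.Eph.PublicKey().Bytes(), p.Role}
}

// S406/S407: the enrollee answers only if the authentication information matches its own
// QR-code key and the role is configurator; the response carries the sender's nonce sealed.
func (p *Peer) HandleAuthRequest(req AuthRequest) (AuthResponse, error) {
	if !bytes.Equal(req.AuthInfo, hash(p.QRCode())) || req.Role != "configurator" {
		return AuthResponse{}, errors.New("request is not from the device that scanned our QR code")
	}
	if err := p.deriveShared(req.EphPub); err != nil {
		return AuthResponse{}, err
	}
	return AuthResponse{p.Eph.PublicKey().Bytes(), p.Nonce, seal(p.Shared, req.Nonce), p.Role}, nil
}

// S306/S307: the configurator derives the same key, checks tag and role, and returns
// the confirmation tag (the enrollee's random number sealed under the shared key).
func (p *Peer) HandleAuthResponse(res AuthResponse) ([]byte, error) {
	if err := p.deriveShared(res.EphPub); err != nil {
		return nil, err
	}
	if !p.tagOK(res.Tag) || res.Role != "enrollee" {
		return nil, errors.New("authentication failed or responder is not an enrollee (S310)")
	}
	return seal(p.Shared, res.Nonce), nil
}

// RunAuthentication drives the three-message exchange end to end; nil means both
// sides accepted each other and hold the same shared key.
func RunAuthentication(cfg, enr *Peer, qr []byte) error {
	res, err := enr.HandleAuthRequest(cfg.BuildAuthRequest(qr))
	if err != nil {
		return err
	}
	confirm, err := cfg.HandleAuthResponse(res)
	if err == nil && !enr.tagOK(confirm) {
		err = errors.New("enrollee rejected the authentication confirmation")
	}
	return err
}
```

`RunAuthentication(cfg, ap, ap.QRCode())` returns nil and leaves both peers with an identical Shared key. A request built from any other device's QR code fails the enrollee's hash comparison (S407), a response that does not claim the enrollee role is rejected at S306, and a tag sealed under a different key fails to decrypt rather than decrypting to garbage, which is why an authenticated cipher is the right choice for the tag information.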
The access point 103 that receives the authentication confirmation determines that authentication succeeded if it can correctly decrypt the tag information contained in the confirmation with the shared key it generated itself. On determining that authentication succeeded, the access point 103 accepts the portable device 101 that sent the authentication request as the configurator and transmits a configuration request to the portable device 101. The configuration request is, for example, a DPP Configuration Request frame as defined by the DPP standard. The configuration request contains device information of the access point 103 and role information that applies after receipt of the communication parameters. The device information is, for example, the device name of the access point 103. The role information after receipt of the communication parameters indicates whether the enrollee will operate as an access point that builds a wireless network or as a device that connects to a wireless network; here it is set to indicate operation as an access point that builds a wireless network. The information contained in the configuration request is encrypted with the shared key that the access point 103 used to encrypt the tag information when transmitting the authentication response.
When the configuration request from the access point 103 is received (YES in S308), the communication parameter processing unit 210 of the portable device 101 provides the communication parameters for forming the wireless network 104 in a configuration response (S309). The configuration response is, for example, a DPP Configuration Response frame as defined by the DPP standard. The configuration response transmitted by the communication parameter processing unit 210 of the portable device 101 contains the communication parameters, the expiration date of the parameters, the configurator-dedicated public key of the portable device 101, and so on. In the configuration response, the communication parameters are encrypted with the configurator-dedicated private key of the portable device 101. Furthermore, the information contained in the configuration response is encrypted with the shared key that was used to encrypt the tag information in S307. Note that the communication parameters contain, as an encryption key, the public key of the communication partner that was used to generate the shared key (in this case, the public key contained in the authentication response from the access point 103).
After transmitting the configuration request, the access point 103, the enrollee, waits for a configuration response from the portable device 101, the configurator. On receiving the configuration response, the access point 103 decrypts the information it contains with the shared key used to encrypt the tag information. The access point 103 further decrypts the communication parameters, which were encrypted with the configurator-dedicated private key of the portable device 101, using the configurator-dedicated public key of the portable device 101. The access point 103 can then form the wireless network 104 with the decrypted communication parameters.
The operations of the portable device 101 and the access point 103 up to the point at which the portable device 101, performing the above processing, provides the communication parameters to the access point 103 are described further below. FIG. 4 is a sequence diagram showing the process in which the portable device 101 provides communication parameters to the access point 103.
When the access point 103 receives an instruction from the user to receive parameters (S401), it displays a QR code on its display (S402) and waits for an authentication request. If no authentication request is received within a predetermined time, the access point 103 may stop waiting for one. If the access point 103 has no display or the like on which to show a QR code, and the QR code is instead printed on a label or the like attached to the housing or an accessory of the electronic device, S402 is skipped: on receiving the instruction to receive parameters (S401), the access point 103 waits for an authentication request without performing the processing of S402.
Meanwhile, when the portable device 101 receives an instruction from the user to provide parameters (S403), it activates the imaging unit 207 in order to capture the QR code displayed by the access point 103 (S404). The imaging unit 207 of the portable device 101 then captures the QR code displayed by the access point 103, thereby acquiring the information the QR code represents (S405).
Having acquired the information represented by the QR code, the portable device 101 generates and transmits an authentication request, which the access point 103 receives (S406). The access point 103 verifies the contents of the received authentication request. If it determines that the portable device 101 that sent the authentication request is the device that captured its QR code, it verifies the role information (S407). If, on verifying the role information, the access point 103 determines that the role of the device that sent the authentication request is configurator, it generates and transmits an authentication response (S408). Having transmitted the authentication response to the portable device 101, the access point 103 waits for an authentication confirmation from the portable device 101.
On receiving the authentication response, the portable device 101 verifies its contents (S409). If authentication of the response succeeds and the portable device 101 determines that the role information contained in the response indicates an enrollee, it transmits an authentication confirmation to the access point 103 (S410).
On receiving the authentication confirmation from the portable device 101 (S410), the access point 103 verifies its contents. The access point 103 determines that authentication succeeded if it can correctly decrypt the tag information with the shared key it generated itself. If authentication is determined to have succeeded, the access point 103 performs communication parameter configuration processing with the portable device 101 (S411). More specifically, the access point 103 transmits a configuration request in order to perform the communication parameter configuration processing, and waits for a configuration response from the portable device 101. On receiving the configuration request, the portable device 101 transmits a configuration response containing the communication parameters encrypted with its configurator-dedicated private key, together with its configurator-dedicated public key. On receiving the configuration response, the access point 103 decrypts the communication parameters with the configurator-dedicated public key of the portable device 101, and forms the wireless network 104 using the decrypted communication parameters.
Through the processing described with reference to FIGS. 3 and 4, the portable device 101 can provide communication parameters to the access point 103. By processing similar to that described with reference to FIGS. 3 and 4, the portable device 101 as the configurator can also provide communication parameters to the printer 105 as an enrollee. However, the shared key used to encrypt the tag information and the like is then a different key from the shared key generated between the portable device 101 and the access point 103, because the shared-key-generation key pair of the printer 105 differs from that of the access point 103. The contents of the communication parameters also differ: the communication parameters that the printer 105 receives from the portable device 101 do not contain the shared-key-generation public key of the access point 103, but instead contain the shared-key-generation public key of the printer 105 itself.
Next, the process by which the printer 105, having acquired communication parameters from the portable device 101 as the configurator, connects to the wireless network 104 formed by the access point 103 is described. FIG. 5 is a sequence diagram showing the process in which the printer 105 connects to the wireless network 104 formed by the access point 103.
When the printer 105 receives an instruction from the user to connect to the wireless network 104 (S501), it transmits a discovery request (S502). This discovery request is, for example, a DPP Peer Discovery Request frame as defined by the DPP standard. The discovery request contains the communication parameters that the printer 105 acquired from the portable device 101; as described above, these communication parameters are encrypted with the configurator-dedicated private key of the portable device 101.
On receiving the discovery request, the access point 103 decrypts the communication parameters it contains using the configurator-dedicated public key of the portable device 101 acquired in S411 (S503). If decryption is not possible, the discovery request is discarded. Having decrypted the communication parameters, the access point 103 generates a master key (PMK, Pairwise Master Key) to be shared with the printer 105 (S504). This master key is the basis for various keys in the encryption standard known as WPA (Wi-Fi Protected Access) and is used when establishing the wireless connection. The master key is generated using both the shared-key-generation public key of the printer 105 contained in the communication parameters and the shared-key-generation private key of the access point 103.
Having generated the master key in S504, the access point 103 transmits a discovery response (S505). This discovery response is, for example, a DPP Peer Discovery Response frame as defined by the DPP standard. The discovery response contains the communication parameters that the access point 103 acquired from the portable device 101 in S411; these communication parameters are likewise encrypted with the configurator-dedicated private key of the portable device 101.
On receiving the discovery response, the printer 105 decrypts the communication parameters it contains using the configurator-dedicated public key acquired from the portable device 101 (S506). If decryption is not possible, the discovery response is discarded. Having decrypted the communication parameters, the printer 105 generates the master key to be shared with the access point 103 (S507). This master key is generated using both the shared-key-generation public key of the access point 103 contained in the communication parameters and the shared-key-generation private key of the printer 105. The printer 105 and the access point 103, now sharing the master key, perform connection processing using it (S508). In this way, the printer 105 can connect to the wireless network 104 formed by the access point 103.
Next, consider the case where, in addition to the portable device 101, the portable device 102 is also made to operate as a configurator that provides the communication parameters for connecting to the wireless network 104 formed by the access point 103. In this case, the portable device 102 needs to acquire the configurator-dedicated key pair of the portable device 101, which the portable device 101 used to encrypt the communication parameters. To explain why, consider the case where the portable device 102, which does not hold the configurator-dedicated key pair of the portable device 101, provides the printer 106 with the communication parameters it acquired from the portable device 101 as an enrollee.
For example, suppose the portable device 102 provides the printer 106 with the communication parameters still encrypted with the configurator-dedicated private key of the portable device 101. The printer 106 transmits a search request containing the acquired communication parameters to the access point 103. On receiving the search request, the access point 103 decrypts the communication parameters with the configurator-dedicated public key of the portable device 101, but the public key contained in those communication parameters is the shared-key generation public key of the portable device 102. The access point 103 therefore generates a master key from the shared-key generation public key of the portable device 102 contained in the communication parameters together with its own shared-key generation private key. The printer 106, on the other hand, generates a master key from the shared-key generation public key of the access point 103 contained in the communication parameters transmitted by the access point 103 together with its own shared-key generation private key. The master keys generated by the access point 103 and the printer 106 therefore differ, and a wireless connection cannot be established.
Also suppose, for example, that the portable device 102 decrypts the communication parameters with the configurator-dedicated public key of the portable device 101, re-encrypts them with the configurator-dedicated private key of the portable device 102, and provides the result to the printer 106. The printer 106 transmits a search request containing the communication parameters acquired from the portable device 102 to the access point 103. On receiving the search request, the access point 103 attempts to decrypt the communication parameters, but since they cannot be decrypted with the configurator-dedicated public key of the portable device 101, it discards the search request. As a result, the printer 106 cannot connect to the wireless network 104.
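The two failure cases above and the successful case after key sharing, as an added example that is not part of the patent text: the "encryption of the communication parameters with the configurator-dedicated private key" and "decryption with the public key" is modeled as signing and signature verification, which is what the DPP connector mechanism actually does; a toy prime-order subgroup of Z_p* with a Schnorr signature stands in for the elliptic-curve keys, and a hash over the Diffie-Hellman result stands in for the master-key derivation. The group parameters, key names and the layout of the signed "connector" are assumptions of this example, not of the patent.

```python
import hashlib
import json
import random

# Toy prime-order subgroup of Z_p* (p = 2q + 1, g of order q). Stands in for the
# elliptic-curve group used by DPP; these parameters are far too small for real use.
P, Q, G = 1907, 953, 4
_rng = random.SystemRandom()


def _h(*parts):
    """Hash of the message parts, returned as the integer challenge of the Schnorr scheme."""
    data = "|".join(str(x) for x in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(priv, msg):
    """Schnorr signature: the text's 'encrypting with the configurator-dedicated private key'."""
    while True:
        k = _rng.randrange(1, Q)
        r = pow(G, k, P)
        e = _h(r, msg)
        if e % Q:  # a challenge that is 0 mod q would verify under any key; reject it
            break
    return e, (k - priv * e) % Q


def verify(pub, msg, sig):
    """Signature check: the text's 'decrypting with the configurator-dedicated public key'."""
    e, s = sig
    r = (pow(G, s, P) * pow(pub, e, P)) % P
    return _h(r, msg) == e


def make_connector(csign_priv, net_access_pub):
    """Communication parameter issued by a configurator: the device's shared-key
    generation public key, signed with the configurator-dedicated private key."""
    body = json.dumps({"netAccessKey": net_access_pub, "group": "network104"}, sort_keys=True)
    return {"body": body, "sig": sign(csign_priv, body)}


def master_key(my_net_priv, peer_net_pub):
    """Each side combines its own private key with the peer's public key (Diffie-Hellman);
    a plain hash stands in for DPP's HKDF-based PMK derivation."""
    shared = pow(peer_net_pub, my_net_priv, P)
    return hashlib.sha256(str(shared).encode()).hexdigest()


def ap_handle_search_request(ap_net_priv, trusted_csign_pub, connector):
    """Access point 103 on receiving a search request that carries a connector."""
    if not verify(trusted_csign_pub, connector["body"], connector["sig"]):
        return None  # not verifiable with 101's configurator public key: discard
    peer_pub = json.loads(connector["body"])["netAccessKey"]
    return master_key(ap_net_priv, peer_pub)


def setup():
    """Constructed scenario: AP 103 was set up by configurator 101; device 102 and
    printer 106 each hold their own shared-key generation pair."""
    c101, c102, ap, d102, pr = _rng.sample(range(1, Q), 5)  # five distinct private keys
    env = {name: (x, pow(G, x, P)) for name, x in
           [("c101", c101), ("c102", c102), ("ap", ap), ("d102", d102), ("printer", pr)]}
    env["ap_connector"] = make_connector(env["c101"][0], env["ap"][1])
    env["d102_connector"] = make_connector(env["c101"][0], env["d102"][1])  # 102 as enrollee
    return env


def outcome(env, printer_connector):
    """Run the association attempt between printer 106 and access point 103."""
    ap_priv, _ = env["ap"]
    ap_pmk = ap_handle_search_request(ap_priv, env["c101"][1], printer_connector)
    if ap_pmk is None:
        return "discarded"
    ap_pub = json.loads(env["ap_connector"]["body"])["netAccessKey"]
    pr_pmk = master_key(env["printer"][0], ap_pub)
    return "connected" if ap_pmk == pr_pmk else "master key mismatch"


def case_forward_unchanged():
    """102 hands the printer the parameter it received as enrollee, unmodified."""
    env = setup()
    return outcome(env, env["d102_connector"])


def case_resign_with_own_key():
    """102 re-signs the printer's key with its own configurator-dedicated key."""
    env = setup()
    return outcome(env, make_connector(env["c102"][0], env["printer"][1]))


def case_after_key_sharing():
    """102 obtained 101's configurator-dedicated private key (FIG. 6) and signs with it."""
    env = setup()
    return outcome(env, make_connector(env["c101"][0], env["printer"][1]))


if __name__ == "__main__":
    for case in (case_forward_unchanged, case_resign_with_own_key, case_after_key_sharing):
        print(f"{case.__name__}: {case()}")
```

The first case is accepted by the access point (the signature is genuine) and still fails, because the key inside the connector belongs to the portable device 102 rather than to the printer; the second fails earlier, at signature verification. Only a signature made with the original configurator's private key over the printer's own key yields matching master keys, which is the whole reason the key pair has to be shared.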
For the above reasons, in order for the portable device 102 to operate as a configurator that provides communication parameters for connecting to the wireless network 104, the portable device 102 needs to acquire the configurator-dedicated key pair of the portable device 101. The following describes the processing by which the portable device 101 provides the portable device 102 with the configurator-dedicated key pair of the portable device 101 that is used to encrypt and decrypt the communication parameters for connecting to the wireless network 104. The first embodiment describes the processing for the case where the portable device 102 requests the portable device 101 to share the configurator-dedicated key pair of the portable device 101 that was used to set up the access point 103.
FIG. 6 is a sequence diagram showing the processing between the portable device 101 and the portable device 102 in the present embodiment. The portable device 101 and the portable device 102 are each able to communicate with the other, which is an external apparatus from its point of view.
The portable device 102 receives an instruction from the user to share the configurator-dedicated key pair of the portable device 101 so that it can operate as a configurator that provides the communication parameters for connecting to the wireless network 104 (S601). The portable device 102 then displays a QR code on its display unit 204 and waits for an authentication request (S602). Meanwhile, when the portable device 101 receives an instruction from the user to start parameter provision (S603), it captures an image of the QR code displayed by the portable device 102 and acquires the QR code information (S604, S605). S606, S609 and S613 constitute the authentication processing in which the portable device 101 and the portable device 102 exchange frames containing the information (in this embodiment, authentication information, random numbers and tag information) with which they authenticate each other. During this authentication processing, a request to share with the enrollee the information specific to the configurator that it uses to provide communication parameters (in this embodiment, the configurator's private key), and the permission for that request, are exchanged.
The portable device 101 generates an authentication request based on the acquired QR code information and transmits it (S606). The processing of S603 to S606 is the same as that of S403 to S406 described with reference to FIG. 4. On receiving the authentication request (S606), the portable device 102 verifies its contents. The portable device 102 verifies the authentication information contained in the authentication request and, when it determines that the portable device 101 that transmitted the request is the apparatus that captured the QR code (authentication success), verifies the role information contained in the authentication request (S607). When the portable device 102 determines that the role information in the authentication request transmitted by the portable device 101 indicates a configurator, it includes information indicating a key pair sharing request in the authentication response (S608). The key pair sharing request is indicated, for example, by setting a predetermined bit of the DPP Authentication Response frame. Although a predetermined bit is used here to indicate the key pair request, the indication is not limited to this. For example, the role information included in the authentication response may indicate a role other than the configurator (a "parameter providing apparatus") and the enrollee (a "parameter receiving apparatus"), such as a role representing a "key pair receiving apparatus". The portable device 102 transmits the authentication response containing the key pair sharing request generated as described above (S609). After transmitting the authentication response, the portable device 102 waits for an authentication confirmation from the portable device 101, which transmitted the authentication request.
The portable device 101 receives the authentication response (S609) and, when authentication based on the tag information succeeds, verifies the role information of the portable device 102 contained in the authentication response (S610). When the verification of the role information determines that the role of the apparatus that transmitted the authentication response is an enrollee (or the role representing a "key pair receiving apparatus"), the portable device 101 continues the parameter provision processing. When the role information indicates any other role, the parameter provision processing is ended.
Continuing the parameter provision processing, the portable device 101 checks whether the authentication response contains a key pair sharing request (S611). If it does, the portable device 101 notifies the user by displaying on the display unit 204 that there is a key pair sharing request, and waits for the user to permit the sharing of the key pair via the operation unit 203. When the user permits sharing of the key pair, the portable device 101 includes information indicating permission for the key pair sharing in the authentication confirmation (S612). The key pair sharing permission is indicated, for example, by setting a predetermined bit of the DPP Authentication Confirm frame. The portable device 101 transmits the authentication confirmation containing the information indicating the key pair sharing permission to the portable device 102 (S613).
Displaying on the display unit 204 that there is a key pair sharing request and accepting a permission instruction from the user via the operation unit 203 is described here as the condition for sharing the key pair, but the condition is not limited to this. For example, the information indicating key pair sharing permission may be included in the authentication confirmation without receiving a permission instruction from the user. In that case, the display indicating that there is a key pair sharing request may be omitted.
On the other hand, when the user does not permit sharing of the key pair, the key pair provision processing (S616) described later is not performed. Alternatively, when sharing of the key pair is not permitted, the processing may end without performing the parameter provision processing, by not transmitting the authentication confirmation. Further, when key pair sharing is not permitted, a message containing information indicating that it is not permitted may be transmitted to the portable device 102.
On receiving the authentication confirmation, the portable device 102 checks the information indicating key pair sharing permission contained in it (S614). If the authentication confirmation does not contain information indicating key pair sharing permission, the portable device 102 ends the parameter reception processing. In that case, the portable device 102 may notify the user by displaying a message indicating an error on the display unit 204.
When authentication by the authentication confirmation is complete, the communication parameters are set (S615). More specifically, after completing authentication by the authentication confirmation, the portable device 102 transmits a configuration request to the portable device 101. In response, the portable device 101 transmits a configuration response containing the communication parameters to the portable device 102. This constitutes the communication parameter provision processing. When the communication parameter provision processing is complete, the portable device 101 encrypts its configurator-dedicated private key and public key pair using the shared key between the portable device 101 and the portable device 102, and transmits it to the portable device 102 (S616). Since the configuration response transmitted in S615 already contains the configurator-dedicated public key of the portable device 101, only the private key may be transmitted in S616. Alternatively, the portable device 101 may include its configurator-dedicated private key in the configuration response during the parameter provision processing of S615, in which case the processing of S616 is unnecessary.
The portable device 101 may also provide its configurator-dedicated key pair after transmitting the authentication confirmation in S613 and before the communication parameter provision processing of S615 is complete. Further, the portable device 101 may provide its configurator-dedicated key pair even when it transmitted the authentication confirmation without including information indicating key pair sharing permission.
Having acquired the configurator-dedicated private and public key pair of the portable device 101 that was used to set up the access point 103, the portable device 102 can act as a configurator and provide communication parameters to the printer 106 as an enrollee. Using the communication parameters acquired from the portable device 102, the printer 106 can connect to the wireless network 104 formed by the access point 103 by performing the processing shown in the sequence of FIG. 5.
When the instruction received in S603 is to start key pair sharing rather than to start parameter provision, the information indicating key pair sharing permission may be included in the authentication confirmation in S612 without waiting for a permission instruction from the user.
Only the key pair may be provided, without providing the communication parameters, that is, without the parameter setting of S615. This omits the communication parameter provision processing of S615 and so improves convenience for the user. This key-pair-only provision may be performed when, in S612, an instruction to hand over only the key pair is also received from the user. When the instruction in S603 is to start key pair sharing rather than parameter provision, the key-pair-only provision may be performed in S612 without waiting for a permission instruction from the user. In the processing shown in the sequence diagrams of FIGS. 9 to 11 described later as well, the key pair provision processing may be performed without the communication parameter provision processing.
Next, the processing of the portable device 101 and the portable device 102 is described with reference to the flowcharts of FIGS. 7 and 8.
FIG. 7 is a flowchart showing the processing by which the portable device 101, in response to a request from the portable device 102, provides the portable device 102 with the configurator key pair (private key and public key) that it holds. The processing from activating the image capturing unit 207 to verifying the authentication response is the same as in FIG. 3 (S301 to S306). FIG. 7 shows the processing after authentication using the authentication response has succeeded and the role information has been determined to indicate an enrollee in the processing of FIG. 3 (YES in S306).
When the authentication response transmitted by the portable device 102 indicates the enrollee role and verification of the tag information succeeds, the control unit 205 of the portable device 101 determines whether the authentication response contains a key pair sharing request (S701). If so, the control unit 205 asks the user, via the display unit 204 and the operation unit 203, whether the key pair may be shared (S702). If the user permits sharing (OK in S702), the key sharing processing unit 212 sets information indicating sharing permission in the authentication confirmation (S703) and transmits it to the portable device 102 (S704). Otherwise, that is, if the authentication response contains no key pair sharing request (NO in S701) or the user does not permit sharing (NG in S702), S703 is skipped and an authentication confirmation without sharing permission information is transmitted to the portable device 102 (S704).
The control unit 205 then waits for a configuration request from the portable device 102 (S705). When the configuration request is received, the communication parameter processing unit 210 provides the communication parameters to the portable device 102 (S706). This provision processing is the same as S310. The key sharing processing unit 212 then provides the portable device 102 with the key pair consisting of the configurator's private key and public key (S707). The key pair is encrypted with the shared key. As shown in S807 of FIG. 8 described later, the portable device 102 does not send a configuration request when sharing permission was not set in S703, so the key pair is not shared in that case. That check, however, is performed by the requesting apparatus rather than by the holder of the key; for safety, therefore, S707 may be made to provide the key pair only when sharing permission was set in S703.
FIG. 8 is a flowchart showing the processing by which the portable device 102, on receiving an instruction from the user to share the key pair held by the portable device 101, acquires the configurator-dedicated key pair of the portable device 101 that was used in the setup processing of the access point 103.
When the code generation unit 209 of the portable device 102 receives, via the operation unit 203, an instruction from the user to share the configurator-dedicated key pair held by the portable device 101, it generates a QR code and displays it on the display unit 204 (S801). The control unit 205 then waits for an authentication request (S802). If no authentication request is received within a predetermined time, the portable device 102 may stop waiting for it.
On receiving the authentication request from the portable device 101, the control unit 205 performs authentication using the authentication information contained in it, and the role determination unit 211 verifies the role information to determine the role. The control unit 205 determines whether the authentication using the authentication information succeeded and whether the role determined by the role determination unit 211 is a configurator (S803). If the authentication failed, or the role of the portable device 101 is determined not to be a configurator, the control unit 205 displays a message indicating an error on the display unit 204 (S811) and ends the processing. The display of the error message (S811) may be omitted.
On the other hand, when S803 determines that the authentication succeeded and that the role of the portable device 101 that transmitted the authentication request is a configurator, the key sharing processing unit 212 sets information indicating a key pair sharing request in the authentication response (S804). The control unit 205 then transmits the authentication response with the sharing request set to the portable device 101 (S805) and waits for an authentication confirmation from the portable device 101.
On receiving the authentication confirmation from the portable device 101 (S806), the control unit 205 determines whether authentication using the tag information contained in it succeeded and whether it contains information indicating key pair sharing permission (S807). When the authentication is determined to have succeeded and the information indicating key pair sharing permission is determined to be present, the communication parameter processing unit 210 transmits a configuration request to the portable device 101 (S808). The communication parameter processing unit 210 then acquires the communication parameters by receiving the configuration response from the portable device 101 (S809), and the key sharing processing unit 212 acquires the configurator-dedicated key pair of the portable device 101 (S810). If, on the other hand, S807 determines that verification of the tag information failed or that the authentication confirmation contains no information indicating key pair sharing permission, the control unit 205 displays a message indicating an error on the display unit 204 and ends the processing (S811).
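The exchange of FIGS. 6 to 8 as an added example, not code from the patent: both portable devices are modeled as small state machines, with the sharing request carried in the Authentication Response, the permission carried in the Authentication Confirm, the user's decision at S702 gating that permission, and the "for safety" check of S707 applied on the configurator side. The bit values, the message dictionaries, the QR-hash authentication check and the XOR-keystream wrapping of the key pair are assumptions of this example; the DPP authentication itself (nonces, tag information, shared-key derivation) is not re-implemented, so the shared key is simply handed to both sides. The `honest=False` device shows why the S707 check matters: a peer that ignores the missing permission and sends a configuration request anyway still receives the private key unless the key holder checks its own record of the permission.

```python
import hashlib
import secrets

# Bit positions standing in for the "predetermined bit" of the DPP Authentication
# Response and Authentication Confirm frames; the actual positions are an assumption.
SHARE_REQUEST = 0x01   # set by portable device 102 in the Authentication Response (S608)
SHARE_PERMIT = 0x02    # set by portable device 101 in the Authentication Confirm (S612)


def wrap(shared_key, data):
    """Stand-in for encrypting the key pair with the 101/102 shared key (S616):
    XOR with a SHA-256 keystream. Real DPP uses AES-SIV; this is example-only."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hashlib.sha256(shared_key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)


class Configurator101:
    """Portable device 101: holds the configurator-dedicated key and decides on sharing."""

    def __init__(self, shared_key, user_permits, strict=True):
        self.csign_priv = secrets.token_bytes(32)  # configurator-dedicated private key (constructed)
        self.shared_key = shared_key               # result of the DPP authentication, not re-derived here
        self.user_permits = user_permits           # the user's answer at S702
        self.strict = strict                       # apply the "for safety" check of S707
        self.permitted = False
        self.log = []

    def make_auth_request(self, qr_info):          # S604 to S606
        return {"role": "configurator", "qr_hash": hashlib.sha256(qr_info).digest()}

    def on_auth_response(self, resp):              # S610 to S613, S701 to S704
        if resp["role"] not in ("enrollee", "key pair receiver"):
            self.log.append("unexpected role; parameter provision ended")
            return None
        confirm = {"flags": 0}
        if resp["flags"] & SHARE_REQUEST:
            self.log.append("sharing request displayed to user")
            if self.user_permits:
                confirm["flags"] |= SHARE_PERMIT
                self.permitted = True
        return confirm

    def on_config_request(self, _request):          # S705 to S707
        response = {"parameters": {"ssid": "network104", "c_pub": "101-configurator-public-key"}}
        if self.strict and not self.permitted:
            self.log.append("configuration request without a granted permission: key pair withheld")
            return response, None
        return response, wrap(self.shared_key, self.csign_priv)


class Device102:
    """Portable device 102: displays the QR code and requests the key pair."""

    def __init__(self, shared_key, honest=True):
        self.qr_info = secrets.token_bytes(16)     # bootstrapping information in the QR code (S602)
        self.shared_key = shared_key
        self.honest = honest                       # False: sends a configuration request even without permission
        self.csign_priv = None
        self.parameters = None
        self.log = []

    def on_auth_request(self, req):                # S607 to S609, S803 to S805
        if req["qr_hash"] != hashlib.sha256(self.qr_info).digest() or req["role"] != "configurator":
            self.log.append("error: authentication failed or peer is not a configurator")
            return None
        return {"role": "enrollee", "flags": SHARE_REQUEST}

    def on_auth_confirm(self, confirm):            # S614, S807 to S808
        if confirm is None or not (confirm["flags"] & SHARE_PERMIT):
            self.log.append("error: no sharing permission in the Authentication Confirm")
            if self.honest:
                return None
        return {"type": "configuration request"}

    def on_config_response(self, response, wrapped):   # S809 to S810
        self.parameters = response["parameters"]
        if wrapped is not None:
            self.csign_priv = wrap(self.shared_key, wrapped)   # the XOR keystream is its own inverse


def run(user_permits, strict=True, honest=True):
    """Drive the FIG. 6 exchange; True when 102 ends up holding 101's private key."""
    shared_key = secrets.token_bytes(32)
    c101, d102 = Configurator101(shared_key, user_permits, strict), Device102(shared_key, honest)
    resp = d102.on_auth_request(c101.make_auth_request(d102.qr_info))  # 101 scans the QR code
    if resp is None:
        return False
    confirm = c101.on_auth_response(resp)
    if confirm is None:
        return False
    request = d102.on_auth_confirm(confirm)
    if request is None:
        return False
    response, wrapped = c101.on_config_request(request)
    d102.on_config_response(response, wrapped)
    return d102.csign_priv == c101.csign_priv


if __name__ == "__main__":
    print("user permits:", run(user_permits=True))
    print("user refuses, 102 honours it:", run(user_permits=False))
    print("user refuses, 102 ignores it, no S707 check:", run(user_permits=False, honest=False, strict=False))
    print("user refuses, 102 ignores it, S707 check:", run(user_permits=False, honest=False, strict=True))
```

The same structure covers the variants of FIGS. 9 and 10 by moving the flag: the request into the QR code or the Authentication Request, the permission into the Authentication Request or Response. What does not change is that the key holder must keep its own record of the granted permission and consult it before S707.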
<Modification 1>
In FIG. 6, the request to share the information specific to the configurator that it uses to provide communication parameters (in this embodiment, the key pair), that is, the sharing request, is detected from a frame with which the portable device 101 and the portable device 102 exchange information for authentication. The method of notifying the portable device 101 of the sharing request is not, however, limited to this. For example, the notification may use an Action frame addressed to the portable device 101 that contains information indicating the key pair sharing request, or the key pair sharing request may be notified by means of the QR code. FIG. 9 is a sequence diagram showing the processing when information indicating the key pair sharing request is included in the QR code.
The portable device 102 receives an instruction from the user to share the configurator-dedicated key pair of the portable device 101 so that it can operate as a configurator that provides the communication parameters for connecting to the wireless network 104 (S901). Having received the instruction to share the key pair, the portable device 102 embeds information indicating the key pair sharing request in the QR code (S902) and displays it (S903). The processing of S904 to S906, by which the portable device 101 acquires the information in the QR code displayed by the portable device 102, is the same as S403 to S405 in FIG. 4. The QR code containing the sharing request may also be provided in the form of printed matter or the like.
The portable device 101 confirms that the acquired QR code information contains a key pair sharing request (S907). Having confirmed the key pair sharing request, the portable device 101, if it permits sharing of the key pair, includes information indicating key pair sharing permission in the authentication request (S908) and transmits it to the portable device 102 (S909). The processing of S907 and S908 is the same as that of S611 and S612.
The portable device 102 receives the authentication request (S909) and, when authentication based on the authentication information in the request succeeds (it determines that the portable device 101 that transmitted the request is the apparatus that captured the QR code), verifies the role information contained in the authentication request (S910). When the verification of the role information confirms that the portable device 101 is a configurator, the portable device 102 checks the information indicating key pair sharing permission contained in the authentication request (S911). The key pair sharing permission is indicated, for example, by a predetermined bit being set in the DPP Authentication Request frame. The method of indicating key pair sharing permission in the authentication request is not limited to this; for example, the permission may be indicated by setting the role information in the authentication request to represent a "key pair providing apparatus" rather than the configurator that represents a "parameter providing apparatus".
Having confirmed the information indicating key pair sharing permission in the authentication request, the portable device 102 transmits an authentication response (S912) and waits for an authentication confirmation from the portable device 101. On receiving the authentication response, the portable device 101 verifies the tag information in it and the role information of the portable device 102 (S913). When the tag information is correctly decrypted, so that authentication is determined to have succeeded, and the role information indicates an enrollee, the portable device 101 transmits an authentication confirmation (S914). With authentication thus complete, the communication parameters are provided by means of a configuration request and a configuration response. The communication parameter setting processing and the key pair provision processing of S915 to S916 are the same as S615 to S616 in FIG. 6.
As described above, according to the processing of FIG. 9, the configurator-dedicated key pair of the portable device 101 can be shared by notifying the key pair sharing request by means of the QR code.
<Modification 2>
In the processing described with reference to FIG. 6, the portable device 102 that requests sharing of the key pair displayed the QR code, but this is not a limitation. The portable device 102 may request the portable device 101 to share the key pair even when it is the portable device 101 that displays the QR code. FIG. 10 is a sequence diagram showing the processing in which the portable device 101 displays the QR code and the portable device 102 requests the key pair from the portable device 101.
 携帯機器101は、パラメータ提供の指示をユーザから受けると(S1001)、QRコードを自装置の表示部204に表示させ、認証要求を待ち受ける(S1002)。一方、携帯機器102は、無線ネットワーク104に接続するための通信パラメータを提供するコンフィギュレータとして動作するために、携帯機器101のコンフィギュレータ専用の鍵ペアを共有するようにユーザから指示を受ける(S1003)。携帯機器102は、この指示を受けてQRコードを撮影するために撮像部207を起動する(S1004)。携帯機器102は、携帯機器101の表示部204に表示されているQRコードを、携帯機器102の撮像部207により撮像して、そのQRコードが示す情報を取得する(S1005)。携帯機器102は、QRコード情報を用いて認証要求を生成し、鍵ペアの共有要求を示す情報をこの認証要求に含め(S1006)、これを携帯機器101に送信する(S1007)。鍵ペアの共有要求は、例えば、DPP Authentication Requestフレームの所定のビットを立てることで示される。 When the portable device 101 receives a parameter provision instruction from the user (S1001), the portable device 101 displays a QR code on the display unit 204 of its own device and waits for an authentication request (S1002). On the other hand, the portable device 102 receives an instruction from the user to share a key pair dedicated to the configurator of the portable device 101 in order to operate as a configurator providing communication parameters for connecting to the wireless network 104 (S1003). In response to the instruction, the portable device 102 activates the imaging unit 207 to capture a QR code (S1004). The portable device 102 images the QR code displayed on the display unit 204 of the portable device 101 by the imaging unit 207 of the portable device 102, and acquires information indicated by the QR code (S1005). The portable device 102 generates an authentication request using the QR code information, includes information indicating a key pair sharing request in the authentication request (S1006), and transmits this to the portable device 101 (S1007). The key pair sharing request is indicated, for example, by setting a predetermined bit of the DPP Authentication Request frame.
When the portable device 101 receives the authentication request and authentication using the authentication information contained in the request succeeds, it verifies the role information contained in the authentication request (S1008). If this verification confirms that the role information indicates an enrollee, the portable device 101 checks whether the authentication request contains a key pair sharing request (S1009). Upon confirming that the key pair sharing request is included, the portable device 101 includes information indicating permission to share the key pair in the authentication response (S1010) and transmits it to the portable device 102 (S1011). The key pair sharing permission is indicated, for example, by a predetermined bit of the DPP Authentication Response frame being set. The processes of S1009 and S1010 are the same as those of S611 and S612.
When the portable device 102 receives the authentication response, it verifies the tag information and the role information included in the authentication response (S1012). If authentication using the tag information succeeds and the role information indicates a configurator, the portable device 102 checks whether the authentication response includes the key pair sharing permission (S1013). Having confirmed the key pair sharing permission, the portable device 102 transmits an authentication confirmation to the portable device 101 (S1014). Once authentication is thus completed, the communication parameter provision process (S1015) and the key pair provision process (S1016) are performed. The processes of S1015 and S1016, namely the communication parameter setting process and the key pair provision process, are the same as those of S615 and S616 in FIG. 6.
As described above, according to the process described with reference to FIG. 10, the key pair dedicated to the configurator of the portable device 101 can be shared even when the portable device 101 is the one that displays the QR code.
As described above, according to the first embodiment, the portable device 102 can obtain, by requesting it from the portable device 101, the pair of the secret key and the public key dedicated to the configurator of the portable device 101 that was used for setting up the access point 103. As a result of sharing the key pair, the configurator that distributes communication parameters for connecting to the wireless network 104 can be duplicated, which improves user convenience.
Second Embodiment
In the first embodiment, the case where the portable device 102 requests the portable device 101 to share the key pair dedicated to the configurator of the portable device 101 used for setting up the access point 103 was described. The second embodiment describes the processing in the case where the portable device 101 requests the portable device 102 to share the key pair dedicated to the configurator of the portable device 101 used for setting up the access point 103.
FIG. 11 is a sequence diagram showing the processing between the portable device 101 and the portable device 102 in the second embodiment.
When the portable device 102 receives an instruction from the user to receive communication parameters (S1101), it displays a QR code on its display (S1102) and waits for an authentication request. Meanwhile, the portable device 101 receives an instruction from the user to share the key pair with the portable device 102, so that the portable device 102 can operate as a configurator providing communication parameters for connecting to the wireless network 104 (S1103). On receiving the instruction in S1103, the portable device 101 activates the imaging unit 207 in order to capture the QR code (S1104). The portable device 101 captures the QR code displayed on the display unit 204 of the portable device 102 with the imaging unit 207 and acquires the information indicated by the QR code (S1105). Having acquired the information indicated by the QR code, the portable device 101 includes information indicating a key pair sharing request in the authentication request (S1106) and transmits this authentication request to the portable device 102 (S1107).
The portable device 102, having received the authentication request from the portable device 101 in S1107, verifies the authentication information and the role information included in the authentication request. When the portable device 102 confirms that authentication has succeeded and that the role information indicates a configurator, it checks whether information indicating a key pair sharing request is included in the authentication request (S1109). Having confirmed that the information indicating the key pair sharing request is included, the portable device 102 asks the user whether sharing is allowed and waits for a sharing permission instruction from the user via the operation unit 203. When an instruction permitting the sharing of the key pair is input, the portable device 102 includes information indicating permission to share the key pair in the authentication response (S1110) and transmits it to the portable device 101 (S1111).
If sharing of the key pair is not permitted, the key pair provision process of S1116 described below is not performed. Alternatively, if sharing of the key pair is not permitted, the processing may be terminated without performing the parameter provision process by not transmitting an authentication response at all. Further, if sharing of the key pair is not permitted, a message (authentication response) including information indicating that supply of the key pair is not permitted may be transmitted to the portable device 101.
Upon receiving the authentication response, the portable device 101 verifies the tag information and the role information included in the authentication response (S1112). When the portable device 101 confirms that authentication based on the tag information has succeeded and that the role information indicates an enrollee, it checks the key pair sharing permission included in the authentication response (S1113). Once the key pair sharing permission is confirmed, the portable device 101 transmits an authentication confirmation (S1114). Authentication is thus completed, the communication parameter provision process is performed (S1115), and the key pair provision process follows (S1116). The processes of S1115 and S1116 are the same as those of S615 and S616 in FIG. 6.
Next, the operations of the portable device 101 and the portable device 102 that realize the above exchange are described with reference to the flowcharts of FIGS. 12, 13A, and 13B. FIG. 12 is a flowchart showing the process in which the portable device 101 provides the key pair dedicated to its configurator that was used in the setting process of the access point 103.
The key sharing processing unit 212 of the portable device 101, having received an instruction from the user to share the key pair with the portable device 102, activates the imaging unit 207 (S1201). The key sharing processing unit 212 then determines whether the imaging unit 207 has captured a QR code (S1202). If it is determined in S1202 that a QR code has been captured, the image processing unit 208 decodes the QR code in the captured image and acquires the QR code information, which includes the public key for authentication of the portable device 102. The control unit 205 generates an authentication request using the acquired QR code information (S1203). The control unit 205 includes information indicating a key pair sharing request in the authentication request (S1204) and transmits the authentication request to the portable device 102 (S1205). The key sharing processing unit 212 then waits for an authentication response from the portable device 102 (S1206). If no authentication response is received within a predetermined time in S1206, the key pair sharing process may be terminated.
When an authentication response is received, the control unit 205 determines whether authentication based on the tag information included in the authentication response has succeeded and whether the role information of the portable device 102 indicates an enrollee (S1207). If authentication fails, or if the role information is determined not to indicate an enrollee, the control unit 205 displays an error message on the display unit 204 and terminates the key pair sharing process (S1213). If authentication succeeds and the role information is determined to indicate an enrollee, the control unit 205 determines whether the key pair sharing permission is included in the authentication response (S1208). If the key pair sharing permission is determined not to be included in the authentication response (NO in S1208), the key sharing processing unit 212 displays an error message on the display unit 204 and terminates the key sharing process (S1213).
If the key pair sharing permission is determined to be included in the authentication response (YES in S1208), the control unit 205 transmits an authentication confirmation (S1209) and waits for a setting request from the portable device 102 (S1210). When the setting request from the portable device 102 is received, the communication parameter processing unit 210 performs the communication parameter provision process and provides the communication parameters to the portable device 102 (S1211). The key sharing processing unit 212 then provides the key pair (S1212). The processes of S1211 and S1212 are the same as those of S706 and S707.
FIGS. 13A and 13B are a flowchart showing the process in which the portable device 102 accepts the provision of the configurator-dedicated key pair from the portable device 101. In response to receiving a parameter reception instruction from the user, the code generation unit 209 generates a QR code and controls the display unit 204 to display it (S1301). The control unit 205 then waits for an authentication request (S1302). If no authentication request is received within a predetermined time, the access point 103 may stop waiting for the authentication request.
When an authentication request is received from the portable device 101, the control unit 205 verifies the authentication information in the authentication request and determines whether authentication has succeeded (that is, whether the device that sent the authentication request is the device that captured the QR code), and the role determination unit 211 verifies the role information (S1303). If authentication fails, or if the role information indicates something other than a configurator (NO in S1303), the control unit 205 displays an error message on the display unit 204 (S1313) and terminates the processing. The display of the error message (S1313) may be omitted.
If authentication succeeds and the role information indicates a configurator (YES in S1303), the control unit 205 determines whether a key pair sharing request is set in the authentication request (S1304). If a key pair sharing request is set in the authentication request, the control unit 205 asks the user whether the sharing setting is allowed (S1305). If the user permits the sharing setting (YES in S1305), the control unit 205 sets the sharing permission in the authentication response (S1306) and transmits it to the portable device 101 (S1307). On the other hand, if no information indicating a key pair supply request is set in the authentication request (NO in S1304), or if the user does not permit the sharing setting (NO in S1305), the control unit 205 transmits an authentication response without the supply permission set to the portable device 101 (S1307). The control unit 205 then waits for an authentication confirmation from the portable device 101, the destination of the authentication response (S1308).
When the control unit 205 receives the authentication confirmation from the portable device 101, it performs authentication using the tag information in the confirmation, and if authentication succeeds (YES in S1309), it transmits a setting request to the portable device 101 (S1310). The communication parameter processing unit 210 then acquires the communication parameters through the communication parameter provision process with the portable device 101 (S1311). In addition, if the sharing permission was set in S1306, the key sharing processing unit 212 accepts the provision of the key pair of the configurator of the portable device 101 and acquires the key pair (S1312).
As described above, according to the second embodiment, the portable device 101 requests the portable device 102 to share the key pair, so that the pair of the secret key and the public key dedicated to the configurator of the portable device 101 used for setting up the access point 103 can be shared. As a result of sharing the key pair, the number of configurators that can distribute communication parameters for connecting to the wireless network 104 increases, which improves user convenience.
Even when the portable device 101 requests the portable device 102 to share the key pair dedicated to the configurator of the portable device 101, the key pair may be shared by notifying the key pair sharing request by means of the QR code, as in the process (modification 1) described with reference to FIG. 9. Also, as in the process (modification 2) described with reference to FIG. 10, the key pair may be shared even when the portable device 101 is the one that displays the QR code.
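The second-embodiment exchange (FIG. 11 to FIG. 13B), modelled as an added example that is not part of the patent: portable device 101 carries the key pair sharing request in the DPP Authentication Request, portable device 102 gates its permission on the user and answers in the Authentication Response, and the key pair changes hands only when that permission was set, with the three refusal variants the text allows (no permission in the response, no response at all, an explicit denial). The frame layout, the flag bit positions, the tag derivation and all key values are constructed assumptions; the patent only specifies "a predetermined bit".

```python
import hashlib
import hmac
from dataclasses import dataclass
from enum import Enum, IntFlag
from typing import Optional

class Role(Enum):
    CONFIGURATOR = "configurator"
    ENROLLEE = "enrollee"

class Flags(IntFlag):
    """Assumed bit positions; the patent only says 'a predetermined bit'."""
    SHARE_REQUEST = 0x01  # requester -> responder (S1106 / S1204)
    SHARE_PERMIT = 0x02   # responder -> requester (S1110 / S1306)
    SHARE_DENY = 0x04     # explicit refusal, one of the variants allowed for S1116

@dataclass(frozen=True)
class AuthRequest:
    responder_key_hash: bytes  # ties the request to the scanned QR code (S1303)
    role: Role
    flags: Flags

@dataclass(frozen=True)
class AuthResponse:
    tag: bytes                 # stand-in for the tag information checked in S1207
    role: Role
    flags: Flags

def auth_tag(secret: bytes, transcript: bytes) -> bytes:
    """Constructed stand-in for the DPP authenticating tag both sides verify."""
    return hmac.new(secret, transcript, hashlib.sha256).digest()

@dataclass
class Responder:
    """Portable device 102 side (FIG. 13A/13B)."""
    qr_pubkey: bytes            # constructed bootstrapping key encoded in its QR code
    secret: bytes               # constructed shared secret behind the tag
    user_permits: bool
    refusal: str = "no_permit"  # "no_permit" | "silent" | "explicit" (variants for S1116)
    permission_set: bool = False
    received_key_pair: Optional[tuple] = None

    def handle_auth_request(self, req: AuthRequest) -> Optional[AuthResponse]:
        # S1303: the sender must have scanned our QR code and must be a configurator
        if (req.responder_key_hash != hashlib.sha256(self.qr_pubkey).digest()
                or req.role is not Role.CONFIGURATOR):
            return None                                   # error shown, S1313
        tag = auth_tag(self.secret, self.qr_pubkey)
        if Flags.SHARE_REQUEST not in req.flags:          # S1304 NO
            return AuthResponse(tag, Role.ENROLLEE, Flags(0))
        if self.user_permits:                             # S1305 YES -> S1306
            self.permission_set = True
            return AuthResponse(tag, Role.ENROLLEE, Flags.SHARE_PERMIT)
        if self.refusal == "silent":                      # refuse by staying silent
            return None
        deny = Flags.SHARE_DENY if self.refusal == "explicit" else Flags(0)
        return AuthResponse(tag, Role.ENROLLEE, deny)     # S1307 without the permit

    def receive_key_pair(self, key_pair: tuple) -> bool:
        # S1312: accept the configurator key pair only if we set the permission ourselves
        if not self.permission_set:
            return False
        self.received_key_pair = key_pair
        return True

@dataclass
class Requester:
    """Portable device 101 side (FIG. 12)."""
    configurator_key_pair: tuple  # (secret key, public key) used to set up AP 103
    secret: bytes

    def build_auth_request(self, qr_info: bytes) -> AuthRequest:
        # S1203/S1204: request derived from the scanned QR code, sharing bit set
        return AuthRequest(hashlib.sha256(qr_info).digest(),
                           Role.CONFIGURATOR, Flags.SHARE_REQUEST)

    def check_auth_response(self, resp: Optional[AuthResponse], qr_info: bytes) -> str:
        if resp is None:
            return "timeout"                              # S1206: nothing arrived in time
        if (not hmac.compare_digest(resp.tag, auth_tag(self.secret, qr_info))
                or resp.role is not Role.ENROLLEE):
            return "error"                                # S1207 NO -> S1213
        if Flags.SHARE_PERMIT not in resp.flags:
            return "error"                                # S1208 NO -> S1213
        return "confirm"                                  # S1209

def run_exchange(user_permits: bool, refusal: str = "no_permit") -> dict:
    """Drive one FIG. 11 exchange with constructed keys and report the outcome."""
    qr_pubkey, secret = b"device102-bootstrap-pubkey", b"constructed-shared-secret"
    dev102 = Responder(qr_pubkey, secret, user_permits, refusal)
    dev101 = Requester((b"cfg-secret-key", b"cfg-public-key"), secret)
    resp = dev102.handle_auth_request(dev101.build_auth_request(qr_pubkey))  # S1107
    outcome = dev101.check_auth_response(resp, qr_pubkey)                    # S1112/S1113
    shared = False
    if outcome == "confirm":                              # S1114 .. S1116
        shared = dev102.receive_key_pair(dev101.configurator_key_pair)
    return {"outcome": outcome, "key_pair_shared": shared,
            "explicit_denial": bool(resp and Flags.SHARE_DENY in resp.flags)}
```

Note that in the FIG. 12 flow a missing permission ends the requester with an error before the authentication confirmation, so in this model neither the parameters nor the key pair are exchanged in that case.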
Third Embodiment
In the first and second embodiments, the portable device 101 and the portable device 102 notify the key pair sharing request using a frame or a QR code that serves to exchange authentication information. The third embodiment describes the processing in the case where the portable device 101 requests the portable device 102 to share the key pair dedicated to the configurator of the portable device 101 used for setting up the access point 103 by means of a frame used in the communication parameter setting process.
FIG. 14 is a sequence diagram showing the processing between the portable device 101 and the portable device 102 in the third embodiment.
The portable device 102 receives an instruction from the user to share the key pair dedicated to the configurator of the portable device 101, so that it can operate as a configurator providing communication parameters for connecting to the wireless network 104 (S1401). The portable device 102 then displays a QR code on its own display unit 204 and waits for an authentication request (S1402). The processes of S1401 and S1402 are the same as those of S601 and S602 described with reference to FIG. 6.
Meanwhile, when the portable device 101 receives an instruction from the user to start parameter provision (S1403), it captures an image of the QR code displayed by the portable device 102 and acquires the QR code information (S1404, S1405). The portable device 101 generates an authentication request based on the acquired QR code information and transmits it (S1406).
When the portable device 102 receives the authentication request (S1406), it verifies the contents of the authentication request. The portable device 102 verifies the authentication information included in the authentication request and, if it determines that the portable device 101 that sent the authentication request is the device that captured the QR code (authentication success), verifies the role information included in the authentication request (S1407). If the verification of the role information shows that the role of the device that sent the authentication request is a configurator, the portable device 102 generates and transmits an authentication response (S1408). Having transmitted the authentication response to the portable device 101, the portable device 102 waits for an authentication confirmation from the portable device 101. The portable device 101 receives the authentication response (S1408) and, if authentication based on the tag information succeeds, verifies the role information of the portable device 102 included in the authentication response (S1409). If the authentication of the authentication response succeeds and the role information included in the authentication response is determined to indicate an enrollee, the portable device 101 transmits an authentication confirmation to the portable device 102 (S1410). The processes of S1403 to S1410 are the same as those of S403 to S410 described with reference to FIG. 4.
When the portable device 102 receives the authentication confirmation (S1410), it verifies the contents of the authentication confirmation. If the verification of the authentication confirmation determines that authentication has succeeded, the portable device 102 includes information indicating a key pair sharing request in the setting request (S1411). The key pair sharing request is indicated, for example, by setting a predetermined bit of the DPP Configuration Request frame. Although a predetermined bit is used here to indicate the key pair request, the present invention is not limited to this. For example, the role information included in the setting request, which indicates the role after the communication parameters are received, may indicate a role other than "access point" or "device connecting to the wireless network", for example a role representing "configurator". The portable device 102 transmits the setting request generated as described above, including the key pair sharing request (S1412). After transmitting the setting request, the portable device 102 waits for a setting response from the portable device 101, to which it sent the authentication confirmation.
The portable device 101, having received the setting request, checks whether the setting request includes a key pair sharing request (S1413). If the setting request includes a key pair sharing request, the portable device 101 notifies the user by displaying on the display unit 204 that there is a key pair sharing request, and waits for an instruction from the user via the operation unit 203 permitting the sharing of the key pair. If the user permits the sharing of the key pair, the portable device 101 includes information indicating permission to share the key pair in the setting response (S1414). The key pair sharing permission is indicated, for example, by setting a predetermined bit of the DPP Configuration Response frame. The portable device 101 transmits the setting response including the information indicating the key pair sharing permission to the portable device 102 (S1415). Having transmitted the setting response, the portable device 101 encrypts the pair of the secret key and the public key dedicated to its configurator using the shared key between the portable device 101 and the portable device 102, and transmits it to the portable device 102 (S1416). Since the setting response transmitted in S1415 includes the public key dedicated to the configurator of the portable device 101, only the secret key may be transmitted in S1416. Alternatively, the portable device 101 may include the secret key dedicated to its configurator in the setting response transmitted in S1415, in which case the process of S1416 becomes unnecessary.
Although displaying on the display unit 204 that there is a key pair sharing request and accepting a permission instruction from the user via the operation unit 203 is made the condition for sharing the key pair here, the present invention is not limited to this. For example, the key pair may be provided without receiving a permission instruction from the user. Likewise, the process of including information indicating the key pair sharing permission in the setting response may be performed without receiving a permission instruction from the user. In this case, the display indicating that there is a key pair sharing request may be omitted.
On the other hand, if the user does not permit the sharing of the key pair, the key pair provision process (S1416) is not performed. Alternatively, if sharing of the key pair is not permitted, the processing may be terminated without performing the parameter provision process by not transmitting a setting response. Further, if key pair sharing is not permitted, a setting response including information indicating that sharing is not permitted may be transmitted to the portable device 102.
The portable device 102, having received the setting response, checks the information indicating the key pair sharing permission included in the setting response (S1417). If the setting response does not include information indicating the key pair sharing permission, the portable device 102 terminates the parameter reception process. In that case, the portable device 102 may notify the user by displaying an error message on the display unit 204.
Next, the processing of the portable device 101 and the portable device 102 is described with reference to the flowcharts of FIGS. 15, 16A, and 16B.
FIG. 15 is a flowchart showing the process in which the portable device 101, in response to a request from the portable device 102, provides the portable device 102 with the key pair (secret key and public key) of the configurator that it holds. The processing from activating the imaging unit 207 up to receiving the setting request is the same as in FIG. 3 (S301 to S308). FIG. 15 shows the processing after it is determined in the processing of FIG. 3 that a setting request has been received (YES in S308).
The control unit 205 of the portable device 101, having received the setting request transmitted by the portable device 102, determines whether the setting request contains a key pair sharing request (S1501). If it is determined that there is a key pair sharing request, the control unit 205 uses the display unit 204 and the operation unit 203 to ask the user whether the key pair may be shared (S1502). If the user permits sharing (OK in S1502), the key sharing processing unit 212 sets information indicating the sharing permission in the setting response (S1503) and transmits it to the portable device 102 (S1504). On the other hand, if it is determined that the setting request contains no key pair sharing request (NO in S1501), or if the user does not permit sharing (NG in S1502), S1503 is skipped and a setting response without information indicating the sharing permission is transmitted to the portable device 102 (S1504).
Subsequently, the key sharing processing unit 212 provides the portable device 102 with the key pair consisting of the configurator's secret key and public key (S1505). The key pair is encrypted with the shared key. For safety, the provision of the key pair in S1505 may also be performed only when the sharing permission was set in S1503.
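The third-embodiment variant (FIG. 14 and FIG. 15) as an added example that is not part of the patent: the sharing request travels in the DPP Configuration Request either as a flag bit or as a requested role of "configurator", the permission and the configurator public key return in the Configuration Response, and only the secret key follows, encrypted under the shared key and released only if the permission was actually set (the safeguard suggested for S1505). Field names, bit positions, key values and the shared-key encryption (a SHA-256 keystream with an HMAC tag, standing in for an algorithm the patent does not specify) are constructed assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

SHARE_REQUEST_BIT = 0x01  # assumed "predetermined bit" of the DPP Configuration Request
SHARE_PERMIT_BIT = 0x01   # assumed "predetermined bit" of the DPP Configuration Response
TAG_LEN = 32

@dataclass(frozen=True)
class ConfigRequest:
    flags: int
    requested_role: str  # role after parameter receipt; "configurator" also asks for the key pair

@dataclass(frozen=True)
class ConfigResponse:
    flags: int
    network_params: dict
    configurator_pubkey: Optional[bytes]  # S1415: the public key travels in the response

def wants_key_pair(req: ConfigRequest) -> bool:
    """S1413 / S1501: either encoding of the sharing request described for S1411 counts."""
    return bool(req.flags & SHARE_REQUEST_BIT) or req.requested_role == "configurator"

def seal(shared_key: bytes, plaintext: bytes) -> bytes:
    """Constructed shared-key encryption: SHA-256 counter keystream XOR, then an HMAC tag."""
    keystream = b"".join(
        hashlib.sha256(shared_key + i.to_bytes(4, "big")).digest()
        for i in range(len(plaintext) // 32 + 1))
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream))
    return ct + hmac.new(shared_key, ct, hashlib.sha256).digest()

def open_sealed(shared_key: bytes, blob: bytes) -> Optional[bytes]:
    """Check the tag first; return None for a wrong key or a modified blob."""
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(shared_key, ct, hashlib.sha256).digest()):
        return None
    return seal(shared_key, ct)[:-TAG_LEN]  # XOR with the same keystream undoes it

@dataclass
class Configurator:
    """Portable device 101 (FIG. 15): holds the configurator key pair used for AP 103."""
    secret_key: bytes
    public_key: bytes
    shared_key: bytes  # shared key from the authentication phase (constructed value)
    user_permits: bool
    permission_set: bool = False

    def handle_config_request(self, req: ConfigRequest) -> ConfigResponse:
        params = {"ssid": "network104", "credential": "placeholder"}  # constructed parameters
        if wants_key_pair(req) and self.user_permits:      # S1501 YES, S1502 OK
            self.permission_set = True                     # S1503
            return ConfigResponse(SHARE_PERMIT_BIT, params, self.public_key)  # S1504
        return ConfigResponse(0, params, None)             # S1503 skipped

    def provide_secret_key(self) -> Optional[bytes]:
        # S1505 with the safeguard the text suggests: nothing leaves unless S1503 set the permission.
        # Only the secret key is sent (the S1416 variant), the public key already went in the response.
        if not self.permission_set:
            return None
        return seal(self.shared_key, self.secret_key)

@dataclass
class Enrollee:
    """Portable device 102 (FIG. 14, S1411 to S1417)."""
    shared_key: bytes

    def build_config_request(self, by_role: bool = False) -> ConfigRequest:
        # S1411: a flag bit, or alternatively a requested role of "configurator"
        if by_role:
            return ConfigRequest(0, "configurator")
        return ConfigRequest(SHARE_REQUEST_BIT, "sta")

    def receive(self, resp: ConfigResponse, sealed_secret: Optional[bytes]) -> Optional[tuple]:
        # S1417: without the permission, the public key or the encrypted secret key, stop here
        if (not resp.flags & SHARE_PERMIT_BIT or resp.configurator_pubkey is None
                or sealed_secret is None):
            return None
        secret = open_sealed(self.shared_key, sealed_secret)
        return None if secret is None else (secret, resp.configurator_pubkey)

def run_exchange(user_permits: bool, by_role: bool = False, tamper: bool = False) -> Optional[tuple]:
    """One FIG. 14 exchange with constructed keys; returns the key pair device 102 ends up with."""
    shared_key = b"constructed-shared-key-from-dpp-authentication"
    dev101 = Configurator(b"cfg-secret-key", b"cfg-public-key", shared_key, user_permits)
    dev102 = Enrollee(shared_key)
    resp = dev101.handle_config_request(dev102.build_config_request(by_role))  # S1412 .. S1415
    sealed = dev101.provide_secret_key()                                         # S1416
    if tamper and sealed is not None:
        sealed = bytes([sealed[0] ^ 0xFF]) + sealed[1:]  # ciphertext altered in transit
    return dev102.receive(resp, sealed)
```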
FIGS. 16A and 16B are a flowchart showing the process in which the portable device 102, having received an instruction from the user to share the key pair held by the portable device 101, acquires the key pair dedicated to the configurator of the portable device 101 that was used in the setting process of the access point 103.
 携帯機器102の制御部205は、鍵ペアを共有するようにユーザから操作部203を介して指示を受けると、QRコードを生成し、表示部204に表示する(S1601)。その後、制御部205は、認証要求を待ち受ける(S1602)。携帯機器101から認証要求を受信すると、制御部205は、認証を行い、役割情報を検証してその役割がコンフィギュレータであるかを判定する(S1603)。認証に失敗した、または、携帯機器101の役割がコンフィギュレータでないと判定されると(S1603でNO)、制御部205は、表示部204にエラーを示すメッセージを表示(S1612)し、処理を終了する。 When the control unit 205 of the portable device 102 receives an instruction from the user via the operation unit 203 to share the key pair, the control unit 205 generates a QR code and displays the QR code on the display unit 204 (S1601). Thereafter, the control unit 205 waits for an authentication request (S1602). When receiving the authentication request from the portable device 101, the control unit 205 performs authentication, verifies the role information, and determines whether the role is a configurator (S1603). If the authentication fails, or if it is determined that the role of the portable device 101 is not the configurator (NO in S1603), the control unit 205 displays a message indicating an error on the display unit 204 (S1612), and ends the process. .
 一方、S1603において認証成功と判定され、且つ、認証要求を送信した携帯機器101の役割がコンフィギュレータであると判定された場合(S1603でYES)、制御部205は認証応答を送信し(S1604)、携帯機器101からの認証確認を待ち受ける。携帯機器101から認証確認を受信すると(S1605でYES)、制御部205は認証確認に含まれているタグ情報を用いた認証に成功したかを判定する(S1606)。 On the other hand, when it is determined in S1603 that the authentication is successful, and it is determined that the role of the portable device 101 that has transmitted the authentication request is the configurator (YES in S1603), the control unit 205 transmits an authentication response (S1604), It waits for authentication confirmation from the portable device 101. When the authentication confirmation is received from the portable device 101 (YES in S1605), the control unit 205 determines whether the authentication using the tag information included in the authentication confirmation has succeeded (S1606).
 制御部205は、携帯機器101から認証確認を受信するとそのタグ情報を用いて認証を行い、認証に成功すると(S1606でYES)、鍵共有処理部212は、鍵ペアの共有要求を示す情報を設定要求に設定する(S1607)。その後、制御部205は、携帯機器101に共有要求が設定された設定要求を送信し(S1608)、携帯機器101からの設定応答を待ち受ける。一方、S1606において、タグ情報の検証に失敗した場合、制御部205は、表示部204にエラーを示すメッセージを表示し、処理を終了する(S1612)。 When the control unit 205 receives the authentication confirmation from the portable device 101, the authentication is performed using the tag information, and when the authentication is successful (YES in S1606), the key sharing processing unit 212 performs the information indicating the key pair sharing request. The setting request is set (S1607). After that, the control unit 205 transmits a setting request in which the sharing request is set to the portable device 101 (S1608), and waits for a setting response from the portable device 101. On the other hand, if the verification of the tag information fails in S1606, the control unit 205 displays a message indicating an error on the display unit 204, and ends the processing (S1612).
 携帯機器101から設定応答を受信すると(S1609)、制御部205は鍵ペアの共有許可を示す情報が設定応答に含まれているか否かを判定する(S1610)。そして、鍵ペアの共有許可を示す情報が設定応答に含まれていると判定された場合(S110でYES)、鍵共有処理部212は、携帯機器101のコンフィギュレータ専用の鍵ペアを取得する(S1611)。S1610にて鍵ペアの共有許可を示す情報が認証確認に含まれていないと判定された場合(S1610でNO)、制御部205はパラメータ受領処理を終了する、または、表示部204にエラーを示すメッセージを表示し、処理を終了する(S1612)。 When the setting response is received from the portable device 101 (S1609), the control unit 205 determines whether the information indicating permission for sharing the key pair is included in the setting response (S1610). Then, when it is determined that the information indicating permission for sharing the key pair is included in the setting response (YES in S110), the key sharing processing unit 212 acquires a key pair dedicated to the configurator of the portable device 101 (S1611). ). If it is determined in S1610 that the information indicating permission for sharing the key pair is not included in the authentication confirmation (NO in S1610), the control unit 205 ends the parameter reception processing or indicates an error on the display unit 204. The message is displayed, and the process ends (S1612).
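The two flowcharts above describe a single exchange from both ends. What follows is an added example, not code from the patent or from Canon: a Python model in which device 101 (Configurator) and device 102 (Requester) run steps S1501 to S1505 and S1601 to S1612 against each other. Everything about the messages is assumed: the shared key is derived from a constructed bootstrap secret standing in for the QR code contents, the authentication tags are HMAC-SHA256 values, the key pair travels under a keystream cipher with an integrity tag, and the DPP and IEEE 802.11 frame layouts are not reproduced. The model also applies the optional safeguard of S1505 (the key pair is provided only when permission was set in S1503) and covers the failure paths: a peer whose role is not configurator, a mismatched bootstrap secret, and a user who refuses sharing.

```python
"""Added example (not patent text): model of the key pair sharing exchange of
FIGS. 15, 16A and 16B.  Message layout, the HMAC tag and the keystream cipher
are constructed simplifications, not DPP or IEEE 802.11 wire formats."""
import hashlib
import hmac
import secrets

CONFIGURATOR = "configurator"


def derive_shared_key(bootstrap_secret: bytes) -> bytes:
    # Assumed stand-in for the shared key both sides hold after bootstrapping.
    return hashlib.sha256(b"shared-key|" + bootstrap_secret).digest()


def tag(key: bytes, data: bytes) -> bytes:
    """Tag carried in the authentication request and confirmation (assumed HMAC)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(n // 32 + 1))[:n]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC the key pair with the shared key (S1505)."""
    nonce = secrets.token_bytes(16)
    body = bytes(p ^ s for p, s in zip(plaintext, keystream(key, nonce, len(plaintext))))
    return nonce + body + tag(key, nonce + body)


def open_sealed(key: bytes, blob: bytes) -> bytes:
    nonce, body, mac = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(mac, tag(key, nonce + body)):
        raise ValueError("key pair blob failed integrity check")
    return bytes(p ^ s for p, s in zip(body, keystream(key, nonce, len(body))))


class Configurator:
    """Portable device 101: holds the configurator key pair (S1501 to S1505)."""
    def __init__(self, bootstrap_secret, key_pair, user_permits, role=CONFIGURATOR):
        self.key, self.key_pair, self.role = derive_shared_key(bootstrap_secret), key_pair, role
        self.user_permits = user_permits          # stands in for the S1502 user prompt
        self.nonce, self.permitted = secrets.token_bytes(8), False

    def auth_request(self):
        return {"role": self.role, "nonce": self.nonce,
                "tag": tag(self.key, b"auth-req|" + self.nonce)}

    def auth_confirm(self, auth_response):
        return {"tag": tag(self.key, b"auth-conf|" + auth_response["nonce"])}

    def setting_response(self, setting_request):
        # S1501: sharing request present?  S1502: ask the user.  S1503: set the flag.
        self.permitted = bool(setting_request.get("share_request")) and self.user_permits()
        return {"share_permitted": True} if self.permitted else {}

    def provide_key_pair(self):
        # S1505 with the optional safeguard: only after permission was set in S1503.
        return seal(self.key, self.key_pair) if self.permitted else None


class Requester:
    """Portable device 102: obtains the configurator key pair (S1601 to S1612)."""
    def __init__(self, bootstrap_secret):
        self.key, self.nonce = derive_shared_key(bootstrap_secret), secrets.token_bytes(8)
        self.key_pair = None

    def auth_response(self, req):
        # S1603: the tag must verify and the peer's role must be configurator.
        expected = tag(self.key, b"auth-req|" + req["nonce"])
        if not hmac.compare_digest(req["tag"], expected) or req["role"] != CONFIGURATOR:
            return None                                     # S1612
        return {"nonce": self.nonce}                        # S1604

    def setting_request(self, confirm):
        # S1606: verify the tag in the authentication confirmation.
        if not hmac.compare_digest(confirm["tag"], tag(self.key, b"auth-conf|" + self.nonce)):
            return None                                     # S1612
        return {"share_request": True}                      # S1607, S1608

    def accept(self, setting_response, blob):
        # S1610: permission flag present?  S1611: decrypt and store the key pair.
        if not setting_response.get("share_permitted") or blob is None:
            return False                                    # S1612
        self.key_pair = open_sealed(self.key, blob)
        return True


def run_exchange(cfg: Configurator, req: Requester) -> str:
    """Drive both flowcharts; returns the outcome the requester would display."""
    auth_resp = req.auth_response(cfg.auth_request())                           # S1602 to S1604
    setting_req = auth_resp and req.setting_request(cfg.auth_confirm(auth_resp))  # S1605 to S1608
    if not setting_req:
        return "authentication failed"
    resp = cfg.setting_response(setting_req)                                    # S1501 to S1504, S1609
    return "key pair shared" if req.accept(resp, cfg.provide_key_pair()) else "sharing refused"
```

The strings returned by run_exchange correspond to what the requester would show at S1611 or S1612. Only on the "key pair shared" path does req.key_pair hold the decrypted configurator key pair; on every other path it stays None, which is the property the S1610 check is meant to guarantee: a setting response without the permission flag never leads to a decryption attempt, and the configurator side never emits the sealed key pair unless the user said yes.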
<Other Embodiments>
In each of the embodiments described above, a configuration was described in which the information used to set communication parameters is exchanged between devices using a QR Code (registered trademark) image. However, instead of capturing a QR Code (registered trademark), wireless communication such as NFC or Bluetooth (registered trademark) may be used. Wireless communication such as IEEE 802.11ad or TransferJet (registered trademark) may also be used.
 The QR Code (registered trademark) to be read is not limited to one displayed on a display unit; it may be a QR Code affixed to the housing of the communication device in the form of a sticker or the like. The QR Code (registered trademark) to be read may also be one attached to the instruction manual or to packaging such as the cardboard box in which the communication device is sold. A barcode or another two-dimensional code may be used instead of a QR Code. Further, information in a format readable by the user may be used in place of machine-readable information such as a QR Code.
 In each embodiment, the case where communication between devices is performed by wireless LAN communication conforming to IEEE 802.11 was described, but the invention is not limited to this. For example, it may be implemented using a wireless communication medium such as Wireless USB, MBOA, Bluetooth (registered trademark), UWB, ZigBee, or NFC. Here, MBOA stands for Multi Band OFDM Alliance. UWB includes Wireless USB, Wireless 1394, WINET, and the like.
 In each embodiment, the case where communication parameters for connecting to a wireless LAN access point are provided was described, but the invention is not limited to this. For example, communication parameters for connecting to a Wi-Fi Direct (registered trademark) group owner may be provided.
 As described above, according to each embodiment, the pair of private key and public key that a configurator uses to encrypt and decrypt communication parameters can be shared in response to a request from another device or a request from the configurator. As a result, the number of configurators that provide communication parameters for connecting to an access point can easily be increased. For example, within the DPP communication parameter setting procedure, the configurator's key pair can be shared between the configurator and the enrollee without using a storage medium or a separate protocol (for example, HTTP).
 The present invention can also be realized by a process in which a program that implements one or more functions of the above embodiments is supplied to a system or apparatus via a network or a storage medium, and one or more processors in a computer of that system or apparatus read and execute the program. It can also be realized by a circuit (for example, an ASIC) that implements one or more functions.
 The present invention is not limited to the above embodiments, and various changes and modifications can be made without departing from the spirit and scope of the invention. Accordingly, the following claims are appended to make public the scope of the present invention.

Claims (35)

  1.  A communication device that communicates with an external device, comprising:
     authentication means for performing an authentication process by exchanging information for authentication with the external device;
     detection means for detecting, during the authentication process by the authentication means, a request to share unique information used to provide communication parameters; and
     sharing means for sharing the unique information with the external device after authentication by the authentication means has succeeded, when the request is detected by the detection means.
  2.  The communication device according to claim 1, wherein the detection means detects the request by reading an image of code information provided by the external device.
  3.  The communication device according to claim 1, wherein the detection means detects the request from a frame containing information for authentication that the authentication means received from the external device.
  4.  The communication device according to any one of claims 1 to 3, wherein, in response to the request detected by the detection means, permission to share the unique information is included in a frame containing information for authentication that is transmitted to the external device by the authentication means.
  5.  The communication device according to claim 4, wherein the permission is indicated by a predetermined bit of the frame.
  6.  The communication device according to claim 4, wherein the permission is indicated by role information, contained in the frame, representing the role of the communication device.
  7.  The communication device according to any one of claims 4 to 6, further comprising inquiry means for asking the user whether or not to permit sharing of the unique information when the request is detected by the detection means.
  8.  The communication device according to any one of claims 3 to 7, wherein the frame is a frame for performing authentication conforming to IEEE 802.11.
  9.  A communication device that communicates with an external device, comprising:
     operation means for accepting an instruction from a user to share unique information used to provide communication parameters;
     authentication means for performing authentication by exchanging information for authentication with the external device;
     confirmation means for confirming, during authentication by the authentication means, that the external device has permitted sharing the unique information with the external device, when the instruction from the user is accepted by the operation means; and
     sharing means for sharing the unique information with the external device after authentication by the authentication means has succeeded, when the permission is confirmed by the confirmation means.
  10.  The communication device according to claim 9, further comprising request means for requesting the external device to share the unique information with the external device when the instruction from the user is accepted by the operation means.
  11.  The communication device according to claim 10, wherein the request means includes the request in a frame of information for authentication transmitted by the authentication means.
  12.  The communication device according to claim 11, wherein the request is indicated using a predetermined bit of the frame.
  13.  The communication device according to claim 11, wherein the request is indicated using role information, contained in the frame, representing the role of the communication device.
  14.  The communication device according to any one of claims 11 to 13, wherein the frame is a frame for performing authentication conforming to IEEE 802.11.
  15.  The communication device according to claim 10, wherein the request means includes the request in an image of code information to be read by the external device.
  16.  The communication device according to any one of claims 1 to 15, wherein the communication device is a providing device that provides communication parameters to the external device, and
     the sharing means provides the communication parameters and the unique information.
  17.  The communication device according to any one of claims 1 to 15, wherein the communication device is a device that receives provision of communication parameters from the external device, and
     the sharing means acquires the unique information from the external device.
  18.  The communication device according to claim 17, wherein the sharing means acquires the communication parameters and the unique information from the external device.
  19.  A communication device that provides communication parameters to an external device, comprising:
     authentication means for performing an authentication process by exchanging information for authentication with the external device;
     detection means for detecting, after authentication by the authentication means has succeeded, a request to share unique information used to provide communication parameters; and
     sharing means for sharing the unique information with the external device when the request is detected by the detection means.
  20.  The communication device according to claim 19, further comprising inquiry means for asking the user whether or not to permit sharing of the unique information when the request is detected by the detection means.
  21.  The communication device according to claim 19 or 20, wherein the sharing means provides the communication parameters and the unique information.
  22.  A communication device that receives provision of communication parameters from an external device, comprising:
     operation means for accepting an instruction from a user to share unique information used to provide communication parameters;
     authentication means for performing an authentication process by exchanging information for authentication with the external device;
     request means for requesting the external device, after authentication by the authentication means has succeeded, to share the unique information with the external device, when the instruction from the user is accepted by the operation means; and
     sharing means for sharing the unique information with the external device.
  23.  The communication device according to claim 22, wherein the sharing means acquires the unique information from the external device.
  24.  The communication device according to claim 23, wherein the sharing means acquires the communication parameters and the unique information from the external device.
  25.  The communication device according to any one of claims 19 to 21, wherein the detection means detects the request from a frame received after authentication by the authentication means has succeeded.
  26.  The communication device according to any one of claims 22 to 24, wherein the request means includes the request in a frame for requesting communication parameters transmitted by the authentication means.
  27.  The communication device according to claim 25 or 26, wherein the request is indicated using a predetermined bit of the frame.
  28.  The communication device according to claim 25 or 26, wherein the request is indicated using role information, contained in the frame, representing the role of the external device.
  29.  The communication device according to any one of claims 25 to 28, wherein the frame is a frame for requesting communication parameters conforming to IEEE 802.11.
  30.  The communication device according to any one of claims 1 to 18, wherein the unique information includes a private key used to encrypt the communication parameters when the communication parameters are provided.
  31.  A control method of a communication device that communicates with an external device, comprising:
     an authentication step of performing an authentication process by exchanging information for authentication with the external device;
     a detection step of detecting, during the authentication process in the authentication step, a request to share unique information used to provide communication parameters; and
     a sharing step of sharing the unique information with the external device after authentication in the authentication step has succeeded, when the request is detected in the detection step.
  32.  A control method of a communication device that communicates with an external device, comprising:
     an input step of accepting an instruction from a user to share unique information used to provide communication parameters;
     an authentication step of performing authentication by exchanging information for authentication with the external device;
     a confirmation step of confirming, during authentication in the authentication step, that the external device has permitted sharing the unique information with the external device, when the instruction from the user is accepted in the input step; and
     a sharing step of sharing the unique information with the external device after authentication in the authentication step has succeeded, when the permission is confirmed in the confirmation step.
  33.  A control method for providing communication parameters to an external device, comprising:
     an authentication step of performing an authentication process by exchanging information for authentication with the external device;
     a detection step of detecting, after authentication in the authentication step has succeeded, a request to share unique information used to provide communication parameters; and
     a sharing step of sharing the unique information with the external device when the request is detected in the detection step.
  34.  A control method of a communication device that receives provision of communication parameters from an external device, comprising:
     an input step of accepting an instruction from a user to share unique information used to provide communication parameters;
     an authentication step of performing an authentication process by exchanging information for authentication with the external device;
     a request step of requesting the external device, after authentication in the authentication step has succeeded, to share the unique information with the external device, when the instruction from the user is accepted in the input step; and
     a sharing step of sharing the unique information with the external device.
  35.  A program for causing a computer to function as each means of the communication device according to any one of claims 1 to 30.
PCT/JP2018/025342 2017-07-28 2018-07-04 Communication device, control method for communication device and program WO2019021770A1 (en)

Priority Applications (4)

Application Number Priority Date Filing Date Title
CN201880049650.1A CN110999351B (en) 2017-07-28 2018-07-04 Communication device, control method for communication device, and program
EP18837789.9A EP3637814B1 (en) 2017-07-28 2018-07-04 Communication device, control method for communication device and program
KR1020207004920A KR102283325B1 (en) 2017-07-28 2018-07-04 Communication device, control method of communication device, and program
US16/743,401 US20200154276A1 (en) 2017-07-28 2020-01-15 Communication device, control method for communication device, and non-transitory computer-readable storage medium

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
JP2017-146799 2017-07-28
JP2017146799 2017-07-28
JP2018082463A JP7109243B2 (en) 2017-07-28 2018-04-23 COMMUNICATION DEVICE, COMMUNICATION DEVICE CONTROL METHOD AND PROGRAM
JP2018-082463 2018-04-23

Related Child Applications (1)

Application Number Title Priority Date Filing Date
US16/743,401 Continuation US20200154276A1 (en) 2017-07-28 2020-01-15 Communication device, control method for communication device, and non-transitory computer-readable storage medium

Publications (1)

Publication Number Publication Date
WO2019021770A1 true WO2019021770A1 (en) 2019-01-31

Family

ID=65040158

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2018/025342 WO2019021770A1 (en) 2017-07-28 2018-07-04 Communication device, control method for communication device and program

Country Status (2)

Country Link
JP (1) JP7353433B2 (en)
WO (1) WO2019021770A1 (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2017028455A (en) * 2015-07-21 2017-02-02 キヤノン株式会社 Communication device, control method therefor and program
JP2017028457A (en) * 2015-07-21 2017-02-02 キヤノン株式会社 Communication device, communication method and program

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2020217811A1 (en) * 2019-04-22 2020-10-29 キヤノン株式会社 Communication device, control method of communication device, and program
CN113711633A (en) * 2019-04-22 2021-11-26 佳能株式会社 Communication device, and control method and program for communication device
JP7387283B2 (en) 2019-04-22 2023-11-28 キヤノン株式会社 Communication device, control method and program for communication device

Also Published As

Publication number Publication date
JP7353433B2 (en) 2023-09-29
JP2022141827A (en) 2022-09-29

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 18837789; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
ENP Entry into the national phase (Ref document number: 2018837789; Country of ref document: EP; Effective date: 20200109)
ENP Entry into the national phase (Ref document number: 20207004920; Country of ref document: KR; Kind code of ref document: A)