CN118215046A - Equipment public key certificate acquisition method and communication device - Google Patents
- Publication number: CN118215046A (application CN202410430380.6A)
- Authority: CN (China)
- Prior art keywords: access device, message, public key, key certificate, access
- Prior art date
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/06—Authentication
- H04W12/069—Authentication using certificates or pre-shared keys
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3263—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/08—Access security
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Mobile Radio Communication Systems (AREA)
Abstract
The application provides a method for acquiring the public key certificate of a device, and a communication device. A configuration device receives a first message from a first access device, the first message requesting the public key certificate of the first access device; sends a second message to the wireless network, the second message notifying the wireless network to open the service set identifier to serve the first access device; receives a third message from the first access device, the third message indicating the public key certificate of the first access device; and acquires the public key certificate of the first access device according to the third message. With this method the public key certificate of the access device can be obtained online, which on the one hand reduces the potential security risk and on the other hand improves the efficiency of obtaining the public key certificate compared with scanning a code.
Description
Technical Field
The present application relates to the field of communications technologies, and in particular, to a method for obtaining a public key certificate of a device and a communications device.
Background
In the third-generation Wi-Fi security standard published by the Wi-Fi (Wireless Fidelity) Alliance, a Device Provisioning Protocol (DPP) is proposed. DPP is intended to join different devices (such as routers, mobile phones and various Internet of Things devices) to a network through a configurator. DPP typically comprises four processing flows: Bootstrapping, Authentication, Configuration and Network Introduction. The Bootstrapping flow is mainly used to obtain the public key certificates of access devices (such as the router and the mobile phone); the Authentication flow is mainly used to authenticate the public key certificate of the access device; in the Configuration flow, the access device generally initiates a configuration request to the configurator, the information sent is encrypted with a key, and the configurator sends configuration information to the access device after receiving the request; the Network Introduction flow generally provides the access device with an introduction from the configurator, with which the access device initiates a connection request to the network access point and thereby enters the Wi-Fi connection procedure.
In the Bootstrapping flow, the configurator typically obtains the public key certificate of a device by scanning the device's two-dimensional code. If the two-dimensional code of the device has been replaced, the configurator cannot obtain the real public key certificate of the device. In addition, when a large number of devices need to join a network, the configurator has to scan the two-dimensional codes of all of those devices to obtain their public key certificates, which is inefficient.
Disclosure of Invention
The application provides a method and an apparatus for acquiring the public key certificate of a device, which reduce the potential security risks present in the process of acquiring the device certificate.
In a first aspect, the application provides a method for obtaining the public key certificate of a device. The method is applied to a configuration device, which may be understood as a device such as a mobile phone (the application does not specifically limit this), and proceeds as follows:
receiving a first message from a first access device, the first message comprising the service set identifier requested by the first access device and being used to request the public key certificate of the first access device; sending a second message to the wireless network so that the first access device can obtain its public key certificate after accessing the wireless network, the second message notifying the wireless network to open the service set identifier to serve the first access device; receiving a third message from the first access device, the third message indicating the public key certificate of the first access device; and acquiring the public key certificate of the first access device according to the third message.
In the application, the configuration device receives the first message from the first access device, sends the second message to the wireless network to inform it to allow the first access device to access the network and acquire its certificate, and receives the third message from the first access device to acquire the public key certificate of the first access device. With this method the public key certificate of the access device can be obtained online; compared with scanning a code, the potential security risk is reduced and the efficiency of obtaining the public key certificate is improved. At the same time, obtaining the public key certificate online avoids pre-installing a certificate in the access device when it leaves the factory, which reduces the factory cost of the access device.
In one possible implementation, the first message further comprises the address of the first access device, and before the second message is sent to the wireless network the method further comprises: determining the association between a preconfigured address list and the address of the first access device, where the preconfigured address list indicates the addresses of access devices that are allowed to acquire a public key certificate; and determining, according to that association, that the preconfigured address list contains the address of the first access device.
In this way, the application determines from the first message whether the service set identifier belongs to the wireless network and, if so, determines the association between the preconfigured address list and the address of the first access device, confirming that the address of the first access device is contained in the preconfigured address list. Confirming the service set identifier of the first access device avoids access failures of the first access device, and verifying its address guarantees the security of device access, prevents unknown devices from accessing the network, and reduces potential security risks.
In one possible implementation, the configuration device sends the address of the first access device to a certificate server and receives a response message from the certificate server, the response message indicating that the preconfigured address list contains the address of the first access device.
In this way, the configuration device sends the address of the first access device to the certificate server, and whether the address of the first access device is contained in the preconfigured address list is looked up against the preconfigured address list held in the certificate server. Access devices can thus be controlled: unknown devices are prevented from accessing the network and only access devices in the preconfigured address list are allowed to access it, which guarantees the security of device access and reduces potential risks.
In one possible implementation, the third message comprises the public key certificate of the first access device.
In this case the third message carries the public key certificate of the first access device itself, so the configuration device can acquire it directly, which improves data processing efficiency.
In one possible implementation, the third message comprises a public key certificate acquisition notification of the first access device, which instructs the configuration device to acquire the public key certificate of the first access device from the certificate server.
In this case the third message carries a notification that the public key certificate of the first access device can be acquired, so the configuration device fetches the certificate itself once it has determined that the certificate is available. This avoids the potential security risk of the public key certificate being tampered with by a device other than the sender when it is transmitted directly by the first access device.
In a second aspect, the application provides a method for obtaining the public key certificate of a device. The method is applied to a first access device, which may be understood as a mobile phone, an Internet of Things device or the like (the application does not specifically limit this), and proceeds as follows:
sending a first message to the configuration device so that the configuration device informs the wireless network to open the service set identifier requested by the first access device, the first message comprising the service set identifier requested by the first access device and being used to request the public key certificate of the first access device; determining that the wireless network has opened the service set identifier; acquiring the public key certificate of the first access device through the wireless network; and sending a third message to the configuration device, the third message indicating the public key certificate of the first access device.
With this method the public key certificate of the access device can be obtained online, which on the one hand reduces the potential security risk and on the other hand improves the efficiency of obtaining the public key certificate compared with scanning a code.
In one possible implementation, obtaining the public key certificate of the first access device through the wireless network comprises: sending a public key certificate request message of the first access device to the certificate server through the wireless network; and receiving a response message from the certificate server, the response message comprising the public key certificate of the first access device.
In this way, the security of the process of acquiring the public key certificate of the first access device is ensured.
In one possible implementation, the third message comprises the public key certificate of the first access device.
In one possible implementation, the third message comprises a public key certificate acquisition notification of the first access device, which instructs the configuration device to acquire the public key certificate of the first access device from the certificate server.
In one possible implementation, the first message further comprises the address of the first access device.
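The exchange described in the first and second aspects, worked through end to end as an added example; this is not code from the patent or from any DPP implementation. The message field names, the certificate server interface, the SSID, the device addresses and the placeholder certificate strings are all assumptions constructed for the example, and both variants of the third message (certificate carried directly, or an acquisition notice that makes the configurator fetch it from the certificate server) are exercised.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# Constructed sample values (assumptions, not from the patent).
SAMPLE_SSID = "corp-onboarding"
ALLOWED_ADDRESSES = {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}

@dataclass
class FirstMessage:   # first access device -> configuration device
    ssid: str         # service set identifier the device asks for
    address: str      # device address, checked against the preconfigured list

@dataclass
class SecondMessage:  # configuration device -> wireless network
    ssid: str
    address: str

@dataclass
class ThirdMessage:   # first access device -> configuration device
    address: str
    certificate: Optional[str] = None  # variant 1: the certificate itself
    acquisition_notice: bool = False   # variant 2: "fetch it from the certificate server"

class CertificateServer:
    """Holds the preconfigured address list and issues certificates to listed devices."""
    def __init__(self, allowed: Set[str]):
        self.allowed = set(allowed)
        self.issued: Dict[str, str] = {}

    def address_is_listed(self, address: str) -> bool:
        return address in self.allowed

    def issue(self, address: str) -> Optional[str]:
        if address not in self.allowed:
            return None
        # Placeholder certificate body; a deployment would return an X.509 certificate.
        return self.issued.setdefault(address, f"CERT-FOR-{address}")

    def lookup(self, address: str) -> Optional[str]:
        return self.issued.get(address)

class WirelessNetwork:
    """Lets an address join an SSID only after the configurator opened it for that address."""
    def __init__(self, ssid: str, cert_server: CertificateServer):
        self.ssid = ssid
        self.cert_server = cert_server
        self.opened: Set[Tuple[str, str]] = set()

    def handle_second_message(self, msg: SecondMessage) -> None:
        if msg.ssid == self.ssid:
            self.opened.add((msg.ssid, msg.address))

    def request_certificate(self, ssid: str, address: str) -> Optional[str]:
        if (ssid, address) not in self.opened:
            return None  # SSID not opened for this device: no access, no certificate
        return self.cert_server.issue(address)

class ConfigurationDevice:
    def __init__(self, network: WirelessNetwork, cert_server: CertificateServer):
        self.network = network
        self.cert_server = cert_server
        self.certificates: Dict[str, str] = {}

    def handle_first_message(self, msg: FirstMessage) -> bool:
        if msg.ssid != self.network.ssid:  # requested SSID must belong to our network
            return False
        if not self.cert_server.address_is_listed(msg.address):  # unknown device: refuse
            return False
        self.network.handle_second_message(SecondMessage(msg.ssid, msg.address))
        return True

    def handle_third_message(self, msg: ThirdMessage) -> Optional[str]:
        if msg.certificate is not None:
            cert = msg.certificate
        elif msg.acquisition_notice:
            cert = self.cert_server.lookup(msg.address)  # fetch it ourselves
        else:
            return None
        if cert is not None:
            self.certificates[msg.address] = cert
        return cert

def run_enrollment(address: str, ssid: str, carry_certificate: bool) -> Optional[str]:
    """Drive the whole exchange; return the certificate the configurator ends up with."""
    server = CertificateServer(ALLOWED_ADDRESSES)
    network = WirelessNetwork(SAMPLE_SSID, server)
    configurator = ConfigurationDevice(network, server)
    if not configurator.handle_first_message(FirstMessage(ssid, address)):
        return None
    cert = network.request_certificate(ssid, address)  # access device, via the network
    if cert is None:
        return None
    third = ThirdMessage(address, certificate=cert) if carry_certificate else ThirdMessage(address, acquisition_notice=True)
    return configurator.handle_third_message(third)
```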
In a third aspect, an embodiment of the application provides an apparatus for obtaining the public key certificate of a device, applied to a configuration device, comprising a transceiver unit and a processing unit.
The transceiver unit is used to receive a first message from the first access device, the first message comprising the service set identifier requested by the first access device and being used to request the public key certificate of the first access device; the processing unit is used to send a second message to the wireless network so that the first access device can obtain its public key certificate after accessing the wireless network, the second message notifying the wireless network to open the service set identifier to serve the first access device; the transceiver unit is further used to receive a third message from the first access device, the third message indicating the public key certificate of the first access device; and the processing unit is further used to acquire the public key certificate of the first access device according to the third message.
In a possible implementation, the first message further comprises the address of the first access device.
In a possible implementation, the processing unit is further configured to: determine the association between a preconfigured address list and the address of the first access device, where the preconfigured address list indicates the addresses of access devices that are allowed to acquire a public key certificate; and determine, according to that association, that the preconfigured address list contains the address of the first access device.
In a possible implementation, the transceiver unit is specifically configured to: send the address of the first access device to a certificate server; and receive a response message from the certificate server, the response message indicating that the preconfigured address list contains the address of the first access device.
In one possible implementation, the third message comprises the public key certificate of the first access device.
In one possible implementation, the third message comprises a public key certificate acquisition notification of the first access device, which instructs the configuration device to acquire the public key certificate of the first access device from the certificate server.
In a fourth aspect, an embodiment of the application provides an apparatus for obtaining the public key certificate of a device, applied to a first access device, comprising a transceiver unit and a processing unit.
The transceiver unit is used to send a first message to the configuration device so that the configuration device informs the wireless network to open the service set identifier requested by the first access device, the first message comprising the service set identifier requested by the first access device and being used to request the public key certificate of the first access device; the processing unit is configured to determine that the wireless network has opened the service set identifier; the processing unit is further used to acquire the public key certificate of the first access device through the wireless network; and the transceiver unit is further used to send a third message to the configuration device, the third message indicating the public key certificate of the first access device.
In a possible implementation, the transceiver unit is specifically configured to: send a public key certificate request message of the first access device to the certificate server; and receive a response message from the certificate server, the response message comprising the public key certificate of the first access device.
In one possible implementation, the third message comprises the public key certificate of the first access device.
In one possible implementation, the third message comprises a public key certificate acquisition notification of the first access device, which instructs the configuration device to acquire the public key certificate of the first access device from the certificate server.
In one possible implementation, the first message further comprises the address of the first access device.
In a fifth aspect, the application further provides a computing device comprising a memory for storing program instructions and a processor for calling the program instructions stored in the memory and executing any of the methods of the first or second aspect according to the obtained program instructions.
In a sixth aspect, the application further provides a computer-readable storage medium storing computer-readable instructions which, when read and executed by a computer, implement any of the methods of the first or second aspect described above.
In a seventh aspect, the application provides a computer program product comprising a computer program executable by a computer device, which, when run on the computer device, causes the computer device to perform any of the methods of the first or second aspect described above.
The technical effects achieved by the third to seventh aspects are as described for the corresponding possible designs of the first and second aspects and are not repeated here.
Additional features and advantages of the application will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by practice of the application. The objectives and other advantages of the application will be realized and attained by the structure particularly pointed out in the written description and claims thereof as well as the appended drawings.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings that are needed in the description of the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is an application scenario diagram provided in an embodiment of the present application;
Fig. 2 is a schematic flow chart of a device provisioning protocol according to an embodiment of the present application;
Fig. 3 is a schematic flow chart of a device provisioning protocol according to an embodiment of the present application;
Fig. 4 is a schematic diagram of a method for obtaining a public key certificate of a device according to an embodiment of the present application;
Fig. 5 is a schematic diagram of a method for obtaining a public key certificate of a device according to an embodiment of the present application;
Fig. 6 is a schematic diagram of an apparatus for obtaining a public key certificate of a device according to an embodiment of the present application;
Fig. 7 is a schematic diagram of an apparatus for obtaining a public key certificate of a device according to an embodiment of the present application;
Fig. 8 is a schematic structural diagram of a computing device according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention more clear, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention.
In the following embodiments of the application, "and/or" describes an association between associated objects and indicates that three relationships may exist; for example, A and/or B may indicate: A alone, A and B together, or B alone, where A and B may be singular or plural. The character "/" generally indicates that the associated objects before and after it are in an "or" relationship. "At least one of the following items" or similar refers to any combination of these items, including any combination of single items or plural items. For example, at least one of a, b or c may represent: a, b, c, a-b, a-c, b-c, or a-b-c, where a, b and c may be single or plural. The singular forms "a", "an" and "the" are intended to include "one or more" unless the context clearly indicates otherwise. And, unless specified to the contrary, the ordinal words "first", "second", etc. in the embodiments of the application are used to distinguish between multiple objects and do not limit the order, timing, priority or importance of those objects.
Reference in the specification to "one embodiment" or "some embodiments" or the like means that a particular feature, structure, or characteristic described in connection with the embodiment is included in one or more embodiments of the application. Thus, appearances of the phrases "in one embodiment," "in some embodiments," "in other embodiments," and the like in the specification are not necessarily all referring to the same embodiment, but mean "one or more but not all embodiments" unless expressly specified otherwise. The terms "comprising," "including," "having," and variations thereof mean "including but not limited to," unless expressly specified otherwise.
As background art, currently, with the push of the third generation Wi-Fi security protocol (Wi-Fi Protected Access, wpa 3) in the Wi-Fi alliance (Wi-FI ALLIANCE authentication, WFA), new protocols such as peer-to-peer authentication protocol (Simultaneous Authentication of Equals, SAE), opportunistic wireless encryption protocol (Opportunitistic Wireless Encryption, OWE), and device on-line protocol (Device Provision Protocol, DPP) are mentioned. The new protocols such as SAE and OWE have due scenes and can be directly popularized through software upgrading, and the DPP protocol is supported by android equipment but is not promoted in the market. The DPP protocol is proposed to join different access devices (e.g. routers, handsets or various internet of things devices, etc.) to the network by configuring the devices (Configurator). For example, in the practical application process, a mobile phone is generally used as a configuration device, a two-dimensional code carried on a certain Access device (Enrolee) is scanned, information such as a public key certificate of the Access device is obtained through the two-dimensional code, and configuration operation is completed through the mobile phone, so that the Access device can be connected with a configured wireless Access Point (AP), and further the Access device is connected with a target network to complete network configuration of the Access device.
Fig. 1 is an application scenario of the DPP protocol according to the embodiment of the present application, and as shown in fig. 1, the application scenario of the embodiment of the present application includes an access device 10, a configuration device 20 and a wireless network 30; the configuration device 20 is configured to access the access device 10 to the wireless network 30, so as to realize access of the access device 10 to the wireless network 30. In practical application, the access device may be multiple different types of devices, for example, the access device may be a printer 101, a television 102 or a mobile phone 103, or the access device may also be other devices that need to access a wireless network, and in an application scenario of the present application, multiple different access devices may exist at the same time, or only one access device may exist, which is not limited by the embodiment of the present application. Likewise, the configuration device 20 may be a plurality of different devices that can access the access device to the internet, for example, the access device 10 may be a mobile phone 201, a tablet computer 202, or other devices, and in an actual application scenario of the present application, a plurality of different configuration devices may exist at the same time, or only one configuration device may exist, which is not limited in the embodiment of the present application. The wireless network 30 is a wireless network that the access device wants to access or access, and in practical application, the wireless network in the embodiment of the present application may be a centralized control wireless network formed by a controller-based access Point architecture (FIT ACCESS Point, thin AP) and a wireless controller, or may be a wireless network formed by a conventional independent access Point architecture (FAT ACCESS Point, fat AP), which is not limited in the embodiment of the present application.
The DPP protocol is a protocol supporting access of an access device to a network, and in order to realize its functions, four main flows are usually required, which are a preprocessing flow (Bootstrapping), an Authentication flow (Authentication), a Configuration flow (Configuration), and a network introduction flow (Network introduction), respectively, as shown in fig. 2 below.
The Bootstrapping procedure is mainly used to obtain the public key certificate of an access device (such as a router, a mobile phone, etc.). Public key certificates are typically encrypted using Diffie-Hellman algorithms, and the obtained public key certificate is used to support the subsequent flows of the DPP protocol. The Wi-Fi Alliance standard document mentions many ways of implementing the Bootstrapping process; for example, a device supporting the DPP protocol usually carries a two-dimensional code (QR code) tag, and a configuration device can obtain the public key certificate of the corresponding access device by scanning that tag. The public key certificate can also be obtained through Near Field Communication (NFC), Bluetooth transmission and the like.
The Authentication process is mainly used to authenticate the public key certificate of the access device. Specifically, the party that initiates the Authentication flow is called the Initiator, and the other party is called the Responder; when the Authentication process completes, the Initiator is convinced that the Responder is indeed the true owner of the public key certificate it acquired, and it is determined which party is the configuration device and which party is the access device. In addition, the process generates the session keys used in the subsequent Configuration process.
In the Configuration flow, the access device generally initiates a configuration request to the configurator, with the sent information encrypted under the session key, and the configurator sends the configuration information to the access device after receiving the request. In the Configuration phase the access device also needs to tell the configuration device whether it is a station (an ordinary device) or an access point; the access device may also itself be a configuration device. After receiving the request message, the configuration device sends configuration information to the access device, which comprises the Service Set Identifier (SSID) of the target network, the Authentication and Key Management (AKM) type and the Credential information. This information is provided according to the type of the target network and the version of the DPP protocol, and information such as a Pre-Shared Key and a Connector may also be provided according to the requirements. If the credential information received by the access device is a pre-shared key, the DPP flow ends and the network connection process is entered directly.
Network Introduction generally uses the introduction that the configurator provided to the access device: the access device initiates a connection request to the network access point by means of the introduction, and thereby enters the Wi-Fi connection procedure. This flow only occurs when the access device is a station rather than an access point and the reply message received during the Configuration phase contains a Connector; it takes place between the station and the access point, independently of the configuration device. The access device initiates a connection to the access point using the introduction (for example, the Connector) acquired from the configuration device and sends a DPP Peer Discovery Request to the access point; after receiving the request, the access point generates a Pairwise Master Key (PMK) from the acquired information and replies with a response message, and after receiving the reply the access device derives the same Pairwise Master Key and enters the Wi-Fi connection procedure.
Through these four processes the DPP protocol can be completely implemented. In practice the Bootstrapping process proceeds as shown in fig. 3 below: the configuration device obtains the Bootstrapping information of an access device offline through an out-of-band mechanism (for example, scanning a two-dimensional code, NFC, Bluetooth exchange, etc.). The Bootstrapping information of the first access device is a DPP presence announcement, which the first access device sends to the configuration device and which comprises the public key certificate of the access device, a global operating class/channel and a channel list for DPP authentication. During this time the access device may optionally send a presence announcement to the configuration device so that the configuration device can discover it. However, because the DPP protocol specifies that the key certificate of the access device is obtained offline through an out-of-band mechanism, for example by scanning a two-dimensional code, NFC or Bluetooth with a mobile phone, security holes appear easily in the acquisition of the public key certificate: a two-dimensional code that cannot be replaced in time may go unnoticed, so that the configurator cannot obtain the real public key certificate of the device. Moreover, obtaining certificates separately by two-dimensional code and configuring devices one by one is cumbersome in operation: a mobile phone is required as the configurator and must operate separately on each access device. This is more suitable for home use; when a large number of devices need to join a network, the configurator must repeatedly scan the two-dimensional codes of a large number of devices to obtain their public key certificates, and the efficiency is low.
To solve these problems, the embodiment of the application provides a device public key certificate acquisition method for the Bootstrapping process of the DPP protocol, described from the perspectives of the configuration device and of the access device respectively; it realizes online acquisition and subsequent transmission of the public key certificate of the access device, and online acquisition of that certificate by the configuration device. The method for obtaining a device public key certificate from the perspective of the configuration device is shown in fig. 4 and may be performed through interaction of the configuration device, the wireless network and the first access device; the application is not particularly limited in this respect. The configuration device may be a device comprising a memory, a processor, etc., for example a mobile phone or a tablet computer; the first access device may be a device that needs to access a wireless network, for example a mobile phone, a smart television or a smart refrigerator; and the wireless network may be a wireless network provided by a wireless router or the like. For example, the configuration device is a mobile phone and the first access device is a smart refrigerator, or the configuration device is a tablet computer and the first access device is a mobile phone. In practice the number of configuration devices and first access devices is not limited: there may be one or more configuration devices and one or more first access devices, and the following description uses one configuration device as an example. The method includes the following steps:
In step 401, the first access device sends a first message to the configuration device. Accordingly, the configuration device receives the first message.
Wherein the first message includes the service set identifier requested by the first access device, and the first message is used to request a public key certificate for the first access device.
Specifically, the first access device sends a first message to the configuration device, where the first message may be a DPP protocol online announcement (DPP Presence Announcement), and the announcement includes the service set identifier that the access device needs to access in order to obtain the certificate. For example, the access device carries the DPP protocol online announcement in a Probe Request frame or a Beacon frame; the configuration device receives the announcement and obtains from it the service set identifier that the first access device requests to access.
In one possible implementation, the first message may further comprise an address of the first access device.
The address of the first access device may be a physical address, a Media Access Control (MAC) address, a local area network (LAN) address, or another form of address capable of identifying the first access device, which is not limited in this application. The service set identifier that the first access device requests to access ensures that the first access device joins the specific wireless network through the correct service set identifier, and performs data transmission and communication in that network.
Specifically, after the configuration device determines that the service set identifier belongs to the wireless network, it determines the association relationship between the preconfigured address list and the address of the first access device.
Wherein the preconfigured address list is used to indicate the addresses of the access devices that are allowed to obtain public key certificates.
In implementation, after the configuration device receives the first message from the first access device, it sends the address of the first access device to the certificate server. The certificate server (Certificate Authority, CA) manages public key certificates so as to ensure that the party obtaining a certificate is authorized; that is, the certificate server guarantees the identities of the parties to an information exchange and secures the exchange.
Further, the configuration device receives a response message from the certificate server, the response message indicating that the pre-configured address list includes an address of the first access device.
Specifically, for security, the addresses of the target access devices are also preconfigured in the certificate server; the target access devices are the access devices allowed to access the network, and in the DPP protocol flow only access devices whose addresses are in the address list of the certificate server are allowed to apply for a certificate online.
In one possible implementation, after the configuration device receives the first message from the first access device, it first needs to verify with the certificate server whether the address of the first access device is legal. Taking the acquired address as a physical address as an example: if the certificate server obtains the physical address "01100100.00000100.00000101.01100100" of a first access device, it first splits the address on the "." symbol into four groups of binary digits, namely "01100100", "00000100", "00000101" and "01100100". The certificate server then checks whether the split yields exactly four groups; if not, the address is illegal. For example, the address "01100100.00000100.00000101.01100100.01100100" splits into five groups and is therefore illegal. If there are four groups, it continues by checking whether each group consists only of digits and, if so, whether the value of each binary group lies between 0 and 255 in decimal; if not, the address is illegal. For example, the address "01100100.00000100.00000101.01100100" above converts to "100.4.5.100" in decimal, so the four binary groups become "100", "4", "5" and "100" after conversion: all four groups are numbers and all lie between 0 and 255, so the address is legal. If any group of the address has a value outside 0 to 255, or any group is not a number, the address is illegal. If the address information in the first message is illegal, address verification fails and the address information is discarded.
It should be noted that the above process of verifying the validity of the physical address is only an example; a local area network address or a MAC address may also be verified in other ways, which is not limited by the present application.
Further, after the address validity judgment is completed, the certificate server further judges whether the address of the first access device exists in the preconfigured address list. If so, the address verification passes, the configuration device broadcasts a second message, and the wireless network is informed to open the corresponding service set identifier; if not, the address information is discarded. For example, after the certificate server obtains the address "01100100.00000100.00000101.01100100.01100100", it first determines that the address is legal, then queries the address "01100100.00000100.00000101.01100100.01100100" in the preconfigured address list; if the address exists in the preconfigured address list, the address check passes, and if the address does not exist in the preconfigured address list, the address verification fails and the address information is discarded.
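As an added example that is not part of the patent, the certificate server's address check described above can be written in Python as follows. The function mirrors the stated order of checks (split on ".", exactly four groups, every group made of digits, every value within 0 to 255 in decimal) and then tests membership in the preconfigured address list. The patent shows its sample address as 8-bit binary groups and also in the decimal form "100.4.5.100", so the code accepts both bases and compares addresses in canonical decimal form; the class and function names, the `base` parameter and the sample allow list are assumptions of this example.

```python
"""Certificate-server address check from the Bootstrapping flow above.
Added example, not the patent's code: names and the sample allow list are
constructed. Groups are read in base 2 (the patent's "01100100...." form) or
base 10 ("100.4.5.100") and compared in canonical decimal form."""
from enum import Enum
from typing import List, Optional, Tuple


class Verdict(Enum):
    ILLEGAL_FORMAT = "illegal: address format rejected"
    NOT_IN_LIST = "rejected: address not in preconfigured list"
    ALLOWED = "allowed: address legal and preconfigured"


def parse_address(addr: str, base: int = 2) -> Optional[Tuple[int, ...]]:
    """Return the four group values in decimal, or None if the address is illegal.

    The checks run in the order the patent lists them: split on ".", require
    exactly four groups, require every group to be digits of the given base,
    require every value to lie within 0..255.
    """
    groups = addr.split(".")
    if len(groups) != 4:
        return None                          # e.g. five groups -> illegal
    values = []
    for group in groups:
        if not (group.isascii() and group.isdigit()):
            return None                      # empty, signed or non-digit group
        try:
            value = int(group, base)         # "2" in base 2 raises ValueError
        except ValueError:
            return None
        if not 0 <= value <= 255:
            return None                      # e.g. "111111111" = 511 in decimal
        values.append(value)
    return tuple(values)


def canonical(addr: str, base: int = 2) -> Optional[str]:
    """Dotted-decimal rendering used to compare addresses written in either base."""
    values = parse_address(addr, base)
    return None if values is None else ".".join(str(v) for v in values)


class CertificateServer:
    """Holds the preconfigured address list and answers the configurator's query."""

    def __init__(self, preconfigured: List[str], base: int = 10):
        # Entries are stored in canonical form; malformed entries are dropped
        # rather than silently left in the list.
        self.allowed = set()
        for entry in preconfigured:
            c = canonical(entry, base)
            if c is not None:
                self.allowed.add(c)

    def check(self, addr: str, base: int = 2) -> Verdict:
        c = canonical(addr, base)
        if c is None:
            return Verdict.ILLEGAL_FORMAT    # address verification fails: discard
        if c not in self.allowed:
            return Verdict.NOT_IN_LIST       # legal but not preconfigured: discard
        return Verdict.ALLOWED               # configurator may open the SSID
```

The format check is deliberately separate from the list lookup so that a malformed address is rejected before it is ever compared against the list, which is the order the text prescribes.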
In step 402, the configuration device sends a second message to the wireless network; accordingly, the wireless network receives the second message, which informs it of the service set identifier to open.
Wherein the second message is used to notify the wireless network to open the service set identifier for the first access device.
For example, taking the configuration device as a mobile phone and the first access device as a refrigerator, the mobile phone receives the refrigerator's request to access the service set identifier "bingxiang"; at this time the service set identifier "bingxiang" does not yet exist among the service set identifiers of the wireless network, so the configuration device notifies the wireless network to open the service set identifier "bingxiang" so that the first access device can connect to the wireless network through it. It should be noted that the configuration device, the first access device, the service set identifier and the like are all examples and are not limited by the application.
In step 403, the first access device determines a wireless network open service set identifier and accesses the wireless network.
After the configuration device informs the wireless network which service set identifier to open, the first access device searches the service set identifiers opened by the wireless network for the corresponding one and accesses the wireless network through that service set identifier.
It should be noted that, to secure the connection and access, the wireless network at this stage only grants the first access device the right to reach the certificate server.
Specifically, the configuration device notifies the wireless network to open the corresponding service set identifier to the first access device, and the first access device determines the service set identifier opened by the wireless network; at this point the first access device can successfully associate with that service set identifier of the wireless network.
In one possible implementation, the first access device searches for the service set identifier when accessing the network for the first time, determines that the wireless network has opened it, accesses the wireless network and performs certificate acquisition; on subsequent accesses the first access device does not search again and directly accesses the wireless network through the corresponding service set identifier.
In step 404, the first access device obtains a public key certificate of the first access device through the wireless network.
In the specific implementation process, after the first access device is connected to the wireless network, it sends its address to the certificate server. The certificate server (Certificate Authority, CA) manages public key certificates so as to ensure that the party obtaining a certificate is authorized; that is, it guarantees the identities of the parties to the information exchange and secures the exchange.
After applying to the certificate server for the corresponding public key certificate, the first access device receives a response message from the certificate server, which comprises the public key certificate of the first access device.
In step 405, the first access device sends a third message to the configuration device. Accordingly, the configuration device receives the third message.
Wherein the third message is for indicating a public key certificate of the first access device.
Specifically, the third message may be the public key certificate of the first access device itself: the first access device connects to the wireless network, obtains the public key certificate from the certificate server, and then sends it to the configuration device, in which case the DPP protocol online announcement sent by the first access device to the configuration device carries not only the public key certificate of the first access device but also an indication that the public key certificate has already been applied for. Alternatively, the third message may be a public key certificate acquisition notice of the first access device, which instructs the configuration device to acquire the public key certificate of the first access device from the certificate server.
In this way, the embodiment of the application realizes online acquisition of the public key certificate on the side of the configuration device and on the side of the access device respectively, avoids the security holes of offline acquisition of the public key certificate, removes the need to pre-provision the certificate during device manufacturing, realizes fully online operation without offline acquisition of the public key certificate, and enables Internet of Things terminals to come online rapidly.
For example, if the first access device is a smart refrigerator, it sends a first message to the configuration device, where the first message is a stage-one DPP protocol online announcement; stage one refers to the phase in which the first access device has not yet obtained its own public key certificate and initiates a wireless network connection request to the configuration device. The stage-one DPP online announcement is used to get the first access device onto the wireless network and comprises the service set identifier that the first access device requests to access, the address information of the first access device and the DPP online announcement of the first access device. From the first message the configuration device obtains the address of the first access device as A.B.C.D and the requested service set identifier as SSID1. After obtaining the first message sent by the access device, the configuration device first queries the certificate server whether the address A.B.C.D is legal; if so, configuration continues, and if not, the address of the first access device is discarded and configuration stops.
After the address validity judgment of the first access device is finished, the address A.B.C.D is queried in the certificate server: if the address list preconfigured in the certificate server comprises A.B.C.D, the connection of the first access device is allowed; if the preconfigured address list does not comprise A.B.C.D, the connection is not allowed. After the connection of the first access device is allowed, the configuration device informs the wireless network to open SSID1 to the first access device, and the first access device accesses the wireless network through SSID1.
After the first access device is connected to the wireless network, the wireless network only grants it the right to reach the certificate server. After the first access device acquires its own public key certificate A from the certificate server, it sends a stage-two DPP protocol online announcement to the configuration device; stage two refers to the phase in which the first access device has acquired its own public key certificate and sends it to the configuration device. The stage-two DPP online announcement enables the configuration device to obtain the public key certificate of the first access device and comprises the service set identifier that the first access device requests to access, the address information of the first access device and the DPP online announcement of the first access device carrying public key certificate A. After the configuration device receives the stage-two DPP protocol online announcement, the process ends and the Bootstrapping process is complete.
In this embodiment, the device public key certificate may be obtained according to the flow shown in fig. 5, which is a specific embodiment based on the flow diagram of fig. 4; here, for illustration, the certificate server holds a preconfigured address list and addresses outside that list are not allowed to access. It should be noted that this is only a preferred embodiment of the application, and the device public key certificate acquisition method of the application may also be implemented in other ways, which this embodiment does not limit. The implementation flow shown in fig. 5 includes the following steps:
Step 501, the addresses of all access devices are preconfigured in a certificate server.
Specifically, for security purposes, the addresses of the access devices are preconfigured in the certificate server, and online certificate application is restricted to the devices in the address list. In this way the embodiment limits the range of access devices, ensures that all access devices able to join the network are trusted devices, and reduces the security risk in the network configuration process.
In step 502, the first access device announces to the configuration device the service set identifier it needs.
The first access device carries a stage-one DPP online announcement in a Probe Request frame or a Beacon frame, where the stage-one DPP online announcement comprises the address information of the first access device and the service set identifier to be accessed.
After the configuration device obtains the address information and the service set identifier of the first access device, the certificate server verifies whether the address is legal and whether it is in the preconfigured address list. If the address is legal and in the preconfigured address list, the certificate server sends a confirmation to the configuration device.
In step 503, the configuration device informs the wireless network to open the required service set identification to the first access device.
Specifically, after receiving the verification result from the certificate server, the configuration device informs the wireless network to open the corresponding service set identifier to the first access device, so as to enable the first access device to connect.
In step 504, the first access device connects to the wireless network.
Specifically, the first access device associates with the service set identifier opened by the wireless network and thereby connects to it; at this time the wireless network only grants the first access device the right to reach the certificate server, so that the first access device can apply online to the certificate server for a certificate.
In step 505, the first access device applies for public key certificates online.
Specifically, to ensure security at this point, the certificate server may verify the address of the first access device again before the online certificate application is processed, so as to guard against the first access device having been compromised and the like.
In step 506, the first access device obtains the public key certificate and sends a stage-two DPP protocol online announcement to the configuration device.
The stage-two DPP online announcement carries the public key certificate of the first access device, and sending it to the configuration device completes the Bootstrapping process.
In an alternative embodiment, the DPP protocol online announcement may directly carry the public key certificate of the first access device, so that the configurator obtains the public key certificate of the first access device as soon as it receives the first message. However, to avoid potential hazards, carrying the public key certificate of the first access device in the DPP protocol online announcement is not recommended.
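The complete exchange of steps 401 to 405 and of steps 501 to 506 above, as an added example that is not part of the patent: four in-process roles (first access device, configuration device, wireless network and certificate server) pass the stage-one and stage-two announcements and apply the two safeguards the text names, namely that only preconfigured addresses may apply online and that a freshly associated device may reach nothing but the certificate server. The message layout, the role and method names, the digest-based stand-in for a real certificate and the sample values (SSID "SSID1", address "192.0.2.7") are constructed for this example; the certificate server here checks only list membership, not address format.

```python
"""Online DPP Bootstrapping exchange (steps 401-405 / 501-506) as a simulation.
Added example, not the patent's code: roles, message layout and sample values
are constructed; a SHA-256 digest stands in for a real certificate signature."""
import hashlib
from typing import Dict, List, Optional, Set

CA_SERVICE = "certificate-server"   # the only destination reachable right after association


class CertificateServer:            # holds the preconfigured address list (step 501)
    def __init__(self, preconfigured: List[str]):
        self.allowed: Set[str] = set(preconfigured)
        self.issued: Dict[str, dict] = {}          # address -> certificate issued to it

    def address_allowed(self, address: str) -> bool:
        return address in self.allowed

    def issue(self, address: str, public_key: str) -> Optional[dict]:
        if not self.address_allowed(address):      # step 505: re-verify at application time
            return None
        digest = hashlib.sha256(f"{address}|{public_key}".encode()).hexdigest()
        cert = {"subject": address, "public_key": public_key,
                "issuer": "constructed-CA", "signature": digest}
        self.issued[address] = cert
        return cert


class WirelessNetwork:              # opens an SSID for one vetted address, confines it to the CA
    def __init__(self):
        self.open_ssids: Dict[str, str] = {}      # ssid -> address it was opened for
        self.associated: Dict[str, str] = {}      # address -> ssid

    def open_ssid(self, ssid: str, address: str) -> None:      # step 402 / 503
        self.open_ssids[ssid] = address

    def associate(self, address: str, ssid: str) -> bool:      # step 403 / 504
        if self.open_ssids.get(ssid) != address:
            return False
        self.associated[address] = ssid
        return True

    def permit(self, address: str, destination: str) -> bool:
        # During bootstrapping only the certificate server is reachable;
        # wider access is a matter for the later DPP phases.
        return address in self.associated and destination == CA_SERVICE


class Configurator:                 # configuration device
    def __init__(self, ca: CertificateServer, network: WirelessNetwork):
        self.ca, self.network = ca, network
        self.pending: Set[str] = set()            # addresses vetted at stage one
        self.certificates: Dict[str, dict] = {}   # bootstrapped address -> certificate

    def handle_announcement(self, msg: dict) -> str:
        address, ssid = msg["address"], msg["ssid"]
        if msg["stage"] == 1:                      # step 401 / 502
            if not self.ca.address_allowed(address):
                return "discarded"                 # not preconfigured: drop it
            self.pending.add(address)
            self.network.open_ssid(ssid, address)  # step 402 / 503
            return "ssid-opened"
        if msg["stage"] == 2:                      # step 405 / 506
            if address not in self.pending:
                return "discarded"                 # never vetted at stage one
            if msg["certificate"] != self.ca.issued.get(address):
                return "discarded"                 # not what the CA actually issued
            self.certificates[address] = msg["certificate"]
            self.pending.discard(address)
            return "bootstrapped"
        return "discarded"


class AccessDevice:                 # first access device
    def __init__(self, address: str, ssid: str, public_key: str):
        self.address, self.ssid, self.public_key = address, ssid, public_key
        self.certificate: Optional[dict] = None

    def stage_one(self) -> dict:
        return {"stage": 1, "ssid": self.ssid, "address": self.address}

    def apply_for_certificate(self, network: WirelessNetwork, ca: CertificateServer) -> bool:
        if not network.permit(self.address, CA_SERVICE):      # step 404 / 505
            return False
        self.certificate = ca.issue(self.address, self.public_key)
        return self.certificate is not None

    def stage_two(self) -> dict:
        return {"stage": 2, "ssid": self.ssid, "address": self.address,
                "certificate": self.certificate}


def run_bootstrapping(device: AccessDevice, cfg: Configurator,
                      net: WirelessNetwork, ca: CertificateServer) -> List[str]:
    """Drive one device through the exchange and return the outcome of each step."""
    trace = [cfg.handle_announcement(device.stage_one())]
    if trace[-1] != "ssid-opened":
        return trace                               # stage one rejected: nothing else happens
    trace.append("associated" if net.associate(device.address, device.ssid) else "association-failed")
    trace.append("certificate-issued" if device.apply_for_certificate(net, ca) else "certificate-refused")
    trace.append(cfg.handle_announcement(device.stage_two()))
    return trace
```

The configuration device accepts a stage-two announcement only from an address it vetted at stage one and only if the certificate matches the one the certificate server actually issued, which is the cross-check that the "acquisition notice" variant of the third message makes possible; a device whose address is not preconfigured is stopped at stage one and never gets an SSID opened for it.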
By this method, the security hole of offline acquisition of the public key certificate is avoided, the need to pre-provision the certificate during device manufacturing is removed, online operation is realized without offline acquisition of the public key certificate, and Internet of Things terminals can be brought online rapidly.
Based on the same technical concept, fig. 6 illustrates a device public key certificate acquisition apparatus applied to a configuration device, which may execute the flow of the device public key certificate acquisition method. The apparatus comprises a transceiver unit 601 and a processing unit 602.
The transceiver unit 601 is configured to receive a first message from a first access device, where the first message includes the service set identifier requested by the first access device and is used to request a public key certificate of the first access device; the processing unit 602 is configured to send a second message to the wireless network, where the second message is used to notify the wireless network to open the service set identifier for the first access device; the transceiver unit 601 is further configured to receive a third message from the first access device, where the third message is used to indicate the public key certificate of the first access device; and the processing unit 602 is further configured to obtain the public key certificate of the first access device according to the third message.
In one possible implementation, the first message further comprises an address of the first access device.
In a possible implementation, the processing unit 602 is further configured to: determining an association relationship between a preconfigured address list and an address of the first access device, wherein the preconfigured address list is used for indicating the address of the access device which is allowed to acquire the public key certificate; and determining that the preconfigured address list comprises the address of the first access device according to the association relation.
In a possible implementation, the processing unit 602 is specifically configured to: receive a response message from the certificate server, the response message indicating that the preconfigured address list includes the address of the first access device.
In one possible implementation, the third message comprises a public key certificate of the first access device.
In one possible embodiment, the third message includes a public key certificate acquisition notification of the first access device, the public key certificate acquisition notification of the first access device being used to instruct the configuration device to acquire the public key certificate of the first access device from the certificate server.
In one possible implementation, the address of the first access device is one of the following: physical address, medium access control address, local area network address.
Based on the same technical concept, fig. 7 exemplarily shows a device public key certificate acquisition apparatus provided by an embodiment of the present application, which is applied to a first access device, and the apparatus may execute a flow of a device public key certificate acquisition method. The device comprises: a transceiver unit 701 and a processing unit 702.
The transceiver unit 701 is configured to send a first message to the configuration device, where the first message includes a service set identifier requested by the first access device, and the first message is used to request a public key certificate of the first access device; a processing unit 702, configured to determine a wireless network open service set identifier; the processing unit 702 is further configured to obtain a public key certificate of the first access device through the wireless network; the transceiver unit 701 is further configured to send a third message to the configuration device, where the third message is used to indicate the public key certificate of the first access device.
In one possible implementation manner, the transceiver unit 701 is specifically configured to: sending a public key certificate request message of the first access device to a certificate server; a response message is received from the certificate server, the response message including a public key certificate of the first access device.
In one possible implementation, the third message comprises a public key certificate of the first access device.
In one possible embodiment, the third message includes a public key certificate acquisition notification of the first access device, the public key certificate acquisition notification of the first access device being used to instruct the configuration device to acquire the public key certificate of the first access device from the certificate server.
In one possible implementation, the first message further includes: an address of the first access device.
In one possible implementation, the address of the first access device is one of the following: physical address, medium access control address, local area network address.
Having described the device public key certificate acquisition apparatus of an exemplary embodiment of the present application, a computing device of another exemplary embodiment of the present application is described next.
Those skilled in the art will appreciate that the various aspects of the application may be implemented as a system, a method, or a program product. Accordingly, aspects of the application may be embodied in the following forms, namely: an entirely hardware embodiment, an entirely software embodiment (including firmware, micro-code, etc.), or an embodiment combining hardware and software aspects, which may be referred to herein as a "circuit," "module," or "system."
In some possible implementations, a computing device according to the application may include at least one processor, and at least one memory. Wherein the memory stores a computer program which, when executed by the processor, causes the processor to perform the steps in the device public key certificate acquisition method according to various exemplary embodiments of the present application described in the present specification.
A computing device 130 according to such an embodiment of the application is described below with reference to fig. 8. The computing device 130 shown in fig. 8 is merely an example and should not be taken as limiting the functionality and scope of use of embodiments of the present application. As shown in fig. 8, the computing device 130 is in the form of a general purpose smart terminal (or bluetooth headset). Components of computing device 130 may include, but are not limited to: the at least one processor 131, the at least one memory 132, and a bus 133 connecting the various system components, including the memory 132 and the processor 131.
Bus 133 represents one or more of several types of bus structures, including a memory bus or memory controller, a peripheral bus, a processor, and a local bus using any of a variety of bus architectures. Memory 132 may include readable media in the form of volatile memory such as Random Access Memory (RAM) 1321 and/or cache memory 1322, and may further include Read Only Memory (ROM) 1323. Memory 132 may also include a program/utility 1325 having a set (at least one) of program modules 1324, such program modules 1324 include, but are not limited to: an operating system, one or more application programs, other program modules, and program data, each or some combination of which may include an implementation of a network environment.
Computing device 130 may also communicate with one or more external devices 134 (e.g., keyboard, pointing device, etc.), and/or with any device (e.g., router, modem, etc.) that enables computing device 130 to communicate with one or more other intelligent terminals. Such communication may occur through an input/output (I/O) interface 135. Moreover, computing device 130 may also communicate with one or more networks such as a Local Area Network (LAN), a Wide Area Network (WAN) and/or a public network, such as the Internet, through network adapter 136. As shown, network adapter 136 communicates with other modules for computing device 130 over bus 133. It should be appreciated that although not shown in the figures, other hardware and/or software modules may be used in connection with computing device 130, including, but not limited to: microcode, device drivers, redundant processors, external disk drive arrays, RAID systems, tape drives, data backup storage systems, and the like.
In some possible embodiments, aspects of the device public key certificate acquisition method provided by the present application may also be implemented in the form of a program product comprising a computer program which, when the program product is run on a computer device, causes the computer device to perform the steps of the device public key certificate acquisition method according to the various exemplary embodiments of the present application described in this specification.
The program product may employ any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. The readable storage medium can be, for example, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium include the following: an electrical connection having one or more wires, a portable disk, a hard disk, Random Access Memory (RAM), Read-Only Memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fiber, portable compact disk read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
The program product for device public key certificate acquisition of embodiments of the present application may employ a portable compact disc read only memory (CD-ROM), comprise a computer program, and run on a smart terminal. The program product of the present application is not limited thereto; in this document, a readable storage medium may be any tangible medium that can contain or store a program for use by or in connection with an instruction execution system, apparatus, or device.
The readable signal medium may comprise a data signal propagated in baseband or as part of a carrier wave in which a readable computer program is embodied. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination of the foregoing. A readable signal medium may also be any readable medium that is not a readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
It should be noted that although several units or sub-units of the apparatus are mentioned in the above detailed description, such a division is merely exemplary and not mandatory. Indeed, the features and functions of two or more of the elements described above may be embodied in one element in accordance with embodiments of the present application. Conversely, the features and functions of one unit described above may be further divided into a plurality of units to be embodied.
Furthermore, although the operations of the methods of the present application are depicted in the drawings in a particular order, this is not required or suggested that these operations must be performed in this particular order or that all of the illustrated operations must be performed in order to achieve desirable results. Additionally or alternatively, certain steps may be omitted, multiple steps combined into one step to perform, and/or one step decomposed into multiple steps to perform.
It will be appreciated by those skilled in the art that embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It will be apparent to those skilled in the art that various modifications and variations can be made to the present application without departing from the spirit or scope of the application. Thus, it is intended that the present application also include such modifications and alterations insofar as they come within the scope of the appended claims or the equivalents thereof.
Claims (15)
1. A device public key certificate acquisition method, applied to a configuration device, comprising:
receiving a first message from a first access device, wherein the first message comprises a service set identifier requested by the first access device, and the first message is used for requesting a public key certificate of the first access device;
sending a second message to a wireless network so that the public key certificate of the first access device is obtained after the first access device accesses the wireless network, wherein the second message is used for notifying the wireless network to open the service set identifier to serve the first access device;
receiving a third message from the first access device, the third message being used for indicating the public key certificate of the first access device; and
obtaining the public key certificate of the first access device according to the third message.
2. The method of claim 1, wherein the first message further comprises an address of the first access device, and the method further comprises, before sending the second message to the wireless network:
determining an association relationship between a preconfigured address list and the address of the first access device, wherein the preconfigured address list is used for indicating the addresses of access devices allowed to acquire a public key certificate; and
determining, according to the association relationship, that the preconfigured address list comprises the address of the first access device.
3. The method of claim 2, wherein determining the association relationship between the preconfigured address list and the address of the first access device comprises:
transmitting the address of the first access device to a certificate server; and
receiving a response message from the certificate server, wherein the response message is used for indicating that the preconfigured address list comprises the address of the first access device.
4. The method according to any of claims 1-3, wherein the third message comprises the public key certificate of the first access device.
5. The method according to any of claims 1-3, wherein the third message comprises a public key certificate acquisition notice of the first access device, the notice being used for instructing the configuration device to acquire the public key certificate of the first access device from a certificate server.
6. A device public key certificate acquisition method, applied to a first access device, comprising:
sending a first message to a configuration device so that the configuration device notifies a wireless network to open a service set identifier requested by the first access device, wherein the first message comprises the service set identifier requested by the first access device, and the first message is used for requesting a public key certificate of the first access device;
determining that the wireless network has opened the service set identifier;
acquiring the public key certificate of the first access device through the wireless network; and
sending a third message to the configuration device, wherein the third message is used for indicating the public key certificate of the first access device.
7. The method of claim 6, wherein acquiring the public key certificate of the first access device through the wireless network comprises:
sending a public key certificate request message of the first access device to a certificate server through the wireless network; and
receiving a response message from the certificate server, the response message comprising the public key certificate of the first access device.
8. The method according to claim 6 or 7, wherein the third message comprises the public key certificate of the first access device.
9. The method according to claim 6 or 7, wherein the third message comprises a public key certificate acquisition notice of the first access device, the notice being used for instructing the configuration device to acquire the public key certificate of the first access device from a certificate server.
10. The method according to claim 6 or 7, wherein the first message further comprises an address of the first access device.
11. A communication device, comprising:
a transceiver unit, configured to receive a first message from a first access device, wherein the first message comprises a service set identifier requested by the first access device, and the first message is used for requesting a public key certificate of the first access device; and
a processing unit, configured to send a second message to a wireless network so that the processing unit obtains the public key certificate of the first access device after the first access device accesses the wireless network, wherein the second message is used for notifying the wireless network to open the service set identifier to serve the first access device;
wherein the transceiver unit is further configured to receive a third message from the first access device, the third message being used for indicating the public key certificate of the first access device; and
the processing unit is further configured to obtain the public key certificate of the first access device according to the third message.
12. A communication device, comprising:
a transceiver unit, configured to send a first message to a configuration device so that the configuration device notifies a wireless network to open a service set identifier requested by the first access device, wherein the first message comprises the service set identifier requested by the first access device, and the first message is used for requesting a public key certificate of the first access device; and
a processing unit, configured to determine that the wireless network has opened the service set identifier;
wherein the processing unit is further configured to obtain the public key certificate of the first access device through the wireless network; and
the transceiver unit is further configured to send a third message to the configuration device, the third message being used for indicating the public key certificate of the first access device.
13. A computing device, comprising:
a memory for storing program instructions; and
a processor for invoking the program instructions stored in the memory and performing, according to the invoked program instructions, the method of any of claims 1-10.
14. A computer readable storage medium comprising computer readable instructions which, when read and executed by a computer, cause the method of any of claims 1-10 to be implemented.
15. A computer program product comprising a computer program executable by a computer device to cause the computer device to perform the steps of the method of any of claims 1-10 when the program is run on the computer device.
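The exchange of claims 1 to 10, run end to end, as an added example (editor's code, not from the patent). The configuration device checks the preconfigured address list through the certificate server before it notifies the network (claims 2 and 3), the network serves the SSID only to the named address (claim 1), and the third message either carries the certificate itself (claims 4 and 8) or only a notice that makes the configuration device fetch it from the certificate server (claims 5 and 9). Assumptions: the class and message field names, a random hex string in place of the device's public key, and an HMAC tag in place of the CA's signature so that the example runs on the Python standard library alone. The check in which the configuration device verifies the received certificate against the CA and matches its subject to the requesting address is a practitioner addition, not something the claims specify.

```python
# Added example (editor's code, not from the patent): one run of the exchange in
# claims 1-10.  Field names and the HMAC stand-in for the CA signature are assumed.
import hashlib, hmac, json, secrets


def cert_body(address, public_key):  # canonical bytes the CA signs
    return json.dumps([address, public_key]).encode()


class CertificateServer:
    """Holds the preconfigured address list (claim 2) and issues certificates."""
    def __init__(self, allowed_addresses):
        self.allowed, self.issued = set(allowed_addresses), {}
        # Assumption: an HMAC key stands in for the CA signing key so the example
        # needs no third-party library; a real CA signs with an asymmetric key.
        self._ca_key = secrets.token_bytes(32)

    def _tag(self, body):
        return hmac.new(self._ca_key, body, hashlib.sha256).hexdigest()

    def verify(self, cert):  # true only if the tag covers this subject and key
        expected = self._tag(cert_body(cert["subject"], cert["public_key"]))
        return hmac.compare_digest(expected, cert["signature"])

    def address_allowed(self, address):  # claim 3: answer the address query
        return {"address": address, "allowed": address in self.allowed}

    def issue(self, address, public_key):  # claim 7: answer the device's request
        if address not in self.allowed:
            return None
        cert = {"subject": address, "public_key": public_key,
                "signature": self._tag(cert_body(address, public_key))}
        self.issued[address] = cert
        return cert


class WirelessNetwork:
    """Serves an SSID only to the addresses the configuration device names."""
    def __init__(self):
        self.open_for = {}  # ssid -> set of access-device addresses served

    def open_ssid(self, ssid, address):  # effect of the second message
        self.open_for.setdefault(ssid, set()).add(address)

    def is_open(self, ssid, address):
        return address in self.open_for.get(ssid, set())


class ConfigurationDevice:
    def __init__(self, network, cert_server):
        self.network, self.cert_server = network, cert_server
        self.certificates = {}

    def handle_first_message(self, msg):
        """Claims 1-3: check the address list, then send the second message."""
        if not self.cert_server.address_allowed(msg["address"])["allowed"]:
            return False  # unlisted device: the SSID is never opened for it
        self.network.open_ssid(msg["ssid"], msg["address"])
        return True

    def handle_third_message(self, msg):
        """Claims 4-5: take the certificate from the message or fetch it."""
        address = msg["address"]
        cert = msg.get("certificate") or self.cert_server.issued.get(address)
        # Practitioner check added here, not part of the claims: keep only a
        # certificate the CA signed for the address that sent the messages.
        if (cert is None or cert["subject"] != address
                or not self.cert_server.verify(cert)):
            return None
        self.certificates[address] = cert
        return cert


class AccessDevice:
    def __init__(self, address, ssid):
        self.address, self.ssid = address, ssid
        # Assumption: random hex stands in for the device's real public key.
        self.public_key = secrets.token_hex(32)

    def acquire_certificate(self, config, network, cert_server, carry_cert=True):
        """Claims 6-10, seen from the access device."""
        first = {"address": self.address, "ssid": self.ssid}
        if not config.handle_first_message(first):
            return None
        if not network.is_open(self.ssid, self.address):  # claim 6, 2nd step
            return None
        cert = cert_server.issue(self.address, self.public_key)  # via the SSID
        if cert is None:
            return None
        third = {"address": self.address}
        if carry_cert:
            third["certificate"] = cert             # claim 8: certificate inline
        else:
            third["notice"] = "certificate_issued"  # claim 9: notice only
        return config.handle_third_message(third)


def run_exchange(allowed_addresses, address, ssid, carry_cert=True):
    """One full exchange; returns (certificate or None, config, network)."""
    server, network = CertificateServer(allowed_addresses), WirelessNetwork()
    config = ConfigurationDevice(network, server)
    cert = AccessDevice(address, ssid).acquire_certificate(
        config, network, server, carry_cert)
    return cert, config, network
```

Running `run_exchange` with an address outside the list shows the property worth checking in a real deployment: `open_for` stays empty, so a device that is not on the preconfigured list never gets the SSID, let alone a certificate. The final check in `handle_third_message` matters because, as claim 4 is written, the access device itself hands over the certificate in the third message; without verifying the CA signature and the subject, the configuration device would be accepting whatever the requester chose to send.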
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202410430380.6A CN118215046A (en) | 2024-04-10 | 2024-04-10 | Equipment public key certificate acquisition method and communication device |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202410430380.6A CN118215046A (en) | 2024-04-10 | 2024-04-10 | Equipment public key certificate acquisition method and communication device |
Publications (1)
Publication Number | Publication Date |
---|---|
CN118215046A true CN118215046A (en) | 2024-06-18 |
Family
ID=91445952
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202410430380.6A Pending CN118215046A (en) | 2024-04-10 | 2024-04-10 | Equipment public key certificate acquisition method and communication device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN118215046A (en) |
- 2024-04-10: CN application CN202410430380.6A, publication CN118215046A, status: active, Pending
Similar Documents
Publication | Title |
---|---|
US20200336481A1 (en) | Device authentication method, service access control method, device, and non-transitory computer-readable recording medium |
US11546755B2 (en) | Centralized configurator server for DPP provisioning of enrollees in a network |
US10250383B1 (en) | Dynamic domain key exchange for authenticated device to device communications |
CN103929748B (en) | Internet of Things wireless terminal, configuration method therefor, and wireless network access point |
CN106161496B (en) | Remote assistance method, device and system for a terminal |
US20230344626A1 (en) | Network connection management method and apparatus, readable medium, program product, and electronic device |
CN112351000A (en) | Bidirectional identity authentication method, system, device and storage medium |
CN111783068A (en) | Device authentication method, system, electronic device and storage medium |
CN112672351A (en) | Wireless local area network authentication method and device, electronic equipment and storage medium |
CN115065703B (en) | Internet of Things system, authentication and communication method thereof and related equipment |
CN114978635B (en) | Cross-domain authentication method and device, user registration method and device |
CN111742531A (en) | Profile information sharing |
WO2019056971A1 (en) | Authentication method and device |
EP4412152A1 (en) | Authentication method and communication apparatus |
CN109583154A (en) | System and method for accessing an intelligent cryptographic key via Web middleware |
WO2023000967A1 (en) | Device management method, system and apparatus |
CN115426178B (en) | Calling method, calling device, electronic equipment and computer readable medium |
US11777742B2 (en) | Network device authentication |
US9723436B2 (en) | Mobile device location |
US20220174490A1 (en) | System, method, storage medium and equipment for mobile network access |
WO2023240587A1 (en) | Device permission configuration method and apparatus, and terminal device |
CN118215046A (en) | Equipment public key certificate acquisition method and communication device |
CN113039766B (en) | Optimized Simultaneous Authentication of Equals (SAE) authentication in wireless networks |
CN115146320A (en) | Certificate query method and device |
CN114095221A (en) | Security verification method, device, equipment and storage medium |
Legal Events
Code | Title |
---|---|
PB01 | Publication |
SE01 | Entry into force of request for substantive examination |