FR2974261A1 - Method for establishing communication between terminals via e.g. communication path, involves utilizing configuration data, and performing communication with step of authentication of set of terminals on communication path - Google Patents

Abstract

The method involves providing a set of communication path i.e. Wireless Fidelity (Wi-Fi)network, where one of the communication path requires configuration information (DC). The configuration data that is utilized for connection of a set of terminals (TRM1, TRM2) is transmitted from one terminal to another terminal via another communication path. A communication between the two terminals is performed with a step of authentication of the set of terminals on the latter communication path. Independent claims are also included for the following: (1) a computer system (2) a computer program comprising instructions for performing a method for establishing communication between two terminals.

Description

Method for obtaining configuration data for establishing a communication between two terminals Technical field The invention relates to a method for obtaining configuration data for establishing a communication between two terminals through two terminals. a communication means such as a telecommunication network. The terminals in question encompass any data processing device, that is to say equipped with physical resources and / or software including at least one microprocessor, able to communicate through at least two communication means. State of the art Generally, a communication between two terminals requires a prior configuration step able to guarantee the legitimacy of the terminals wishing to communicate with each other.

For example, if the means used is a WI-FI network (contraction of the term Wireless Fidelity, IEEE 802.11 standard), the configuration step corresponds to a mutual authentication step between the two terminals which takes place before these two terminals can communicate with each other. This authentication step ensures that two terminals communicating together on a WI-FI network are legitimate terminals. Several types of mutual authentication exist including the following. A first type of authentication is to include in the terminals of the certificate mechanisms signed by a certification authority recognized by the different terminals. With these certificates, two devices can communicate with each other securely. This solution has the disadvantage of being complex to deploy and maintain because it requires a trusted third party namely a certification authority.

A second type of authentication uses a network device acting as a trusted third party on which the two terminals are connected and authenticated via a communication means such as a telecommunications network. The trusted third party establishes a communication by creating a secure link between the two terminals and certifying that both terminals are legitimate terminals. The problem is that this solution is expensive because it requires a third party accessible at the time of connection. The invention improves the situation. The invention For this purpose, according to a functional aspect, the subject of the invention is a method for establishing a connection between two terminals, a first terminal and a second terminal capable of communicating through at least two means of communication. communication including a first means of communication requiring configuration data, characterized in that the configuration data necessary for the connection of the two terminals via the first communication means are communicated by the first terminal to the second terminal via a second communication means on which a communication between the two terminals includes a terminal authentication step.

Thus, according to the invention, the configuration data relating to the first means are transmitted via another means of communication that the first means of communication, here the second means, capable of ensuring a legitimacy of the terminals, for example by means of mutual authentication, before a communication between two terminals. The invention thus avoids a new phase of verification of the legitimacy of the terminals on the first communication means. The invention thus avoids the intervention of a trusted third party on the first means of communication while ensuring the legitimacy of the terminals concerned on this first means of communication. Both terminals in question are suitable for use by a respective user. According to a first particular embodiment, the transmission of the configuration data is controlled following an action of a user on one of the two terminals and in that the action is performed by the user when the two terminals are located in the field of view of at least one user selected from the first or second user. In the same way as for the transmission, the reception of the data can also be ordered following an action of a user on one of the two terminals. Thus, a user has control of the moment of transmission and / or reception; in addition, the user visualizes the scene and is assured that the terminals involved in a communication via this second means of communication are legitimate terminals. This mode avoids the use of a certification authority or a device connected to the second network acting as a trusted third party. According to a second embodiment that can be implemented cumulatively or alternatively with the first mode, the second communication means is a means of communication of a range limited in distance. The range will be judiciously chosen so that the coverage of the second means is in the field of view of a user. In this way, this feature avoids that a third additional terminal located in the cover in question, for example an electromagnetic field, captures the configuration data transmitted from a first to a second terminal, in particular for malicious purposes. Recall here that the range of a means of communication corresponds to the maximum distance below which communication is possible. According to a variant of the two modes above, a terminal is equipped with shooting means, another terminal is equipped with a means for restoring information representative of the configuration data. In this configuration, for the communication of the configuration data via the second connection means, the shooting means capture the information. For example, if the rendering means is a screen capable of displaying the configuration data, and the capturing means are a camera, the camera takes a picture of the configuration data displayed on the screen.

The information in question may be coded to prevent a third malicious terminal from using this information for malicious purposes. According to a third embodiment, which may be implemented alternatively or cumulatively with the preceding embodiments, a digital datum created by the second terminal is added to the configuration data when the configuration data is communicated to the first terminal, and in that the digital data received by the first terminal is transmitted from the first terminal to the second terminal via the first communication means. We will see that this numerical data, designated by the term "token" in the description, will have a value able to be modified in the time to avoid a possible replay by a malicious third party. Recall that a "replay attack" is a "Man in the middle" attack consisting of intercepting data packets and replaying them, ie retransmitting them as which (without any decryption) to a destination terminal. This digital data is for example different with each communication of configuration data from the second to the first terminal. Thus, the second terminal verifies whether the token that it has transmitted to the first terminal via the second communication means and the token that it subsequently receives via the first communication means are the same; in the affirmative, the first terminal is authenticated on the first network, and this without a trusted third party intervened on this first network. According to a material aspect, the invention also relates to a computer system comprising a first terminal and a second terminal capable of communicating through at least two communication means including a first communication means requiring configuration data, characterized in that the second terminal comprises means for transmitting the configuration data via a second communication means on which a communication between the two terminals includes a terminal authentication step, and in that the first terminal comprises means for receiving the data configuration via this second means of communication. It will be seen later that the first terminal further comprises means for taking into account the received configuration data to establish a communication via the first network with the second terminal. According to another material aspect, the invention relates to a terminal, said second terminal, able to communicate with another terminal, said first terminal, via at least two communication means including a first communication means requiring configuration data, characterized in that it comprises means for transmitting the configuration data via a second communication means on which a communication between two terminals includes a terminal authentication step. According to one variant, the second terminal comprises means for creating a digital datum, called first digital datum. According to this variant, the digital data accompanies the configuration data during the transmission of the configuration data. The second terminal comprises - means for receiving a second digital data item - comparison means able to compare the first and second data - means able to condition a communication with the first terminal via the first network according to the result of the comparison. According to another material aspect, the invention relates to a terminal, said first terminal, able to communicate with another terminal, said second terminal, through at least two communication means including a first means of communication requiring data. configuration, characterized in that it comprises means for receiving the configuration data via a second communication means, and means for taking into account the received configuration data to establish a communication via the first communication means with the second terminal.

According to a particular embodiment, in connection with the third embodiment relating to the method, the first terminal comprises receiving means able to receive the configuration data as well as the digital data, and transmission means capable of transmitting the data. digital data to the second terminal via the first communication means after the terminals have established a connection via the first means. According to another material aspect, the invention relates to a computer program adapted to be implemented on said second terminal, the program comprising code instructions which, when executed by a processor performs a transmission step. configuration data relating to a first communication means via a second communication means on which a communication between two terminals includes a terminal authentication step. According to another material aspect, the invention relates to a computer program adapted to be implemented on said first terminal, the program comprising code instructions which, when executed by a processor performs a reception step configuration data via a second means of communication, and means for taking into account the configuration data received to establish a communication via a first network with the second terminal. The invention will be better understood on reading the description which follows, given by way of example and with reference to the accompanying drawings. The figures: FIG. 1 represents a computer system on which is illustrated an exemplary embodiment of the method of the invention. FIG. 2 represents a scene illustrating an exemplary embodiment. Figure 3 is a flowchart illustrating the steps of an exemplary embodiment of the invention.

DETAILED DESCRIPTION OF AN EMBODIMENT EXPRESSING THE INVENTION FIG. 1 represents a SYS system comprising two terminals, a first terminal TRM1 and a second terminal TRM2, able to be used by two respective users, a first user UT1 and a second user. UT2. Note here that both users could be one and the same user. The terminals include physical and software resources, including at least one microprocessor, for processing digital data. The structure of the terminals will be described with reference to FIG. 2. In our example, the two terminals are able to communicate via a first communication means illustrated by a wireless network RES1 of the WI-FI type. The two terminals are also able to communicate via a second communication means whose range will, according to the invention, be chosen judiciously so that a communication between the two terminals can be supervised by the first user UT1 and / or the second UT2. The wireless network RES1 is formed by the emission of electromagnetic waves from a home gateway GTW such as the gateway Livebox (trademark registered by the applicant) known to those skilled in the art. In FIG. 1, the coverage of the wireless network RES1 can be likened to a disk D having a radius R in which communication is possible between a terminal and the gateway GTW. In our exemplary embodiment, the communication via the wireless network RES1 requires the knowledge of data such as connection information relating to the wireless network RES1, for example an IP address (or a terminal name) and a port number of the terminal with which a communication is desired. This data will be referred to as "configuration data" DC.

FIG. 2 is a detailed view of the circuits present on the terminals. The two terminals TRM1 and TRM2 belong to a first user UT1 and to a second user UT2, respectively. The terminals are equipped with a first microprocessor CPU1 and a second microprocessor MP2, respectively. The first terminal TRM1 further comprises: first communication means COM1, connected to a first antenna ANT1, making it possible to communicate with the first means RES1; CPT capture means capable of capturing a signal, connected to processing means able to process the captured signal; A first memory MEM1 capable of storing data; The means described above as well as the first microprocessor CPU1 are connected to each other via a first bus BUS1. The second terminal TRM2 further comprises second communication means COM2, connected to a second antenna ANT2, making it possible to communicate with the first means RES1; - EMT transmission means, for example playback means (screen, sound transmitter, etc.) capable of reproducing signals; a second memory MEM2 capable of storing data, in particular the configuration data DC.

The means described above as well as the second CPU2 microprocessor are interconnected via a second bus BUS2.

Note that the buses described above have the function of ensuring the transfer of digital data between the various circuits connected to the microprocessor by a bus. In our example, the bus in question includes a data bus and a control bus.

Note also that, in our example, the memories described above are permanent memories type ROM (acronym for Read Only Memory). We have seen previously that the two terminals can communicate via a second means of communication. In our example, the second means is chosen so that it provides an authentication step, in particular mutual authentication of the terminals, before any communication between two terminals via this second means. In particular, the second means is chosen so that the two terminals are located in the visual field CHP of the first user UT1 and / or the second user UT2, at least during the communication of the configuration data DC between the terminals via this method. second means of communication. Recall that the visual field CHV is a cone comprising a vertex C which designates an eye (or both eyes) of the user and an opening angle W.

This second means can be indifferently a means of long distance communication or having a range limited in distance. A long-distance means of communication is for example a Wide Area Network (WAN). A means of communication having a range limited in distance is for example a USB cable (acronym for "Wide Area Network"). Universal Serial Bus "), a wireless network such as a WI-FI network, an NFC (Near Fiel Communication) type of communication medium, or RFiD (acronym for" Radio Frequency Identification ") type, or a Bluetooth communication means, or a communication means formed by the CPT capture means and the EMT reproduction means as described in the following. Indeed, in our example, the EMT reproduction means, illustrated by a screen present on the second terminal, are able to restore the configuration data; and the CPT capture means present on the first terminal are able to capture the restored configuration data. The assembly including the sensor and the reproduction means forms the second network allowing the configuration data DC to be transmitted from the second terminal TRM2 to the first terminal TRM1. According to one variant, the configuration data is transformed into a code that can be restored by the screen of the second terminal TRM2. For this, the second terminal comprises a GNT code generator capable of generating a code, for example a 2D code known to those skilled in the art, representative of the configuration data. Also, the first device is equipped with a decoder DEC able to decode the code captured by the catching means.

In our example, the capture means are a digital camera and the EMT rendering means are a screen capable of displaying data such as the configuration data DC for example in the form of a 2D code. It should be noted here that other means of restitution could have been used.

The transmitter transmitting the configuration data could include a sound emitting device, or light emitter instead of an apparatus of a screen, for transmitting signals able to carry information, in particular the configuration data. The configuration data is then transmitted in the form of sound or light, respectively. Also, the receiving terminal is accordingly equipped with a microphone and a light sensor, respectively. Note that if the means of reproduction are a sound transmitter, they can emit high frequency sounds interpretable only by the terminals. Or if the means of restitution are light emitters, these can flash, and the flashing would be interpretable only by the TRT processing means of the receiving terminal. The steps of an exemplary embodiment are now described with reference to FIG.

It is assumed that the two terminals TRM1 and TRM2 are geographically close to each other. It is assumed that they are in the electromagnetic field of the gateway GTW, that is to say in the disk D, and that communication via the WI-FI network of the gateway is desired.

The two terminals TRM1 and TRM2 do not have the DC configuration data necessary for a pairing between the two terminals via the WI-FI network. A variant could have been for the user to declare by means of a command sent to the processor concerned the desire to communicate with another terminal. When obtaining the DC data, in our example, the communication process via the WI-FI network is put on hold. The hold time is reasonably chosen to allow one terminal to receive DC configuration data from the other terminal.

The steps that precede the communication process via the WI-FI network are as follows. A first step ET1 (AFF-> TRM2) during which the second user UT2 requires the display of a code representative of the configuration data DC on the second terminal TRM2. This request is representative of the desire to communicate via the wireless network RES1. In a second step ET2 (CDE1-> CPU2), the second processor CPU2 receives a display request CDE1 and commands the generation means GNT the generation of a code.

Once the generated code, the second processor CPU2 requires in a third step ET3 (AFF-> 2D) display on the EMT screen generated code. During a fourth ET4 (CHV) step, the first user approaches the first terminal of the second at a distance such that his visual field makes it possible to visualize the two terminals in order to guarantee the legitimacy of the two terminals. In a fifth step ET5 (CDE2-> CPU1), the first user UT1 requires a capture of the code displayed on the EMT screen of the second terminal. We note here that it is the user who controls the display of the 2D code and who controls the capture of the 2D code. In addition, these command actions for displaying the 2D code and for controlling the capture of the 2D code are performed when the two terminals are in the field of view of the first user UT1 and / or the second user UT2. Users have not only the control of the moment of the transmission of the configuration data but they can also visualize the terminals involved namely the first and the second terminal. The approach of the first terminal TRM1 to the second terminal TRM2 is also an action performed by the first user UT2. It should be noted here that the actions performed by a user on one or the other of the terminals are carried out through respective graphic interfaces (not shown in the figures) present on the two terminals. We will not go into the technical details of the graphical interfaces because without interest for the presentation of the invention. In a sixth step ET6 (CPU1-> PRV), the first processor 25 CPU1 receives a CDE2 command for shooting and transmits a command to the processing means TRT able to control a shooting of the code. During a seventh step ET7 (2D-> CPT), the CPT capture means capture the code, the processing means TRT processes the received code and after processing transmits them to the first processor CPU1.

During an eighth step ET8 (CPU1-> DEC), the first processor CPU1 transmits a command to the decoding means DEC requiring the decoding of the received code. In a ninth step ET9 (DC-> MOD), once the decoding has been performed and the configuration data extracted, the first microprocessor CPU1 supplies the configuration data to a MOD module responsible for the configuration phase described above. connection with the first network RES1. The MOD module comprises for this purpose means for taking into account the received configuration data and means for continuing the communication process via the WI-FI network with these configuration data DC. Thus, during a tenth step ET10 (MOD-> COM RES1), the MOD module having knowledge of the configuration data DC continues the communication process via the WI-FI network with the second terminal. At this stage of the process the two terminals can communicate via the first network RES1. We previously saw that the configuration data were transmitted as 2D code. An alternative may be to use a 2D code representative of an identifier. The first terminal TRM1 can then interrogate a database to which it is connected via the WI-FI network for example. The database in question then provides the configuration data useful for the configuration phase. According to another variant, a digital data item (JT), hereinafter referred to as a "token", created by the second terminal TRM2 is added to the configuration data DC. In our example, the configuration data and the JT token are included in the 2D code generated by the code generator. For security reasons, this token is preferably a modified one-time password at each configuration data communication. In this configuration, in our example, the first terminal receives the 2D code including connection data accompanied by a JT token. Then, during the continuation of the communication process via the wireless network RES1, the first terminal TRM1 transmits the received token to the second terminal TRM2, which the second terminal compares with the token initially transmitted to the first terminal TRM1. If the result of the comparison is that the token transmitted to the first terminal and the received token are the same, the second terminal is assured that the first terminal is the one that has received the 2D code. In other words, the first terminal is authenticated. For this purpose, the second terminal comprises - digital data creation means (JT), called first digital data, which is in our example the GNT code generator, the first digital data item accompanying the configuration data during the transmission of configuration data; means for receiving a second digital datum; comparison means able to compare the first and the second data and means capable of conditioning a communication with the first terminal via the first network as a function of the result of the comparison. If there is a match, for example if the data is the same, the communication can take place via the first network. Also, the first terminal comprises - reception means able to receive the configuration data as well as the digital data JT; that is, in our example, the CPT sensor; - Transmission means, namely in our example the first communication means COM1, the digital data JT to the second terminal TRM2 via the first communication means after the terminals have established a connection via the first means. The token may be for example a secret key. In our example, this token is generated by the generation means GNT.

Claims (9)

REVENDICATIONS1. Method for establishing a connection between two terminals, a first terminal (TRM1) and a second terminal (TRM2) able to communicate through at least two communication means including a first means of communication (RES1) requiring data of the configuration (DC), characterized in that the configuration data required for the connection of the two terminals via the first communication means (RES1) are transmitted by the first terminal to the second terminal via a second communication means on which a communication between the two terminals. two terminals includes a terminal authentication step / step. 2. Method according to claim 1, characterized in that the two terminals (TRM1, TRM2) are suitable for use by a respective user (UT1, UT2), and. in that. the transmission of the configuration data is comrnande after a action of a user on one of the two terminals and in that the action is performed when the two terminals are in the field of view of at least one user selected from the first or second user. 3. Method according to claim 1 or 2, characterized in that the second means of communication is a means of communication of a range limited in distance. 4. Method according to claim 3, characterized in that a terminal is equipped with shooting means, another terminal is equipped with a m6yén restitution of information representative of the configuration data, and in that for the communication of the configuration data via the second connection means, the shooting means capture the information. 5. Method according to claim 1, characterized in that a digital datum (JT) created by the second terminal is added to the configuration data (DC) during the communication of the configuration data to the first terminal, and in that the data digital (JT) received by the first terminal (TRM1) is transmitted from the first terminal to the second terminal via the first communication means after the terminals have established a connection via the first means. Computer system (SYS) comprising a first terminal (TRM1) and a second terminal (TRM2) able to communicate through at least two communication means including a first: communication means requiring configuration data (DC), characterized in that the second terminal (TRM2) comprises transmission means (EMT) of the data of. configuration via a second communication means on which a communication between the two terminals includes a terminal authentication step, and in that the first terminal (TRM1) comprises. receiving means (CPT) of the configuration data (DC). via this second means of communication. 7. Terminal (TRM2), said second terminal, adapted to communicate with another terminal (TRM1), said first terminal, via at least two communication means including a first means of communication requiring data: configuration (DC), characterized in that it comprises transmission means (EMT) configuration data (DC) via a second communication means on which a communication between two terminals includes a terminal authentication step. 8. Terminal according to claim 7, characterized in that it comprises means for creating a digital datum (3T), called first numerical datum, and in that the digital datum accompanies the configuration data during the transmission of data. configuration data, in that it comprises means for receiving a second digital datum and in that it comprises comparison means capable of comparing the first and the second datum and means capable of conditioning a communication with the first datum; terminal via the first network according to the result of the comparison. 9. A computer program adapted to be implemented on a terminal as defined in claim 7, the program comprising code instructions which, when executed by a processor performs a data transmission step (EMT). for configuring (DC) a first communication means (RES1) via a second communication means (RES2) on which a communication between two terminals includes a terminal authentication step.