FR3116981A1 - Method and system for configuring access to a local area network. - Google Patents

Abstract

Method and system for configuring access to a local network. The invention relates to a method and a device for configuring access to a local network (1) administered by a network gateway. It allows at least one terminal (TAD) associated with a user, called a user terminal, to access said local network (1). The method is implemented on the gateway, and comprises the following steps: - reception (E10) of a request to generate at least one network access identifier, called password (K), said request comprising a number N indicating a number of fragments to be generated; - generation (E12) of a password comprising N fragments; - transmission (E13) of the password fig. 1

Description

Method and system for configuring access to a local area network.

Field of the invention

The invention relates to the field of communications security.

The invention applies to any device handling secure passwords to protect access to a hardware or software resource. In particular, it concerns the connection of a user to a local network controlled by a gateway.

Prior art

In known manner, a password is an authenticator allowing a user to access a certain number of hardware and/or software resources of a computer, a server, a set of computers connected in a network, etc

The invention relates in particular to passwords for local networks. According to the state of the art, to access a local network, a user must connect to a routing element, referred to below as "service gateway", or more simply "gateway", from a terminal . To connect to the gateway, the user enters the identification parameters of the local network in the terminal, for example of the Wifi type. In particular, by a process known as prior "pairing", well known to those skilled in the art, he enters or selects the name of the home network, known by the abbreviation SSID (for "Service Set Identifier"), which takes often in the form of an alphanumeric string (for example: "Livebox_666") and, in most cases, a key, or password, for access to the home network, such as a WEP key (for "Wired Equivalent Privacy”) or WPA (for “WiFi Protected Access”). Defining a security key for a WiFi network requires generating relatively long alphanumeric security keys, due to the compromise to be made between network security and the ease of memorizing and/or sharing the key. The WEP key generated to protect access to the user's local network can be in the known form of a sequence of 26 hexadecimal characters (for example, "32F34DA4CFE9EAD355A49EAE17").

The user is often reluctant to use such keys, which are long and complex and difficult to memorize. This is also the case for the administrator, for example the owner of the gateway, when he wishes to manipulate and share the key with, for example, a guest wishing to temporarily access the local network. A solution to help the user or administrator consists in offering him the possibility of generating simpler keys himself to transmit them for example to his guests. This opportunity can lead the user to generate very short, very simple keys (“Mabox” “Guest”) and not respecting the basic rules of robustness of a key, that is to say its resistance to hacking . Indeed, the robustness of a password depends on its length (the number of words, or symbols, of a given dictionary) and the total number of words of the dictionary used.

To overcome this problem, the WPS standard (for "Wi-Fi Protected Setup"), proposed by the WiFi Alliance, aims to facilitate access to WiFi networks, in particular by offering "WPS PIN" and "WPS PBC" modes. (pressing a button provided on the access point), which simplifies the connection of a terminal to the WiFi network. However, these two modes suffer from known security flaws and do not allow you to manage specific rights for guests.

There is therefore a need to offer the user the possibility of connecting to a device such as a local network gateway, using very simple passwords while ensuring high security on the local network.

The invention improves the state of the art.

To this end, it proposes a method for configuring access to a local network administered by a service gateway, said method being implemented on the gateway, and comprising the following steps:
- receipt of a request to generate at least one network access identifier, said password, said request comprising a number N of fragments to be generated;
- generation of a password comprising N fragments;
- transmission of the password.

“Password” means a sequence of symbols making up an access key, for example a WEP type key. By "symbol" we mean any symbol belonging to a dictionary, for example a character. By dictionary, we mean here any source of symbols (alphabet, syllables, words, letters, numbers, sequences of numbers and letters, special characters, etc.).

Advantageously according to the invention, when the gateway receives a request to generate a password, for example a guest password, with a number N of fragments to be generated, it generates such a password in N fragments, by example by dividing a WEP key into a succession of N fragments whose concatenation corresponds to the key, then transmits it to a dedicated terminal for storage. The dedicated terminal can easily associate each of the fragments with a push button, a digit, etc. Subsequently, when a guest wishes to access the local network, all he has to do is connect the dedicated terminal having memorized the password to his access terminal, then replay the code to reconstitute the N fragments in order, and therefore the network access password. For example, the password can be an access key to one of several guest networks. For example, the gateway may have generated and transmitted several guest passwords in the form of fragments, and the network administrator may indicate to his guest which code to dial on the dedicated terminal.

The password transmission step consists of transmitting each of the fragments, one after the other or in groups, to the terminal dedicated to memorization, hereinafter called “memory terminal”.

According to a particular embodiment of the invention, in the method as described above, the password transmission step consists in transmitting each of the fragments in association with a symbol.

Advantageously in this mode, each fragment of the password is associated with a symbol (1 <=> 32F34D; 2 <=> A4CFE9, etc.) before being transmitted to the storage terminal. This allows the storage terminal to record a fragment in association with a symbol such as a number from 0 to 9, corresponding to a key on its keyboard. This also makes it possible to impose a certain robustness on the generated symbols. For example, it is thus possible to prohibit the memorization of the password in association with a code deemed too simple, such as for example "0000" or "1234", etc. According to another example, the configuration process helps the administrator by proposing passwords that make sense for the generated guest network (for example "SIMPLE" or "VIDEO" or "INV_0", etc.)

According to a particular embodiment of the invention, in the method as described above, the request received further comprises data indicating a complexity of the password and the password is generated according to said data. of complexity.

Advantageously, according to this mode, the generated password takes account of complexity data. Thus, and in particular if the password to be generated is associated with a guest network, the complexity data makes it possible to generate a password in line with the wishes of the administrator concerning the vulnerability of this guest network: a guest network giving access to the entire local network (in terms of features and equipment) requires greater security than a guest network giving only access to the Internet, and therefore a more robust password.

The complexity can relate to different elements: number of generated symbols, length of the generated password, constraints on numbers, special characters, upper and lower case letters, etc. For example, a minimum entropy threshold to be respected can be taken into account. An entropy is most generally defined, in the field of information and communication, as a mathematical function which corresponds to the quantity of information contained or delivered in a message (the password in our case) by a source information, in this context a dictionary of characters. From a receiver's point of view, the more the source transmits different symbols with equal probability, the higher the entropy. We can thus generate on the gateway a password of entropy, and therefore of robustness, given, which will ensure a certain security on the guest local network.

According to a particular embodiment of the invention, in the method as described above, the request received further comprises data indicating a type of access to the local network and the password is generated according to said type of access.

Advantageously according to this mode, the generated password takes account of data of the type of access required. Thus, and in particular if the password to be generated is associated with a guest network, the complexity data makes it possible to generate a password in line with the wishes of the administrator concerning the vulnerability of this guest network: a guest network giving access to the entire local network (in terms of features and equipment) requires greater security than a guest network giving only access to the Internet, and therefore a more robust password. The type of access can relate to different elements, such as access rights to local network equipment (connected objects, hard drives, servers, digital decoder, etc.), to other networks (Internet, mobile network , etc.), protocols (access to Wi-Fi, Bluetooth, UPnP, etc.), certain services (video, games, etc.), certain speed categories, etc. Thus, the configuration will be able to associate more complex passwords with greater rights, or passwords associated with sequences of symbols related to the targeted service(s) (for example, NET for network access, VOD for access to video on demand, NAS for access to the hard disk associated with the gateway, etc.)

Correlatively, the invention also proposes a device for configuring access to a local area network comprising at least one transmission module, a memory and a processor configured for:
- receive a request to generate at least one network access identifier, said password, said request comprising a number N of fragments to be generated;
- generate a password comprising N fragments;
- transmit the password.

The invention also relates to such a device in which the transmission module is a serial type interface.

The invention also relates to such a device in which the transmission module is a radio interface.

The invention also relates to a home gateway comprising such a configuration device.

The invention also relates to a system comprising

- a home gateway as defined above;
- A password storage device capable of storing the fragments of the password transmitted by the configuration device.

The invention also relates to a computer program comprising instructions for implementing the above method according to any one of the particular embodiments described above, when said program is executed by a processor. The method can be implemented in various ways, in particular in wired form or in software form. This program may use any programming language, and be in the form of source code, object code, or intermediate code between source code and object code, such as in partially compiled form, or in any other desirable form.

The invention also relates to a recording medium or information medium readable by a computer, and comprising instructions of a computer program as mentioned above. The recording media mentioned above can be any entity or device capable of storing the program. For example, the medium may comprise a storage means, such as a ROM, for example a CD ROM or a microelectronic circuit ROM, or else a magnetic recording means, for example a hard disk. On the other hand, the recording media may correspond to a transmissible medium such as an electrical or optical signal, which may be conveyed via an electrical or optical cable, by radio or by other means. The programs according to the invention can in particular be downloaded from an Internet-type network.

Alternatively, the recording media may correspond to an integrated circuit in which the program is incorporated, the circuit being adapted to execute or to be used in the execution of the method in question.

This device and this computer program have characteristics and advantages similar to those previously described in relation to the method for configuring access to a local area network.

List of Figures

Other characteristics and advantages of the invention will appear more clearly on reading the following description of particular embodiments, given by way of simple illustrative and non-limiting examples, and the appended drawings, among which:

There illustrates an example of an environment for implementing the invention according to a particular embodiment;

There illustrates an architecture of a device for configuring access to a local area network according to one embodiment of the invention;

There illustrates steps of the method for configuring access to a local area network according to one embodiment of the invention.

Description of an embodiment of the invention

General principle of the invention

The general principle of the invention consists in connecting to the home gateway a very simple terminal, hereinafter called storage terminal, dedicated to the storage of passwords in the form of fragments, for example of the keyboard type, which will be recognized later as an access device by a guest user terminal.

On request for degeneration of a password, in particular for a guest network, the gateway transmits to the dedicated terminal a password, for example a WEP key, cut into fragments so as to be able to be stored on the terminal in the form of fragments . For example, if the storage terminal expects a 4-digit or letter code, the key will be cut into 4 and transmitted in 4 fragments from the gateway to the storage terminal. If the storage terminal is a simple button key, the key will not be cut, but supplied in its entirety, that is, as a single fragment.

Once the password(s) have been memorized in the form of fragments, if each fragment is associated with a key on the keyboard, when the guest wishes to connect to the local network, all he has to do is dial the code corresponding to the different fragments of the password. goes to its storage terminal, connected to an access terminal. This code will be transcoded on the storage terminal into a local network access password, as expected by the service gateway. If the password is correct, the access terminal will be able to access the guest local network.

It is thus possible to generate a WEP key of standard length for a guest network, with a minimum number of digits or letters to be memorized by the user, administrator or guest.

Particular embodiments of the invention.

There represents the context of an embodiment of the invention according to which a user (AD) administrator of the local area network controlled by the PAS gateway wishes to generate one or more guest passwords to give access to all or part of the resources of the local area network via a so-called "guest network".

We recall here that a local area network, also called home network, is a computer network that connects together, with or without wires, the terminals of a house (computers, printing, restitution, storage, etc.) able to communicate with each other. A home network generally includes router equipment, also commonly called home gateway, or service gateway, an intermediate element ensuring the redirection, or routing, of data packets between the various terminals and the networks connected to it. Such a home network often connects the various terminals using wireless WiFi or wired Ethernet technology, the two types of support being provided for communications based on the protocols of the IP (Internet Protocol) family, the basic protocol for communication networks. type Internet and by extension, name of the network itself. To this end, the service gateway has a WiFi communication function, or WiFi access point (AP, for Access Point), which allows it to communicate wirelessly with the terminals of the network.

The storage terminal C is, according to this example, a very simple USB keyboard which makes it possible to enter numerical data of the digit type, to convert them into a complex password and to transmit them to the gateway via an access terminal during of subsequent use.

According to this embodiment, to configure one or more guest networks, the administrator user AD connects his terminal dedicated to the storage of passwords C to the home gateway PAS by a communication link (L). The connection can be of any type, wired or wireless. According to one embodiment, it is of the USB (Universal Serial Bus) type for a serial connection with the gateway, which has an interface of the same type (USB).

To generate one or more guest passwords, the administrator connects to the gateway via a TAD terminal known to the gateway (because it is part of the gateway's local network). For example, he accesses the gateway configuration interface via this terminal and creates one or more guest accounts. To this end, he just needs to configure the guest network in the usual way (validity time, authorized access, etc.) and to ask the gateway for a key, or password, specifying the number of fragments desired, and optionally an indication of robustness (or length) and/or type of access. The gateway generates a password (for example a WEP key "32F34DA4CFE9EAD355A49EAE17") then cuts it into as many fragments as required (for example 4), which it transmits to the storage device. Optionally, each of the fragments is associated with a number (for example, for the WEP key mentioned above: 1 <=> 32F34D; 2 <=> A4CFE9; 3 <=> EAD355; 9 <=> A49EAE17). According to one example, each of the guest passwords corresponds to a 128-bit WEP key. In another example, the length is generated based on the complexity and/or type of access required.

The dedicated storage terminal stores the fragments, in association with the symbols transmitted or chosen by the user. For example, the user enters on the terminal, using his keyboard, a code of the “PIN code” type, that is to say an ordered sequence of 4 digits. Each of the fragments is recorded by the terminal in conjunction with these digits. Optionally, the code and/or the password can be displayed for verification on the terminal screen and the entry is validated by validation keys.

Once the configuration is complete, the dedicated terminal can be disconnected. Subsequently, when a guest wishes to access a guest network via an access terminal (PC, smartphone, etc.), it suffices that he connects to this terminal the storage terminal (for example small keyboard) of the gateway administrator, and enter the simple code associated with one of the guest networks. The password, for example a WEP key, is regenerated from this simple code, by concatenation of the fragments associated with the symbols of the code. Optionally, the code can be displayed for verification on the screen of the access or storage terminal and the entry is validated by validation keys, triggering a transmission to the PAS gateway according to the USB serial protocol.

Naturally, many variants are possible without departing from the context of the invention:

• other wired or wireless communication interfaces and protocols within the reach of those skilled in the art could replace the USB or Bluetooth protocols mentioned for communication between the gateway and the storage device: for example a Wi-Fi type radio interface Fi, or bright Li-Fi type, etc.
• A different interface can be used for configuration and later use of the storage terminal. For example, it can be connected to the gateway via Bluetooth during the configuration process, then via a serial link to the access terminal of the guest user during effective access to the network.
• etc

There represents the architecture of a gateway-type device that implements an embodiment of the invention.

The PAS gateway conventionally comprises memories (MEM) associated with a processor (PROC) controlled by a processing unit (UT). The memories can be of the ROM (Read Only Memory) or RAM (Random Access Memory) or Flash type. A part of the memory M contains in particular, according to the invention, the software part of the device of the invention. It also includes a NAT routing module to ensure the redirection, or routing, of data packets between the various terminals and networks connected to it. The gateway 2 also comprises a certain number of modules which allow it to communicate with the local and extended networks, via different protocols on different physical links; on the , there is thus schematized an Ethernet module (ETH) allowing wired communications with the Internet network and the local network 1, and a Wi-Fi module (WIFI) for wireless communications, as well as a USB-type communication module for communication with terminal C dedicated to storing passwords. It also includes an HMI module for communication with the AD administrator and his TAD terminal, used for configuring the gateway.

The gateway PAS finally comprises, according to the invention, a device for providing DMAS passwords, as well as, according to embodiments, an ASS module for the analysis and the establishment of a list of associations possible between a symbol and a password fragment.

There illustrates steps of the method for configuring access to a local area network according to one embodiment of the invention.

During a step E10 , the administrator sends a request to the service gateway to generate a guest password. To this end, it connects to the gateway (for example via its configuration interface, on a TAD access terminal connected to the gateway's local network) and also connects a password storage device C to the gateway domestic via a link L, for example of the USB type. Optionally, the gateway offers the administrator a help interface for configuring his dedicated terminal during a step E11 . This interface is displayed on the administrator's terminal, TAD. It can for example propose an association between a symbol (to be entered on the storage terminal, or on the TAD terminal) and a password fragment (for example 1 b7b2a385c; 2e79av; 39099; 4 32414c279f52, etc.).

During a step E12 , the gateway generates a password (for example a WEP key “32F34DA4CFE9EAD355A49EAE17”) then cuts it into as many fragments as required (for example 4).

During a step E13 , it transmits the fragments to the storage device. Optionally, each of the transmitted fragments is associated with a symbol/digit (1 <=>32F34D; 2 <=>A4CFE9; 3 <=>EAD355; 9 <=> A49EAE, etc.) which can be chosen and transmitted by the gateway , or by the user who selects them for example on his TAD terminal. According to a variant, the connection of the storage device produces the appearance of a virtual keyboard on the screen of the TAD terminal, which makes it possible to increase the number of possibilities and to have access to an alphanumeric code (for example a simplified password 'garry' or 'BOX') to be associated with the password. If the fragments transmitted are not associated with a symbol, it is the user who associates them, for example with a key of the storage device, by pressing each key before or after reception of the fragment.

During a step E1 , the dedicated terminal stores the fragments, in association with the symbols transmitted by the gateway or chosen by the user. Many variants are possible for associating each fragment with a key on the storage terminal:

• according to a first example, the fragments are transmitted sequentially. They can be transmitted for example each time the user enters a symbol (by pressing a key); in this case steps E1 and E2 are carried out as many times as necessary to obtain the complete password. This is illustrated by the dotted upward arrow in the figure.
• according to another example, the fragments are transmitted together, sequentially; in this case, it is up to the storage terminal to identify the start and end of the fragments to have them associated with a symbol, and therefore with a key on the terminal.
• Etc.

During a step E14 , the method can check the validity of the generated password (robustness, number of symbols, etc.). If the password is not valid, it is possible to return to E10 or E13. Otherwise the device configuration is complete, it can be disconnected.

The storage terminal is, according to one example, a very simple device recognized as a USB keyboard, which makes it possible to enter numerical data of the digit type. During its configuration, as explained above, it associates each fragment in memory with a key on its keyboard. Later, when he is connected for example to a terminal of a guest user, he can convert a simple code, by associating each digit entered on the keyboard with one of the fragments which has been transmitted by the domestic gateway, into a complex password. For example, the guest user enters on this storage device, using his keyboard, a code of the “PIN code” type, that is to say an ordered sequence of 4 digits. Each time he enters a number, a fragment is obtained from the device's memory, and this fragment is appended to the password being generated. The password is finalized after entering the fourth digit. Advantageously, such a very simple device allows the guest to generate a complex password from a simple code, and thereby to access a guest local network, provided with the appropriate functionalities, depending on the complexity of the password and/or the type of access to which the administrator has associated it. This type of device is also very vulnerable to attacks and hacking.

It goes without saying that the embodiment which has been described above has been given purely as an indication and in no way limiting, and that many modifications can be easily made by those skilled in the art without departing from the scope. of the invention.

Claims (10)

Method for configuring access to a local network (1) administered by a network gateway, said method being implemented on the gateway, and comprising the following steps:
- reception (E10) of a request to generate at least one network access identifier, said password (K), said request comprising a number N of fragments to be generated;
- generation (E12) of a password comprising N fragments;
- transmission (E13) of the password. Method according to claim 1, characterized in that the step of transmitting the password consists in transmitting each of the fragments in association with a symbol. Method according to Claim 1, characterized in that the request received also comprises data indicating a complexity (H) of the password and in that the password is generated as a function of said complexity data. Method according to claim 1, characterized in that the request received also includes data indicating a type of access to the local network and in that the password is generated as a function of said type of access. Device (PAS) for configuring access to a local network (1) comprising at least one transmission module (COM), a memory (MEM) and a processor (PROC) configured to:
- receiving (IHM) a request to generate at least one network access identifier, said password (K), said request comprising a number N of fragments to be generated;
- generate (DMAS) a password comprising N fragments;
- transmit (USB) the password. Device (PAS) for configuring access to a local network (1) according to claim 5, in which the transmission module is a serial type interface (USB). Device for configuring access to a local network (1) according to claim 5, in which the transmission module is a radio interface (BT, NFC, Wi-Fi). Home gateway comprising a configuration device according to claim 5, 6 or 7. System comprising:
- a home gateway according to claim 8;
- A password storage device capable of storing the fragments of the password transmitted by the configuration device. Computer program capable of being implemented on a device as defined in one of Claims 5 to 8, the program comprising code instructions which, when the program is executed by a processor, carry out the steps of the method defined according to one of claims 1 to 4.