JP2012531822A - System and method for obtaining network credentials - Google Patents

Abstract

Disclosed are systems and methods for obtaining network credentials. In some embodiments, the method receives a network identifier from a network device using a digital device and provides a first credential request including the network identifier to another digital device on the network. Receiving a request for additional network information from the other digital device, providing a second credential request including additional network information to the other digital device, and from the other digital device. Receiving a credential request response including a network credential and providing the network device with the network credential extracted from the credential request response.
[Selection] FIG.

Description

  The present invention relates generally to access to communication networks. More particularly, the present invention relates to obtaining network credentials and accessing a network.

  Increasing access to information using the network has increased the reliance on network communications for various activities. With this dependency, there is a growing expectation that network access will be possible everywhere. Due to improvements in wireless technology, network access for mobile users has been particularly enhanced. Extensive access options for potential network users with various cellular (GSM, CDMA, etc.), Wi-Fi (ie IEEE 802.11), WiMax (ie IEEE 802.16) and other technologies Has become possible. Many wireless access points or “hot spots” can only be accessed in a local geographic area and may be as narrow as a particular company or other address. Also, strategically located hotspots can provide public or private network access to all people.

US patent application Ser. No. 11 / 899,697 US patent application Ser. No. 11 / 899,638

  The hotspot owner or administrator often requires a password or the like to allow user access. As a result, users of multiple hotpots may need to store, remember, or otherwise manage a large number of passwords. Many users can store their passwords on the laptop computer used to access the hotspot. However, not all devices that can access the hotspot are laptop computers, and mobile phones, personal digital assistants (PDAs), and many other devices are now wirelessly accessible. Unfortunately, users often cannot easily enter a password on the device or store the password in the device. For example, some wirelessly accessible devices do not have a keyboard. Even if the device includes a keyboard, the keyboard is often small and may have limited functionality, especially for users whose fingertips are not dexterous.

  When a user stores a password on a laptop computer, the user must first access the laptop computer to store the correct password on the computer. When the password changes, the user needs to update the password in the computer. Further, storing the user name and password in the device causes a security problem when the device is lost or stolen.

  In addition, the user usually needs to enter a password, a username, and walk around the website to gain network access. This process takes time and may require the user to enter incorrect information and re-enter the data.

  When a user manually enters a password, the user does not try to remember a difficult password. As a result, access with a simple password is subject to hacking and can compromise the user's network access, hotspots and / or user's personal information. Furthermore, if a user's simple password is hacked or simply guessed, the user's network access may be stolen.

  Until now, connecting to a wireless network has been a complex process for other reasons for users of wireless devices. Typically, a user enters an area where two or more Wi-Fi networks exist, selects a Wi-Fi function on his laptop, and a series of “scans” listing available Wi-Fi networks. See Results. In one example, the list of available Wi-Fi networks includes a list of Wi-Fi network SSID identifiers. In many cases, the user must identify a Wi-Fi network for which there is no encryption or other security mechanism (such as a login page). While there are several functional wireless networks, there are also wireless networks that are misconfigured to render the network unusable, increasing user dissatisfaction.

  Usually, the user arbitrarily determines which Wi-Fi network to connect to based on the list. Typically, when a user determines which Wi-Fi network to connect to, whether the selected Wi-Fi network provides sufficient quality of service or whether the network is via Dynamic Host Configuration Protocol (DHCP). I do not know if I can provide an IP address.

  It is not uncommon for different network devices to share similar SSIDs or other identifiers. For example, the SSIDs of a plurality of public libraries may indicate “library”. Since the SSID is not unique, it can be difficult to determine which network credentials to provide to gain access based solely on the SSID. For example, some libraries with an SSID of “library” allow access when the user indicates that they are “guests”. Some libraries with the same SSID require a library card identifier.

  An exemplary method and system for providing network credentials for network access is described. The exemplary method includes receiving a credential request from a digital device via a network device, identifying a network record based on at least some information in the credential request, and the network Extracting one network credential from a plurality of network credentials based on the record, and transmitting a credential request response including the network credential extracted from the plurality of network credentials to the digital device. Including.

  The method can further include decrypting the credential request, authenticating the credential request, and encrypting the credential request response. Further, the method can include retrieving the encryption key based on the digital device. The credential request can be received via a network device standard protocol. This standard protocol can be DNS.

  The credential request can include a location identifier. The method can further include receiving a confirmed access response from the digital device.

  An exemplary system for providing network credentials may include a credential request module and a credential request response module. The credential request module can be configured to receive a credential request from a digital device via a network device. The credential request response module identifies a network record based on at least some information in the credential request, and based on the network record, obtains one network credential from a plurality of network credentials. It can be configured to retrieve and send a credential request response including this network to the digital device.

  An exemplary computer readable medium may include a program. This program can be executed by a processor for implementing a method for providing network credentials. The method includes receiving a credential request from a digital device via a network device, identifying a network record based on at least some information in the credential request, and based on the network record. Retrieving one network credential from a plurality of network credentials and sending a credential request response including the network credential retrieved from the plurality of network credentials to the digital device. Can do.

  Disclosed are systems and methods for selecting a wireless network. In some embodiments, the method includes receiving a first network device identifier for the first network device and a second network device identifier for the second network device, and a first attribute. Obtaining a first network profile based on the first network device identifier; obtaining a second network profile based on the second network device identifier including the second attribute; and the first attribute And selecting a first network device identifier or a second network device identifier based on an attribute analysis of the second attribute.

  In various embodiments, a first network device identifier and a second network device identifier are received by a server from a digital device. The method can further include performing a wireless network selection based on the selection. The method may further include providing a credential request response based on the selection.

  In some embodiments, the network selection identifier includes a first network device identifier. The network selection identifier may also include a sorted list that includes a first network device identifier and a second network device identifier, the list being sorted based on an attribute analysis of the first attribute and the second attribute. The Attributes can include performance metrics, shared indicators, and service identifiers.

  The method can further include comparing the first attribute and the second attribute to a minimum requirement, and selecting the first network identifier or the second network device identifier includes the step of selecting the attribute and the minimum requirement. The comparison is also based at least in part. The method may also further include the step of comparing the first attribute and the second attribute with the personal setting, wherein selecting the first network identifier or the second network device identifier is personalized with the attribute. The comparison is also based at least in part. The method can also include receiving a user identifier and retrieving the personal settings from the user account based on the user identifier.

  In various embodiments, the system includes a digital device and a server. The digital device can be coupled to a communication network and receives a first network device identifier for the first network device and a second network device identifier for the second network device via the communication network. It can be constituted as follows. A first network profile based on the first network device identifier, wherein the server can also be coupled to the communication network, receives the first network device identifier and the second network device identifier from the digital device, and includes a first attribute To obtain a second network profile based on a second network device identifier including a second attribute, and based on attribute analysis of the first attribute and the second attribute, the first network device identifier or A second network device identifier may be selected.

  The computer readable storage medium may be configured to store instructions including a method, the method including a first network device identifier for a first network device and a second for a second network device. Receiving a network device identifier of the first network device, obtaining a first network profile based on the first network device identifier including the first attribute, and based on the second network device identifier including the second attribute Obtaining a second network profile; and selecting a first network device identifier or a second network device identifier based on an attribute analysis of the first attribute and the second attribute.

  Disclosed are systems and methods for obtaining network credentials. In some embodiments, the method receives a network identifier from a network device using a digital device and provides a first credential request including the network identifier to another digital device on the network. Receiving a request for additional network information from the other digital device, providing a second credential request including additional network information to the other digital device, and from the other digital device. Receiving a credential request response including a network credential and providing the network device with the network credential extracted from the credential request response.

  In some embodiments, the first credential request is formatted using the DNS protocol. The first credential request can be provided to other digital devices via an open port on the network device. The open port may be port 53.

  The network identifier can be any identifier that identifies the network, such as an SSID. Additional network information includes, but is not limited to, BSSID, web page title received by digital device from network device, URL of web page received by digital device from network device, or digital device is network device Any information related to the network, such as a hash of a web page received from.

  An exemplary system may comprise a request module and a response module. The request module can be configured to receive a network identifier from a network device. The response module provides a first credential including this network identifier to another digital device on the network, receives a request for additional network information from the other digital device, and adds the additional credentials to the other digital device. Providing a second credential request including network information, receiving a credential request response including a network credential from the other digital device, and networking the network credential extracted from the credential request response It can be configured to be provided to the device.

  An exemplary computer readable storage medium that is configured may be configured to store instructions. This instruction can include a method. The method includes using a digital device to receive a network identifier from a network device, providing a first credential request including the network identifier to another digital device on the network, and the another digital device. Receiving a request for additional network information from the device; providing a second credential request including additional network information to the other digital device; and including a network credential from the other digital device. Receiving the credential request response and providing the network device with the network credential retrieved from the credential request response.

It is a figure which shows the environment which can implement embodiment of this invention. FIG. 3 is a block diagram of an exemplary credential server. FIG. 6 is a flow diagram of an exemplary process for providing network access to a digital device. FIG. 3 is a block diagram of an exemplary credential request. FIG. 3 is a block diagram of an exemplary credential request response. FIG. 3 is a flow diagram of an exemplary method for providing network credentials. FIG. 4 is another flow diagram of an exemplary method for providing network credentials. FIG. 3 is a flow diagram of an exemplary method for receiving and storing network credentials. FIG. 3 is a block diagram of an exemplary credential server. FIG. 6 illustrates another environment in which embodiments of the present invention can be implemented. FIG. 6 is a flow diagram of an example process for providing wireless network selection. FIG. 6 is a flow diagram of an exemplary process for selecting a wireless network. FIG. 6 is a schematic diagram for selecting a wireless network and accessing the selected wireless network. FIG. 2 is a box diagram of a digital device in some embodiments. FIG. FIG. 3 is a flow diagram of an example method for retrieving network credentials when the network identifier may be insufficient to identify the network credentials in some embodiments. FIG. 6 is a flow diagram of an exemplary method for a digital device to receive network credentials when network identifiers are insufficient in some embodiments. FIG. 4 is a flow diagram of an exemplary method for a credential server 116 to provide network credentials in some embodiments. FIG. 6 is a flow diagram of another exemplary method for a digital device to receive network credentials when two or more networks can share a network identifier in some embodiments.

  Embodiments of the present invention provide systems and methods for providing network credentials. In an exemplary embodiment, a credential server receives a request for network credentials from a digital device at a hot spot. This request can be formatted as a standard protocol relayed from the hotspot to the credential server. The credential server can identify a network record based on at least some information included in the request, and can transmit a transmission network credential associated with the network record to the digital device. The digital device can receive the network credentials and provide it to the network device to obtain network access.

  In various embodiments, the rules server can identify a preferred network from multiple available networks to which a digital device can connect based on various network attributes. In one example, a digital device can scan the physical area for available networks and generate a list of available wireless networks. This list is provided to a rule server, which can identify and retrieve the network profiles of individual wireless networks on the list. The rule server can then compare individual network profiles (such as through attributes contained in the individual profiles) and select a preferred network from the list. The rule server can then send the wireless network selection to a digital device that can access the network at this point.

  In some embodiments, the digital device uses the credentials provided by the credential server to access the selected wireless network. In one example, when the rule server selects a preferred wireless network, the rule server (or another server in communication with the rule server) requests a credential request that includes a network credential associated with the selected wireless network. Responses can be provided simultaneously (or nearly simultaneously).

  FIG. 1 shows a diagram of an environment 100 in which embodiments of the present invention may be implemented. In the exemplary embodiment, a user with digital device 102 enters a hotspot. The digital device 102 can automatically send a credential request as a standard protocol beyond the network device 104. The credential request may be forwarded to the credential server 116, which may send a credential request response to the digital device 102 based on information contained in the credential request. it can. The credential request response includes a network credential, which the digital device 102 can provide to the network device 104, the authentication server 108, or the access controller 112 to obtain access to the communication network 114.

  In various embodiments, the hotspot includes a network device 104, an authentication server 108, a DNS server 110, and an access controller 112 coupled to a local area network 106 (such as a “walled garden”). Network device 104 may include an access point that allows digital device 102 to communicate with authentication server 108, DNS server 110, and access controller 112 via local area network 106. Digital device 102 may include a laptop, mobile phone, camera, personal digital assistant, or any other computer device. The authentication server 108 is a server that requests network credentials from the digital device 102 before allowing the digital device 102 to access the communication network 114. The DNS server 110 can provide DNS services via the local area network 106 and can relay requests across the communication network 114 to other DNS servers (not shown). Access controller 112 is an access device such as a router or bridge that can allow communication between a device operatively coupled to network device 104 and a device coupled to communication network 114.

  Although the hotspots in FIG. 1 show separate servers coupled to the local area network 106, those skilled in the art will understand that devices coupled to the local area network 106 (servers, digital devices, access controllers and network devices). It will be understood that there can be any number. In some embodiments, the local area network 106 is optional. In one example, authentication server 108, DNS server 110, and access controller 112 are directly coupled to network device 104. In various embodiments, the authentication server 108, DNS server 110, and access controller 112 can be combined in one or more servers, or one or more digital devices. In addition, although FIG. 1 shows wireless access, the digital device 102 can be coupled to the network device 104 wirelessly or via a wire (such as 10baseT).

  In order to access the communication network 114, the authentication server 108 may require the digital device 102 to provide one or more network credentials for accessing the hotspot. The network credentials can include, for example, a username and password for an account associated with the hotspot. In alternative embodiments, network credentials other than username and password may be utilized.

  According to an exemplary embodiment, the digital device 102 can dynamically obtain network credentials from the credential server 116. The digital device 102 sends a credential request that includes details about the identity of the digital device 102 (or the user of the digital device 102) and details about the network device 104 (such as the network device 104 or Wi-Fi service provider name). 116 can be transmitted.

  In one example, when the digital device 102 enters a hotspot, the network device 104 can provide an IP address of a partner to which a DNS query can be submitted, for example via DHCP (Dynamic Host Configuration Protocol). . The credential request can be formatted as a standard protocol. In one example, the credential request can be formatted as a DNS request. The credential request can be a text recording request that includes a standard recording format (such as TXT) so that the network infrastructure (such as access controller 112) does not block the request. Further details regarding the process of obtaining network credentials can be found in co-pending US patent application Ser. No. 11/899, filed Sep. 6, 2007, entitled “System and Method for Obtaining Network Credentials”. No. 6,697, which is incorporated herein by reference.

  In some embodiments, the credential request is received by the DNS server 110, which can forward the credential request to the credential server 116 for network credentials. In the exemplary embodiment, the credential server 116 performs a search to determine the appropriate network credential (s) and sends it back to the DNS server 110, which is the requesting digital device. Network credentials can be returned to 102. In various embodiments, the appropriate network credential (s) is transmitted from the credential server 116 to the digital device 102 via the same path as the transmission of the credential request.

  Although only one DNS server 110 is shown in FIG. 1, before a credential request is received by the credential server 116, it can be trusted through any number of servers, including but not limited to DNS servers. The certificate request can be transferred. In other embodiments, the credential request is forwarded directly from the network device 104 to the credential server 116.

  In some embodiments, the credential request response from the credential server 116 may include a username, password, and / or login procedure information. The login procedure information can include, for example, an HTML format element name, a submission URL, or a submission protocol. In some embodiments, the credential server 116 may encrypt using a cryptographic key associated with the digital device 102 before sending the network credential response to the digital device 102.

  When the digital device 102 receives the network credential response, the digital device 102 can submit the network credential (taken from the network credential response) to the network device 104 in the form of an authentication response. In the exemplary embodiment, an authentication response may be forwarded to authentication server 108 for verification. In some embodiments, the authentication server 108 can include an AAA server or a RADIUS server. Further details regarding the process of obtaining network access are described in copending US patent application Ser. No. 11 / 899,638, filed Sep. 6, 2007, entitled “Systems and Methods for Obtaining Network Access”. Which is incorporated herein by reference.

  Note that FIG. 1 is exemplary. Alternative embodiments may include more, fewer, or functionally equivalent components, which are also within the scope of this embodiment. For example, as described above, the functions of various servers (such as DNS server 110, credential server 116, and authentication server 108) can be combined into one or two servers. That is, for example, when the authentication server 108 and the DNS server 110 can be configured by the same server, the functions of the authentication server 108, the DNS server 110, and the access controller 112 can be combined into a single device.

  FIG. 2 is a block diagram of an exemplary credential server 116. The credential server 116 includes an authentication module 200, a network module 202, a credential request module 204, a credential request response module 206, an encryption / decryption module 208, a network record storage 210, and an encryption key storage 212. Modules may include software, hardware, firmware or circuitry individually or in combination.

  The authentication module 200 can be configured to authenticate the credential request and provide security to the credential request response. In various embodiments, the digital device 102 encrypts a credential request using an encryption key (such as a shared encryption key or an encryption key that is part of a key pair) or digitally signs a credential request. can do. The authentication module 200 can authenticate the credential request by decrypting the credential request with the appropriate encryption key retrieved from the encryption key storage 212. In one example, the digital device 102 generates a hash of the credential request and stores the hash in the encrypted portion of the credential request. The authentication module 200 can decrypt the credential request, generate a hash of the credential request response, and compare the generated hash with the hash included in the credential request for authentication.

  In other embodiments, the digital device 102 may generate a nonce (ie, a random value) and store the nonce in a portion of the digitally signed credential request. The authentication module 200 can decrypt the digital signature to authenticate the credential request and retrieve the nonce. In various embodiments, the authentication module 200 can include a nonce in the credential request response when the credential request response module 206 generates the credential request response (described below). The authentication module 200 or encryption / decryption module 208 can then encrypt the credential request response. When the digital device 102 decrypts the credential request response, the digital device 102 extracts the nonce from the credential request response and compares this nonce with the nonce sent in the credential request for further authentication. It can be carried out.

  The network module 202 may be configured to receive a credential request and send a credential request response over the communication network 114.

  The credential request module 204 can receive a credential request from the network module 202. The credential request can be a standard protocol. In one example, the credential request is a UDP protocol (such as DNS).

  In the exemplary embodiment, the credential request module 204 can retrieve the DDID and SSID from the credential request. The DDID may identify the digital device 102, the user of the digital device 102, and / or the user associated with the network record. The SSID can identify a hotspot or hotspot service provider (ie, operating company).

  The credential request module 204 or the credential request response module 206 can identify the network record based on the DDID and SSID. A network record is a record associated with a DDID and SSID (directly or indirectly (like a relational database)). In one example, the network record includes the network credentials necessary to provide network access to the digital device 102 associated with the DDID at a hot spot associated with the SSID. Network records can be stored in the network record storage 210.

  The credential request response module 206 can generate a credential request response. In various embodiments, the credential request response module 206 receives network credentials associated with the DDID and SSID from the network record. In some embodiments, the network credentials can include a credit card number. In one example, the digital device 102 receives the network credentials, retrieves the credit card number, and provides this credit card number to the authentication server 108. In some examples, the authentication server 108 can then charge the credit card associated with the credit card number or use this information to verify the user's identity before granting network access. .

  Further, in various embodiments, the network credentials can include login procedure information. In one example, the credentials will include a username and password that will be provided in a form (such as an authentication form) that is retrieved by the digital device 102 from the authentication server 108. In some embodiments, the login procedure information may instruct the digital device 102 to load the completed form to the authentication server 108 after reading the network credentials into specific fields in the form. . One skilled in the art will appreciate that there are many ways to provide credentials to the authentication server 108. The process of providing credentials to an authentication server is further described in co-pending US patent application Ser. No. 11 / 899,638, filed Sep. 6, 2007, entitled “System and Method for Obtaining Network Access”. Have been described.

  The credential request response module 206 or the encryption / decryption module 208 can encrypt the credential request response with a DDID or encryption key associated with the credential request. In one example, the credential server 116 stores one or more shared encryption keys. Individual shared cryptographic keys can be shared by at least one digital device 102. The credential request response module 206 can encrypt the credential request response with a shared encryption key associated with the digital device 102 (eg, can associate the shared encryption key with the DDID). The credential request response module 206 or the encryption / decryption module 208 can also encrypt the credential request with an encryption key that is part of the key pair. There can be many ways for the encryption / decryption module 208 to encrypt the credential request.

  The encryption / decryption module 208 can decrypt the credential request and encrypt the credential request response. As described above, the encryption / decryption module 208 can decrypt the digital signature of the credential request. In one example, the encryption / decryption module 208 decrypts the digital signature based on the encryption key associated with the DDID included in the credential request. The encryption / decryption module 208 can also encrypt the credential request response. In one example, the encryption / decryption module 208 encrypts the credential request response based on an encryption key associated with the DDID (such as a shared encryption key or an encryption key that is part of a key pair).

  In various embodiments, the encryption / decryption module 208 can encrypt the network records included in the network record storage 210 and manage the encryption key storage 212. The encryption / decryption module 208 may also establish secure communication with the digital device (such as via SSL and HTTP) when storing network credentials. This process will be further described with reference to FIG. According to some embodiments, the encryption / decryption module 208 may be optional.

  The network recording storage 210 and the encryption key storage 212 can store network records and encryption keys, respectively. The network recording storage 210 and the encryption key storage 212 can include one or more databases. In one example, the network record storage 210 can store network records. The network record can include a DDID, SSID, and network credentials. The network record may also include a username and password for the user to access the network record and change, update, or store it on the credential server 116.

  In various embodiments, the network record may also allow multiple digital devices 102 to use the same network credentials. In one example, a user can own multiple digital devices 102. Multiple DDIDs, each associated with a different digital device 102, can be included in the same network record. In some embodiments, multiple devices can be associated with one or more network records, and the one or more network records are associated with the user. As a result, the user can use any number of digital devices 102 to retrieve network credentials for the hotspot. There are many methods (eg, different data structures, databases, records, systematization schemes and / or methods) by which those skilled in the art can store and organize network records and / or information contained therein. You will understand that.

  FIG. 3 is a flow diagram of an exemplary process for providing network access to the digital device 102. In step 300, the digital device 102 may scan for the local area network 106 upon first entering the hot spot. As a result of the scanning, in step 302, the network device 104 can provide network configuration information. This network configuration information may include one or more IP addresses for accessing the DNS server 110.

  In step 304, the digital device 102 generates a credential request. Thereafter, in step 306, a credential request can be sent to the DNS server 110 using one of the IP addresses received from the network device 104 previously.

  In step 308, the DNS server 110 identifies the credential server 116 based on the credential request. In other embodiments, the DNS server 110 forwards the credential request to the credential server 116. If the DNS server 110 cannot parse the DNS request locally, the credential request is forwarded to another DNS server on the communication network 114 (eg, via port 53), after which the DNS server Can be transferred to the credential server 116. In step 310, the credential request is forwarded directly to the credential server 116 or indirectly through one or more DNS servers on the communication network 114.

  In step 312, the credential server 116 identifies the required network credentials based on the credential request. For example, the credential request may include an identifier for the digital device 102 (ie, DDID) as well as an identifier for a hotspot SSID (eg, a service provider such as an operating company). The credential request module 204 or the credential request response module 206 can compare these identifiers with a table of such identifiers (such as a network record) to determine an appropriate network credential. Thereafter, in step 314, the credential request response module 206 generates a credential request response, which is relayed back to the DNS server 110 in step 316. In step 318, DNS server 110 forwards the credential request response to the digital device.

  Thereafter, in step 320, the digital device 102 can retrieve the network credentials from the credential request response. Thereafter, in step 322, this network credential can be provided to the network device 104. In step 324, the network device 104 provides network access to the digital device 102 after verifying the network credentials.

  Referring now to FIG. 4, an exemplary credential request 400 is shown in more detail. According to an exemplary embodiment, the credential request response module 204 can generate the credential request response 400. In one embodiment, the credential request 400 may be a DNS string having a structure that includes a location identifier 402, a sequence identifier 404, a signature 406, a DDID 408, a service set identifier (SSID) 410, and a version identifier 412. it can.

  Any location identifier 402 may indicate the physical or geographical location of the digital device 102, the network device 104, the authentication server 108, or the access controller 112. In various embodiments, the credential server 116 can use the location identifier 402 to track hotspot usage, users of the digital device 102, and the digital device 102.

  The sequence identifier 404 can include any number or set of numbers used to determine whether the login was successful in response to a subsequent request to the credential server 116. That is, the sequence identifier 404 provides a correlation mechanism by which the credential server 116 can confirm the login process.

  In the exemplary embodiment, signature 406 includes a cryptographic signature (ie, a digital signature) that is used to prevent spoofing. The request signature 406 from the digital device 102 is verified by the credential server 116. If the signature 406 is not valid, the request is rejected by the credential server 116.

  DDID 408 includes an identifier of digital device 102. For example, the DDID 408 can include the MAC address of the digital device 102 or any other identifier.

  The SSID 410 includes an identifier of a network access point or Wi-Fi service provider. For example, the SSID 410 can include a service provider name or the name of the location where the network device 104 is operating.

  Version identifier 412 may identify the protocol or format of credential request 400. For example, the digital device 102 can generate the credential request 400 and organize the data in a number of different formats. Each different format can be associated with a different version identifier. In some embodiments, the components of the credential request response module 206 can be updated, reconfigured, or gradually changed, which can affect the structure of the credential request 400. As a result, the credential server 116 can receive a plurality of credential requests 400 that are formatted differently. The credential server 116 can access information required by individual credential requests based on the respective version identifier.

  FIG. 5 is a block diagram of an exemplary credential request response. According to an exemplary embodiment, the credential request response module 206 can generate the credential request response 500. In one embodiment, the credential request response 500 can include the ciphertext 502. The ciphertext can include any nonce 504 and credential information 506. The credential information may include key / value pairs 508-510.

  As described above, the credential request response can be formatted as a DNS response that includes ciphertext 502. The ciphertext 502 includes network credentials (such as username, password, and login procedure information). Although the credential request response 500 is shown to include the encrypted text 502, the text in the credential request response 500 need not be encrypted.

  The ciphertext 502 can include a nonce. As described above, this nonce can be extracted from the credential request. Upon receiving the credential request response 500, the digital device 102 can perform authentication by comparing the nonce in the credential request response 500 with the nonce transmitted in the credential request. In FIG. 5, the nonce is shown in a form included in the credential request response 500, but the nonce is arbitrary.

  The credentials information 506 can include a username, password, login procedure information, or a combination thereof. The credential information 506 may include key / value pairs 508-510. There can be any number of key / value pairs in the credential information 506. The key / value pair may represent credential information that the digital device 102 receives and interprets. The credential information 506 is shown as a key / value pair for exemplary purposes only, and the credential information can be in any format that is not necessarily limited to a key / value pair.

  FIG. 6 is a flow diagram of an exemplary method for providing network credentials. In step 602, the credential server 116 receives a credential request from the digital device 102.

  In various embodiments, the credential server 116 decrypts and authenticates the digital signature with an encryption key. Thereafter, in step 604, the credential server 116 can identify the network record based on the DDID and SSID included in the network record. In one example, the credential request response module 206 retrieves one or more network records associated with the DDID in the credential request. Thereafter, the credential request response module 206 identifies at least one network credential associated with the SSID in the retrieved network record (s).

  In step 606, the credential request response module 206 retrieves the identified network credential (s) from the selected network record. In one example, the credential request response module 206 identifies a username and password that a user of the digital device 102 must provide to the authentication server 108 to gain network access. In step 608, the credential request response module 206 generates a credential request response to the digital device 102 that includes network credentials (such as a username, password, etc.).

  In some embodiments, the credential request response module 206 can identify login procedure information as part of the network credential. The credential request response module 206 can retrieve login procedure information from a network record (such as the same network record that includes the password associated with the SSID). The login procedure information can include a form identifier and instructions (such as parameters) for the digital device 102 to follow to obtain network access. In one example, the digital device 102 retrieves the form identifier and instructions from the network credentials in the credential request response. Based on the form identifier and command, the digital device 102 can identify the form received from the authentication server 108 and the input data. In another example, digital device 102 provides authentication server 108 with information for obtaining network access based on login procedure information included in the credential request response. The process of providing information to the authentication server 108 is further described in US patent application Ser. No. 11 / 899,638, filed Sep. 6, 2007, entitled “System and Method for Obtaining Network Access”. .

  FIG. 7 is another flow diagram of an exemplary method for providing network credentials. The digital device 102 can search for and discover available wireless networks via the network device 104. In step 702, the digital device 102 can receive network configuration information while connected to the hotspot. The network configuration information can include an identifier of the network device 104 or the DNS server 110. In one example, the digital device 102 receives the IP address of a DNS server (such as the DNS server 110) during the connection process.

  In step 704, the digital device 102 generates a credential request. This credential request may include a sequence identifier, DDID, and SSID. In step 706, the digital device 102 optionally generates a nonce and digitally signs the credential request using the encryption key. In step 708, the digital device 102 sends the credential request as a standard protocol. Network device 104 may receive and forward the credential request to communication network 114. In various embodiments, the network device 104 provides a credential request to the DNS server 110, which can forward the credential request to the credential server 116.

  In the exemplary embodiment, the credential request module 204 of the credential server 116 receives the credential request. The credential request module 204 can retrieve the encryption key associated with the DDID in the credential server from the encryption key storage 212. Thereafter, the credential request module 204 can authenticate by decrypting the digital signature of the credential request. The credential request module 204 can further retrieve the nonce and sequence identifier from the credential request.

  Thereafter, the credential request response module 206 of the credential server 116 can retrieve the network record associated with the DDID and SSID from the network record storage 210. The credential request response module 206 extracts the network credential from the network record and generates a credential request response. The credential request response can include a network credential and a nonce. The encryption / decryption module 208 can encrypt the credential request response using the encryption key associated with the DDID retrieved from the encryption key storage 212. In some embodiments, the credential request response is formatted as a standard protocol (such as DNS).

  In step 710, the digital device 102 receives a credential request response. Thereafter, in step 712, the digital device 102 authenticates the credential request response. In one example, the digital device 102 decrypts the credential request response using the same encryption key that is used to digitally sign the credential request. The digital device 102 can further retrieve the nonce in the credential request response and compare this nonce with the nonce transmitted in the credential request for further authentication. If the credential request response is found to be authentic, in step 714, the digital device 102 retrieves the network credential from the credential request response.

  In step 716, the digital device 102 identifies authentication requirements associated with network access. In various embodiments, the digital device 102 determines suitable information and network credentials to provide to the authentication server 108. In one example, the digital device 102 retrieves one or more network access pages from the authentication server 108. The digital device 102 can access the correct network access page from the authentication server and make a selection automatically. In one example, the digital device 102 can automatically activate the selection (eg, activate a button in the network access page, check a box, and select a radio button).

  For example, the credential request response module 206 can provide instructions to the digital device 102 for automatic selection in the network access page. As described herein, the network access page may include one or more web pages retrieved from the authentication server 108, one or more tags, or a combination of both. In one example, software in the digital device 102 can automatically check all selection boxes in the network access page. The digital device 102 can then uncheck the selection box based on the login procedure information. One skilled in the art will appreciate that there are many ways to allow automatic selection. In other embodiments, the digital device 102 receives an XML tag from the authentication server 108. The digital device 102 can provide information based on the XML tag and command in the login procedure information to the authentication server 108 to obtain network access.

  In step 718, digital device 102 provides network credentials to network device 104 to obtain network access to communication network 114. In one example, the credential request response module 206 retrieves one or more forms from the authentication server 108, reads one or more network credentials into the form, and sends the completed form to the authentication server 108. provide. In another example, the credential request response module 206 provides network credentials to the authentication server 108 as needed. Upon receiving the network credentials, the authentication server 108 can enable communication between the digital device 102 and the communication network 114. In one example, the authentication server 108 instructs the access controller 112 to authorize the digital device 102 to access the communication network 114.

  The digital device 102 can then test network connectivity to confirm network access. In one example, the digital device 102 sends a request to the credential server 116 to determine whether the communication network 114 is available. In some embodiments, the query or command includes a sequence identifier that was previously included in the credential request. If the network access is successful, the credential server 116 can receive this request and retrieve the sequence identifier. As a result, the credential server 116 can confirm that the network access is successful.

  FIG. 8 is a flow diagram of an exemplary method for receiving and storing network credentials. In various embodiments, a user can create a network record and store it on the credential server 116. For example, the credential server 116 includes a credential storage module (not shown) that provides a graphical user interface (GUI) that allows a user to create, store, update, delete, and modify network records. Can do.

  In step 802, the credential server 116 provides the user with a network credential request form. In one example, the credential server 116 provides the network credential request form to the user as one or more web pages over the Internet. The network credential request form is configured to receive a service provider name (such as an operating company name) and / or an SSID and network credentials.

  The service provider name may include a hot spot, one or more components related to the hot spot (eg, network device 104), or the name of an entity operating the infrastructure of the local area network 106. In some embodiments, the service provider name includes the name of an organization that manages one or more hotspots of another service provider. In one example, both coffee shops and bookstores can use a third administrator to manage the hotspot, even if there are different service providers at the hotspot. In some embodiments, the network credential request form can be configured to receive a third administrator name. In some embodiments, the service provider name includes the name of an organization (such as an aggregator) that resells access to the hotspot network.

  The network credential request form may also receive an SSID as a network service selection. In one example, the network credential request form includes pull-down menus of different service providers and / or hot spots that can be selected by the user. For example, the user can select “Starbucks” or “San Francisco International Airport” as a hotspot. The user can be given further choices such as the hotspot's geographical location. The user can also select a service provider. For example, the user can select “T-Mobile” as the service provider. As a result, the network credential request form may allow the user to select from one or more of various hot spots associated with the T-mobile. These (single) selections can then be stored as network records. Alternatively, a network service identifier associated with the selection (s) is generated as an SSID.

  Further, the network credential request form can receive network credentials from the user. For example, the user can enter a user name, password, and passcode as network credentials in the network credentials request form. In some embodiments, the network credential request form determines the required network credential type after receiving the SSID. For example, the network credential request form identifies the information required to access the network at the San Francisco International Airport hotspot that the user has just selected. The network credential request form then generates fields or options that allow the user to enter only the information (username, password, etc.) necessary to gain network access at this hot spot.

  The credential server 116 may also require the user to register before receiving the network credential request form. During registration, the user must agree to the service terms and enter customer information. The customer information includes a username and password for accessing the credential server 116 and storing the network credentials. Optionally, the customer information can include the user's address, contact information, and payment options for the user to use the services provided by the credential server 116.

  In step 804, the credential server 116 receives customer information and network service selection via a network credential request form. In step 806, the credential server can retrieve the network credentials. In step 808, the credential server 116 receives customer information. In step 810, the credential server 116 associates the network credential with the customer information, the network service selection, and the network credential (s) and creates a network record. Thereafter, in step 812, the network record is stored.

  In some embodiments, a user can manually access the credential server 116 via the Internet. In other embodiments, the user can download and install network credential software on the digital device 102. This network credential software can identify the DDID of the digital device 102 and send it to the credential server 116. In other embodiments, network credential software can be preinstalled on the digital device 102. When the digital device 102 first launches the network credential software, the network credential software can identify the DDID of the digital device 102 and send it to the credential server.

  The user can enter the SSID into the network credential software (eg, identify a service provider or hotspot). The user can also enter network credentials into the network credentials software. The network credential software uploads this information to the credential server 116 after obtaining the DDID, SSID, and network credential, and the credential server 116 may store this information in the network record. it can. In various embodiments, network credential software can be downloaded from the credential server 116.

  FIG. 9 is a block diagram of an exemplary digital device. The credential server 116 includes a processor 900, a memory system 902, a storage system 904, an input / output interface 906, a communication network interface 908, and a display interface 910. The processor 900 is configured to execute executable instructions (such as a program). In some embodiments, processor 900 includes circuitry or any processor capable of processing executable instructions.

  Memory system 902 is any memory configured to store data. Some examples of the memory system 902 include storage devices such as RAM or ROM. The memory system 902 can include a ram cache. In various embodiments, data is stored in the memory system 902. Data in the memory system 902 can be cleared or eventually transmitted to the storage system 904.

  The storage system 904 is any storage configured to retrieve and store data. Some examples of storage system 904 include flash drives, hard drives, optical drives, and / or magnetic tape. In some embodiments, the credential server 116 includes a memory system 902 in the form of RAM and a storage system 904 in the form of flash data. Memory system 902 and storage system 904 both include computer readable media that can store instructions or programs executable by a computer processor, such as processor 900.

  Any input / output (I / O) interface 906 is any device that receives input from a user and outputs data. Any display interface 910 is any device configured to output graphics and data to a display. In one example, the display interface 910 is a graphics adapter. It should be understood that not all digital devices 102 include an input / output interface 906 or a display interface 910.

  A communication network interface (com. Network interface) 908 can be coupled to a network (such as the local area network 106 and the communication network 114) via a link 912. The communication network interface 908 can support communication via, for example, an Ethernet connection, a serial connection, a parallel connection, or an ATA connection. The communication network interface 908 may also support wireless communication (such as 802.11 / b / g / n, WiMax). It will be apparent to those skilled in the art that communications network interface 908 can support many wired and wireless standards.

  Various embodiments allow a digital device to automatically select and access an available wireless network from multiple available wireless networks based on various rules in order to achieve satisfactory service quality. A system and method for performing this will be described. Such rules can be implemented within the digital device itself, on a server in communication with the digital device, or a combination of both. In various embodiments, the wireless network is a network that allows wireless access between the digital device and a communication network such as the Internet.

  According to some embodiments, a user of a wireless digital device (such as a digital device capable of Wi-Fi communication) creates an account on a web server and uses the account to use one or more ( Register digital devices (such as computers, laptops, personal digital assistants and mobile phones). Registered digital devices can be managed so that network records are provided by a central server (such as a profile server or a credential server) via a network communication mechanism such as HTTP.

  FIG. 10 is a diagram illustrating another environment in which embodiments of the present invention may be implemented. In various embodiments, a user with a digital device 1002 enters an area that exists near network devices 1004 and 1006. In one example, network devices 1004 and 1006 are separate access points, each of which can be used to establish communication between digital device 1002 and communication network 1008.

  The digital device 1002 can scan the area surrounding the digital device 1002, detect two network devices 1004 and 1006, and generate a list of available wireless networks with which the digital device 1002 can establish communication. In some embodiments, the list of available wireless networks includes DDID identifiers, SSID identifiers and / or BBSID identifiers of network devices 1004 and 1006.

  The digital device 1002 then provides the list of available wireless networks to the rule server 1010. In one example, the digital device 1002 provides a list of available wireless networks to the communication network 1008 as a standard protocol for the network device 1004 or the open port of the network device 1006 and ultimately to the rules server 1010. . In another example, the digital device 1002 can be utilized via another network (such as a CDMA, GSM, 3G, or EVDO) such as a cellular communication network not shown, or (Wi-Fi, Provide a list of other wireless networks (such as Wimax or LTE networks).

  The rules server 1010 can receive a list of available wireless networks and retrieve network profiles for individual wireless networks identified in the list. A network profile is a record associated with a wireless network and including attributes relating to performance and / or quality of service provided by the associated network. In one example, the rules server 1010 identifies individual networks in the list and provides the SSID and / or BBSID of the individual networks to the profile server 1014. The profile server 1014 can then provide individual server network profiles (based on SSID and / or BBSID) to the rules server 1010. In some embodiments, profile server 1014 retrieves a network profile from a database or other server (such as network database server 1012).

  The rules server 1010 may select a preferred wireless network from a list of available wireless networks based on attributes in the network profile and / or any attributes received from the digital device 1002. An attribute is a characteristic of a wireless network. In various embodiments, the attribute includes a performance metric, a shared indicator, or a service identifier. A wireless network performance metric is any measure of network performance. In some examples, the performance metric may include a latency metric, a bandwidth metric, or a quality of service (QOS) metric. One skilled in the art will appreciate that the performance metrics can include any type of metric that represents the performance of the wireless network.

  A latency metric is a measure that represents the time to transmit a data packet from a digital device to a server over a network. In some embodiments, the digital device 1002 can send an ICMP “echo request” packet to the server and listen to an ICMP “echo response” response. The latency metric includes an estimate of round trip time (typically in milliseconds) and / or can include any packet loss. In another example, the latency metric is half of the estimated round trip time.

  A bandwidth metric is a measure of the available bandwidth of a wireless network. In one example, a digital device can test available bandwidth by sending data blocks to a server over a wireless network and timing the response.

  A QOS metric is any measure that measures the quality of service of a wireless network, access device 1004, access device 1006, and / or communication network 1008. In one example, the QOS metric represents DHCP reliability as determined by measuring the length of time required to obtain an IP address. The reliability of DHCP can include statistical measurements, the probability of receiving any IP address, and / or a time allocation.

  The sharing indicator indicates whether the wireless network is shared. In some embodiments, the sharing indicator can be in one of three states including “shared”, “not shared”, “unknown”. A sharing indicator can include only one state (such as “non-shared”), but those skilled in the art will understand that a sharing indicator can have any number of states. A wireless network that includes a sharing indicator that indicates that the network is “shared” can indicate that the owner of the wireless network indicates that someone else is intending to use the network. One example of a “shared” network is a wireless network that is intentionally “open” (eg, unencrypted) for use by someone else.

  A wireless network that includes a sharing indicator that indicates that the network is “non-shared” can indicate that the owner of the wireless network does not want someone without explicit permission to access the network. In one example, unshared wireless networks are often intentionally encrypted (such as via WEP or WPA) to limit access to unauthorized users. However, not all “unshared” networks are encrypted. For example, even if the network is not intended to be shared, the owner of the network may misconfigure the network device, or the network may be open (ie unencrypted) through an error.

  A wireless network that includes a sharing indicator that indicates that the network is “unknown” can indicate that the wireless network can be either “shared” or “not shared”. For example, the intention of the open network owner may be unknown.

  The service identifier can identify one or more services supported by the wireless network. In one example, one or more service identifiers indicate that the wireless network supports VoIP, video conferencing and / or video conferencing. The service identifier can identify any type of service supported by the wireless network. In some embodiments, the service identifier may identify a service that the wireless network does not support.

  One skilled in the art will appreciate that a network profile can include any number of attributes. Further, those skilled in the art will appreciate that a network profile can include only one or more performance metrics, only one shared indicator, or only one or more service identifiers.

  In various embodiments, the rules server 1010 selects one or more wireless networks from a list of available wireless networks based on attribute analysis. In one example, rule server 1010 applies various rules to attributes. These rules can include minimum requirements, individual settings, and attribute comparisons. In one example, the rules applied by the rules server 1010 can compare one or more wireless network attributes with one or more minimum requirements. If the attributes of the wireless network are below the minimum requirement, this wireless network cannot be selected or can be removed from the list of available wireless networks.

  In some embodiments, the rules applied by the rules server 1010 can be based on individual settings by the user. For example, the user of the digital device 1002 can indicate an individual setting indicating that the digital device 1002 should only be connected via a wireless network designated as “shared”. In this example, rule server 1010 may select only those wireless networks with attributes that include a sharing indicator that identifies the wireless network as “shared”.

  In various embodiments, the rules applied by the rules server 1010 can be based on a comparison of attributes of one wireless network with those of another network. In one example, the attribute can indicate that one wireless network has greater bandwidth and lower latency than another wireless network. In this example, the rule server 1010 can select one wireless network with better performance or higher service value compared to another wireless network. One skilled in the art will appreciate that there can be any kind of rules used for selection or assistance in selecting a wireless network from a list of available wireless networks.

  When performing wireless network selection, the rule server 1010 can apply two or more rules. In one example, the user's individual settings can be applied before the rules server 1010 compares and selects attributes from different wireless networks. In another example, the rules server 1010 can apply minimum requirements to attributes before comparing the attributes.

  Once rule server 1010 has selected a wireless network based on a comparison of attributes from the network profile, rule server 1010 can provide this wireless network selection to digital device 1002. The wireless network selection includes one or more identifiers (such as a network identifier) that identify at least one wireless network. This wireless network selection can include identifying a single wireless network or include a sorted list of wireless networks sorted in priority order.

  In some embodiments, the rules server 1010 provides the digital device 1002 with credentials (such as a credential request response) for the selected wireless network in addition to the wireless network selection. In one example, the rules server 1010 provides the selected wireless network to the credential server 1016, which in turn selects the credential server 1016 (even if no credential request was made). Provide the digital device 1002 with the requested wireless network credential request response. In other embodiments, the digital device 1002 receives the wireless network selection and then proceeds to send a credential request to the credential server 1016 as described herein to receive the credential.

  Further, in various embodiments, the digital device 1002 attempts to establish a connection based on the selected wireless network. If the connection fails, the digital device 1002 can send a credential request to the credential server 1016 to retrieve the credential for network access, as described herein. The digital device 1002 can provide a credential request to the credential server 1016 via the open port of the network device 1004. In another example, the digital device 1002 can provide a credential request via any other network, including connections with different network devices, or via a mobile phone connection.

  In FIG. 10, rule server 1010, network database server 1012, profile server 1014, credential server 1016 and web server 1018 are shown as separate servers, but these servers are all combined as one or more servers. be able to. Similarly, any function of the server may be performed by one of the other servers illustrated or any other server.

  FIG. 10 shows a plurality of servers (such as a rule server, a network database server, a profile server, a credential server, and a web server) for performing wireless network selection from a plurality of available wireless networks. One skilled in the art will appreciate that wireless network selection can also be performed within the digital device 1002. In one example, the digital device 1002 retrieves a scan result listing the available wireless networks and selects a wireless network based on the setting priority. This set priority may be based on one or more locally executed rules, preferred signal strength, or any other one or more attributes. In another example, the digital device 1002 selects a wireless network that supports a desired service (such as VoIP), meets a minimum latency standard, and meets a minimum QOS standard. In another example, the profile server 1014 provides a desired network profile to the digital device 1002, which performs an analysis to determine a preferred wireless network.

  FIG. 11 is a flow diagram of an exemplary process for providing wireless network selection. In step 1102, a server (such as rule server 1010, network database server 1012, profile server 1014, credential server 1016 or web server 1018) receives a list of available wireless networks from digital device 1002. In some examples, this list includes the SSID or BBSID of one or more network devices (such as network device 1004 and network device 1006). The list can include any information identifying the network and / or network device.

  In some embodiments, the server also receives one or more attributes associated with the network and / or network device. In various embodiments, the digital device 1002 measures signal strength, determines available services, or of one or more networks and / or network devices identified on a list of available wireless networks. Take up performance metrics.

  In step 1104, the server retrieves network profiles for each available wireless network on the list of available wireless networks from the plurality of network profiles stored in the network database. Individual network profiles can include at least one attribute. In some embodiments, not all wireless networks on the list have a network profile. If a network profile for a wireless network on the list is not found, a network profile associated with this wireless network can be created. When receiving attributes from the digital device 1002, the server can determine which attributes received from the digital device 1002 are associated with which network, network device and / or network profile.

  In step 1106, the server compares the attributes from the individual network profiles to the minimum requirements. In one example, the server compares latency metrics from all network profiles in the list (if available) to the minimum latency metric. The server can also compare the attributes received from the digital device 1002 to the minimum requirements. In step 1108, the server deletes one or more wireless networks from the list of available wireless networks and / or wireless network profiles based on the comparison (s). For example, a wireless network whose latency metric is below a minimum latency metric may not be selected. In other embodiments, wireless networks whose latency metrics are below the minimum latency metric can receive the weight value and compare it to other wireless networks to assist the selection process.

  In some embodiments, the user of digital device 1010 determines the minimum requirements. In other embodiments, a minimum requirement can be selected for a user (such as an administrator).

In step 1110, the server retrieves the individual settings for the user. The user can send this individual setting to the server. In some embodiments, the user has an account with a web server 1018 that includes personal settings. In one example, the server receives a user identifier along with a list of available wireless networks. The server then accesses the user's account and receives the individual settings, which are then applied to the attributes of the network profile associated with the wireless network on the list. In various embodiments, a user can set an individual setting (such as “aggressiveness”) and the digital device 1002 can connect to a wireless network with this setting. Such settings can include:
(A) Connect to something open regardless of the sharing indicator.
(B) Open except for what the default manufacturer SSID (such as “linksys”) indicates that the owner may be confused and leave the access point simply open and not knowing how to set the security function Connect to things.
(C) Connect to an open one that the profile server 108 recognizes (or already stores information about the Wi-Fi network). Or
(D) Connect to an open that includes a sharing indicator of “shared” or that is indicated as shared by some other means. One skilled in the art will appreciate that there can be many individual settings.

  In step 1112, the server deletes one or more wireless networks from the list or network profile based on the individual settings. For example, the personal settings may indicate that the user only wants to connect to a wireless network that supports video conferencing and maintains user defined QoS requirements. The server may then remove any wireless network from the list of available wireless networks based on attributes obtained from the network profile or recently received from the digital device 1002 that do not meet the user's personal settings. it can.

  In some embodiments, individual settings can then be considered before or after comparison of attributes derived from the network profile. In one example, the personal setting indicates that the user does not want to connect to a wireless network that is not designated as “shared” or that does not provide a particular service. In one example, the rules server 1010 does not retrieve network profiles associated with networks that do not provide the required services and / or does not compare attributes associated with these networks. In other embodiments, the digital device 1002 accesses the preferred wireless network after applying the individual settings to the results received from the rule server 1010 (such as wireless network selection).

  In step 1114, the server compares the attributes of the remaining wireless networks on the list. In various embodiments, the server applies weights to normalize one or more of the attributes (such as metrics) obtained from within the network profile. In some embodiments, old attributes can be deleted or weighted lower than other newer attributes. In one example, any metric older than one week can be weighted lower than a similar newer metric. In another example, metrics older than one month can be deleted from the network profile or excluded from consideration in the comparison. One skilled in the art will appreciate that not all attributes or information obtained from within a network profile can be considered in the comparison.

  An individual network profile can include any number of attributes. In one example, the rules server 1010 performs radio network selection based on a comparison of metrics from two different network profiles. In some embodiments, the rules server 1010 selects a wireless network based on a comparison between two similar metrics (ie, the latency metric from the first network profile is the second network profile). Compared to latency metrics from). One skilled in the art will appreciate that the rules server 1010 can select a wireless network based on a comparison between two similar recently received metrics or a recently received metric and another metric in the network profile. I will.

  In other embodiments, the rules server 1010 selects a wireless network based on a comparison between two different metrics (i.e., the latency metric from the first network profile is from the second network profile). Compared to bandwidth metrics). The rule server 1010 may execute an algorithm that weights and normalizes similar and / or different metrics or attributes to make a comparison to select an appropriate wireless network. In one example, the rules server 1010 compares the latency metric in the first network profile with the bandwidth metric in the second network profile. The rule server 1010 can execute an algorithm that weights and standardizes the measurement standard. Since latency is considered to have a greater impact on network performance, this algorithm can weight latency metrics more than bandwidth metrics.

  An attribute or metric can receive different weights depending on any number of factors. For example, the latency metric can receive a predetermined weight when the metric is within an acceptable range, otherwise it can be a significantly lower weight. A recently received metric from digital device 1002 may receive a greater weight than a similar type of metric in the network profile. One skilled in the art will appreciate that there are many ways to compare similar and / or different performance and / or qualitative metrics.

  In step 1116, the server selects a wireless network based on the attribute comparison. The wireless network selection can include a single preferred wireless network or a list of wireless networks sorted in priority order. In one example, the rules server 1010 identifies the most preferred network, the second most preferred network, and so forth. Thereafter, in step 1118, the rules server 1010 can send a wireless network selection to the digital device 1002.

  In various embodiments, the rules server 1010 compares only metrics that have recently been received from the digital device 1002. In one example, two latency metrics are received from the digital device 1002. Individual latency metrics are associated with separate wireless networks identified on the list of available networks. In this example, rule server 1010 can select a wireless network based on a comparison of two attributes.

  FIG. 12 is a flow diagram of an exemplary process for selecting a wireless network. In step 1202, digital device 1002 enters an area that includes two wireless networks, and digital device 1002 scans for networks to access. In step 1204, the digital device 1002 receives the network identifiers of the first and second available wireless networks. As described herein, the first and second network identifiers may include a BBSID, an SSID, or any other network identifier. For example, the first network identifier can include a BBSID, and the second network identifier can include an SSID identifier. In another example, the first network can provide multiple identifiers including BBSID and SSID, while the second network provides only SSID. In this example, the first network identifier can include both the BBSID and SSID of the first network device, while the second network identifier includes only the SSID of the second network device.

  In step 1206, the digital device 1002 generates a list of available wireless networks. For example, the digital device 1002 can generate a list that includes a first network identifier and a second network identifier. Thereafter, in step 1208, the list is provided to the server.

  In step 1210, the digital device 1002 receives a wireless network selection from the server. The wireless network selection can include an identifier (such as the BBSID and / or SSID of the network device) that identifies the selected wireless network or identifies a network device associated with the selected wireless network. In various embodiments, the wireless network selection may include a list of wireless networks sorted by priority. The list can include two or more identifiers that identify the selected wireless network or network device.

  In step 1212, the digital device 1002 receives credentials for wireless network selection from the server. In some embodiments, the credentials are received from the same server that received the list of available wireless networks from the digital device 1002.

  In various embodiments, the digital device 1002 receives a wireless network selection from the server and then provides a credential request to receive the desired network credentials. In one example, the digital device 1002 provides a credential request in the same way as it provides a list of available wireless networks (eg, via an open port of the network). In some embodiments, the preferred network does not require credentials, or the credentials are stored locally on the digital device 1002.

  In step 1214, the digital device 1002 uses the credentials to access the selected wireless network. In this specification, a process for applying a credential to a login page or the like will be described.

  In various embodiments, the digital device 1002 provides a list of available wireless networks to the server via the open port of the network device in a manner similar to providing a credential request as described herein. Can do. In other embodiments, the digital device 1002 can provide the list to the server via another network. In one example, the digital device 1002 generates a list of available Wi-Fi networks and provides the list via a mobile phone network (such as an EVDO or HSDPA network). In this example, the wireless network selection can be returned to the digital device via the cellular network, after which the digital device 1002 can attempt to access the preferred Wi-Fi network.

  In another example, digital device 1002 accesses one wireless network. The digital device 1002 can then provide a list of available wireless networks to the server. The server can return the wireless network selection to the digital device 1002. If this preferred wireless network is not the network that digital device 1002 originally accessed, digital device 1002 can interrupt the connection and access the preferred wireless network.

  FIGS. 10-12 assume a server that receives a list of available wireless networks, determines a wireless network selection, and provides this selection to the digital device 1002. You will understand that it is not essential. In one example, the digital device 1002 generates a list of available wireless networks and then (eg, from a locally stored network profile, from one or more network devices, from a local database or a remote database, And / or retrieve information from another network such as the Internet) to retrieve any available information about the network on the list. The digital device 1002 can then make a comparison based on what attributes associated with the network are available to make a selection or to generate a priority list. The digital device 1002 can then access the selected wireless network.

  In various embodiments, the digital device 1002 can generate and provide attributes for one or more networks and update the network profile. In one example, the digital device 1002 determines signal quality, bandwidth, or any other metric and provides these metrics to the server along with a list of available wireless networks. In another example, the digital device 1002 accesses a selected wireless network, measures attributes, and provides attribute update metrics in the network profile. The digital device 1002 can capture attributes (such as latency metrics, bandwidth metrics, and QOS metrics) at any time and use them to update the network profile.

  FIG. 13 is a schematic diagram for selecting a wireless network and accessing the selected wireless network. In various embodiments, at steps 1302 and 1304, network device 1004 and network device 1006 provide first and second network identifiers to digital device 1002. In step 1306, the digital device 1002 generates a metric (ie, attribute) by performing measurements on the wireless network associated with the network device 1004 and the network device 1006. In some examples, the metric can include latency, signal strength, or QOS metric.

  In step 1308, digital device 1002 generates a list of available wireless networks that can include the network identifier from network device 1004 and the network identifier from network device 1006. In some embodiments, the digital device 1002 can also include an individual setting that can indicate a priority between two network identifiers or can delete one or both of the network identifiers. In one example, the individual settings indicate that only open networks that do not have a default manufacturer SSID (such as “linksys”) can be accessed. In this example, if the network identifier from the network device 1004 indicates a default manufacturer SSID, the digital device 1002 cannot include the network identifier of this network device 1004 in the list of available wireless networks.

  In some embodiments, if the digital device 1002 cannot generate a list that identifies at least two or more networks, the digital device 1002 does not send the list. In one example, if the digital device 1002 can only identify one available wireless network that meets the user requirements, the digital device 1002 attempts to access the wireless network directly or sends a credential request to the server. Then, any credentials necessary for access can be extracted.

  In step 1310, the attributes and usages via the open port (such as port 53) of the network device 1006 that acts like a proxy when the digital device 1002 provides the network server attributes and list to the rule server 1010. Provide a list of possible wireless networks. In other embodiments, the digital device 1002 provides attributes and lists via the open port of the network device 1004. Alternatively, the digital device 1002 can provide attributes and lists via a separate network (eg, attributes via an open port of one of the network devices and a list via a cellular network). In step 1312, the network device 1006 acts as a proxy by providing attributes and lists to the rule server 1010 via DNS.

  In step 1314, rule server 1010 retrieves the network profile. In one example, the rules server 1010 retrieves a network identifier from the list and retrieves a network profile associated with this network identifier.

  In step 1316, the rules server 1010 (or profile server 1014) updates the attributes in the network profile with the attributes received from the digital device 1002. In one example, a new latency metric from digital device 1002 is used to update the network profile associated with the network identifier from network device 1004. The lifetime value associated with the attribute can also be updated to indicate that the new latency metric is recent.

  In step 1318, the rule server 1010 selects a network device based on the attribute comparison obtained from within the network profile. In some embodiments, the rules server 1010 makes the selection after also applying personal settings obtained from the digital device 1002 (such as via the web server 1018) or from an account associated with the digital device 1002. The rule server 1010 can create a priority list of two network devices from the list provided by the digital device 1002. The list is prioritized based on which of the two network devices provides the most desirable service based on metrics from the network profile.

  In step 1320, the rules server 1010 provides wireless network selection and credentials to the network device 1006 via DNS to function as a proxy for sending information to the digital device 1002. In one example, the rule server 1010 selects the network device 1004. The rule server 1010 can extract the credential of the network device 1004 based on the network identifier of the network device 1004. For example, rule server 1010 can provide a credential request to credential server 1016. The credential server 1016 can provide a credential request response including the necessary credential to the rule server 1010, after which the rule server 1010 has received the credential and radio received from the credential server 1016. Send network selection to digital device 1002.

  Thereafter, in step 1322, the network device 1006 provides the network selection and credentials to the digital device 1002 via an open port. In step 1324, the digital device 1002 provides credentials and accesses the network device 1004 to generate additional attributes for the network (ie, make additional measurements). Once the connection is established, new attributes are provided to the rules server 1010 or profile server 1014 at step 1326 to update the network profile associated with the network device 1004. In one example, the digital device 1002 can measure the time required to establish a connection with the network device 1004. The attributes in the network profile can then be updated using the time required to establish this connection. If the connection is not established or fails, this information can also be provided to update the associated network profile.

  In some embodiments, if the network connection with the selected network fails, the digital device 1002 can retry the connection. If multiple attempts to connect fail, information about this failure is sent and the associated network profile is updated. Digital device 1002 can then attempt to connect to another network device (such as network device 1006). In some embodiments, the digital device 1002 may rescan the region to generate a new list of available networks, and this list may not include networks that the digital device 1002 has failed to connect to. it can. This new list can be sent to the rule server 1010 to receive a new wireless network selection and the process can be repeated.

  In some embodiments, the rules server 1010 provides a priority list of available wireless networks sorted by priority. In one example, the rules server 1010 provides a priority list of three networks to the digital device 1002. The digital device 1002 can then attempt to access the first wireless network based on this priority list. If the digital device 1002 fails to connect to the first wireless network, the digital device 1002 can attempt to connect to the next network on the list. One skilled in the art will appreciate that this priority list can include all, one, or some of the wireless networks identified in the list of available wireless networks. For example, the rule server 1010 cannot identify a wireless network that is known to be inferior in performance, does not provide a desired service (such as a VoIP service), and / or is otherwise blacklisted. .

  In various embodiments, a user of the digital device 1002 can override any wireless network selection and access any wireless network. In one example, the user selects the priority of available wireless networks. In some embodiments, the user can reorder or otherwise modify the wireless network priority list obtained from the rules server 1010, the account with the digital device 1002, or the web server 1018. Can be configured to include different priorities. For example, before providing the list of available wireless networks to the rules server 1010, the digital device 1002 or the web server 1018 can modify this list based on the user's priority.

  In some embodiments, in addition to one or more open Wi-Fi networks, there may be one or more encrypted Wi-Fi networks in place. The digital device 1002 connects to an open Wi-Fi network, and transmits the SSID of another Wi-Fi network including the encrypted Wi-Fi network to the rule server 1010 via a network communication protocol such as HTTP. be able to.

  The rule server 1010 can then determine that an available encrypted Wi-Fi network is a preferred choice for network connectivity based on individual settings or other rules. The rule server 1010 sends the necessary encryption key to the digital device 1002 via the current open Wi-Fi network connection, and sends a command to the digital device 1002 to switch to the encrypted Wi-Fi network. Can do.

  As described herein, an SSID or other network identifier may be insufficient to identify the network credentials necessary to access the network. For example, a plurality of networks may share or be able to share the same SSID or other network identifier. Thus, the credential server can provide at least one network credential of the network having the SSID. If the digital device does not successfully access the network, it can submit a new credential request to the credential server. The credential server can then provide network credentials for different networks that share the same SSID. In some embodiments, this process may continue until the correct network credentials are provided, until a predetermined time expires, or until a predetermined number of attempts are made.

  In some embodiments, the credential server can select network credentials in any number of ways from various networks that may share the same SSID. For example, a credential server can provide network credentials for the network that most people access most. In some embodiments, a credential server may provide network credentials for the access network that is most commonly accessed by the user or digital device requesting access. Alternatively, the credential server is located closest to the user (eg, through GPS location information, AGPS location information, or through a list of other networks available to the digital device as identified by scanning with the digital device). Network credentials can be provided for the network. If the network credentials previously provided to the digital device did not work, the credential server can select a new network credential based on another method.

  In some embodiments, the credential server 116 may request additional network information rather than providing network credentials. For example, the credential server can receive a network identifier and determine that the network identifier is or may be shared by multiple networks. The credential request response can then request additional network information from the digital device. The additional network information may include any additional information about the network, such as, for example, the title of a web page or any other information from a network device associated with the network. As a result, the digital device provides additional network information to the credential server, which can then identify the correct network credential to be provided to the digital device.

  FIG. 14 is a box diagram of a digital device 102 in some embodiments. In various embodiments, if a network identifier associated with a network can be shared, the digital device 102 can be configured to provide additional network information to the credential server 116 to receive network credentials. . The digital device 102 can include a request module 1402, a confirmation module 1404, a retrieval module 1406, a network access engine 1408, and a list module 1410. In many respects, the digital device 102 can function as described herein.

  Request module 1402 may be configured to scan an area near digital device 102 and receive one or more network identifiers, such as SSIDs associated with the wireless network (s). Request module 1402 may also be configured to generate a credential request that includes one or more network identifiers. The credential request can be formatted as a DNS protocol message. The credential request can be formatted with the UDP protocol. Request module 1402 can provide a credential request to the network via a network device associated with at least one of the scanned networks. As described herein, a network device can include at least one open port, such as port 53. Request module 1402 can provide a credential request to credential server 116 via this open port.

  The response module 1404 can receive a credential request response from the credential server 116 (such as through an open port of the network device 104). In various embodiments, the response module 1404 can retrieve a request for network credentials or additional network information from the credential request response. In one example, if the credential server 116 determines that there is insufficient information (eg, the SSID is shared by multiple networks), the credential requesting additional network information from the digital device 102. A certificate request response can be provided.

  The additional network information can include any information regarding the network. In some embodiments, the additional network information may include an SSID, BSSID, web page title received from the network device 104, a wireless internet service provider roaming (WlSPr) tag, a first header on the web page, and / or The redirect URL received from the network device 104 is included. One of ordinary skill in the art would have received this additional network information from an identifier identifying the network device, an identifier identifying the network, or a network device (such as a login page, a redirect page, or a web page including an information request field). It will be understood that any information such as information can be included.

  The retrieval module 1406 can be configured to provide additional information to the credential server 116 based on a request for additional network information. In various embodiments, retrieval module 1406 generates a second credential request that includes additional network information previously received from network device 104. In some embodiments, retrieval module 1406 retrieves additional network information from network device 104. For example, retrieval module 1406 can request and receive a web page from network device 104. Next, the retrieval module 1406 includes the web page title, URL, redirect page identifier, identifier associated with one or more fields of the web page received from the network device 104, etc. in the second credential request. Can be provided. Request module 1402 can then provide this second credential request to the network (eg, in a manner similar to that described with respect to the initial credential request). Similar to the first credential request, the second credential request can also be formatted as a DNS protocol message. The credential request can be formatted with the UDP protocol.

  If the network identifier and / or additional network information is sufficient, the response module 1404 receives a second credential request response from the credential server 116 in response to the second credential request. Can do. The second credential request can include a network credential.

  The network access engine 1408 may be configured to provide network credentials for a wireless network associated with a network identifier and / or additional network information. The network access engine 1408 is incorporated herein by reference and in co-pending US patent application Ser. No. 11 / 899,697, filed Sep. 6, 2007, entitled “System and Method for Obtaining Network Credentials”. Can be configured to provide network credentials, such as those described in this publication, which patent is incorporated herein.

  If network access is granted, the network access engine 1408 can optionally send a message to the credential server 116 confirming that the provided network credentials were successful. If network access is not allowed, the network access engine 1408 notifies the retrieval module 1406 to provide additional network information in another credential request and / or for access by the received network credential. A message can be generated to the credential server 116 that the attempt was unsuccessful. If the digital device 102 did not access the network, the digital device 102 may provide a log of information regarding the access attempt to the credential server 116 the next time it successfully accesses the network.

  In some embodiments, white lists and / or black lists can be used to reduce or avoid sending multiple credential requests. For example, the list module 1410 can be configured to check one or more network identifiers against a white list and / or a black list. The white list and / or black list can be periodically updated by the credential server 116 or any other digital device 102.

  In some embodiments, the list module 1410 checks the network identifier against the black list. If the network identifier (such as SSID) is on the black list, additional network information may be required. For example, the black list can include a list of SSIDs that can be shared by multiple networks. If the network identifier is on the black list, the list module 1410 can notify the retrieval module 1406 to provide additional network information included in the credential request. The credential server 116 that receives the credential request can use this network identifier and additional network information to provide network credentials. In some embodiments, the blacklist provides a list of SSIDs that multiple networks can share and what additional network information to increase the speed and / or likelihood of receiving the correct network credentials. Instructions regarding what to do.

  In some embodiments, the list module 1410 checks the network identifier against the white list. If the network identifier (such as an SSID) is on the white list, no additional network information may be required. For example, the white list may include a list of SSIDs that are considered not shared by multiple networks. However, if the network identifier is not on the white list, the list module 1410 can notify the retrieval module 1406 to provide additional network information included in the credential request. The credential server 116 that receives the credential request can use this network identifier and additional network information to provide network credentials.

  In some embodiments, the blacklist includes a list of network identifiers (such as SSID or BSSID) of network devices to which the digital device 102 is not authorized to access. For example, owners of unprotected network devices may want a limited number of people (such as friends or certain coffee shop customers) to access the network. In some embodiments, the digital device 102 can receive a network identifier of an unprotected network device and compare this network identifier (eg, by the digital device 102 or the credential server 116) with a blacklist. . If this network identifier is associated with a blacklist, the digital device 102 can either cease attempting to connect to the network or disconnect from the network.

  The white list may also include a list of network identifiers associated with networks that the digital device 102 is authorized to access. For example, the digital device 102 or the credential server 116 can check the network identifier against a white list to determine whether the network is associated with the white list. If the network is associated with a whitelist, the digital device 102 can be connected to the network or can remain connected. In some embodiments, the white list includes a list of preferred networks. In this example, the digital device 102 can select a network identifier associated with the whitelist from a list of available networks.

  FIG. 15 is a flow diagram of an exemplary method for retrieving network credentials when the network identifier may be insufficient to identify the network credentials in some embodiments. This flow diagram illustrates communication and activity between and by digital device 102, network device 104, DNS server 110, and credential server 116 in some embodiments. In various embodiments, the digital device 102 can scan an area near the digital device 102 to identify one or more wireless networks. In step 1502, the network device 104 can provide a network identifier in response to the scan from the digital device 102. In some embodiments, the network identifier is an SSID and / or BSSID.

  In step 1504, the digital device 102 generates a first credential request that includes the received network identifier. The first credential request may also include an identifier for the digital device 102, a software license number, or any other information. The first credential request can be encoded. For example, the information in the first credential request can be hexadecimal encoded.

  In various embodiments, the first credential request takes the form of a DNS protocol, which is provided to the DNS server 110 via an open port (such as port 53) of the network device 104. In step 1508, the DNS server 110 can redirect the first credential request to the credential server 116.

  The credential server 116 can include the rule server 1010 or can be the rule server 1010. In some embodiments, the credential server 116 can receive the first credential request and retrieve the network identifier. In some embodiments, the credential server 116 decrypts the first credential request to retrieve the network identifier.

  In step 1510, the credential server 116 determines whether the network identifier is sufficient to identify the network credential. For example, the network identifier may be shared with another network. In some embodiments, the credential server 116 scans a data structure, such as a table, database, or any other data structure, and the network identifier retrieved from the first credential request is two or more. It is determined whether there is a possibility of being shared by the above networks. In one example, the data structure is a black list that includes a list of network identifiers shared by multiple networks.

  In some embodiments, the credential server 116 may determine that there is insufficient information to identify the network credential. In one example, the network identifier can include an SSID and a BSSID. The SSID may be associated with multiple networks and the credential server 116 may not have a network credential associated with a BSSID (such as the MAC address of the network device). If the network identifier is insufficient, the credential server 116 may generate a first credential request response requesting additional network information. The credential server 116 can use this additional network information to identify the correct network and / or network credentials.

  In various embodiments, the request for additional network information includes a request for any additional information that allows the digital device 102 to gain access to the network device 104. In some embodiments, the credential server 116 determines what additional network information is needed to identify the network credential and specifically requests only this additional network information. For example, it may be sufficient to receive the title of a web page from network device 104 to identify two possible networks. The credential server 116 can include a request for the web page title of the network device 104 in the first credential request response. In other embodiments, the credential server 116 may request a variety of different types of additional network information.

  A first credential request response including a request for this additional network information can be returned to the DNS server 110. In one example, the first credential request response is formatted as a UDP protocol and returned to the digital device 102 in a manner similar to the process by which the credential server 116 receives the first credential request. In step 1514, the DNS server 110 can receive the first credential request response and redirect it to the digital device 102 via the open port of the network device 104.

  In step 1516, digital device 102 retrieves the request for additional information from the first credential request response and prepares a second credential request that includes additional network information 1516. In some embodiments, the digital device 102 requests a web page from the network device 104. This request may be a request for network access. The additional network information may include information such as the SSID, BSSID, IP address, or any other information received from the network device 104. In some embodiments, the additional network information may include a web page title, hash, WISPr tag or URL, or any portion of the web page received from the network device 104.

  In step 1518, the digital device 102 provides a second credential request to the DNS server 110. The second credential request can be encoded. Similar to the first credential request, this second credential request can also be formatted as a UDP protocol and provided to the DNS server 110 via an open port on the network device 104. Thereafter, in step 1520, the DNS server 110 can send this second credential request to the credential server 116.

  In step 1522, the credential server 116 retrieves network credentials based at least in part on this additional network information. The credential server 116 may also retrieve network credentials based at least in part on network identifiers and / or other additional network information previously received from the digital device 102. In one example, the credential server 116 can retrieve network credentials from a data structure associated with the network identifier and / or any additional network information. The credential server 116 can include the network credential in the second credential request response. The second credential request response can be encoded and / or encrypted in a manner similar to the first credential request response.

  In step 1524, the second credential request response is returned to the DNS server 110, and in step 1526, the DNS server 110 sends this second credential request response to the digital device 102. A person skilled in the art only shows a single DNS server 110 in FIG. 15, but there are several DNS servers that send different (single) credential requests and / or (single) credential request responses. You will understand. Similarly, although only one credential server 116 is shown in FIG. 15, there can be any number of credential servers communicating with the digital device 102.

  In step 1528, digital device 102 retrieves the network credentials from the second credential request response and provides the network credentials to network device 104. In various embodiments, the digital device 102 authenticates and authenticates the second credential request response in a manner similar to or different from another credential request response (such as the first credential request response). It can be combined.

  One skilled in the art will appreciate that the credential server 116 can request a variety of different network information in any order. For example, in some embodiments, the credential server 116 may provide the digital device 102 with a priority list of additional network information. The digital device 102 examines this priority list to determine if this required additional network information is available. If additional network information is available, the digital device 102 can include this additional network information in the second credential request and provide it to the credential server 116. In some embodiments, the digital device 102 can provide only some of the additional network information to the credential server 116. If the credential server 116 determines that the network identifier and / or additional network information is shared by two or more networks or otherwise insufficient, it may request a request for additional network information. It can be provided in the credential request response.

  In FIG. 15, the network identifier is described as an SSID, but those skilled in the art will understand that the network identifier may be any identifier or combination of identifiers (such as a BSSID). For example, the network device 104 can provide a BSSID to the digital device 102. If this BSSID has not been previously identified or otherwise insufficient, then at step 1512, the credential server 116 may request further information in the first credential request response. In response, the digital device 102 can provide additional network information to the credential server 116 to receive a second credential request response that includes the network credential.

  FIG. 16 is a flow diagram of an example method in which the digital device 102 receives network credentials when the network identifier is insufficient in some embodiments. In step 1602, the digital device 102 scans the area for one or more available wireless networks. In one example, the digital device 102 scans a McDonald's store for an available wireless network. In this example, in step 1604, digital device 102 receives a network identifier for a wireless network. AT & T can provide network services to McDonald's stores. As a result, the network device in the McDonald's store can identify a network that can be used as “attwifi” (for example, provide an SSID).

  In step 1606, the digital device 102 generates a first credential request formatted for the DNS protocol. The first credential request may include a network identifier of “attwifi” and other information such as, but not limited to, a digital device 102 identifier (such as a MAC address). The digital device 102 can provide the first credential request through an open port on the network device, through the network, or through another network device.

  In step 1608, the digital device 102 receives a first credential request response through an open port on the network device, via the network, or via another network device. The digital device 102 can retrieve a request for additional network information from the first credential request response. In response, the digital device 102 can provide additional network information already received from the network device. In one example, the digital device 102 may have received information regarding the SSID and the web page received from the network device. The digital device 102 provided only SSID as a network identifier in the first credential request, but can provide additional network information in the second credential request.

  In step 1610, the digital device 102 generates a second credential request that includes additional network information. In one example, the second credential request response may include a previously provided network identifier (such as a network device SSID) and / or additional network information regarding the network device. The digital device 102 can then provide a second credential request over the network.

  In step 1612, the digital device 102 may receive a second credential request response. The second credential request response can include a network credential. In other embodiments, the second credential request response may request additional network information, and the process can be performed from step 1610 as a new credential request including this additional network information can be generated. Can be repeated. In some embodiments, the second credential request response may indicate that the network credential cannot be used and the process may end.

  In step 1614, if a network credential is available, the digital device 102 retrieves it from the second credential request response. As described herein, the digital device 102 can authenticate, decrypt, and / or decrypt the second credential request response. In step 1616, the digital device 102 can provide the network device with the network credentials retrieved from the second credential request response.

  FIG. 17 is a flow diagram of an exemplary method by which the credential server 116 provides network credentials in some embodiments. In step 1704, the credential server 116 may receive a first credential request from the digital device 102. At step 1704, the credential server 116 may decrypt the first credential request to retrieve a network identifier (such as an SSID for “attwifi”).

  In step 1706, the credential server 116 may determine that the network identifier is insufficient to identify one or more network credentials. In one example, an “attwifi” SSID may identify a wide number of network devices that AT & T provides network access, including other restaurants, coffee shops, and the like. One or more of the other network devices may require different network credentials. For example, AT & T can provide network access at McDonalds and make it free for a limited amount of time, while at Starbucks can ask for a purchase or card number. However, network devices in both McDonald's and Starbucks can share the same SSID.

  The credential server 116 is a network credential with the correct network identifier provided in the first credential request (for example, a network credential including a Starbucks card number, or a web page required for free access at McDonald's). It can be determined that there is a possibility that it is insufficient to obtain the correct input).

  The credential server 116 can ask for additional network information. For example, only a limited number of McDonald's may be wirelessly accessible free of charge through a network service provider, AT & T. Accordingly, the credential server 116 can determine the SSID (such as “attwifi”) and the URL of the redirected web page (such as “http: // www. McDonalds.com/ATTmobile/freeaccesses”). . When the credential server 116 receives a sufficient amount of information, it can provide the digital device 102 with network credentials.

  One skilled in the art will appreciate that the network identifier and / or additional network information may not be unique to only one network or network device. In the above example, two or more McDonalds participating in a promotion to provide free wireless access can provide the same network identifier, and at least some similar additional network information. In some embodiments, once the credential server 116 determines that the desired network credential can be sufficiently identified (eg, the network device providing this network identifier belongs to the participating McDonalds), the desired Network credentials can be provided.

  In some embodiments, the credential server 116 determines one or more aspects of the services provided by the network device to identify one or more network credentials. For example, some hotels or libraries may have multiple network devices, each of which can have a separate network identifier (such as Room 101, Room 102 ...). If the credential server 116 receives a network identifier that the credential server 116 does not recognize, it may provide a credential request response requesting additional information such as the login web page title. The digital device 102 can provide a title indicating “Hyatt Hotel. Austin. TX”. In this example, since all Hyatt hotels can share the same network credential (eg, all Hyatt hotels share the same login page), the credential server 116 can identify any Hyatt hotel in Austin, Texas. The correct network credentials can be provided without explicitly identifying whether can be associated with a particular SSID and title.

  The credential server 116 can identify in any number of ways that sufficient information has been received from the credential request. In one example, the credential server 116 compares the network identifier and additional network information with the data structure. This data structure may indicate, for example, what network identifier and / or additional network information may be sufficient to identify one or more network credentials. Alternatively, the data structure may indicate, for example, what network identifier and / or additional network information is insufficient to identify one or more network credentials. In some embodiments, this data structure can identify what additional network information can be used to identify one or more network credentials.

  If the network identifier is sufficient to identify the network credential, at step 1716, the credential server 116 may retrieve the network credential based on the network identifier. If the network identifier is not sufficient to identify the network credential, then at step 1708, the credential server 116 prepares another (ie, second) credential request response requesting additional network information. be able to. In some embodiments, the credential request response includes an identifier that allows the credential server 116 to identify what additional network information may be useful to provide the network credential (s). Can be included. In step 1710, the credential server 116 provides a credential request response to the digital device 102.

  In step 1712, the credential server 116 can receive another credential request (ie, a second credential request) from the digital device 102. The credential server 116 can retrieve additional network information from this other credential request. Next, the credential server 116 determines whether the network identifier and / or additional network information from one or more of the previously received credential requests is sufficient to identify the network credential. Can be determined. If the network identifier and / or additional network information is insufficient, then in step 1708, the credential request can continue the process of preparing another credential request response requesting additional network information. If the network identifier and / or additional network information is sufficient, at step 1716, the credential server 116 may retrieve the network credential.

  At step 1718, the credential server 116 may provide the digital device 102 with the network credential included in the credential request response.

  FIG. 18 is an illustration of another example method in which a digital device 102 having a black list in some embodiments provides sufficient additional network information to identify one or more network credentials. FIG. In step 1802, the digital device 102 scans the area for available wireless networks. Thereafter, the digital device 102 receives at least one network identifier of the wireless network.

  In step 1806, the digital device 102 determines whether the network identifier for this wireless network is identified on the blacklist. If the network identifier is identified in the blacklist or is associated with the blacklist, at step 1808, the digital device 102 may retrieve additional network information. One skilled in the art will appreciate that this additional network information can be retrieved from the network device or from a storage device (such as a RAM, cache or hard drive) of the digital device 102. In step 1810, this additional network information and / or network identifier may be provided in the credential request.

  If the network identifier is not identified in the blacklist or is not associated with the blacklist, the digital device 102 provides a credential request that includes this network identifier over the network (eg, through an open port of the network device). can do.

  In step 1814, the digital device 102 may receive a credential request response that includes a network credential. In one example, the credential server 116 may have sufficient information to receive the network identifier and / or additional network information and provide the network credential included in the credential request response. Digital device 102 may retrieve the network credentials at step 1816 and provide the network credentials to the network device at step 1818.

  A person skilled in the art will determine that the credential server 116 needs more information, even if it provides additional network information, and a credential request response that includes a request for more additional network information. Will understand. In some embodiments, the digital device 102 includes a whitelist that indicates when sufficient information can be found as described herein.

  One skilled in the art will appreciate that the blacklist and / or whitelist can be updated periodically (such as by the credential server 116). Further, the blacklist and / or whitelist can be part of an application installed on the digital device 102. In other embodiments, the credential server 116 may maintain a black list and / or a white list. In one example, the credential server 116 can receive a credential request from the digital device 102. At this time, the credential server 116 can check the network identifier against the blacklist. If the network identifier is associated with a blacklist, the credential server 116 does not provide the network credential to the network device associated with this network identifier, or a request or instruction to disconnect from the network device Can be provided to the digital device 102.

  In some embodiments, the credential server 116 checks the network identifier against a whitelist to identify preferred networks and / or indicate access permissions. In one example, if the network identifier is not associated with a whitelist, the credential server 116 does not provide network credentials to the network device associated with this network identifier or disconnects from the network device. A message can be provided to the digital device 102 that includes a request or instruction to do so.

  The functions and components described above can be comprised of instructions stored on a storage medium such as a computer readable medium. This instruction can be fetched and executed by the processor. Some examples of instructions are software, program code, and firmware. Some examples of storage media include storage devices, tapes, disks, integrated circuits, and servers. This instruction, when executed by the processor, directs the processor to operate in accordance with embodiments of the present invention. Those skilled in the art are familiar with instructions, processor (s) and storage media.

  The present invention has been described above with reference to exemplary embodiments. It will be apparent to those skilled in the art that various modifications and other embodiments can be used without departing from the broader scope of the invention. Accordingly, these and other variations on the exemplary embodiments are intended to be included in the present invention.

102: Digital device 104: Network device 110: DNS server 116: Credential server 1502: Network identifier 1504: Generate first credential request 1506: First credential request 1508: First credential Request 1510: Determine network identifier is insufficient 1512: First credential request response 1514: First credential request response 1516: Prepare second credential request including additional network information 1518 : Second credential request 1520: second credential request 1522: retrieve network credential based at least in part on additional network information 1524: second credential request response 1526: second Credential request response 1528: network credential

Claims (20)

Receiving a network identifier from a network device using a digital device;
Providing a first credential request including the network identifier to another digital device on the network;
Receiving a request for additional network information from said another digital device;
Providing a second credential request including additional network information to the another digital device;
Receiving a credential request response including a network credential from the another digital device;
Providing the network device with the network credentials extracted from the credential request response;
A method for obtaining network credentials, comprising: The first credential request is formatted as a DNS protocol message;
The method according to claim 1. The first credential request is provided to the another digital device via an open port on the network device;
The method according to claim 1. The open port is port 53;
The method according to claim 3. The network identifier is an SSID;
The method according to claim 1. The additional network information is a BSSID;
The method according to claim 1. The additional network information is a title of a web page received by the digital device from the network device;
The method according to claim 1. The additional network information is a URL of a web page received by the digital device from the network device.
The method according to claim 1. The additional network information is a hash of any part associated with a web page that the digital device received from the network device.
The method according to claim 1. A request module configured to receive a network identifier from a network device;
Providing a first credential including the network identifier to another digital device on the network, receiving a request for additional network information from the other digital device, and including the additional network information in the other digital device; Providing a second credential request, receiving a credential request response including a network credential from the other digital device, and receiving the network credential retrieved from the credential request response to the network device A response module configured to provide;
A system for obtaining network credentials, comprising: The first credential request is formatted as a DNS protocol message;
The system according to claim 10. The response module provides the first credential request to the another digital device via an open port on the network device;
The system according to claim 10. The open port is port 53;
13. The system of claim 12, wherein: The network identifier is an SSID;
The system according to claim 10. The additional network information is a BSSID;
The system according to claim 10. The additional network information is a title of a web page received by the digital device from the network device;
The system according to claim 10. The additional network information is a URL of a web page received by the digital device from the network device.
The system according to claim 10. The additional network information is a hash of any part associated with a web page that the digital device received from the network device.
The system according to claim 10. A computer readable storage medium configured to store instructions comprising a method, the method comprising:
Receiving a network identifier from a network device using a digital device;
Providing a first credential request including the network identifier to another digital device on the network;
Receiving a request for additional network information from said another digital device;
Providing a second credential request including additional network information to the another digital device;
Receiving a credential request response including a network credential from the another digital device;
Providing the network device with the network credentials extracted from the credential request response;
A computer-readable storage medium comprising: The first credential request is formatted as a DNS protocol message;
The computer-readable storage medium according to claim 19.

Images