JP2022164459A - Communication device and computer program for communication device - Google Patents

Abstract

To disclose a technique for appropriately receiving a service provided according to a specific communication standard in a situation where various communication standards are mixed.SOLUTION: A communication device receives signals from one or more external devices present around the communication device while the state of the communication device is a first state. The first state is a state for permitting both use of first connection with a first external device supporting a first communication standard and use of second connection with a second external device supporting a second communication standard and not supporting the first communication standard. When receiving a signal indicating that a specific external device of the one or more external devices is the first external device, the communication device changes the state of the communication device from the first state to a second state different from the first state. The second state is a state for permitting the use of the first connection and not permitting the use of the second connection.SELECTED DRAWING: Figure 3

Description

The technology disclosed in this specification relates to a communication device connectable to an external device.

As shown in Non-Patent Document 1, the Wi-Fi Alliance (registered trademark) established WPA3, which is a new communication standard in the Wi-Fi system. WPA3 provides a next generation security protocol. Also, other security protocols may be provided in communication standards other than WPA3.

JP 2016-019085 A JP 2016-208448 A JP 2019-106610 A

"WPA3 Specification Version 3.0" Wi-Fi Alliance, 2020, https://www.wi-fi.org/ja/discover-wi-fi/security

Due to the formulation of new communication standards, it is assumed that various communication standards will coexist. This specification discloses a technique for appropriately receiving services provided by a specific communication standard in the mixed situation described above.

A communication device disclosed herein includes a communication interface, and one or more external devices existing around the communication device via the communication interface while the state of the communication device is in a first state. wherein the first state is a first connection via the communication interface with a first external device supporting a first communication standard and a second connection via said communication interface with a second external device that supports a second communication standard and does not support said first communication standard. and the second communication standard is a communication standard different from the first communication standard, and the first receiving unit and a specific external device among the one or more external devices are in the first a first change of changing the state of the communication device from the first state to a second state different from the first state when the signal indicating that the communication device is an external device of and the first change unit, wherein the second state is a state in which use of the first connection is permitted and use of the second connection is not permitted.

Among the one or more external devices, there is a first external device that supports the first communication standard, and from the first external device, the first external device supports the first communication standard. It is presumed that the user of the communication device desires to receive the service provided by the first communication standard. According to the above configuration, when it is estimated that the user of the communication device desires to receive the service provided by the first communication standard, the state of the communication device changes from the first state to the second state. Be changed. In the second state, use of the first connection conforming to the first communication standard is permitted, but use of the second connection conforming to the second communication standard is not permitted. In a situation where the first communication standard and the second communication standard coexist, it is possible to appropriately receive services provided by the first communication standard.

Another communication device disclosed in this specification includes a communication interface, and a first receiver that receives signals from each of one or more external devices existing around the communication device via the communication interface. , if the signal indicating that a specific external device among the one or more external devices is a first external device supporting a first communication standard is not received, the communication device is set to the first and operates the communication device in a second state when the signal indicating that the specific external device is the first external device is received, The first state includes use of a first connection via the communication interface with the first external device and the communication interface with a second external device that does not support the first communication standard. The second state is a state in which use of the first connection is permitted and use of the second connection is not permitted. wherein the first connection is a connection according to the first communication standard, and the second connection is a connection according to a second communication standard different from the first communication standard; and an operation control unit.

Among the one or more external devices, there is a first external device that supports the first communication standard, and from the first external device, the first external device supports the first communication standard. It is presumed that the user of the communication device desires to receive the service provided by the first communication standard. According to the above configuration, the communication device operates in the second state when it is estimated that the user of the communication device desires to receive services provided by the first communication standard. In the second state, use of the first connection conforming to the first communication standard is permitted, but use of the second connection conforming to the second communication standard is not permitted. In a situation where the first communication standard and the second communication standard coexist, it is possible to appropriately receive services provided by the first communication standard.

Also, not receiving signals from a first external device that supports the first communication standard may prevent the user of the communication device from using services provided by the second communication standard rather than the first communication standard. presumed to wish to receive. According to the above configuration, the communication device operates in the first state when it is estimated that the user of the communication device desires to receive services provided by the second communication standard. In the first state, not only is the use of the first connection according to the first communication standard permitted, but also the use of the second connection according to the second communication standard is permitted. In a situation where the first communication standard and the second communication standard coexist, it is possible to appropriately receive services provided by the second communication standard.

Also, the method for controlling the communication device, the computer program for the communication device, and the storage medium storing the computer program are novel and useful.

1 shows the configuration of a communication system; Give an example problem. FIG. 3 shows a sequence diagram of cases C1 and C2 that address the example problem of FIG. 2; FIG. 10 shows a sequence diagram of case C3 in which multiple APs are present in the surroundings; FIG. FIG. 10 shows a sequence diagram of case C4 following case C2. FIG. 10 shows a sequence diagram of case C5 in which a terminal device is used; 4 shows a table representing the relationship between APs and MFPs in the first embodiment. The sequence diagram of the specific case in 2nd Example is shown. The sequence diagram of the specific case in 3rd Example is shown. FIG. 11 shows a table representing the relationship between APs and MFPs in the third embodiment; FIG. FIG. 11 shows the configuration of a communication system of a fourth embodiment; FIG. The sequence diagram of the specific case in 4th Example is shown. FIG. 11 shows the configuration of a communication system of a fifth embodiment; FIG. The sequence diagram of the specific case in 5th Example is shown. FIG. 11 shows a table representing the relationship between APs and servers in the fifth embodiment. FIG.

(First embodiment)
(Configuration of communication system 2; Fig. 1)
As shown in FIG. 1 , the communication system 2 includes an MFP (abbreviation for Multifunction Peripheral) 10 , a terminal device 100 , and APs (abbreviation for Access Point) 200 , 300 , and 400 . Each of the APs 200, 300, and 400 can form a wireless LAN (abbreviation for Local Area Network). The MFP 10 is connected to a wireless LAN formed by an AP (eg 200) and can communicate with other devices (eg terminal device 100) connected to the wireless LAN. The terminal device 100 is a mobile terminal, a desktop PC, a notebook PC, or the like.

(Configuration of MFP 10; Fig. 1)
The MFP 10 is a peripheral device (for example, a peripheral device of the terminal device 100) capable of executing a print function, a scan function, and the like. The MFP 10 includes an operation section 12 , a display section 14 , a Wi-Fi interface 16 , a print execution section 20 , a scan execution section 22 and a control section 30 . Each unit 12 to 30 is connected to a bus line (reference numerals omitted). Below, the interface is simply described as "I/F".

The operation unit 12 has a plurality of keys. A user can input various instructions to the MFP 10 by operating the operation unit 12 . The display unit 14 is a display for displaying various information. Note that the display unit 14 may function as a touch panel (that is, the operation unit 12).

The Wi-Fi I/F 16 is a wireless I/F for performing wireless communication conforming to the Wi-Fi (registered trademark) standard. The Wi-Fi standard is, for example, the IEEE (abbreviation of The Institute of Electrical and Electronics Engineers, Inc.) 802.11 standard and its equivalent standards (eg 802.11a, 11b, 11g, 11n, etc.). It is a standard for performing wireless communication.

Also, the Wi-Fi I/F 16 supports Personal and Enterprise of WPA3. Personal is a method for authenticating a slave station in a small-scale wireless LAN such as a home. Enterprise is a method for authenticating a slave station in a large-scale wireless LAN of a company or the like. In Enterprise, an authentication server (see the third embodiment) that performs authentication according to IEEE 802.1X authenticates a slave station in the Wi-Fi standard. On the other hand, in Personal, the authentication server is not used, and for example, the AP uses PSK (abbreviation of Pre-Shared Key) to authenticate the slave station.

WPA3 is a communication standard established by the Wi-Fi Alliance (registered trademark) after WPA2. WPA3 provides a next generation security protocol. For example, in WPA3, SAE (abbreviation for Simultaneous Authentication of Equals) is newly provided as a method for authenticating a child station.

In WPA3, wireless connections are protected by PMF (abbreviation for Protected Management Frames). On the other hand, in WPA2, wireless connections may or may not be protected by PMF.

The print execution unit 20 includes a printing mechanism such as an inkjet method or a laser method. The scan executing unit 22 includes a scanning mechanism such as a CCD (Charge Coupled Device) image sensor, a CIS (Contact Image Sensor), or the like.

The control unit 30 has a CPU 32 and a memory 34 . The CPU 32 executes various processes according to programs 40 stored in the memory 34 . The memory 34 is composed of a volatile memory, a nonvolatile memory, or the like.

The memory 34 also stores WPA3 setting information 42 . The WPA3 setting information 42 indicates one of a plurality of settings including the setting "WPA3 Transition Mode" and the setting "WPA3 Only Mode". The setting “WPA3 Transition Mode” is a setting that permits both establishment of wireless connection according to WPA3 and establishment of wireless connection according to WPA2. For example, in the setting “WPA3 Transition Mode”, both authentication of a child station using PSK and authentication of a child station using SAE are permitted. Here, PSK is a method that can be used in standards before WPA2. The setting “WPA3 Only Mode” is a setting that permits the establishment of a wireless connection according to WPA3 and does not permit the establishment of a wireless connection according to WPA2. For example, in the setting “WPA3 Only Mode”, authentication of a child station using PSK is not permitted, but authentication of a child station using SAE is permitted.

At the shipping stage of the MFP 10, the WPA3 setting information 42 indicates the setting "WPA3 Transition Mode". The WPA3 setting information 42 after the MFP 10 is powered on for the first time indicates the setting "WPA3 Transition Mode" by default. Note that, in a modified example, the default of the WPA3 setting information 42 may be other setting (for example, setting using only WPA2) different from both the setting "WPA3 Transition Mode" and the setting "WPA3 Only Mode".

(Configuration of AP 200, 300, 400; Fig. 1)
AP 200 does not support WPA3. AP 200 supports WPA2. In the following description, the fact that WPA3 is not supported may be described as "WPA3 non-compliant". The AP 200 stores an SSID (abbreviation of Service Set Identifier) 'ap01' for identifying the wireless network formed by the AP 200 and a password 'xxxx' used in the wireless network.

AP 300 supports WPA3. In the following, supporting WPA3 may be referred to as "WPA3 compatible". The AP300 stores the SSID "ap02" and the password "yyyy" used in the wireless network formed by the AP300.

The AP 400 is a WPA3 non-compliant AP. The AP 400 is an AP capable of forming an open network that does not require authentication of child stations. AP 400, for example, supports Wi-Fi CERTIFIED Enhanced Open.

(problem example)
Before describing this embodiment, an example problem will be described with reference to FIG. In this problem example, Personal is used. The WPA3 setting information of the MFP850 in this problem example indicates the setting "WPA3 Transition Mode", and the WPA3 setting information of the MFP850 is not changed. In this example problem, a malicious third party prepares AP900 and attempts to connect MFP850 to the wireless network formed by AP900. The SSID of AP900 is set to "ap02", which is the same as the SSID of AP300. The AP 900 is a WPA3 compatible AP.

Upon receiving the connection instruction at Y10, the MFP 850 broadcasts a probe request to the outside at T12. In this problem example, AP300 and AP900 exist around MFP850. A third party installs the AP 900 around the MFP 850 and blocks the communication of the AP 300 . Therefore, the MFP 850 does not receive the Probe response from the AP 300 but receives the Probe response from the AP 900 at Y14.

At Y20, the MFP 850 displays a selection screen including the AP 900 SSID "ap02". At Y22, the MFP 850 receives the selection of the SSID "ap02" in the selection screen. Y30 to Y34 indicate Authentication communication for the AP 900 to authenticate the MFP 850 in this problem example. AP 900 supports WPA3. In this problem example, SAE Authentication is performed.

At Y30, the MFP 850 executes Commit communication with the AP 900. FIG. A signal requesting execution of SAE is transmitted from the MFP 850 to the AP 900 in the Commit communication. If the AP 900 accepts the request by the signal, SAE Authentication will succeed. However, in this example problem, the AP 900 is designed to ignore requests by such signals by third parties. Therefore, at Y34, the MFP 850 receives from the AP 900 a Confirm Failed signal indicating that SAE Authentication has failed.

In this problem example, the WPA3 setting information of the MFP 850 indicates the setting “WPA3 Transition Mode”. Therefore, at Y36, the MFP 850 executes PSK authentication instead of SAE authentication. At Y36, the encryption key generated by PSK is provided to both AP900 and MFP850.

At Y40, the MFP 850 executes 4-way handshake communication with the AP 900 using the encryption key provided at Y36. As a result, Y50 establishes a wireless connection between the MFP 850 and the AP 900 for performing wireless communication according to the Wi-Fi standard.

Although the AP 900 supports WPA3, it operates as an AP that does not support WPA3. Therefore, the AP 900 does not use the security protocol provided by WPA3. A third party attempts to intercept communication using the AP 900 with weak security, for example.

(Cases C1 and C2; FIG. 3)
Specific cases C1 and C2 realized by the communication system 2 of this embodiment will be described with reference to FIG. Case C1 represents the case in which the exemplary problem of FIG. 2 is addressed in this embodiment. Case C2 is a case of establishing wireless connection between MFP 10 and AP 300 .

Personal of WPA3 is used in cases C1 and C2, cases C2 to C5 in FIGS. 3 to 6, and a second embodiment in FIG. 8, which will be described later. At the initial stage of this case, the WPA3 setting information 42 of the MFP 10 indicates the setting "WPA3 Transition Mode" by default. In addition, in the first embodiment and second to fourth embodiments to be described later, all the following communications performed by the MFP 10 are performed via the Wi-Fi I/F 16 . In the following description of processing related to communication, the description “via the Wi-Fi I/F 16” may be omitted. Further, in the following description, for ease of understanding, operations executed by the CPU (eg, CPU 32, etc.) of each device may be described mainly with respect to each device (eg, MFP 10) instead of mainly describing the CPU. be.

(Case C1; Fig. 3)
When the MFP 10 receives an instruction to establish a wireless connection from the operation unit 12 at T10, the MFP 10 broadcasts to the outside a probe request for searching for APs existing around the MFP 10 at T12. In this case, the MFP 10 is surrounded by a WPA3 compatible AP 900 prepared by a third party and an AP 300 prepared by the administrator of the MFP 10, but no other APs. Here, AP 300 is blocked from communication by a third party. Therefore, at T14, the MFP 10 receives the Probe response from AP900 and does not receive the Probe response from AP300. The Probe response from AP 900 includes the SSID of AP 900 “ap02” and WPA3 support information indicating that AP 900 supports WPA3. The WPA3 compatibility information includes, for example, information indicating use of SAE.

At T16, the MFP 10 determines whether or not there is a WPA3 compatible AP among one or more APs existing around the MFP 10 (hereinafter referred to as "one or more surrounding APs"). Specifically, the MFP 10 determines whether or not there is a Probe response including WPA3 compatibility information (hereinafter, “compatible Probe response”) among one or more Probe responses received from one or more surrounding APs. to judge. Then, the MFP 10 determines that there is a WPA3 compatible AP among the one or more surrounding APs when the corresponding Probe response exists in the one or more Probe responses. On the other hand, the MFP 10 determines that there is no WPA3 compatible AP among the one or more surrounding APs when the corresponding Probe response does not exist among the one or more Probe responses.

In this case, there are two WPA3 compatible APs 300 and 900 around the MFP 10, and there is no WPA3 non-compatible AP. Then, the MFP 10 receives the Probe response from the WPA3 compatible AP 900 . In this case, the MFP 10 determines at T16 that there is a WPA3 compatible AP among the one or more surrounding APs, and proceeds to the process at T18. If only APs that do not support WPA3 exist around the MFP 10, the process of T18 is not executed, and the WPA3 setting information 42 is maintained at the setting "WPA3 Transition Mode".

At T18, the MFP 10 changes the WPA3 setting information 42 from the setting "WPA3 Transition Mode" to the setting "WPA3 Only Mode".

At T20, the MFP 10 displays a selection screen for selecting one AP from among one or more surrounding APs. The selection screen includes, for each of one or more surrounding APs, an SSID in the Probe response received from the AP, a button for selecting the SSID, and a message indicating whether the AP supports WPA3. ,including. In this case, the selection screen only includes the AP 900 SSID “ap02”. In addition to the list of SSIDs, the selection screen also includes an entry field for the password of the AP.

At T22, the user operates the operation unit 12 of the MFP 10 to select the SSID "ap01" and enter the password "yyyy" on the selection screen.

Subsequent T30 and T34 are the same as Y30 and Y34 in FIG. 2 except that the MFP 10 is used. In this case, at the timing when T30 is executed, the WPA3 setting information 42 is changed to the setting "WPA3 Only Mode" (T18). Therefore, the MFP 10 does not perform PSK authentication instead of SAE authentication. At T36, the MFP 10 causes the display unit 14 to display a connection error indicating that establishment of wireless connection has failed.

According to this case, since the WPA3 setting information 42 indicates the setting "WPA3 Only Mode" at the timing of executing Authentication, it is possible to suppress the occurrence of the example problem of FIG.

(Case C2; Fig. 3)
In this case, the MFP 10 executes the same processes as T10 to T22 with the AP300. T130 is similar to T30, except that AP300 is utilized. In this case, the AP 300 accepts the SAE execution request in the Commit communication. Therefore, at T134, the MFP 10 receives from the AP 300 a Confirm Success signal indicating that the SAE Authentication has succeeded.

In the Authentication at T130 and T134, authentication according to SAE is executed, the authentication is successful, and an encryption key generated using the password "yyyy" entered at T22 is provided to both the AP 300 and the MFP 10. . Note that after the successful communication of Authentication, communication of Association (not shown) is executed.

At T140, the MFP 10 performs 4-way handshake communication with the AP 300 using the encryption key provided at T130. As a result, in T150, a wireless connection is established between the MFP 10 and the AP 300 for performing wireless communication according to the Wi-Fi standard. Also, in this case, the WPA3 setting information 42 of the MFP 10 indicates the setting "WPA3 Only Mode" and the AP 300 supports WPA3. Therefore, in the 4-way handshake of this case, communication is executed for receiving management by the PMF. The radio connection of T150 is then managed by the PMF.

For example, in a situation where both the MFP 10 and the terminal device 100 are connected to a wireless LAN formed by the AP 300, the terminal device 100 sends print data indicating an image to be printed to the MFP 10 via the AP 300 at T160. Send.

Upon receiving the print data from the terminal device 100 at T160, the MFP 10 causes the print execution unit 20 to print the image indicated by the received print data at T162.

For example, a situation is assumed in which a malicious third party tries to connect the MFP 10 to the wireless network formed by the AP 800 prepared by the third party instead of the AP 300 . The SSID of AP800 is set to "ap02", which is the same as the SSID of AP300. The AP 800 is a WPA3-incompatible AP and does not support the security protocol provided by WPA3. Therefore, the AP800 has weaker security than the AP300. For example, a third party attempts to intercept communication using the AP 800 with weak security.

In the above situation, a third party first interferes with communication between AP 300 and MFP 10 and disconnects the wireless connection between AP 300 and MFP 10 . The MFP 10 detects disconnection of the wireless connection at T170. In order to try to re-establish the wireless connection, the MFP 10 broadcasts a Probe request to the outside at T172. At T174, the MFP 10 receives a Probe response to the Probe request from AP800 because communication with AP300 is interrupted. The Probe response includes the SSID “ap02” and WPA3 non-support information indicating that the AP 800 supports the WPA2 or earlier standard.

In this case, at T18, the WPA3 setting information 42 is changed to the setting "WPA3 Only Mode". As described above, the setting "WPA3 Only Mode" does not permit authentication of a child station using PSK, but permits authentication of a child station using SAE. In this case, the AP 800 does not support WPA3, so the AP 800 attempts authentication of the child station using PSK. However, since the MFP 10 does not permit authentication of the child station using PSK, the authentication fails. As a result, establishment of wireless connection between the AP 800 and the MFP 10 fails.

For example, a comparative example is assumed in which the process of T18 is not executed and the WPA3 setting information 42 is maintained at the setting "WPA3 Transition Mode". As described above, in the setting “WPA3 Transition Mode”, both the authentication of the child station using PSK and the authentication of the child station using SAE are permitted. Therefore, in this comparative example, the authentication of the slave station using PSK attempted by the AP 800 is successful, and wireless connection can be established between the AP 800 and the MFP 10 . On the other hand, according to this case, wireless connection is not established between the AP 800 and the MFP 10, and interception of communication using the AP 800 of a third party can be suppressed.

In addition, the fact that there is an AP 300 supporting WPA3 SAE among one or more surrounding APs and that a Probe response including WPA3 support information is received from the AP 300 is provided by the SAE to the user. It is presumed that they want to receive services (ie, communications with relatively high cryptographic strength). According to the configuration of this embodiment, when it is estimated that the user wishes to receive the service provided by SAE, the WPA3 setting information 42 is changed from the setting "WPA3 Transition Mode" to the setting "WPA3 Only Mode." (T18 in FIG. 3). In a situation where WPA3 SAE and pre-WPA2 PSK coexist, the service provided by WPA3 SAE can be properly received.

(Case C3; Fig. 4)
Another specific case C3 will be described with reference to FIG. In this case, a wireless connection is established between the MFP 10 and the AP in a situation where a WPA3-incompatible AP and a WPA3-compatible AP exist around the MFP 10 . The initial stage of this case is similar to case C1 in FIG.

T210, T212A, T212B and T212C are the same as T10 and T12 in FIG. In this case, there are three APs 200, 300, and 400 around the MFP 10. AP 200 is a WPA3-incompatible AP, AP 300 is a WPA3-compatible AP, and AP 400 forms an open network. It is an AP that Therefore, at T214A, T214B, and T214C, the MFP 10 receives Probe responses from the three APs 200, 300, and 400 respectively. The Probe response of AP 200 includes SSID “ap01” and WPA3 non-support information. The Probe response from AP 400 includes SSID “ap03” and OPEN information indicating that AP 400 is an AP forming an open network.

T216 is the same as T16 in FIG. In this case, the MFP 10 determines in T216 that there is a WPA3 compatible AP among the one or more surrounding APs, and proceeds to the process of T218. T218 is the same as T18 in FIG.

At T220, the MFP 10 causes the display unit 14 to display a first selection screen including the SSID "ap02" of the WPA3-compatible AP 300 and excluding the SSIDs "ap01" and "ap03" of the WPA3-incompatible APs 200 and 400. With such a configuration, it is possible to prompt the user to connect to a WPA-compatible AP.

Also, the first selection screen of T220 further includes an "other AP" button. The "other AP" button is a button for further displaying a second selection screen in which APs other than WPA3 compatible APs can also be selected. In this case, the second selection screen includes not only the SSID "ap02" of the WPA3-compatible AP 300, but also the SSIDs "ap01" and "ap03" of the WPA3-incompatible APs 200 and 400. FIG. The second selection screen also includes an entry field for the password of the AP. According to such a configuration, in a situation where a WPA3-compliant AP and a WPA3-incompatible AP exist, it is possible to allow the user to select connection with the WPA3-incompatible AP. In a modified example, the second selection screen may not include the SSID "ap02" of the WPA3-compatible AP 300, but may also include the SSIDs "ap01" and "ap03" of the WPA3-incompatible APs 200 and 400.

At T222, the user operates the operation unit 12 of the MFP 10 to select the SSID "ap01" and enter the password "xxxx" on the second selection screen.

At T224, the MFP 10 changes the WPA3 setting information 42 from the setting "WPA3 Only Mode" to the setting "WPA3 Transition Mode". The fact that the SSID “ap01” of the WPA3-incompatible AP 200 is selected on the second selection screen is presumed to indicate that the user wishes to connect to the WPA3-incompatible AP 200 . According to the configuration of the T224, it is possible to permit connection with the AP 200 that does not support WPA3 according to the user's desire.

At T230, the MFP 10 performs PSK Authentication communication with the AP 200 selected at T222. T240 is the same as T140 in FIG. 3 except that AP200 is used, the encryption key provided by PSK of T230 is used, and communication for receiving management by PMF is not executed. . T250 is similar to T150 of FIG. 3 except that it is not managed by the PMF.

In this case, even if a WPA3-incompatible AP (for example, 200) exists among one or more surrounding APs, the MFP 10 changes the WPA3 setting information 42 to the setting "WPA3 Only Mode" (T218). ). Even in a situation where one or more surrounding APs include APs that do not support WPA3, the occurrence of the problem in FIG. 2 can be suppressed.

(Case C4; Fig. 5)
Case C3 following T150 of case C2 in FIG. 3 will be described with reference to FIG. In this case, the WPA3-incompatible AP 200 is installed around the MFP 10 after the wireless connection with the AP 300 is established at T150. In this case, for example, the AP 300 is powered off. At the initial stage of this case, the WPA3 setting information 42 of the MFP 10 indicates the setting "WPA3 Only Mode".

T260 and T262 are the same as T10 and T12 in FIG. T264 is similar to T214B in FIG.

T266 is the same as T16 in FIG. In this case, there is no corresponding Probe response among the one or more Probe responses received from one or more surrounding APs due to AP 300 being powered off. In this case, the MFP 10 determines that there is no WPA3 compatible AP among the one or more surrounding APs, and proceeds to the process of T268.

In T268, the MFP 10 changes the WPA3 setting information 42 from the setting "WPA3 Only Mode" to the setting "WPA3 Transition Mode". T270 is similar to T20 in FIG. 3, except that the selection screen includes the AP 200 SSID "ap01". T272 is the same as T22 in FIG. 3 except that the SSID "ap01" is selected and the AP200 password "xxxx" is entered. T280 to T300 are the same as T230 to T250 in FIG.

Not receiving a Probe response from an AP 300 that supports WPA3 SAE is presumed that the user wants to receive services provided by PSK and not by SAE. According to this case, the WPA3 setting information 42 is changed from the setting "WPA3 Only Mode" to the setting "WPA3 Transition Mode" when it is presumed that the user wants to receive the service provided by PSK. (T268). In a situation where WPA3 SAE and PSK before WPA2 coexist, the service provided by PSK can be properly received.

(Case C5; Fig. 6)
A case C5 in which the terminal device 100 is used in connection with an AP will be described with reference to FIG. In this case, the MFP 10 and the terminal device 100 are connected by wired or wireless LAN, USB, wireless connection according to Bluetooth (registered trademark), or the like (not shown). The terminal device 100 also stores connection information for connecting to a wireless LAN formed by the AP200 or AP300. The connection information includes SSID and password. Also, in the initial stage of this case, the WPA3 setting information 42 of the MFP 10 indicates the setting "WPA3 Transition Mode".

In T305, the user operates the terminal device 100 to input an instruction to connect the MFP 10 to the AP (for example, AP 200) corresponding to the connection information stored in the terminal device 100. FIG.

Upon receiving the user's instruction in T305, the terminal apparatus 100 transmits to the MFP 10 an establishment request requesting the MFP 10 to connect to the AP in T310. The establishment request includes the SSID stored in terminal device 100 .

When the MFP 10 receives the establishment request from the terminal device 100 in T310, in T312 the probe request including the SSID included in the establishment request is sent to the AP indicated by the SSID (hereinafter referred to as "target AP"). Send to Cast.

At T314, the MFP 10 receives a probe response from the target AP as a response to the probe request at T312. When the target AP is AP200, the Probe response includes SSID "ap01" and WPA3 non-support information. When the target AP is AP300, the Probe response includes SSID "ap02" and WPA3 compatibility information.

In subsequent T316, the MFP 10 determines whether the target AP is a WPA3 compatible AP. Specifically, when the probe response received from the target AP includes WPA3 compatibility information, the MFP 10 determines that the target AP is a WPA3 compatible AP. When the MFP 10 determines that the target AP is a WPA3 compatible AP (YES in T316), the MFP 10 proceeds to T318. T318 is the same as T18 in FIG. After completing T318, the MFP 10 proceeds to T320. On the other hand, when the MFP 10 determines that the target AP is a WPA3-incompatible AP (NO in T316), the MFP 10 skips the process of T318 and proceeds to T320.

At T320, the MFP 10 executes processing for establishing wireless connection with the target AP. If the target AP is a WPA3 compatible AP, the same processing as T130 to T150 in FIG. 3 is executed. If the target AP is a WPA3-incompatible AP, the same processing as T230-T250 in FIG. 4 is executed.

For example, in this case as well, it is assumed that a third party prepares the AP 900 in place of the AP 300 . According to the configuration of this case, even when an establishment request is received from the terminal device 100, the WPA3 setting information 42 is changed to the setting "WPA3 Only Mode" (T318). In this case as well, the occurrence of the problem in FIG. 2 can be suppressed.

Further, according to the configuration of this case, when the target AP is a WPA3-incompatible AP, the WPA3 setting information 42 is maintained at the setting "WPA3 Transition Mode". A connection with the AP 200 can be established according to the desire of the user who desires connection with an AP that does not support WPA3.

(Table showing the relationship between AP and MFP; FIG. 7)
As shown in FIG. 7, according to the formulation of WPA3, APs include non-WPA3-compatible APs that support WPA or WPA2, WPA3-compatible APs that support WPA3 Transition Mode, and WPA3-compatible APs that support WPA3 Only Mode. and can exist.

On the other hand, MFPs may include a WPA3-incompatible MFP, a WPA3-compatible MFP that operates in the WPA3 Transition Mode, and a WPA3-compatible MFP that operates in the WPA3 Only Mode.

In this embodiment, the WPA3 setting information 42 of the MFP 10 is changed to the setting "WPA3 Only Mode" (T18 in FIG. 3). Therefore, the MFP 10 can establish a wireless connection with either a WPA3 AP supporting the WPA3 Transition Mode or a WPA3 AP supporting the WPA3 Only Mode. Both use WPA3. On the other hand, the MFP 10 cannot establish a wireless connection with an AP that does not support WPA3.

(correspondence relationship)
The MFP 10, the Wi-Fi I/F 16, the display section 14, and the print execution section 20 are examples of the "communication device,""communicationinterface,""displaysection," and "image processing execution section," respectively. The terminal device 100 is an example of a "terminal device." AP300 and AP200 are examples of the "first external device" and the "second external device". WPA3 Transition and WPA3 Only Mode are examples of the “first state” and the “second state”, respectively. SAE and PSK are examples of the "first communication standard" and the "second communication standard", respectively. A Probe response containing WPA3 compatibility information is an example of a "signal." The instruction at T10 in FIG. 3 is an example of the "specific instruction". The print data of T160 in FIG. 3 is an example of the "specific request". Selection of T222 in FIG. 4 is an example of "instruction to establish second connection". The list of SSIDs in T220 in FIG. 4 is an example of a "list." Selecting the 'other AP' button in the first selection screen at T220 in FIG. 4 is an example of the 'predetermined instruction'. The establishment request of T310 in FIG. 6 is an example of the "establishment request". The WPA3 support information and WPA3 non-support information in T314 are examples of "specific standard information".

T14 and T18 in FIG. 3 are an example of processing implemented by the "first receiving unit" and the "first changing unit (and operation control unit)".

(Second embodiment)
This embodiment is the same as the first embodiment, except that the processing executed upon receipt of the Probe response is different.

(Specific case; Figure 8)
In this case, similarly to case C3 in FIG. 4, a wireless connection is established between the MFP 10 and the AP in a situation where a WPA3-incompatible AP and a WPA3-compatible AP exist around the MFP 10. is. The initial stage of this case is similar to case C3 in FIG.

T410-T414C are the same as T210-T214C in FIG. In T416, the MFP 10 determines whether or not there is a WPA3-incompatible AP among the one or more surrounding APs. In this case, WPA3-incompatible APs 200 and 400 exist around the MFP 10 . In this case, the MFP 10 determines that one or more surrounding APs include an AP that does not support WPA3. In this case, the MFP 10 maintains the WPA3 setting information 42 to the setting "WPA3 Transition Mode". On the other hand, if only WPA3-compliant APs 300 exist around the MFP 10, for example, as in case C1 in FIG. determine that it does not exist. In this case, the MFP 10 changes the WPA3 setting information 42 from the setting "WPA3 Transition Mode" to the setting "WPA3 Only Mode" (see T18 in FIG. 3), as in case C1 in FIG.

T420 is the same as T220 in FIG. In this case, the user wishes to connect with the AP 300 that supports WPA3. At T422, the user operates the operation unit 12 of the MFP 10 to select the SSID "ap02" and enter the password "yyyy" on the first selection screen. In T424, the MFP 10 changes the WPA3 setting information 42 from the setting "WPA3 Transition Mode" to the setting "WPA3 Only Mode". T430-T450 are the same as T140-T150 in FIG. It should be noted that if the "other AP" button is selected on the first selection screen and the SSID of a WPA3-incompatible AP is selected on the second selection screen, the WPA3 setting information 42 is set to "WPA3 Transition Mode”.

In the first embodiment, in a situation where the user wishes to connect to an AP that does not support WPA3, the WPA3 setting information 42 is changed to the setting "WPA3 Only Mode" (T218 in FIG. 4), and then the WPA3 setting information 42 is returned to the setting "WPA3 Transition Mode". Instead, in this embodiment, the WPA3 setting information 42 is maintained at the setting "WPA3 Transition Mode" in a situation where the user desires connection with an AP that does not support WPA3. Unnecessary changes to the WPA3 setting information 42 can be suppressed in a situation where the user wishes to connect to an AP that does not support WPA3.

In this embodiment, when the SSID "ap01" of the WPA3 compatible AP 300 is selected on the first selection screen (T422), the WPA3 setting information 42 is changed to the setting "WPA3 Only Mode" (T424). In the present embodiment, similarly to the first embodiment, it is possible to suppress the occurrence of the problem of FIG. 2 and to execute processing for establishing connection with the AP 300 that supports WPA3. Selection of T422 in FIG. 8 is an example of "instruction to establish first connection".

(Third embodiment)
(Configuration of communication system 2; Fig. 1)
The communication system 2 of this embodiment is the same as that of the first embodiment except for the following points. The APs 200 and 300 of this embodiment are WPA3-incompatible APs and support WPA2. The AP 200 operates with PMF Capable. AP 300 operates with PMF Required. Hereinafter, operating with PMF Required may be described as "PR operation", and not operating with PMF Required may be described as "PR non-operation". Note that, in a modified example, the AP 300 may be a WPA3 compatible AP.

The memory 34 of the MFP 10 stores PMF setting information 44 instead of the WPA3 setting information 42 . The PMF setting information 44 indicates any one of a plurality of settings including the setting "PMF Capable" and the setting "PMF Required". The setting “PMF Capable” is a setting that permits both establishment of wireless connection without using PMF and establishment of wireless connection using PMF. The setting “PMF Required” is a setting that permits the establishment of wireless connection using PMF and does not permit the establishment of wireless connection that does not use PMF.

(Specific case of this embodiment; FIG. 9)
A specific case of this embodiment will be described with reference to FIG. The AP 900 in this case is operating with WPA2 and PMF Required. At the initial stage of this case, the PMF setting information 44 of the MFP 10 indicates the setting "PMF Capable" by default.

T610 and T612 are the same as T10 and T12 in FIG. T614 is similar to T14 in FIG. 3, except that the Probe response contains PMF information. The PMF information is information indicating that the AP 900 that is the transmission source of the Probe response is operating with PMF Required. If the AP that sent the Probe response does not support PMF Required, the Probe response does not include PMF information.

In T616, the MFP 10 determines whether or not there is an AP in PR operation among one or more surrounding APs. Specifically, the MFP 10 determines whether or not one or more Probe responses received from one or more peripheral APs include a Probe response including PMF information. Then, when one or more probe responses contain a probe response including PMF information, the MFP 10 determines that one or more surrounding APs include an AP performing PR operation. On the other hand, the MFP 10 determines that there is no PR operation AP among the one or more surrounding APs when there is no Probe response including PMF information among the one or more Probe responses.

In this case, there are two PR-operating APs 300 and 900 around the MFP 10, and there is no PR-non-operating AP. Then, the MFP 10 receives a Probe response from the AP 900 in PR operation. In this case, the MFP 10 determines in T616 that one or more surrounding APs include an AP performing PR operation, and proceeds to processing in T618. If only APs that do not operate PR exist around the MFP 10, the process of T618 is not executed, and the PMF setting information 44 is maintained at the setting "PMF Capable".

In T618, the MFP 10 changes the PMF setting information 44 from the setting "PMF Capable" to the setting "PMF Required".

T622-634 are the same as T22-T34 in FIG. At T636, PSK authentication is performed. In this case as well, a malicious third party prepares the AP 900 for the purpose of intercepting communications. The AP 900 operates with PMF Required, but is set not to use PMF.

At T640, the MFP 10 executes 4-way handshake communication with the AP 900 using the encryption key provided at T636. The AP 900 notifies the MFP 10 that the PMF is not used in the 4-way handshake communication. However, since the MFP 10 does not permit establishment of a wireless connection that does not use the PMF, the 4-way handshake communication fails. T642 is similar to T36 in FIG. In this case as well, the occurrence of the problem in FIG. 2 can be suppressed.

(Table representing the relationship between AP and MFP; FIG. 10)
As shown in FIG. 10 , according to the formulation of PMF, as APs, a PR non-operating AP operating with PMF Disable, a PR non-operating AP operating with PMF Capable, a PR operating AP operating with PMF Required, can exist. Here, PMF Disable is a setting that permits the establishment of wireless connection that does not use PMF, and does not permit the establishment of wireless connection that uses PMF.

On the other hand, MFPs may include an MFP that operates with PMF Disable, a WPA3-compatible MFP that operates with PMF Capable, and a WPA3-compatible MFP that operates with PMF Required.

In this embodiment, the PMF setting information 44 of the MFP 10 is changed to the setting "PMF Required" (T618 in FIG. 9). Therefore, the MFP 10 can establish a wireless connection with either a PR non-operating AP operating in PMF Capable or a PR operating AP operating in PMF Required. Both use PMF. On the other hand, the MFP 10 cannot establish a wireless connection (that is, a wireless connection in which PMF is not used) with a PR non-operating AP that operates with PMF Disable.

(correspondence relationship)
PMF Capable and PMF Required are examples of "first state" and "second state", respectively.

(Fourth embodiment)
(Communication system 2; Fig. 11)
In this embodiment, the MFP 10 uses Enterprise. As described above, Enterprise is a communication standard used by companies and the like. Enterprise is offered in WPA2 as well as WPA3.

The communication system 2 of the present embodiment is the same as the communication system 2 of the first embodiment except that authentication servers 210 and 310 are provided and the contents of the WPA3 setting information 42 are different.

Authentication servers 210 and 310 are authentication servers used in Enterprise. The authentication server 210 is used in processing for establishing wireless connection with the AP 200, and is connected to the AP 200 via a wired LAN. The authentication server 310 is used in processing for establishing wireless connection with the AP 300 and is connected to the AP 300 via LAN (wired or wireless).

Also, the WPA3 setting information 42 of this embodiment indicates one of a plurality of settings including the setting "SHA256 optional" and the setting "SHA256 required". The setting "SHA256 optional" specifies a hash function (for example, SHA1) that can be used in both WPA2 and WPA, and a hash function that can be used in WPA3 but cannot be used in WPA2 and WPA, in communication with an authentication server in Enterprise. This is a setting that permits the use of both the function "SHA256". That is, when the WPA3 setting information 42 indicates the setting "SHA256 arbitrary", both establishment of wireless connection according to WPA2 or WPA and establishment of wireless connection according to WPA3 are permitted. Note that the hash function that can be used in WPA3 is not limited to SHA256, and may be SHA384 or SHA3, for example.

On the other hand, the setting "SHA256 required" permits the use of the hash function "SHA256" in communication with the authentication server in Enterprise, but does not permit the use of hash functions available in both WPA2 and WPA. That is, when the WPA3 setting information 42 indicates the setting "SHA256 required", establishment of wireless connection according to WPA3 is permitted, and establishment of wireless connection according to WPA2 or WPA is not permitted. Note that the setting “SHA256 required” may permit the use of SHA384 and SHA3.

SHA256 is a hash function that outputs a return value with a length of 256 bits. The length of the SHA256 return value is longer than the length of the SHA1 return value. The encryption strength of SHA256 is higher than that of SHA1.

(Specific case of this embodiment; FIG. 12)
A specific case of this embodiment will be described with reference to FIG. The AP 900 in this case is the same as in the first embodiment except that it is connected to an authentication server 910 prepared by a third party. At the initial stage of this case, the WPA3 setting information 42 of the MFP 10 indicates the setting "SHA256 optional" by default.

T710 to T714 are the same as T10 to T14 in FIG. The WPA3 compatibility information of T714 includes information indicating the hash function "SHA256" used in communication with the authentication server. T716 is the same as T16 in FIG. In T718, the MFP 10 changes the WPA3 setting information 42 from the setting "SHA256 optional" to the setting "SHA256 required".

T720 is the same as T20 in FIG. 3 except that the selection screen includes a user password input field used for authentication in the authentication server instead of the AP password input field. T722 is the same as T22 in FIG. 3 except that the user password "pppp" stored in the authentication server 310 in association with the user name indicating the user of the MFP 10 is entered in the user password entry field. . T730-T734 are the same as T30-T34 in FIG. T736 is similar to Y36 in FIG. 2 except MPF10 is utilized.

At T740, the MFP 10 transmits a Client Hello signal to the authentication server 910 via the AP900. Communication between the MFP 10 and the AP 900 is encrypted according to TLS (abbreviation of Transport Layer Security). The Client Hello signal is a signal that notifies the authentication server 310 that the MFP 10 will start operating as a TLS client.

At T742, the MFP 10 receives a Server Hello signal from the authentication server 910 via the AP 900 as a response to the Client Hello signal. The Server Hello signal is a signal that notifies the MFP 10 that the authentication server 910 will start operating as a TLS server.

In this case, a malicious third party prepares AP 900 and authentication server 910 for the purpose of intercepting communications. The authentication server 910 is a server that executes EAP (Extensible Authentication Protocol) authentication according to WPA2. EAP authentication includes user authentication and key exchange. User authentication is communication for authentication server 910 to authenticate the user of MFP 10 using the user password received from MFP 10 . Key exchange is communication for authentication server 910 to provide both MFP 10 and AP 900 with an encryption key used in 4-way handshake communication when user authentication is successful.

As described above, the authentication server 910 performs EAP authentication using the hash function "SHA1". Therefore, the authentication server 910 notifies the MFP 10 of the use of the hash function "SHA1" in the Server Hello signal of T742. However, in this case, at T718, the WPA3 setting information 42 is changed from the setting "SHA256 optional" to the setting "SHA256 required". As described above, the setting “SHA256 required” does not permit communication with the authentication server using the hash function “SHA1”. Therefore, the MFP 10 determines in T744 that EAP authentication with the authentication server 910 cannot be executed. T746 is similar to T36 in FIG. According to this case, it is possible to suppress the occurrence of the same problem as in FIG. 2 even in WPA3 Enterprise.

(correspondence relationship)
SHA256 optional and SHA256 required are examples of a "first state" and a "second state," respectively.

(Fifth embodiment)
In this embodiment, the MFP 10 communicates with a management server that manages the state of the MFP 10 . Communication between the MFP 10 and the management server is performed according to TCP (abbreviation for Transmission Control Protocol). Furthermore, communication between the MFP 10 and the management server is encrypted according to TLS. For example, the MFP 10 periodically transmits information indicating the state of the MFP 10 (for example, the remaining amount of ink) to the management server.

(Configuration of communication system 2; FIG. 13)
The communication system 2 of the present embodiment is the same as the communication system 2 of the first embodiment except that management servers 600 and 700 are provided instead of the APs 200 and 300 and the configuration of the MFP 10 is different.

The management server 600 supports TLS version 1.2. The management server 700 supports the new version 1.3 of TLS formulated after version 1.2. Management servers 600 and 700 are connected to LAN4. LAN4 is a wired LAN. Note that "1.3" is a number representing the latest version and is only an example.

(Configuration of MFP 10; FIG. 13)
The MFP 10 of this embodiment has a LAN I/F 60 instead of the Wi-Fi I/F 16, stores TLS setting information 50 instead of the WPA3 setting information 42, and the memory 34 stores a MAC address list. It is the same as the first embodiment except that 52 is stored. LAN I/F 60 is an I/F for executing communication via LAN 4 and is connected to LAN 4 . Also, the MFP 10 of this embodiment supports TLS version 1.3.

The TLS setting information 50 indicates one of a plurality of settings including the setting "TLS1.3 not required" and the setting "TLS1.3 required". The setting “TLS 1.3 not required” is a setting that permits the use of both TLS of version 1.3 and TLS of version 1.2 or earlier. The setting “TLS 1.3 required” is a setting that permits the use of TLS version 1.3 and does not permit the use of TLS versions prior to version 1.2.

The MAC address list 52 indicates a list of MAC addresses of management servers that support TLS version 1.3 and are connected to the LAN 4 by the administrator of the MFP 10 . The MAC address list 52 is stored in the MFP 10 by the administrator. Note that, in a modified example, the MAC address list 52 may be stored in an external device different from the memory 34 (for example, a server separate from the MFP 10).

(Specific case of this embodiment; FIG. 14)
Specific cases D1 and D2 of this embodiment will be described with reference to FIG. Case D1 is a case in which communication according to TLS is executed between the MFP 10 and the management server 700 . Case D2 represents a case in which the present embodiment deals with a problem example similar to the problem example in FIG.

At the initial stage of cases D1 and D2, the TLS setting information 50 of the MFP 10 indicates the setting "TLS 1.3 not required" by default. All the following communications performed by the MFP 10 of this embodiment are performed via the LAN I/F 60 . In the following description, the description of "via the LAN I/F 60" may be omitted when describing processing related to communication.

Also, in cases D1 and D2, a situation is assumed in which a new management server 700 is installed in addition to the management server 600 . In this case, the user inputs the IP address of management server 700 into MFP 10 instead of the IP address of management server 600 .

(Case D1; FIG. 14)
At T<b>810 , the user operates the operation unit 12 of the MFP 10 to input an instruction for TCP connection with the management server 700 . For example, communication between the MFP 10 and the management server is performed periodically while the MFP 10 is powered on. A connection according to TCP with the management server 700 (hereinafter referred to as a TCP connection) is established triggered by turning on the power of the MFP 10 after the IP address of the management server 700 is entered.

In T812, the MFP 10 transmits an ARP (abbreviation of Address Resolution Protocol) request with the IP address of the management server 700 as the destination. The ARP request is a signal requesting the MAC address of the management server.

At T814, the MFP 10 receives an ARP response including MAC address MA1 of management server 700 from management server 700 as a response to the ARP request at T812. At T816, a TCP connection is established between the MFP 10 and the management server 700. FIG.

At T818, the MFP 10 determines whether the MAC address in the ARP response received from the management server is included in the MAC address list 52 or not. In this case, the MFP 10 determines that the MAC address MA1 included in the ARP response in T814 is included in the MAC address list 52, and proceeds to the process of T819. On the other hand, if it is determined that the MAC address in the ARP response is not included in the MAC address list 52, the MFP 10 skips the processing of T819 and proceeds to the processing from T820. In this case, the MFP 10 executes communication according to TLS1.2 with the management server 600 supporting TLS1.2, for example.

In T819, the MFP 10 changes the TLS setting information 50 from the setting "TLS1.3 not required" to the setting "TLS1.3 required".

At T820, the MFP 10 transmits a Client Hello signal to the management server 700 using the TCP connection established at T816. At T820, the MFP 10 receives a Server Hello signal from the management server 700 using the established TCP connection. The Server Hello signal includes information indicating that the management server 700 supports TLS version 1.3.

In T830, communication according to TLS version 1.3 is executed between the MFP 10 and the management server 700 using the established TCP connection. The communication includes, for example, transmission of information indicating the state of the MFP 10 to the management server.

At subsequent T840, the MFP 10 disconnects the TCP connection at T816 with a predetermined user operation as a trigger. The predetermined operation is, for example, an operation of turning off the power of the MFP 10 .

(Case D2)
In this case, a malicious third party prepares the management server 930 for the purpose of intercepting communications. Management server 930 does not support TLS version 1.3. Management server 930, for example, supports older versions (eg, 1.2) that were formulated prior to version 1.3. TLS provides new security protocols with version updates. Communication according to an old version of TLS formulated before version 1.3 has weaker security than communication according to version 1.3 of TLS.

Also, a third party illegally obtains the IP address and MAC address MA1 of management server 700 . The third party sets the IP address of management server 930 to the same IP address as that of management server 700, and sets the MAC address of management server 930 to MAC address MA1.

The third party first interferes with communication between management server 700 and LAN4. The user of the MFP 10 inputs a TCP connection instruction at T910 in the same manner as at T810 without knowing the existence of the third party. The MFP 10 transmits an ARP request addressed to the IP address of the management server 700 at T912. However, the communication of the management server 700 is blocked, and the IP address of the management server 930 is set to the same IP address as that of the management server 700 . As a result, at T914, the MFP 10 receives an ARP response including the MAC address MA1 of the management server 930 from the management server 930. FIG.

A TCP connection is established between the MFP 10 and the management server 930 at T916. T918, T919 and T920 are similar to T818, T819 and T820. T922 is similar to T822, except that the Server Hello signal includes information indicating that the management server 930 supports TLS of version 1.3 or earlier (eg, 1.2).

In this case, at T919, the TLS setting information 50 is changed to the setting "TLS 1.3 required". As described above, the setting "Require TLS 1.3" does not allow the use of TLS versions earlier than version 1.2. In this case, the management server 930 supports TLS versions prior to version 1.2. Therefore, in T924, the MFP 10 does not permit execution of communication according to TLS version 1.3, and causes the display unit 14 to display a communication error with the management server 930. FIG. Also in this case, it is possible to suppress the occurrence of the same problem as in FIG. 2 in communication according to TLS with the management server.

(Table showing relationship between management server and MFP; FIG. 15)
As shown in FIG. 15, a server supporting TLS version 1.2 or earlier, a server supporting TLS version 1.3 or earlier, a server supporting only TLS version 1.3, can exist.

On the other hand, as MFPs, there are an MFP that operates with TLS version 1.2 or earlier, an MFP that operates with TLS version 1.3 or earlier, and a WPA3 compatible MFP that operates only with TLS version 1.3. and can exist.

In this embodiment, the TLS setting information 50 of the MFP 10 is changed to the setting "TLS 1.3 required" (T919 in FIG. 14). Therefore, the MFP 10 can perform communication using a TCP connection with either a server that supports TLS of version 1.3 or earlier, or a server that only supports TLS of version 1.3. On the other hand, the MFP 10 cannot perform communication using a TCP connection with a server that supports TLS of version 1.2 or earlier.

(correspondence relationship)
The LAN I/F 60 in FIG. 12 is an example of the "communication interface". The management server 700 and the management server 600 are examples of the "first external device" and the "second external device", respectively. TLS1.3 non-required and TLS1.3 required are examples of the "first state" and the "second state", respectively. Version 1.3 and version 1.2 are examples of "first version" and "second version", respectively. TLS version 1.3 and TLS version 1.2 are examples of the "first communication standard" and the "second communication standard", respectively. An APR response containing the MAC address MA1 is an example of a "signal." T814 and T819 in FIG. 14 are examples of processing implemented by the "first receiving unit" and the "first changing unit", respectively.

Specific examples of the technology disclosed in this specification have been described above, but these are merely examples and do not limit the scope of the claims. The technology described in the claims includes various modifications and changes of the specific examples illustrated above. For example, the following modifications may be adopted.

(Modification 1) The "signal" received by the "communication device" from each of one or more external devices is not limited to the probe response, and may be, for example, a beacon signal transmitted by the AP. In this modified example, the "request signal" can be omitted.

(Modification 2) The process of T224 in FIG. 4 may not be executed. In this modified example, the "second change section" can be omitted.

(Modification 3) The process of FIG. 6 may not be executed. In this modified example, the “second receiving unit” and the “third changing unit” can be omitted.

(Modification 4) In the first to fourth embodiments, the selection screen such as T20 in FIG. 3 may not be displayed. In this modified example, the "first display control section" can be omitted.

(Modification 5) The first selection screen at T220 in FIG. 4 may include the SSIDs "ap01" and "ap03" of the APs 200 and 400 that are not compatible with WPA3. Generally speaking, a "list" may include information indicative of a first external device and information indicative of said second external device.

(Modification 6) The first selection screen at T220 in FIG. 4 may not include the "other AP" button. In this modified example, the "predetermined instruction" can be omitted.

(Modification 7) The process of T268 in FIG. 5 may not be executed. In this modified example, the “fourth modification unit” can be omitted.

(Modification 8) The "communication device" is not limited to the MFP 10, and may be a terminal device such as a printer, a scanner, or a PC.

(Modification 9) The “server” is not limited to the management server 600 or the like that manages the state of the MFP 10 , but may be, for example, a mail server or the like that transmits an e-mail in response to an instruction from the MFP 10 .

(Modification 10) In the above embodiment, the processes of FIGS. 2 to 14 are realized by software (for example, the program 40), but at least one of these processes may be realized by hardware such as a logic circuit. good.

(Modification 11) In the fifth embodiment, the MFP 10 transmits an ARP request to the management server 700 (T810, T812 in FIG. 14) triggered by the input of the TCP connection instruction after the IP address of the management server 700 is input. ). Alternatively, the MFP 10 may automatically send an ARP request to the management server 700 at a predetermined timing after the IP address of the management server 700 is entered without executing the process of T810. In this modified example, the "specific instruction" can be omitted. Also, generally speaking, the “first receiving unit” is a predetermined timing while the state of the communication device is in the first state, and receives the first signal via the communication interface with the first external device. A request signal may be transmitted to the outside at the predetermined timing at which one connection should be established.

The technical elements described in this specification or in the drawings exhibit technical usefulness alone or in various combinations, and are not limited to the combinations described in the claims as of the filing. In addition, the techniques exemplified in this specification or drawings achieve multiple purposes at the same time, and achieving one of them has technical utility in itself.

2: communication system, 4: LAN, 10: MFP, 12: operation unit, 14: display unit, 16: Wi-Fi I/F, 20: print execution unit, 22: scan execution unit, 30: control unit, 32: CPU, 34: memory, 40: program, 42: WPA3 setting information, 44: PMF setting information, 50: TLS setting information, 52: MAC address list, 100: terminal device, 200: AP, 210: authentication server, 300: AP, 310: authentication server, 600: management server, 700: management server, 800: AP, 850: MFP, 900: AP, 910: AP, 920: authentication server, 930: management server, MA1, MA2: MAC address

Claims (21)

A communication device,
a communication interface;
a first receiver that receives signals from each of one or more external devices existing around the communication device via the communication interface while the communication device is in the first state; hand,
The first state supports use of a first connection via the communication interface with a first external device supporting a first communication standard, supports a second communication standard, and supports the first communication standard. use of a second connection via the communication interface with a second external device that does not support the communication standard of
The second communication standard is a communication standard different from the first communication standard,
the first receiving unit;
changing the state of the communication device from the first state to the A first changing unit that changes to a second state different from the first state,
the second state is a state in which use of the first connection is permitted and use of the second connection is not permitted;
the first modification unit;
A communication device comprising: The first receiving unit transmits a request signal to the outside when a specific instruction is input to the communication device, and receives the signal as a response to the request signal from each of the one or more external devices. 2. The communication device of claim 1, receiving. Among the one or more external devices, in addition to the first external device, there is the second external device that supports the second communication standard and does not support the first communication standard. 3. The communication device according to claim 1, wherein the state of the communication device is maintained in the first state when the state of the communication device is changed. The first change unit communicates with the first external device after the signal is received from each of the one or more external devices including the first external device and the second external device. 4. The communication device according to claim 3, wherein the state of said communication device is changed from said first state to said second state when an instruction to establish said first connection is input to said communication device. The first change unit supports the second communication standard and does not support the first communication standard in addition to the first external device among the one or more external devices. 3. The communication device according to claim 1, wherein the state of said communication device is changed from said first state to said second state even when said second external device is present. The communication device further
when an instruction to establish the second connection with the second external device is input to the communication device after the state of the communication device is changed from the first state to the second state; 6. The communication device according to claim 5, further comprising: a second changing unit for changing the state of said communication device from said second state to said first state. The communication device further
When receiving an establishment request requesting establishment of a connection with a specific external device from a terminal device different from the communication device while the state of the communication device is in the first state, the specific external device a second receiving unit that receives specific standard information indicating the communication standard supported by the specific external device from
When the specific standard information indicates the first communication standard due to the fact that the specific external device is the first external device that supports the first communication standard, the a third changing unit that changes the state of the communication device from the first state to the second state;
with
Due to the fact that the specific external device is the second external device that supports the second communication standard but does not support the first communication standard, the specific standard information is 7. The communication device according to any one of claims 1 to 6, wherein the state of said communication device is maintained in said first state when indicating No. 2 communication standard. The communication device further
a display unit;
a first display control unit that causes the display unit to display a list indicating the one or more external devices when the signal is received from each of the one or more external devices;
8. A communication device according to any one of claims 1 to 7, comprising a . The one or more external devices are the first external device supporting the first communication standard and the second external device supporting the second communication standard and not supporting the first communication standard. a second external device;
9. The communication device according to claim 8, wherein said list includes information indicating said first external device and does not include information indicating said second external device. The communication device further
a second display control unit for displaying information indicating the second external device on the display unit when a predetermined instruction is input to the communication device after the list is displayed on the display unit; 10. A communication device according to claim 9. The communication device further
changing the state of the communication device from the second state if the signal is not received from the first external device after the state of the communication device is changed from the first state to the second state; 11. The communication device according to any one of claims 1 to 10, comprising a fourth changer for changing to said first state. the first external device and the second external device are access points;
12. A communication device according to any preceding claim, wherein said first connection and said second connection are wireless connections. the first state includes a WPA3 Transition Mode according to the WPA3;
13. The communication device of claim 12, wherein said second state comprises WPA3 Only Mode according to said WPA3. The first state is the first authentication of the PSK (abbreviation of Pre-Shared Key) method that can be used in the standards before WPA2, and the authentication that can be used in the WPA3 and cannot be used in the standards before WPA2. SAE (abbreviation of Simultaneous Authentication of Equals) method includes a state that permits both of the second authentication,
14. The communication device according to claim 12 or 13, wherein said second state includes a state in which said first authentication is not permitted and said second authentication is permitted. The first state includes a first hash function usable in both the WPA3 and the pre-WPA2 standard, and a second hash function usable in the WPA3 but not pre-WPA2 standard. contains state that permits the use of both a hash function and
13. The communication device according to claim 12, wherein said second state includes a state in which use of said first hash function is not permitted and use of said second hash function is permitted. The first communication standard and the second communication standard include Wi-Fi standards,
The first communication standard includes PMF (abbreviation of Protected Management Frames),
the second communication standard does not include the PMF;
the first state includes a state indicated by PMF Capable;
13. The communications device of claim 12, wherein the second state comprises a state indicated by PMF Required. The communication device further
an image processing execution unit for executing specific image processing;
After establishing the first connection, using the first connection to receive a specific request requesting execution of the specific image processing from the first external device via the communication interface. a third receiving unit;
a processing control unit that causes the image processing execution unit to execute the specific image processing according to the specific request;
17. A communication device according to any one of claims 1 to 16, comprising: the first external device and the second external device are servers;
The first communication standard includes a first version of TLS (abbreviation for Transport Layer Security) used in communication with the server,
the second communication standard includes a second version of the TLS, formulated prior to the first version;
the first state includes a state that permits use of both the first version and the second version;
12. The communication device according to any one of claims 1 to 11, wherein said second state includes a state in which use of said first version is not permitted and use of said second version is permitted. A communication device,
a communication interface;
a first receiver that receives signals from each of one or more external devices existing around the communication device via the communication interface;
If the signal indicating that the specific external device among the one or more external devices is the first external device supporting the first communication standard is not received, the communication device is transferred to the first external device. operate as a state,
an operation control unit that operates the communication device in a second state when the signal indicating that the specific external device is the first external device is received,
The first state includes use of a first connection via the communication interface with the first external device and the communication interface with a second external device that does not support the first communication standard. and permitting both the use of the second connection via
the second state is a state in which use of the first connection is permitted and use of the second connection is not permitted;
the first connection is a connection according to the first communication standard;
the operation control unit, wherein the second connection is a connection according to a second communication standard different from the first communication standard;
A communication device comprising: A computer program for a communication device, comprising:
The communication device
a communication interface;
a computer;
with
The computer program causes the computer to:
a first receiver that receives signals from each of one or more external devices existing around the communication device via the communication interface while the communication device is in the first state; hand,
The first state supports use of a first connection via the communication interface with a first external device supporting a first communication standard, supports a second communication standard, and supports the first communication standard. use of a second connection via the communication interface with a second external device that does not support the communication standard of
The second communication standard is a communication standard different from the first communication standard,
the first receiving unit;
changing the state of the communication device from the first state to the A first changing unit that changes to a second state different from the first state,
the second state is a state in which use of the first connection is permitted and use of the second connection is not permitted;
the first modification unit;
A computer program that acts as A computer program for a communication device, comprising:
The communication device
a communication interface;
a computer;
with
The computer program causes the computer to:
a first receiver that receives signals from each of one or more external devices existing around the communication device via the communication interface;
If the signal indicating that the specific external device among the one or more external devices is the first external device supporting the first communication standard is not received, the communication device is transferred to the first external device. operate as a state,
an operation control unit that operates the communication device in a second state when the signal indicating that the specific external device is the first external device is received,
The first state includes use of a first connection via the communication interface with the first external device and the communication interface with a second external device that does not support the first communication standard. and permitting both the use of the second connection via
the second state is a state in which use of the first connection is permitted and use of the second connection is not permitted;
the first connection is a connection according to the first communication standard;
the operation control unit, wherein the second connection is a connection according to a second communication standard different from the first communication standard;
A computer program that acts as

Images