JP7302682B2 - Computer program for terminal device, terminal device, communication device, and computer program for communication device - Google Patents

Description

This specification discloses a technology related to a terminal device and a communication device capable of establishing a wireless connection with an external device.

Non-Patent Document 1 describes a DPP (abbreviation for Device Provisioning Protocol) system, which is a wireless communication system formulated by the Wi-Fi Alliance. The DPP system is a wireless communication system for easily establishing a Wi-Fi connection. Non-Patent Document 1 discloses that a Wi-Fi connection is established between a client device and an access point to form an infrastructure network.

JP 2017-28454 A JP 2017-135520 A Japanese Patent Application Laid-Open No. 2018-37978

"DRAFT Device Provisioning Protocol Technical Specification Version 0.2.11" Wi-Fi Alliance, 2017

Non-Patent Document 1 above does not disclose a specific technique for establishing a Wi-Fi connection between each of a plurality of client devices and an access point.

This specification discloses a technique for appropriately establishing a wireless connection between each of a terminal device and a communication device and an external device.

This specification discloses a computer program for a terminal device. The terminal device includes a wireless interface, a computer, and a memory that stores a private key of the terminal device, wherein the private key uses at least part of information included in first connection information for an external device. and the first connection information is used for establishing a first wireless connection between the terminal device and the external device via the wireless interface. and the memory, which is information stored in the external device, wherein the computer program causes the computer to obtain a first public key of a communication device different from the external device. and a first acquisition unit that, after the first public key is acquired, transmits a first authentication request using the first public key to the communication device via the wireless interface. and a first authentication response that is a response to the first authentication request from the communication device via the wireless interface after the first authentication request is transmitted to the communication device and generating second connection information for the communication device using the private key when the first authentication response is received from the communication device wherein the second connection information is information for establishing a second wireless connection between the communication device and the external device, and the secret key is the first the second connection information via the wireless interface and the first generating unit, which is used to encrypt information obtained using at least part of the information included in the connection information of No. 2; and a first information transmitting unit that transmits to the communication device.

According to the above configuration, the secret key used for encrypting the information obtained using at least part of the information included in the first connection information for the external device and the second connection information for the communication device. The secret key used for encryption of information obtained using at least part of the information included in the information is the same. Then, when the first connection information is used by the external device, a first wireless connection is established between the terminal device and the external device, and when the second connection information is used by the communication device, the communication device A second wireless connection is established between the and the external device. Therefore, it is possible to appropriately establish a wireless connection between each of the terminal device and the communication device and the external device.

This specification also discloses a communication device. A communication device comprises: a wireless interface; an authentication request receiving unit that receives an authentication request using a first public key of the communication device from a terminal device via the wireless interface; is received, via the wireless interface, an authentication response transmission unit that transmits an authentication response, which is a response to the authentication request, to the terminal device; and after the authentication response is transmitted to the terminal device, the An information receiving unit that receives connection information and specific information from a terminal device via the wireless interface, wherein the connection information is transmitted between the communication device and an external device via the wireless interface. The specific information includes channel information indicating a communication channel used in a first wireless connection established between the terminal device and the external device, and the external device and the information receiving unit including at least one of: and device identification information for identifying the terminal device; and an establishing unit that establishes the second wireless connection between the communication device and the external device.

According to the above configuration, when the communication device receives an authentication request from the terminal device, the communication device transmits an authentication response to the terminal device and receives the connection information and the specific information from the terminal device. The specific information includes at least one of channel information indicating a communication channel used in the first wireless connection established between the terminal device and the external device, and device identification information identifying the external device. Therefore, the communication device can use the connection information and the specific information to properly establish the second wireless connection between the communication device and the external device. Therefore, it is possible to appropriately establish a wireless connection between each of the terminal device and the communication device and the external device.

The terminal itself and the computer readable recording medium storing the computer program for the terminal are also new and useful. A computer program for a communication device and a computer-readable medium storing the computer program are also novel and useful. Methods performed by terminal devices and methods performed by communication devices are also novel and useful. A communication system comprising a terminal device and a communication device is also novel and useful.

1 shows the configuration of a communication system; An explanatory view for explaining an outline of an example is shown. FIG. 10 is a sequence diagram of a process of bootstrapping with an AP; FIG. FIG. 10 is a sequence diagram of authentication processing with an AP; FIG. 10 is a sequence diagram of configuration processing with an AP; FIG. 10 is a sequence diagram of Network Access processing with an AP; FIG. 10 is a sequence diagram of a process of bootstrapping with a printer; FIG. 4 is a sequence diagram of authentication processing with a printer; FIG. 10 is a sequence diagram of configuration processing with a printer; FIG. 4 shows a sequence diagram of Network Access processing between a printer and an AP; FIG. 4 shows a sequence diagram of processing executed between a terminal, a printer, and an AP;

(Configuration of communication system 2; Fig. 1)
As shown in FIG. 1 , the communication system 2 includes an AP (abbreviation for Access Point) 6 , a terminal 10 and a printer 100 . In this embodiment, the user uses the terminal 10 to establish a wireless connection according to the Wi-Fi system between the terminal 10 and the AP 6 (hereinafter referred to as "Wi-Fi connection"), and then , to establish a Wi-Fi connection between the printer 100 and the AP6.

(Configuration of terminal 10)
The terminal 10 is a portable terminal device such as a mobile phone (for example, smart phone), PDA, tablet PC, or the like. Note that in a modification, the terminal 10 may be a stationary PC, a notebook PC, or the like.

The terminal 10 includes an operation unit 12, a display unit 14, a camera 15, a Wi-Fi interface 16, and a control unit 30. Each unit 12 to 30 is connected to a bus line (reference numerals omitted). In the following description, the interface is simply referred to as "I/F".

The operation unit 12 has a plurality of keys. A user can input various instructions to the terminal 10 by operating the operation unit 12 . The display unit 14 is a display for displaying various information. The display unit 14 also functions as a touch panel (that is, an operation unit) that receives instructions from the user. The camera 15 is a device for photographing an object, and in this embodiment, it is used to photograph a QR code (registered trademark) for the AP 6 and the printer 100 in particular.

A MAC address “macte” is assigned to the Wi-Fi I/F 16 . The Wi-Fi I/F 16 is a wireless interface for performing wireless communication according to the Wi-Fi system (hereinafter referred to as "Wi-Fi communication"). The Wi-Fi system is, for example, the IEEE (abbreviation of The Institute of Electrical and Electronics Engineers, Inc.) 802.11 standard and standards conforming thereto (eg 802.11a, 11b, 11g, 11n, 11ac, etc.) is a wireless communication scheme for performing wireless communication according to. In particular, the Wi-Fi I/F 16 supports the DPP (abbreviation for Device Provisioning Protocol) method that will be formulated by the Wi-Fi Alliance. The DPP method is described in "DRAFT Device Provisioning Protocol Technical Specification Version 0.2.11", which is a draft of the standards created by the Wi-Fi Alliance, and uses the terminal 10 to connect a pair of devices (for example, the terminal 10 and AP6, or between the printer 100 and AP6).

The control unit 30 has a CPU 32 and a memory 34 . CPU 32 executes various processes according to programs 36 and 38 stored in memory 34 . The memory 34 is composed of a volatile memory, a nonvolatile memory, or the like, and stores an OS program 36 and a connection application 38 (hereinafter simply referred to as "application 38").

The OS program 36 is a program for controlling basic operations of the terminal 10 . The application 38 is a program for establishing a Wi-Fi connection between a pair of devices according to the DPP method. The application 38 is installed in the terminal 10 from a server on the Internet provided by the vendor of the printer 100, for example.

(Configuration of Printer 100)
The printer 100 is a peripheral device (for example, a peripheral device such as the terminal 10) capable of executing a print function. Printer 100 includes operation unit 112 , display unit 114 , Wi-Fi I/F 116 , print execution unit 118 , and control unit 130 . Each unit 112 to 130 is connected to a bus line (reference numerals omitted).

The operation unit 112 has a plurality of keys. A user can input various instructions to the printer 100 by operating the operation unit 112 . The display unit 114 is a display for displaying various information. The display unit 114 also functions as a touch panel (that is, an operation unit) that receives instructions from the user. Wi-Fi I/F 116 is similar to Wi-Fi I/F 16 of terminal 10 . That is, the Wi-Fi I/F 116 supports the DPP method. Also, the Wi-Fi I/F 116 is assigned a MAC address “macpr”. The print execution unit 118 includes a printing mechanism such as an inkjet method or a laser method.

Control unit 130 includes CPU 132 and memory 134 . CPU 132 executes various processes according to programs 136 stored in memory 134 . The memory 134 is composed of a volatile memory, a nonvolatile memory, or the like.

(Overview of this embodiment; FIG. 2)
Next, an outline of this embodiment will be described with reference to FIG. As mentioned above, the terminal 10 and the printer 100 support the DPP method, and the AP6 also supports the DPP method. In addition, AP6 is assigned a MAC address "macap". In this embodiment, each device 6, 10, 100 establishes a Wi-Fi connection between each of the terminal 10 and the printer 100 and the AP 6 by executing communication according to the DPP method. In the following, for ease of understanding, the operations executed by the CPUs (e.g., CPU 32, CPU 132) of each device will be described mainly for each device (e.g., terminal 10, printer 100) without describing the CPU as the subject. do.

At T5, the terminal 10 performs DPP-based bootstrapping (hereinafter simply referred to as “BS”) with AP6. In response to the terminal 10 photographing the QR code affixed to the AP 6, the BS transmits information used for Authentication of T10 (hereinafter simply referred to as "Auth") from the AP 6. This is processing provided to the terminal 10 .

At T10, the terminal 10 uses the information acquired by the BS at T5 to perform DPP Auth with AP6. The Auth is processing for each of the terminal 10 and the AP 6 to authenticate the communication partner.

At T15, the terminal 10 performs DPP configuration (hereinafter simply referred to as “Config”) with AP6. The Config is a process for AP 6 to transmit information for establishing Wi-Fi connection to AP 6 . Specifically, the terminal 10 generates a Configuration Object for AP (hereinafter, the Configuration Object is simply referred to as “CO”) and transmits the CO for AP to the AP 6 . As a result, the AP CO is stored in the AP6.

At T20, the terminal 10 executes DPP-based Network Access (hereinafter simply referred to as “NA”) with AP6. The terminal 10 generates a terminal CO in the NA and stores it in the memory 34 . The terminal 10 and the AP 6 use the terminal CO and the AP CO to share a connection key for establishing a Wi-Fi connection between the terminal 10 and the AP 6 .

At T25, the terminal 10 and AP 6 perform 4way-handshake communication. In at least a part of the 4way-handshake communication, the terminal 10 and the AP 6 communicate encrypted information encrypted by the connection key shared by the NA of T20. Then, when the decryption of the encrypted information is successful, a Wi-Fi connection is established between the terminal 10 and the AP6. As a result, the terminal 10 participates in the wireless network formed by the AP 6 as a slave station. Note that in a modification, SAE (Simultaneous Authentication of Equals, commonly known as “Dragonfly”) communication may be used instead of 4-way-handshake communication.

Next, the terminal 10 executes the DPP BS with the printer 100 at T55. The BS is a process in which the printer 100 provides the terminal 10 with information used for Auth in T60, which will be described later, in response to the terminal 10 photographing the QR code displayed on the printer 100 .

At T60, the terminal 10 uses the information already acquired by the BS at T55 to perform DPP Auth with the printer 100. FIG. The Auth is processing for each of the terminal 10 and the printer 100 to authenticate a communication partner.

At T65, the terminal 10 executes DPP Config with the printer 100. FIG. The Config is processing for transmitting information for the printer 100 to establish a Wi-Fi connection to the printer 100 . Specifically, the terminal 10 generates a printer CO and transmits the printer CO to the printer 100 . As a result, the printer CO is stored in the printer 100 .

At T70, the printer 100 and the AP 6 use the printer CO and the AP CO to execute DPP NA. The NA is processing for sharing a connection key between the printer 100 and the AP 6 for establishing a Wi-Fi connection between the printer 100 and the AP 6 .

At T75, the printer 100 and AP 6 execute 4way-handshake communication. In at least a part of the 4way-handshake communication, the printer 100 and the AP 6 communicate encrypted information encrypted by the connection key shared by the NA of T70. Then, when the encryption information is successfully decrypted, a Wi-Fi connection is established between the printer 100 and the AP6. As a result, the printer 100 participates in the wireless network formed by the AP 6 as a slave station.

When the processes of T5 to T75 are executed, each of the terminal 10 and the printer 100 participates as a slave station in the wireless network formed by the AP6. As a result, the terminal 10 and the printer 100 can communicate with each other through the AP 6 using the wireless network. For example, the terminal 10 and printer 100 can perform the following communications. That is, print data representing an image to be printed is transmitted from the terminal 10 to the AP 6 at T80, and the print data is transmitted from the AP 6 to the printer 100 at T85. As a result, at T90, the printer 100 executes printing according to the print data.

In the DPP method, in order to establish a Wi-Fi connection between each of the terminal 10 and the printer 100 and the AP 6, the user provides information of the wireless network in which the AP 6 operates as a master station (for example, SSID (abbreviation for Service Set Identifier)). ), password, etc.) to the terminal 10 and the printer 100 . Therefore, the user can easily establish a Wi-Fi connection between each of the terminal 10 and printer 100 and the AP 6 .

(Bootstrapping (BS) with AP6; Fig. 3)
Next, the details of each process executed at T5 to T20 and T55 to T70 in FIG. 2 will be described with reference to FIGS. 3 to 10. FIG. First, referring to FIG. 3, the BS processing performed between the terminal 10 and the AP 6 at T5 in FIG. 2 will be described. In the initial state of FIG. 3, AP6 stores in advance the public key APK1 and secret key ask1 of AP6. A QR code obtained by encoding AP6's public key APK1, AP6's channel list L1, and AP6's MAC address "macap" is attached to the housing of AP6. The channel list L1 is a list of a plurality of communication channels to be used for Auth (see T10 in FIG. 2) (that is, a plurality of communication channels available to AP6).

In T100, the terminal 10 activates the application 38 in response to receiving an activation operation of the application 38 from the user. Each subsequent process executed by the terminal 10 is implemented by the application 38 . Next, in T102, the terminal 10 displays a selection screen on the display unit 14. FIG. The selection screen includes a "New" button indicating that the terminal 10 will establish a new Wi-Fi connection.

In response to the user selecting the "New" button in the selection screen in T104, the terminal 10 causes the display unit 14 to display an input screen for inputting a group ID in T106. The group ID is information for identifying a wireless network formed by the terminal 10 establishing a new Wi-Fi connection.

The terminal 10 determines whether or not to establish a Wi-Fi connection with the AP 6 in T110 in response to input of the group ID "home", which is an arbitrary character string specified by the user, in T108. A confirmation screen is displayed on the display unit 14 for the user to confirm. The confirmation screen includes a YES button indicating to execute establishment of Wi-Fi connection with AP6 and a NO button indicating not to execute establishment of Wi-Fi connection with AP6.

At T112, the terminal 10 activates the camera 15 in response to the user selecting the YES button in the confirmation screen, and at T120, the terminal 10 is attached to the housing of the AP 6 using the camera 15. Take a picture of the QR code. Then, at T122, the terminal 10 decodes the captured QR code to acquire the public key APK1, the channel list L1, and the MAC address "macap". When the process of T122 ends, the process of FIG. 3 ends.

(Authentication (Auth) with AP6; Fig. 4)
Next, the Auth processing executed between the terminal 10 and the AP 6 at T10 in FIG. 2 will be described with reference to FIG.

At T200, the terminal 10 generates its public key TPK1 and private key tsk1. Next, at T201, the terminal 10 uses the generated private key tsk1 according to ECDH (an abbreviation for Elliptic curve Diffie-Hellman key exchange) and the public key APK1 of AP6 obtained at T122 in FIG. Generate shared key SK1. Then, in T202, the terminal 10 encrypts the random value RV1 using the generated shared key SK1 to generate encrypted data ED1.

At T210, the terminal 10 transmits a DPP Authentication Request (hereinafter simply referred to as "AReq") via the Wi-Fi I/F 16 to the MAC address "macap" acquired at T122 in FIG. Send to AP6. AReq is a signal requesting AP 6 to perform authentication, and includes public key TPK1 of terminal 10 generated at T200, encrypted data ED1 generated at T202, and terminal 10 capability. Here, the terminal 10 repeats transmitting AReq to the AP 6 by sequentially using a plurality of communication channels in the channel list L1 acquired at T122 in FIG.

The capability is information that is specified in advance in a device that supports the DPP method, and indicates that it can operate only as a configurator of the DPP method and that it can operate only as an enrollee of the DPP method. and a value indicating that it can operate as both a Configurator and an Enrollee. Configurator means a device that transmits CO used in NA (eg, T20 in FIG. 2) to Enrollee in Config (eg, T15 in FIG. 2). On the other hand, Enrollee means a device that receives CO used in NA from Configurator in Config. As described above, in this embodiment, the terminal 10 generates the AP CO or the printer CO and transmits it to the AP 6 or the printer 100 . Therefore, the capability of the terminal 10 includes a value indicating that it can operate only as a configurator.

AP6 receives AReq from terminal 10 at T210. As described above, the AReq is transmitted with the MAC address "macap" of AP6 as the destination. Therefore, AP 6 can appropriately receive the AReq from terminal 10 . In addition, AP6 is in a state of monitoring reception of an AReq using one communication channel among the plurality of communication channels in the channel list L1 (that is, the plurality of communication channels available to AP6). Become. As described above, the AReq of T210 is transmitted using a plurality of communication channels in the channel list L1 in sequence. Therefore, AP 6 can appropriately receive the AReq from terminal 10 .

AP 6 then performs the following process to authenticate the source of the AReq (ie terminal 10). Specifically, at T212, AP6 generates shared key SK1 using public key TPK1 of terminal 10 in AReq and secret key ask1 of AP6 according to ECDH. Here, the shared key SK1 generated by the terminal 10 at T201 is the same as the shared key SK1 generated by the AP 6 at T212. Therefore, at T214, AP6 can appropriately decrypt the encrypted data ED1 in AReq using the generated shared key SK1, and as a result can obtain the random value RV1. When the decryption of the encrypted data ED1 succeeds, AP6 determines that the source of the AReq is the device that captured the QR code of AP6, that is, determines that the authentication has succeeded, and performs the processes after T216. Execute. On the other hand, if the decryption of the encrypted data ED1 is not successful, the AP6 determines that the source of the AReq is not the device that captured the QR code of the AP6, that is, determines that the authentication has failed. do not process.

AP6 generates a new public key APK2 and a new private key ask2 for AP6 at T216. Note that in a modified example, the AP 6 may store the public key APK2 and the secret key ask2 in advance. Next, at T217, AP6 generates shared key SK2 according to ECDH, using public key TPK1 of terminal 10 in AReq of T210 and generated private key ask2 of AP6. Then, at T218, AP6 uses the generated shared key SK2 to encrypt the obtained random value RV1 and the new random value RV2 to generate encrypted data ED2.

At T220, the AP 6 transmits a DPP Authentication Response (hereinafter simply referred to as “ARes”) to the terminal 10. The ARes includes the public key APK2 of AP6 generated at T216, the encrypted data ED2 generated at T218, and the capabilities of AP6. The capability includes a value indicating that it can operate as an Enrollee only.

At T220, the terminal 10 receives ARes from the AP 6 via the Wi-Fi I/F 16, and performs the following processing for authenticating the source of the ARes (that is, the AP 6). Specifically, at T222, the terminal 10 generates a shared key SK2 according to the ECDH using the private key tsk1 of the terminal 10 generated at T200 and the public key APK2 of AP6 in ARes. Here, shared key SK2 generated by AP 6 at T217 is the same as shared key SK2 generated by terminal 10 at T222. Therefore, at T224, the terminal 10 can appropriately decrypt the encrypted data ED2 in ARes using the generated shared key SK2, and as a result, can obtain the random values RV1 and RV2. When the decryption of the encrypted data ED2 succeeds, the terminal 10 determines that the source of the ARes is the device having the captured QR code, that is, determines that the authentication has succeeded, and performs the processing from T230 onwards. to run. On the other hand, if the decryption of the encrypted data ED2 is not successful, the terminal 10 determines that the source of the ARes is not a device having a captured QR code, that is, determines that the authentication has failed, and proceeds to T230. Do not execute further processing.

At T230, the terminal 10 transmits Confirm to AP6 via the Wi-Fi I/F16. Confirm includes information indicating that the terminal 10 operates as a configurator and the AP 6 operates as an enrollee. As a result, at T232, the terminal 10 decides to operate as a configurator, and at T234, the AP 6 decides to operate as an enrollee. When the process of T234 ends, the process of FIG. 4 ends. 4, the terminal 10 discards (that is, deletes from the memory 34) the public key TPK1 and the secret key tsk1.

(Configuration (Config) with AP6; Fig. 5)
Next, the Config process executed between the terminal 10 and the AP 6 at T15 in FIG. 2 will be described with reference to FIG.

At T300, the AP 6 transmits a DPP Configuration Request (hereinafter simply referred to as “CReq”) to the terminal 10. The CReq is a signal requesting transmission of the CO for AP.

Terminal 10 receives CReq from AP 6 via Wi-Fi I/F 16 at T300. In this case, the terminal 10 generates a new public key TPK2 and a new secret key tsk2 of the terminal 10 and stores them in the memory 34 in T302. Next, in T304, the terminal 10 uses the generated secret key tsk2 to generate a CO for AP. Specifically, the terminal 10 executes the following processes.

The terminal 10 first generates a hash value HV by hashing the public key TPK2 of the terminal 10 . Further, the terminal 10 hashes the combination of the hash value HV, the group ID "home" input at T108 in FIG. 3, and the public key APK2 of AP6 in ARes at T220 in FIG. Generate a first value. Then, the terminal 10 generates an electronic signature DSap by encrypting the generated first value using the secret key tsk2 of the terminal 10 according to ECDSA (an abbreviation for Elliptic Curve Digital Signature Algorithm). As a result, the terminal 10 receives a Signed-Connector for AP (hereinbelow, the Signed-Connector is simply referred to as " SC”) can be generated. The terminal 10 then generates an AP CO including the AP SC and the public key TPK2 of the terminal 10 .

At T310, the terminal 10 transmits a DPP Configuration Response (hereinafter simply referred to as “CRes”) including the AP CO to the AP 6 via the Wi-Fi I/F 16 .

AP6 receives CRes from the terminal 10 at T310. In this case, AP6 stores the AP CO in the CRes at T312. When the process of T312 ends, the process of FIG. 5 ends.

(Network Access (NA) with AP6; Fig. 6)
Next, the NA process performed between the terminal 10 and the AP 6 at T20 in FIG. 2 will be described with reference to FIG.

At T400, the terminal 10 generates a new public key TPK3 and a new private key tsk3 for the terminal 10. FIG. Next, in T402, the terminal 10 uses the secret key tsk2 of the terminal 10 stored in the memory 34 in T302 of FIG. 5 to generate a terminal CO. Specifically, the terminal 10 executes the following processes.

The terminal 10 first generates a hash value HV by hashing the public key TPK2 of the terminal 10 . The terminal 10 also hashes the combination of the hash value HV, the group ID "home" input at T108 in FIG. produces the value of Then, according to ECDSA, the terminal 10 uses the secret key tsk2 of the terminal 10 to encrypt the generated second value to generate the electronic signature DSte. As a result, the terminal 10 can generate a terminal SC including the hash value HV, the group ID "home", the public key TPK3 of the terminal 10, and the electronic signature DSte. The hash value HV and group ID "home" included in the terminal SC are the same as the hash value HV and group ID "home" included in the AP SC, respectively. The public key TPK3 and electronic signature DSte included in the terminal SC are different from the public key APK2 and electronic signature DSap included in the AP SC, respectively. Then, the terminal 10 generates a terminal CO including the terminal SC and the public key TPK2 of the terminal 10 stored in the memory 34 in T302 of FIG. 3, and stores the terminal CO in the memory .

At T410, the terminal 10 transmits a DPP Peer Discovery Request (hereinafter simply referred to as “DReq”) including the terminal SC to the AP 6 via the Wi-Fi I/F 16 . The DReq is a signal requesting the AP 6 to perform authentication and transmit the SC for AP.

At T410, in response to receiving the DReq from the terminal 10, the AP 6 obtains the source of the DReq (that is, the terminal 10) and each information in the DReq (that is, the hash value HV, "home", and public key Execute processing for authenticating TPK3). Specifically, in T412, the AP 6 first determines whether the hash value HV and group ID "home" in the terminal SC match the hash value HV and group ID "home" in the AP SC. A first AP determination process regarding whether or not is executed. In the case of FIG. 6, the AP 6 determines that the IDs match in the first AP determination process, and thus determines that the authentication of the source of the DReq (that is, the terminal 10) has succeeded. It should be noted that determining “match” in the first AP determining process means that the terminal SC and the AP SC were generated by the same device (that is, the terminal 10). Therefore, the AP 6 also determines that the authentication of the terminal SC generator (that is, the terminal 10) has succeeded. Further, the AP 6 decrypts the electronic signature DSte in the terminal SC using the public key TPK2 of the terminal 10 included in the AP CO. In the case of FIG. 6, the decryption of the electronic signature DSte is successful, so the AP 6 uses the second value obtained by decrypting the electronic signature DSte and each information in the terminal SC (that is, the hash value HV, A second AP determination process is performed as to whether or not "home" and the value obtained by hashing the public key TPK3) match. In the case of FIG. 6, the AP 6 determines "match" in the second AP determination process, so it determines that the authentication of each information in the DReq has succeeded, and executes the process from T414. Determining “match” in the second AP determination process means that each piece of information in the terminal SC has not been tampered with by a third party after the terminal CO was stored in the terminal 10. do. Authentication using an electronic signature, which will be described later, is also a process for confirming that information has not been tampered with by a third party. On the other hand, if it is determined that the first AP determination process "does not match", if the decryption of the digital signature DSte fails, or if it is determined that the second AP determination process "does not match", AP6 determines that the authentication has failed, and does not execute the processing after T414.

Next, at T414, AP6 generates a connection key (that is, a shared key) CK1 using public key TPK2 of terminal 10 included in the AP CO and secret key ask2 of AP6 according to ECDH.

At T420, the AP 6 transmits to the terminal 10 a DPP Peer Discovery Response (hereinafter simply referred to as "DRes") including the SC for AP.

At T420, the terminal 10 receives DRes from AP6 via the Wi-Fi I/F 16, the source of the DRes (that is, AP6), and each information in DRes (that is, the hash value HV, Execute processing for authenticating “home” and public key APK2). Specifically, in T422, the terminal 10 first determines whether the hash value HV and group ID "home" in the AP SC match the hash value HV and group ID "home" in the terminal SC. Execute a first TE determination process regarding whether or not. In the case of FIG. 6, the terminal 10 determines "match" in the first TE determination process, and therefore determines that the authentication of the source of DRes (that is, AP6) has succeeded. Note that determining “match” in the first TE determination process means that the terminal SC and the AP SC were generated by the same device (ie, the terminal 10). Therefore, the terminal 10 also determines that the authentication of the terminal SC generator (that is, the terminal 10) has succeeded. Further, the terminal 10 decrypts the electronic signature DSap in the SC for AP using the public key TPK2 of the terminal 10 included in the CO for terminal. In the case of FIG. 6, the decryption of the electronic signature DSap is successful, so the terminal 10 receives the first value obtained by decrypting the electronic signature DSap and each piece of information in the SC for AP (that is, the hash value HV , "home", and the value obtained by hashing the public key APK2) match. In the case of FIG. 6, the terminal 10 determines “matches” in the second TE determination process, and therefore determines that the authentication of each information in DRes has succeeded, and executes the processes from T424. On the other hand, if the first TE determination process determines "does not match", if the decryption of the digital signature DSap fails, or if the second TE determination process determines "does not match", The terminal 10 determines that the authentication has failed, and does not execute the process after T424.

At T424, the terminal 10 generates a connection key CK1 according to the ECDH using the terminal 10 secret key tsk2 and the AP6 public key APK2 in the AP SC. Here, the connection key CK1 generated by the AP 6 at T414 and the connection key CK1 generated by the terminal 10 at T424 are the same. As a result, the connection key CK1 for establishing Wi-Fi connection is shared between the terminal 10 and AP6. When T424 ends, the processing in FIG. 6 ends.

As described above, after the connection key CK1 is shared between the terminal 10 and AP6, at T25 in FIG. 2, the terminal 10 and AP6 execute 4way-handshake communication using the connection key CK1. As a result, a Wi-Fi connection is established between the terminal 10 and the AP6.

(Bootstrapping (BS) with printer 100; FIG. 7)
Next, the BS processing executed between the terminal 10 and the printer at T55 in FIG. 2 will be described with reference to FIG. In the initial state of FIG. 7, the terminal 10 has a public key TPK2 and a private key tsk2 of the terminal 10 (see T302 in FIG. 5), a public key TPK3 and a private key tsk3 of the terminal 10 (see T400 in FIG. 6), and a terminal and CO (see T402) are stored in the memory 34. Also, the printer 100 stores in advance the public key PPK1 and the private key psk1 of the printer 100 in the memory 134 .

T500 is the same as T100 in FIG. The terminal 10 first acquires the group ID “home” included in the terminal SC in the terminal CO stored in the memory 34 . In this case, in T502, the terminal 10 causes the display unit 14 to display a selection screen including a "home" button having the same character string as the acquired group ID "home" in addition to the "new" button.

If the user wishes to establish a Wi-Fi connection between the printer 100 and the AP 6, he selects the "home" button in the selection screen in T504. As described above, the character string "home" is a character string input by the user (see T108 in FIG. 3). It can be easily recognized that the "home" button should be selected if desired. Note that, for example, if the user wishes to establish a Wi-Fi connection between the terminal 10 and an AP different from AP6, the user can select the "New" button in the selection screen. In this case, the terminal 10 executes the same processing as in FIGS. 3 to 6 with the different AP to establish a Wi-Fi connection with the different AP. Thus, according to this embodiment, a Wi-Fi connection can be appropriately established between a pair of devices intended by a user. In T504, the terminal 10 activates the camera 15 when the "home" button in the selection screen is selected, and in T506 displays an instruction screen including a message indicating that the QR code should be captured on the display unit 14. indicate.

The printer 100 displays the QR code on the display unit 114 at T512 in response to the user performing a QR code display operation for displaying the QR code at T510. The QR code is encoded with the public key PPK1 pre-stored in the memory 134, the channel list L2 pre-stored in the memory 134, and the MAC address "macpr" of the Wi-Fi I/F 116. is a code image obtained by The channel list L2 is a list of multiple communication channels to be used for Auth (see T60 in FIG. 2) (that is, multiple communication channels available to the printer 100). The QR code may be generated by the printer 100 at T512, or may be pre-stored in the memory 134 from the shipping stage of the printer 100. FIG.

The terminal 10 uses the camera 115 to photograph the QR code displayed on the printer 100 at T520. Then, in T522, the terminal 10 decodes the captured QR code and acquires the public key PPK1, the channel list L2, and the MAC address "macpr". When the process of T522 ends, the process of FIG. 7 ends.

(Authentication (Auth) with the printer 100; FIG. 8)
Next, the Auth processing executed between the terminal 10 and the printer 100 at T60 in FIG. 2 will be described with reference to FIG.

At T600, the terminal 10 generates a new public key TPK4 and a new private key tsk4 for the terminal 10. At T601, according to ECDH, the generated private key tsk4 and the public key PPK1 for the printer 100 obtained at T522 in FIG. and generate a shared key SK3. Then, in T602, the terminal 10 encrypts the random value RV3 using the generated shared key SK3 to generate encrypted data ED3.

At T610, the terminal 10 transmits AReq to the printer 100 via the Wi-Fi I/F 16 with the MAC address "macpr" obtained at T522 of FIG. 7 as the destination. Here, the terminal 10 repeats transmitting AReq to the printer 100 sequentially using the plurality of communication channels in the channel list L2 acquired in T522. The AReq includes the public key TPK4 of the terminal 10 generated at T600, the encrypted data ED3 generated at T602, and the capabilities of the terminal 10. The capability includes a value indicating that it can operate only as a configurator.

The printer 100 receives AReq from the terminal 10 via the Wi-Fi I/F 116 at T610. Since the AReq is transmitted with the MAC address “macpr” of the printer 100 as the destination, the printer 100 can appropriately receive the AReq. Also, since the AReq is transmitted sequentially using a plurality of communication channels in the channel list L2 (that is, a plurality of communication channels available to the printer 100), the printer 100 appropriately receives the AReq. be able to.

Next, the printer 100 executes the processes of T612 and T614 for authenticating the source of the AReq (that is, the terminal 10). T612 and T614 are the same as T212 and T214 in FIG. 4 except that the data used (keys, encrypted data, etc.) are different. That is, the printer 100 generates shared key SK3 using public key TPK4 and secret key psk1 in T612, and decrypts encrypted data ED3 in AReq using shared key SK3 in T614. In this case, the printer 100 determines that the authentication has succeeded, and executes the processing from T616.

The printer 100 generates a new public key PPK2 and a new private key psk2 for the printer 100 at T616. Note that, in a modified example, the public key PPK2 and the private key psk2 may be stored in the memory 134 in advance. T617 and T618, which are subsequently executed, are the same as T217 and T218 in FIG. 4 except that the data used (keys, encrypted data, etc.) are different. That is, the printer 100 generates shared key SK4 using public key TPK4 and secret key psk2 in T617, and encrypts random values RV3 and RV4 using shared key SK4 in T618 to generate encrypted data ED4. Generate.

At T620, the printer 100 transmits ARes to the terminal 10 via the Wi-Fi I/F116. The ARes includes the public key PPK2 of the printer 100 generated at T616, the encrypted data ED4 generated at T618, and the capabilities of the printer 100. The capability includes a value indicating that it can operate as an Enrollee only.

Except that the communication target is the printer 100, the public key PPK2, the encrypted data ED4, the secret key tsk4, the shared key SK4, and the random values RV3 and RV4 are used by the terminal 10. This is the same as T222-T234 in FIG. As a result, the terminal 10 decides to operate as a configurator, and the printer 100 decides to operate as an enrollee. When the process of T634 ends, the process of FIG. 8 ends. It should be noted that the terminal 10 discards (that is, deletes from the memory 34) the public key TPK4 and the secret key tsk4 when the process of FIG. 8 is completed.

(Configuration (Config) with printer 100; FIG. 9)
Next, the Config processing executed between the terminal 10 and the printer 100 at T65 in FIG. 2 will be described with reference to FIG.

At T700, the printer 100 transmits CReq to the terminal 10 via the Wi-Fi I/F 116. FIG. The CReq is a signal requesting transmission of the printer CO.

The terminal 10 receives CReq from the printer 100 via the Wi-Fi I/F 16 at T700. In this case, the terminal 10 acquires the public key TPK2 and the secret key tsk2 of the terminal 10 from the memory 34 in T702. Specifically, the terminal 10 acquires from the memory 34 the terminal CO including the group ID "home" having the same character string as "home" selected in T504 of FIG. As shown in the initial state of FIG. 7, the terminal SC includes public key TPK2. Therefore, the terminal 10 can obtain the public key TPK2 included in the terminal CO. Then, the terminal 10 acquires the private key tsk2 corresponding to the acquired public key TPK2 from the memory 34 .

At T704, the terminal 10 generates a printer CO. T704 is the same as T304 in FIG. 5 except that the data used (keys, etc.) is different. The printer CO includes the printer SC and the public key TPK2 obtained in T702. The printer SC includes a hash value HV, a group ID "home", a public key PPK2 of the printer 100, and an electronic signature DSpr. In the digital signature DSpr, the third value obtained by hashing the combination of the hash value HV, the group ID "home", and the public key PPK2 is information encrypted with the secret key tsk2 obtained in T702. be.

When the terminal 10 establishes a Wi-Fi connection with the AP 6 at T25 in FIG. and channel information indicating the communication channel to be used are stored in the memory 34 . At T710, the terminal 10 sends a CRes including the printer CO generated at T704, the stored AP 6 MAC address "macap", and the stored channel information to the printer via the Wi-Fi I/F 16. Send to 100.

The printer 100 receives CRes from the terminal 10 via the Wi-Fi I/F 116 at T710. In this case, the printer 100 stores the printer CO, the MAC address “macap”, and the channel information in the CRes in the memory 134 in T712. When the process of T712 ends, the process of FIG. 9 ends.

(Network Access (NA) between printer 100 and AP6; FIG. 10)
Next, with reference to FIG. 10, the NA process of T70 in FIG. 2 executed between the printer 100 and AP6 will be described. In the initial state of FIG. 10, the printer 100 stores public keys PPK1 and PPK2, private keys psk1 and psk2, and a printer CO. The AP 6 also stores public keys APK1 and APK2, private keys ask1 and ask2, and a CO for AP.

At T810, the printer 100 uses the communication channel indicated by the channel information stored at T712 via the Wi-Fi I/F 116 with the AP6 MAC address "macap" stored at T712 in FIG. Then, a DReq including the printer SC is sent to AP6.

AP6 receives DReq from the printer 100 at T810. As described above, the DReq is transmitted with the AP 6 MAC address “macap” as the destination, so the AP 6 can appropriately receive the DReq from the printer 100 . Further, when a Wi-Fi connection using a certain communication channel is established between the terminal 10 and the AP 6, the AP 6 executes communication using a communication channel different from the certain communication channel. may not be possible. In this embodiment, as described above, the DReq is transmitted using the certain communication channel indicated by the channel information, so the AP 6 can properly receive the DReq from the printer 100 .

In response to receiving the DReq from the printer 100 at T810, the AP 6 obtains the source of the DReq (i.e., the printer 100) and each piece of information in the DReq (i.e., hash value HV, "home", and public key PPK2) is processed in T812 to authenticate. T812 is the same as T412 in FIG. 6, except that the data used (keys, etc.) is different. That is, the AP 6 determines that the hash value HV and group ID "home" in the printer SC match the hash value HV and group ID "home" in the AP SC (that is, the DReq source ( That is, it is judged that the authentication of the printer 100) has succeeded). Also, the AP 6 decrypts the electronic signature DSpr in the printer SC using the public key TPK2 of the terminal 10 included in the AP CO, and the third value thus obtained and each information in the printer SC (that is, the value obtained by hashing the hash value HV, "home", and public key PPK2) is judged to match (that is, it is judged that the authentication of each information in DReq has succeeded) .

T814 and T820 are the same as T414 and T420 in FIG. 6 except that the communication target is the printer 100 and that the public key PPK2 and connection key CK2 of the printer 100 are used. At T820, in response to receiving DRes from AP6 via the Wi-Fi I/F 116, the printer 100 determines the source of the DRes (that is, AP6) and each piece of information in DRes (that is, the hash value HV, Execute the process of T822 to authenticate "home" and the public key APK2). T822 is the same as T422 in FIG. 6, except that the execution subject is the printer 100 and that the data used (keys, etc.) are different. That is, the printer 100 determines that the hash value HV and the group ID “home” in the AP SC match the hash value HV and the group ID “home” in the printer SC (that is, the DRes source (that is, it determines that the authentication of AP6) has succeeded). Further, the printer 100 decrypts the electronic signature DSap in the SC for AP using the public key TPK2 of the terminal 10 included in the CO for printer, and the first value thus obtained and the It is determined that the values obtained by hashing each information (that is, the hash value HV, "home", and public key APK2) match each other (that is, it is determined that the authentication of each information in DRes is successful. do).

At T824, the printer 100 generates a connection key CK2 according to the ECDH using the private key psk2 of the printer 100 and the public key APK2 of AP6 in the SC for AP. Here, the connection key CK2 generated by the AP 6 at T814 is the same as the connection key CK2 generated by the printer 100 at T824. As a result, the connection key CK2 for establishing Wi-Fi connection is shared between the printer 100 and AP6. When T824 ends, the processing in FIG. 10 ends.

As described above, after the connection key CK2 is shared between the printer 100 and AP6, at T75 in FIG. 2, the printer 100 and AP6 execute 4way-handshake communication using the connection key CK2. As a result, a Wi-Fi connection is established between the printer 100 and the AP6. In particular, printer 100 establishes a Wi-Fi connection with AP 6 using the communication channel indicated by the channel information stored in T712 of FIG. Therefore, even if a Wi-Fi connection using a certain communication channel is established between the terminal 10 and the AP 6, the printer 100 uses the same communication channel as the certain communication channel. Therefore, Wi-Fi connection with AP 6 can be properly established.

As described above, printer 100 uses one of the plurality of communication channels included in channel list L2 of printer 100 to receive AReq of T610 in FIG. . That is, the printer 100 receives AReq from the terminal 10 using a communication channel that can be used by both the printer 100 and the terminal 10 . On the other hand, at T75 in FIG. 2, the printer 100 establishes a Wi-Fi connection with AP6 using the communication channel indicated by the channel information. That is, printer 100 establishes a Wi-Fi connection with AP 6 using a communication channel that can be used by both printer 100 and AP 6 . Here, the communication channel that can be used by the terminal 10 and the communication channel that can be used by the AP 6 may differ. In this embodiment, a communication channel for the printer 100 to receive an AReq from the terminal 10 at T610 in FIG. 8, a communication channel for the printer 100 to establish a Wi-Fi connection with the AP at T75 in FIG. is different. However, in a modification, the former communication channel and the latter communication channel may be the same.

(Connection confirmation processing executed by each device 6, 10, 100; FIG. 11)
Next, with reference to FIG. 11, processing executed by each device 6, 10, 100 after the processing of FIG. 10 will be described.

In response to transmitting CRes to the printer 100 at T710 in FIG. 9, the terminal 10 transmits the MAC address "macpr" obtained at T522 in FIG. , the repeated transmission of inquiry requests to the printer 100 is started. The inquiry request is a signal for inquiring of the printer 100 whether the printer 100 has established a Wi-Fi connection with the AP 6 and is sent to the printer 100 without going through the AP 6 . Communication of inquiry requests is communication of the data link layer of the OSI reference model.

Even if the printer 100 receives an inquiry request from the terminal 10 via the Wi-Fi I/F 116 before establishing a Wi-Fi connection with the AP 6, the printer 100 does not send an inquiry response as a response to the inquiry request. Do not send to terminal 10. When the printer 100 receives an inquiry request from the terminal 10 via the Wi-Fi I/F 116 after establishing a Wi-Fi connection with the AP 6 at T910 (that is, T75 in FIG. 2), at T912 , and the Wi-Fi I/F 116 to transmit the inquiry response to the terminal 10 .

At T912, when the terminal 10 receives an inquiry response from the printer 100 via the Wi-Fi I/F 16, the terminal 10 confirms whether communication with the printer 100 via AP 6 can be executed. Execute the process. Here, the confirmation request below includes a first request signal and a second request signal, and the confirmation response includes a first response signal and a second response signal.

(Case A)
First, after the Wi-Fi connection is established between the terminal 10 and the AP6 (T25 in FIG. 2), the Wi-Fi connection is not disconnected, and the printer 100 and the AP6 are connected at T910. Let us consider case A in which a Wi-Fi connection is established.

At T920, the terminal 10 transmits a broadcast first request signal (ie, a request with an unspecified destination) to the AP 6 via the Wi-Fi I/F 16 . As a result, the first request signal is transmitted to all slave stations that have established Wi-Fi connections with AP6. As a result, the printer 100 receives the first request signal from the AP 6 via the Wi-Fi I/F 116 at T922. In this case, the printer 100 transmits the first response signal to AP6 via the Wi-Fi I/F 116 at T924. The first response signal includes the MAC address “macpr” and the IP address of printer 100 .

AP6 receives the first response signal from printer 100 at T924. However, AP 6 can receive the first response signal not only from printer 100 but also from other slave stations. In this case, AP 6 transmits each first response signal received from each child station to terminal 10 at T926.

The terminal 10 receives each first response signal from the AP 6 via the Wi-Fi I/F 16 at T926. In this case, the terminal 10 determines whether or not there is a first response signal including the MAC address "macpr" of the printer 100 acquired at T522 in FIG. 7 among the received first response signals. to decide. In case A, terminal 10 determines that communication with printer 100 via AP 6 is possible because the first response signal including the MAC address “macpr” is present. The terminal 10 then acquires the IP address of the printer 100 in the first response signal. Communication of the first request signal and the first response signal is, for example, communication using ARP (abbreviation of Address Resolution Protocol) of the data link layer of the OSI reference model.

The terminal 10 further transmits a second request signal to the printer 100 via AP6 with the acquired IP address of the printer 100 as the destination (T920, T922), and from the printer 100 via AP6, A second response signal is received (T924, T926). The communication of the second request signal and the second response signal is, for example, PING communication using ICPM (abbreviation of Internet Control Protocol) of the network layer of the OSI reference model. This confirms that the terminal 10 can perform network layer communication of the OSI reference model with the printer 100 .

At T930 and T932, the terminal 10 transmits the print data representing the image to be printed to the AP 6 via the Wi-Fi I/F 16 with the acquired IP address of the printer 100 as the transmission destination (T80, T932 in FIG. 2). See T85). The print data may be data representing a test image for causing printer 100 to perform a print test, or data representing an image designated by the user.

The printer 100 receives print data from the terminal 10 via the AP 6 and the Wi-Fi I/F 116 at T932. In this case, the printer 100 supplies the received print data to the print execution unit 118 in T940, and causes the print execution unit 118 to execute printing according to the print data (see T90 in FIG. 2). When the processing of T940 ends, the processing of case A ends.

(Case B)
Next, case B in which the Wi-Fi connection is disconnected after the Wi-Fi connection is established between the terminal 10 and the AP 6 (T25 in FIG. 2) will be described. For example, the Wi-Fi connection is disconnected due to the terminal 10 being powered off. After the power of the terminal 10 is turned on again, the processes of T55 to T75 in FIG. 2 are executed between the terminal 10 and the printer 100, and at T910 in FIG. Fi connection is established.

In response to receiving the inquiry response from the printer 100 via the Wi-Fi I/F 16 at T912, the terminal 10 transmits a broadcast confirmation request (that is, the first 1 request signal) to AP6. However, in this case B, since the Wi-Fi connection between the terminal 10 and the AP 6 is disconnected, the terminal 10 cannot send the confirmation request to the AP 6. As a result, the confirmation response from the printer 100 (ie, the first response signal). Thereby, the terminal 10 can know that the Wi-Fi connection between the terminal 10 and the AP 6 is disconnected.

After knowing that the Wi-Fi connection with AP 6 has been disconnected, the terminal 10 uses the connection key CK1 (T424 in FIG. 6) stored in the memory 34 in T970 to perform a 4way-handshake. communication with AP6 to re-establish a Wi-Fi connection with AP6. As a result, each of the terminal 10 and the printer 100 establishes a Wi-Fi connection with the AP 6, that is, each device 6, 10, 100 belongs to the same network. For this reason, processing similar to T920 to T940 of Case A can be executed.

(Effect of this embodiment)
In this embodiment, a secret key tsk2 used to generate the electronic signature DSap included in the AP CO for the AP 6 and a secret key tsk2 used to generate the electronic signature DSpr included in the printer CO for the printer 100 are the same as the key tsk2. When the AP CO is used by the AP 6, a Wi-Fi connection is established between the terminal 10 and the AP 6 (T25 in FIG. 2). A Wi-Fi connection is established with AP6 (T75). Therefore, a Wi-Fi connection can be properly established between each of the terminal 10 and the printer 100 and the AP 6 .

In this embodiment, the printer 100 receives from the terminal 10 the printer CO, the channel information indicating the communication channel used in the Wi-Fi connection established between the terminal 10 and the AP 6, and the MAC of the AP 6. address "macap" (T710 in FIG. 9). For this reason, the printer 100 can properly establish a Wi-Fi connection with the AP 6 using the MAC address “macap” and the communication channel indicated by the channel information. Therefore, a Wi-Fi connection can be properly established between each of the terminal 10 and the printer 100 and the AP 6 .

(correspondence relationship)
The terminal 10, the printer 100, and the AP 6 are examples of the "terminal device,""communicationdevice," and "external device," respectively. The Wi-Fi I/F 16, the CPU 32, and the application 38 are examples of the "wireless interface" of the "terminal device," the "computer" of the "terminal device," and the "computer program" for the "terminal device," respectively. The secret key tsk2 of the terminal 10, the AP CO, and the Wi-Fi connection of T25 in FIG. 2 are examples of the "secret key", the "first connection information", and the "first wireless connection", respectively. The first value obtained by hashing the combination of the hash value HV included in the AP CO, the group ID "home", and the public key APK2 is "at least part of the information included in the first connection information. is an example of "information obtained using The public key PPK1 of the printer 100, AReq of T610, ARes of T620 in FIG. This is an example of "second connection information". The second value obtained by hashing the combination of the hash value HV included in the printer CO, the group ID "home", and the public key PPK2 is "at least part of the information included in the second connection information. is an example of "information obtained using The Wi-Fi connection of T75 in FIG. 2 (or T910 in FIG. 11) is an example of the “second wireless connection”.

The group ID "home" and the character string "New" in the selection screen of T502 in FIG. 7 are examples of "related information" and "predetermined information", respectively. The MAC address “macap” of AP6 is an example of “device identification information”. The terminal CO is an example of the "third connection information", and the third connection information obtained by hashing the combination of the hash value HV included in the terminal CO, the group ID "home", and the public key TPK3. The value is an example of "information obtained using at least part of the information included in the third connection information". The public key APK1 of AP6, AReq of T210, and ARes of T220 in FIG. 4 are examples of "second public key", "second authentication request", and "second authentication response", respectively. The hash value HV included in the printer CO and the AP SC are examples of "authentication information" and "information transmitted from the external device to the communication device", respectively. The QR code displayed at T512 in FIG. 7 is an example of the "code image".

The Wi-Fi I/F 116 is an example of the 'wireless interface' of the 'communication device'. AReq of T610 and ARes of T620 in FIG. 8 are examples of "authentication request" and "authentication response", respectively. The printer CO is an example of "connection information", and the channel information and MAC address "macap" of the AP 6 are examples of "specific information". The communication channel used at T610 in FIG. 8 and the communication channel used at T75 in FIG. 2 are examples of the "first communication channel" and the "second communication channel", respectively.

The processing of T522 in FIG. 7, T610 and T620 in FIG. 8, and T704 and T710 in FIG. This is an example of processing executed by the "authentication response transmission unit", the "first generation unit", and the "first information transmission unit". T610 and T620 in FIG. 8, and T710 in FIG. 9 are examples of processing executed by the "authentication request receiving unit", "authentication response transmitting unit", and "information receiving unit" of the "communication device", respectively. T810, T822, and T824 in FIG. 10 and T75 in FIG. 2 are examples of processing executed by the 'establishment unit' of the 'communication device'.

Although specific examples of the present invention have been described in detail above, these are merely examples and do not limit the scope of the claims. The technology described in the claims includes various modifications and changes of the specific examples illustrated above. Modifications of the above embodiment are listed below.

(Modification 1) In the above embodiment, the electronic signature (for example, DSpr) is a private key value obtained by hashing a combination of the hash value HV, the group ID "home", and the public key (for example, APK2). It is encrypted by tsk2. Alternatively, the electronic signature may be the above combination itself encrypted with the secret key tsk2. In this modification, the combination itself included in the SC (for example, the SC for AP) is "at least part of the information included in the first (or second or third) connection information" and "the This is an example of "information obtained using at least part of information included in one (or second or third) piece of connection information."

(Modification 2) In T102 of FIG. 3 and T502 of FIG. 7, the terminal 10 may not display the selection screen on the display unit 14. FIG. In this case, the terminal 10 skips T102 and T104 and executes T106 when the application 38 is activated at T100 in FIG. 3 without storing the terminal CO. Further, when the application 38 is activated at T500 in FIG. 7 while the terminal CO is stored, the terminal 10 skips T502 and T504 and executes T506. In this modified example, the “display control unit” of the “terminal device” can be omitted.

(Modification 3) The processing of T920 to T926 and T960 in FIG. 11 may be omitted. In this modified example, the “confirmation request transmission unit” and the “confirmation response reception unit” of the “terminal device” can be omitted. Also, the "receiving unit for confirmation request" and the "transmitting unit for confirmation response" of the "communication device" can be omitted.

(Modification 4) The processing of T970 in FIG. 11 may be omitted. In this modified example, the “re-establishment unit” of the “terminal device” can be omitted.

(Modification 5) The processing of T930 and T932 in FIG. 11 may be omitted. In this modified example, the “print data transmission unit” of the “terminal device” can be omitted. Also, the "print execution unit", "print data reception unit", and "print control unit" of the "communication device" can be omitted.

(Modification 6) At T912 in FIG. In this case, the terminal 10 can transmit a confirmation request including the IP address of the printer 100 as a transmission destination (that is, a unicast confirmation request) to the printer 100 via AP6 at T920 and T922. Here, the confirmation request is, for example, communication using the data link layer of the OSI reference model. This modified example is also an example of processing executed by the “confirmation request transmission unit” of the “terminal device”.

(Modification 7) The processing of T900 and T912 in FIG. 11 may be omitted. In this case, the terminal 10 may repeatedly transmit a confirmation request to the AP 6 in T920 in response to transmitting CRes to the printer 100 in T710 of FIG. In this modified example, the "inquiry request transmission section" and the "inquiry response reception section" of the "terminal device" can be omitted. Also, the "inquiry request receiving unit" and the "inquiry response transmitting unit" of the "communication device" can be omitted.

(Modification 8) T122 in FIG. 3 to T424 in FIG. That is, the ``computer program'' for the ``terminal device'' converts the ``computer'' into a ``second generating unit'', an ``establishing unit'', a ``second obtaining unit'', and a ``second authentication request sending unit''. , the “third generator”, and the “second information transmitter”.

(Modification 9) At T512 in FIG. 7, the printer 100 may print an image including the QR code on the print medium instead of displaying the QR code. In this modified example, printing a QR code is an example of "outputting a code image".

(Modification 10) The "communication device" may not be the printer 100, but may be other devices such as a scanner, a multi-function device, a mobile terminal, a PC, and a server. Also, the "external device" does not have to be the AP6, and may be other devices such as printers, scanners, mobile terminals, PCs, and servers.

(Modification 11) At T710 in FIG. 9, the terminal 10 may transmit CRes to the printer 100 that does not include the AP 6 MAC address "macap" but includes the printer CO and channel information. In this case, at T810 in FIG. 10, the printer 100 uses the communication channel indicated by the channel information to broadcast the DReq. In another modification, at T710, the terminal 10 may transmit CRes to the printer 100 that does not include the channel information but includes the printer CO and the MAC address "macap" of the AP6. In this case, in T710, the printer 100 sequentially uses each wireless channel available to the printer 100 to transmit the DReq to the AP 6 with the MAC address "macap" of the AP 6 as the transmission destination. That is, the "specific information" should include at least one of "channel information" and "device identification information".

(Modification 12) The terminal 10 may execute the processes of T55 and T60 before executing the processes of T5 to T25 in FIG. 2 with AP6. In this case, the terminal 10 executes the processes T5 to T25 with the AP6 after the process T60, and then executes the process T65 with the printer 100. FIG.

(Modification 13) The 'device identification information' is not limited to the MAC address 'macap' of the AP 6, and may be the IP address of the AP 6, the device name, or the like.

(Modification 14) The processing (eg, T201 in FIG. 4) for generating a shared key (eg, SK1) is not limited to the above-described processing according to ECDH, but may be other processing according to ECDH. may Further, the processing for generating a shared key is not limited to processing according to ECDH, and processing according to other schemes (for example, DH (abbreviation of Diffie-Hellman key exchange), etc.) may be executed. Further, in the above embodiment, the electronic signature (DSap, etc.) was generated according to ECDSA, but other methods (eg, DSA (abbreviation of Digital Signature Algorithm), RAS (abbreviation of Rivest-Shamir-Adleman cryptosystem), etc.) can be used. ).

(Modification 15) The QR code displayed on the printer 100 at T512 in FIG. 7 may not be the one in which the channel list L2 and the MAC address "macpr" are coded. That is, the QR code may be a code image obtained by encoding at least the public key PPK1. In this case, in response to receiving the QR code display operation in T510, the printer 100 monitors for reception of an AReq using one wireless channel out of all the wireless channels available to the printer 100. . Also, at T610 in FIG. 8, the terminal 10 sequentially uses all radio channels available to the terminal 10 to sequentially transmit AReq by broadcasting. That is, the "code image" may be an image obtained by encoding at least the "first public key".

(Modification 16) The processes of T510 and T512 in FIG. 7 may be omitted. In this case, a QR code in which the public key PPK1, the channel list L2, and the MAC address “macpr” are encoded may be pasted on the housing of the printer 100. FIG. In this modified example, the “output controller” of the “communication device” can be omitted.

(Modification 17) In "DRAFT Device Provisioning Protocol Technical Specification Version 0.2.11", which is a draft standard created by the Wi-Fi Alliance, shared codes, keys, phrases, and words are called "codes". is stated. Therefore, in T512 of FIG. 7, the printer 100 uses the shared code, key, phrase, and word obtained by encoding the public key PPK1, the channel list, and the MAC address "abc" instead of the QR code. may be displayed on the display unit 114.

(Modification 18) In the above embodiment, each process of FIGS. 2 to 11 is realized by software (that is, each program 36, 38, 136), but at least one of these processes is a logic circuit or the like. hardware.

In addition, the technical elements described in this specification or in the drawings exhibit technical usefulness alone or in various combinations, and are not limited to the combinations described in the claims at the time of filing. In addition, the techniques exemplified in this specification or drawings achieve multiple purposes at the same time, and achieving one of them has technical utility in itself.
The matters described in the claims as filed for this patent application are listed below.
(Item 1)
A computer program for a terminal device, comprising:
The terminal device
a wireless interface;
a computer;
A memory for storing a private key of the terminal device, wherein the private key is used to encrypt information obtained using at least part of the information included in the first connection information for the external device. and the first connection information is information for establishing a first wireless connection between the terminal device and the external device via the wireless interface, and is stored in the external device. the memory, which is information stored in
The computer program causes the computer to:
a first acquisition unit that acquires a first public key of a communication device different from the external device;
a first authentication request transmitting unit configured to transmit a first authentication request using the first public key to the communication device via the wireless interface after the first public key is acquired;
A first authentication that receives a first authentication response, which is a response to the first authentication request, from the communication device via the wireless interface after the first authentication request is transmitted to the communication device. a response receiver;
A first generating unit that generates second connection information for the communication device using the private key when the first authentication response is received from the communication device, The connection information of 2 is information for establishing a second wireless connection between the communication device and the external device, and the private key is at least part of the information included in the second connection information. the first generator utilized to encrypt information obtained using
a first information transmission unit that transmits the second connection information to the communication device via the wireless interface;
A computer program that acts as a
(Item 2)
The terminal device further comprises a display unit,
the memory associates and stores the secret key and related information related to the first wireless connection;
The computer program further causes the computer to:
functioning as a display control unit for displaying a selection screen containing the relevant information on the display unit;
The first generator,
obtaining the secret key associated with the relevant information from the memory when the relevant information included in the selection screen is selected;
The computer program according to item 1, wherein the second connection information is generated using the obtained private key.
(Item 3)
The selection screen further includes predetermined information different from the related information,
The computer program further causes the computer to:
3. The computer program according to item 2, functioning as an establishing unit that establishes the first wireless connection between the terminal device and the external device when the predetermined information included in the selection screen is selected.
(Item 4)
The computer program further causes the computer to:
a confirmation request transmission unit configured to transmit a confirmation request to the communication device via the wireless interface after the second connection information is transmitted to the communication device, the confirmation request transmitting unit being between the terminal device and the external device; and the second wireless connection is established between the communication device and the external device, the confirmation request is sent from the terminal device to the the confirmation request transmission unit, which is transmitted to the communication device via an external device;
an acknowledgment receiving unit that receives an acknowledgment response to the acknowledgment request via the wireless interface, wherein the first wireless connection is established between the terminal device and the external device; and when the second wireless connection is established between the communication device and the external device, the acknowledgment is transmitted from the communication device to the terminal device via the external device. the acknowledgment receiving unit;
4. The computer program according to any one of items 1 to 3, which functions as a computer program.
(Item 5)
The computer program further causes the computer to:
when the acknowledgment is not received due to disconnection of the first wireless connection after the first wireless connection was established between the terminal device and the external device, and the external device.
(Item 6)
the communication device is a printer capable of executing a printing function,
The computer program further causes the computer to:
Functioning as a print data transmission unit that transmits print data representing an image to be printed to the communication device via the wireless interface and the external device after the second connection information is transmitted to the communication device 6. The computer program according to any one of items 1 to 5, wherein the computer program causes
(Item 7)
The computer program further causes the computer to:
after the second connection information is transmitted to the communication device, inquiring of the communication device whether the second wireless connection has been established via the wireless interface and without the external device; an inquiry request transmission unit that transmits an inquiry request for
After the inquiry request is transmitted to the communication device and the second wireless connection is established between the communication device and the external device, from the communication device without going through the external device, functioning as an inquiry response receiving unit that receives an inquiry response, which is a response to the inquiry request, via the wireless interface;
7. The computer program according to item 6, wherein the print data transmission unit transmits the print data to the communication device via the external device after the inquiry response is received from the communication device.
(Item 8)
The first information transmission unit transmits the second connection information and specific information to the communication device,
8. Any one of items 1 to 7, wherein the specific information includes at least one of channel information indicating a communication channel used in the first wireless connection and device identification information identifying the external device. the computer program described in .
(Item 9)
The computer program further causes the computer to:
A second generation unit that uses the private key to generate third connection information for the terminal device, wherein the third connection information is generated between the terminal device and the external device. the information for establishing the first wireless connection, wherein the private key is used to encrypt information obtained using at least part of the information included in the third connection information; the second generator; and
An establishing unit that establishes the first wireless connection between the terminal device and the external device using the third connection information, wherein the first wireless connection is the first connection the establishing unit, wherein the information is established by being utilized by the external device;
9. The computer program according to any one of items 1 to 8, which functions as a
(Item 10)
The computer program further causes the computer to:
a second acquisition unit that acquires a second public key of the external device;
a second authentication request transmitting unit configured to transmit a second authentication request using the second public key to the external device via the wireless interface after the second public key is obtained;
A second authentication that receives a second authentication response, which is a response to the second authentication request, from the external device via the wireless interface after the second authentication request is transmitted to the external device. a response receiver;
a third generation unit that generates the first connection information for the external device using the private key when the second authentication response is received from the communication device;
a second information transmission unit that transmits the first connection information to the external device via the wireless interface;
the first wireless connection between the terminal device and the external device when the first connection information is used by the external device after the first connection information is transmitted to the external device; an establishing unit that establishes
10. The computer program according to any one of items 1 to 9, which functions as a computer program.
(Item 11)
The first generation unit operates as a configurator conforming to the Wi-Fi standard to generate the second connection information,
The first information transmission unit according to any one of items 1 to 10, which operates as the configurator according to the Wi-Fi standard and transmits the second connection information to the communication device. computer program.
(Item 12)
the second connection information includes authentication information;
12. Computer program according to any one of items 1 to 11, wherein said authentication information is used by said communication device to perform authentication of information transmitted from said external device to said communication device.
(Item 13)
The communication device outputs a code image obtained by encoding the first public key,
13. The computer program according to any one of items 1 to 12, wherein the first acquisition unit acquires the first public key by capturing the code image output from the communication device.
(Item 14)
14. Computer program according to any one of items 1 to 13, wherein said external device is an access point.
(Item 15)
A terminal device,
a wireless interface;
A memory for storing a private key of the terminal device, wherein the private key is used to encrypt information obtained using at least part of the information included in the first connection information for the external device. and the first connection information is information for establishing a first wireless connection between the terminal device and the external device via the wireless interface, and is stored in the external device. said memory being information stored in
a first acquisition unit that acquires a first public key of a communication device different from the external device;
a first authentication request transmitting unit configured to transmit a first authentication request using the first public key to the communication device via the wireless interface after the first public key is acquired;
A first authentication that receives a first authentication response, which is a response to the first authentication request, from the communication device via the wireless interface after the first authentication request is transmitted to the communication device. a response receiver;
A first generating unit that generates second connection information for the communication device using the private key when the first authentication response is received from the communication device, The connection information of 2 is information for establishing a second wireless connection between the communication device and the external device, and the private key is at least part of the information included in the second connection information. the first generator utilized to encrypt information obtained using
a first information transmission unit that transmits the second connection information to the communication device via the wireless interface;
terminal device.
(Item 16)
A communication device,
a wireless interface;
an authentication request receiving unit that receives an authentication request using the first public key of the communication device from the terminal device via the wireless interface;
an authentication response transmitting unit configured to transmit an authentication response, which is a response to the authentication request, to the terminal device via the wireless interface when the authentication request is received from the terminal device;
an information receiving unit configured to receive connection information and specific information from the terminal device via the wireless interface after the authentication response is transmitted to the terminal device, wherein the connection information is the communication device and the specific information; Information for establishing a second wireless connection with an external device via the wireless interface, wherein the specific information is the first wireless connection established between the terminal device and the external device the information receiving unit including at least one of channel information indicating a communication channel to be used and device identification information identifying the external device;
When the connection information and the specific information are received from the terminal device, the connection information and the specific information are used to establish the second wireless connection between the communication device and the external device. an establishing unit that establishes;
A communication device comprising:
(Item 17)
The communication device further
A confirmation request receiving unit for receiving a confirmation request from the terminal device via the wireless interface after the connection information and the specific information are received from the terminal device, the terminal device and the external device and the second wireless connection is established between the communication device and the external device, the confirmation request is sent to the terminal the confirmation request receiving unit, which is transmitted from the device to the communication device via the external device;
an acknowledgment transmission unit configured to transmit an acknowledgment, which is a response to the confirmation request, to the terminal device via the wireless interface when the confirmation request is received from the terminal device, the terminal device and the When the first wireless connection has been established with an external device and the second wireless connection has been established between the communication device and the external device, the acknowledgment is the acknowledgment transmission unit that is transmitted from the communication device to the terminal device via the external device;
17. A communication device according to item 16, comprising:
(Item 18)
The communication device further
a print execution unit;
After the second wireless connection is established between the communication device and the external device, print data representing an image to be printed is sent from the terminal device via the wireless interface via the external device. a print data receiving unit for receiving;
a print control unit that causes the print execution unit to print the image represented by the print data when the print data is received from the terminal device;
18. A communication device according to item 16 or 17, comprising:
(Item 19)
The communication device further
An inquiry request for receiving an inquiry request for inquiring of the communication device whether the second wireless connection has been established from the terminal device via the wireless interface without the external device. a receiver;
after the inquiry request is received from the terminal device and the second wireless connection is established between the communication device and the external device, via the wireless interface without the external device and an inquiry response transmission unit that transmits an inquiry response, which is a response to the inquiry request, to the terminal device,
19. The communication device according to item 18, wherein the print data receiving unit receives the print data from the terminal device after the inquiry response is transmitted to the terminal device.
(Item 20)
20. The communication device according to any one of items 16 to 19, wherein the information receiving unit operates as an enrollee conforming to Wi-Fi standards and receives the connection information from the terminal device.
(Item 21)
the connection information includes authentication information;
The establishing unit comprises:
using the authentication information to perform authentication of information received from the external device;
21. A communication device according to any one of items 16 to 20, wherein said second wireless connection is established between said communication device and said external device if said authentication is successful.
(Item 22)
The communication device further
An output control unit that outputs a code image obtained by encoding the first public key,
22. The communication device according to any one of items 16 to 21, wherein the first public key is acquired by the terminal device by capturing the code image output from the communication device by the terminal device. .
(Item 23)
The authentication request receiving unit receives the authentication request from the terminal device using a first communication channel,
the specific information includes the channel information indicating a second communication channel used in the first wireless connection;
The establishing unit establishes the second wireless connection between the communication device and the external device using the second communication channel indicated by the channel information;
23. A communication device according to any one of items 16-22, wherein the second communication channel is different than the first communication channel.
(Item 24)
A computer program for a communication device,
a computer of the communication device,
an authentication request receiving unit that receives an authentication request using a first public key of the communication device from a terminal device via a wireless interface of the communication device;
an authentication response transmitting unit configured to transmit an authentication response, which is a response to the authentication request, to the terminal device via the wireless interface when the authentication request is received from the terminal device;
an information receiving unit configured to receive connection information and specific information from the terminal device via the wireless interface after the authentication response is transmitted to the terminal device, wherein the connection information is the communication device and the specific information; Information for establishing a second wireless connection with an external device via the wireless interface, wherein the specific information is the first wireless connection established between the terminal device and the external device the information receiving unit including at least one of channel information indicating a communication channel to be used and device identification information identifying the external device;
When the connection information and the specific information are received from the terminal device, the connection information and the specific information are used to establish the second wireless connection between the communication device and the external device. an establishing unit that establishes;
A computer program that acts as a

2: communication system, 6: AP, 10: terminal, 12, 112: operation unit, 14, 114: display unit, 15: camera, 16, 116: Wi-Fi I / F, 30, 130: control unit, 32, 132: CPU, 34, 134: memory, 36: OS program, 38: connection application, 100: printer, 118: print execution unit, 136: program

Claims (20)

A computer program for a terminal device, comprising:
The terminal device
a wireless interface;
a computer ;
The computer program causes the computer to:
a first acquisition unit that acquires a first public key of the communication device;
a first authentication request transmitting unit configured to transmit a first authentication request using the first public key to the communication device via the wireless interface after the first public key is acquired;
A first authentication that receives a first authentication response, which is a response to the first authentication request, from the communication device via the wireless interface after the first authentication request is transmitted to the communication device. a response receiver;
A first generation unit that generates second connection information for the communication device when the first authentication response is received from the communication device, the second connection information being the the first generator , which is information for establishing a second wireless connection between the communication device and the external device;
a first information transmission unit that transmits the second connection information to the communication device via the wireless interface;
When the first wireless connection is established between the terminal device and the external device and the second wireless connection is established between the communication device and the external device, the second wireless connection is established a confirmation request transmission unit that transmits a confirmation request to the communication device via the wireless interface and the external device after connection information is transmitted to the communication device;
an acknowledgment receiving unit that receives an acknowledgment response to the acknowledgment request from the communication device via the external device and the wireless interface;
A computer program that acts as a The terminal device further comprises a memory and a display unit ,
the memory associates and stores a secret key of the terminal device and related information related to the first wireless connection;
The computer program further causes the computer to:
functioning as a display control unit for displaying a selection screen containing the relevant information on the display unit;
The first generator,
obtaining the secret key associated with the relevant information from the memory when the relevant information included in the selection screen is selected;
2. The computer program according to claim 1, wherein the obtained private key is used to generate the second connection information. The selection screen further includes predetermined information different from the related information,
The computer program further causes the computer to:
3. The computer program according to claim 2, functioning as an establishing unit that establishes the first wireless connection between the terminal device and the external device when the predetermined information included in the selection screen is selected. . The computer program further causes the computer to:
when the acknowledgment is not received due to disconnection of the first wireless connection after the first wireless connection was established between the terminal device and the external device, 4. The computer program according to any one of claims 1 to 3 , wherein the computer program functions as a re-establishing unit that re-establishes the first wireless connection between the device and the external device. the communication device is a printer capable of executing a printing function,
The computer program further causes the computer to:
Functioning as a print data transmission unit that transmits print data representing an image to be printed to the communication device via the wireless interface and the external device after the second connection information is transmitted to the communication device 5. A computer program according to any one of claims 1 to 4 , which causes The computer program further causes the computer to:
after the second connection information is transmitted to the communication device, inquiring of the communication device whether the second wireless connection has been established via the wireless interface and without the external device; an inquiry request transmission unit that transmits an inquiry request for
After the inquiry request is transmitted to the communication device and the second wireless connection is established between the communication device and the external device, from the communication device without going through the external device, functioning as an inquiry response receiving unit that receives an inquiry response, which is a response to the inquiry request, via the wireless interface;
6. The computer program according to claim 5 , wherein said print data transmission unit transmits said print data to said communication device via said external device after said inquiry response is received from said communication device. The first information transmission unit transmits the second connection information and specific information to the communication device,
7. The specific information includes at least one of channel information indicating a communication channel used in the first wireless connection and device identification information identifying the external device. 13. The computer program of claim 1. The computer program further causes the computer to:
A second generation unit that generates third connection information for the terminal device using a private key of the terminal device, wherein the third connection information is generated between the terminal device and the external device. and the secret key is used to encrypt information obtained using at least part of the information included in the third connection information. the second generator, wherein
an establishing unit that establishes the first wireless connection between the terminal device and the external device using the third connection information;
8. A computer program as claimed in any one of claims 1 to 7 , which functions as a The computer program further causes the computer to:
a second acquisition unit that acquires a second public key of the external device;
a second authentication request transmitting unit configured to transmit a second authentication request using the second public key to the external device via the wireless interface after the second public key is obtained;
A second authentication that receives a second authentication response, which is a response to the second authentication request, from the external device via the wireless interface after the second authentication request is transmitted to the external device. a response receiver;
a third generation unit that generates first connection information for the external device using a private key of the terminal device when the second authentication response is received from the communication device;
a second information transmission unit that transmits the first connection information to the external device via the wireless interface;
the first wireless connection between the terminal device and the external device when the first connection information is used by the external device after the first connection information is transmitted to the external device; an establishing unit that establishes
9. A computer program according to any one of claims 1 to 8 , which operates as a The first generation unit operates as a configurator conforming to the Wi-Fi standard to generate the second connection information,
The first information transmission unit according to any one of claims 1 to 9 , operating as the configurator conforming to the Wi-Fi standard and transmitting the second connection information to the communication device. computer program. the second wireless connection includes a Wi-Fi connection;
11. The first information transmission unit transmits the second connection information, which is a Configuration Object used to establish the Wi-Fi connection, to the communication device. the computer program described in . the second connection information includes authentication information;
12. A computer program product as claimed in any preceding claim, wherein the authentication information is utilized by the communication device to perform authentication of information transmitted from the external device to the communication device. The communication device outputs a code image obtained by encoding the first public key,
13. The computer program according to any one of claims 1 to 12 , wherein said first acquisition unit acquires said first public key by capturing said code image output from said communication device. 14. A computer program product as claimed in any preceding claim, wherein the external device is an access point. A terminal device,
a wireless interface ;
a first acquisition unit that acquires a first public key of the communication device;
a first authentication request transmitting unit configured to transmit a first authentication request using the first public key to the communication device via the wireless interface after the first public key is acquired;
A first authentication that receives a first authentication response, which is a response to the first authentication request, from the communication device via the wireless interface after the first authentication request is transmitted to the communication device. a response receiver;
A first generation unit that generates second connection information for the communication device when the first authentication response is received from the communication device, the second connection information being the the first generator , which is information for establishing a second wireless connection between the communication device and the external device;
a first information transmission unit that transmits the second connection information to the communication device via the wireless interface;
When the first wireless connection is established between the terminal device and the external device and the second wireless connection is established between the communication device and the external device, the second wireless connection is established a confirmation request transmission unit that transmits a confirmation request to the communication device via the wireless interface and the external device after connection information is transmitted to the communication device;
an acknowledgment receiving unit that receives an acknowledgment response to the acknowledgment request from the communication device via the external device and the wireless interface;
terminal device. A communication device,
a wireless interface;
an authentication request receiving unit that receives an authentication request using the first public key of the communication device from the terminal device via the wireless interface;
an authentication response transmitting unit configured to transmit an authentication response, which is a response to the authentication request, to the terminal device via the wireless interface when the authentication request is received from the terminal device;
an information receiving unit configured to receive connection information from the terminal device via the wireless interface after the authentication response is transmitted to the terminal device, wherein the connection information is between the communication device and the external device; the information receiving unit, which is information for establishing a second wireless connection via the wireless interface between
an establishing unit that establishes the second wireless connection between the communication device and the external device using the connection information when the connection information is received from the terminal device;
From the terminal device when a first wireless connection is established between the terminal device and the external device and the second wireless connection is established between the communication device and the external device a confirmation request receiving unit that receives a confirmation request from the terminal device via the external device and the wireless interface after the connection information is received;
an acknowledgment transmission unit that transmits an acknowledgment response to the confirmation request to the terminal device via the wireless interface and the external device;
A communication device comprising: The communication device further
a print execution unit;
After the second wireless connection is established between the communication device and the external device, print data representing an image to be printed is sent from the terminal device via the wireless interface via the external device. a print data receiving unit for receiving;
a print control unit that causes the print execution unit to print the image represented by the print data when the print data is received from the terminal device;
7. A communication device according to claim 16, comprising: The communication device further
An inquiry request for receiving an inquiry request for inquiring of the communication device whether the second wireless connection has been established from the terminal device via the wireless interface without the external device. a receiver;
after the inquiry request is received from the terminal device and the second wireless connection is established between the communication device and the external device, via the wireless interface without the external device and an inquiry response transmission unit that transmits an inquiry response, which is a response to the inquiry request, to the terminal device,
18. The communication device according to claim 17 , wherein said print data receiving unit receives said print data from said terminal device after said inquiry response is transmitted to said terminal device. The authentication request receiving unit receives the authentication request from the terminal device using a first communication channel,
The communication device further
a channel information receiving unit configured to receive channel information indicating a second communication channel used in the first wireless connection from the terminal device via the wireless interface;
The establishing unit establishes the second wireless connection between the communication device and the external device using the second communication channel indicated by the channel information;
19. A communication device according to any one of claims 16 to 18 , wherein said second communication channel is different than said first communication channel. The communication device according to any one of claims 16 to 19, wherein said information receiving unit operates as an enrollee conforming to Wi-Fi standards and receives said connection information from said terminal device.

Images