WO2016003311A1 - Démarrage de dispositif vers réseau sans fil - Google Patents

Démarrage de dispositif vers réseau sans fil Download PDF

Info

Publication number
WO2016003311A1
WO2016003311A1 PCT/RU2014/000495 RU2014000495W WO2016003311A1 WO 2016003311 A1 WO2016003311 A1 WO 2016003311A1 RU 2014000495 W RU2014000495 W RU 2014000495W WO 2016003311 A1 WO2016003311 A1 WO 2016003311A1
Authority
WO
WIPO (PCT)
Prior art keywords
wireless network
wireless
new device
client device
new
Prior art date
Application number
PCT/RU2014/000495
Other languages
English (en)
Inventor
Yevgeniy Alexandrovich Gutnik
Yuri Gennadievich DOLGOV
Christian Andrew WARREN
Robert TOSCANO
Pavel Evgenievich PODIVILOV
Anton Sergeevich MUKHIN
Roman Yurievich SHUVAEV
Original Assignee
Google Inc.
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Google Inc. filed Critical Google Inc.
Priority to PCT/RU2014/000495 priority Critical patent/WO2016003311A1/fr
Publication of WO2016003311A1 publication Critical patent/WO2016003311A1/fr

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/50Secure pairing of devices
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06Authentication
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W84/00Network topologies
    • H04W84/02Hierarchically pre-organised networks, e.g. paging networks, cellular networks, WLAN [Wireless Local Area Network] or WLL [Wireless Local Loop]
    • H04W84/10Small scale networks; Flat hierarchical networks
    • H04W84/12WLAN [Wireless Local Area Networks]

Definitions

  • This description relates to bootstrapping or connecting devices to wireless networks.
  • the description relates to securely connecting devices (e.g., TVs, gaming consoles, computers, servers, hand-held computing devices, wearable computing devices, smartphones, smart sensors, etc.) to a wireless network.
  • devices e.g., TVs, gaming consoles, computers, servers, hand-held computing devices, wearable computing devices, smartphones, smart sensors, etc.
  • Machine-to-machine (M2M) and Internet of Things (IoT) technologies hold a promise to interconnect thousands, if not millions, of devices together for exchanging data over wired or wireless networks.
  • data transmission between the interconnected devices may not be secure (i.e., lack data trustworthiness, authenticity and privacy) unless steps are taken to ensure that the connections are secure.
  • a user may seek to connect a new device (e.g., a television set, a tablet computer or a computing wristwatch) to a wireless network (e.g., a home WiFi network) to which other devices are connected (e.g., a home computer, a smartphone, etc.).
  • a wireless network e.g., a home WiFi network
  • the user may, for example, employ a wireless protected setup (WPS) or a wireless protected access (WPA) procedure to register, authenticate and connect the new device to the wireless network.
  • WPS wireless protected setup
  • WPA wireless protected access
  • WiFi credentials e.g., network SSID, network password, etc.
  • entering WiFi credentials can be a complicated and confusing process for the user.
  • WiFi credentials on new devices e.g., a computing wristwatch
  • limited or constrained input interfaces e.g., few input buttons, small keyboards, or no display screen, etc.
  • WPS wireless network access point
  • a computer-implemented method involves
  • the wireless network may include an access point (AP) for connection to the cloud network.
  • AP access point
  • the method involves determining, by the client device, an entry point on the wireless network to enable the new device to join the wireless network over a wireless link and sending connection data for the entry point to the new device so that the new device connects to the entry point to establish the wireless link.
  • the entry point may be an AP basic service set (BSS) or an independent basic service set (IBSS).
  • the method involves establishing, by the client device, a secure communication session to the new device over the wireless link and sending, by the client device to the new device, via the secure communications session, information including wireless network credentials and registration information to set up the new device for connection to the cloud network via the wireless network.
  • FIG. 1A is a schematic illustration of a system for registering
  • FIG. IB is a schematic illustration of an example generic device structure, which may be common to devices connected by the wireless network and the new device to be connected to the wireless network in the system of FIG. 1A.
  • FIG. 2 is an illustration of an example method, which can be implemented on the system of FIG. 1 A, for registering, authenticating, or authorizing connection of the new device to a wireless network, in accordance with the principles of the disclosure herein.
  • FIG. 3 is an illustration of another example method which can be implemented on simplified version of the system of FIG. 1 A, for registering
  • FIG. 4 pictorially illustrates a method for bootstrapping a new device with a wireless network and for registering the new device with a cloud service account of a user of the wireless network, in accordance with the principles of the disclosure herein.
  • FIG. 5 is a flow chart illustrating an example implementation of a method for bootstrapping new device to a wireless network of a client device and for registering the new device with a cloud service account of a user of the client device on the Internet, even while the client device is connected to the Internet via the wireless network, in accordance with the principles of the disclosure.
  • FIG. 6 illustrates an example format of a vendor specific information element (IE).
  • IE vendor specific information element
  • FIG. 7 illustrates an example vendor specific IE that may be included in probe beacons broadcasted by a new device in a discovery phase of the methods of FIG. 5 and 6, in accordance with the principles of the disclosure herein.
  • FIG. 8 shows an example vendor specific IE that may be included in the beacons broadcast by the client device in a connectivity phase of the methods of FIG. 5 and 6, in accordance with the principles of the disclosure herein.
  • FIG. 9 is a schematic illustration of a generic computer device and a generic mobile device, which may be used with the techniques or in the systems described herein.
  • a wireless network e.g., a home WiFi network
  • the device to be connected to the wireless network may be referred to herein as a "new" device.
  • the adjective "new” as used herein to qualify the device will be understood as referring not to an age or a lack of previous use of the device, but will be understood instead as referring only to whether the device is new relative to the wireless network (i.e. the device is awaiting registration, authentication or authorization for connection to the wireless network).
  • a new device may, for example, be a computer, a computing device, or other electronic device (e.g., a tablet computer, a printer, a digital camera, a smart phone, a temperature sensor or controller, a smart meter, a television, a wearable electronic device, etc.) having a wireless communication capability for connection to the wireless network.
  • the wireless network may rely on a pre-existing infrastructure such as routers in wired networks or wireless access points (in a managed or infrastructure wireless network) to communicate or route data between devices in the wireless network.
  • the wireless network may be an ad hoc wireless network that does not rely on a pre-existing infrastructure (e.g., routers, access points, etc.) to route data between devices in the wireless network, but in which each device (node) can dynamically participate in routing data over the network by forwarding data for other devices (nodes) on the basis of, for example, instantaneous network connectivity.
  • the wireless network e.g., Open WiFi, WiFi Direct, Bluetooth, etc.
  • a process e.g., a WPS or WPA process
  • the security risks may be associated with eavesdropping or hijacking (e.g., man-in-the-middle attacks, phishing attacks, and ownership hijacking, etc.).
  • systems and methods for securely bootstrapping or connecting a new device to a wireless network over an open or unsecure channel of the wireless network may involve a third-party service provider (e.g., hosted on a server) external to the wireless network.
  • the third party service provider with which a user or installer of the new device may have a user account may generate user authentication credentials (including, for example, a unique keyword).
  • the third party service provider may use a secure communications protocol (e.g., Hypertext Transfer Protocol Secure (HTTPS)) for communications of sensitive data (e.g., the user authentication credentials) to and from a user-associated client device in the wireless network.
  • HTTPS Hypertext Transfer Protocol Secure
  • the systems and methods may further utilize the user-associated client device in the wireless network to securely exchange sensitive information (e.g., the user authentication credentials or shared secrets for use in authentication processes, wireless network credentials and registration information, etc.) with the new device.
  • sensitive information e.g., the user authentication credentials or shared secrets for use in authentication processes, wireless network credentials and registration information, etc.
  • the new device may utilize the user authentication credentials securely passed to it by the user-associated client device to authenticate with the wireless network or the user- associated client device, and use the wireless network credentials and registration information to make an authorized connection to the wireless network.
  • Securely exchanging the sensitive information between the user-associated client device and the new device over the open WiFi channel of the wireless network may involve use of a data encryption scheme to encrypt the sensitive information exchanged over the open WiFi channel of the wireless network.
  • the encryption scheme may involve public-key cryptography (also known as asymmetric cryptography). Encryption of the sensitive information may protect against disclosure of sensitive information to unauthorized parties and may frustrate use of the sensitive information by network sniffers, eavesdroppers and other malicious parties.
  • the systems and methods disclosed herein may allow the device to be authenticated and authorized for connection to the wireless network securely based on the exchange of the encrypted sensitive information between the device and the user- associated client device without requiring direct or manual input of user authentication or wireless network credentials on the device.
  • the encrypted sensitive information exchanged between the user- associated client device and the new device may include shared secrets used for authenticating the new device.
  • the systems and methods may involve displaying the shared secrets (e.g., keywords) on both the user-associated client device and the new device, and further involve physical user confirmation (on the new device or on the user- associated client device) that the shared secrets displayed on the new device and the user- associated client device are the same for authentication of the new device.
  • the shared secrets may be independently generated on both the user-associated client device and the new device as hashes of the encrypted sensitive information exchanged between the user-associated client device and the new device.
  • the independently generated shared secrets may be exchanged via further encrypted communications and may be electronically verified to be same, for example, on the user-associated client device, for authentication of the new device.
  • the systems and methods disclosed herein for securely bootstrapping or connecting a device to a wireless network may overcome the security risks associated with eavesdropping or hijacking (e.g., man-in-the-middle attacks, phishing attacks, and ownership hijacking, etc.).
  • the systems and methods require confirmation of a user's physical presence at or in proximity to both the new device (with or without a display) and the client device for authenticating or authorizing connection of the new device to the wireless network.
  • Having the same user physically present at or proximate to the new device and the client device may effectively verify the provenance of the new device and ensure that the new device is not a man-in-the-middle attacking device, a phishing device, or a hijacked device.
  • FIG. 1 A is a schematic illustration of an example system 100 for registering, authenticating, or authorizing connection of a new device (e.g., device 101a, device 101 b or device 101c) to a wireless network 120, in accordance with the principles of the disclosure herein.
  • a new device e.g., device 101a, device 101 b or device 101c
  • Wireless network 120 may, for example, be an infrastructure wireless communication network (e.g., a LAN, WLAN, or home WiFi network) including, for example, wireless access points (e.g., access point 124) or routers (not shown) for data communications.
  • wireless network 120 may be an ad hoc wireless network.
  • Wireless network 120 may be linked by a wired or wireless communication link 140 to other public or private computer networks (e.g., a computer network or Internet 130).
  • Wireless network 120 may provide wireless data communication connectivity between or amongst fixed or mobile devices (e.g., devices 121) that may have been registered and authorized for connection to wireless network 120.
  • Wireless network 120 may also provide data communications connectivity between devices 121 in wireless network 120 and the other public or private computer networks (e.g., computer network or Internet 130), for example, via a wired or wireless communication link 140.
  • Devices 121 connected to wireless network 120 may include any computer, computing device, or other electronic device (e.g., a tablet computer, a printer, a digital camera, a smart phone, a temperature sensor or controller, a smart meter, a television, etc.). Further, devices 121 may include at least one user-associated client device (e.g., client device 122a, client mobile phone 122b or client personal computer 122c) that is configured for secure communications with a third-party service provider server (e.g., service provider 132), for example, via wired or wireless communications link 140.
  • Service provider 132 may, for example, be hosted on the other public or private computer networks (e.g., computer network or Internet 130) linked to wireless network 120 via wired or wireless communication link 140.
  • Service provider 132 may provide a service (e.g., a telephone service, an internet service, an e-mail service, a cloud-based computing service, a web store, a storage service, or other on-line service, etc.) to authenticated or authorized users of service provider 132.
  • a user of wireless network 120 may, for example, have a subscribed or registered user account with service provider 132 to avail of the service provided by service provider 132.
  • the user may avail of the service provided by service provider 132, for example, on the at least one user-associated client device (e.g., client device 122a, client mobile phone 122b or client personal computer 122c) that is connected to service provider 132 via wired or wireless communication link 140.
  • Service provider 132 may provide the service to the user-associated client device (e.g., device 122a, mobile phone 122b or personal computer 122c) only after authentication of user credentials (e.g., after the user logs in the user account subscribed to or registered with service provider 132).
  • service provider 132 may provide e-mail service to client personal computer 122c only after verification or authentication of user credentials (e.g., login ID and password) for the user account subscribed or registered with service provider 132.
  • Service provider 132 may use a secure communications protocol (e.g., Hypertext Transfer Protocol Secure (HTTPS)) for communication of sensitive data (e.g., user credentials) over wired or wireless communication link 140 to and from the user- associated client device (e.g., client device 122a, client mobile phone 122b or client personal computer 122c).
  • HTTPS Hypertext Transfer Protocol Secure
  • a new device e.g., device 101a, device 101 b or device 101c requesting or seeking to be connected to a wireless network 120 may or may not have limited or constrained input capabilities (e.g., keyboard, or keypads (not shown)), and may or may not have output display capabilities (e.g., a display screen).
  • FIG. 1A shows, for example, device 101 a having a display screen 1 1a and device 101c having a display screen l ib.
  • the new device e.g., device 101 a, device 101b or device 101 c
  • the new device may, for example, broadcast an indicator of the presence of the new device and other device-related information (e.g., manufacturer, model no., device public key, etc.) over an open communication channel 150 (e.g., a radio channel) of wireless network 120.
  • System 100 may be configured so that wireless network 120 or a user-associated client device (e.g., client device 122a) can recognize or discover a proximate presence of the new device from the broadcast and initiate a process for registering, authenticating, or authorizing connection of the new device to wireless network 120.
  • service provider 132 may be configured to generate a unique user-specific keyword or other secret for the at least one user-associated client device (e.g., client device 122a) according to the user account subscribed or registered with service provider 132.
  • Service provider 132 may send the unique-specific keyword to the at least one user-associated client device (e.g., client device 122a).
  • the user-associated client device e.g., client device 122a
  • the user-associated client device may share knowledge of the unique user-specific keyword or other secret generated by service provider 132 with the user, for example, on a display screen (not shown) of client device 122a.
  • System 100 may be configured to utilize the user's knowledge of the unique user-specific keyword or other secret generated by service provider 132 as a basis for registering, authenticating, or authorizing connection of the new device to wireless network 120.
  • keywords or other secrets that may be used for authenticating the new device may be generated by the new device and/or the user-associated client device (e.g., device 122a, mobile phone 122b or personal computer 122c)) without involvement of service provider 132.
  • the new device may or may not have any display capability.
  • FIG. IB shows an example generic device structure 170, which may be common to devices 121 (e.g., client device 122a, client mobile phone 122b or client personal computer 122c) connected by wireless network 120 and the new device (e.g., device 101a, device 101 b or device 101c) to be connected to wireless network 120 in system 100.
  • Generic device structure 170 may, for example, include or be coupled to example, a transceiver circuit 172 for receiving and transmitting wireless signals.
  • Generic device structure 170 may further include digital signal processing circuitry 174, and a persistence or memory 178.
  • Digital signal processing circuitry 174 may include or be coupled to a processor 178 (e.g., an embedded processor, a general purpose processor, or a central processor, etc.), which may be configured to execute instructions stored in the memory 176 and/or manage data stored in memory 176.
  • a particular device (of devices 121 and the new device) in system 100 may include less or additional circuitry (e.g., I/O circuitry, sensor circuitry, hardware accelerators, etc.) (not shown) for functions and features specific to or characteristic of the particular device.
  • System 100 may be configured to utilize a data encryption scheme (e.g., public-key cryptography) for securing communications between system components (e.g., between the new device, the client device and the service provider, or between the new device and the client device) involved in the authentication processes that may be implemented on system 100 for registering, authenticating, or authorizing connection of the new device to wireless network 120.
  • a data encryption scheme e.g., public-key cryptography
  • system components e.g., between the new device, the client device and the service provider, or between the new device and the client device
  • Each of the system components e.g., devices
  • Each of the system components may, for example, be associated with a unique public key- private key pair for encrypting, decrypting or digitally signing the inter-component communications.
  • Communications, messages, or data sent to a receiving system component may be encrypted by a sending system component (e.g., client device 122a) using the public key of the receiving system component so that the receiving system component can decrypt the communications, messages, or data using a private key of the receiving system component.
  • the sending component may digitally sign the communications, messages, or data (using the private key of the sending component) send to the receiving component.
  • FIG. 2 schematically shows an example method 200 for registering, authenticating, or authorizing connection of a new device (e.g., device 101a, 101b or 101 c) to a wireless network 120, in accordance with the principles of the disclosure herein.
  • Method 200 may be implemented, for example, in the example system 100 shown in FIG. 1.
  • the new device e.g., device 101a
  • the new device has a display screen (e.g., display screen 1 1a) for display of data
  • the at least one user-associated client device e.g., client device 122a, client mobile phone 122b or client personal computer 122c
  • the at least one user-associated client device e.g., client device 122a, client mobile phone 122b or client personal computer 122c
  • service provider 132 i.e. logged in the user account
  • Method 200 may involve initial communications between the new device (e.g., device 101a) and the at least one user-associated client device (e.g., client device 122a) over open communication channel 150 of wireless network 120 and between client device 122a and service provider 132 over communication link 140.
  • Method 200 to register, authenticate and authorize connection of new device 101a to wireless network 120 may begin when new device 101a broadcasts it presence proximate to wireless network 120 over open communication channel 150.
  • client device 122a may detect or discover new device 101a over open communication channel 150, and request and get device 101 a to broadcast device-related information including at least a public key (i.e. "device public key" (DPK)) of device 101 a (210).
  • DPK device public key
  • the broadcasted device-related information may also include other device details (e.g., technical details such as manufacturer, model no., device type, etc.).
  • Client device 122a which may be on-line with service provider 132, may then transmit the public key (DPK) of device 101 a and its own public key (i.e. "client device public key" (CPK)), to service provider 132 over communication link 140 (using, for example, HTTPS or other secure communications protocols).
  • service provider 132 may generate a unique keyword (230) and send a package including the DPK, CPK, and the unique keyword to client device 122a over communication link 140 (using, for example, HTTPS or other secure communications protocols).
  • the package may be digitally signed with a private key of service provider 132.
  • client device 122a may encrypt the package received from service provider 132 using the public key (DPK) of the device 101a and send the encrypted package including the unique keyword to device 101a (250).
  • Client device 122a may also display the unique keyword on client device 122a (e.g. on a display screen (not shown)) to a user of client device 122a.
  • DPK public key
  • Device 101 a may decrypt the DPK-encrypted package received from client device I22a using a private key of device 101a, verify that the DPK in the package is the public key (e.g., a current public key) of device 101a, and may also display the unique keyword in the package on display screen 1 l a of devicelO la so that the user can inspect and confirm that the unique keyword displayed on device 101 a is the same as that displayed on client device 122a (260). The user may submit a confirmation that the unique keyword displayed on device 101 a is the same as that displayed on client device 122a, for example, by the user activating a designated button on devicel Ol a.
  • a private key of device 101a verify that the DPK in the package is the public key (e.g., a current public key) of device 101a, and may also display the unique keyword in the package on display screen 1 l a of devicelO la so that the user can inspect and confirm that the unique keyword displayed on device 101 a is the same as that displayed on
  • client device 122a may send a query to device 101 a seeking results of the user-confirmation (e.g., did the user press the designated button?) on devicel O l a that the keyword displayed on device 101 a is the same as displayed on client device 122a (270).
  • device 101 a may send to client device 122a the results (e.g., OK, Cancel, or Timeout) of the user-confirmation on device 101 a that the keyword displayed on device 101 a is the same as displayed on client device 122a (280).
  • client device 122a may send wireless network credentials and registration information
  • Device 101 a may acknowledge receipt (encrypted by CPK) of the wireless network credentials and registration information from client device 122a (295), and use the wireless network credentials and registration information to securely connect to wireless network 120.
  • method 200 can ensure that the user of client device 122a is aware of device 101 a seeking connection to wireless network 120 and that device 101 a is not a malicious device (e.g., a man-in- the-middle attacking device, a phishing device, or a hijacked device). Therefore, method 200 may allow new device 101a to be securely connected or linked to wireless network 120 over WiFi channel 150.
  • a malicious device e.g., a man-in- the-middle attacking device, a phishing device, or a hijacked device. Therefore, method 200 may allow new device 101a to be securely connected or linked to wireless network 120 over WiFi channel 150.
  • FIG. 3 schematically shows another example method 300 for registering, authenticating, or authorizing connection of a new device (e.g., device 101 a, 101 b and 101 c) to wireless network 120, in accordance with the principles of the disclosure herein.
  • method 300 may be implemented, for example, in system 100 shown in FIG. 1 .
  • method 300 may not require that the one user-associated client device (e.g., client device 122a, client mobile phone 122b or client personal computer 122c) in system 100 should be on-line with service provider 132 or log in the user account with service provider 132 during method 300.
  • method 300 can be implemented (as shown for example in FIG. 3) in a simpler version of system 100, which, for example, may not include service provider 132 or which may not include
  • Method 300 may be utilized for registering, authenticating, or authorizing connection of the new device (e.g., device 101a) to wireless network 120 in an instance where, for example, the new device (e.g., device 101 a) has display capability (e.g., display screen 1 la), and also in an instance where the new device (e.g., device 101b) has no or a limited data display capability (e.g., does not have a display screen).
  • the new device may have a unique device identifier or code (e.g., an alphanumeric string), which may be hard wired and stored in device memory and also may be published in device-related materials provided, for example, by the device manufacturer or vendor.
  • the device-related materials may, for example, include printed materials, a device manual, device packaging boxes or inserts, device enclosure labels, markings, or tags, etc.
  • the unique device identifier or code stored in device memory may be referred to herein as the "stored device code” and the same unique device identifier or code published in the device-related materials provided, for example, by the device manufacturer or vendor, may be referred to herein as the "published device code”.
  • the unique device identifier or code, whether stored in memory or published may also be referred to commonly herein as the "device code"
  • method 300 may involve communications between the new device (e.g., device 101a) and the at least one user-associated- client device (e.g., client device 122a) over open communication channel 150 of wireless network 120 Further, like method 200, method 300 to register, authenticate and authorize connection of new device 101a to wireless network 120 may begin when new device 101a broadcasts its presence proximate to wireless network 120 over open communication channel 150 and its presence is discovered by client device 122a. Client device 122a may request and get device 101a to broadcast device-related information including at least a public key (DPK.) of device 101 a (310).
  • DPK. public key
  • the broadcasted information may also include other device-related information (e.g., manufacturer, model number, device type, etc.) but may not include the unique device code associated with device 101 a.
  • client device 122a may send its public key (i.e., client device public key (CPK)) encrypted by DPK to device 101 a (320).
  • CPK client device public key
  • device 101a may automatically compute a secure hash of its unique device code ("device code”) stored in device memory for use as a shared secret or keyword in authentication processes (330).
  • Device 101 a may use a secure hash algorithm (e.g., SHA0, SHA 1 , SHA2 or SHA3) for computing the secure hash of the device code.
  • the computed secure hash may be digitally signed by device 101a using its private key.
  • Device 101 a may send the computed secure hash in a message further encrypted by CPK to client device 122a for use in the authentication processes (340).
  • client device 122a may request the user of client device 122a to enter on client device 122a the "published" device code of device 101a and to confirm the user's physical presence at device 101 a, for example, by activating a designated button on device 101a (350).
  • the published device code of device 101a may be available to the user client device 122a in device-related materials (e.g., printed materials, a device manual, device packaging boxes or inserts, device enclosure labels, tags or markings, or in serial or identification number markings) that may be provided, for example, by a manufacturer or vendor of device 101a.
  • device 101 a may send a confirmation of the user's physical presence at device 101 a to client device 122a (360).
  • client device 122a may compute a secure hash of the device code entered by the user on client device 122a.
  • Client device 122a may compare or match the secure hash computed by client device 122a and the secure hash received from device 101 a (380).
  • client device 122a may send wireless network credentials and registration information (encrypted by DPK) to device 101a (390).
  • the positive matching of the secure hashes of the device code and the user-entered device code sufficient to trigger the sending of wireless network credentials and registration information by client device 122a to device 101a at 390 may include only a positive matching result from the comparison and matching of the secure hashes by client device 122a at 380 (FIG. 3).
  • client device 122a may send wireless network credentials and registration information to device 101a at 390 (FIG. 3) only after an additional or alternate positive matching by device 101a of the device code entered on client device 122a by the user.
  • CPK public key
  • Device 101a may compare and match the secure hash computed by device 101a and the another secure hash received from client device 122a, and send the matching results (i.e. yes match or no match) encrypted by CPK to client device 122a (386).
  • client device 122a may use receipt of a positive matching result from device 101 at 386 (FIG. 3) (in addition to or as an alternate to a positive matching result by client 122a in 380 (FIG. 3)) as a basis in 390 (FIG. 3) for sending wireless network credentials (e.g., network set secure identification (SSID) and network password) and registration information to device 101a.
  • wireless network credentials e.g., network set secure identification (SSID) and network password
  • device 101 a may acknowledge receipt of the wireless network credentials and registration information (encrypted by CPK) (395), and use the wireless network credentials and registration information to securely connect to wireless network 120.
  • shared secret information e.g., secure hashes of the device code
  • the example versions of method 300 are described using an example new device (e.g., device 101a) in which the device code is hardwired or stored in device memory and is also published in device materials that may be provided, for example, by a manufacturer or vendor of device 101a.
  • method 300 is not limited to new devices associated with such device codes (i.e. stored and published device codes).
  • Method 300 can be used for registering, authenticating or authorizing connection of new devices that are associated with other types of unique device codes.
  • a new device e.g., device 101 c
  • device 100c may have a display screen (e.g., display screen 1 lb).
  • device 100c may be configured to generate (e.g., on demand) a new unique device code ("new registration code") and display the new registration code on its display screen 1 1a.
  • client device 122a may, for example, while or in addition to requesting that newly discovered device 101c broadcast device-related information at 310 (FIG. 3) also request or demand that device 101 c generate a new registration code and display the registration code on the display screen 1 la of device 101c.
  • client device 122a at 350 may request that the user of client device 122a to use the new registration code displayed on display screen 11a of device 101c as the device code to be entered on client device 122a.
  • Method 300 may use the new registration code as the device code for registering, authenticating or authorizing connection of device 101 c to wireless network 120 in the same or similar manner as the use of the stored and published device code of a new device (e.g., device 101a) described in the foregoing, for example, with reference to FIG. 3.
  • a new device e.g., device 101c having a display screen (e.g., display screen 1 1)
  • security in registering or connecting the new device to wireless networks may be improved by generating a new registration code for every registration session.
  • a new registration code generated each time there may be a reduced risk of losing or compromising the device code as may be the case with device codes that are published on device-related materials provided by the manufacturer or vendor of the new device.
  • user experience may be enhanced as the user may not have to hold on to or find the device-related materials for each time the user may want to register or connect the new device to a wireless network in the future.
  • method 300 may effectively verify the provenance of the new device and ensure that the new device is not a phishing device, or a hijacked device. Therefore, method 300 may allow new device 101c to be securely connected to wireless network 120.
  • a computer system e.g., system 100
  • the instructions when executed by one or more microprocessors (e.g., semiconductor-based hardware processors) may cause the computer system to implement method 200 or method 300 as described above with reference to FIG. 2 and FIG. 3, respectively.
  • microprocessors e.g., semiconductor-based hardware processors
  • wireless networks may be implemented to conform with industry standards (e.g., the IEEE 802.11 family of standards, which include, for example, the 802.1 la, 802.11 b and, 802.1 lg standards) for wireless networks and products (e.g., WiFi branded products such as access point (AP) 124, routers (not shown), devices 121 , client devices 122a- 122c, new devices lO la-c, etc.).
  • industry standards e.g., the IEEE 802.11 family of standards, which include, for example, the 802.1 la, 802.11 b and, 802.1 lg standards
  • products e.g., WiFi branded products such as access point (AP) 124, routers (not shown), devices 121 , client devices 122a- 122c, new devices lO la-c, etc.
  • a common characteristic of the wireless networks may be the use of a series of half-duplex over-the-air (i.e., over wireless radio frequencies) modulation techniques utilizing a same basic protocol for data transmissions.
  • the IEEE 802.1 lb and 802.1 l g standards use the 2.4 GHz ISM radio frequency band, and the IEEE 802.1 la standard uses the 5 GHz U-NII radio frequency band.
  • a radio frequency band spectrum used in a wireless network may be sub-divided into channels with a center frequency and bandwidth, in a manner similar to the way radio and TV broadcast bands are sub-divided.
  • the 2.4 GHz band may be divided into 14 channels spaced 5 MHz apart, beginning with channel 1.
  • the IEEE 802.1 la standard offers at least 23 non-overlapping channels in the 5 GHz band.
  • the wireless networks and Wi-Fi products or devices may be configured for dual band operation involving operation over either or both the 2.4 GHz band and the 5.0 GHz band, as described, for example, by the IEEE 802.1 I n standard.
  • a wireless network may designate a few or all channels available in the wireless network frequency band to receive or transmit data, for example, between individual devices (e.g., routers, devices 121, client devices 122a- 122c, new devices lOla-c, etc.) in the wireless network.
  • individual devices e.g., routers, devices 121, client devices 122a- 122c, new devices lOla-c, etc.
  • the designated channels of the wireless network may be referred to herein as "WiFi channels.”
  • the individual devices e.g., routers, devices 121 , client devices 122a- 122c, new devices lO l a-c, etc.
  • the wireless network may be configured to allow selection of which of the WiFi channels to use for wireless data transmission or receipt. For example, with reference to FIG.
  • client device 122a may select a specific WiFi channel (an "Internet channel") to establish communication link 140 with Internet 130.
  • a new device e.g., devices 101a, device 101b, 110c
  • the new device e.g., devices 101a, device 101 b, 1 10c
  • wireless network 120 may use a different WiFi channel for data transmissions to other devices and for other purposes (e.g., for broadcasts over open communication channel 150) than data transmissions to or from Internet 130.
  • FIG. 4 pictorially illustrates a method 400 for bootstrapping a new device (e.g., new device 401 ) to a wireless network (e.g., "Internet wireless network 420"), which may be an IEEE 802.1 1 standards-compliant wireless network, and for registering the new device with a cloud service account of a user, in accordance with the principles of the disclosure herein.
  • the cloud service account of the user may be hosted or serviced by a cloud service provider (e.g., service provider 132) on a public or private "cloud” network (e.g., Internet 130, a personal or corporate LAN or WLAN (not shown), etc.), which may be accessible via the wireless network (e.g., "Internet wireless network 420").
  • a cloud service provider e.g., service provider 132
  • a public or private "cloud” network e.g., Internet 130, a personal or corporate LAN or WLAN (not shown), etc.
  • Internet wireless network 420 may, for example, be a wireless network which provides access to the cloud network (e.g., Internet 130, FIG. 1 A) and/or another public or private computer network), for example, via an infrastructure access point (e.g., AP 124, FIG. 1 A).
  • an infrastructure access point e.g., AP 124, FIG. 1 A
  • the access point e.g., AP 124, FIG. 1A
  • the access point providing access to the Cloud network may be may be referred to herein as the "Internet AP" of the wireless network (e.g., Internet wireless network 420).
  • Method 400 may be implemented in system 100 or a similar system.
  • Method 400 may involve processes (e.g., secure hashes, shared secrets, asymmetric cryptography involving public-private key pairs, etc.) that are similar to those used in method 200 and/or method 300 for securely passing information (e.g., wireless network credentials) between a client device and new device 401.
  • processes e.g., secure hashes, shared secrets, asymmetric cryptography involving public-private key pairs, etc.
  • information e.g., wireless network credentials
  • Method 400 may be utilized in an example use case or scenario in which client device 422 (e.g., a notebook computer, a laptop computer, a smartphone, etc.) has a user account ("cloud service account") with a cloud service provider (e.g., service provider 132) for a cloud computing service.
  • client device 422 may utilize the cloud computing service when connected to a public or private cloud network (e.g., Internet 130) via a wireless network (e.g., wireless network 120, Internet wireless network 420).
  • the wireless network which provides client device 422 with access to the Internet, may be referred to herein as "the Internet wireless network” or "the wireless network of the client device”.
  • the cloud computing service may provide client device 422 with further access to other devices (e.g., printers, storage devices, computers, peripheral devices, etc.) that are "cloud-connected” or "Internet- connected.”
  • a user of client device 422 may utilize such cloud-connected or Internet- connected devices, which may be associated or registered with the cloud service account of the user, via Internet 130 (e.g. from any where in the world) when the user is logged into the cloud service account.
  • registering new device 401 with the cloud service account of the user may enable the user of client device 422 to utilize new device 401 as a cloud-connected or Internet-connected device via Internet 130.
  • Method 400 for bootstrapping and registering a new device may allow the user of client device 422 to authorize passing wireless network credentials to new device 401 with just a few or limited number of required user interventions or actions during implementation of method 400.
  • method 400 may allow the user of client device 422 to stay connected to and use Internet 130 with little or no disruption, even as new device 401 is being bootstrapped and registered.
  • the few or limited number of actions that the user may have to perform for setting up or connecting new device 401 may be limited to the following actions:
  • [0068] Give consent or instructions on client device 422) to register new device 401 in the cloud service account of the user and to pass wireless network credentials to new device 401 for connection of new device 401 to the wireless network of the client device.
  • a user of client device 422 may connect client device 422 to Internet 130 through the wireless network of client device 422 (e.g., wireless network 420) to use the cloud computing service on Internet 130.
  • Wireless network 420 may be a 2.4 GHz wireless network, which is compliant with, for example, the IEEE 802.1 1 standards.
  • Method 400 may be used to bootstrap a new device 401 into the wireless network of client device 422, connect new device 401 to Internet 130 through the wireless network of client device 422, and register the new device 401 as a cloud-connected or Internet-connected device available for use by client device 422 via Internet 130.
  • method 400 for bootstrapping and registering new device 401 is shown pictorially in FIG. 4 as occurring in pictorial stages (e.g., stages 41 -46).
  • stages 41 -46 may show a relative status or condition of client device 422, wireless network 410, new device 401 , and Internet 130.
  • Client device 422 may stay connected to Internet 130 throughout stages 41 to 46.
  • client device 422 may use one designated WiFi channel (e.g., Internet channel 424) of the 1 1 WiFi channels available in the radio frequency band (e.g., 2.4 GHz band) of wireless network 420, for data transmissions to and from Internet 130.
  • new device 401 e.g., after being plugged in a power outlet
  • New device 401 may broadcast a presence or availability of new device 401 over any or all of the 11 WiFi channels available in the radio frequency band (e.g., 2.4 GHz band) of wireless network 420.
  • FIG. 4 shows new device 401, for example, broadcasting over an open WiFi channel 426.
  • client device 422 may notify the user on client device 422 of the presence or availability of new device 401 even as client device 422 remains connected to Internet 130 using Internet channel 424.
  • the user of client device 422 e.g., wanting to connect client device 422 to new device 401 and use new device 401 via Internet 130
  • No further action or intervention by the user of client device 422 may be needed in method 400 to bootstrap new device 401 into wireless network 420 and register new device 401 with the cloud service account of the user.
  • client device 422 may, in response, return broadcast (e.g., over open WiFi channel 426) information regarding wireless network 420 and Internet channel 424 to new device 401.
  • the information may, for example, include a basic service set (BSS) associated with an infrastructure access point (AP) ("WiFi AP") in wireless network 420 or an independent basic service set (IBSS)) associated with an ad-hoc wireless network entry point on wireless network 420.
  • the WiFi AP may be the same as the access point (Internet AP) used by wireless network 420 to connect to Internet 130 or a different AP in the wireless network.
  • new device 401 may receive the broadcasted information regarding Internet channel 424 from client device 422.
  • new device 401 may activate input and output on Internet channel 424 (e.g., by activating or switching a transceiver to operate at the Internet channel frequency) (not shown)).
  • new device 401 may connect to client device 422 over Internet channel 424 by connecting to the wireless network infrastructure AP BSS.
  • new device 401 may connect to the IBSS to establish an ad hoc wireless link to client device 422 over Internet channel 424.
  • Device 422 and new device 401 may securely exchange wireless network credentials over Internet channel 424 using, for example, public key - private key encryption techniques for security.
  • new device 401 may use the wireless network credentials received from client device 422 to join wireless network 420 and connect to Internet 130 over Internet channel 424.
  • Client device 422 may also send registration information to new device 401 to use for registering in the cloud service account of the user.
  • Client device 422 may send this registration information, for example, along with the secure exchange of wireless network credentials over Internet channel 424 in stage 45.
  • New device 401 may use the registration information to register in the cloud service account of the user with the cloud service provider (not shown in FIG. 4).
  • Registering new device 410 in the cloud service account of the user with the cloud service provider may allow the user of client device 422 to operate or utilize new device 401 as a cloud-connected or Internet-connected peripheral device when the user is using Internet 130 (e.g., using the cloud computing service on Internet 130).
  • new device 402 is a printer device
  • the user of client device 422 may be able to print cloud computing files or documents on registered new device 401 directly from Internet 130 via the Internet connection to new device 401.
  • FIG. 5 is a flow chart 500 illustrating an example implementation of a method (e.g., method 400) for bootstrapping new device 401 to an IEEE 802.1 1 standards-compliant wireless network (e.g., Internet wireless network 420) of a client device (e.g., client device 422) and for registering the new device with a cloud service account of a user of the client device on the Internet, even while the client device is connected to the Internet via the wireless network, in accordance with the principles of the disclosure.
  • an IEEE 802.1 1 standards-compliant wireless network e.g., Internet wireless network 420
  • client device e.g., client device 422
  • new device 401 may broadcast its availability for provisioning (i.e., being set-up to be boot strapped or connected to the wireless network and being registered with the cloud service account of a user of the client device) by a client device (e.g., client device 422).
  • client device 422 may be referred to a "provisioning device” or “provisioner” herein.
  • Client device 422 may provision or set-up new device 401 for connection to the wireless network and for being registered with the cloud service account of the user by supplying set-up information (e.g., wireless network credentials, Internet AP BSS / IBSS information, registration information, etc.) to new device 401.
  • set-up information e.g., wireless network credentials, Internet AP BSS / IBSS information, registration information, etc.
  • the method may be viewed as involving different phases: a "Discovery” phase 510 (e.g., involving active or passive finding by the client device of an available new device within a coverage range of the wireless network; a "Connectivity” phase 520 (e.g., involving connecting the client device and the new device for inter-device communications); a "Security” phase 530 (e.g., involving establishing a secure communication session between the client device and the new device), a "Provisioning” phase 540 (e.g., involving passing wireless network credentials and registration information from the client device to the new device), and a Completion phase 550 (e.g., connecting the new device to the wireless network and registering the new device in the user account of the client device with the cloud service provider).
  • a "Discovery” phase 510 e.g., involving active or passive finding by the client device of an available new device within a coverage range of the wireless network
  • a "Connectivity” phase 520 e.g
  • Flow chart 500 shows example device actions and inter-device communications that may occur during the different phases (e.g., Discovery phase 510 - Completion phase 550) in the example implementation of method 400 for bootstrapping new device 401 to the wireless network (e.g., wireless network 420) of a client device (e.g., client device 422), which is connected to the Internet, and for registering the new device with a cloud service account of a user of the client device.
  • the wireless network e.g., wireless network 420
  • client device e.g., client device 422
  • the device actions and inter-device communications that occur during the different phases may comply with the wireless network specifications and data protocols of the IEEE 802.1 1 standards for wireless networks.
  • new device 401 and client device 422 may broadcast or exchange set-up information as information elements (IEs) in beacon frames that are formatted according to, for example, the IEEE 802.1 1 standard specifications and protocols for wireless networks (FIG. 6).
  • new device 401 may use vendor specific IEs in beacon frames to announce a wireless network provisioning availability.
  • client device 422 may broadcast wireless network connectivity information as vendor specific information elements (IEs) in beacon frames.
  • IEs information elements
  • client device 422 may have a WiFi channel (e.g., channel 6 of the up to 11 WiFi channels available in the 2.4 GHz band) selected as the channel for open wireless or radio communications.
  • client device 422 may passively monitor the selected WiFi channel (e.g., channel 6) for any radio broadcasts containing information that may identify a presence or availability of a new device (e.g. new device 401) in a coverage range of the wireless network (51 ).
  • New device 401 may not have information on which of the available up to 11 WiFi channels available in the 2.4 GHz band is being used by client device 422 as the selected WiFi channel (e.g., channel 6) for radio communications.
  • new device 401 may have to conduct a frequency scan or search procedure to arrive at the selected WiFi channel (e.g., channel 6) for radio communications with client device 422, as described below with reference to elements 42 to 46 of flow chart 400.
  • selected WiFi channel e.g., channel 6
  • New device 401 (which may be already powered up or may be powered up during Discovery phase 510, for example, by new device 401 being plugged in a power outlet) may switch on a WiFi channel (e.g. WiFi channel 1 in the 2.4 GHz band) to use as an initial channel for open radio communications (52).
  • New device 401 may broadcast probe beacons 570 (which include a vendor specific IE indicating a presence and an availability of new device 401 for provisioning) over WiFi channel I for a period of time tl (53).
  • new device 401 may listen for any response beacons (e.g., response beacons 580) broadcasted by a provisioning device over WiFi channel 1 for a period of time t2 (54).
  • the period of time tl and the period of time t2 may, for example, be about a few seconds each (e.g., about 3 seconds and about 2 seconds, respectively.
  • new device 401 may return to 52, switch to a next WiFi channel (e.g., WiFi channel 2) at 52 and repeat broadcasting the presence or availability of new device 401 at 53 and listening for any response beacons from a provisioning device over the next WiFi channel (e.g., WiFi channel 2) at 54.
  • a next WiFi channel e.g., WiFi channel 2
  • new device 401 may cycle through 52-54, each cycle switching to a next WiFi channel (of the up to 1 1 WiFi channels available in a 2.4 GHZ band of wireless network) at 52.
  • a provisioning device e.g., client device 422
  • new device 401 may arrive at the selected WiFi channel (e.g. WiFi channel 5) used by a provisioning device (e.g., client device 422) for radio communications, even while client device 422 remains connected to the Internet over the Internet channel.
  • a provisioning device e.g., client device 422
  • method 400 may allow new device 401 to be passively detected or discovered by client device 422 (over the selected WiFi channel) without client device 422 having to switch away from the Internet channel or interrupt the connection of client device 422 to the Internet.
  • client device 422 may detect probe beacons 570 indicating the presence or availability of new device 401 (65). Upon detecting probe beacons 570 indicating a presence or availability of new device 401 , client device 422 may present a user of client device 422 with a choice of whether or not to provision (i.e. set up) the newly discovered or detected new device 401 for registration in the cloud service account of the user and/or connection to the wireless network of client device 422 (65a).
  • client device 422 may, in Connectivity phase 420, determine a wireless network BSS that new device 510 can use as an entry point to join or connect to the wireless network or create an independent basis service set (IBSS) that can be used as an entry point for making an ad hoc wireless link between client device 422 and new device 510.
  • Client device 422 may enable the IBSS entry point on any WiFi channel, but may prefer to enable the IBSS entry point on the same channel (i.e., the Internet channel) that client device 422 is using to access the Internet.
  • a cloud authentication schema may assume that IBSS will be open and security may be implemented on an upper layer of the wireless network.
  • Client device 422 may include the wireless network BSS or IBSS in a specific reply in a beacon IE (57).
  • Client device 422 may broadcast a response 580 directed at new device 401 and include the wireless network BSS or IBSS in a vendor specific IE in beacons in broadcasted response 580.
  • new device 401 (which may be listening for response beacons from a provisioning device for the period of time t2, at 54 in Discovery phase 10) finds or detects broadcasted response 580 which indicates a presence of a provisioning device (e.g., client device 422), new device 401 at 56 may proceed to Connectivity phase 420.
  • a provisioning device e.g., client device 422
  • new device 401 may connect to the wireless network BSS or IBSS included in broadcasted response 580 from client device 422 (58) to make a wireless link 590 between client device 422 and new device 10.
  • wireless link 590 may be an ad hoc wireless link.
  • client device 422 may establish a secure communication session 592 over wireless link 590 between client device 422 and new device 510 (59).
  • client device 422 may use secure communication session 592 to securely pass wireless network credentials and registration information to new device 401 over wireless link 590 between client device 422 and new device 510.
  • new device 401 at 61 may use the wireless network credentials (passed by client device 422 at 60 through secure communication session 592) to join the wireless network of client device 422 (e.g., via the wireless network BSS or IBSS), and connect to the Internet (e.g., via an Internet AP in the wireless network) (63), and use the registration information (passed by client device 422 at 60) to complete registration processes to be included in cloud service account of the user with the cloud service provider.
  • Authentication of the new device may be based an authentication schema involving, for example, cloud-based authentication, device generated code based authentication, or device serial number based authentication.
  • client device 422 may verify that new device 401 has become available in the Internet WiFi and is registered in the cloud service account of the user with the cloud service provider (62).
  • all device actions and inter-device communications by new device 401 or client device 422 in method 400 may comply with, for example, the IEEE 802. 1 1 standards for wireless networks.
  • the vendor specific IEs in beacon frames broadcasted by new device 401 or client device 422 may have a structure or format consistent with IE format specifications of, for example, the IEEE 802.11 standards.
  • FIG. 6 shows an example format of a vendor specific IE 600, which is consistent with IE format specifications of the IEEE 802. 1 1 standards.
  • vendor specific IE 600 may include fields Element ID 601 , Length 602, Organization Identifier (OI) 603 and Data 604, respectively.
  • Field Element ID 601 and field Length 602 may each have a size or length or size of 1 octet.
  • Field OI 603 and field Data 604 may have a combined length or size of N octets, where N is value entered in field Length 602.
  • field OI 603 may have a length of three octets and thus field Data 604 may have a size or length of N-3 octets.
  • field Element ID 601 may carry a value "221", which may be the element ID value that is assigned by the IEEE standards to identify the IE as a vendor specific IE.
  • Field Length 602 may carry a value "N" corresponding to the combined length of field OI 603 and Data 604.
  • field OI 603 may carry a value identifying an organization (e.g., a service provider 132), while field Data 604 may carry a metadata structure.
  • the metadata structure may include information formatted as multiple text blocks or strings one after another. Each text block or string in the metadata structure may be formatted to include a leading field carrying a text size value text block or string and a following text field carrying the text.
  • the metadata structure may carry technical information or parameters (wireless network characteristics, device identifiers, device characteristics and device roles, etc.) for connecting the new device to the Internet via the wireless network of the client device.
  • TABLE I shows an example list of key-value pairs that may be used in the metadata structure carried in vendor specific IE 600 in the beacons (e.g., probe beacons 570 and response beacons 580) broadcast by a device (e.g., by new device 401 or client device 422).
  • example keys and example, possible values for the keys are shown under column headings "KEY” and "VALUE", respectively.
  • TABLE 1 also includes an explanation of the example keys and the corresponding possible key values under the column heading "Comments.”
  • rl r, e, a Role (rl) of the device.
  • Possible values may be:
  • Enrollee ( e ) - identifies the new device as a device available to join the WiFi network.
  • Registrar ( r ) - identifies the device as a provisioner which may provision and register an enrollee device.
  • Announcer ( a ) - identifies the device as an already registered device that would like to announce some additional information (e.g.. Droximitv ) . tok ⁇ AlphaNum> Locally unique token (tok) for the device. May be
  • additional or alternative key-value pairs may be optionally used in the metadata structure in addition to the example key-value pairs shown in TABLE 1 .
  • TABLE 2 shows an example list of optional key-value pairs that may be used in the metadata structure carried in vendor specific IE 700 in the beacons broadcast by a device (e.g., by new device 401 or client device 422).
  • cs nc, on, off, con Connection state (cs) of the device could be one of the following:
  • Connecting (con) - device is currently in the process of connecting to the server.
  • FIG. 7 shows an example vendor specific IE 700 that may be included in probe beacons 570 broadcasted by new device 401 in Discovery phase 520, in accordance with the principles of the disclosure herein.
  • Vendor specific IE 700 may include the key- value pairs listed in TABLE 1.
  • the text fields in Vendor specific IE 700 are shown in FIG. 7 as being coded, for example, using an American Standard Code for Information Interchange (ASCII) character-encoding scheme. In other implementations, the text fields may be coded using other character-encoding schemes (e.g., Unicode
  • ASCII American Standard Code for Information Interchange
  • the vendor specific IEs in response beacons may have a same format as the vendor specific IEs used in probe beacons 570 broadcasted by new device 401 in Discovery phase 510.
  • client device 422 may use the same token key value "tok" which identifies new device 401 in the IES in beacons 570. Further, client device 422 may set the role key value to Registrar ( r ) in the vendor specific IE in broadcasted response beacons 480.
  • FIG. 8 shows an example vendor specific IE 800 coded in ASIC that may be included in response beacons 480 that may be broadcast by client device 422 in Connectivity phase 520, in accordance with the principles of the disclosure herein.
  • a computer system e.g., system 100
  • the instructions when executed by one or more
  • microprocessors e.g., semiconductor-based hardware processors
  • microprocessors may cause the computer system to implement method 400 as described above with reference to
  • FIGS. 4 -8 are identical to FIGS. 4 -8.
  • FIG. 9 shows an example of a generic computer device 900 and a generic mobile device 950, which may be used with the techniques and the systems described herein.
  • Computing device 900 as shown is intended to represent various forms of digital computers, such as laptops, desktops, workstations, personal digital assistants, servers, blade servers, mainframes, and other appropriate computers.
  • Computing device 950 is intended to represent various forms of mobile devices, such as personal digital assistants, cellular telephones, smart phones, and other similar computing devices.
  • the components shown here, their connections and relationships, and their functions, are meant to be exemplary only, and are not meant to limit implementations of the inventions described and/or claimed in this document.
  • Computing device 900 includes a processor 902, memory 904, a storage device 906, a high-speed interface 908 connecting to memory 904 and high-speed expansion ports 910, and a low speed interface 912 connecting to low speed bus 914 and storage device 906.
  • Each of the components 902, 904, 906, 908, 910, and 912, are interconnected using various busses, and may be mounted on a common motherboard or in other manners as appropriate.
  • the processor 902 can process instructions for execution within the computing device 900, including instructions stored in the memory 904 or on the storage device 906 to display graphical information for a GUI on an external input/output device, such as display 916 coupled to high speed interface 908.
  • multiple processors and/or multiple buses may be used, as appropriate, along with multiple memories and types of memory.
  • multiple computing devices 900 may be connected, with each device providing portions of the necessary operations (e.g., as a server bank, a group of blade servers, or a multi-processor system).
  • the memory 904 stores information within the computing device 900.
  • the memory 904 is a volatile memory unit or units.
  • the memory 904 is a non-volatile memory unit or units.
  • the memory 904 may also be another form of computer-readable medium, such as a magnetic or optical disk.
  • the storage device 906 is capable of providing mass storage for the computing device 900.
  • the storage device 906 may be or contain a computer-readable medium, such as a floppy disk device, a hard disk device, an optical disk device, or a tape device, a flash memory or other similar solid state memory device, or an array of devices, including devices in a storage area network or other
  • a computer program product can be tangibly embodied in an information carrier.
  • the computer program product may also contain instructions that, when executed, perform one or more methods, such as those described above.
  • the information carrier is a computer- or machine-readable medium, such as the memory 904, the storage device 906, or memory on processor 902.
  • the high speed controller 908 manages bandwidth-intensive operations for the computing device 900, while the low speed controller 912 manages lower bandwidth- intensive operations.
  • Such allocation of functions is exemplary only. In one
  • the high-speed controller 908 is coupled to memory 904, display 916 (e.g., through a graphics processor or accelerator), and to high-speed expansion ports 910, which may accept various expansion cards (not shown).
  • low- speed controller 912 is coupled to storage device 906 and low-speed expansion port 914.
  • the low-speed expansion port which may include various communication ports (e.g., USB, Bluetooth, Ethernet, wireless Ethernet) may be coupled to one or more input/output devices, such as a keyboard, a pointing device, a scanner, or a networking device such as a switch or router, e.g., through a network adapter.
  • the computing device 900 may be implemented in a number of different forms, as shown in the figure. For example, it may be implemented as a standard server 920, or multiple times in a group of such servers. It may also be implemented as part of a rack server system 924. In addition, it may be implemented in a personal computer such as a laptop computer 922. Alternatively, components from computing device 900 may be combined with other components in a mobile device (not shown), such as device 950. Each of such devices may contain one or more of computing device 900, 950, and an entire system may be made up of multiple computing devices 900, 950 communicating with each other.
  • Computing device 950 includes a processor 952, memory 964, and an input/output device such as a display 954, a communication interface 966, and a transceiver 968, among other components.
  • the device 950 may also be provided with a storage device, such as a microdrive or other device, to provide additional storage.
  • a storage device such as a microdrive or other device, to provide additional storage.
  • Each of the components 950, 952, 954, 966, and 968 are interconnected using various buses, and several of the components may be mounted on a common motherboard or in other manners as appropriate.
  • the processor 952 can execute instructions within the computing device 950, including instructions stored in the memory 964.
  • the processor may be implemented as a chipset of chips that include separate and multiple analog and digital processors.
  • the processor may provide, for example, for coordination of the other components of the device 950, such as control of user interfaces, applications run by device 950, and wireless communication by device 950.
  • Processor 952 may communicate with a user through control interface 958 and display interface 956 coupled to a display 954.
  • the display 954 may be, for example, a TFT LCD (Thin-Film-Transistor Liquid Crystal Display) or an OLED (Organic Light Emitting Diode) display, or other appropriate display technology.
  • the display interface 956 may comprise appropriate circuitry for driving the display 954 to present graphical and other information to a user.
  • the control interface 958 may receive commands from a user and convert them for submission to the processor 952.
  • an external interface 962 may be provided in communication with processor 952, so as to enable near area communication of device 950 with other devices.
  • External interface 962 may provide, for example, for wired communication in some implementations, or for wireless communication in other implementations, and multiple interfaces may also be used.
  • the memory 964 stores information within the computing device 950.
  • the memory 964 can be implemented as one or more of a computer-readable medium or media, a volatile memory unit or units, or a non-volatile memory unit or units.
  • Expansion memory 974 may also be provided and connected to device 950 through expansion interface 972, which may include, for example, a SIMM (Single In Line Memory Module) card interface. Such expansion memory 974 may provide extra storage space for device 950, or may also store applications or other information for device 950.
  • SIMM Single In Line Memory Module
  • expansion memory 974 may include instructions to carry out or supplement the processes described above, and may include secure information also.
  • expansion memory 974 may be provided as a security module for device 950, and may be programmed with instructions that permit secure use of device 950.
  • secure applications may be provided via the SIMM cards, along with additional information, such as placing identifying information on the SIMM card in a non-hackable manner.
  • the memory may include, for example, flash memory and/or NVRAM memory, as discussed below.
  • a computer program product is tangibly embodied in an information carrier.
  • the computer program product contains instructions that, when executed, perform one or more methods, such as those described above.
  • the information carrier is a computer- or machine-readable medium, such as the memory 964, expansion memory 974, or memory on processor 952 that may be received, for example, over transceiver 968 or external interface 962.
  • Device 950 may communicate wirelessly through communication interface 966, which may include digital signal processing circuitry where necessary. Communication interface 966 may provide for communications under various modes or protocols, such as GSM voice calls, SMS, EMS, or MMS messaging, CDMA, TDMA, PDC, WCDMA, CDMA2000, or GPRS, among others. Such communication may occur, for example, through radio-frequency transceiver 968. In addition, short-range communication may occur, such as using a Bluetooth, Wi-Fi, or other such transceiver (not shown). In addition, GPS (Global Positioning System) receiver module 970 may provide additional navigation- and location-related wireless data to device 950, which may be used as appropriate by applications running on device 950.
  • GPS Global Positioning System
  • Device 950 may also communicate audibly using audio codec 960, which may receive spoken information from a user and convert it to usable digital information. Audio codec 960 may likewise generate audible sound for a user, such as through a speaker, e.g., in a handset of device 950. Such sound may include sound from voice telephone calls, may include recorded sound (e.g., voice messages, music files, etc.) and may also include sound generated by applications operating on device 950.
  • Audio codec 960 may receive spoken information from a user and convert it to usable digital information. Audio codec 960 may likewise generate audible sound for a user, such as through a speaker, e.g., in a handset of device 950. Such sound may include sound from voice telephone calls, may include recorded sound (e.g., voice messages, music files, etc.) and may also include sound generated by applications operating on device 950.
  • the computing device 950 may be implemented in a number of different forms, as shown in the figure. For example, it may be implemented as a cellular telephone 980. It may also be implemented as part of a smart phone 982, personal digital assistant, or other similar mobile device.
  • Various implementations of the systems and techniques described here can be realized in digital electronic circuitry, integrated circuitry, specially designed ASICs (application specific integrated circuits), computer hardware, firmware, software, and/or combinations thereof.
  • ASICs application specific integrated circuits
  • These various implementations can include implementation in one or more computer programs that are executable and/or interpretable on a programmable system including at least one programmable processor, which may be special or general purpose, coupled to receive data and instructions from, and to transmit data and instructions to, a storage system, at least one input device, and at least one output device.
  • the systems and techniques described here can be implemented on a computer having a display device (e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor) for displaying information to the user and a keyboard and a pointing device (e.g., a mouse or a trackball) by which the user can provide input to the computer.
  • a display device e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor
  • a keyboard and a pointing device e.g., a mouse or a trackball
  • Other kinds of devices can be used to provide for interaction with a user as well; for example, feedback provided to the user can be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback); and input from the user can be received in any form, including acoustic, speech, or tactile input.
  • the systems and techniques described here can be implemented in a computing system that includes a back end component (e.g., as a data server), or that includes a middleware component (e.g., an application server), or that includes a front end component (e.g., a client computer having a graphical user interface or a Web browser through which a user can interact with an implementation of the systems and techniques described here), or any combination of such back end, middleware, or front end components.
  • the components of the system can be interconnected by any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include a local area network ("LAN”), a wide area network (“WAN”), and the Internet.
  • LAN local area network
  • WAN wide area network
  • the Internet the global information network
  • the computing system can include clients and servers.
  • a client and server are generally remote from each other and typically interact through a communication network.
  • the relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other.
  • the client device may, for example, cycle or scan through all available WiFi channels to listen for radio broadcasts announcing a presence or availability of the new device (instead of passively listening on a single selected WiFi channel).
  • a user may, for example, initiate active discovery on a client device as a way to speed up discovery and set up of the new device.
  • Active discovery may enable client device 422 to discover not only a single new device (e.g., new device 401), but may further enable client device 422 to find all other new devices that may be available for provisioning and use by client device 422 as Internet-connected devices.
  • systems e.g., system 100
  • methods e.g. method 200, method 300, and method 400
  • Internet 130 only as an example of a cloud network to which a client device may be connected via the wireless network.
  • systems and methods described herein for bootstrapping a new device to a wireless network may be readily modified or extended to scenarios that include other types of cloud networks (e.g., personal, governmental, corporate, or campus LANs or WLANs).

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

La présente invention concerne un procédé consistant à découvrir, par un dispositif client dans un réseau sans fil, une disponibilité d'un nouveau dispositif à établir une connexion au Nuage (par exemple, Internet) par l'intermédiaire du réseau sans fil, et à déterminer un ensemble de services de base de point d'accès ou à créer un ensemble de services de base indépendants comme point d'entrée pour permettre au nouveau dispositif de se joindre au réseau sans fil sur une liaison sans fil. De plus, le procédé consiste à établir une session de communication sécurisée sur la liaison sans fil, et à envoyer, du dispositif client au nouveau dispositif, des informations comprenant des justificatifs d'identité de réseau sans fil et des informations d'enregistrement nécessaires pour établir une connexion du nouveau dispositif au Nuage par l'intermédiaire du réseau sans fil.
PCT/RU2014/000495 2014-07-04 2014-07-04 Démarrage de dispositif vers réseau sans fil WO2016003311A1 (fr)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/RU2014/000495 WO2016003311A1 (fr) 2014-07-04 2014-07-04 Démarrage de dispositif vers réseau sans fil

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/RU2014/000495 WO2016003311A1 (fr) 2014-07-04 2014-07-04 Démarrage de dispositif vers réseau sans fil

Publications (1)

Publication Number Publication Date
WO2016003311A1 true WO2016003311A1 (fr) 2016-01-07

Family

ID=52595399

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/RU2014/000495 WO2016003311A1 (fr) 2014-07-04 2014-07-04 Démarrage de dispositif vers réseau sans fil

Country Status (1)

Country Link
WO (1) WO2016003311A1 (fr)

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20160294828A1 (en) * 2015-03-31 2016-10-06 Kiban Labs, Inc. System and method for automatic wireless network authentication
EP3206423A1 (fr) * 2016-02-15 2017-08-16 Thomson Licensing Dispositif et procédé pour dispositifs de connexion à un réseau
WO2017146438A1 (fr) * 2016-02-24 2017-08-31 Samsung Electronics Co., Ltd. Appareil d'affichage et procédé de paramétrage du canal opérationnel dudit appareil
EP3253095A1 (fr) * 2016-05-31 2017-12-06 Advanced Digital Broadcast S.A. Dispositif d'activation iot et procédé de fabrication associé
US9906956B1 (en) 2016-12-15 2018-02-27 Google Inc. Using power-line networks to facilitate network access
EP3416002A1 (fr) * 2017-06-13 2018-12-19 Omron Corporation Système de gestion de la quantité de puissance, programme de reconnaissance de moniteur de quantité de puissance et support d'enregistrement
US20190116087A1 (en) * 2017-10-13 2019-04-18 BLX.io LLC CONFIGURATION FOR IoT DEVICE SETUP
US10298581B2 (en) 2017-04-28 2019-05-21 Cisco Technology, Inc. Zero-touch IoT device provisioning
US10574445B2 (en) 2016-12-21 2020-02-25 Intel IP Corporation Range constrained device configuration
WO2023000726A1 (fr) * 2021-07-21 2023-01-26 广州地铁集团有限公司 Procédé à intégration inverse d'accès à un dispositif, procédé et système de gestion d'intégration inverse pour un dispositif, et dispositif informatique

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2012026932A1 (fr) * 2010-08-25 2012-03-01 Thomson Licensing Procédé et appareil pour configuration radio dans dispositif sans fil
US20120240191A1 (en) * 2011-03-14 2012-09-20 Jordan Husney Wireless device nearfield security configuration
US20120254960A1 (en) * 2011-03-31 2012-10-04 Victor Lortz Connecting mobile devices, internet-connected vehicles, and cloud services
US20140068727A1 (en) * 2012-09-05 2014-03-06 Apple Inc. Wi-fi credential sharing using images
US20140075523A1 (en) * 2012-09-10 2014-03-13 Nokia Corporation Method, apparatus, and computer program product for sharing wireless network credentials

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2012026932A1 (fr) * 2010-08-25 2012-03-01 Thomson Licensing Procédé et appareil pour configuration radio dans dispositif sans fil
US20120240191A1 (en) * 2011-03-14 2012-09-20 Jordan Husney Wireless device nearfield security configuration
US20120254960A1 (en) * 2011-03-31 2012-10-04 Victor Lortz Connecting mobile devices, internet-connected vehicles, and cloud services
US20140068727A1 (en) * 2012-09-05 2014-03-06 Apple Inc. Wi-fi credential sharing using images
US20140075523A1 (en) * 2012-09-10 2014-03-13 Nokia Corporation Method, apparatus, and computer program product for sharing wireless network credentials

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
DONALD BELL: "How to set up a Chromecast - CNET", 26 July 2013 (2013-07-26), XP055183710, Retrieved from the Internet <URL:http://www.cnet.com/how-to/how-to-set-up-a-chromecast/> [retrieved on 20150416] *

Cited By (25)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10523672B2 (en) 2015-03-31 2019-12-31 Afero, Inc. System and method for automatic wireless network authentication
US11683307B2 (en) 2015-03-31 2023-06-20 Afero, Inc. System and method for automatic wireless network authentication
US20160294828A1 (en) * 2015-03-31 2016-10-06 Kiban Labs, Inc. System and method for automatic wireless network authentication
US9838390B2 (en) * 2015-03-31 2017-12-05 Afero, Inc. System and method for automatic wireless network authentication
US10992672B2 (en) 2015-03-31 2021-04-27 Afero, Inc. System and method for automatic wireless network authentication
EP3206423A1 (fr) * 2016-02-15 2017-08-16 Thomson Licensing Dispositif et procédé pour dispositifs de connexion à un réseau
US11350413B2 (en) 2016-02-24 2022-05-31 Samsung Electronics Co., Ltd. Display apparatus and method of setting operating channel of the same
US10602514B2 (en) 2016-02-24 2020-03-24 Samsung Electronics Co., Ltd. Display apparatus and method of setting operating channel of the same
WO2017146438A1 (fr) * 2016-02-24 2017-08-31 Samsung Electronics Co., Ltd. Appareil d'affichage et procédé de paramétrage du canal opérationnel dudit appareil
KR102487534B1 (ko) * 2016-02-24 2023-01-11 삼성전자주식회사 디스플레이 장치 및 디스플레이 장치의 동작 채널 설정방법
KR20170099665A (ko) * 2016-02-24 2017-09-01 삼성전자주식회사 디스플레이 장치 및 디스플레이 장치의 동작 채널 설정방법
US10849127B2 (en) 2016-02-24 2020-11-24 Samsung Electronics Co., Ltd. Display apparatus and method of setting operating channel of the same
EP3253095A1 (fr) * 2016-05-31 2017-12-06 Advanced Digital Broadcast S.A. Dispositif d'activation iot et procédé de fabrication associé
US9906956B1 (en) 2016-12-15 2018-02-27 Google Inc. Using power-line networks to facilitate network access
US11387989B2 (en) 2016-12-21 2022-07-12 Intel Corporation Range constrained device configuration
US10574445B2 (en) 2016-12-21 2020-02-25 Intel IP Corporation Range constrained device configuration
US12028445B2 (en) 2016-12-21 2024-07-02 Intel Corporation Range constrained device configuration
US10298581B2 (en) 2017-04-28 2019-05-21 Cisco Technology, Inc. Zero-touch IoT device provisioning
CN109085773B (zh) * 2017-06-13 2021-12-14 欧姆龙株式会社 电能管理系统以及计算机可读存储介质
EP3416002A1 (fr) * 2017-06-13 2018-12-19 Omron Corporation Système de gestion de la quantité de puissance, programme de reconnaissance de moniteur de quantité de puissance et support d'enregistrement
JP2019004561A (ja) * 2017-06-13 2019-01-10 オムロン株式会社 電力量管理システム、電力量モニタ認識プログラム及び記録媒体
CN109085773A (zh) * 2017-06-13 2018-12-25 欧姆龙株式会社 电能管理系统以及计算机可读存储介质
US20190116087A1 (en) * 2017-10-13 2019-04-18 BLX.io LLC CONFIGURATION FOR IoT DEVICE SETUP
US11469941B2 (en) * 2017-10-13 2022-10-11 BLX.io LLC Configuration for IoT device setup
WO2023000726A1 (fr) * 2021-07-21 2023-01-26 广州地铁集团有限公司 Procédé à intégration inverse d'accès à un dispositif, procédé et système de gestion d'intégration inverse pour un dispositif, et dispositif informatique

Similar Documents

Publication Publication Date Title
US10979412B2 (en) Methods and apparatus for secure device authentication
US10218501B2 (en) Method, device, and system for establishing secure connection
WO2016003311A1 (fr) Démarrage de dispositif vers réseau sans fil
EP3183857B1 (fr) Fourniture sécurisée de justificatif d&#39;identité d&#39;authentification
US9031050B2 (en) Using a mobile device to enable another device to connect to a wireless network
US8787572B1 (en) Enhanced association for access points
US8594632B1 (en) Device to-device (D2D) discovery without authenticating through cloud
CN105684344B (zh) 一种密钥配置方法和装置
US11863985B2 (en) Method and apparatus for detecting and handling evil twin access points
EP3334084B1 (fr) Procédé d&#39;authentification de sécurité, procédé de configuration et dispositif associé
JP2018521566A (ja) 分散されたコンフィギュレータエンティティ
KR20160078426A (ko) 무선 직접통신 네트워크에서 비대칭 키를 사용하여 아이덴티티를 검증하기 위한 방법 및 장치
KR20160078475A (ko) 키 구성 방법, 시스템, 및 장치
TW201728197A (zh) 具有多個安全等級的無線通信系統
US20230344626A1 (en) Network connection management method and apparatus, readable medium, program product, and electronic device
US10097524B2 (en) Network configuration method, and related apparatus and system
EP3794852B1 (fr) Procédés et systèmes sécurisés permettant d&#39;identifier des dispositifs connectés bluetooth avec application installée
EP3117576B1 (fr) Appariement de dispositifs
JP6570355B2 (ja) 通信装置、通信方法及びプログラム
US11652625B2 (en) Touchless key provisioning operation for communication devices
WO2016003310A1 (fr) Amorçage d&#39;un dispositif à un réseau sans fil
WO2023070433A1 (fr) Authentification entre des dispositifs sans fil et des serveurs périphériques
CN115767529A (zh) 无线连接的建立方法、电子设备、程序产品和存储介质
CN115767541A (zh) 无线连接的建立方法、电子设备、程序产品和存储介质

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 14841344

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 14841344

Country of ref document: EP

Kind code of ref document: A1