WO2016049895A1 - Procédé de configuration, appareil et dispositif de configuration - Google Patents

Procédé de configuration, appareil et dispositif de configuration Download PDF

Info

Publication number
WO2016049895A1
WO2016049895A1 PCT/CN2014/088018 CN2014088018W WO2016049895A1 WO 2016049895 A1 WO2016049895 A1 WO 2016049895A1 CN 2014088018 W CN2014088018 W CN 2014088018W WO 2016049895 A1 WO2016049895 A1 WO 2016049895A1
Authority
WO
WIPO (PCT)
Prior art keywords
key
signature
network
configuration
information
Prior art date
Application number
PCT/CN2014/088018
Other languages
English (en)
Chinese (zh)
Inventor
李小仙
方平
Original Assignee
华为技术有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 华为技术有限公司 filed Critical 华为技术有限公司
Priority to CN201480080297.5A priority Critical patent/CN106471831B/zh
Priority to PCT/CN2014/088018 priority patent/WO2016049895A1/fr
Publication of WO2016049895A1 publication Critical patent/WO2016049895A1/fr

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/18Network architectures or network communication protocols for network security using different networks or channels, e.g. using out of band channels
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/08Access security
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/50Secure pairing of devices

Definitions

  • the present invention relates to the field of wireless communications, and in particular, to a method, a device, and a device for configuring.
  • a configuration method is: firstly, the device is configured to interact with the first device to obtain related information of the first device, and the related information is sent to the first device to implement configuration on the first device; The device interacts with the second device, acquires related information of the second device, and sends related information to the second device to implement configuration of the second device. Finally, the first device configured by the configuration device is configured by The second device configured with the device is configured to perform wireless communication, thereby avoiding a complicated process such as manually inputting a password by the user.
  • the configuration device separately configures the first device and the second device, if the configuration device cannot communicate with the device in-band, for example, a device does not support in-band communication, or configures the device with a certain device. If the inband communication mode supported by the device does not match, the above configuration process cannot be completed, resulting in a lower success rate for configuring the device.
  • the invention provides a method, a device and a device for configuring, which can improve the success rate of device configuration.
  • the present invention provides a method for configuring, in a configuration system, where the configuration system includes a first device, a second device, and a configuration device, and the configuration device performs in-band with the first device. Communication, the configuration device and the second device perform out-of-band communication; the method includes:
  • the first device generates an encryption key according to the out-of-band key of the second device, where the encryption key is used to encrypt information sent by the first device to the second device;
  • the first device generates a first signature generation key and a first signature verification key, where the first signature generation key is used for signing by the first device, and the first signature verification key is used for Decoding the information signed by the first device, and the first signature generation key and the first signature verification key correspond to each other;
  • the first device uses the first signature generation key to sign the second network key to obtain first signature information.
  • the first device sends the encrypted first connection information to the second device, where the first connection information includes the first signature information and the second network key, and the encrypted first connection
  • the information is obtained by the first device by using the first key to encrypt the first connection information
  • the first key is obtained by the first device according to the encryption key, so that the second device
  • the method before the receiving, by the first device, the second device out-of-band key sent by the configuration device, the method further includes:
  • the first device generates a first network key, where the first network key is used by the second device to generate a shared key;
  • the first device sends the first network key to the configuration device, so that the configuration device generates and sends second connection information to the first device according to at least the first network key.
  • the method further includes :
  • the second connection information that is sent by the configuration device, where the second connection information includes second signature information and the first network key, where the second signature information is configured by the configuration device Signing the first network key by using a second signature generation key, the second signature generation key is generated by the configuration device, and the second signature generation key is used by the configuration device to perform signature
  • the second signature generation key and the second signature verification key correspond to each other.
  • the first device sends a second message, where the second message carries the second connection information, the second connection information includes the second signature information, and the second signature information includes the first network a key, so that the second device receives the second message sent by the first device, and determines, according to the second signature information carried in the second message, whether the first device is legal, and at least according to the Generating, by the first network key in the second signature information, a second shared key, where the second shared key is a pre-key between the first device and the second device, where the pre- The key is used for handshake authentication between the first device and the second device.
  • the method further includes:
  • the first device generates a third network key, where the third network key is used by the second device to generate a shared key;
  • the first device sends a third message to the second device, where the third message carries the third connection information, so that the second device acquires the third network key, and at least according to the Generating a new second shared key, the new second shared key being a pre-key between the first device and the second device, where the pre-key is used Handshake authentication is performed between the first device and the second device.
  • the method further includes:
  • the first device determines that the second device is legal according to the first signature information carried in the first message.
  • the first device determines, according to the first signature information that is carried by the first message, The second device is legal, including:
  • the device that obtains the first signature information is a trusted device, and the trusted device includes the first device or the configuration device.
  • the first device determines, according to the first signature information that is carried by the first message, The second device is legal, including:
  • the first device decrypts the first signature information by using the first signature verification key to obtain a decryption result
  • the first device compares the decryption result with the second network key included in the first connection information
  • the first device determines that the second device is legal.
  • the first device further includes:
  • the first device If the second device is determined to be legal, the first device generates a first shared key according to the second network key, where the first shared key is the first device and the second A pre-key between the devices, where the pre-key is used for handshake authentication between the first device and the second device.
  • the first device generates a first shared key according to the second network key, specifically include:
  • the first device generates a DH shared key according to a Diffey Herman DH key generation algorithm according to the private key corresponding to the first network key and the second network key, and generates the DH a shared key, or a key derived from the DH shared key, as the first shared key; or
  • the first device is in accordance with an elliptic curve cryptosystem based on Diffie Hermann ECDH a key generation algorithm, generating an ECDH shared key according to the private key corresponding to the first network key, and the second network key, and deriving the ECDH shared key or derived by the ECDH shared key The obtained key is used as the first shared key.
  • the method further includes:
  • the first device determines that the second device is legal.
  • the present invention provides a device for configuring a first device, where the first device is located in a configuration system, where the configuration system includes a first device, a second device, and a configuration device, where the configuration device In-band communication between the first devices, the configuration device and the second device perform out-of-band communication; the device includes:
  • a receiving unit configured to receive a second device out-of-band key sent by the configuration device, where the second device out-of-band key is obtained by the configuration device by performing out-of-band communication with the second device;
  • a generating unit configured to generate an encryption key according to the second device out-of-band key received by the receiving unit, where the encryption key is used to encrypt information sent by the first device to the second device;
  • the generating unit is further configured to generate a first signature generation key and a first signature verification key, where the first signature generation key is used for signing by the first device, and the first signature verification key is used by Decrypting the information signed by the first device, and the first signature generation key and the first signature verification key correspond to each other;
  • the receiving unit is further configured to receive a second network key sent by the second device, where the second network key is generated by the second device, and the second network key is used by the first
  • the device generates a shared key
  • a signature unit configured to generate, by using the first signature, a key to the receiving unit
  • the second network key is signed to obtain the first signature information
  • a sending unit configured to send the encrypted first connection information to the second device, where the first connection information includes the first signature information and the second network key obtained by the signature unit signature, where The first connection information that is encrypted is obtained by the first device by using the first key to encrypt the first connection information, where the first key is generated by the first device according to the generating unit.
  • the encryption key is obtained, so that the second device acquires and sends the first connection information to the first device, where the first connection information is used by the first device to determine whether the second device is legal. .
  • the receiving unit is further configured to: before the receiving unit receives the second device out-of-band key, receive a second signature verification key sent by the configuration device, where the second signature verification key is Configuring device generation, where the second signature verification key is used to decrypt the information signed by the configuration device;
  • the generating unit is further configured to generate a first network key, where the first network key is used by the second device to generate a shared key;
  • the sending unit is further configured to send the first network key generated by the generating unit to the configuration device, so that the configuration device generates and reports the at least according to the first network key.
  • the first device sends the second connection information.
  • the receiving unit is further configured to: after the transmitting unit sends the first network key, receive the second connection information sent by the configuration device, where the second connection information includes second signature information and a location a first network key, the second signature information is obtained by the configuration device by using a second signature generation key to sign the first network key, and the second signature generation key is configured by the configuration device
  • the second signature generation key is used by the configuration device to perform signature, and the second signature generation key and the second signature verification key correspond to each other.
  • the sending unit is further configured to send the encrypted second message, where the second message carries the second connection information, the second connection information includes the second signature information, and the second signature information
  • the first network key is included, so that the second device receives the second message sent by the first device, and determines, according to the second signature information carried in the second message, whether the first device is Legitimate, and generating a second shared key according to the first network key in the second signature information, where the second shared key is a pre-determination between the first device and the second device a key, the pre-key is used for handshake authentication between the first device and the second device.
  • the generating unit is further configured to generate a third network key, where the third network key is used by the second device to generate a shared key;
  • the sending unit is further configured to send the third network key to the configuration device
  • the receiving unit is further configured to receive third connection information that is sent by the configuration device, where the third connection information includes third signature information and the third network key, and the third signature information is configured by the third The device uses the second signature generation key to sign the third network key;
  • the sending unit is further configured to send a third message to the second device, where the third message carries the third connection information, so that the second device acquires the third network key, and Generating a new second shared key according to the third network key, where the new second shared key is a pre-key between the first device and the second device, the pre-density
  • the key is used for handshake authentication between the first device and the second device.
  • the sending unit is further configured to send the encrypted second signature verification key to the second device, where the encrypted second signature verification key is used by the first device by using the second key pair
  • the second signature verification key is obtained by encryption, and the second key is obtained by the first device according to the encryption key, so that the second device receives the second signature verification key, and according to the The second signature verification key and the second signature information carried by the second message determine that the first device is legal.
  • the receiving unit is further configured to receive a first message sent by the second device, where the first message carries the first connection information;
  • the device further includes: a determining unit;
  • the determining unit is configured to determine, according to the first signature information carried in the first message, that the second device is legal.
  • the determining unit is configured to determine, according to the first signature information carried in the first message, whether a device that obtains the first signature information by signature is a trusted device, where the trusted device is the first Device or the configuration device.
  • the device further includes: a decryption unit, a comparison unit;
  • the decrypting unit is configured to decrypt the first signature information by using the first signature verification key to obtain a decryption result
  • the comparison unit configured to compare the decrypted result obtained by decrypting the decryption unit with the second network key included in the first connection information
  • the determining unit is configured to determine that the second device is legal when the comparing unit matches the decryption result with the second network key.
  • the generating unit is further configured to: when the determining unit determines that the second device is legal, generate a first shared key according to at least the second network key, where the first shared key is the first a pre-key between the device and the second device, where the pre-key is used for handshake authentication between the first device and the second device.
  • the generating unit is specifically configured to generate a DH shared key according to a private key corresponding to the first network key and the second network key according to a Diffey Herman DH key generation algorithm, and The DH shared key, or a key derived by the DH shared key, as the first shared key;
  • the generating unit is further configured to perform, according to an elliptic curve cryptosystem-based Dieffie Herman ECDH key generation algorithm, according to the private key corresponding to the first network key, and the second network key. Generating an ECDH shared key and using the ECDH shared key or a key derived from the ECDH shared key as the first shared key.
  • the determining unit is further configured to determine whether the second device stores a private key corresponding to the second device out-of-band key;
  • the determining unit is further configured to determine that the second device is legal when the second device stores the private key corresponding to the outband key of the second device.
  • the present invention provides a device, where the device is a first device, and the first device is located in a configuration system, where the configuration system includes a first device, a second device, and a configuration device, where the configuration device and the device are Performing in-band communication between the first device, the configuration device and the second device performing out-of-band communication; the first device includes:
  • a receiver configured to receive a second device out-of-band key sent by the configuration device, where the second device out-of-band key is obtained by the configuration device by performing out-of-band communication with the second device;
  • a processor configured to generate, according to the second device out-of-band key received by the receiver a secret key, where the encryption key is used to encrypt information sent by the first device to the second device;
  • the processor is further configured to generate a first signature generation key and a first signature verification key, where the first signature generation key is used for signing by the first device, and the first signature verification key is used by Decrypting the information signed by the first device, and the first signature generation key and the first signature verification key correspond to each other;
  • the receiver is further configured to receive a second network key sent by the second device, where the second network key is generated by the second device, and the second network key is used by the first
  • the device generates a shared key
  • the processor is further configured to: use the first signature generation key to sign the second network key received by the receiver to obtain first signature information;
  • a transmitter configured to send, to the second device, the encrypted first connection information, where the first connection information includes the first signature information and the second network key obtained by the processor signature, where The encrypted first connection information is obtained by the first device by using the first key to encrypt the first connection information, where the first key is generated by the first device according to the processor.
  • the encryption key is obtained, so that the second device acquires and sends the first connection information to the first device, where the first connection information is used by the first device to determine whether the second device is legal. .
  • the receiver is further configured to: before the receiver receives the second device out-of-band key, receive a second signature verification key sent by the configuration device, where the second signature verification key is Configuring device generation, where the second signature verification key is used to decrypt the information signed by the configuration device;
  • the processor is further configured to generate a first network key, where the first network key is used by the second device to generate a shared key;
  • the transmitter is further configured to send the first network key generated by the processor to the configuration device, so that the configuration device generates and reports the at least according to the first network key.
  • the first device sends the second connection information.
  • the receiver is further configured to: after the sending, by the sender, the first network key, receive the second connection information sent by the configuration device, where the second connection information includes second signature information and a location a first network key, the second signature information is obtained by the configuration device by using a second signature generation key to sign the first network key, and the second signature generation key is configured by the configuration device
  • the second signature generation key is used by the configuration device to perform signature, and the second signature generation key and the second signature verification key correspond to each other.
  • the transmitter is further configured to send the encrypted second message to the second device, where the second message carries the second connection information, and the second connection information includes the second signature information,
  • the second signature information includes the first network key, and the encrypted second message is obtained by the first device encrypting the second message by using a fourth key, where the fourth key is obtained.
  • the processor is further configured to generate a third network key, where the third network key is used by the second device to generate a shared key;
  • the transmitter is further configured to send the third network key to the configuration device;
  • the receiver is further configured to receive third connection information that is sent by the configuration device, where the third connection information includes third signature information and the third network key, where the third signature information is The configuration device uses the second signature generation key to sign the third network key;
  • the transmitter is further configured to send a third message to the second device, where the third message carries the third connection information, so that the second device acquires the third network key, and Generating a new second shared key according to the third network key, where the new second shared key is a pre-key between the first device and the second device, the pre-density
  • the key is used for handshake authentication between the first device and the second device.
  • the transmitter is further configured to send the encrypted second signature verification key to the second device, where the encrypted second signature verification key is used by the first device by using the second key pair
  • the second signature verification key is obtained by encryption, and the second key is obtained by the first device according to the encryption key, so that the second device receives the second signature verification key, and according to the The second signature verification key and the second signature information carried by the second message determine that the first device is legal.
  • the receiver is further configured to receive a first message sent by the second device, where the first message carries the first connection information;
  • the processor is further configured to determine that the second device is legal according to the first signature information carried by the first message.
  • the processor is configured to determine, according to the first signature information that is carried in the first message, whether a device that obtains the first signature information by signature is a trusted device, where the trusted device is the first Device or the configuration device.
  • the processor is further configured to decrypt the first signature information by using the first signature verification key to obtain a decryption result
  • the processor is further configured to compare the decryption result with the second network key included in the first connection information
  • the processor is configured to determine that the second device is legal when the decryption result matches the second network key.
  • the processor is further configured to: when determining that the second device is legal, generate a first shared key according to the second network key, where the first shared key is the first device and the And a pre-key between the second device, where the pre-key is used for handshake authentication between the first device and the second device.
  • the processor is specifically configured to generate a DH shared key according to a private key corresponding to the first network key and the second network key according to a Dieffie Herman DH key generation algorithm, and The DH shared key, or a key derived by the DH shared key, as the first shared key;
  • the processor is further configured to perform, according to an elliptic curve cryptosystem-based Dieffie Herman ECDH key generation algorithm, according to the private key corresponding to the first network key, and the second network key. Generating an ECDH shared key and using the ECDH shared key or a key derived from the ECDH shared key as the first shared key.
  • the processor is further configured to determine whether the second device stores a private key corresponding to the outband key of the second device;
  • the processor is further configured to determine that the second device is legal when the second device stores the private key corresponding to the outband key of the second device.
  • the present invention provides a configuration method, which is applied to a configuration system, where the configuration system includes a first device, a second device, a configuration device, and a third device, where the configuration device and the first device In-band communication is performed, the configuration device performs out-of-band communication with the second device, the configuration device performs in-band communication with the third device, and the first device has configured the Two devices; the method includes:
  • the third device receives the first signature verification key and the first network key sent by the configuration device, where the first signature verification key is generated by the first device and sent to the configuration device, The first signature verification key is used to decrypt the information signed by the first device, and the first network key is generated by the first device and sent to the configuration device, where the first network key is used. Generating a shared key for the second device;
  • the third device Receiving, by the third device, the first message sent by the second device, where the first message carries first connection information, where the first connection information includes first signature information and a peer network key, where A signature information is obtained by the first device by using a first signature generation key to sign a second network key, the first signature generation key is generated by the first device, and the first signature generates a key
  • the first device generates a signature, the first signature generation key and the first signature verification key correspond to each other, and the second network key is generated by the second device, where the The second network key is used by the first device or the third device to generate a shared key;
  • the third device determines, according to the first signature information, whether the second device is legal.
  • the third device according to the first network key, determining whether the peer network key is legal, specifically includes:
  • the third device determines whether the peer network key is a trusted network key, and the trusted network key includes the first network key.
  • the first connection information further includes a second network key
  • the third device decrypts the first signature information by using the first signature verification key to obtain a decryption result
  • the third device compares the decrypted result with the second network key
  • the third device determines that the second device is legal.
  • the method further includes:
  • the third device generates a third shared key according to the second network key, where the third shared key is a pre-key for performing handshake authentication between the third device and the second device. .
  • the third device generates a third shared key according to the second network key, specifically include:
  • the third device generates a DH shared key according to a Diffey Herman DH key generation algorithm, according to a private key corresponding to the fourth network key, and the second network key, and shares the DH a key, or a key derived from the DH shared key, as the third shared key, the fourth network key is used by the second device to generate a shared key; or
  • the third device generates an ECDH shared secret according to a Diffie Hermann ECDH key generation algorithm based on an elliptic curve cryptosystem, according to a private key corresponding to the fourth network key, and the second network key. a key, and the ECDH shared key, or a key derived from the ECDH shared key, as the third shared key.
  • the method further includes:
  • the third device generates a fourth network key, where the fourth network key is used by the second device to generate a shared key;
  • the third device sends the fourth network key to the configuration device.
  • the third device receives fourth connection information that is sent by the configuration device, where the fourth connection information includes fourth signature information and the fourth network key, and the fourth signature information is used by the configuration device.
  • the second signature generation key is obtained by signing the fourth network key, the second signature generation key and the second signature verification key are generated by the configuration device, and the second signature generation key is used for The configuration device performs signing, the second signature verification key is used to decrypt the information signed by the configuration device, and the second signature generation key and the second signature verification key correspond to each other.
  • the method further includes:
  • the third device sends a fourth message to the second device, where the fourth message carries the fourth connection information, and the fourth connection information includes the fourth signature information, so that the second Receiving, by the device, the fourth message sent by the third device, and determining, according to the fourth signature information carried by the fourth message, and the second signature verification key, whether the third device is legal,
  • the second signature verification key is configured by the first device, the second signature verification key is sent to the second device.
  • the present invention provides a device for configuring a third device, where the third device is located in a configuration system, where the configuration system includes a first device, a second device, a configuration device, and a third device, Performing in-band communication between the configuration device and the first device, performing out-of-band communication between the configuration device and the second device, and performing in-band communication between the configuration device and the third device
  • the first device has configured the second device; the device includes:
  • a receiving unit configured to receive a first signature verification key and a first network key sent by the configuration device, where the first signature verification key is generated by the first device and sent to the configuration device, The first signature verification key is used to decrypt the information signed by the first device, and the first network key is generated by the first device and sent to the configuration device, where the first network key is used. Generating a shared key for the second device;
  • the receiving unit is further configured to receive a first message sent by the second device, where the first message carries first connection information, where the first connection information includes first signature information and a peer network key,
  • the first signature information is obtained by the first device by using a first signature generation key to sign a second network key, and the first signature generation key is generated by the first device, the first signature Generating a key for the first device to perform signature, the first signature generation key and the first signature verification key mutually correspond, and the second network key is generated by the second device,
  • the second network key is used by the first device or the third device to generate a shared key;
  • a determining unit configured to determine, according to the first network key received by the receiving unit, whether the peer network key is legal
  • the determining unit is further configured to determine, according to the first signature information received by the receiving unit, whether the second device is legal when the peer network key is legal.
  • the determining unit is specifically configured to determine whether the peer network key is a trusted network key, and the trusted network key includes the first network key.
  • the first connection information received by the receiving unit further includes a second network key
  • the device further includes: a decryption unit and a comparison unit;
  • the decrypting unit is configured to decrypt the first signature information by using the first signature verification key to obtain a decryption result
  • the comparing unit configured to compare the decrypted result obtained by decrypting the decrypting unit with the second network key
  • the determining unit is configured to determine that the second device is legal when the comparing unit matches the decryption result with the second network key.
  • the device further includes: a generating unit;
  • the generating unit is configured to generate a third shared key according to the second network key received by the receiving unit, where the third shared key is the third device and the second device A pre-key for handshaking authentication.
  • the generating unit specifically includes: according to a Diffie Hermann DH key generation algorithm, generating a DH shared key according to a private key corresponding to the fourth network key, and the second network key, and generating the DH a shared key, or a key derived from the DH shared key, as the third shared key, where the fourth network key is used by the second device to generate a shared key; or
  • the generating unit specifically includes a Dieffie Herman ECDH key generation algorithm based on an elliptic curve cryptosystem, and generates an ECDH according to the private key corresponding to the fourth network key and the second network key.
  • the key is shared, and the ECDH shared key or a key derived from the ECDH shared key is used as the third shared key.
  • the generating unit is further configured to generate a fourth network key, where the fourth network key is used by the second device to generate a shared key;
  • the device further includes: a transmitting unit;
  • the sending unit is configured to send the fourth network key generated by the generating unit to the configuration device.
  • the receiving unit is further configured to receive fourth connection information that is sent by the configuration device, where the fourth connection information includes fourth signature information and the fourth network key, and the fourth signature information And signing, by the configuration device, the fourth network key by using a second signature generation key, where the second signature generation key and the second signature verification key are generated by the configuration device, and the second a signature generation key is used for signing by the configuration device, the second signature verification key is used to decrypt information signed by the configuration device, and the second signature generation key is encrypted with the second signature.
  • the keys correspond to each other.
  • the sending unit is further configured to send a fourth message to the second device, where the fourth message carries the fourth connection information, and the fourth connection information includes the fourth signature information, so that The second device receives the fourth message sent by the third device, and determines whether the third device is legal according to the fourth signature information carried by the fourth message and the second signature verification key. And the second signature verification key is sent to the second device when the second device is configured by the first device.
  • the present invention provides a device, where the device is a third device, and the third device is located in a configuration system, where the configuration system includes a first device, a second device, a configuration device, and a third device, and features
  • the in-band communication is performed between the configuration device and the first device
  • the out-of-band communication is performed between the configuration device and the second device
  • the configuration device and the third device perform a band Internal communication
  • the first device has configured the second device
  • the third device includes:
  • a receiver configured to receive a first signature verification key and a first network key sent by the configuration device, where the first signature verification key is generated by the first device and sent to the configuration device, The first signature verification key is used to decrypt the information signed by the first device, and the first network key is generated by the first device and sent to the configuration device, where the first network key is used. Generating a shared key for the second device;
  • the receiver is further configured to receive a first message sent by the second device, where the first message carries first connection information, where the first connection information includes first signature information and a peer network key,
  • the first signature information is generated by the first device by using a first signature to generate a key pair to the second network
  • the first key generation key is generated by the first device, the first signature generation key is used by the first device to perform signature, and the first signature generates a key and
  • the first signature verification keys correspond to each other, the second network key is generated by the second device, and the second network key is used by the first device or the third device to generate a share. Key
  • a processor configured to determine, according to the first network key received by the receiver, whether the peer network key is legal;
  • the processor is further configured to determine, according to the first signature information received by the receiver, whether the second device is legal when the peer network key is legal.
  • the processor is specifically configured to determine whether the peer network key is a trusted network key, and the trusted network key includes the first network key.
  • the first connection information received by the receiver further includes a second network key
  • the processor is further configured to decrypt the first signature information by using the first signature verification key to obtain a decryption result
  • the processor is further configured to compare the decrypted result obtained by decryption with the second network key
  • the processor is configured to determine that the second device is legal when the decryption result matches the second network key.
  • the processor is configured to generate a third shared key according to the second network key received by the receiver, where the third shared key is the third device and the second device A pre-key for handshaking authentication.
  • the processor specifically includes: according to a Diffie Hermann DH key generation algorithm, generating a DH shared key according to a private key corresponding to the fourth network key, and the second network key, and generating the DH a shared key, or a key derived from the DH shared key, as the third shared key, the fourth network key being used by the second device to generate a shared secret; or
  • the processor specifically includes a Dieffie Herman ECDH key generation algorithm based on an elliptic curve cryptosystem, generating an ECDH according to the private key corresponding to the fourth network key, and the second network key
  • the key is shared, and the ECDH shared key or a key derived from the ECDH shared key is used as the third shared key.
  • the processor is further configured to generate a fourth network key, where the fourth network key is used by the second device to generate a shared key;
  • the third device further includes: a transmitter
  • the transmitter is configured to send the fourth network key generated by the processor to the configuration device.
  • the receiver is further configured to receive fourth connection information that is sent by the configuration device, where the fourth connection information includes fourth signature information and the fourth network key, where the fourth signature information is configured by the
  • the device obtains the fourth network key by using a second signature generation key, where the second signature generation key and the second signature verification key are generated by the configuration device, and the second signature generates a key.
  • the second device signature verification key is used to decrypt the information signed by the configuration device, and the second signature generation key and the second signature verification key are mutually correspond.
  • the transmitter is further configured to send a fourth message to the second device, where the fourth message carries the fourth connection information, and the fourth connection information includes the fourth signature information, so that The second device receives the fourth message sent by the third device, and determines the third device according to the fourth signature information carried by the fourth message and the second signature verification key. If the second signature verification key is configured by the first device, the second signature verification key is sent to the second device.
  • the method, the configured device and the device provided by the present invention first configure the device to perform out-of-band communication with the second device, obtain the out-of-band key of the second device, and send the second device out-of-band key to the first device. So that the first device generates an encryption key according to the second device out-of-band key, and then the first device generates a first signature generation key and a first signature verification key, and receives a second network key sent by the second device, The first device generates a key according to the first signature, signs the second network key, obtains the first signature information, and sends the first connection information encrypted according to the encryption key to the second device, where the first connection information includes First signature information and a second network key.
  • the present invention obtains the out-of-band key of the second device by performing out-of-band communication between the configuration device and the second device, and obtains the second device.
  • the out-of-band key is sent to the first device, so that the first device can be configured to communicate with the second device, so that the first device can be configured to configure the second device, that is, when the device is not configured between the device and the second device.
  • a device does not support in-band communication, or the configuration device does not match the in-band communication mode supported by a device, and the second device can be configured by the first device, thereby improving device configuration. Success rate.
  • the method, the device and the device for configuring the configuration provided by the present invention when the first device has configured the second device, first configuring the device to send the first signature verification key and the first network key to the third device, the first signature verification
  • the key and the first network key are generated by the first device and sent to the configuration device, and then the second device sends the first message carrying the first connection information to the third device, where the first connection information includes the first signature information and the pair
  • the network device determines whether the peer network key is legal according to the first network key. If the peer network key is legal, the third device determines whether the second device is legal according to the first signature information.
  • the present invention configures the second device according to the second device out-of-band key by the first device, and the second device out-of-band key is configured.
  • Device and second device The outband communication is obtained, and the configuration device sends the first signature verification key and the first network key to the third device, and the second device sends the first connection information to the third device, so that the third device can be implemented according to the first network.
  • the second device is configured to the third device, that is, the third device is configured to configure the second device, thereby improving the success rate of the device for configuration.
  • FIG. 1 is a schematic structural diagram of a system for configuring a system according to an embodiment of the present invention
  • FIG. 3 is a flowchart of a method for configuring another embodiment of the present invention.
  • FIG. 4 is a schematic structural diagram of a system configuration of another configuration system according to an embodiment of the present invention.
  • FIG. 5 is a flowchart of a method for another configuration according to an embodiment of the present invention.
  • FIG. 6 is a flowchart of a method for configuring another embodiment of the present invention.
  • FIG. 7 is a schematic structural diagram of an apparatus configured in an embodiment of the present invention.
  • FIG. 8 is a schematic structural diagram of another apparatus according to an embodiment of the present invention.
  • FIG. 9 is a schematic structural diagram of a first device according to an embodiment of the present invention.
  • FIG. 10 is a schematic structural diagram of another apparatus according to an embodiment of the present invention.
  • FIG. 11 is a schematic structural diagram of another apparatus according to an embodiment of the present invention.
  • FIG. 12 is a schematic structural diagram of a third device according to an embodiment of the present invention.
  • the technical solution provided by the embodiment of the present invention is applied to a configuration system.
  • the system architecture of the present invention is as shown in FIG. 1 , and the configuration system includes a first device, a second device, and a configuration device.
  • the in-band communication can be performed between the configuration device and the first device, and the out-of-band communication can be performed between the configuration device and the second device.
  • the embodiment of the present invention provides a method for configuring, which can improve the success rate of configuration of the device. As shown in FIG. 2, the method includes:
  • the first device receives a second device out-of-band key sent by the configuration device.
  • the second device out-of-band key is obtained by the configuration device by performing out-of-band communication with the second device.
  • the first device supports in-band communication, and may perform in-band communication with the configuration device, or perform in-band communication with the second device.
  • the first device may be specifically: a wireless access point (English full name: Access Point, English abbreviation: AP), a smart terminal, a wearable device, or a smart home device.
  • smart terminals include mobile phones, mobile phone tablets, tablets and computers
  • wearable devices include smart glasses, smart watches, smart bracelets, smart rings, smart necklaces, smart shoes, smart hats, smart helmets, smart clothes and smart knee pads.
  • Smart homes include smart TVs, smart stereos, smart refrigerators, smart washing machines, smart air conditioners, smart lights, smart curtains and smart alarms.
  • the configuration device is configured to configure the device, or assist the device to configure other devices.
  • the configuration device may be an external configuration device or an internal configuration device, which is not limited in the embodiment of the present invention.
  • the external configuration device may be a wireless device with rich UI and strong computing power.
  • the external configuration device may be a smart phone, a smart tablet, a smart glasses, a smart watch, or the like, or may be installed with an associated application unit.
  • the internal configuration device can also be a set of application modules integrated in the hardware unit and can interact with other devices through the UI provided by the hardware unit.
  • the internal configuration device can be configured in the wireless AP.
  • the configuration The unit can realize the input in the configuration process through the input module of the wireless AP, and realize the output in the configuration process through the output module of the wireless AP, that is, the input module of the configuration unit is the input module of the wireless AP, and the output module of the configuration unit is the wireless AP.
  • Output module the input module of the configuration unit is the input module of the wireless AP, and the output module of the configuration unit is the wireless AP.
  • the in-band communication refers to a communication method in which the communication distance is relatively long
  • the out-of-band communication refers to a communication method in which the communication distance is relatively short
  • the in-band communication can be: Bluetooth, Bluetooth low energy, wireless fidelity (English full name: Wireless Fidelity, English abbreviation: Wi-Fi), ZigBee (low-power LAN protocol based on IEEE802.15.4 standard), super Broadband (English full name: Ultra Wide Band, English abbreviation: UWB) or wireless Gigabit (English full name: Wireless Gigabit, English abbreviation: WiGig), etc.
  • out-of-band communication can be: Radio Frequency Identification (English full name: Radio Frequency Identification, English Abbreviations: RFID), Near Field Communication (English name: Near Field Communication, English abbreviation: NFC), infrared, laser, ultrasonic, capacitive screen short-range transmission, optical recognition or acoustic recognition.
  • the second device when the manner of performing out-of-band communication between the configuration device and the second device is optical recognition, the second device first provides a two-dimensional code including the out-of-band key of the second device; and then configures the device to scan through its own camera module.
  • the two-dimensional code is decoded and obtained to obtain the verification information material; finally, the configuration device obtains the verification information according to the verification information material, and sends the verification information to the first device, or the configuration device directly sends the verification information material to the first device, so that The first device acquires the verification information according to the verification information material.
  • the second device plays the verification information material through its own acoustic module, and then the configuration device listens to the verification information material; finally, the device is configured according to The verification information material obtains the verification information and sends the verification information to the first device, or the configuration device directly sends the verification information material to the first device, so that the first device acquires the verification information according to the verification information material.
  • the out-of-band communication and the in-band communication are relative concepts, and are not limited to the above examples of out-of-band communication and in-band communication.
  • Any other communication method with a relatively short distance can be considered as out-of-band communication.
  • a relatively long-distance communication method can be considered as in-band communication.
  • Bluetooth has a short communication distance with respect to Wi-Fi, so when Wi-Fi is used as in-band communication, Bluetooth can be used as out-of-band communication.
  • the embodiment of the present invention is not limited to the outband communication between the configuration device and the second device, and any other manner that can implement communication between the configuration device and the second device is applicable to the embodiment of the present invention, for example, In-band communication can be performed between the configuration device and the second device.
  • the verification information material and the verification information may be mutually converted by a specific codec mode, or may be the same information, which is not limited by the embodiment of the present invention.
  • the base64/32/16 (64/32/hexadecimal) coding mode can be directly converted to achieve mutual conversion; or the base64/32/16 can be firstly passed. Encoding, and then through the abstract syntax mark (English full name: Abstract Syntax Notation One, English abbreviation: ASN.1) encoding, to achieve mutual conversion.
  • the method may further include: determining, by the first device, whether the second device out-of-band key is legal.
  • the first device may determine whether the second device out-of-band key is legal by determining whether the second device stores the private key corresponding to the second device out-of-band key. Specifically, if the second device stores the private key corresponding to the outband key of the second device, the first device determines that the second device is legal.
  • the private key corresponding to the second device out-of-band key and the second device out-of-band key correspond to each other.
  • the private key corresponding to the out-of-band key of the second device when the private key corresponding to the out-of-band key of the second device is an asymmetric key, the private key corresponding to the out-of-band key of the second device is a private key.
  • the second device out-of-band key is a public key; or, when the private key corresponding to the second device out-of-band key and the second device out-of-band key are symmetric keys, the second device out-of-band key corresponds to The private key is the same as the second device out-of-band key.
  • the first device generates an encryption key according to the second device out-of-band key.
  • the out-of-band key of the second device may be a symmetric key or an asymmetric key, which is not limited in the embodiment of the present invention.
  • the first device may directly use the second device out-of-band key as the encryption key.
  • the first device when the second device out-of-band key is an asymmetric key, the first device first generates a pair of asymmetric temporary keys, which are a first device temporary private key and a first device temporary public key, respectively, and then The encryption key is generated according to the first device temporary private key and the second device out-of-band key.
  • the first device temporary public key may be sent to the second device, so that the second device acquires the first device temporary public And generating a second encryption key according to the first device temporary public key and the locally stored private key corresponding to the second device out-of-band key.
  • the second encryption key is used to decrypt the encrypted information of the first device.
  • the first device generates an encryption key generated according to the first device temporary private key and the second device out-of-band key
  • the second device according to the first device temporary public key and the second device.
  • the second encryption key generated by the private key corresponding to the device out-of-band key is the same.
  • the encryption key is used to encrypt information sent by the first device to the second device.
  • the first device may directly encrypt the information that needs to be sent to the second device according to the encryption key; the first device may also first convert the encryption key to obtain the converted encryption key, and then according to the conversion.
  • the encryption key encrypts the information that needs to be sent to the second device.
  • the method for converting the encryption key by the first device may be directly converting the encryption key through the base64/32/16 encoding method to obtain the converted encryption key; or may first pass the base64. /32/16 is encoded, and then the encryption key is converted by the ASN.1 encoding method to obtain the converted encryption key.
  • the second device when the first device encrypts the information that needs to be sent to the second device according to the converted encryption key, the second device encrypts the first device according to the converted second encryption key.
  • the information is decrypted.
  • the second device first converts the second encryption key according to the same conversion manner as the first device, obtains the converted second encryption key, and then performs the first according to the converted second encryption key.
  • the encrypted information of the device is decrypted.
  • the first device generates a first signature generation key and a first signature verification key.
  • the first signature generation key and the first signature verification key are generated by the first device, the first signature generation key is used for signing by the first device, and the first signature verification key is used for signing information of the first device. Decryption is performed, and the first signature generation key and the first signature verification key correspond to each other.
  • the method further includes: the first device sending the encrypted first signature verification key to the second device.
  • the encrypted first signature verification key is obtained by the first device encrypting the first signature verification key by using the third key, and the third key is obtained by the first device according to the encryption key.
  • the first device may directly use the encryption key as the third key, and encrypt the first signature verification key according to the third key to obtain the encrypted first signature verification key;
  • a device may also first convert the encryption key to obtain a converted encryption key as a third key, and encrypt the first signature verification key according to the third key to obtain the encrypted first signature. Verify the key.
  • the first device generates a pair of signature keys, which are a first signature verification key and a first signature generation key, respectively.
  • the first signature verification key is used for sending to other devices, so that other devices can decrypt the information signed by the first device by using the first signature verification key; the first signature generation key is used for the first device. Sign it.
  • the first signature generation key and the first signature verification key are asymmetric keys
  • the first signature generation key is a corresponding private key
  • the first signature verification key is corresponding.
  • the first device receives a second network key sent by the second device.
  • the second network key is generated by the second device, and the second network key is used by the first device to generate the shared key.
  • the embodiment of the present invention is not limited to the foregoing first device generating a shared key according to the second network key, and any other device that can communicate with the second device may generate the shared key according to the second network key. .
  • the second network key may be a symmetric key or an asymmetric key, which is not limited in the embodiment of the present invention.
  • the second network key when the second network key is an asymmetric key, the second network key may be a Diffie-Hellman (English name: Diffie-Hellman, English abbreviation: DH) public key; It is a Diffel Herman (ECDH) public key based on the Elliptic Curve Cryptosystems (English name: ECC); it can also be the X coordinate or Y coordinate of the ECDH public key.
  • Diffie-Hellman English name: Diffie-Hellman, English abbreviation: DH
  • ECDH Diffel Herman
  • ECC Elliptic Curve Cryptosystems
  • the second network key may also be a result of further encoding the key.
  • the second network key is a result obtained by directly encoding the DH key through base64/32/16, and may also encode the DH key first by using base64/32/16, and then encoding by ASN.1.
  • the result can also be obtained by directly encoding the X coordinate of the ECDH key through base64/32/16, or by first encoding the Y coordinate of the ECDH key through base64/32/16, and then passing the ASN. 1
  • the result of the coding is a result obtained by directly encoding the DH key through base64/32/16, and may also encode the DH key first by using base64/32/16, and then encoding by ASN.1.
  • the result can also be obtained by directly encoding the X coordinate of the ECDH key through base64/32/16, or by first encoding the Y coordinate of the ECDH key through base64/32/16, and then passing the ASN. 1
  • the first device signs the second network key by using the first signature generation key to obtain first signature information.
  • the first signature generation key is generated by the first device, and the first signature generation key is used for signing by the first device, and the first signature generation key and the first signature verification key correspond to each other.
  • the first device sends the encrypted first connection information to the second device.
  • the first connection information includes the first signature information and the second network key, and the encrypted first connection information is obtained by the first device encrypting the first connection information by using the first key, and the first key is obtained by the first The device is derived from the encryption key.
  • the first device may directly use the encryption key as the first key, and encrypt the first connection information according to the first key to obtain the encrypted first signature verification key;
  • the encryption key may be first converted to obtain the converted encryption key as the first key, and the first connection information is encrypted according to the first key to obtain the encrypted first signature verification key.
  • connection information may include: network identification information, peer network key information, network key information to be configured, configuration device identification information, and signature of the configuration device. information.
  • the first device sends the first connection information to the second device, so that the second device acquires and sends the first connection information to the first device, where the first connection information is used by the first device to determine whether the second device is legal.
  • the method for configuring the first embodiment of the present invention first configures the device to perform out-of-band communication with the second device, obtains a second device out-of-band key, and sends the second device out-of-band key to the first device, so that the first The device generates an encryption key according to the second device out-of-band key, and then the first device generates a first signature generation key and a first signature verification key, and receives a second network key sent by the second device, and finally the first device Generating a key according to the first signature, signing the second network key, obtaining the first signature information, and transmitting the first connection information encrypted according to the encryption key to the second device, where the first connection information includes the first signature information And a second network key.
  • the embodiment of the present invention obtains the out-of-band key of the second device by configuring the device to perform out-of-band communication with the second device, and The device sends the second device to the first device, so that the first device can be configured to communicate with the second device, that is, the device cannot be configured between the device and the second device.
  • in-band communication for example, a device does not support in-band communication, or the configuration device does not match the in-band communication mode supported by a device, and the second device can be configured by the first device, thereby improving the device.
  • the success rate of the configuration for example, a device does not support in-band communication, or the configuration device does not match the in-band communication mode supported by a device, and the second device can be configured by the first device, thereby improving the device. The success rate of the configuration.
  • the embodiment of the present invention provides another method for configuring, as shown in FIG. 3, the method includes:
  • the first device receives a second signature verification key sent by the configuration device.
  • the first device supports in-band communication, and may perform in-band communication with the configuration device, or perform in-band communication with the second device.
  • the first device may be specifically: a wireless AP, a smart terminal, a wearable device, or a smart home device.
  • smart terminals include mobile phones, mobile phone tablets, tablets and computers
  • wearable devices include smart glasses, smart watches, smart bracelets, smart rings, smart necklaces, smart shoes, smart hats, smart helmets, smart clothes and smart knee pads.
  • smart home including smart TV, wisdom Can audio, smart refrigerator, smart washing machine, smart air conditioning, smart lighting, smart curtains and smart alarms.
  • the configuration device is configured to configure the device, or assist the device to configure other devices.
  • the configuration device may be an external configuration device or an internal configuration device, which is not limited in the embodiment of the present invention.
  • the external configuration device can be a wireless device with a rich user interface (English name: User Interface, English abbreviation: UI) and a relatively large computing power.
  • the external configuration device can be a smart phone, a smart tablet, smart glasses, or smart.
  • a watch, etc. may also be another device with an associated application unit installed; the internal configuration device may also be a set of application modules integrated in the hardware unit and can interact with other devices through the UI provided by the hardware unit, for example
  • the internal configuration device may be a configuration unit integrated in the wireless AP, and the configuration unit may implement an input in a configuration process through an input unit of the wireless AP, and realize an output in a configuration process through an output unit of the wireless AP.
  • the second signature verification key is generated by the configuration device, and the second signature verification key is used to decrypt the information signed by the configuration device.
  • the configuration device generates a pair of signature keys, which are respectively a second signature verification key and a second signature generation key.
  • the second signature verification key is used to send the information to the other device, so that the other device can decrypt the information signed by the second device by using the second signature verification key; the second signature generation key is used to configure the device. signature.
  • the second signature verification key may be referred to by C-sign-key1
  • the second signature generation key may be referred to by C-sign-key2.
  • A is used to identify the first device
  • B is used to identify the second device
  • C is used to identify the configuration device
  • sign is used to indicate a signature (Signature)
  • key is used to represent a key
  • key 1 is used to represent
  • the authentication key key2 is used to indicate the generation of the key
  • net is used to represent the network
  • pub is used to indicate public
  • priv is used to indicate private.
  • the embodiment of the present invention is not limited to the foregoing identification manners for each device, and the identification manner of each key, and any other manner that can be used to identify the device or the key is applicable to the present invention. Inventive embodiments.
  • the first device generates a first network key.
  • the first network key is used by the second device to generate a shared key.
  • the first network key may be referred to by A-net-pub.
  • the embodiment of the present invention is not limited to the foregoing that the second device generates the shared key according to the first network key, and any other device that can communicate with the first device may generate the shared key according to the first network key. .
  • the first network key may be a symmetric key or an asymmetric key, which is not limited in the embodiment of the present invention.
  • the first network key when the first network key is an asymmetric key, the first network key may be DH; or may be an ECDH public key; or may be an X coordinate or a Y coordinate of the ECDH public key.
  • the first network key may also be a result of further encoding the key.
  • the first network key is a result obtained by directly encoding the DH key through base64/32/16, and the DH key may first be encoded by base64/32/16, and then encoded by ASN.1.
  • the result can also be obtained by directly encoding the X coordinate of the ECDH key through base64/32/16, or by first encoding the Y coordinate of the ECDH key through base64/32/16, and then passing the ASN. 1 The result of the coding.
  • the first device sends the first network key to the configuration device.
  • the first network key is sent by the first device to the configuration device, so that the configuration device generates and sends the second connection information to the first device according to at least the first network key.
  • the first device receives second connection information sent by the configuration device.
  • the second connection information includes the second signature information and the first network key, and the second signature information is obtained by the configuration device by using the second signature generation key to sign the first network key, and the second signature generation key is configured by The device generates a second signature generation key for configuring the device to perform signature, and the second signature generation key and the second signature verification key correspond to each other.
  • the second connection information may be referred to by Connector 2
  • the second signature information may be referred to by signature 2 .
  • the second signature generation key and the second signature verification key are asymmetric keys
  • the second signature generation key is a corresponding private key
  • the second signature verification key is corresponding.
  • connection information may include: a network identifier, a peer network key, a network key to be configured, a configuration device identifier, and a signature of the configuration device.
  • specific manifestation of the connection information may be:
  • the net ID is used to indicate the network identifier of the network to be configured or added to be configured.
  • the PeerKey is used to indicate the network key of the peer device to which the device to be configured is configured to connect. In the embodiment of the present invention, when the PeerKey is a wildcard (wildcard), it indicates that the device to be configured can be connected to all devices in the network.
  • the second connection information configured by the configuration device may be specifically:
  • the service set identifier (English name: Service Set Identifier, English abbreviation: SSID) is a network identifier.
  • the netID is the SSID of the wireless AP;
  • the wildcard is a wildcard, and when the peerKey is a wildcard, Indicates that the first device can be in the network All devices are connected;
  • C-id is the identification information of the configured device.
  • the configuration device may be in accordance with a digital signature algorithm (English full name: Digital Signature Algorithm, English abbreviation: DSA), an elliptic curve digital signature algorithm (English full name: Elliptic Curve Digital Signature Algorithm, English abbreviation: ECDSA) or RSA ( Rivest-Shamir-Adleman) and other signature algorithms, according to C-sign-key2, sign A-net-pub to get signature2.
  • DSA Digital Signature Algorithm
  • ECDSA Elliptic Curve Digital Signature Algorithm
  • RSA Rivest-Shamir-Adleman
  • the configuration device may also sign A-net-pub and other items according to C-sign-key2 according to a signature algorithm such as DSA, ECDSA or RSA to obtain signature2.
  • the other item may be any one of the SSID, the wildcard, and the C-id, or any combination.
  • the configuration device may first convert C-sign-key2, and then according to the signature algorithm such as DSA, ECDSA or RSA, according to the converted C-sign-key2, to A-net-pub, or A. -net-pub and other items, sign and get signature2.
  • the signature algorithm such as DSA, ECDSA or RSA
  • the configuration device when the configuration device obtains the out-of-band key of the second device by performing out-of-band communication with the second device, the corresponding connection information may be configured and sent to the first device, so that the first device acquires The second device has an out-of-band key.
  • the connection information configured by the configuration device may specifically be:
  • the peerKey of Connector2' is B-id-pub, that is, the second device out-of-band key.
  • the embodiment of the present invention is not limited to the manner in which the configuration device sends the second device out-of-band key to the first device through the Connector 2', and any other configuration device can send the second device with the external device to the first device.
  • the method of the key is applicable to the present invention. Example.
  • the configuration device may directly encrypt the second device out-of-band key and send the encrypted second device out-of-band key to the first device.
  • the configuration device may carry, in the message sent to the first device, the indication information, where the indication information is used to carry the second device out-of-band key in the first device indication message, so that the first device receives the second device.
  • the out-of-band key is executed and the corresponding process is performed.
  • the first device receives a second device out-of-band key sent by the configuration device.
  • the second device out-of-band key is obtained by the configuration device by performing out-of-band communication with the second device.
  • the second device out-of-band key may be referred to by B-id-pub.
  • the out-of-band communication refers to a communication mode in which the communication distance is relatively short
  • the in-band communication refers to a communication method in which the communication distance is relatively long
  • the in-band communication may be: Bluetooth, Bluetooth low energy, Wi-Fi, ZigBee, UWB, WiGig, etc.
  • the out-of-band communication may be: RFID, NFC, infrared, laser, ultrasonic, capacitive screen transmission, optical recognition or Acoustic recognition, etc.
  • the second device when the manner of performing out-of-band communication between the configuration device and the second device is optical recognition, the second device first provides a two-dimensional code including the out-of-band key of the second device; and then configures the device to scan through its own camera module.
  • the two-dimensional code is decoded and obtained to obtain the verification information material; finally, the configuration device obtains the verification information according to the verification information material, and sends the verification information to the first device, or the configuration device directly sends the verification information material to the first device, so that The first device acquires the verification information according to the verification information material.
  • the second device plays the verification information material through its own acoustic module, and then the configuration device listens to the verification information material; finally, the device is configured according to The verification information material obtains the verification information and sends the verification information to the first device, or the configuration device directly sends the verification information material to the first device, so that the first device acquires the verification information according to the verification information material.
  • the verification information material and the verification information may be mutually converted by a specific codec mode, or may be the same information, which is not limited by the embodiment of the present invention.
  • the mutual conversion can be directly performed by the base64/32/16 encoding mode; or the encoding can be performed first by base64/32/16, and then by ASN.1 encoding. Ways to achieve mutual conversion.
  • the second device out-of-band key may be a DH public key, an ECDH public key, an X coordinate or a Y coordinate of the ECDH public key, or an X coordinate or Y of the ECDH public key. coordinate.
  • the second device out-of-band key may also be a result of further encoding the public key.
  • the second device out-of-band key may be a result obtained by directly encoding the DH public key through base64/32/16, or may first encode the DH public key through base64/32/16, and then pass ASN.1.
  • the result of the coding can also be obtained by directly encoding the X coordinate of the ECDH public key through base64/32/16, or by encoding the Y coordinate of the ECDH public key first by base64/32/16, and then The result of encoding by ASN.1.
  • the method further includes: determining, by the first device, whether the second device out-of-band key is legal.
  • the first device determines whether the second device stores the private key corresponding to the out-of-band key of the second device, and if the second device stores the private key corresponding to the out-of-band key of the second device, the first device determines the second The device legally corresponds to the private key corresponding to the out-of-band key of the second device and the out-of-band key of the second device.
  • the private key corresponding to the out-of-band key of the second device may be referred to by B-id-priv.
  • the private key corresponding to the out-of-band key of the second device when the private key corresponding to the out-of-band key of the second device is an asymmetric key, the private key corresponding to the out-of-band key of the second device is a private key.
  • the second device out-of-band key is a public key; or, when the private key corresponding to the second device out-of-band key and the second device out-of-band key are symmetric keys, the second device out-of-band key corresponds to The private key is the same as the second device out-of-band key.
  • the first device generates an encryption key according to the second device out-of-band key.
  • the out-of-band key of the second device may be a symmetric key or a non-non-
  • the symmetric key is not limited in the embodiment of the present invention.
  • the first device may directly use the second device out-of-band key as the encryption key.
  • the first device when the second device out-of-band key is an asymmetric key, the first device first generates a pair of asymmetric temporary keys, which are a first device temporary private key and a first device temporary public key, respectively, and then The encryption key is generated according to the first device temporary private key and the second device out-of-band key.
  • the first device temporary public key may be sent to the second device, so that the second device acquires the first device temporary public And generating a second encryption key according to the first device temporary public key and the locally stored private key corresponding to the second device out-of-band key.
  • the second encryption key is used to decrypt the encrypted information of the first device.
  • the first device generates an encryption key generated according to the first device temporary private key and the second device out-of-band key
  • the second device according to the first device temporary public key and the second device.
  • the second encryption key generated by the private key corresponding to the device out-of-band key is the same.
  • the encryption key is used to encrypt information sent by the first device to the second device.
  • the first device may directly encrypt the information that needs to be sent to the second device according to the encryption key; the first device may also first convert the encryption key to obtain the converted encryption key, and then according to the conversion.
  • the encryption key encrypts the information that needs to be sent to the second device.
  • the method for converting the encryption key by the first device may be directly converting the encryption key through the base64/32/16 encoding method to obtain the converted encryption key; or may first pass the base64. /32/16 is encoded, and then the encryption key is converted by the ASN.1 encoding method to obtain the converted encryption key.
  • the second device when the first device encrypts the information that needs to be sent to the second device according to the converted encryption key, the second device encrypts the first device according to the converted second encryption key.
  • the information is decrypted.
  • the second device first follows the first device In the same conversion manner, the second encryption key is converted to obtain the converted second encryption key, and then the encrypted information of the first device is decrypted according to the converted second encryption key.
  • the first device generates a first signature generation key and a first signature verification key.
  • the first signature generation key and the first signature verification key are generated by the first device, the first signature generation key is used for signing by the first device, and the first signature verification key is used for signing information of the first device. Decryption is performed, and the first signature generation key and the first signature verification key correspond to each other.
  • the method further includes: the first device sending the encrypted first signature verification key to the second device.
  • the encrypted first signature verification key is obtained by the first device encrypting the first signature verification key by using the third key, and the third key is obtained by the first device according to the encryption key.
  • the first device may directly use the encryption key as the third key, and encrypt the first signature verification key according to the third key to obtain the encrypted first signature verification key;
  • a device may also first convert the encryption key to obtain a converted encryption key as a third key, and encrypt the first signature verification key according to the third key to obtain the encrypted first signature. Verify the key.
  • the first device generates a pair of signature keys, which are a first signature verification key and a first signature generation key, respectively.
  • the first signature verification key is used for sending to other devices, so that other devices can decrypt the information signed by the first device by using the first signature verification key; the first signature generation key is used for the first device. Sign it.
  • the first signature verification key may be referred to by A-sign-key1
  • the first signature generation key may be referred to by A-sign-key2.
  • the first signature generation key and the first signature verification key are asymmetric keys
  • the first signature generation key is a corresponding private key
  • the first signature verification key is corresponding.
  • the method may further include: sending, by the first device, the encryption to the second device The second signature verification key.
  • the encrypted second signature verification key is obtained by the first device encrypting the second signature verification key by using the second key, and the second key is obtained by the first device according to the encryption key.
  • the first device may directly use the encryption key as the second key, and encrypt the second signature verification key according to the second key to obtain the encrypted first signature verification key;
  • a device may also first convert the encryption key to obtain a converted encryption key as a second key, and encrypt the second signature verification key according to the second key to obtain the encrypted first signature. Verify the key.
  • the second key obtained by the first device according to the encryption key may be the same as or different from the third key obtained by the first device according to the encryption key, which is not limited in the embodiment of the present invention. .
  • the second device sends the second signature verification key to the second device, so that the second device receives the second signature verification key, and the second signature verification key and the second signature carried by the second message. Information to determine that the first device is legitimate.
  • the first device receives a second network key sent by the second device.
  • the second network key is generated by the second device, and the second network key is used by the first device to generate the shared key.
  • the second network key may be referred to by B-net-pub.
  • the embodiment of the present invention is not limited to the foregoing first device generating a shared key according to the second network key, and any other device that can communicate with the second device may generate the shared key according to the second network key. .
  • the second network key may be a symmetric key or an asymmetric key, which is not limited in the embodiment of the present invention.
  • the second network key when the second network key is an asymmetric key, the second network key may be a DH public key; or may be an ECDH public key; or may be an X coordinate or a Y coordinate of the ECDH public key. .
  • the second network key may also be a result of further encoding the key.
  • the second network key is a result obtained by directly encoding the DH key through base64/32/16, and may also encode the DH key first through base64/32/16, and then
  • the result obtained by encoding by ASN.1 can also be the result of directly encoding the X coordinate of the ECDH key through base64/32/16, or the Y coordinate of the ECDH key first through base64/32/16. Encoded and then encoded by ASN.1.
  • the first device signs the second network key by using the first signature generation key to obtain first signature information.
  • the first signature generation key is generated by the first device, and the first signature generation key is used for signing by the first device, and the first signature generation key and the first signature verification key correspond to each other.
  • the first signature information may be referred to by signature1.
  • the configuration device may sign the B-net-pub according to A-sign-key2 according to a signature algorithm such as DSA, ECDSA or RSA to obtain signature1.
  • the first device sends the encrypted first connection information to the second device.
  • the first connection information includes the first signature information and the second network key, and the encrypted first connection information is obtained by the first device encrypting the first connection information by using the first key, and the first key is obtained by the first The device is derived from the encryption key.
  • the first connection information may be referred to by Connector1.
  • the first device may directly use the encryption key as the first key, and encrypt the first connection information according to the first key to obtain the encrypted first signature verification key;
  • the encryption key may be first converted to obtain the converted encryption key as the first key, and the first connection information is encrypted according to the first key to obtain the encrypted first signature verification key.
  • first key obtained by the first device according to the encryption key and the third key obtained by the first device according to the encryption key, or the second key obtained by the first device according to the encryption key
  • the keys may be the same or different, and are not limited in the embodiment of the present invention.
  • the encrypted first connection information is sent by the first device to the second device, so that the second device acquires and sends the first connection information to the first device.
  • the first connection information is used by the first device to determine whether the second device is legal.
  • the first connection information that is configured by the first device may be specifically:
  • the first connection information is sent by the first device to the second device, so that the second device acquires the first network key in the first connection information, and generates a second shared key according to the first network key.
  • the second shared key is a pre-key for performing handshake authentication between the second device and the first device.
  • the second device may generate a DH shared key according to the DH key generation algorithm according to the private key corresponding to the second network key and the first network key, and share the key by DH or shared by DH.
  • the second shared key may be DH (B-net-priv, A-net-pub).
  • the private key corresponding to the second network key may be referred to by B-net-priv.
  • the second device may further generate an ECDH shared key according to the ECDH key generation algorithm according to the private key corresponding to the second network key and the first network key, and share the key by ECDH, or by ECDH
  • the key derived from the shared key is used as the second shared key.
  • the second shared key may be ECDH (B-net-priv, A-net-pub).
  • the first device receives the first message sent by the second device.
  • the first message carries the first connection information.
  • the first message may be referred to by M1.
  • the second device carries the first connection information in the first message, and sends the first connection information to the first device, so that the first device determines whether the second device is legal according to the first signature information carried in the first message.
  • the first device determines, according to the first signature information carried in the first message, that the second device is legal.
  • the step 312 is that the first device determines, according to the first signature information carried in the first message, that the device that obtains the first signature information is a trusted device.
  • the trusted device includes a first device or a configuration device.
  • the step 312 may be that the first device first decrypts the first signature information by using the first signature verification key to obtain a decryption result, and then decrypts the decrypted result with the second network included in the first connection information. The keys are compared. If the decrypted result matches the second network key, the first device determines that the second device is legitimate.
  • the decryption result is matched with the second network key, which means that the decryption result is the same as the second network key; or, after the decryption result is converted, it is the same as the second network key; or, for the second After the network key is converted, it is the same as the decrypted result; or, the converted decrypted result is the same as the converted second network key.
  • the decryption result or the second network key conversion manner may be performed by directly converting the decryption result or the second network key through the base64/32/16 encoding mode; or may first pass the base64/ The 32/16 is encoded, and then the decryption result or the second network key is converted by the ASN.1 encoding method.
  • the first signature information may be generated by the first device according to the first signature, and the network key and other items to be configured in the first connection information are signed.
  • the other item is any one or any combination of the network identifier, the peer network key, and the configuration device identifier in the first connection information.
  • the decryption result matches the second network key, which means that the second network key and other items are the same as the decryption result; or, after the second network key and other items are converted, the decryption result is the same; or After the decryption result is converted, it is the same as the second network key and other items; or the converted second network key and other items are the same as the converted decryption result.
  • signature1 is signed by the first device according to A-sign-key2, B-net-pub, SSID, A-net-pub, and A-id
  • the first device is based on A-sign-key1, signature1 Decrypting to obtain the decrypted result, which is the same as B-net-pub, SSID, A-net-pub, and A-id; or, the decrypted result after conversion, and B-net-pub, SSID, A-net -pub and The A-id is the same; or, the decrypted result is the same as the converted B-net-pub, SSID, A-net-pub, and A-id; or, the converted decrypted result, and the converted B-net-pub , SSID, A-net-pub and A-id are the same.
  • the conversion mode is a hash conversion
  • signature1 is hashed by the first device according to A-sign-key2
  • B-net-pub, SSID, A-net-pub, and A-id are hashed
  • the first device decrypts signature1 according to A-sign-key1, and obtains a decrypted result, which is the same as the result of hashing B-net-pub, SSID, A-net-pub, and A-id.
  • the first connection information carried by the first message received by the first device may be specifically:
  • the specific process of the first device verifying the Connector1 may be: first, the first device verifies that the netID in the Connector1 matches the netID in the Connector2, and if the matching, continues to verify the Connector1, if not, the authentication is aborted.
  • the netID in the Connector1 and the netID in the Connector2 are both SSIDs, and the two are matched.
  • the first device verifies whether the peerKey in the Connector1 is a network key or a wildcard generated by itself, and if it matches, continues to verify the Connector1.
  • the peerKey in Connector1 is the network key generated by itself, and therefore the peerKey matches; secondly, the first device verifies whether the initiator in Connector1 is a trusted device, and if so, continues to verify Connector1. If not, the verification is abandoned.
  • the initiator in the Connector 1 is an A-id, that is, its own identification information, and thus is a trusted device.
  • the first device verifies whether the signature1 is legal according to the A-sign-key1. If it is legal, it is determined that Connector1 is legal, and if it is not legal, the verification is abandoned, in the present invention.
  • signature1 The signature is performed by the first device according to the A-sign-key2, and therefore the signature1 is legal. Therefore, the first device determines that the Connector1 is legal, that is, the first device determines that the second device is legal.
  • the first device If it is determined that the second device is legal, the first device generates the first shared key according to at least the second network key.
  • the first shared key is a pre-key between the first device and the second device, and the pre-key is used for handshake authentication between the first device and the second device.
  • the first device may first generate a pre-shared key (Pre-Shared Key, English abbreviation: PSK) or a pairwise master key (English name: Pairwise Master Key, according to the pre-key).
  • PSK Pre-Shared Key
  • PMK Pairwise Master Key
  • the first device may generate a DH shared key according to the DH key generation algorithm according to the private key corresponding to the first network key and the second network key, and share the key by DH or shared by DH.
  • the first shared key may be DH (A-net-priv, B-net-pub).
  • the private key corresponding to the first network key may be referred to by A-net-priv.
  • the first device may further generate an ECDH shared key according to the ECDH key generation algorithm according to the private key corresponding to the first network key and the second network key, and share the key by ECDH, or by ECDH
  • the key derived from the shared key is used as the first shared key.
  • the first shared key may be ECDH (A-net-priv, B-net-pub).
  • the first device corresponds to the second device according to the second network generated by the first device according to the private key corresponding to the first network key and the first shared key generated by the second network key.
  • the private key is the same as the second shared key generated by the first network key.
  • the first shared key generated by the first device is the same as the second shared key generated by the second device, and the handshake authentication between the first device and the second device can be implemented.
  • the first device sends a second message.
  • the second message carries the second connection information, and the second connection information includes the second signature information. interest.
  • the second message may be referred to by M2.
  • step 314 may be: the first device sends the encrypted second message.
  • the encrypted second message is obtained by the first device encrypting the second message by using the fourth key, and the fourth key is obtained by the first device according to the encryption key.
  • the first device may directly use the encryption key as the fourth key, and encrypt the second message according to the fourth key to obtain the encrypted second message; the first device may also first The encryption key is converted to obtain a converted encryption key as a fourth key, and the second message is encrypted according to the fourth key to obtain an encrypted second message.
  • the fourth key obtained by the first device according to the encryption key, and the third key obtained by the first device according to the encryption key, or the second key obtained by the first device according to the encryption key may be the same or different, and is not limited by the embodiment of the present invention.
  • the second device sends a second message to the second device, so that the second device receives the second message sent by the first device, and determines whether the first device is legal according to the second signature information carried by the second message.
  • the second connection information carried by the second message received by the second device may be specifically:
  • the specific process of the second device verifying the Connector 2 may be: first, the second device verifies whether the netID in the Connector 2 matches the net ID in the Connector 1 , and if the matching, continues to verify the Connector 1 , if not, the authentication is aborted.
  • the netID in Connector2 and the netID in Connector1 are both SSIDs, and the two match; then, The second device verifies whether the peerKey in the Connector 2 is the network key or the wildcard generated by itself. If the match is the same, the connection is continued to be verified. If the match is not matched, the authentication is discarded.
  • the peerKey in the Connector 2 is a wildcard, and therefore the peerKey matches.
  • the second device verifies whether the initiator in the Connector 2 is a trusted device, and if so, continues to verify the Connector 2, and if not, the authentication is discarded.
  • the initiator in the Connector 2 is a C-id, that is, the identification information of the device is configured. Therefore, the device trusts the device.
  • the second device verifies whether the signature2 is legal according to the C-sign-key1. If it is legal, it determines that the Connector2 is legal. If it is not legal, the authentication is discarded.
  • the signature2 is configured by the device according to C- Sign-key2 is signed, so signature2 is legal. Therefore, the second device determines that Connector2 is legal, that is, the second device determines that the first device is legitimate.
  • whether the second device verifies that the signature 2 is legal according to the C-sign-key1 may be: the second device first decrypts the second signature information according to the second signature verification key, obtains the decrypted result, and then decrypts As a result, the first network key included in the second connection information is compared. If the decryption result matches the first network key, the second device determines that the first device is legal.
  • the decryption result matches the first network key, which means that the decryption result is the same as the first network key; or, after the decryption result is converted, it is the same as the first network key; or, for the first After the network key is converted, it is the same as the decrypted result; or, the converted decrypted result is the same as the converted first network key.
  • the decryption result or the first network key conversion manner may be directly converted by the base64/32/16 encoding method, or the first network key may be converted; or may be first passed through the base64/ The 32/16 is encoded, and then the decryption result or the first network key is converted by the ASN.1 encoding method.
  • the second signature information may be generated by the configuration device according to the second signature, and the network key and other items to be configured in the second connection information are signed.
  • the other item is any one or any combination of the network identifier, the peer network key, and the configuration device identifier in the second connection information.
  • the decryption result matches the first network key, which means The first network key and other items are the same as the decryption result; or, after converting the first network key and other items, the decryption result is the same; or, after converting the decrypted result, the first network key and The other items are the same; or, the converted first network key and other items are the same as the converted decrypted result.
  • signature2 is signed by the configuration device according to C-sign-key2, A-net-pub, SSID, wildcard, and C-id are obtained, the second device decrypts signature2 according to C-sign-key1, and obtains decryption.
  • the decryption result is the same as A-net-pub, SSID, wildcard, and C-id; or, the converted decryption result is the same as A-net-pub, SSID, wildcard, and C-id; or, the decryption result,
  • the converted A-net-pub, SSID, wildcard, and C-id are the same; or, the converted decrypted result is the same as the converted A-net-pub, SSID, wildcard, and C-id.
  • the conversion mode is a hash conversion
  • the second device is configured according to the second device.
  • C-sign-key1 decrypts signature2 to obtain the decrypted result, which is the same as the result of hashing A-net-pub, SSID, wildcard and A-id.
  • the second device determines that the first device is legal, the second device acquires the first network key in the second connection information, and generates a second shared key according to the first network key.
  • the following steps 315 to 318 may be performed.
  • the first device generates a third network key.
  • the third network key is used by the second device to generate a shared key.
  • the third network key may be referred to by A-net-pub'.
  • the embodiment of the present invention is not limited to the foregoing that the second device generates the shared key according to the third network key, and any other device that can communicate with the first device may generate the shared key according to the first network key. .
  • the third network key may be a symmetric key or an asymmetric key, which is not limited in the embodiment of the present invention.
  • the third network key when the third network key is non- In the case of a symmetric key, the third network key may be a DH public key; it may also be an ECDH public key; it may also be an X coordinate or a Y coordinate of the ECDH public key.
  • the second network key may also be a result of further encoding the key.
  • the second network key is a result obtained by directly encoding the DH key through base64/32/16, and may also encode the DH key first by using base64/32/16, and then encoding by ASN.1.
  • the result can also be obtained by directly encoding the X coordinate of the ECDH key through base64/32/16, or by first encoding the Y coordinate of the ECDH key through base64/32/16, and then passing the ASN. 1
  • the result of the coding is a result obtained by directly encoding the DH key through base64/32/16, and may also encode the DH key first by using base64/32/16, and then encoding by ASN.1.
  • the result can also be obtained by directly encoding the X coordinate of the ECDH key through base64/32/16, or by first encoding the Y coordinate of the ECDH key through base64/32/16, and then passing the ASN. 1
  • the third network key is a network key regenerated by the first device.
  • the first device may update its own network key according to the preset period, and send the updated network key to the second device, thereby improving the first The security of the shared key between the device and the second device.
  • the method may further include: the first device generating a new first shared key according to the second network key.
  • the new first shared key is a pre-key for performing handshake authentication again between the first device and the second device.
  • the first device may generate a DH shared key according to the DH key generation algorithm, according to the private key corresponding to the third network key, and the second network key, and share the key by DH or shared by DH.
  • the new first shared key may be DH (A-net-priv', B-net-pub).
  • the first device may further generate an ECDH shared key according to the ECDH key generation algorithm according to the private key corresponding to the third network key and the second network key, and share the key by ECDH, or by ECDH
  • the key derived from the shared key is used as the new first shared key.
  • the new first shared key may be ECDH (A-net-priv', B-net-pub).
  • the first device sends the third network key to the configuration device.
  • the third network key is sent to the configuration device by the first device, so that the configuration device reconstructs the third connection information according to the third network key, and sends the third connection information Give the first device.
  • the first device receives the third connection information sent by the configuration device.
  • the third connection information includes the third signature information and the third network key, and the third signature information is obtained by the configuration device by using the second signature generation key to sign the third network key.
  • the third connection information may be referred to by Connector3
  • the third signature information may be referred to by signature3
  • the third network key may be referred to by A-net-pub'.
  • the configuration device may sign A-net-pub' according to C-sign-key2 according to a signature algorithm such as DSA, ECDSA or RSA to obtain signature3.
  • a signature algorithm such as DSA, ECDSA or RSA
  • the third connection information configured by the configuration device may be specifically:
  • the netKey in Connector3 is A-net-pub'
  • the signature3 in Connector3 is obtained by signing A-net-pub'.
  • the first device sends a third message to the second device.
  • the third message carries the third connection information.
  • the third message may be referred to by M3.
  • the first device sending, by the first device, the third message to the second device, so that the second device acquires the third network key, and generates a new second shared key according to at least the third network key, the new second share
  • the key is a pre-key between the first device and the second device, and the pre-key is used for handshake authentication between the first device and the second device.
  • the third connection information carried by the third message received by the second device may be specifically:
  • the specific process of the second device verifying the Connector 3 may be: first, the second device verifies that the netID in the Connector 3 matches the net ID in the Connector 1, and if the match, continues to verify the Connector 1; if not, the authentication is aborted.
  • the netID in the Connector3 and the netID in the Connector1 are both SSIDs, and the two are matched; then, the second device verifies whether the peerKey in the Connector3 is a network key or a wildcard generated by itself, and if the matching, continues to verify the Connector3, If the matching does not match, the authentication is abandoned.
  • the peerKey in the Connector3 is a wildcard, and the peerKey is matched.
  • the second device verifies whether the initiator in the Connector3 is a trusted device, and if so, continues to verify the Connector3, if not, then gives up. It is verified that, in the embodiment of the present invention, the initiator in the Connector 3 is a C-id, that is, the identification information of the device is configured, so that the device is trusted; finally, the second device verifies whether the signature3 is legal according to C-sign-key1, and if it is legal, Determining that Connector 3 is legal, and if not, abandoning the verification, in the embodiment of the present invention.
  • the configuration device signature3 by C-sign-key2 signature is, therefore signature3 method, therefore, the second device determined Connector3 method, i.e., the second device determines that the first device is valid.
  • the second device determines that the Connector3 is legal, and the netKey in the Connector3 is different from the netKey in the Connector1, the second device considers that the netKey in the Connector3 is the updated network key of the first device, and according to the A- Net-pub', regenerate the shared key.
  • the second device generates a new second shared key according to the third network key.
  • the new second shared key is a pre-key for performing handshake authentication again between the second device and the first device.
  • the second device may perform the DH key generation algorithm according to the second network key pair.
  • the private key, and the third network key generate a DH shared key, and use the DH shared key or the key derived from the DH shared key as the new second shared key.
  • the new second shared key may be DH (B-net-priv, A-net-pub').
  • the second device may further generate an ECDH shared key according to the ECDH key generation algorithm, according to the private key corresponding to the second network key, and the third network key, and share the key by ECDH, or by ECDH
  • the key derived from the shared key is used as the new second shared key.
  • the new second shared key may be ECDH (B-net-priv, A-net-pub').
  • the first device is configured according to the private key corresponding to the third network key and the new first shared key generated by the second network key
  • the second device is configured according to the second network.
  • the private key corresponding to the key and the new second shared key generated by the third network key are the same.
  • the new first shared key generated by the first device is the same as the new second shared key generated by the second device, and the handshake authentication between the first device and the second device can be implemented. .
  • steps 315 to 318 are optional steps.
  • the method for configuring the first embodiment of the present invention first configures the device to perform out-of-band communication with the second device, obtains a second device out-of-band key, and sends the second device out-of-band key to the first device, so that the first The device generates an encryption key according to the second device out-of-band key, and then the first device generates a first signature generation key and a first signature verification key, and receives a second network key sent by the second device, and finally the first device Generating a key according to the first signature, signing the second network key, obtaining the first signature information, and transmitting the first connection information encrypted according to the encryption key to the second device, where the first connection information includes the first signature information And a second network key.
  • the embodiment of the present invention obtains the out-of-band key of the second device by configuring the device to perform out-of-band communication with the second device, and The device sends the second device to the first device, so that the first device can be configured to communicate with the second device, that is, when the device is configured with the second device.
  • the in-band communication cannot be performed, for example, a device does not support in-band communication, or the configuration device does not match the in-band communication mode supported by a device, and the second device can be configured by the first device, thereby improving The success rate of the device configuration.
  • the technical solution provided by the embodiment of the present invention is applied to a configuration system.
  • the system architecture of the present invention is as shown in FIG. 4, and the configuration system includes a first device, a second device, a configuration device, and a third device, and the configuration device is first. In-band communication between the devices, the outband communication between the configuration device and the second device, and in-band communication between the configuration device and the third device, and the second device is configured on the first device.
  • the embodiment of the invention provides a method for configuring, which can improve the success rate of configuration of the device. As shown in FIG. 5, the method includes:
  • the third device receives the first signature verification key and the first network key sent by the configuration device.
  • the third device supports in-band communication, and may perform in-band communication with the configuration device, or perform in-band communication with the second device.
  • the third device may be specifically: a wireless AP, a smart terminal, a wearable device, or a smart home device.
  • smart terminals include mobile phones, mobile phone tablets, tablets and computers
  • wearable devices include smart glasses, smart watches, smart bracelets, smart rings, smart necklaces, smart shoes, smart hats, smart helmets, smart clothes and smart knee pads.
  • Smart homes include smart TVs, smart stereos, smart refrigerators, smart washing machines, smart air conditioners, smart lights, smart curtains and smart alarms.
  • the configuration device is configured to configure the device, or assist the device to configure other devices.
  • the configuration device may be an external configuration device or an internal configuration device, which is not limited in the embodiment of the present invention.
  • the external configuration device may be a wireless device with rich UI and strong computing power.
  • the external configuration device may be a smart phone, a smart tablet, a smart glasses, a smart watch, or the like, or may be installed with an associated application unit.
  • the internal configuration device can also be a set of application modules integrated in the hardware unit and can interact with other devices through the UI provided by the hardware unit.
  • the internal configuration device may be a configuration unit integrated in the wireless AP, and the configuration unit may implement an input in a configuration process through an input unit of the wireless AP, and realize an output in a configuration process through an output unit of the wireless AP.
  • the first device has configured the second device.
  • the device is configured to obtain an out-of-band key of the second device by performing out-of-band communication with the second device, and send the key to the first device; and then perform in-band communication between the first device and the second device.
  • the first device configures the second device.
  • the out-of-band communication refers to a communication mode in which the communication distance is relatively short
  • the in-band communication refers to a communication method in which the communication distance is relatively long
  • the in-band communication may be: Bluetooth, Bluetooth low energy, Wi-Fi, ZigBee, UWB, WiGig, etc.
  • out-of-band communication may be: RFID, NFC, infrared, laser, ultrasonic, capacitive screen short-range transmission, optical Identification or acoustic recognition, etc.
  • the second device when the manner of performing out-of-band communication between the configuration device and the second device is optical recognition, the second device first provides a two-dimensional code including the out-of-band key of the second device; and then configures the device to scan through its own camera module.
  • the two-dimensional code is decoded and obtained to obtain the verification information material; finally, the configuration device obtains the verification information according to the verification information material, and sends the verification information to the first device, or the configuration device directly sends the verification information material to the first device, so that The first device acquires the verification information according to the verification information material.
  • the second device plays the verification information material through its own acoustic module, and then the configuration device listens to the verification information material; finally, the device is configured according to The verification information material obtains the verification information and sends the verification information to the first device, or the configuration device directly sends the verification information material to the first device, so that the first device acquires the verification information according to the verification information material.
  • the embodiment of the present invention is not limited to the outband communication between the configuration device and the second device, and any other manner that can implement communication between the configuration device and the second device is applicable to the embodiment of the present invention, for example, In-band communication can be performed between the configuration device and the second device.
  • the verification information material and the verification information may be mutually converted by a specific codec mode, or may be the same information, which is not limited by the embodiment of the present invention.
  • the mutual conversion can be directly performed by the base64/32/16 encoding mode; or the encoding can be performed first by base64/32/16, and then by ASN.1 encoding. Ways to achieve mutual conversion.
  • the first signature verification key is generated by the first device and sent to the configuration device, and the first signature verification key is used to decrypt the information signed by the first device, where the first network key is used by the first device.
  • the embodiment of the present invention is not limited to the foregoing that the second device generates the shared key according to the first network key, and any other device that can communicate with the first device may generate the shared key according to the first network key. .
  • the first network key may be a symmetric key or an asymmetric key, which is not limited in the embodiment of the present invention.
  • the second network key may be a DH public key; or may be an ECDH public key; or may be an X coordinate or a Y coordinate of the ECDH public key. .
  • the second network key may also be a result of further encoding the key.
  • the second network key is a result obtained by directly encoding the DH key through base64/32/16, and may also encode the DH key first by using base64/32/16, and then encoding by ASN.1.
  • the result can also be obtained by directly encoding the X coordinate of the ECDH key through base64/32/16, or by first encoding the Y coordinate of the ECDH key through base64/32/16, and then passing the ASN. 1
  • the result of the coding is a result obtained by directly encoding the DH key through base64/32/16, and may also encode the DH key first by using base64/32/16, and then encoding by ASN.1.
  • the result can also be obtained by directly encoding the X coordinate of the ECDH key through base64/32/16, or by first encoding the Y coordinate of the ECDH key through base64/32/16, and then passing the ASN. 1
  • the third device receives the first message sent by the second device.
  • the first message carries the first connection information, where the first connection information includes the first signature information and the peer network key, and the first signature information is used by the first device to generate the second network key by using the first signature generation key.
  • the signature is obtained, the first signature generation key is generated by the first device, the first signature generation key is used for signing by the first device, and the first signature generation key and the first signature verification key are generated.
  • the second network key is generated by the second device, and the second network key is used by the first device or the third device to generate the shared key.
  • the embodiment of the present invention is not limited to the foregoing first device or the third device generating a shared key according to the second network key, and any other device that can communicate with the second device may be based on the second network key.
  • Generate a shared secret any other device that can communicate with the second device may be based on the second network key.
  • the third device determines, according to the first network key, whether the peer network key is legal.
  • the fourth network key is generated by the third device.
  • the third device may determine whether the peer network key is a trusted network key, thereby determining whether the peer network key is legal.
  • the trust network key is a first network key or a fourth network key.
  • the trusted network key when the first device has configured the second device, the trusted network key is the first network key; or when the third device configures the second device, the trusted network key is the fourth network key.
  • the third device determines, according to the first signature information, whether the second device is legal.
  • the first connection information may further include a second network key.
  • the third device may decrypt the first signature information according to the first signature verification key, obtain a decryption result, and compare the decrypted result with the second network key, if the decryption result is dense with the second network. If the key matches, the third device determines that the second device is legitimate.
  • the method for configuring the embodiment of the present invention when the first device has configured the second device, first configuring the device to send the first signature verification key and the first network key to the third device, the first signature verification key and the first A network key is generated by the first device and sent to the configuration device, and then the second device sends a first message carrying the first connection information to the third device, where the first connection information includes the first signature information and the peer network key.
  • the third device determines whether the peer network key is legal according to the first network key. If the peer network key is legal, the third device determines whether the second device is legal according to the first signature information.
  • the embodiment of the present invention is configured by the first device according to the second device out-of-band key pair.
  • the device is configured, the second device out-of-band key is obtained by out-of-band communication between the configuration device and the second device, and the configuration device sends the first signature verification key and the first network key to the third device, and second The device sends the first connection information to the third device, and the third device determines whether the peer network key in the first connection information is legal according to the first network key, and determines the first according to the first signature verification key. Whether the first signature information in the connection information is legal, so that the second device configured by the first device can be configured to the third device, that is, the third device is configured to configure the second device, thereby improving the success rate of the device configuration.
  • the embodiment of the present invention provides another method for configuring, as shown in FIG. 6, the method includes:
  • the third device receives the first signature verification key and the first network key that are sent by the configuration device.
  • the third device supports in-band communication, and may perform in-band communication with the configuration device, or perform in-band communication with the second device.
  • the third device may be specifically: a wireless AP, a smart terminal, a wearable device, or a smart home device.
  • smart terminals include mobile phones, mobile phone tablets, tablets and computers
  • wearable devices include smart glasses, smart watches, smart bracelets, smart rings, smart necklaces, smart shoes, smart hats, smart helmets, smart clothes and smart knee pads.
  • Smart homes include smart TVs, smart stereos, smart refrigerators, smart washing machines, smart air conditioners, smart lights, smart curtains and smart alarms.
  • the configuration device is configured to configure the device, or assist the device to configure other devices.
  • the configuration device may be an external configuration device or an internal configuration device, which is not limited in the embodiment of the present invention.
  • the external configuration device may be a wireless device with rich UI and strong computing power.
  • the external configuration device may be a smart phone, a smart tablet, a smart glasses, a smart watch, or the like, or may be installed with an associated application unit.
  • the internal configuration device can also be a set of application modules integrated in the hardware unit and can interact with other devices through the UI provided by the hardware unit.
  • the internal configuration device can be configured in the wireless AP.
  • the configuration unit can The input in the configuration process is implemented by the input unit of the wireless AP, and the output in the configuration process is realized by the output unit of the wireless AP.
  • the first device has configured the second device.
  • the device is configured to obtain an out-of-band key of the second device by performing out-of-band communication with the second device, and send the key to the first device; and then perform in-band communication between the first device and the second device.
  • the first device configures the second device.
  • the out-of-band communication refers to a communication mode in which the communication distance is relatively short
  • the in-band communication refers to a communication method in which the communication distance is relatively long
  • the in-band communication may be: Bluetooth, Bluetooth low energy, Wi-Fi, ZigBee, UWB, WiGig, etc.
  • out-of-band communication may be: RFID, NFC, infrared, laser, ultrasonic, capacitive screen short-range transmission, optical Identification or acoustic recognition, etc.
  • the second device when the manner of performing out-of-band communication between the configuration device and the second device is optical recognition, the second device first provides a two-dimensional code including the out-of-band key of the second device; and then configures the device to scan through its own camera module.
  • the two-dimensional code is decoded and obtained to obtain the verification information material; finally, the configuration device obtains the verification information according to the verification information material, and sends the verification information to the first device, or the configuration device directly sends the verification information material to the first device, so that The first device acquires the verification information according to the verification information material.
  • the second device plays the verification information material through its own acoustic module, and then the configuration device listens to the verification information material; finally, the device is configured according to The verification information material obtains the verification information and sends the verification information to the first device, or the configuration device directly sends the verification information material to the first device, so that the first device acquires the verification information according to the verification information material.
  • the embodiment of the present invention is not limited to the outband communication between the configuration device and the second device, and any other manner that can implement communication between the configuration device and the second device is applicable to the embodiment of the present invention, for example, In-band communication can be performed between the configuration device and the second device.
  • the verification information material and the verification information may pass a specific
  • the coding and decoding modes are mutually converted, and may be the same information, which is not limited in the embodiment of the present invention.
  • the mutual conversion can be directly performed by the base64/32/16 encoding mode; or the encoding can be performed first by base64/32/16, and then by ASN.1 encoding. Ways to achieve mutual conversion.
  • the first signature verification key is generated by the first device and sent to the configuration device, where the first signature verification key is used to decrypt the information signed by the first device, and the first network key is generated by the first device and sent to the first device.
  • the device is configured, and the first network key is used by the second device to generate a shared key.
  • the embodiment of the present invention is not limited to the foregoing that the second device generates the shared key according to the first network key, and any other device that can communicate with the first device may generate the shared key according to the first network key. .
  • the first signature verification key may be referred to by A-sign-key1, and the first network key may be referred to by A-net-pub.
  • A is used to identify the first device
  • B is used to identify the second device
  • C is used to identify the configuration device
  • D is used to identify the third device
  • sign is used to indicate the signature (Signature)
  • key is used to Indicates the key
  • key1 is used to indicate the authentication key
  • key2 is used to indicate the generated key
  • net is used to represent the network
  • pub is used to indicate public
  • priv is used to indicate private.
  • the embodiment of the present invention is not limited to the foregoing identification manners for each device, and the manner of identifying each key, and any other manner that can be used to identify the device or the key, the embodiments of the present invention are applicable.
  • the first device generates a pair of signature keys, which are a first signature verification key and a first signature generation key, respectively.
  • the first signature verification key is used to send the information signed by the first device by using the first signature verification key.
  • the first signature generation key is used to configure the device. signature.
  • the first network key may be a symmetric key or an asymmetric key, which is not limited in the embodiment of the present invention.
  • the first network key when the first network key is an asymmetric key, the first network key may be a DH public key; or may be an ECDH public key; or may be an X coordinate or a Y coordinate of the ECDH public key. .
  • the first network key may also be a result of further encoding the key.
  • the first network key is a result obtained by directly encoding the DH key through base64/32/16, and the DH key may first be encoded by base64/32/16, and then encoded by ASN.1.
  • the result can also be obtained by directly encoding the X coordinate of the ECDH key through base64/32/16, or by first encoding the Y coordinate of the ECDH key through base64/32/16, and then passing the ASN. 1 The result of the coding.
  • the third device generates a fourth network key.
  • the fourth network key is used by the second device to generate a shared key.
  • the fourth network key may be referred to by D-net-pub.
  • the embodiment of the present invention is not limited to the foregoing that the second device generates the shared key according to the fourth network key, and any other device that can communicate with the third device may generate the shared key according to the fourth network key. .
  • the third device sends the fourth network key to the configuration device.
  • the third device receives the fourth connection information sent by the configuration device.
  • the fourth connection information includes a fourth signature information and a fourth network key.
  • the fourth signature information is obtained by the configuration device by using a second signature generation key to sign the fourth network key, and the second signature generates a key and a second signature.
  • the second signature verification key is generated by the configuration device, the second signature generation key is used to configure the device for signature, the second signature verification key is used to decrypt the information signed by the configuration device, and the second signature generates the key and the second signature.
  • the verification keys correspond to each other.
  • the fourth connection information may be referred to by Connector4
  • the fourth signature information may be referred to by signature
  • the second signature verification key may be referred to by C-sign-key1
  • the second signature is generated.
  • the key can be referred to by C-sign-key2.
  • the configuration device generates a pair of signature keys, which are a second signature verification key and a second signature generation key, respectively.
  • the second signature verification key is used to send the information to the other device, so that the other device can decrypt the information signed by the second device by using the second signature verification key; the second signature generation key is used to configure the device. signature.
  • the second signature generation key and the second signature verification key are In the case of an asymmetric key, the second signature generation key is a corresponding private key, and the second signature verification key is a corresponding public key; or, when the second signature generation key is symmetric with the second signature verification key When the key is used, the second signature generation key is the same as the second signature verification key.
  • connection information may include: network identification information, peer network key information, network key information to be configured, configuration device identification information, and signature information of the configuration device.
  • specific manifestation of the connection information may be:
  • the net ID is used to indicate the network identifier of the network to be configured or added to be configured.
  • the PeerKey is used to indicate the network key of the peer device to which the device to be configured is configured to connect. In the embodiment of the present invention, when the PeerKey is a wildcard (wildcard), it indicates that the device to be configured can be connected to all devices in the network.
  • the fourth connection information configured by the configuration device may be specifically:
  • the SSID is the network identifier.
  • the netID is the SSID of the wireless AP;
  • the wildcard is a wildcard.
  • the peerKey is a wildcard, the first device can connect with all devices in the network; C-id To configure the identification information of the device.
  • the configuration device may be according to a signature algorithm such as DSA, ECDSA or RSA, according to C-sign-key2, sign D-net-pub and get signature4.
  • a signature algorithm such as DSA, ECDSA or RSA, according to C-sign-key2, sign D-net-pub and get signature4.
  • the configuration device may also sign the D-net-pub and other items according to the signature algorithm such as DSA, ECDSA or RSA according to C-sign-key2 to obtain signature4.
  • the other item may be any one of the SSID, the wildcard, and the C-id, or any combination.
  • the configuration device may first convert C-sign-key2, and then according to the signature algorithm such as DSA, ECDSA or RSA, according to the converted C-sign-key2, to A-net-pub, or A. -net-pub and other items, sign and get signature4.
  • the signature algorithm such as DSA, ECDSA or RSA
  • the third device sends a fourth message to the second device.
  • the fourth message carries fourth connection information, and the fourth connection information includes fourth signature information.
  • the fourth message may be referred to by M4.
  • the third device sends a fourth message to the second device, so that the second device receives the fourth message sent by the third device, and according to the fourth signature information carried by the fourth message, and the second signature verification key. And determining whether the third device is legal.
  • the second signature verification key is configured by the first device, the second device is sent to the second device.
  • the fourth connection information carried by the fourth message received by the second device may be specifically:
  • the specific process of the second device verifying the Connector 4 may be: first, the second device verifies that the netID in the Connector 4 matches the net ID in the Connector 1, and if the match, continues to verify the Connector 1; if not, the verification is abandoned.
  • the netID in Connector4 and the netID in Connector1 are both SSIDs, and the two match; then, The second device verifies whether the peerKey in the Connector 4 is the network key or the wildcard generated by itself, and if the match is matched, the Connector 4 is continued to be verified. If the match is not matched, the authentication is discarded.
  • the peerKey in the Connector 4 is a wildcard, and therefore the peerKey matches.
  • the second device verifies whether the initiator in the Connector 4 is a trusted device, and if so, continues to verify the Connector 4, and if not, the authentication is discarded.
  • the initiator in the Connector 4 is a C-id, that is, the identification information of the device is configured. Therefore, the device trusts the device.
  • the second device verifies that the signature4 is legal according to the C-sign-key1. If it is legal, it determines that the Connector4 is legal. If it is not legal, the authentication is abandoned.
  • the signature2 is configured by the device according to C- Sign-key2 is signed, so signature4 is legal. Therefore, the second device determines that Connector4 is legal, that is, the second device determines that the first device is legitimate.
  • whether the second device verifies that the signature 4 is legal according to the C-sign-key1 may be: the second device first decrypts the fourth signature information according to the second signature verification key, obtains the decrypted result, and then decrypts As a result, the fourth network key included in the fourth connection information is compared. If the decryption result matches the fourth network key, the second device determines that the third device is legal.
  • the decryption result is matched with the fourth network key, which means that the decryption result is the same as the fourth network key; or, after the decryption result is converted, it is the same as the fourth network key; or, for the fourth After the network key is converted, it is the same as the decrypted result; or, the converted decrypted result is the same as the converted fourth network key.
  • the decryption result or the fourth network key conversion manner may be directly converted by the base64/32/16 encoding method, or the fourth network key may be converted; or may be first passed through the base64/ The 32/16 is encoded, and then the decryption result or the fourth network key is converted by the ASN.1 encoding method.
  • the fourth signature information may be generated by the configuration device according to the second signature generation key, and the network key and other items to be configured in the fourth connection information are obtained.
  • the other item is any one or any combination of the network identifier, the peer network key, and the configuration device identifier in the fourth connection information.
  • the decryption result matches the fourth network key, which means The fourth network key and other items are the same as the decryption result; or, after the fourth network key and other items are converted, the decryption result is the same; or, after the decryption result is converted, the fourth network key and The other items are the same; or, the converted fourth network key and other items are the same as the converted decrypted result.
  • the second device decrypts signature4 according to C-sign-key1, and obtains decryption.
  • the decryption result is the same as D-net-pub, SSID, wildcard, and C-id; or, the converted decryption result is the same as D-net-pub, SSID, wildcard, and C-id; or, the decryption result,
  • the converted D-net-pub, SSID, wildcard, and C-id are the same; or, the converted decrypted result is the same as the converted D-net-pub, SSID, wildcard, and C-id.
  • the conversion mode is a hash conversion
  • signature4 is signed by the configuration device according to C-sign-key2
  • D-net-pub, SSID, wildcard, and C-id are hashed
  • the second device is configured according to the second device.
  • C-sign-key1 decrypts signature4 to obtain the decrypted result, which is the same as the result of hashing D-net-pub, SSID, wildcard and C-id.
  • the second device determines that the Connector 4 is legal, and the netKey in the Connector 4 is different from the netKey in the Connector 1, the second device considers the netKey in the Connector 4 to be the updated network key, and according to the D-net-pub , regenerate the shared key.
  • the second device generates a fourth shared key according to the fourth network key.
  • the fourth shared key is a pre-key for performing handshake authentication between the third device and the first device.
  • the second device may generate a DH shared key according to the DH key generation algorithm, according to the private key corresponding to the second network key, and the fourth network key, and share the key by DH or shared by DH.
  • the fourth shared key may be DH (B-net-priv, D-net-pub).
  • the second device may further generate an ECDH shared key according to the ECDH key generation algorithm, according to the private key corresponding to the second network key, and the fourth network key, and share the key by ECDH, or by ECDH
  • the key derived from the shared key is used as the fourth shared key.
  • the fourth shared key may be ECDH (B-net-priv, D-net-pub).
  • the third device receives the first message sent by the second device.
  • the first message carries the first connection information, where the first connection information includes the first signature information and the peer network key, and the first signature information is used by the first device to generate the second network key by using the first signature generation key.
  • the signature is obtained, the first signature generation key is generated by the first device, the first signature generation key is used for signing by the first device, and the first signature generation key and the first signature verification key correspond to each other, and the second network The key is generated by the second device, and the second network key is used by the first device or the third device to generate the shared key.
  • the first message may be referred to by M1
  • the first connection information may be referred to by Connector1
  • the first signature information may be referred to by signature1
  • the second network key may be used by B-net- Pub to refer to.
  • the first connection information that is configured by the first device may be specifically:
  • the method may further include: first, the third device verifies whether the netID in the Connector1 matches the netID in the Connector4, and if the matching, continues to verify the Connector1, and if not, the verification is abandoned, in the embodiment of the present invention.
  • the netID in Connector1 and the netID in Connector4 are both SSIDs, and the two match.
  • the third device determines, according to the first network key, whether the peer network key is legal.
  • step 607 may be that the third device determines whether the peer network key is a trusted network key.
  • the trusted network key includes a first network key or a fourth network key. Specifically, when the first device has configured the second device, the trusted network key is the first network key; or when the third device configures the second device, the trusted network key is the fourth network key.
  • the third device verifies whether the peerKey in Connector1 is A-net-pub or D-net-pub or wildcard, if it matches, continue to verify Connector1. If it does not match, the authentication is discarded.
  • the peerKey in Connector1 is A-net-pub, and therefore the peerKey matches.
  • the method may further include: determining, by the third device, whether the initiator in the connector 1 is a trusted device, and if yes, continuing to verify the connector 1, and if not, abandoning the verification, in the embodiment of the present invention, the initiator in the connector 1 is A. -id, which is its own identification information, so it is a trusted device.
  • the third device decrypts the first signature information by using the first signature verification key to obtain a decryption result.
  • the third device verifies whether the signature1 is legal according to the A-sign-key1, and determines that the Connector1 is legal if it is legal, and the authentication is discarded if it is not.
  • the signature1 is performed by the first device according to the A-sign-key2. The signature is obtained, so signature1 is legal. Therefore, the third device determines that Connector1 is legal, that is, the third device determines that the second device is legitimate.
  • the first signature generation key and the first signature verification key are asymmetric keys
  • the first signature generation key is a corresponding private key
  • the first signature verification key is corresponding.
  • the third device compares the decrypted result with the second network key.
  • the first connection information may further include a second network key.
  • the third device determines that the second device is legal.
  • the decryption result is matched with the second network key, which means that the decryption result is the same as the second network key; or, after the decryption result is converted, it is the same as the second network key; or, for the second After the network key is converted, it is the same as the decrypted result; or, the converted decrypted result is the same as the converted second network key.
  • the decryption result or the second network key conversion manner may be performed by directly converting the decryption result or the second network key by using the base64/32/16 encoding mode. Change; can also be first encoded by base64/32/16, and then converted by the ASN.1 encoding method, or the second network key.
  • the first signature information may be generated by the first device according to the first signature, and the network key and other items to be configured in the first connection information are signed.
  • the other item is any one or any combination of the network identifier, the peer network key, and the configuration device identifier in the first connection information.
  • the decryption result matches the second network key, which means that the second network key and other items are the same as the decryption result; or, after the second network key and other items are converted, the decryption result is the same; or After the decryption result is converted, it is the same as the second network key and other items; or the converted second network key and other items are the same as the converted decryption result.
  • the third device performs signature1 according to A-sign-key1.
  • Decrypting to obtain the decrypted result which is the same as B-net-pub, SSID, A-net-pub, and A-id; or, the decrypted result after conversion, and B-net-pub, SSID, A-net -pub and A-id are the same; or, the decryption result is the same as the converted B-net-pub, SSID, A-net-pub, and A-id; or, the converted decrypted result, and the converted B- Net-pub, SSID, A-net-pub, and A-id are the same.
  • the conversion mode is a hash conversion
  • signature1 is hashed by the first device according to A-sign-key2
  • B-net-pub, SSID, A-net-pub, and A-id are hashed
  • the first device decrypts signature1 according to A-sign-key1, and obtains a decrypted result, which is the same as the result of hashing B-net-pub, SSID, A-net-pub, and A-id.
  • the third device generates a third shared key according to at least the second network key.
  • the third shared key is a pre-key for performing handshake authentication between the third device and the second device.
  • the third device generates a DH shared key according to the Diffey Herman DH key generation algorithm, generates a DH shared key according to the private key corresponding to the fourth network key, and the second network key, and shares the key with the DH. Or a key derived from a DH shared key as a third shared key.
  • the first The four network key is used by the second device to generate a shared key.
  • the third shared key may be DH (D-net-priv, B-net-pub).
  • the private key corresponding to the fourth network key may be D-net-priv.
  • the embodiment of the present invention is not limited to the foregoing that the second device generates the shared key according to the fourth network key, and any other device that can communicate with the third device may generate the shared key according to the fourth network key. .
  • the third device generates the ECDH shared key according to the eleven-hertz EDCH key generation algorithm based on the elliptic curve cryptosystem, according to the private key corresponding to the fourth network key, and the second network key. And the ECDH shared key or the key derived from the ECDH shared key is used as the third shared key.
  • the third shared key may be ECDH (D-net-priv, B-net-pub).
  • the third device can correspond to the second device according to the second network key according to the private key corresponding to the fourth network key and the third shared key generated by the second network key.
  • the private key and the fourth shared key generated by the fourth network key are the same.
  • the third shared key generated by the third device is the same as the fourth shared key generated by the second device, and the handshake authentication between the third device and the second device can be implemented.
  • the method for configuring the embodiment of the present invention when the first device has configured the second device, first configuring the device to send the first signature verification key and the first network key to the third device, the first signature verification key and the first A network key is generated by the first device and sent to the configuration device, and then the second device sends a first message carrying the first connection information to the third device, where the first connection information includes the first signature information and the peer network key.
  • the third device determines whether the peer network key is legal according to the first network key. If the peer network key is legal, the third device determines whether the second device is legal according to the first signature information.
  • the second device is configured according to the second device out-of-band key, and the second device has an out-of-band key, compared with the configuration of the first device and the second device by using the configuration device. Obtained by the outband communication between the configuration device and the second device, and the configuration device sends the first signature verification key and the first network secret to the third device.
  • the second device sends the first connection information to the third device, and the third device determines whether the peer network key in the first connection information is legal according to the first network key, and verifies the key according to the first signature. Determining whether the first signature information in the first connection information is legal, so that the second device configured by the first device can be configured to the third device, that is, the third device is configured to configure the second device, thereby improving device configuration. Success rate.
  • the embodiment of the present invention further provides a device for configuring, the device may be located in a first device, the first device is located in a configuration system, and the configuration system includes a first device. And the second device and the configuration device, the in-band communication between the configuration device and the first device, and the out-of-band communication between the configuration device and the second device, the device may be configured to configure the second device, as shown in FIG. 7
  • the device includes a receiving unit 71, a generating unit 72, a transmitting unit 73, and a signing unit 74.
  • the receiving unit 71 is configured to receive a second device out-of-band key sent by the configuration device.
  • the second device out-of-band key is obtained by the configuration device by performing out-of-band communication with the second device.
  • the generating unit 72 is configured to generate an encryption key according to the second device out-of-band key received by the receiving unit 71.
  • the encryption key is used to encrypt information sent by the first device to the second device.
  • the generating unit 72 is further configured to generate a first signature generation key and a first signature verification key.
  • the first signature generation key and the first signature verification key are generated by the first device, the first signature generation key is used for signing by the first device, and the first signature verification key is used for signing information of the first device. Decryption is performed, and the first signature generation key and the first signature verification key correspond to each other.
  • the receiving unit 71 is further configured to receive a second network key sent by the second device.
  • the second network key is generated by the second device, and the second network key is used by the first device to generate the shared key.
  • the signing unit 74 is configured to sign the second network key received by the receiving unit 71 by using the first signature generation key to obtain the first signature information.
  • the first signature generation key is generated by the first device, and the first signature generation key is used for signing by the first device, and the first signature generation key and the first signature verification key correspond to each other.
  • the sending unit 73 is configured to send the encrypted first connection information to the second device.
  • the first connection information includes the first signature information and the second network key that are signed by the signature unit 74, and the encrypted first connection information is obtained by the first device encrypting the first connection information by using the first key.
  • a key is obtained by the first device according to the encryption key generated by the generating unit 72, so that the second device acquires and sends the first connection information to the first device, where the first connection information is used by the first device to determine whether the second device is legal. .
  • the second device is configured to acquire the first connection information.
  • the receiving unit 71 is further configured to receive the second signature verification key sent by the configuration device before the receiving unit 71 receives the second device out-of-band key.
  • the second signature verification key is generated by the configuration device, and the second signature verification key is used to decrypt the information signed by the configuration device.
  • the generating unit 72 is further configured to generate a first network key.
  • the first network key is used by the second device to generate a shared key.
  • the sending unit 73 is further configured to send the first network key generated by the generating unit 72 to the configuration device.
  • the configuration device is configured to generate and send the second connection information to the first device according to at least the first network key.
  • the receiving unit 71 is further configured to: after the sending unit 73 sends the first network key, receive the second connection information sent by the configuration device.
  • the second connection information includes the second signature information and the first network key, and the second signature information is obtained by the configuration device by using the second signature generation key to sign the first network key, and the second signature generation key is configured by The device generates a second signature generation key for configuring the device to perform signature, and the second signature generation key and the second signature verification key correspond to each other.
  • the second signature generation key and the second signature verification key are asymmetric keys
  • the second signature generation key is a corresponding private key
  • the second signature verification key is a pair.
  • the public key should be.
  • the second signature generation key and the second signature verification key are symmetric keys
  • the second signature generation key is the same as the second signature verification key.
  • the sending unit 73 is further configured to send the second message.
  • the second message carries the second connection information, and the second connection information includes the second signature information.
  • the second device is configured to receive the second message sent by the first device, and determine, according to the second signature information carried in the second message, whether the first device is legal, and at least according to the first network in the second signature information.
  • the key generates a second shared key, and the second shared key is a pre-key between the first device and the second device, and the pre-key is used for handshake authentication between the first device and the second device.
  • the generating unit 72 is further configured to generate a third network key.
  • the third network key is used by the second device to generate a shared key.
  • the sending unit 73 is further configured to send the third network key to the configuration device.
  • the receiving unit 71 is further configured to receive third connection information sent by the configuration device.
  • the third connection information includes the third signature information and the third network key, and the third signature information is obtained by the configuration device by using the second signature generation key to sign the third network key.
  • the sending unit 73 is further configured to send the encrypted third message to the second device.
  • the encrypted second signature verification key is obtained by the first device according to the encryption key, and the third message carries the third connection information.
  • the second device obtains a third network key, and generates a new second shared key according to at least the third network key, where the new second shared key is between the first device and the second device.
  • the pre-key is used for handshake authentication between the first device and the second device.
  • the first signature generation key and the first signature verification key are asymmetric keys
  • the first signature generation key is a corresponding private key
  • the first signature verification key is corresponding.
  • the sending unit 73 is further configured to send the encrypted second signature verification key to the second device.
  • the encrypted second signature verification key is obtained by the first device encrypting the second signature verification key by using the second key, and the second key is obtained by the first device according to the encryption key.
  • the first device is determined to be legal, so that the second device receives the second signature verification key, and according to the second signature verification key and the second signature information carried by the second message.
  • the receiving unit 71 is further configured to receive the first message sent by the second device.
  • the apparatus may further include: a determining unit 81.
  • the first message carries the first connection information.
  • the determining unit 81 is configured to determine, according to the first signature information carried in the first message, that the second device is legal.
  • the determining unit 81 is configured to determine, according to the first signature information carried in the first message, whether the device that obtains the first signature information by signature is a trusted device.
  • the trusted device is the first device or the configuration device.
  • the device further includes: a decryption unit 82 and a comparison unit 83.
  • the decryption unit 82 is configured to decrypt the first signature information by using the first signature verification key to obtain a decryption result.
  • the comparing unit 83 compares the decrypted result obtained by decrypting the decrypting unit 82 with the second network key included in the first connection information.
  • the determining unit 81 is specifically configured to determine that the second device is legal when the comparing unit 83 matches the decrypted result with the second network key.
  • the generating unit 72 is further configured to: when the determining unit 81 determines that the second device is legal, generate the first shared key according to at least the second network key.
  • the first shared key is a pre-key between the first device and the second device, and the pre-key is used for handshake authentication between the first device and the second device.
  • the generating unit 72 is specifically configured to generate a DH shared key according to the Diffey Herman DH key generation algorithm according to the private key corresponding to the first network key and the second network key, and share the key with the DH. Or a key derived from a DH shared key as the first shared key.
  • the generating unit 72 is specifically used for the Diffel Hermann based on the elliptic curve cryptosystem
  • the ECDH key generation algorithm generates an ECDH shared key according to the private key corresponding to the first network key and the second network key, and uses the ECDH shared key or the key derived from the ECDH shared key as The first shared key.
  • the determining unit 81 is further configured to determine whether the second device stores the private key corresponding to the second device out-of-band key.
  • the private key corresponding to the second device out-of-band key and the second device out-of-band key correspond to each other.
  • the private key corresponding to the out-of-band key of the second device when the private key corresponding to the out-of-band key of the second device is an asymmetric key, the private key corresponding to the out-of-band key of the second device is a private key.
  • the second device out-of-band key is a public key.
  • the private key corresponding to the out-of-band key of the second device is a symmetric key between the external key of the second device, the private key corresponding to the out-of-band key of the second device is the same as the out-of-band key of the second device. .
  • the determining unit 81 is further configured to determine that the second device is legal when the second device stores the private key corresponding to the second device out-of-band key.
  • the device provided by the embodiment of the present invention first configures the device to perform out-of-band communication with the second device, obtains a second device out-of-band key, and sends the second device out-of-band key to the first device, and then the first device.
  • the embodiment of the present invention obtains the out-of-band key of the second device by configuring the device to perform out-of-band communication with the second device, and The device sends the second device to the first device, so that the first device can be configured to communicate with the second device, that is, the device cannot be configured between the device and the second device.
  • in-band communication for example, a device does not support in-band communication, or the configuration device does not match the in-band communication mode supported by a device, and the second device can be configured by the first device, thereby improving the device.
  • the success rate of the configuration for example, a device does not support in-band communication, or the configuration device does not match the in-band communication mode supported by a device, and the second device can be configured by the first device, thereby improving the device. The success rate of the configuration.
  • the embodiment of the present invention further provides a device, where the device is a first device, and the first device is located in a configuration system, where the configuration system includes a first device, a second device, and a configuration device, and the configuration device is configured.
  • the in-band communication between the devices is performed, and the out-of-band communication is performed between the configuration device and the second device.
  • the first device includes: a receiver 91, a processor 92, and a transmitter 93.
  • the receiver 91 is configured to receive a second device out-of-band key sent by the configuration device.
  • the second device out-of-band key is obtained by the configuration device by performing out-of-band communication with the second device.
  • the processor 92 is configured to generate an encryption key according to the second device out-of-band key received by the receiver 91.
  • the encryption key is used to encrypt information sent by the first device to the second device.
  • the processor 92 is further configured to generate a first signature generation key and a first signature verification key.
  • the first signature generation key and the first signature verification key are generated by the first device, the first signature generation key is used for signing by the first device, and the first signature verification key is used for signing information of the first device. Decryption is performed, and the first signature generation key and the first signature verification key correspond to each other.
  • the receiver 91 is further configured to receive a second network key sent by the second device.
  • the second network key is generated by the second device, and the second network key is used by the first device to generate the shared key.
  • the processor 92 is further configured to use the first signature generation key to sign the second network key received by the receiver 91 to obtain the first signature information.
  • the first signature generation key is generated by the first device, and the first signature generation key is used for signing by the first device, and the first signature generation key and the first signature verification key correspond to each other.
  • the transmitter 93 is configured to send the encrypted first connection information to the second device.
  • the first connection information includes the first signature information and the second network signed by the processor 92.
  • the first key information is obtained by the first device encrypting the first connection information by using the first key, and the first key is obtained by the first device according to the encryption key generated by the processor 92.
  • the second device acquires and sends the first connection information to the first device, where the first connection information is used by the first device to determine whether the second device is legal.
  • the receiver 91 is further configured to receive the second signature verification key sent by the configuration device before the receiver 91 receives the second device out-of-band key.
  • the second signature verification key is generated by the configuration device, and the second signature verification key is used to decrypt the information signed by the configuration device.
  • the processor 92 is further configured to generate a first network key.
  • the first network key is used by the second device to generate a shared key.
  • processor 92 in the first device may be one or more.
  • the embodiment of the present invention is described by using one example. Other embodiments may be understood by referring to the following.
  • the transmitter 93 is further configured to send the first network key generated by the processor 92 to the configuration device.
  • the configuration device is configured to generate and send the second connection information to the first device according to at least the first network key.
  • the receiver 91 is further configured to receive, after the transmitter 93 sends the first network key, the second connection information sent by the configuration device.
  • the second connection information includes the second signature information and the first network key, and the second signature information is obtained by the configuration device by using the second signature generation key to sign the first network key, and the second signature generation key is configured by The device generates a second signature generation key for configuring the device to perform signature, and the second signature generation key and the second signature verification key correspond to each other.
  • the second signature generation key and the second signature verification key are asymmetric keys
  • the second signature generation key is a corresponding private key
  • the second signature verification key is corresponding.
  • the transmitter 93 is further configured to send the second message.
  • the second message carries the second connection information, and the second connection information includes the second signature information. interest.
  • the second device is configured to receive the second message sent by the first device, and determine, according to the second signature information carried in the second message, whether the first device is legal, and at least according to the first network key in the second signature information.
  • a second shared key is generated, where the second shared key is a pre-key between the first device and the second device, and the pre-key is used for handshake authentication between the first device and the second device.
  • the processor 92 is further configured to generate a third network key.
  • the third network key is used by the second device to generate a shared key.
  • the transmitter 93 is further configured to send the third network key to the configuration device.
  • the receiver 91 is further configured to receive third connection information sent by the configuration device.
  • the third connection information includes the third signature information and the third network key, and the third signature information is obtained by the configuration device by using the second signature generation key to sign the third network key.
  • the transmitter 93 is further configured to send a third message to the second device.
  • the third message carries the third connection information.
  • the second device obtains a third network key, and generates a new second shared key according to at least the third network key, where the new second shared key is between the first device and the second device.
  • the pre-key is used for handshake authentication between the first device and the second device.
  • the first signature generation key and the first signature verification key are asymmetric keys
  • the first signature generation key is a corresponding private key
  • the first signature verification key is corresponding.
  • the transmitter 93 is further configured to send the encrypted second signature verification key to the second device.
  • the encrypted second signature verification key is obtained by the first device encrypting the second signature verification key by using the second key, and the second key is obtained by the first device according to the encryption key.
  • the first device is determined to be legal, so that the second device receives the second signature verification key, and according to the second signature verification key and the second signature information carried by the second message.
  • the receiver 91 is further configured to receive the first message sent by the second device.
  • the first message carries the first connection information.
  • the processor 92 is further configured to determine, according to the first signature information carried in the first message, that the second device is legal.
  • the processor 92 is specifically configured to determine, according to the first signature information carried in the first message, whether the device that obtains the first signature information is a trusted device.
  • the trusted device is the first device or the configuration device.
  • the processor 92 is further configured to decrypt the first signature information by using the first signature verification key to obtain a decryption result.
  • the processor 92 is further configured to compare the decrypted result with the second network key included in the first connection information.
  • the processor 92 is configured to determine that the second device is legal when the decryption result matches the second network key.
  • the processor 92 is further configured to generate the first shared key according to the second network key when determining that the second device is legal.
  • the first shared key is a pre-key between the first device and the second device, and the pre-key is used for handshake authentication between the first device and the second device.
  • the processor 92 is further configured to generate a DH shared key according to the Diffie Hermann DH key generation algorithm according to the private key corresponding to the first network key and the second network key, and share the key with the DH. Or a key derived from a DH shared key as the first shared key.
  • the processor 92 is further configured to generate an ECDH shared key according to a Diffie Hermann ECDH key generation algorithm based on an elliptic curve cryptosystem, according to a private key corresponding to the first network key, and a second network key. And the ECDH shared key or the key derived from the ECDH shared key is used as the first shared key.
  • the processor 92 is specifically configured to determine whether the second device stores the private key corresponding to the out-of-band key of the second device.
  • the private key corresponding to the second device out-of-band key and the second device out-of-band key correspond to each other.
  • the private key corresponding to the out-of-band key of the second device when the private key corresponding to the out-of-band key of the second device is an asymmetric key, the private key corresponding to the out-of-band key of the second device is a private key.
  • the second device out-of-band key is a public key; or, when the private key corresponding to the second device out-of-band key and the second device out-of-band key are symmetric keys, the second device out-of-band key corresponds to The private key is the same as the second device out-of-band key.
  • the processor 92 is further configured to determine that the second device is legal when the second device stores the private key corresponding to the outband key of the second device.
  • the device provided by the embodiment of the present invention is specifically a first device.
  • the device is configured to perform out-of-band communication with the second device, obtain an out-of-band key of the second device, and send the second device out-of-band key to the first device. So that the first device generates an encryption key according to the second device out-of-band key, and then the first device generates a first signature generation key and a first signature verification key, and receives a second network key sent by the second device, The first device generates a key according to the first signature, signs the second network key, obtains the first signature information, and sends the first connection information encrypted according to the encryption key to the second device, where the first connection information includes First signature information and a second network key.
  • the embodiment of the present invention obtains the out-of-band key of the second device by configuring the device to perform out-of-band communication with the second device, and The device sends the second device to the first device, so that the first device can be configured to communicate with the second device, that is, the device cannot be configured between the device and the second device.
  • in-band communication for example, a device does not support in-band communication, or the configuration device does not match the in-band communication mode supported by a device, and the second device can be configured by the first device, thereby improving the device.
  • the success rate of the configuration for example, a device does not support in-band communication, or the configuration device does not match the in-band communication mode supported by a device, and the second device can be configured by the first device, thereby improving the device. The success rate of the configuration.
  • the embodiment of the present invention further provides a device for configuring
  • the device may be located in a third device, the third device is located in the configuration system, and the configuration system includes the first device.
  • the second device, the configuration device, and the third device configure the device to communicate with the first device in-band, and configure the device to communicate with the second device.
  • the device performs in-band communication with the third device, and the first device has configured the second device.
  • the device can be configured to configure the second device.
  • the device includes: a receiving unit 101, and a determining unit. 102.
  • the receiving unit 101 is configured to receive a first signature verification key and a first network key that are sent by the configuration device.
  • the first signature verification key is generated by the first device and sent to the configuration device, where the first signature verification key is used to decrypt the information signed by the first device, and the first network key is generated by the first device and sent to the first device.
  • the device is configured, and the first network key is used by the second device to generate a shared key.
  • the receiving unit 101 is further configured to receive the first message sent by the second device, where the first message carries the first connection information, where the first connection information includes the first signature information and the peer network key, where the first signature information is first
  • the device generates the key by using the first signature generation key to generate the key.
  • the first signature generation key is generated by the first device, and the first signature generation key is used for signing by the first device, and the first signature generates a key.
  • the second network key is generated by the second device, and the second network key is used by the first device or the third device to generate the shared key.
  • the determining unit 102 is configured to determine, according to the first network key received by the receiving unit 101, whether the peer network key is legal.
  • the determining unit 102 is further configured to determine, according to the first signature information received by the receiving unit 101, whether the second device is legal when the peer network key is legal.
  • the determining unit 102 is specifically configured to determine whether the peer network key is a trusted network key.
  • the trusted network key includes a first network key.
  • the first connection information received by the receiving unit 101 further includes a second network key.
  • the apparatus further includes: a decryption unit 111 and a comparison unit 112.
  • the decryption unit 111 is configured to decrypt the first signature information by using the first signature verification key to obtain a decryption result.
  • the matching unit 112 the decryption result obtained by decrypting the decryption unit 111, and the second network The keys are compared.
  • the determining unit 102 is configured to determine that the second device is legal when the comparing unit 112 matches the decrypted result with the second network key.
  • the device further includes: a generating unit 113.
  • the generating unit 113 is configured to generate a third shared key according to at least the second network key received by the receiving unit 101.
  • the third shared key is a pre-key for performing handshake authentication between the third device and the second device.
  • the generating unit 113 specifically includes: according to the Diffie Hermann DH key generation algorithm, generating a DH shared key according to the private key corresponding to the fourth network key, and the second network key, and sharing the key by the DH, or The key derived from the DH shared key is used as the third shared key, and the fourth network key is used by the second device to generate the shared key. or,
  • the generating unit 113 specifically includes: according to an elliptic curve cryptosystem-based Dieffie Herman ECDH key generation algorithm, generating an ECDH shared key according to the private key corresponding to the fourth network key, and the second network key, and The ECDH shared key or the key derived from the ECDH shared key is used as the third shared key.
  • the generating unit 113 is further configured to generate a fourth network key.
  • the fourth network key is used by the second device to generate a shared key.
  • the device further includes: a sending unit 114.
  • the sending unit 114 is configured to send the fourth network key generated by the generating unit 113 to the configuration device.
  • the receiving unit 101 is further configured to receive fourth connection information that is sent by the configuration device.
  • the fourth connection information includes a fourth signature information and a fourth network key.
  • the fourth signature information is obtained by the configuration device by using a second signature generation key to sign the fourth network key, and the second signature generates a key and a second signature.
  • the second signature verification key is generated by the configuration device, the second signature generation key is used to configure the device for signature, the second signature verification key is used to decrypt the information signed by the configuration device, and the second signature generates the key and the second signature.
  • the verification keys correspond to each other.
  • the second signature generation key and the second signature verification key are asymmetric keys
  • the second signature generation key is a corresponding private key
  • the second signature verification key is corresponding.
  • the sending unit 114 is further configured to send a fourth message to the second device.
  • the fourth message carries fourth connection information, and the fourth connection information includes fourth signature information.
  • the second device is configured to receive the fourth message sent by the third device, and according to the fourth signature information carried by the fourth message, and the second signature verification key, determining whether the third device is legal, and the second signature verification is confidential.
  • the second device is sent to the second device.
  • the first signature generation key and the first signature verification key are asymmetric keys
  • the first signature generation key is a corresponding private key
  • the first signature verification key is corresponding.
  • the device provided by the embodiment of the present invention, when the first device has configured the second device, first configuring the device to send the first signature verification key and the first network key to the third device, the first signature verification key and the first A network key is generated by the first device and sent to the configuration device, and then the second device sends a first message carrying the first connection information to the third device, where the first connection information includes the first signature information and the peer network key.
  • the third device determines whether the peer network key is legal according to the first network key. If the peer network key is legal, the third device determines whether the second device is legal according to the first signature information.
  • the second device is configured according to the second device out-of-band key, and the second device has an out-of-band key, compared with the configuration of the first device and the second device by using the configuration device. Obtained by the outband communication between the configuration device and the second device, and the configuration device sends the first signature verification key and the first network key to the third device, and the second device sends the first connection information to the third device, Determining, by the third device, whether the peer network key in the first connection information is legal according to the first network key, and determining, according to the first signature verification key, whether the first signature information in the first connection information is legal, thereby can
  • the second device configured by the first device is configured to the third device, that is, the third device is configured to configure the second device, thereby improving the success rate of the device for configuration.
  • the embodiment of the present invention further provides a device, where the device is a third device, and the third device is located in a configuration system, where the configuration system includes a first device, a second device, a configuration device, and a third device.
  • Configure in-band communication between the device and the first device configure out-of-band communication between the device and the second device, and configure in-band communication between the device and the third device.
  • the second device is configured on the first device.
  • the third device includes: a receiver 121, a processor 122, and a transmitter 123.
  • the receiver 121 is configured to receive a first signature verification key and a first network key that are sent by the configuration device.
  • the first signature verification key is generated by the first device and sent to the configuration device, where the first signature verification key is used to decrypt the information signed by the first device, and the first network key is generated by the first device and sent to the first device.
  • the device is configured, and the first network key is used by the second device to generate a shared key.
  • the receiver 121 is further configured to receive the first message sent by the second device.
  • the first message carries the first connection information, where the first connection information includes the first signature information and the peer network key, and the first signature information is used by the first device to generate the second network key by using the first signature generation key.
  • the signature is obtained, the first signature generation key is generated by the first device, the first signature generation key is used for signing by the first device, and the first signature generation key and the first signature verification key correspond to each other, and the second network The key is generated by the second device, and the second network key is used by the first device or the third device to generate the shared key.
  • the processor 122 is configured to determine, according to the first network key received by the receiver 121, whether the peer network key is legal.
  • processor 122 in the third device may be one or more.
  • the embodiment of the present invention is described by using one example. Other embodiments may be understood by referring to the following.
  • the processor 122 is further configured to receive, according to the receiver 121, when the peer network key is legal.
  • a signature information determines whether the second device is legitimate.
  • the processor 122 is specifically configured to determine whether the peer network key is a trusted network key.
  • the trusted network key includes a first network key.
  • the first connection information received by the receiver 121 further includes a second network key.
  • the processor 122 is further configured to decrypt the first signature information by using the first signature verification key to obtain a decryption result.
  • the processor 122 is further configured to compare the decrypted decrypted result with the second network key.
  • the processor 122 is configured to determine that the second device is legal when the decryption result matches the second network key.
  • the processor 122 is further configured to generate a third shared key according to at least the second network key received by the receiver 121.
  • the third shared key is a pre-key for performing handshake authentication between the third device and the second device.
  • the processor 122 specifically includes: according to the Diffie Hermann DH key generation algorithm, generating a DH shared key according to the private key corresponding to the fourth network key, and the second network key, and sharing the key by the DH, or The key derived from the DH shared key is used as the third shared key, and the fourth network key is used by the second device to generate the shared secret. or,
  • the processor 122 specifically includes a Dieffie Herman ECDH key generation algorithm based on an elliptic curve cryptosystem, generating an ECDH shared key according to a private key corresponding to the fourth network key, and a second network key, and The ECDH shared key or the key derived from the ECDH shared key is used as the third shared key.
  • the processor 122 is further configured to generate a fourth network key, where the fourth network key is used by the second device to generate the shared key.
  • the transmitter 123 is configured to send the fourth network key generated by the processor 122 to the configuration device.
  • the receiver 121 is further configured to receive fourth connection information sent by the configuration device.
  • the fourth connection information includes fourth signature information and a fourth network key, and the fourth signature information
  • the configuration device uses the second signature generation key to sign the fourth network key, the second signature generation key and the second signature verification key are generated by the configuration device, and the second signature generation key is used to configure the device.
  • the signature, the second signature verification key is used to decrypt the information signed by the configuration device, and the second signature generation key and the second signature verification key correspond to each other.
  • the second signature generation key and the second signature verification key are asymmetric keys
  • the second signature generation key is a corresponding private key
  • the second signature verification key is corresponding.
  • the transmitter 123 is further configured to send a fourth message to the second device.
  • the fourth message carries fourth connection information, and the fourth connection information includes fourth signature information.
  • the second device is configured to receive the fourth message sent by the third device, and according to the fourth signature information carried by the fourth message, and the second signature verification key, determining whether the third device is legal, and the second signature verification is confidential.
  • the second device is sent to the second device.
  • the first signature generation key and the first signature verification key are asymmetric keys
  • the first signature generation key is a corresponding private key
  • the first signature verification key is corresponding.
  • the device provided by the embodiment of the present invention is specifically a third device.
  • the device first sends the first signature verification key and the first network key to the third device, and the first signature is verified.
  • the key and the first network key are generated by the first device and sent to the configuration device, and then the second device sends the first message carrying the first connection information to the third device, where the first connection information includes the first signature information and the pair
  • the network device determines whether the peer network key is legal according to the first network key. If the peer network key is legal, the third device determines whether the second device is legal according to the first signature information.
  • the second device is configured according to the second device out-of-band key, and the second device has an out-of-band key, compared with the configuration of the first device and the second device by using the configuration device.
  • the configuration device sends the first signature verification key and the first network key to the third device, and the second device sends the first connection information to the third device, so that the third device can be implemented according to the third device.
  • the configured second device is configured to the third device, that is, the third device is configured to configure the second device, thereby improving the success rate of the device for configuration.
  • the configuration method, the configured device, and the device provided by the embodiments of the present invention may be applicable to configuring the device, but are not limited thereto.
  • the storage medium may be a magnetic disk, an optical disk, a read-only memory (ROM), or a random access memory (RAM).

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

La présente invention concerne un procédé de configuration, ainsi qu'un appareil et un dispositif de configuration qui se rapportent au domaine technique de l'information et peuvent améliorer le taux de réussite de configuration d'un dispositif. Le procédé comprend les opérations suivantes : premièrement, le dispositif de configuration réalise une communication hors bande avec un second dispositif, obtient une clé hors bande du second dispositif et transmet la clé hors bande du second dispositif à un premier dispositif pour générer, par le premier dispositif, une clé de chiffrement selon la clé hors bande du second dispositif ; ensuite, le premier dispositif transmet au second dispositif une première clé de vérification de signature chiffrée selon la clé de chiffrement, et reçoit une seconde clé de réseau envoyée par le second dispositif ; enfin, le premier dispositif génère une clé selon la première signature, signe la seconde clé de réseau, obtient les premières informations de signature, et transmet au second dispositif des premières informations de connexion chiffrées selon la clé de chiffrement, les premières informations de connexion comprenant les premières informations de signature et la seconde clé de réseau. La présente invention peut s'appliquer à la configuration de dispositifs.
PCT/CN2014/088018 2014-09-30 2014-09-30 Procédé de configuration, appareil et dispositif de configuration WO2016049895A1 (fr)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201480080297.5A CN106471831B (zh) 2014-09-30 2014-09-30 配置的方法、配置的装置及设备
PCT/CN2014/088018 WO2016049895A1 (fr) 2014-09-30 2014-09-30 Procédé de configuration, appareil et dispositif de configuration

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2014/088018 WO2016049895A1 (fr) 2014-09-30 2014-09-30 Procédé de configuration, appareil et dispositif de configuration

Publications (1)

Publication Number Publication Date
WO2016049895A1 true WO2016049895A1 (fr) 2016-04-07

Family

ID=55629322

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2014/088018 WO2016049895A1 (fr) 2014-09-30 2014-09-30 Procédé de configuration, appareil et dispositif de configuration

Country Status (2)

Country Link
CN (1) CN106471831B (fr)
WO (1) WO2016049895A1 (fr)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2018076240A1 (fr) * 2016-10-27 2018-05-03 Silicon Laboratories Inc. Utilisation d'un réseau pour mettre en service un second réseau
CN111835508A (zh) * 2019-04-23 2020-10-27 深圳市汇顶科技股份有限公司 一种密钥分配部署方法和系统
US20210374736A1 (en) * 2018-01-02 2021-12-02 Laurence Hamid Wireless based methods and systems for federated key management, asset management, and financial transactions

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110650057B (zh) * 2019-09-29 2022-03-11 武汉迈威通信股份有限公司 一种通过便携移动终端配置设备的方法及系统
CN111339545B (zh) * 2020-03-20 2024-03-19 苏州链原信息科技有限公司 用于生成数据标签的方法、电子设备及计算机存储介质
CN112601218B (zh) * 2020-12-31 2022-12-02 青岛海尔科技有限公司 无线网络配置方法和装置

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101366259A (zh) * 2005-12-30 2009-02-11 英特尔公司 用于装置在引入连网环境时的自动配置的方法、设备和制品
CN103813318A (zh) * 2012-11-09 2014-05-21 华为终端有限公司 一种信息配置方法、设备及系统
US20140281522A1 (en) * 2013-03-13 2014-09-18 Xerox Corporation Method and apparatus for establishing a secure communication link between a mobile endpoint device and a networked device

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI501580B (zh) * 2009-08-07 2015-09-21 Dolby Int Ab 資料串流的鑑別
US8856534B2 (en) * 2010-05-21 2014-10-07 Intel Corporation Method and apparatus for secure scan of data storage device from remote server
CN101873588B (zh) * 2010-05-27 2013-11-20 大唐微电子技术有限公司 一种业务应用安全实现方法及系统
US8462734B2 (en) * 2010-10-20 2013-06-11 Nokia Corporation Wireless docking with out-of-band initiation

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101366259A (zh) * 2005-12-30 2009-02-11 英特尔公司 用于装置在引入连网环境时的自动配置的方法、设备和制品
CN103813318A (zh) * 2012-11-09 2014-05-21 华为终端有限公司 一种信息配置方法、设备及系统
US20140281522A1 (en) * 2013-03-13 2014-09-18 Xerox Corporation Method and apparatus for establishing a secure communication link between a mobile endpoint device and a networked device

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2018076240A1 (fr) * 2016-10-27 2018-05-03 Silicon Laboratories Inc. Utilisation d'un réseau pour mettre en service un second réseau
US11012898B2 (en) 2016-10-27 2021-05-18 Silicon Laboratories, Inc. Use of a network to commission a second network
US20210374736A1 (en) * 2018-01-02 2021-12-02 Laurence Hamid Wireless based methods and systems for federated key management, asset management, and financial transactions
CN111835508A (zh) * 2019-04-23 2020-10-27 深圳市汇顶科技股份有限公司 一种密钥分配部署方法和系统
CN111835508B (zh) * 2019-04-23 2023-02-28 深圳市汇顶科技股份有限公司 一种密钥分配部署方法和系统

Also Published As

Publication number Publication date
CN106471831B (zh) 2019-11-29
CN106471831A (zh) 2017-03-01

Similar Documents

Publication Publication Date Title
JP7389103B2 (ja) 追跡に対するプライバシーを維持しながら無線セキュアリンクを確立する方法および装置
US10129031B2 (en) End-to-end service layer authentication
US10003966B2 (en) Key configuration method and apparatus
US8504833B2 (en) Relay device, wireless communications device, network system, program storage medium, and method
WO2016049895A1 (fr) Procédé de configuration, appareil et dispositif de configuration
US9668230B2 (en) Security integration between a wireless and a wired network using a wireless gateway proxy
CN112740733B (zh) 一种安全接入方法及装置
EP3427435A1 (fr) Procédés et appareils d'authentification de dispositif sécurisée
WO2014180352A1 (fr) Procede, dispositif et systeme pour configurer un dispositif sans fil
CN109905348B (zh) 端到端认证及密钥协商方法、装置及系统
CN110087240B (zh) 基于wpa2-psk模式的无线网络安全数据传输方法及系统
CN110022320B (zh) 一种通信配对方法及通信装置
WO2015100676A1 (fr) Procédé de connexion sécurisée pour dispositif de réseau, et dispositif et système connexes
EP3570487B1 (fr) Procédé, dispositif et système de génération de clé privée
CN103002442A (zh) 无线局域网密钥安全分发方法
WO2015100675A1 (fr) Procédé de configuration de réseau, et dispositif et système associés
US20190356478A1 (en) Secure systems and methods for resolving audio device identity using remote application
CN105407109A (zh) 一种蓝牙设备间数据安全传输方法
Yüksel et al. Zigbee-2007 security essentials
CN105025472A (zh) 一种wifi接入点加密隐藏及发现的方法及其系统
CN107682152B (zh) 一种基于对称密码的群组密钥协商方法
WO2018126783A1 (fr) Procédé, dispositif et support de stockage informatique de transmission de clé
CN114070570A (zh) 一种电力物联网的安全通信方法
CN110636502A (zh) 一种无线加密通信方法和系统
Berchtold et al. Secure communication protocol for a low-bandwidth audio channel

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 14903227

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 14903227

Country of ref document: EP

Kind code of ref document: A1