WO2018157782A1 - Method and apparatus for processing credential information for network connection, and application (app) - Google Patents

Method and apparatus for processing credential information for network connection, and application (app)


Publication number
WO2018157782A1
Authority
WO
WIPO (PCT)
Prior art keywords
terminal
certificate
module
certificate data
network
Application number
PCT/CN2018/077364
Other languages
English (en)
Chinese (zh)
Inventor
田玉存
张伟
童伟刚
颜湘
Original Assignee
西安西电捷通无线网络通信股份有限公司
Priority claimed from CN201710150249.4A (CN108696868B)
Application filed by 西安西电捷通无线网络通信股份有限公司
Priority to KR1020197021587A (KR102200936B1)
Priority to JP2019560452A (JP6917474B2)
Priority to US16/482,475 (US11751052B2)
Priority to EP18761355.9A (EP3592017B1)
Publication of WO2018157782A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/06 Authentication
    • H04W 12/069 Authentication using certificates or pre-shared keys
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 84/00 Network topologies
    • H04W 84/02 Hierarchically pre-organised networks, e.g. paging networks, cellular networks, WLAN [Wireless Local Area Network] or WLL [Wireless Local Loop]
    • H04W 84/10 Small scale networks; Flat hierarchical networks
    • H04W 84/12 WLAN [Wireless Local Area Networks]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 48/00 Access restriction; Network selection; Access point selection
    • H04W 48/16 Discovering, processing access restriction or access information

Definitions

  • The present invention relates to the field of communications technologies, and in particular to a method, an apparatus, and an application (APP) for processing credential information for network connection.
  • When a terminal accesses a wireless network, it is usually required to provide networking credential information to the wireless network, and the terminal is allowed access only after the credential information is verified.
  • For example, the terminal can use the network name and connection password of the wireless network, entered by the user, to request a connection to the wireless network corresponding to that network name; after the connection password is verified, the terminal is allowed to access the wireless network. A WIFI (Wireless Fidelity) network is the typical case.
  • To make this possible, the wireless network provider needs to announce the credential information for connecting to the wireless network to the user of the terminal, and the user of the terminal needs to manually input that credential information on the terminal.
  • For example, user X provides a wireless network in the home, that is, user X is a wireless network provider. User Y manually inputs the connection password to connect to that network, and when the connection password is too complicated or lengthy, it is not only inconvenient for user Y to remember but also cumbersome to input. It can be seen that, on the one hand, user operation is inconvenient when connecting a terminal to a wireless network; on the other hand, the credential information of the wireless network is publicly announced, which may lead to security risks.
  • The technical problem to be solved by the present invention is to provide a method, a device and an application (APP) for processing credential information for network connection, so that a terminal can obtain the credential information of a wireless network and use it to connect without manual input by the user.
  • This not only simplifies and facilitates the user's networking operations, but also avoids the disclosure of the networking credential information, improving the security of users who use wireless networks.
  • An embodiment of the present invention provides a method for processing credential information for a network connection, where the method includes:
  • the first terminal sends a first credential download request to the server in response to an instruction to apply for a networking credential for the second terminal, where the first credential download request carries the user identity information of the first terminal, and the user identity information is used by the server to perform user identity verification on the first terminal;
  • the second terminal receives, directly from the first terminal's system memory, the first credential information and the network identifier of the wireless network to be connected;
  • the second terminal stores the received first credential information directly from the second terminal's system memory into a secure storage area of the second terminal;
  • the second terminal connects to the wireless network corresponding to the network identifier by using the first credential information in the secure storage area.
  • An embodiment of the present invention also provides a device for processing credential information for a network connection, configured in a first terminal, where the device includes an application module;
  • the application module is configured to send a first credential download request to the server in response to an instruction to apply for a networking credential for the second terminal, to receive the first credential information sent by the server when the user identity verification succeeds, and to send the first credential information and the network identifier of the wireless network to be connected directly from the first terminal's system memory to the second terminal; or
  • the application module is configured to send a second credential download request to the server in response to an instruction to apply for a networking credential for the first terminal, and to receive the second credential information sent by the server when the user identity verification succeeds;
  • the first credential download request or the second credential download request carries the user identity information of the first terminal, where the user identity information is used by the server to perform user identity verification on the first terminal;
  • the first credential information is used by the second terminal to connect to the wireless network corresponding to the network identifier, and the second credential information is used by the first terminal to connect to a wireless network.
  • An embodiment of the present invention also provides a device for processing credential information for a network connection, configured in a second terminal, where the device includes an application module, a storage module, and a network connection module;
  • the application module is configured to receive the first credential information sent by the first terminal and the network identifier of the wireless network to be connected, where the first credential information is downloaded from the server by the first terminal in response to an instruction to apply for a networking credential for the second terminal and is then sent to the second terminal;
  • the storage module is configured to store the first credential information directly from the second terminal's system memory into a secure storage area of the second terminal;
  • the network connection module is configured to connect to the wireless network corresponding to the network identifier by using the first credential information in the secure storage area.
  • An embodiment of the present invention further provides an application (APP) configured in a first terminal, where the APP includes an application module;
  • the application module is configured to send a first credential download request to the server in response to an instruction to apply for a networking credential for the second terminal, to receive the first credential information sent by the server when the user identity verification succeeds, and to send the first credential information and the network identifier of the wireless network to be connected directly from the first terminal's system memory to the second terminal; or
  • the application module is configured to send a second credential download request to the server in response to an instruction to apply for a networking credential for the first terminal, and to receive the second credential information sent by the server when the user identity verification succeeds;
  • the first credential download request or the second credential download request carries the user identity information of the first terminal, where the user identity information is used by the server to perform user identity verification on the first terminal;
  • the first credential information is used by the second terminal to connect to the wireless network corresponding to the network identifier, and the second credential information is used by the first terminal to connect to a wireless network.
  • An embodiment of the present invention further provides an application (APP) configured in a second terminal, where the APP includes an application module;
  • the application module is configured to receive the first credential information sent by the first terminal and the network identifier of the wireless network to be connected, where the first credential information is downloaded from the server by the first terminal in response to an instruction to apply for a networking credential for the second terminal and is then sent to the second terminal;
  • the application module is further configured to invoke the storage module of the second terminal to store the first credential information directly from the second terminal's system memory into a secure storage area of the second terminal;
  • the application module is further configured to invoke the network connection module of the second terminal to connect to the wireless network corresponding to the network identifier by using the first credential information stored in the secure storage area.
  • The present invention has the following advantages:
  • the first terminal, which holds the credential application right for the wireless network, may request the server to download the credential information for connecting to the wireless network, and send that credential information together with the network identifier of the wireless network to the second terminal;
  • the second terminal may thus obtain the networking credential information and the network identifier of the wireless network without manual input, and use the credential information to connect to the wireless network corresponding to the network identifier.
  • FIG. 1 is a schematic diagram of an exemplary application scenario in an embodiment of the present invention.
  • FIG. 2 is a schematic flowchart of a method for processing credential information for network connection according to an embodiment of the present invention.
  • FIG. 3 is a schematic structural diagram of a device for processing credential information for network connection according to an embodiment of the present invention.
  • FIG. 4 is a schematic structural diagram of a device for processing credential information for network connection according to an embodiment of the present invention.
  • FIG. 5 is a schematic structural diagram of a device for processing credential information for network connection according to an embodiment of the present invention.
  • FIG. 6 is a schematic structural diagram of a device for processing credential information for network connection according to an embodiment of the present invention.
  • FIG. 7 is a schematic structural diagram of a device for processing credential information for network connection according to an embodiment of the present invention.
  • Conventionally, the wireless network provider needs to inform the user of the terminal of the credential information for connecting to the wireless network, and the user of the terminal then manually inputs or installs the credential information on the terminal to connect the terminal to the wireless network.
  • On the one hand, the user needs to memorize the credential information (such as a password) used to connect to the wireless network and manually input it in the wireless network connection interface of the terminal, which makes the user operation cumbersome; on the other hand, the wireless network provider needs to announce the networking credential information to the other users who connect their terminals to the wireless network, and the credential information is easily leaked when it is published.
  • If the credential information is obtained by a malicious user, that user may attack the wireless network, so there are hidden dangers to the security of the wireless network.
  • In the embodiments of the present invention, the wireless network provider uses the first terminal, which holds the credential application right for the wireless network: the user identity information provided by the first terminal can be verified by the server, so the networking credential information can be downloaded from the server.
  • The wireless network provider can use the first terminal to request the server to download the networking credential information, and then send the network identifier of the wireless network together with the networking credential information to the second terminal, so that the second terminal obtains the network identifier and the credential information of the wireless network without manual input and uses the credential information to connect to the wireless network corresponding to the network identifier.
  • In this way the network connection operation is simplified, and the wireless network provider does not need to disclose the credential information to the user of the second terminal.
  • Since the networking credential information no longer has to be announced, the possibility that a malicious user obtains the credential information through leakage and attacks the wireless network is reduced, thereby improving the security of the wireless network.
  • FIG. 1 is a schematic diagram of an exemplary application scenario in an embodiment of the present invention.
  • In this scenario, the first terminal 110 can interact with the server 130 through a wireless access point AP (also referred to as a wireless router), and the first terminal 110 can interact with the second terminal 120.
  • The first terminal 110 may include, for example, an application module 111, a certificate management module 112, a storage module 113, and a network connection module 114.
  • The second terminal 120 may include, for example, an application module 121, a certificate management module 122, a storage module 123, and a network connection module 124.
  • In one implementation, the first terminal 110 may include only the application module 111, and the application module 111 may send the first credential download request to the server in response to an instruction to apply for a networking credential for another terminal (the second terminal 120 in the embodiment of the present invention); the instruction to apply for the networking credential for the other terminal may be generated by the first terminal 110, or may be generated by the second terminal 120 and sent to the first terminal 110 by the application module 121.
  • The first credential download request carries the user identity information provided by the first terminal 110.
  • The server 130 may perform user identity verification on the first terminal 110 according to the user identity information, and send the first credential information to the first terminal 110 if the user identity verification of the first terminal 110 succeeds.
  • The first terminal 110 may receive the first credential information through the application module 111, and send the first credential information and the network identifier of the wireless network to be connected to the second terminal 120.
  • Correspondingly, the second terminal 120 may include only the application module 121, the storage module 123, and the network connection module 124.
  • The second terminal 120 receives the first credential information and the network identifier through the application module 121, stores the first credential information in the secure storage area of the second terminal 120, and connects to the wireless network corresponding to the network identifier through the network connection module 124 by using the first credential information stored in the secure storage area of the second terminal 120.
  • The network identifier may be manually input by the wireless network provider on the sending interface on which the first terminal 110 sends the first credential information to the second terminal 120, or it may be generated by default by the first terminal 110 on that sending interface.
  • The sending interface is displayed on the first terminal 110.
  • The application module 111 of the first terminal 110 may further send a second credential download request to the server in response to an instruction to apply for a networking credential for the terminal itself (the first terminal, in the embodiment of the present invention), where the second credential download request carries the user identity information provided by the first terminal 110.
  • In this case the first terminal 110 includes a storage module 113 and a network connection module 114 in addition to the application module 111.
  • The server 130 performs user identity verification on the first terminal 110 according to the user identity information, and sends the second credential information to the first terminal 110 if the user identity verification of the first terminal 110 succeeds.
  • The first terminal 110 receives the second credential information through the application module 111, stores the second credential information in the secure storage area of the first terminal 110 through the storage module 113, and connects to the wireless network through the network connection module 114 by using the second credential information in the secure storage area of the first terminal 110.
  • The credential information used to connect to the wireless network may be a network connection password, which is generally applicable to the WIFI network environment and may also be applicable to a WAPI pre-shared key type network environment.
  • In this way the network provider does not need to disclose the networking credential information (such as the network connection password) to the user of the second terminal, which avoids leaking the credential information and endangering the security of the wireless network; and the user can complete the network connection without manually inputting the networking credential information (such as the network connection password) on the second terminal, which improves the convenience of connecting the terminal to the network.
  • The second terminal 120 may further include a certificate management module 122 in addition to the application module 121, the storage module 123, and the network connection module 124.
  • The certificate management module 122 may be configured to, before the first credential information is stored in the secure storage area of the second terminal 120, perform naming processing on the certificate data according to the certificate identifier set for the certificate data, and invoke the storage module 123 to store the named certificate data in the secure storage area of the second terminal 120.
  • Similarly, the first terminal 110 may further include a certificate management module 112 in addition to the application module 111, the storage module 113, and the network connection module 114.
  • The certificate management module 112 may be configured to perform naming processing on the certificate data according to the certificate identifier set for the certificate data before the second credential information is stored in the secure storage area of the first terminal 110, and to call the storage module 113 to store the named certificate data in the secure storage area of the first terminal 110.
  • In the first terminal 110, the application module 111 generally runs at the application layer, while the certificate management module 112, the storage module 113, and the network connection module 114 operate at the system layer.
  • In the second terminal 120, the application module 121 typically runs at the application layer, while the certificate management module 122, the storage module 123, and the network connection module 124 operate at the system layer. Whether it is the application module 111 or the application module 121, it may be built into the terminal when the terminal leaves the factory, or may be obtained by the user from outside and installed in the terminal after the terminal leaves the factory.
  • That is, the application module 111 or the application module 121 can run in the terminal as a third-party application (APP); the third-party APP including the application module 111 or the application module 121 can be installed on the terminal so that the terminal can perform the networking operation.
  • The application module 111 and the application module 121 can also run at the system layer, in which case they are built into the terminal when the terminal leaves the factory.
  • A module running at the application layer can be obtained by the user from outside and installed on the terminal, or can be uninstalled by the user from the terminal; a module running at the system layer is built into the terminal system and cannot be uninstalled by the user. Moreover, the modules running at the system layer may each have different operating rights.
  • Referring to FIG. 2, a flowchart of a method for processing credential information for network connection in an embodiment of the present invention is shown. The method includes the following steps.
  • The first terminal sends a first credential download request to the server in response to an instruction to apply for a networking credential for the second terminal.
  • The first credential download request carries the user identity information of the first terminal, and the user identity information is used by the server to perform user identity verification on the first terminal.
  • In an example, the credential download interface provided by the first terminal includes two operation options: "apply for a networking credential for this terminal" and "apply for a networking credential for other terminals".
  • The wireless network provider can select the option "apply for a networking credential for other terminals" on the credential download interface, thereby triggering an instruction to apply for a networking credential for another terminal, which is referred to as the second terminal in the embodiment of the present invention.
  • Exemplarily, after selecting the option "apply for a networking credential for other terminals" on the credential download interface, the wireless network provider can input a user name and password as the user identity information of the first terminal, and can also input the Internet Protocol (IP) address and port number of the server.
  • The first terminal generates the first credential download request carrying the user identity information based on the operation of the wireless network provider on the credential download interface, and transmits the request to the server.
  • The server may obtain the user identity information and perform user identity verification on the first terminal according to the user identity information in response to the first credential download request.
  • The server may verify the user identity of the first terminal by, for example, checking whether the user name and password are legal and match; if the user name and password are legal and match, the user identity verification of the first terminal succeeds.
  • In step 202, the first terminal receives the first credential information sent by the server when the user identity verification of the first terminal succeeds.
  • If the user identity verification of the first terminal succeeds, the server may generate or acquire the first credential information (for example, obtain it from a certificate issuing server) and send it to the first terminal, so that the first terminal receives the first credential information sent by the server.
  • In other words, successful verification of the user identity information of the first terminal may serve as the basis on which the server generates or obtains the first credential information.
  • Optionally, the first credential information may be encrypted during transmission between the first terminal and the server.
  • In that case, step 202 may include: the first terminal receives the first encrypted information sent by the server when the user identity verification of the first terminal succeeds, and the first terminal decrypts the first encrypted information to obtain the first credential information.
  • The first encrypted information is obtained by the server encrypting the first credential information.
  • The encryption of the first credential information may be performed by any feasible encryption method, which is not limited in this embodiment.
  • Conventionally, when a terminal receives a certificate or a file, the certificate or file is stored in the terminal, and when it needs to be sent to another terminal, the terminal retrieves the certificate or file from the local storage location and sends it.
  • In the embodiment of the present invention, the first terminal may instead send the first credential information directly from the system memory of the first terminal to the second terminal, without storing it in any other storage location within the first terminal.
  • If the first credential information were temporarily stored in a conventional storage location in the first terminal, it could be read or copied by an insecure application on the first terminal; by sending the first credential information directly from the system memory of the first terminal, an insecure application on the first terminal is prevented from reading or copying it, so the security of the first credential information is better protected.
  • The second terminal receives the first credential information sent directly by the first terminal from the first terminal's system memory, together with the network identifier of the wireless network to be connected.
  • In an example, the first terminal may prompt the wireless network provider through a credential sending interface.
  • The wireless network provider may trigger, on the credential sending interface provided by the first terminal, a sending instruction carrying the network identifier and the first credential information.
  • The first terminal sends the network identifier and the first credential information to the second terminal in response to the sending instruction.
  • The network identifier of the wireless network may be obtained by the first terminal from a default setting and presented on the credential sending interface, or it may be manually input by the wireless network provider on the credential sending interface.
  • Because the wireless network provider sends the network identifier of the wireless network to the second terminal together with the first credential information by using the first terminal, the second terminal can directly and automatically connect to the wireless network when using the first credential information.
  • The user of the second terminal therefore does not need to manually select the wireless network corresponding to the network identifier from the plurality of wireless network names shown on the second terminal (for example, in the "Settings" of the second terminal) before performing the wireless network connection.
  • The network identifier of the wireless network may be the display name of the wireless network, for example the Service Set Identifier (SSID) of the wireless network.
  • The first terminal may send the first credential information to the second terminal by using a point-to-point wireless communication technology, without a network connection.
  • For example, the first terminal may send the first credential information to the second terminal by using near field communication (NFC) technology, and the second terminal may correspondingly receive the first credential information sent by the first terminal by using NFC technology.
  • When the first credential information is transmitted by NFC, the first terminal and the second terminal only need to be brought close to each other to transmit the first credential information.
  • The first credential information may also be sent between the first terminal and the second terminal by using other point-to-point wireless communication technologies, such as Bluetooth technology.
  • However, Bluetooth transmission requires searching for and configuring the connection between the terminals in advance, and the credential information can be sent only after the connection succeeds, whereas NFC technology only requires the terminals to be close to each other. NFC is therefore more convenient for transmitting the credential information.
  • Moreover, when NFC technology is used, the distance between the terminal devices is very short, so the transmission of the credential information is not easily intercepted from outside and the transmission process is relatively safe.
  • Therefore, using NFC technology to transmit the credential information between the terminals is a preferred solution.
  • The embodiment of the present invention does not, however, limit the manner of transmitting the credential information; other point-to-point wireless communication technologies, such as Bluetooth technology, may also be used.
  • The second terminal directly stores the received first credential information from the second terminal's system memory into a secure storage area of the second terminal.
  • Conventionally, when a terminal receives a certificate or a file, the certificate or file is first stored in the terminal, and when it needs to be sent to other terminals, the terminal retrieves it from the local storage location and sends it.
  • In this embodiment the second terminal may instead store the first credential information from the system memory of the second terminal directly into the secure storage area of the second terminal, without temporarily storing it in other conventional storage locations within the second terminal.
  • If the first credential information were temporarily stored in a conventional storage location in the second terminal, it could be read or copied by an unsecure application on the second terminal. Storing it directly from the second terminal's system memory into the secure storage area prevents an unsecure application on the second terminal from reading or copying it, so the security of the first credential information is better protected.
  • The secure storage area may differ from conventional hard disk storage; it may be a separate storage area in the terminal.
  • Credential information is not stored in the secure storage area in the form of a file but only in the form of data. A file management tool with a file scanning function (for example, the RE file manager or the ES file browser) therefore cannot view the credential information by scanning, so the data stored in the area is invisible to the user and cannot be copied.
  • The storage area can only be accessed through a specific interface provided by the system; no general storage-related API can access it.
  • The secure storage area in which the credential information is stored in the terminal is thus more secure than conventional hard disk storage.
  • The secure storage area may also be implemented by a non-hardware Android system keystore, a Windows system storage area, a hardware security chip, or the like. Since the first credential information is stored in the secure storage area, it is not scanned by the file management tool and cannot be accessed by APIs related to file operations, which prevents the first credential information from being leaked on the second terminal and better protects its security. It should be noted that the secure storage area described above does not refer only to the secure storage area of the second terminal; the secure storage area of the first terminal has the same function.
  • The first credential information may be encrypted and then stored in the secure storage area.
  • When the second terminal reads the encrypted first credential information from the secure storage area, it must first decrypt it and then use the decrypted first credential information to connect to the wireless network.
  • The second terminal connects to the wireless network corresponding to the network identifier by using the first credential information in the secure storage area.
  • Specifically, the second terminal may determine the wireless network corresponding to the network identifier and send a connection request to the access point of that wireless network, so as to be connected to the wireless network through its access point.
  • The wireless network mentioned here may use any feasible wireless communication technology.
  • Wireless networks using different wireless communication technologies correspond to different kinds of credential information, so there are many possible types of credential information in this embodiment.
  • If the wireless network uses the Wireless LAN Authentication and Privacy Infrastructure (WAPI) mode, the first credential information may be WAPI certificate data.
  • If the wireless network uses the WiFi mode and the encryption mode is WPA/WPA2-PSK, the first credential information may be a password.
  • The first credential information may also include CA certificate data and other credential parameters, where the other credential parameters include, for example, a specific EAP method (e.g., PEAP, TLS, TTLS, PWD), Phase 2 authentication (e.g., MSCHAPV2, GTC), identity, anonymous identity, password, etc.
  • The manner in which the first credential information is processed when connecting to the wireless network may differ depending on its type.
  • The second terminal may store the credential information itself and use the stored credential information to connect to the wireless network, or the second terminal may directly use the credential information itself to connect to the wireless network.
  • If the first credential information includes certificate data, the second terminal may install the certificate, that is, store the certificate data, and connect to the wireless network using the certificate data.
  • Specifically, when the first credential information includes certificate data, before the first credential information is stored in the secure storage area of the second terminal in step 204, the second terminal may perform naming processing on the certificate data based on a certificate identifier set for the certificate data.
  • The storing manner of step 204 is then specifically: storing the certificate data subjected to the naming process in the secure storage area of the second terminal.
  • The method of step 205 is then specifically: connecting to the wireless network corresponding to the network identifier by using the certificate data in the secure storage area.
  • The certificate data may be WAPI certificate data, corresponding to the WAPI network connection mode, or WiFi certificate data, corresponding to the WiFi network connection mode.
  • A certificate used to connect to a wireless network is usually a set of certificates containing multiple pieces of certificate data. For example, the WAPI certificate data used for networking refers to a set of WAPI certificate data.
  • A set of WAPI certificate data in the embodiment of the present invention includes user certificate data, issuer certificate data, and the user private key.
  • The second terminal can name the WAPI certificate data, that is, set a certificate name, also called a certificate identifier, for the WAPI certificate data, such that the user certificate data, the issuer certificate data, and the user private key in the set all contain the same certificate identifier.
  • For example, when a set of WAPI certificate data for networking is named, the user certificate data may be named "WAPI_USRCERT_NAME1", the issuer certificate data "WAPI_CACERT_NAME1", and the user private key "WAPI_USRPKEY_NAME1".
  • The names of the three pieces of certificate data in the set all include the certificate identifier "NAME1". Therefore, when searching for WAPI certificate data, the second terminal only needs to find the certificate identifier "NAME1" to obtain a complete set of WAPI certificate data.
  • The certificate identifier may be set by the user: the user can input the certificate identifier on the certificate naming interface provided by the second terminal and trigger the installation of the certificate, and the second terminal names the certificate data according to the input certificate identifier.
  • Alternatively, the certificate identifier may be automatically assigned or generated by the second terminal. Specifically, when the certificate needs to be installed, the second terminal may display the automatically assigned or generated certificate identifier to the user, name the certificate data according to it, and automatically trigger the installation of the certificate.
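The naming scheme and identifier-based lookup described above, as an added example written for this page rather than code from the patent or its assignee. It models the secure storage area as named data entries in Python instead of an Android keystore; the CertificateStore class, the identifier syntax, the NAME1/NAME2 default-identifier generator and the sample certificate bytes are all assumptions.

```python
"""Three-part WAPI certificate sets named with one shared certificate identifier.

Added example, not the patent's code.  The store keeps named data entries
(no files), names all three parts WAPI_USRCERT_<id>, WAPI_CACERT_<id>,
WAPI_USRPKEY_<id>, and finds a complete set from the identifier alone.
"""
import itertools
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Name prefix for each of the three parts of one WAPI certificate set.
PART_PREFIXES = {
    "user_cert": "WAPI_USRCERT_",
    "issuer_cert": "WAPI_CACERT_",
    "user_private_key": "WAPI_USRPKEY_",
}
# Assumed identifier syntax; the text does not constrain it.
_ID_PATTERN = re.compile(r"^[A-Za-z0-9_-]{1,32}$")


@dataclass(frozen=True)
class WapiCertSet:
    user_cert: bytes
    issuer_cert: bytes
    user_private_key: bytes


class CertificateStore:
    """Models the secure storage area: named data entries, not files (assumed class)."""

    def __init__(self) -> None:
        self._entries: Dict[str, bytes] = {}
        self._auto = itertools.count(1)

    def names(self) -> List[str]:
        """Entry names exactly as stored, e.g. WAPI_USRCERT_NAME1."""
        return sorted(self._entries)

    def aliases(self) -> List[str]:
        """Enumerate certificate identifiers: one per complete three-part set."""
        found = set()
        for name in self._entries:
            for prefix in PART_PREFIXES.values():
                if name.startswith(prefix):
                    found.add(name[len(prefix):])
        return sorted(cid for cid in found if self.find(cid) is not None)

    def default_identifier(self) -> str:
        """Automatically generated identifier (NAME1, NAME2, ...) not yet in use."""
        while True:
            candidate = f"NAME{next(self._auto)}"
            if candidate not in self.aliases():
                return candidate

    def install(self, cert_set: WapiCertSet, cert_id: Optional[str] = None) -> str:
        """Name all three parts with the same identifier and store them; returns the id."""
        cert_id = cert_id or self.default_identifier()
        if not _ID_PATTERN.match(cert_id):
            raise ValueError("invalid certificate identifier")
        if cert_id in self.aliases():
            raise ValueError("certificate identifier already in use")
        for part, prefix in PART_PREFIXES.items():
            self._entries[prefix + cert_id] = getattr(cert_set, part)
        return cert_id

    def find(self, cert_id: str) -> Optional[WapiCertSet]:
        """Locate a complete set from the identifier alone; None if any part is missing."""
        parts = {}
        for part, prefix in PART_PREFIXES.items():
            blob = self._entries.get(prefix + cert_id)
            if blob is None:
                return None
            parts[part] = blob
        return WapiCertSet(**parts)

    def delete(self, cert_id: str) -> bool:
        """Remove every part of a set; False if the identifier is not installed."""
        if self.find(cert_id) is None:
            return False
        for prefix in PART_PREFIXES.values():
            self._entries.pop(prefix + cert_id, None)
        return True


if __name__ == "__main__":
    store = CertificateStore()
    # Constructed sample data standing in for real certificate bytes.
    store.install(WapiCertSet(b"user-cert-1", b"issuer-cert-1", b"private-key-1"), "NAME1")
    print(store.names())            # the three WAPI_*_NAME1 entries
    print(store.find("NAME1"))      # the complete set, found by identifier only
```

Because the three parts are written under one identifier and `find` refuses to return a partial set, a caller that enumerates aliases never sees a half-installed certificate; `install` rejecting a duplicate identifier is the same check the naming interface performs before asking the user to re-edit.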
  • The second terminal may use the certificate data to connect to the wireless network in a manual connection mode, in which the user selects the certificate data, or in an automatic connection mode, in which the second terminal selects the certificate data itself.
  • In the manual connection mode, the certificate data to be used is found by the second terminal based on the certificate identifier manually selected by the user. The network connection mode of step 205 is then: the second terminal enumerates the certificate identifiers of all the certificate data in the secure storage area in response to the manual connection instruction, reads the corresponding certificate data based on the certificate identifier manually selected by the user, and connects to the wireless network using the read certificate data.
  • In the automatic connection mode, the certificate data to be used is found automatically by the second terminal. The network connection manner of step 205 is then: the second terminal queries the secure storage area for the certificate data for connecting to the wireless network in response to the automatic connection instruction, and connects to the wireless network using the queried certificate data.
  • When the second terminal itself queries the secure storage area for the certificate data used for networking, it first reads all the WAPI certificate data in the secure storage area and temporarily stores it in memory, and then associates with the external wireless access point (AP). After receiving the authentication activation packet, it obtains the identity field of the local ASU (Authentication Service Unit) from the packet, then traverses all the WAPI certificate data previously read, obtains the "holder name", "issuer name" and "serial number" from the issuer certificate data in each set of WAPI certificate data, and uses these three pieces of information to constitute the "identity" information of that set.
  • If the "identity" information of a set matches the identity field of the local ASU, that set of WAPI certificate data is used for the network connection.
  • Because the second terminal first reads the certificate data in the secure storage area and temporarily stores it in memory, traversing the certificate data from memory to obtain the "identity" information after the "local ASU identity" field has been obtained from the authentication activation packet greatly reduces the time spent, thereby avoiding failure of the authentication activation packet.
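The automatic selection step just described, as an added example that is not part of the patent: the sets already read into memory are traversed once per activation packet and the set whose issuer-certificate identity (holder name, issuer name, serial number) equals the local ASU identity field is chosen. The packet layout, the `local_asu` field encoding, the IssuerCert/WapiCertSet classes and the sample sets are constructed assumptions, not the WAPI wire format; a malformed identity field yields no selection rather than a guess.

```python
"""Automatic WAPI certificate-set selection by matching the local ASU identity.

Added example, not the patent's code.  The activation packet format below is a
constructed toy layout (';'-separated key=value fields, the 'local_asu' field
holding holder name, issuer name and serial number joined by '|'); real WAPI
packets are binary and would need a proper parser in its place.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

Identity = Tuple[str, str, str]  # (holder name, issuer name, serial number)


@dataclass(frozen=True)
class IssuerCert:
    """Issuer-certificate fields the text uses to build the identity (assumed parsed form)."""
    holder_name: str
    issuer_name: str
    serial_number: str


@dataclass(frozen=True)
class WapiCertSet:
    cert_id: str
    user_cert: bytes
    issuer_cert: IssuerCert
    user_private_key: bytes

    def identity(self) -> Identity:
        """The 'identity' information of this set, built from its issuer certificate."""
        ic = self.issuer_cert
        return (ic.holder_name, ic.issuer_name, ic.serial_number)


def parse_local_asu_identity(packet: bytes) -> Optional[Identity]:
    """Extract the local ASU identity field from a (constructed) activation packet."""
    try:
        text = packet.decode("utf-8")
    except UnicodeDecodeError:
        return None
    for field in text.split(";"):
        key, sep, value = field.partition("=")
        if sep and key.strip() == "local_asu":
            parts = value.split("|")
            if len(parts) != 3 or not all(parts):
                return None  # malformed field: refuse rather than guess
            return (parts[0], parts[1], parts[2])
    return None


def select_cert_set(packet: bytes, sets_in_memory: List[WapiCertSet]) -> Optional[WapiCertSet]:
    """Traverse the sets already loaded from secure storage; return the matching one."""
    target = parse_local_asu_identity(packet)
    if target is None:
        return None
    for cert_set in sets_in_memory:
        if cert_set.identity() == target:
            return cert_set
    return None


# Constructed sample data: two installed sets and three activation packets.
SETS_IN_MEMORY = [
    WapiCertSet("NAME1", b"user-1", IssuerCert("ASU-Campus", "CA-Campus", "1001"), b"key-1"),
    WapiCertSet("NAME2", b"user-2", IssuerCert("ASU-Office", "CA-Office", "2002"), b"key-2"),
]
ACTIVATION_PACKET = b"flag=0;auth_id=deadbeef;local_asu=ASU-Office|CA-Office|2002;"
UNKNOWN_ASU_PACKET = b"flag=0;auth_id=deadbeef;local_asu=ASU-Other|CA-Other|9;"
MALFORMED_PACKET = b"flag=0;auth_id=deadbeef;local_asu=ASU-Office|CA-Office;"

if __name__ == "__main__":
    chosen = select_cert_set(ACTIVATION_PACKET, SETS_IN_MEMORY)
    print("selected:", chosen.cert_id if chosen else None)
```

The list is built once, before association, which is the point the text makes about timing: the per-packet work is only the traversal and three string comparisons per set, not a read of the secure storage area.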
  • The second terminal 120 can use the certificate management module 122 in cooperation with other modules to implement the storage and use of the certificate data.
  • Specifically, the application module 121 can invoke the certificate installation interface of the certificate management module 122 and provide the interface parameters of the certificate installation interface. The interface parameters may include the user certificate data, the issuer certificate data, and the user private key of the WAPI certificate data.
  • The certificate installation interface of the certificate management module 122 opens the certificate naming interface and displays the default certificate identifier on it; alternatively, the user can modify the certificate identifier on the certificate naming interface.
  • After the certificate installation interface of the certificate management module 122 obtains the user certificate data, the issuer certificate data, and the user private key from the interface parameters, it names the user certificate data, the issuer certificate data and the user private key according to the default certificate identifier or the certificate identifier entered on the certificate naming interface. Then the certificate management module 122 calls the storage module 123, and the storage module 123 stores the named certificate data in the secure storage area according to the naming rules of the certificate management module 122, thereby completing the certificate installation process.
  • When connecting, the network connection module 124 invokes the certificate enumeration interface of the certificate management module 122 to enumerate and present the certificate identifiers of all the certificate data in the secure storage area. After the user selects the target certificate identifier, the network connection module 124 calls the storage module 123 to find the certificate data in the secure storage area that matches the target certificate identifier, and then connects to the wireless network based on the wireless network driver using the found certificate data.
  • The certificate naming interface is provided by the certificate management module 122 running at the system layer, rather than by the application module 121 running at the application layer.
  • The certificate naming interface provided by the system-layer certificate management module is normally not controllable by, or subject to malicious operation from, an unsafe application at the application layer. This prevents an unsafe application-layer application from maliciously entering a name on the naming interface in order to install or delete a certificate.
  • When the terminal of the embodiment of the present invention is based on the Android system, the network configuration interface of the network connection module 124 need not add a new class; instead, by modifying Android's original WLAN network configuration interface (including modifying the WifiConfiguration class and its subclass KeyMgmt), it can achieve compatibility with WAPI and also provide the two different networking modes, manual connection and automatic connection.
  • For example, member variables can be added to the WifiConfiguration class so that it includes wapiPskType, wapiPsk, wapiCertSelMode, and wapiCertSel, where:
  • wapiPskType describes the key type of the WAPI pre-shared key;
  • wapiPsk describes the content of the WAPI pre-shared key;
  • wapiCertSelMode describes the selection mode of the WAPI certificate;
  • wapiCertSel describes the certificate identifier of the WAPI certificate selected in manual mode.
  • The new wapiCertSelMode and wapiCertSel correspond to the case of using a WAPI certificate for networking, while wapiPskType and wapiPsk correspond to the case of using a pre-shared key to connect to the network.
  • If the network connection module also needs to implement the two networking modes, automatic connection and manual connection, for the key mode, further member variables must be added to the WifiConfiguration class: a member variable describing the key selection mode and a member variable describing the identifier of the key selected in manual mode.
  • Each of the other modules that call the storage module 123 runs as a different user, and different user identities have different operation rights.
  • For example, a module running as the system user can install a certificate for the terminal, delete certificate data installed in the terminal, and enumerate certificate identifiers, but cannot read the certificate data in the terminal; a module running as the wlan user can read the certificate data and obtain the certificate identifiers of the certificates in the terminal.
  • The certificate management module 122 runs as the system user, and the network connection module 124 runs as the wlan user.
  • Thus the certificate management module 122 can call the storage module 123 to install certificate data for the terminal and to delete and enumerate the certificate identifiers of the certificate data installed in the terminal, but cannot call the storage module 123 to read the certificate data in the terminal; the network connection module 124 can call the storage module 123 to read the certificate data and the certificate identifiers in the terminal, but cannot call the storage module 123 to delete or install certificate data.
  • The certificate installation interface, the certificate deletion interface, and the certificate identifier enumeration interface of the certificate management module 122 may be designed using the Intent mechanism of the Android system. Specifically, an Activity can be preset in the system and related Intent Actions defined.
  • The related Intent Actions include: "com.wapi.certificate.INSTALL" for installing WAPI certificate data, "com.wapi.certificate.GET_ALIASES" for enumerating certificate identifiers, and "com.wapi.certificate.DELETE" for deleting WAPI certificate data.
  • The application module 121, or the APP in which the application module 121 is built, can send the corresponding Intent Action to the preset Activity in the system, and the Activity performs the operation of installing certificate data, deleting certificate data, or enumerating certificate identifiers according to the Intent Action.
  • The application module 121 (or its APP) sends the relevant parameters by using the putExtra function of the Intent, and the preset Activity in the system acquires the parameters through the getExtras function of the Intent. The definition of the related parameters is shown in Table 1.
  • When installing, the Activity determines whether the certificate identifier duplicates the alias of already installed certificate data; if it does, the user is prompted to re-edit it.
  • After the Activity obtains the certificate identifier finally confirmed by the user through the interactive interface, the WAPI certificate installation is performed. Then the corresponding return value is set by the setResult function of the Activity to notify the application module 121 (or its APP) whether the WAPI certificate data was installed successfully or not.
  • The return value set by the setResult function when installing the certificate data is defined as follows: a return value of 1 means the installation succeeded, and a return value of 0 means the installation failed.
  • When deleting, the Activity first checks the certificate identifier to be deleted. If the check does not pass, the deletion operation fails and the corresponding return value is set by the setResult function of the Activity; if it passes, the Activity pops up an interactive interface allowing the user to confirm whether to delete the set of certificate data. After the user confirms the deletion, the deletion operation is performed and the corresponding return value is set by the setResult function of the Activity to notify the application module 121 (or its APP) whether the WAPI certificate data was deleted successfully or not.
  • The return value set by the setResult function when deleting the certificate data is defined as follows: a return value of 1 indicates that the certificate was deleted successfully, and a return value of 0 indicates that the certificate deletion failed.
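The privilege separation between the certificate management module (system user) and the network connection module (wlan user) in front of the storage module, together with the Intent-action dispatch and the 1/0 result codes, as an added example written for this page and not code from the patent. It models the behaviour in plain Python rather than with Android classes: the StorageModule and CertificateActivity classes, the caller identities as the strings "system" and "wlan", the extras keys alias/user_cert/issuer_cert/user_private_key, and the two user-interaction callbacks are assumptions; the three action strings and the result values are the ones the text gives.

```python
"""Rights-checked storage module and the system Activity that fronts it.

Added example, not the patent's code.  Every storage operation is gated on the
identity the calling module runs as, so the certificate management module
(system) can install/delete/enumerate but never read key material, while the
network connection module (wlan) can read/enumerate but never install/delete.
"""
from typing import Callable, Dict, List, Optional, Tuple

ACTION_INSTALL = "com.wapi.certificate.INSTALL"
ACTION_GET_ALIASES = "com.wapi.certificate.GET_ALIASES"
ACTION_DELETE = "com.wapi.certificate.DELETE"
RESULT_OK, RESULT_FAIL = 1, 0          # values the text passes to setResult
CERT_PARTS = ("user_cert", "issuer_cert", "user_private_key")  # assumed extras keys

# Rights matrix keyed by the identity the calling module runs as (assumed strings).
RIGHTS = {
    "system": {"install", "delete", "enumerate"},   # certificate management module
    "wlan": {"read", "enumerate"},                  # network connection module
}


def is_permitted(caller: str, op: str) -> bool:
    """True when the caller identity holds the right for this storage operation."""
    return op in RIGHTS.get(caller, set())


class PermissionDenied(Exception):
    """Raised by the storage module when the caller identity lacks the right."""


class StorageModule:
    """Models the secure storage area; the only way in is through these methods."""

    def __init__(self) -> None:
        self._sets: Dict[str, Dict[str, bytes]] = {}

    def _check(self, caller: str, op: str) -> None:
        if not is_permitted(caller, op):
            raise PermissionDenied(f"{caller!r} may not {op}")

    def install(self, caller: str, alias: str, parts: Dict[str, bytes]) -> None:
        self._check(caller, "install")
        self._sets[alias] = dict(parts)

    def delete(self, caller: str, alias: str) -> None:
        self._check(caller, "delete")
        del self._sets[alias]

    def enumerate(self, caller: str) -> List[str]:
        self._check(caller, "enumerate")
        return sorted(self._sets)

    def read(self, caller: str, alias: str) -> Optional[Dict[str, bytes]]:
        self._check(caller, "read")
        parts = self._sets.get(alias)
        return dict(parts) if parts is not None else None


class CertificateActivity:
    """Preset system Activity handling the three Intent Actions; runs as 'system'.

    reedit: given a duplicate alias, returns the user's corrected alias, or None
    if the user gives up.  confirm_delete: True when the user confirms deletion.
    """

    def __init__(self, storage: StorageModule,
                 reedit: Callable[[str], Optional[str]],
                 confirm_delete: Callable[[str], bool]) -> None:
        self._storage = storage
        self._reedit = reedit
        self._confirm_delete = confirm_delete

    def handle(self, action: str, extras: Dict[str, object]) -> Tuple[int, Optional[List[str]]]:
        """Returns (value for setResult, alias list for GET_ALIASES or None)."""
        if action == ACTION_GET_ALIASES:
            return RESULT_OK, self._storage.enumerate("system")
        alias = extras.get("alias")
        if not isinstance(alias, str) or not alias:
            return RESULT_FAIL, None
        if action == ACTION_INSTALL:
            parts = {k: extras.get(k) for k in CERT_PARTS}
            if not all(isinstance(v, bytes) for v in parts.values()):
                return RESULT_FAIL, None          # incomplete set: refuse to install
            # Duplicate alias: prompt for a re-edit until unique or the user cancels.
            while alias in self._storage.enumerate("system"):
                alias = self._reedit(alias)
                if not alias:
                    return RESULT_FAIL, None
            self._storage.install("system", alias, parts)
            return RESULT_OK, None
        if action == ACTION_DELETE:
            if alias not in self._storage.enumerate("system"):
                return RESULT_FAIL, None          # nothing installed under that alias
            if not self._confirm_delete(alias):
                return RESULT_FAIL, None
            self._storage.delete("system", alias)
            return RESULT_OK, None
        return RESULT_FAIL, None
```

Note that the Activity never calls `read`: even though it runs as the more privileged system identity, the rights matrix denies it the key material, so a compromised application-layer caller that reaches the Activity can at most install, enumerate or (after user confirmation) delete a set, never extract one.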
  • In summary, the first terminal, which has the right to apply for the credentials of the wireless network, may request the server to download the credential information of the wireless network and send it to the second terminal, so that the second terminal can obtain the credential information of the wireless network without manual input by the user. The naming of the credential information (here, the certificate data) can use the default name generated by the terminal, the installation of the certificate can be performed automatically by the terminal, and the terminal automatically queries the certificate data used for networking and automatically makes the network connection.
  • The first terminal 110 can likewise use the certificate management module 112 in cooperation with other modules to implement the storage and use of the certificate data. The embodiment in which the first terminal 110 stores and uses the certificate data is the same as that in which the second terminal 120 stores and uses the certificate data, and the design mechanism of the certificate management module, storage module, and network connection module of the first terminal 110 and the second terminal 120 described above is also the same, so it is not described again here.
  • Referring to FIG. 3, a schematic structural diagram of a processing apparatus for credential information for network connection in an embodiment of the present invention is shown.
  • The device is configured in the first terminal, and may include, for example, an application module 301.
  • The application module 301 is configured to send a first credential download request to the server in response to an instruction requesting a network credential for the second terminal, to receive the first credential information sent by the server in the case that the user identity verification succeeds, and to transmit, from the first terminal system memory, the first credential information and the network identifier of the wireless network to be connected to the second terminal; or
  • the application module 301 is configured to send a second credential download request to the server in response to an instruction requesting a network credential for the first terminal, and to receive the second credential information sent by the server if the user identity verification succeeds.
  • The first credential download request or the second credential download request carries the user identity information of the first terminal, which the server uses to perform user identity verification on the first terminal.
  • The first credential information is used by the second terminal to connect to the wireless network corresponding to the network identifier, and the second credential information is used by the first terminal to connect to a wireless network.
  • Optionally, the application module 301 is further configured to send the first credential information and the network identifier to the second terminal by using a point-to-point wireless communication technology that does not require networking.
  • the device further includes: a storage module 303 and a network connection module 304;
  • the storage module 303 is configured to store the second credential information directly from the first terminal system memory in a secure storage area of the first terminal;
  • the network connection module 304 is configured to connect to the wireless network by using the second credential information stored in the secure storage area.
  • Optionally, the second credential information includes certificate data; correspondingly, as shown in FIG. 5, the apparatus further includes a certificate management module 302.
  • The certificate management module 302 is configured to: before the second credential information is stored directly from the first terminal system memory in the secure storage area of the first terminal, perform naming processing on the certificate data according to the certificate identifier set for the certificate data, and call the storage module 303 to store the certificate data subjected to the naming process directly from the first terminal system memory in the secure storage area of the first terminal.
  • the certificate management module 302 is further configured to use the certificate identifier to perform naming processing for each part of the data included in the certificate data, so that each part of the data included in the certificate data has the same certificate identifier.
  • the partial data includes user certificate data, issuer certificate data, and a user private key.
  • each module that invokes the storage module 303 runs as a different user, and different user identities correspond to different operation rights;
  • the certificate management module 302 runs as the system user, and the operation authority includes: calling the storage module 303 to install, delete, and enumerate the certificate data, but cannot invoke the storage module 303 to read the certificate data;
  • the network connection module 304 runs as the wlan user, and the operation authority includes: calling the storage module 303 to read the certificate data and the certificate identifier, but cannot invoke the storage module 303 to install and delete the certificate data.
  • When the certificate management module 302 invokes the storage module 303 to install, delete, and enumerate the certificate data, the certificate installation interface, the certificate deletion interface, and the certificate identifier enumeration interface of the certificate management module 302 are designed using the Intent mechanism of Android, including:
  • an Activity preset in the system and related Intent Actions defined for it; the application module 301 sends the related Intent Action to the Activity, and the Activity performs the operation of installing the certificate data, deleting the certificate data, or enumerating the certificate identifiers according to the Intent Action.
  • Optionally, the network connection module 304 is further configured to, in response to a manual connection instruction:
  • invoke the certificate management module 302 to enumerate the certificate identifiers of all the certificate data in the secure storage area, call the storage module 303 to read the corresponding certificate data based on the manually selected certificate identifier, and connect to the wireless network using the read certificate data.
  • When the network connection module 304, in response to the automatic connection instruction, invokes the storage module 303 to query the secure storage area for certificate data for connecting to the wireless network,
  • the network connection module 304 is configured to invoke the storage module 303 to read the WAPI certificate data in the secure storage area;
  • the network connection module 304 is configured to associate with the wireless access point AP, receive the authentication activation packet sent by the wireless access point AP, and obtain the identity field of the local authentication service unit ASU in the authentication activation packet;
  • the network connection module 304 is configured to obtain the identity information of the WAPI certificate data by traversing the read WAPI certificate data;
  • the network connection module 304 is configured to, when determining that the identity information matches the identity field of the local authentication service unit ASU, determine that the WAPI certificate data corresponding to the identity information is the certificate data used to connect to the wireless network.
  • Optionally, the network configuration interface of the network connection module 304 is obtained by modifying the WifiConfiguration class of the Android system; the modified WifiConfiguration class includes:
  • a member variable describing the key type of the pre-shared key, a member variable describing the content of the pre-shared key, a member variable describing the certificate selection mode, and a member variable describing the certificate identifier of the certificate selected in manual mode.
  • Optionally, the network configuration interface of the network connection module 304 is further obtained by modifying the KeyMgmt subclass of the WifiConfiguration class;
  • the modified KeyMgmt subclass includes the definition of the WAPI pre-shared key type and the definition of the WAPI certificate type.
  • The functions of the certificate management module, the storage module and the network connection module located in the first terminal, in the different implementations for storing and using the second credential information when the second credential information is used for networking, are the same as the functions of the certificate management module, the storage module and the network connection module located in the second terminal described above for storing and using the first credential information when the first credential information is used for networking, so they are not described again here.
  • In summary, the first terminal, which has the right to apply for the credentials of the wireless network, may request the server to download the credential information of the wireless network, so that the first terminal can obtain the credential information of the wireless network without manual input by the user and use it to connect to the wireless network. It can be seen that, in the process of the first terminal connecting to the wireless network, the user operation is simplified because the credential information need not be entered manually, and the credential information need not be publicly announced, thereby avoiding leakage of the credential information of the wireless network and improving the security of the wireless network.
  • Referring to FIG. 6, a schematic structural diagram of a processing apparatus for credential information for network connection in an embodiment of the present invention is shown.
  • The device is configured in the second terminal, and may include, for example, an application module 601, a storage module 603, and a network connection module 604.
  • The application module 601 is configured to receive the first credential information sent by the first terminal and the network identifier of the wireless network to be connected, where the first credential information is downloaded from the server by the first terminal in response to an instruction requesting a network credential for the second terminal and sent to the second terminal;
  • the storage module 603 is configured to directly store the first credential information from a second terminal system memory in a secure storage area of the second terminal;
  • the network connection module 604 is configured to connect the wireless network corresponding to the network identifier by using the first credential information in the secure storage area.
  • the application module 601 is further configured to receive the first credential information and the network identifier sent by the first terminal by using a point-to-point wireless communication technology that does not require networking.
  • Optionally, the first credential information includes certificate data; correspondingly, as shown in FIG. 7, the apparatus further includes a certificate management module 602.
  • The certificate management module 602 is configured to: before the first credential information is stored directly from the second terminal system memory in the secure storage area of the second terminal, perform naming processing on the certificate data according to the certificate identifier set for the certificate data, and call the storage module 603 to store the certificate data subjected to the naming process directly from the second terminal system memory in the secure storage area of the second terminal.
  • the certificate management module 602 is further configured to perform naming processing for each part of the data included in the certificate data by using the certificate identifier, so that each part of the data included in the certificate data has the same certificate identifier.
  • the partial data includes user certificate data, issuer certificate data, and a user private key.
  • each module that invokes the storage module 603 runs as a different user, and different user identities correspond to different operation rights;
  • the certificate management module 602 runs as the system user, and the operation authority includes: calling the storage module 603 to install, delete, and enumerate the certificate data, but cannot invoke the storage module 603 to read the certificate data;
  • the network connection module 604 is operated as a wlan user, and the operation authority includes: calling the storage module 603 to read the certificate data and the certificate identifier, but the storage module 603 cannot be called to install and delete the certificate data.
  • the certificate management module 602 provides a certificate installation interface, a certificate deletion interface, and a certificate identifier enumeration interface, which are used when the storage module 603 is invoked to install, delete, and enumerate the certificate data.
  • these interfaces are designed using the Android Intent mechanism: the application module 601 sends the corresponding Intent Action to an Activity, and the Activity installs the certificate data, deletes the certificate data, or enumerates the certificate identifiers according to the Intent Action.
  • the network connection module 604 is further configured to: invoke the certificate management module 602 to enumerate the certificate identifiers of all the certificate data in the secure storage area, invoke the storage module 603 to read the certificate data corresponding to the manually selected certificate identifier, and connect to the wireless network using the read certificate data.
  • when the network connection module 604, in response to the automatic connection instruction, invokes the storage module 603 to query the secure storage area for certificate data for connecting to the wireless network, the network connection module 604 is configured as follows:
  • the network connection module 604 is configured to invoke the storage module 603 to read WAPI certificate data in the secure storage area;
  • the network connection module 604 is configured to associate with a wireless access point AP, receive an authentication activation packet sent by the wireless access point AP, and obtain an identity field of a local authentication service unit ASU in the authentication activation packet.
  • the network connection module 604 is configured to obtain identity information of the WAPI certificate data by traversing the read WAPI certificate data;
  • the network connection module 604 is configured to: when it determines that the identity information matches the identity field of the local authentication service unit ASU, determine that the WAPI certificate data corresponding to that identity information is the certificate data used to connect to the wireless network.
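The automatic-connection selection above, as an added Python model that is not the patent's own code: a constructed authentication activation packet carries the local ASU identity field, and the stored WAPI certificate whose identity information (assumed here to be its issuer identity) matches that field is selected. The packet layout and the certificate records are constructed assumptions, not the real WAPI encoding.

```python
# Added example, not from the patent: automatic selection of the WAPI
# certificate whose identity information matches the ASU identity field of
# the authentication activation packet. Packet layout is a constructed
# stand-in: 1 flag byte, 2-byte big-endian length, then the ASU identity.
from typing import Optional


def parse_activation_packet(packet: bytes) -> dict:
    """Extract the flag byte and the ASU identity field, rejecting truncation."""
    if len(packet) < 3:
        raise ValueError("packet too short")
    flag = packet[0]
    id_len = int.from_bytes(packet[1:3], "big")
    if len(packet) < 3 + id_len:
        raise ValueError("truncated ASU identity field")
    asu_identity = packet[3:3 + id_len].decode("utf-8")
    return {"flag": flag, "asu_identity": asu_identity}


def build_activation_packet(asu_identity: str, flag: int = 0) -> bytes:
    """Build a packet in the constructed layout (what the AP side would send)."""
    body = asu_identity.encode("utf-8")
    return bytes([flag]) + len(body).to_bytes(2, "big") + body


def select_certificate(wapi_certs: list, packet: bytes) -> Optional[dict]:
    """Traverse the read WAPI certificate data and return the entry whose
    identity information (assumed: issuer identity) matches the ASU identity
    field; None when no stored certificate matches, so no connection is made."""
    asu_identity = parse_activation_packet(packet)["asu_identity"]
    for cert in wapi_certs:
        if cert["issuer_identity"] == asu_identity:
            return cert
    return None


# Constructed contents of the secure storage area: two WAPI certificates
# issued by different ASUs, each named by its certificate identifier.
STORED_WAPI_CERTS = [
    {"cert_id": "wapi-home", "issuer_identity": "C=CN,O=HomeASU",
     "user_identity": "alice-home"},
    {"cert_id": "wapi-office", "issuer_identity": "C=CN,O=OfficeASU",
     "user_identity": "alice-office"},
]


def demo():
    """Select for an AP whose ASU is known, then for one that is not."""
    office = build_activation_packet("C=CN,O=OfficeASU")
    unknown = build_activation_packet("C=CN,O=OtherASU")
    return (select_certificate(STORED_WAPI_CERTS, office),
            select_certificate(STORED_WAPI_CERTS, unknown))
```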
  • the network configuration interface of the network connection module 604 is obtained by modifying the WifiConfiguration class of the Android system; the modified WifiConfiguration class includes:
  • a member variable describing the key type of the pre-shared key, a member variable describing the content of the pre-shared key, a member variable describing the certificate selection mode, and a member variable describing the certificate identifier of the certificate selected in manual mode.
  • the network configuration interface of the network connection module 604 is further obtained by modifying a KeyMgmt subclass of the WifiConfiguration class;
  • the modified KeyMgmt subclass includes: the definition of the WAPI pre-shared key type and the definition of the WAPI certificate type.
  • for the specific implementation of how the certificate management module, the storage module, and the network connection module located in the second terminal store and use the first credential information for networking, refer to the above description; details are not described herein again.
  • the first terminal having the credential application right of the wireless network may request the server to download the credential information of the wireless network and send the credential information to the second terminal, so that the second terminal can obtain the credential information of the wireless network without manual input by the user, and the credential information can then be used to connect to the wireless network.
  • the application module 111 in the first terminal 110 shown in FIG. 1 can be built into the first terminal 110 when the terminal is shipped, or can be built into a third-party application APP.
  • the third-party application APP in which the application module 111 is built is acquired externally by the user and installed in the terminal to perform the networking operation. Therefore, the embodiment of the present invention further provides an application APP, configured in the first terminal, where the application APP includes: an application module,
  • the application module is configured to send a first credential download request to the server in response to the instruction for requesting the network credential for the second terminal, receive the first credential information sent by the server in the case that the user identity verification succeeds, and send the first credential information and the network identifier of the wireless network to be connected directly from the first terminal system memory to the second terminal; or
  • the application module is configured to send a second credential download request to the server in response to the instruction for requesting the network credential for the first terminal, and receive the second credential information sent by the server if the user identity verification succeeds;
  • the first credential download request or the second credential download request carries the user identity information of the first terminal, where the user identity information is used by the server to perform user identity verification on the first terminal;
  • the first credential information is used by the second terminal to connect to a wireless network corresponding to the network identifier; and the second credential information is used to connect the first terminal to a wireless network.
  • the application module is further configured to invoke the storage module of the first terminal to store the second credential information directly from the first terminal system memory in a secure storage area of the first terminal;
  • the application module is further configured to invoke a network connection module of the first terminal to connect to the wireless network by using the second credential information stored in the secure storage area.
  • the second credential information includes certificate data; correspondingly, before the second credential information is stored directly from the first terminal system memory in the secure storage area of the first terminal, the application module is further configured to invoke the certificate management module of the first terminal to name the certificate data according to the certificate identifier set for the certificate data, so that the certificate management module invokes the storage module of the first terminal to store the named certificate data directly from the first terminal system memory in the secure storage area of the first terminal.
  • the application module is further configured to invoke a network connection module of the first terminal to perform a network connection operation in response to the automatic connection instruction, so that the network connection module invokes the storage module of the first terminal to query the secure storage area for the certificate data for connecting to the wireless network, and connects to the wireless network using the queried certificate data; or
  • the application module is further configured to invoke a network connection module of the first terminal to perform a network connection operation in response to the manual connection instruction, so that the network connection module invokes a certificate management module of the first terminal to enumerate the certificate identifiers of all the certificate data in the secure storage area, invokes the storage module of the first terminal to read the certificate data corresponding to the manually selected certificate identifier, and connects to the wireless network using the read certificate data.
  • the application APP configured in the first terminal provided by the embodiment of the present invention has the same functions as the application module 111 shown in FIG. 1 and as the application module shown in FIGS. 3, 4, and 5; they are not described again here.
  • the application module 121 in the second terminal 120 shown in FIG. 1 can be built into the second terminal 120 when the terminal is shipped from the factory, or can be built into a third-party application APP.
  • the third-party application APP in which the application module 121 is built is acquired externally by the user and installed in the terminal to perform the networking operation. Therefore, the embodiment of the present invention further provides an application APP, configured in the second terminal, where the application APP includes: an application module,
  • the application module is configured to receive first credential information sent by the first terminal and a network identifier of the wireless network to be connected, where the first credential information is downloaded from the server by the first terminal in response to the instruction for applying for the network credential for the second terminal and sent to the second terminal;
  • the application module is further configured to invoke the storage module of the second terminal to directly store the first credential information from the second terminal system memory in a secure storage area of the second terminal;
  • the application module is further configured to invoke a network connection module of the second terminal to connect to the wireless network corresponding to the network identifier by using the first credential information stored in the secure storage area.
  • the first credential information includes certificate data; correspondingly, before the first credential information is stored directly from the second terminal system memory in the secure storage area of the second terminal, the application module is further configured to invoke the certificate management module of the second terminal to name the certificate data according to the certificate identifier set for the certificate data, so that the certificate management module invokes the storage module of the second terminal to store the named certificate data directly from the second terminal system memory in the secure storage area of the second terminal.
  • the application module is further configured to invoke a network connection module of the second terminal to perform a network connection operation in response to the automatic connection instruction, so that the network connection module invokes the storage module of the second terminal to query the secure storage area for the certificate data for connecting to the wireless network, and connects to the wireless network using the queried certificate data; or
  • the application module is further configured to invoke a network connection module of the second terminal to perform a network connection operation in response to the manual connection instruction, so that the network connection module invokes a certificate management module of the second terminal to enumerate the certificate identifiers of all the certificate data in the secure storage area, invokes the storage module of the second terminal to read the certificate data corresponding to the manually selected certificate identifier, and connects to the wireless network using the read certificate data.
  • the application APP configured in the second terminal provided by the embodiment of the present invention has the same functions as the application module 121 shown in FIG. 1 and as the application module shown in FIG.; the functions are not repeated here.
  • since the system embodiments basically correspond to the method embodiments, reference may be made to the relevant parts of the description of the method embodiments.
  • the system embodiments described above are merely illustrative; the units described as separate components may or may not be physically separate, and the components displayed as units may or may not be physical units, that is, they may be located in one place or distributed across multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the embodiment.
  • the code can be implemented by a non-transitory computer readable storage medium, and when the instructions in the storage medium are executed by the processor of the terminal, the terminal is caused.
  • the various embodiments of the present invention can be understood and carried out by those skilled in the art without departing from the invention.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The present invention relates to a credential information processing method and apparatus for a network connection, and an application (APP). The method comprises the following steps: in response to an instruction to apply for a network credential for a second terminal, a first terminal sends a first credential download request to a server; the first terminal receives first credential information sent by the server; and the second terminal receives the first credential information sent directly by the first terminal from a system memory of the first terminal, together with a network identifier of a wireless network to be connected, the second terminal stores the first credential information directly from a system memory of the second terminal in a secure storage region of the second terminal, and the second terminal connects to the wireless network corresponding to the network identifier by means of the first credential information in the secure storage region.
PCT/CN2018/077364 2017-03-01 2018-02-27 Procédé et appareil de traitement d'informations de justificatif d'identité pour une connexion réseau, et application (app) WO2018157782A1 (fr)

Priority Applications (4)

Application Number Priority Date Filing Date Title
KR1020197021587A KR102200936B1 (ko) 2017-03-01 2018-02-27 네트워크 연결을 위한 크리덴셜 정보 처리 방법 및 장치, 및 응용 프로그램(app)
JP2019560452A JP6917474B2 (ja) 2017-03-01 2018-02-27 ネットワーク接続のためのクレデンシャル情報の処理方法、装置、及びアプリケーションapp
US16/482,475 US11751052B2 (en) 2017-03-01 2018-02-27 Credential information processing method and apparatus for network connection, and application (APP)
EP18761355.9A EP3592017B1 (fr) 2017-03-01 2018-02-27 Procédé et appareil de traitement d'informations de justificatif d'identité pour une connexion réseau, et application (app)

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
CN201710117743.0 2017-03-01
CN201710117743 2017-03-01
CN201710150249.4A CN108696868B (zh) 2017-03-01 2017-03-14 用于网络连接的凭证信息的处理方法和装置
CN201710150249.4 2017-03-14

Publications (1)

Publication Number Publication Date
WO2018157782A1 true WO2018157782A1 (fr) 2018-09-07

Family

ID=63369805

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2018/077364 WO2018157782A1 (fr) 2017-03-01 2018-02-27 Procédé et appareil de traitement d'informations de justificatif d'identité pour une connexion réseau, et application (app)

Country Status (1)

Country Link
WO (1) WO2018157782A1 (fr)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2020088673A (ja) * 2018-11-28 2020-06-04 Necプラットフォームズ株式会社 無線通信装置、通信システム及び設定情報提供プログラム
US11405216B2 (en) * 2020-05-07 2022-08-02 Adp, Inc. System for authenticating verified personal credentials

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102026197A (zh) * 2010-12-31 2011-04-20 东莞宇龙通信科技有限公司 Wapi数字证书的获取方法和装置
CN103220669A (zh) * 2012-01-19 2013-07-24 中国移动通信集团公司 私有wlan共享方法、系统、服务器、终端及网关管理服务器
CN105636030A (zh) * 2016-01-29 2016-06-01 北京小米移动软件有限公司 分享接入点的方法及装置
US20160261587A1 (en) * 2012-03-23 2016-09-08 Cloudpath Networks, Inc. System and method for providing a certificate for network access
CN105959971A (zh) * 2016-06-30 2016-09-21 维沃移动通信有限公司 一种WiFi密码共享方法及移动终端

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
See also references of EP3592017A4 *

Similar Documents

Publication Publication Date Title
EP3592017B1 (fr) Procédé et appareil de traitement d'informations de justificatif d'identité pour une connexion réseau, et application (app)
US10667131B2 (en) Method for connecting network access device to wireless network access point, network access device, and application server
CN109286932B (zh) 入网认证方法、装置及系统
CN108551675B (zh) 一种应用客户端、服务端及对应的Portal认证方法
US8769612B2 (en) Portable device association
US20100040233A1 (en) Protocol for device to station association
US11765164B2 (en) Server-based setup for connecting a device to a local area network
WO2022111187A1 (fr) Procédé et appareil d'authentification de terminal, dispositif informatique et support de stockage
US10045212B2 (en) Method and apparatus for providing provably secure user input/output
US20230112606A1 (en) Device enrollment in a unified endpoint management system over a closed network
WO2018099407A1 (fr) Procédé et dispositif de connexion basée sur une authentification de compte
WO2018157782A1 (fr) Procédé et appareil de traitement d'informations de justificatif d'identité pour une connexion réseau, et application (app)
US9231932B2 (en) Managing remote telephony device configuration
US9143510B2 (en) Secure identification of intranet network
JP4775154B2 (ja) 通信システム、端末装置、プログラム、及び、通信方法
US10756899B2 (en) Access to software applications
CN113746779A (zh) 一种数字证书安装方法及设备
US12021938B1 (en) Device provisioning with a network profile
US11825306B2 (en) Peer-to-peer secure communication system, apparatus, and method
WO2024028291A1 (fr) Certificat provenant d'un serveur

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 18761355

Country of ref document: EP

Kind code of ref document: A1

ENP Entry into the national phase

Ref document number: 20197021587

Country of ref document: KR

Kind code of ref document: A

ENP Entry into the national phase

Ref document number: 2019560452

Country of ref document: JP

Kind code of ref document: A

NENP Non-entry into the national phase

Ref country code: DE

ENP Entry into the national phase

Ref document number: 2018761355

Country of ref document: EP

Effective date: 20191001