WO2019192935A1 - Transfer of credentials during network device insertion - Google Patents

Transfer of credentials during network device insertion

Publication number: WO2019192935A1
Authority: WO, WIPO (PCT)
Prior art keywords: credentials, new device, access point, network, server
Application number: PCT/EP2019/058011
Other languages: English (en)
Inventors: Lieven Gesquiere, Bart Vercammen, Gerrit RUELENS
Original assignee: Interdigital Ce Patent Holdings
Application filed by: Interdigital Ce Patent Holdings

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/50 Secure pairing of devices
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2463/00 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/062 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00 applying encryption of the keys
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/043 Key management, e.g. using generic bootstrapping architecture [GBA] using a trusted network node as an anchor
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W84/00 Network topologies
    • H04W84/02 Hierarchically pre-organised networks, e.g. paging networks, cellular networks, WLAN [Wireless Local Area Network] or WLL [Wireless Local Loop]
    • H04W84/04 Large scale networks; Deep hierarchical networks
    • H04W84/042 Public Land Mobile systems, e.g. cellular systems
    • H04W84/047 Public Land Mobile systems, e.g. cellular systems using dedicated repeater stations
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W84/00 Network topologies
    • H04W84/02 Hierarchically pre-organised networks, e.g. paging networks, cellular networks, WLAN [Wireless Local Area Network] or WLL [Wireless Local Loop]
    • H04W84/10 Small scale networks; Flat hierarchical networks
    • H04W84/12 WLAN [Wireless Local Area Networks]

Definitions

  • The present disclosure relates generally to communication networks and in particular to transfer of credentials to new devices in such networks.
  • In a Wi-Fi network, this can be done by connecting to a desired device (which requires knowledge of the identity of the desired device, typically its Service Set Identifier, SSID) and somehow inputting a Wi-Fi password.
  • SSID: Service Set Identifier
  • The SSID is not always known, in particular to less technology-savvy persons, and inputting the Wi-Fi password is error-prone, in particular on devices with a fiddly user interface.
  • An easier way of connecting a device to a Wi-Fi network is Wi-Fi Protected Setup (WPS), but the end-user still needs to push at least one button that is not always easy to find.
  • WPS: Wi-Fi Protected Setup
  • The present principles are directed to a method in which at least one hardware processor of a server receives a registration of an access point, transmits at least one first encryption key to the access point, receives a registration of a new device, linked to the access point, to be installed in the network, receives from the new device a request for the credentials, transmits at least one second encryption key to the new device, and causes transmission of the credentials in encrypted form to the new device.
  • The present principles are directed to a server including at least one interface configured for providing messages between at least one hardware processor of the server and an access point and a new device, the at least one hardware processor configured to receive a registration of the access point in the network, transmit at least one first encryption key to the access point, receive a registration of the new device to be installed in the network, the new device linked to the access point, receive from the new device a request for the credentials, transmit at least one second encryption key to the new device, and cause transmission of the credentials in encrypted form to the new device.
  • The present principles are directed to a device including a communication interface and at least one hardware processor configured to search through the communication interface for an open hotspot, establish, through the communication interface and the open hotspot, a connection with a server, receive through the connection at least one encryption key, request credentials for a network to which the device is to connect, receive from the server through the connection encrypted credentials for the network, decrypt the credentials using the at least one encryption key and establish, using the received credentials, a protected connection with the network.
  • The present principles are directed to a computer program comprising program code instructions executable by a processor for implementing the steps of a method according to any embodiment of the first aspect.
  • The present principles are directed to a computer program product which is stored on a non-transitory computer readable medium and includes program code instructions executable by a processor for implementing the steps of a method according to any embodiment of the first aspect.
  • Figure 1 illustrates an exemplary environment 100 according to the present principles.
  • Figure 2 illustrates a flow chart of a method according to an embodiment of the present principles.
  • FIG. 1 illustrates an exemplary environment 100 according to the present principles.
  • The exemplary environment 100 includes a device 110 to be inserted into a wireless network 120 maintained by an access point (AP) 130 and a server 140.
  • AP: access point
  • For reasons of clarity, only one device of each type is illustrated, but it will be understood that the exemplary environment 100 can, and normally will, include further devices.
  • The AP 130 manages the network 120, possibly operating at a plurality of frequency bands, and provides connectivity to an external network 150, such as the Internet, for devices in the network 120.
  • The AP 130 has an identity in the network, for example at least one Service Set Identifier (SSID), which is used when connecting a device to the network.
  • The AP 130 further stores a set of credentials for protecting the network 120; the credentials can for example be a network key used to encrypt communications in the network 120.
  • The SSID(s) and the credentials are also stored on devices that have been successfully inserted into the network 120.
  • Non-limitative examples of the device 110 are a personal computer, a mobile phone, a tablet, a set-top box and an alarm system.
  • Non-limitative examples of the AP 130 are a Wi-Fi gateway and a Wi-Fi extender in a home network.
  • Each of the device 110, the AP 130 and the server 140 includes at least one hardware processing unit (“processor”) 111, 131, 141, memory 112, 132, 142 and hardware communication interfaces (“I/O”) 113, 133, 143 configured for communication with other devices - the AP 130 for the device 110; the device 110 and the server 140 for the AP 130; and the device 110, the AP 130 and a further device in, for example, a point of sale (not shown) for the server 140.
  • processor: hardware processing unit
  • I/O: hardware communication interfaces
  • Non-transitory storage media 240 stores instructions that, when executed by a processor, perform the functions of the server 140 as further described hereinafter.
  • FIG. 2 illustrates a flow chart of a method according to an embodiment of the present principles.
  • The AP 130 registers in an account of a user at the server 140, which receives the registration at the interface 143, in step S202.
  • The processor 141 processes the registration, and sends, in step S204, via the interface 143 at least one encryption key in response.
  • The AP 130 can also take part in the key generation, for example using information received from the server 140; the AP 130 and the server 140 should end up with corresponding keys, i.e. the same symmetric key or a public/private key pair each, with the public key also stored by the other device.
  • In a variant, the AP 130 is already registered in the user account at the server 140, for example by the provider of the AP when the AP is sold or delivered to the user. In the variant, the AP 130 simply sends a notification message and receives the at least one encryption key in response.
  • The processor 141 of the server 140 receives via the interface 143 an instruction to register the new device 110 in the user account, and registers the new device 110 in the user account, effectively linking the AP 130 and the new device 110 in the user account.
  • The instruction preferably comes from the point-of-sale of the new device 110 when the new device has been sold to the user. While the instruction could also come from the user, this would require more interaction from the user, which from a user point of view could be undesirable.
  • A sales assistant can scan a machine-readable token on the package of the new device 110 to link the new device 110 to the end user’s account in the network operator’s customer database backend. This action confirms the trust relation with the user and the already installed equipment (notably the AP 130) in the network 120 which has already been linked to the same user account.
  • When the new device 110 is first powered, it searches, in step S208, for an open hotspot, i.e. an unprotected connection, which is operated by the network operator or through a partner of the network operator. Typically, the new device 110 will be powered within range of the AP 130.
  • The unprotected connection should provide a pinhole (access without authentication) to at least a specific API gateway endpoint.
  • In step S210, the new device 110 establishes a connection with the server 140, in which the processor 141 sends, in step S212, at least one encryption key to the new device 110.
  • The at least one encryption key preferably corresponds to the at least one encryption key mentioned with reference to step S204.
  • In step S214, the new device 110 requests the credentials for the network 120.
  • The credentials are the ones for the AP 130 together with which the new device 110 has been registered, which means that the correct credentials will be obtained regardless of the AP through which the new device 110 communicates with the server 140.
  • Step S214 may also be combined with or implicit in any messages used to establish the connection in step S210; in this case, step S214 is superfluous.
  • The server 140 has stored entries about devices that are registered together through the pre-provisioning that, in an embodiment, was established at the point-of-sale.
  • In step S216, the processor 141 of the server 140 requests the credentials from the AP 130.
  • The AP 130 sends the credentials, protected, notably using encryption, using the at least one encryption key received in step S204, to the server 140 that receives the credentials in step S218.
  • In step S220, the processor 141 of the server 140 sends the credentials, protected, notably using encryption, using the at least one encryption key sent in step S212, to the new device 110.
  • In step S222, the new device 110 obtains the credentials in the clear, for example through decryption, and stores and applies the received credentials.
  • In step S224, the new device 110 establishes a protected connection, using the received credentials.
  • The transfer of the credentials from the AP 130 to the new device 110 can be performed using technologies such as Message Queue Telemetry Transport Secure (MQTT-S) that ensures that the server 140 does not have access to unprotected credentials.
  • MQTT-S: Message Queue Telemetry Transport Secure
  • The server 140 stores the credentials for the network 120. The server 140 can then send these credentials, protected, directly to the new device when requested by the new device 110, for example using TR-069 or a Representational State Transfer (REST) API.
  • REST: Representational State Transfer
  • The server instructs the AP 130 to send the credentials, suitably protected, to the new device 110.
  • The present principles can provide exchange of credentials, such as Wi-Fi credentials, during the installation into an existing network without any further intervention of the end user.
  • When provided by a processor, the functions may be provided by a single dedicated processor, by a single shared processor, or by a plurality of individual processors, some of which may be shared.
  • Explicit use of the term “processor” or “controller” should not be construed to refer exclusively to hardware capable of executing software, and may implicitly include, without limitation, digital signal processor (DSP) hardware, read only memory (ROM) for storing software, random access memory (RAM), and non-volatile storage.
  • DSP: digital signal processor
  • ROM: read only memory
  • RAM: random access memory
  • Any switches shown in the figures are conceptual only. Their function may be carried out through the operation of program logic, through dedicated logic, through the interaction of program control and dedicated logic, or even manually, the particular technique being selectable by the implementer as more specifically understood from the context.
  • Any element expressed as a means for performing a specified function is intended to encompass any way of performing that function including, for example, a) a combination of circuit elements that performs that function or b) software in any form, including, therefore, firmware, microcode or the like, combined with appropriate circuitry for executing that software to perform the function.
  • The disclosure as defined by such claims resides in the fact that the functionalities provided by the various recited means are combined and brought together in the manner which the claims call for. It is thus regarded that any means that can provide those functionalities are equivalent to those shown herein.
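
An added sketch of the S202 to S224 flow described in the Definitions above (not code from the patent): the server releases credentials only to a device that was linked to an account, and it selects the AP by that account rather than by the hotspot the device happens to use. The class and function names, the in-process calls standing in for network messages, and the HMAC-based `seal`/`unseal` stand-in for a real authenticated cipher are assumptions.

```python
import hashlib, hmac, secrets

def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode; stdlib stand-in for a real AEAD (assumption).
    blocks = (hmac.new(key, b"enc" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("credential blob failed authentication")
    return bytes(c ^ k for c, k in zip(ct, keystream(key, nonce, len(ct))))

class AccessPoint:
    def __init__(self, ap_id, ssid, network_key):
        self.ap_id, self.ssid, self.network_key, self.key = ap_id, ssid, network_key, None

    def export_credentials(self) -> bytes:             # reply to S216, received in S218
        return seal(self.key, f"{self.ssid}\n{self.network_key}".encode())

class Server:
    def __init__(self):
        self.ap_by_account = {}        # account -> AccessPoint (S202)
        self.ap_keys = {}              # AP id -> server's copy of the first key (S204)
        self.account_by_device = {}    # device id -> account (S206)

    def register_ap(self, account, ap):                # S202 / S204
        self.ap_keys[ap.ap_id] = ap.key = secrets.token_bytes(32)
        self.ap_by_account[account] = ap

    def register_device(self, account, device_id):     # S206, e.g. from the point of sale
        if account not in self.ap_by_account:
            raise KeyError("no access point registered in this account")
        self.account_by_device[device_id] = account

    def provision(self, device_id, hotspot_ap_id):     # S210 to S220
        account = self.account_by_device.get(device_id)
        if account is None:            # the pinhole is unauthenticated, so check the link
            raise PermissionError("device is not registered in any account")
        ap = self.ap_by_account[account]   # chosen by account; hotspot_ap_id is ignored
        device_key = secrets.token_bytes(32)           # second encryption key (S212)
        creds = unseal(self.ap_keys[ap.ap_id], ap.export_credentials())  # S216 / S218
        return device_key, seal(device_key, creds)     # S220

def device_join(server, device_id, hotspot_ap_id):     # S208 to S222, device side
    key, blob = server.provision(device_id, hotspot_ap_id)
    ssid, network_key = unseal(key, blob).decode().split("\n", 1)
    return ssid, network_key           # then used for the protected connection (S224)

if __name__ == "__main__":
    server = Server()                  # all identifiers below are constructed samples
    server.register_ap("alice", AccessPoint("ap-home", "HomeNet", "constructed-passphrase"))
    server.register_device("alice", "stb-001")
    print(device_join(server, "stb-001", hotspot_ap_id="ap-neighbour"))
```

In this main flow the server unwraps and rewraps the credentials, so it sees them in the clear; the MQTT-S variant mentioned above is the one the text says keeps unprotected credentials away from the server.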

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

According to the present invention, a server (240) transfers credentials in a network (120) by receiving (S202) a registration of an access point (130), registered in an account of a user, in the network (120), transmitting (S204) at least one first encryption key to the access point (130), receiving (S206) a registration of a new device (110), registered in the account of the user, to be installed in the network (120), receiving (S214), from the new device (110), a request for the credentials, transmitting (S212) at least one second encryption key to the new device (110), and transmitting (S216, S218, S220) the credentials in encrypted form to the new device (110).
PCT/EP2019/058011 2018-04-06 2019-03-29 Transfer of credentials during network device insertion WO2019192935A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
EP18305409.7 2018-04-06
EP18305409 2018-04-06

Publications (1)

Publication Number Publication Date
WO2019192935A1 (fr) 2019-10-10

Family

ID=62046807

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2019/058011 WO2019192935A1 (fr) 2018-04-06 2019-03-29 Transfer of credentials during network device insertion

Country Status (1)

Country Link
WO (1) WO2019192935A1 (fr)


Similar Documents

Publication Publication Date Title
CN114189857B (zh) Gateway and method implemented by the gateway
US11974132B2 (en) Routing method, apparatus, and system
US9807605B2 (en) Method and device for switching subscription manager-secure routing device
US11317340B2 (en) Method and device for enabling access of an unconfigured device to a network hotspot device
US10721622B2 (en) Wireless communication system with multiple security levels
US10769615B2 (en) Device and method in wireless communication system and wireless communication system
CN1835436B (zh) A general authentication network and a method for implementing authentication
JP2020527914A (ja) Network security management method and apparatus
US20150281116A1 (en) Method for setting sensor node and setting security in sensor network, and sensor network system including the same
CN104010309A (zh) Method for establishing a connection between an access point and a terminal, and terminal
CN108781110B (zh) System and method for relaying data over a communication network
JP2018525939A (ja) Security authentication method, configuration method, and related device
KR20150051568A (ko) Security scheme and system for supporting discovery and communication between proximity-based service terminals in a mobile communication system environment
US11357062B2 (en) Communication method and apparatus
US20200059786A1 (en) End-to-end security for roaming 5g-nr communications
US20220046532A1 (en) Communications Method and Apparatus
CN114173328A (zh) Key exchange method, apparatus, and electronic device
US20160105407A1 (en) Information processing apparatus, terminal, information processing system, and information processing method
JP2015517747A (ja) Authentication method, apparatus and system for a mobile device
US11251960B1 (en) Server-based Wi-Fi protected setup (WPS) PIN procedure
WO2019192935A1 (fr) Transfer of credentials during network device insertion
KR102209289B1 (ko) Security and information support method and system for proximity-based service in a mobile communication system environment
CN111885595B (zh) Method, apparatus and system for configuring smart home appliances for network access
KR102048271B1 (ko) Server, subscriber terminal and method for providing a service to a non-subscriber terminal not subscribed to the service
CN113452513A (zh) Key distribution method, apparatus and system

Legal Events

Date Code Title Description
121 EP: the EPO has been informed by WIPO that EP was designated in this application

Ref document number: 19712803

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 EP: PCT application non-entry in European phase

Ref document number: 19712803

Country of ref document: EP

Kind code of ref document: A1