WO2020090443A1 - Communication device, control method, and program - Google Patents

Publication number
WO2020090443A1
Authority
WO
WIPO (PCT)
Prior art keywords
communication device
authentication
communication
sharing
dpp
Application number
PCT/JP2019/040469
Inventor
篤志 皆川
史英 後藤
Original Assignee
キヤノン株式会社
Application filed by キヤノン株式会社

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W76/00 Connection management
    • H04W76/10 Connection setup
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W84/00 Network topologies
    • H04W84/02 Hierarchically pre-organised networks, e.g. paging networks, cellular networks, WLAN [Wireless Local Area Network] or WLL [Wireless Local Loop]
    • H04W84/10 Small scale networks; Flat hierarchical networks
    • H04W84/12 WLAN [Wireless Local Area Networks]

Definitions

  • the present invention relates to a device that performs communication parameter sharing processing.
  • Wi-Fi DPP (Device Provisioning Protocol)
  • the DPP standard specifies that a device called a configurator provides communication parameters to a device called an enrollee (Patent Document 1). Further, in the DPP standard, one communication device captures a QR code (registered trademark) to identify the partner device, thereby preventing sharing of communication parameters with an erroneous partner device.
  • the present invention aims to improve user convenience in parameter sharing processing that complies with the DPP standard.
  • a communication device of the present invention includes: a first receiving unit that receives a first instruction to start a sharing process for sharing, with another communication device, a communication parameter for connecting to a wireless network; a first authenticating unit that, when the first receiving unit receives the first instruction, performs an authentication process using a fixed authentication code when a predetermined public key defined by the Wi-Fi DPP (Device Provisioning Protocol) standard is shared with the other communication device; and a sharing unit that shares the communication parameter with the other communication device when the authentication process by the first authenticating unit is successful.
  • FIG. 2 is a hardware configuration diagram of the communication device 101.
  • FIG. 3 is a flowchart realized by the communication device 101.
  • FIG. 4 is a sequence diagram between the communication device 101 and the communication device 102.
  • FIG. 3 is a flowchart realized by the communication device 101.
  • FIG. 1 shows the configuration of the communication system in this embodiment.
  • the communication device 101 operates as an access point, which is a wireless base station, and builds a wireless network 103. Specifically, the communication apparatus 101 periodically transmits a beacon including information on the wireless network 103, receives a connection request from another communication apparatus, and allows the other communication apparatus to connect to the wireless network 103.
  • the communication device 101 operates as a configurator that complies with the DPP (Device Provisioning Protocol) standard.
  • the configurator is a device having a role of providing communication parameters necessary for connecting to the wireless network 103. That is, the communication apparatus 101 provides the communication apparatus 102 with the communication parameters of the wireless network 103.
  • the communication parameter is, for example, a credential that complies with the DPP standard, and includes information such as netAccessKey that is key information necessary for connecting to the wireless network 103.
  • the key information is not limited to this, and may include information such as Pre Shared Key.
  • the communication parameter may include SSID (Service Set Identification) which is an identifier of the wireless network 103 and information on a frequency channel. Further, it may include information such as an encryption method and an authentication method used in the wireless network 103, and may include an expiration date of the communication parameter.
  • the communication device 101 which is a configurator, also notifies role information when providing communication parameters.
  • the role information indicates a role after the communication parameter sharing process is performed. This role indicates either an access point that constructs a wireless network using the acquired communication parameters, or a connection device (hereinafter referred to as a station) that connects to the wireless network using the acquired communication parameters. Since the communication device 101 operates as an access point, it notifies role information indicating the access point.
  • the communication device 102 operates as a station connecting to the wireless network and connects to the wireless network 103. Further, the communication device 102 operates as an enrollee compliant with the DPP standard. That is, the communication device 102 can acquire communication parameters from the communication device 101 and connect to the wireless network 103.
  • Specific examples of the communication device 101 and the communication device 102 include, but are not limited to, an access point, a mobile phone, a digital camera, a video camera, a printer, a projector, a PC, a PDA, a smart phone, and a smart watch.
  • the wireless network 103 is a wireless network conforming to the IEEE 802.11 series, and is a network constructed by the communication device 101.
  • IEEE is an abbreviation for The Institute of Electrical and Electronics Engineers.
  • the wireless network 103 may be a network constructed by another access point different from the communication device 101 and the communication device 102.
  • the wireless network 103 may also be a network that the communication device 101, or a device different from the communication device 101, constructs as a Group Owner complying with the Wi-Fi Direct standard.
  • the wireless network 103 may be a network based on wireless USB, MBOA, Bluetooth (registered trademark), UWB, ZigBee, NFC, or the like.
  • MBOA is an abbreviation of Multi Band OFDM Alliance
  • UWB is an abbreviation of Ultra Wide Band.
  • UWB includes wireless USB, wireless 1394, WINET, and the like.
  • FIG. 2 shows the hardware configuration of the communication device 101.
  • the communication device 102 also has a similar hardware configuration.
  • the storage unit 201 is composed of one or more memories such as ROM and RAM, and stores programs for performing various operations described below and various information such as communication parameters for wireless communication.
  • a storage medium such as a flexible disk, a hard disk, an optical disk, a magneto-optical disk, a CD-ROM, a CD-R, a magnetic tape, a non-volatile memory card, or a DVD may be used.
  • the control unit 202 is composed of one or more processors such as a CPU and an MPU, and controls the entire communication device 101 by executing a program stored in the storage unit 201.
  • the control unit 202 may control the entire communication device 101 by the cooperation of a program stored in the storage unit 201 and an OS (Operating System).
  • the control unit 202 may include a plurality of processors such as a multi-core, and the plurality of processors may control the entire communication device 101.
  • the control unit 202 also controls the functional unit 203 to execute a predetermined process such as imaging, printing, and projection.
  • the functional unit 203 is hardware for the communication apparatus 101 to execute a predetermined process.
  • the functional unit 203 is an image capturing unit and performs image capturing processing.
  • the functional unit 203 is a printing unit and performs print processing.
  • the functional unit 203 is a projection unit and performs projection processing.
  • the data processed by the functional unit 203 may be data stored in the storage unit 201 or data communicated with another communication device via the communication unit 206 described later.
  • the input unit 204 receives various operations from the user.
  • the output unit 205 performs various outputs to the user.
  • the output by the output unit 205 includes at least one of display on a screen, voice output by a speaker, vibration output, and the like.
  • both the input unit 204 and the output unit 205 may be realized by one module like a touch panel.
  • the communication unit 206 controls wireless communication conforming to the IEEE 802.11 series and IP (Internet Protocol) communication. In addition, the communication unit 206 controls the antenna 207 to send and receive wireless signals for wireless communication.
  • the communication device 101 communicates content such as image data, document data, and video data with the communication device 102 via the communication unit 206.
  • FIG. 3 shows a flowchart of a process flow realized by the control unit 202 reading the program stored in the storage unit 201 and executing the program when the communication device 101 is powered on.
  • the flowchart may instead be realized when a predetermined operation mode such as a communication setting mode is set by a user operation or the like, or when a predetermined application such as a communication setting application is activated.
  • the processing shown in FIG. 3 may be implemented by hardware.
  • a dedicated compiler may be used to automatically generate a dedicated circuit on the FPGA from a program for realizing each step.
  • FPGA is an abbreviation for Field Programmable Gate Array.
  • a Gate Array circuit may be formed in the same manner as the FPGA and realized as hardware. Further, it may be realized by an ASIC (Application Specific Integrated Circuit).
  • each block in the following flowcharts can be regarded as a hardware block. It should be noted that a plurality of blocks may be collectively configured as one hardware block, or one block may be configured as a plurality of hardware blocks.
  • the communication device 101 waits for a DPP start instruction from the user (S301).
  • the communication apparatus 101 receives a DPP start instruction from the user via the input unit 204.
  • the input unit 204 may be a button as hardware or a button on a UI (User Interface) displayed on the output unit 205.
  • the communication device 101 may also receive a DPP start instruction from an external device (not shown) (for example, a remote controller that performs infrared communication).
  • Upon receiving the DPP start instruction, the communication device 101 sets a predetermined fixed character string as the authentication code used for the PKEX process, which is a process conforming to the DPP standard and to the IETF draft (S302).
  • IETF is an abbreviation for Internet Engineering Task Force
  • PKEX is an abbreviation for Public Key Exchange.
  • the PKEX process based on the IETF draft is also called a public key exchange protocol.
  • the fixed character string is, for example, a fixed number string such as “0000”, a fixed alphabetic character string such as “Push-Button-Configuration” (which may include a symbol), or an alphanumeric string that combines letters and numbers.
  • the fixed character string may be set as a common character string in the DPP standard, or may be set as a fixed character string corresponding to each service. For example, when the communication parameter sharing process is performed using the DPP standard to execute the print service, the first fixed character string “Print” is used as the authentication code. Then, when the communication parameter sharing process is performed using the DPP standard to execute the display service, the second fixed character string "Display" is used as the authentication code.
  • the print service is a service in which one device transmits print data and the other device receives the print data and prints.
  • the display service is a service in which one device transmits display image data and the other device receives and displays the display image data.
  • the authentication code may also be a fixed character string corresponding to the number of times the user presses the button (for example, "0005" when the button is pressed 5 times). In this case, the user needs to press the button on the communication device 101 and the communication device 102 the same number of times.
  • the communication apparatus 101 executes PKEX processing using the authentication code with the communication apparatus 102 (S303). Then, the communication apparatus 101 confirms whether or not the PKEX processing has succeeded (S304).
  • the authentication code is used by the devices to authenticate each other, and the public key for authentication (e.g., the bootstrapping key defined in the DPP standard) is used for subsequent processes. That is, when the PKEX process using the authentication code succeeds, the communication device 101 and the communication device 102 can share the mutual authentication public key.
  • If the PKEX process fails due to a mismatch of authentication codes or a communication error (No in S304), the communication device 101 notifies the error (S305). Specifically, the communication apparatus 101 notifies the user of the error by displaying, on the output unit 205, a message indicating that the communication parameter sharing process has failed or that the authentication process has failed. The communication device 101 may additionally or alternatively notify the communication device 102 of an error. In addition, the error to be notified may include an error code indicating the reason for the error.
  • the communication device 101 ends the processing shown in FIG. 3. Instead of ending the process shown in FIG. 3, the process may return to step S301 to wait for a new DPP start instruction.
  • On the other hand, when the PKEX process succeeds (Yes in S304), the communication device 101 transmits to the communication device 102 an authentication request for starting an authentication process that conforms to the DPP standard and is different from the authentication process performed in the PKEX process (S306).
  • the authentication request is a DPP Authentication Request frame that complies with the DPP standard.
  • the authentication request includes the authentication information used for the authentication process, the identification information of the communication device 101, the random number generated by the communication device 101, and the public key for generating the shared key (the public key of the communication device 101).
  • the shared key is used when encrypting the random number for authentication.
  • the authentication information is specifically a hash value of the authentication public key of the communication device 102 acquired by the PKEX process.
  • the identification information of the communication device 101 is specifically a hash value of the authentication public key of the communication device 101 transmitted to the communication device 102 by the PKEX process.
  • the random number is used for authentication when receiving the authentication response described above.
  • the communication device 101 that has transmitted the authentication request then waits for an authentication response from the communication device 102 for a predetermined time (S307).
  • the time for waiting the authentication response may be a predetermined time after transmitting the authentication request, or may be a predetermined time after receiving the DPP start instruction in step S301.
  • the communication device 102 that has received the authentication request verifies the device that has transmitted the authentication request. This determination is performed using the authentication information included in the authentication request. That is, the communication device 102 calculates the hash value of the authentication public key of the communication device 102, compares the calculated hash value with the hash value (authentication information) included in the authentication request, and, when both match, determines that the verification is successful.
  • the hash function used for calculating the hash value at this time is defined by the DPP standard and is the same as the hash function used by the communication apparatus 101 for calculating the hash value.
  • the communication device 102 further generates a shared key using both the public key for generating the shared key of the communication device 101 and the secret key for generating the shared key of the communication device 102.
  • the shared key is generated based on, for example, the ECDH (Elliptic Curve Diffie-Hellman) method.
  • the method of generating the shared key is not limited to the ECDH method, and other public key encryption methods may be used.
  • the communication device 102 transmits an authentication response. If the verification fails, the communication device 102 does not send the authentication response. However, instead of this, when the verification fails, the communication device 102 may transmit an authentication response indicating that the verification fails.
  • the authentication response is a DPP Authentication Response frame that complies with the DPP standard.
  • the authentication response includes the public key for generating the shared key of the communication device 102, the random number generated by the communication device 102, and the tag information.
  • the tag information is the random number included in the authentication request transmitted by the communication device 101, encrypted with the shared key described above. The tag information is used for the authentication process in the communication device 101.
  • When the communication device 101 does not receive the authentication response within the predetermined time (No in S307), the communication device 101 notifies an error (S308). Even when an authentication response indicating that the verification has failed is received, the process proceeds to step S308.
  • Since the error notification method is the same as in step S305, the description is omitted. When an error code or the like is included, it may be notified that the error is due to a reason different from step S305. After that, the communication device 101 ends the processing illustrated in FIG. 3. Instead of ending the process shown in FIG. 3, the process may return to step S301 to wait for a new DPP start instruction.
  • the communication apparatus 101 authenticates the communication apparatus 102 based on the information included in the authentication response (S309). This will be described more specifically. First, the communication apparatus 101 uses the secret key for generating the shared key of the communication apparatus 101 and the public key for generating the shared key of the communication apparatus 102 to generate a shared key by the same method that the communication apparatus 102 used to generate its shared key.
  • the secret key for the shared key generation of the communication apparatus 101 is the secret key of the communication apparatus 101 corresponding to the public key for the shared key generation of the communication apparatus 101 used when the communication apparatus 102 generated the shared key.
  • the public key for generating the shared key of the communication device 102 is a public key corresponding to the secret key for generating the shared key of the communication device 102, which was used when the communication device 102 generated the shared key.
  • the communication device 101 decrypts the tag information included in the authentication response with the generated shared key, and confirms whether the random number included in the authentication request can be decrypted correctly.
  • If the random number is decrypted correctly, the communication device 101 determines that the communication device 102 has been successfully authenticated. On the other hand, if the decryption is not successful, it is determined that the authentication has failed.
  • the case where the decryption cannot be correctly performed is, for example, the case where the same shared key cannot be generated.
  • If the authentication fails (No in S309), the communication device 101 notifies the error in step S308. On the other hand, when the authentication is successful (Yes in S309), the communication apparatus 101 transmits an authentication confirmation to the communication apparatus 102 (S310).
  • the authentication confirmation is a DPP Authentication Confirm frame complying with the DPP standard, and includes tag information.
  • the tag information is the random number included in the authentication response transmitted by the communication device 102, which is encrypted by the communication device 101 using the shared key.
  • the communication device 101 that has transmitted the authentication confirmation then waits for a setting request from the communication device 102 for a predetermined time (S311).
  • the time for waiting for the setting request may be a predetermined time after transmitting the authentication request or may be a predetermined time after receiving the DPP start instruction in step S301. Further, the predetermined time in this step may be the same time as the predetermined time in step S307 or may be a different time.
  • the communication device 102 that has received the authentication confirmation determines that the authentication is successful if the tag information included in the authentication confirmation can be correctly decrypted with the shared key generated by itself.
  • When the authentication succeeds, the communication apparatus 102 recognizes the communication apparatus 101 that has transmitted the authentication request as a configurator, and transmits a setting request to the communication apparatus 101.
  • the setting request is a DPP Configuration Request frame that complies with the DPP standard.
  • This setting request includes device information and role information of the communication device 102.
  • the device information is a device name of the communication device 102 or the like.
  • the role information is information indicating a role after receiving the communication parameters, and is an “access point” or a “station”.
  • the information included in the setting request is encrypted with the shared key used by the communication device 102 to encrypt the tag information when transmitting the authentication response.
  • If the authentication fails, the communication device 102 does not transmit the setting request.
  • When the setting request from the communication device 102 is not received within the predetermined time (No in S311), the communication device 101 proceeds to step S308 and notifies an error.
  • When the setting request from the communication device 102 is received within the predetermined time (Yes in S311), the communication device 101 performs a process of providing communication parameters for connecting to the wireless network 103 as a setting response (S312).
  • the setting response is a DPP Configuration Response frame compliant with the DPP standard.
  • the setting response transmitted by the communication parameter processing unit 208 of the communication apparatus 101 includes communication parameters, an expiration date of the communication parameters, a public key dedicated to the configurator of the communication apparatus 101, role information, and the like.
  • the communication parameter includes a credential compliant with the DPP standard and a public key included in the authentication response from the communication device 102. Further, in the setting response, the communication parameter is encrypted with the private key dedicated to the configurator of the communication apparatus 101. Further, the information included in the setting response is encrypted with the shared key generated in the communication device 101.
  • After transmitting the setting request, the communication device 102, which is an enrollee, waits for a setting response to be transmitted from the communication device 101, which is the configurator.
  • the communication device 102 that has received the setting response decrypts the information included in the setting response with the shared key. Further, the communication apparatus 102 decrypts the communication parameter encrypted with the private key dedicated to the configurator of the communication apparatus 101 with the public key dedicated to the configurator of the communication apparatus 101.
  • the communication device 102 can connect to the wireless network 103 using the communication parameters obtained by decoding.
  • FIG. 4 is a sequence diagram when the communication apparatus 101 provides the communication apparatus 102 with communication parameters.
  • a fixed authentication code is set (S402). This authentication code corresponds to the password of the public key exchange protocol in the IETF draft.
  • When the communication apparatus 101 receives a DPP start instruction by the push button from the user (S403), it sets a fixed authentication code (S404). Specifically, the communication device 101 generates a cryptographic element Qa by combining the hash (Hash) of the set authentication code and the element (Pi) defined in the DPP standard. Further, the communication device 101 generates a temporary key pair (secret key x and public key X), and adds the generated public key X of the temporary key pair to the cryptographic element Qa to generate the information element M.
  • the public key X and the information element M are vectors that include an x component and a y component.
  • the communication device 101 transmits a code exchange request including the generated cryptographic element Qa, the information element M, and the identifier (e.g., MAC address) of the communication device 101 to the communication device 102 (S405).
  • the code exchange request is transmitted by using the action frame conforming to the IEEE 802.11 series.
  • the present invention is not limited to this, and a signal conforming to NFC, Bluetooth, Transfer Jet (TransferJet), Ethernet, USB or the like may be used.
  • NFC is an abbreviation for Near Field Communication
  • USB is an abbreviation for Universal Serial Bus.
  • the communication device 102 calculates the temporary key X ′ from the information element M included in the code exchange request and the cipher element Qa ′ calculated by the own device.
  • the communication device 102 combines the hash of the authentication code set by the communication device 102 and the element (Pi) defined in the DPP standard to generate the cryptographic element Qa ′.
  • the communication device 102 can acquire the public key X of the temporary key pair of the communication device 101.
  • the communication device 102 further generates a cryptographic element Qb by combining the hash of the set authentication code and the element (Pr) defined in the DPP standard. Further, the communication device 102 generates a temporary key pair (secret key y and public key Y), and adds the generated public key Y of the temporary key pair to the cryptographic element Qb to generate the information element N.
  • the public key Y and the information element N are vectors including an x component and a y component.
  • the communication device 102 transmits a code exchange response including the generated cryptographic element Qb, the information element N, and the identifier (e.g., MAC address) of the communication device 102 to the communication device 101 (S406).
  • When the communication device 101 receives the code exchange response from the communication device 102, the communication device 101 calculates the temporary key Y ′ from the information element N included in the code exchange response and the cipher element Qb ′ calculated by the own device. The communication device 101 combines the hash of the authentication code set by the communication device 101 and the element (Pr) defined in the DPP standard to generate the cryptographic element Qb ′.
  • the communication apparatus 101 can obtain the public key Y of the temporary key pair of the communication apparatus 102.
  • the communication device 101 may proceed as if the PKEX process failed. That is, the communication apparatus 101 may execute the error process of step S305 in FIG. 3 and end the sharing process without sharing the communication parameter. As a result, if the DPP start instruction is not issued between the communication device 101 and the communication device 102 within a predetermined time, the sharing process ends, and thus security is improved.
  • the communication device 101 calculates temporary encryption information K from the secret key x of the communication device 101 and the public key Y ′ of the communication device 102.
  • the cryptographic information K is a vector value including an x component and a y component.
  • the communication apparatus 101 further calculates a common key Z using a function KDF-n (Key Derivation Function) defined in the IETF draft.
  • <> indicates that the first argument passed to the function is blank.
  • M.x, N.x and K.x denote the values of the x components of M, N, and K, respectively.
  • the communication device 102 calculates temporary encryption information K ′ from the secret key y of the communication device 102 and the public key X ′ of the communication device 101. Then, the common key Z ′ is calculated using the same function KDF-n.
  • the public key sharing phase (Reveal Phase) of the public key exchange protocol in the IETF draft is started.
  • the communication device 101 includes an identifier of the communication device 101, an authentication public key of the communication device 101 (eg, bootstrapping key defined by the DPP standard), an X. x and Y '.
  • the information element u is calculated using x.
  • X. x and Y '. x represents the value of the x component of X and Y ', respectively.
  • the communication apparatus 101 encrypts the information element u and the authentication public key of the communication apparatus 101 with the common key Z and transmits the encrypted public key (S407).
  • the communication device 102 calculates the information element u' using an identifier of the communication device 101, an authentication public key of the communication device 101, X'.x and Y.x.
  • the communication device 102 encrypts the information element u' and the authentication public key of the communication device 102 with the common key Z and transmits the encrypted public key (S408).
  • the communication device 101 uses the common key Z to decrypt the information element u ′ received from the communication device 102 and the authentication public key of the communication device 102.
  • the acquired information element u ′ matches the information element u calculated by the own device, it is determined that the PKEX processing has succeeded.
  • the authentication codes set to each other match, the information element u and the information element u ′ match. In this way, the authentication process using the authentication code in the PKEX process is performed, and the mutual authentication public key is shared.
  • the public keys for authentication are shared with each other, the public key sharing phase (Reveal Phase) of the public key exchange protocol is completed.
  • the communication device 101 generates and sends an authentication request (S409).
  • the communication device 102 receives this authentication request and verifies the content of the received authentication request (S410). Then, the communication device 102 generates and transmits an authentication response (S411).
  • the communication device 102 that has transmitted the authentication response to the communication device 101 waits for the authentication confirmation to be transmitted from the communication device 101.
  • the communication device 101 that has received the authentication response performs authentication based on the authentication response (S412).
  • the communication apparatus 101 determines that the authentication is successful, the communication apparatus 101 transmits an authentication confirmation to the communication apparatus 102 (S413).
  • the communication device 102 verifies the content of the authentication confirmation (S414).
  • the communication apparatus 102 transmits a setting request for performing communication parameter setting processing (S415), and waits for a setting response to be transmitted from the communication apparatus 101.
  • the communication apparatus 101 transmits the communication parameter encrypted with the private key dedicated to the configurator of the communication apparatus 101 and the public key dedicated to the configurator in the setting response (S416).
  • the communication device 102 decrypts the communication parameter with the public key dedicated to the configurator of the communication device 101. After that, the communication device 102 connects to the wireless network 103 using the decrypted communication parameter (S417).
  • the communication device 101 can provide the communication parameter to the communication device 102 by the processing described with reference to FIGS. 3 and 4.
  • the communication device 101 which is the configurator, transmits the code exchange request in the above-described embodiment, it may be transmitted by the communication device 102, which is the enrollee. In that case, the communication device 101, which is a configurator, waits for a code exchange request and transmits a code exchange response.
  • the communication device 101 and the communication device 102 may alternately transmit and receive the code exchange request at appropriate time intervals so that transmission and reception can be performed.
  • the communication device 101 operates as a configurator to provide communication parameters.
  • the configuration is not limited to this, and the communication device 101 may operate as an enrollee and the communication device 102 may operate as a configurator so that the communication device 101 receives communication parameters from the communication device 102.
  • the communication device 101 may operate as shown in FIG. 5 instead of FIG. That is, the communication apparatus 101 waits for a DPP start instruction from the user (S501).
  • the user can instruct the start of DPP by a plurality of methods.
  • the communication device 101 may have a plurality of buttons each corresponding to a different instruction, or may have a switch. Further, these buttons and switches may be realized by hardware or software.
  • the communication apparatus 101 determines whether the DPP start instruction is a predetermined DPP start instruction (S502). When it is the predetermined DPP start instruction (Yes in S502), the communication apparatus 101 executes the processes of steps S302 to S312 described above. On the other hand, when it is not the predetermined DPP start instruction (No in S502), the user is prompted to input the authentication code (S503). Then, the communication apparatus 101 uses the authentication code input by the user instead of the fixed authentication code to perform the PKEX processing (S504). After that, the communication apparatus 101 executes the processes of steps S304 to S312 described above.
  • the present invention can also be realized by processing in which a program that implements one or more functions of the above-described embodiments is supplied to a system or apparatus via a network or a storage medium, and one or more processors in a computer of the system or apparatus read and execute the program. It can also be realized by a circuit (for example, an ASIC) that realizes one or more functions.

Abstract

According to the present invention, when an instruction to start a sharing process for sharing, with another communication device, a communication parameter for connection to a wireless network is received, an authentication process is performed with the other communication device, by using a fixed authentication code, when sharing a predetermined public key defined by the Wi-Fi Device Provisioning Protocol (DPP) standard, and when the authentication process is successful, the communication parameter is shared with the other communication device.

Description

Communication device, control method, and program
The present invention relates to a device that performs communication parameter sharing processing.
In recent years, the Wi-Fi DPP (Device Provisioning Protocol) standard has been established as a technology for sharing communication parameters for accessing a wireless network.
The DPP standard specifies that a device called a configurator provides communication parameters to a device called an enrollee (Patent Document 1). In addition, in the DPP standard, one communication device captures an image of a QR code (registered trademark) to identify the partner device, which prevents communication parameters from being shared with the wrong partner device.
U.S. Patent Application Publication No. 2017/0295448
However, even when no device capable of capturing a QR code, such as a smartphone or a camera, is available, there is a demand to be able to perform communication parameter sharing processing compliant with the DPP standard with a simple user operation.
In view of the above problem, an object of the present invention is to improve user convenience in parameter sharing processing that complies with the DPP standard.
A communication device of the present invention includes: first accepting means for accepting a first instruction to start sharing processing for sharing, with another communication device, a communication parameter for connecting to a wireless network; first authentication means for, when the first instruction is accepted by the first accepting means, performing authentication processing with the other communication device using a fixed authentication code when sharing with the other communication device a predetermined public key defined by the Wi-Fi DPP (Device Provisioning Protocol) standard; and sharing means for sharing the communication parameter with the other communication device when the authentication processing by the first authentication means succeeds.
According to the present invention, user convenience can be improved in parameter sharing processing that complies with the DPP standard.
Configuration diagram of the communication system. Hardware configuration diagram of the communication device 101. Flowchart realized by the communication device 101. Sequence diagram between the communication device 101 and the communication device 102. Flowchart realized by the communication device 101.
FIG. 1 shows the configuration of the communication system in this embodiment.
The communication device 101 operates as an access point, which is a wireless base station, and constructs the wireless network 103. Specifically, the communication device 101 periodically transmits a beacon including information on the wireless network 103, accepts connection requests from other communication devices, and permits those devices to connect to the wireless network 103.
The communication device 101 also operates as a configurator compliant with the DPP (Device Provisioning Protocol) standard. A configurator is a device whose role is to provide the communication parameters necessary for connecting to the wireless network 103. That is, the communication device 101 provides the communication parameters of the wireless network 103 to the communication device 102.
The communication parameters are, for example, a credential compliant with the DPP standard, and include information such as netAccessKey, which is key information necessary for connecting to the wireless network 103. However, the communication parameters are not limited to this, and may include information such as a Pre Shared Key as the key information. The communication parameters may also include an SSID (Service Set Identification), which is an identifier of the wireless network 103, and frequency channel information. They may further include information such as the encryption method and authentication method used in the wireless network 103, and may include an expiration date of the communication parameters.
The communication device 101, which is the configurator, also notifies role information when providing the communication parameters. The role information indicates the role after the communication parameter sharing processing is performed. The role is either an access point that constructs a wireless network using the acquired communication parameters, or a connecting device (hereinafter referred to as a station) that connects to a wireless network using the acquired communication parameters. Since the communication device 101 operates as an access point, it notifies role information indicating an access point.
On the other hand, the communication device 102 operates as a station and connects to the wireless network 103. The communication device 102 also operates as an enrollee compliant with the DPP standard. That is, the communication device 102 can acquire communication parameters from the communication device 101 and connect to the wireless network 103.
Specific examples of the communication device 101 and the communication device 102 include, but are not limited to, an access point, a mobile phone, a digital camera, a video camera, a printer, a projector, a PC, a PDA, a smartphone, and a smartwatch.
The wireless network 103 is a wireless network conforming to the IEEE 802.11 series and is constructed by the communication device 101. Here, IEEE is an abbreviation for The Institute of Electrical and Electronics Engineers. However, the wireless network 103 is not limited to this, and may be a network constructed by an access point other than the communication device 101 and the communication device 102. It may also be a network that the communication device 101, or a different device, has constructed as a Group Owner compliant with the Wi-Fi Direct standard. Furthermore, the wireless network 103 may be a network compliant with wireless USB, MBOA, Bluetooth (registered trademark), UWB, ZigBee, NFC, or the like. Here, MBOA is an abbreviation for Multi Band OFDM Alliance, and UWB is an abbreviation for Ultra Wide Band. UWB includes wireless USB, wireless 1394, WINET, and the like.
FIG. 2 shows the hardware configuration of the communication device 101. The communication device 102 has a similar hardware configuration.
The storage unit 201 is composed of one or more memories such as a ROM and a RAM, and stores programs for performing the various operations described later and various information such as communication parameters for wireless communication. In addition to memories such as a ROM and a RAM, a storage medium such as a flexible disk, a hard disk, an optical disk, a magneto-optical disk, a CD-ROM, a CD-R, a magnetic tape, a non-volatile memory card, or a DVD may be used as the storage unit 201.
The control unit 202 is composed of one or more processors such as a CPU and an MPU, and controls the entire communication device 101 by executing a program stored in the storage unit 201. The control unit 202 may control the entire communication device 101 through cooperation between a program stored in the storage unit 201 and an OS (Operating System). The control unit 202 may also include a plurality of processors, such as a multi-core processor, and control the entire communication device 101 with the plurality of processors.
The control unit 202 also controls the functional unit 203 to execute predetermined processing such as imaging, printing, or projection. The functional unit 203 is hardware with which the communication device 101 executes the predetermined processing. For example, when the communication device 101 is a camera, the functional unit 203 is an imaging unit and performs imaging processing. When the communication device 101 is a printer, the functional unit 203 is a printing unit and performs print processing. When the communication device 101 is a projector, the functional unit 203 is a projection unit and performs projection processing. The data processed by the functional unit 203 may be data stored in the storage unit 201 or data communicated with another communication device via the communication unit 206 described later.
The input unit 204 accepts various operations from the user. The output unit 205 performs various kinds of output to the user. Here, output by the output unit 205 includes at least one of display on a screen, audio output from a speaker, vibration output, and the like. Both the input unit 204 and the output unit 205 may be realized by one module, as in a touch panel.
The communication unit 206 controls wireless communication conforming to the IEEE 802.11 series and controls IP (Internet Protocol) communication. The communication unit 206 also controls the antenna 207 to transmit and receive wireless signals for wireless communication. The communication device 101 communicates content such as image data, document data, and video data with the communication device 102 via the communication unit 206.
FIG. 3 shows a flowchart of the processing realized when, upon power-on of the communication device 101, the control unit 202 reads and executes the program stored in the storage unit 201. Instead of at power-on, the processing may be realized when the communication device 101 enters a predetermined operation mode, such as a communication setting mode, by a user operation or the like, or when a predetermined application, such as a communication setting application, is started.
At least part of the flowchart shown in FIG. 3 may be realized by hardware. When it is realized by hardware, for example, a predetermined compiler may be used to automatically generate a dedicated circuit on an FPGA from a program for realizing each step. FPGA is an abbreviation for Field Programmable Gate Array. A Gate Array circuit may also be formed in the same manner as the FPGA and realized as hardware. The processing may also be realized by an ASIC (Application Specific Integrated Circuit). In this case, each block in the following flowcharts can be regarded as a hardware block. A plurality of blocks may be combined into one hardware block, or one block may be configured as a plurality of hardware blocks.
First, the communication device 101 waits for a DPP start instruction from the user (S301). Here, the communication device 101 accepts the DPP start instruction from the user via the input unit 204. The input unit 204 may be a hardware button or a button on a UI (User Interface) displayed on the output unit 205. The communication device 101 may also accept the DPP start instruction from an external device (not shown), for example a remote controller that performs infrared communication.
Upon accepting the DPP start instruction, the communication device 101 sets a predetermined fixed character string as the authentication code used for PKEX processing, which is processing compliant with the DPP standard and conforming to the IETF draft (S302). IETF is an abbreviation for Internet Engineering Task Force, and PKEX is an abbreviation for Public Key Exchange. The PKEX processing conforming to the IETF draft is also called a public key exchange protocol.
Here, the fixed character string is, for example, a fixed numeric string such as “0000”, a fixed alphabetic string such as “Push-Button-Configuration” (which may include symbols), or an alphanumeric string combining letters and digits. The fixed character string may be defined as a common character string in the DPP standard, or may be defined as a fixed character string corresponding to each service. For example, when the communication parameter sharing processing is performed using the DPP standard in order to execute a print service, a first fixed character string “Print” is used as the authentication code. When the communication parameter sharing processing is performed using the DPP standard in order to execute a display service, a second fixed character string “Display” is used as the authentication code.
A print service is a service in which one device transmits print data and the other device receives the print data and prints it. A display service is a service in which one device transmits display image data and the other device receives the display image data and displays it.
The authentication code may also be a fixed character string corresponding to the number of times the user presses a button (for example, “0005” when the button is pressed five times). In this case, the user needs to press the button the same number of times on the communication device 101 and on the communication device 102.
Which fixed code is used as the authentication code is assumed to be determined in advance by the standard or the system.
When the authentication code has been set, the communication device 101 executes PKEX processing using the authentication code with the communication device 102 (S303). The communication device 101 then checks whether the PKEX processing has succeeded (S304).
In the PKEX processing, the devices authenticate each other using the authentication code and exchange the authentication public keys (for example, the bootstrapping key defined in the DPP standard) used in the subsequent processing. That is, when the PKEX processing using the authentication code succeeds, the communication device 101 and the communication device 102 each hold the other's authentication public key. Details of the PKEX processing will be described later with reference to FIG. 4.
When the PKEX processing fails because of a mismatch of authentication codes, a communication error, or the like (No in S304), the communication device 101 notifies an error (S305). Specifically, the communication device 101 notifies the user of the error by displaying, on the output unit 205, an error message indicating that the communication parameter sharing processing has failed or that the authentication processing has failed. In addition to or instead of this, the communication device 101 may notify the communication device 102 of the error. The notified error may include an error code or the like indicating the reason for the error.
After that, the communication device 101 ends the processing shown in FIG. 3. Instead of ending the processing shown in FIG. 3, the communication device 101 may return to step S301 and wait for a new DPP start instruction.
 一方、PKEX処理に成功した場合(S304のYes)は、通信装置101は、PKEX処理で行われた認証処理とは異なる認証処理であって、DPP規格に準拠した認証処理を開始するための認証要求を通信装置102に送信する(S306)。ここで、認証要求とは、DPP規格に準拠したDPP Authentication Requestフレームである。また、認証要求には、認証処理に用いられる認証情報、通信装置101の識別情報、通信装置101が生成した乱数、および、共有鍵を生成するために用いられる共有鍵生成用の公開鍵(通信装置101の公開鍵)が含まれる。なお、当該共有鍵は、認証のために当該乱数を暗号化する際に用いられる。 On the other hand, when the PKEX process is successful (Yes in S304), the communication device 101 is an authentication process different from the authentication process performed in the PKEX process and is an authentication for starting the authentication process conforming to the DPP standard. The request is transmitted to the communication device 102 (S306). Here, the authentication request is a DPP Authentication Request frame that complies with the DPP standard. Further, the authentication request includes the authentication information used for the authentication process, the identification information of the communication device 101, the random number generated by the communication device 101, and the public key for generating the shared key (communication key). The public key of the device 101) is included. The shared key is used when encrypting the random number for authentication.
 ここで、認証情報とは、具体的にはPKEX処理により取得した通信装置102の認証用公開鍵のハッシュ値である。また、通信装置101の識別情報とは、具体的には、PKEX処理により通信装置102に送信した通信装置101の認証用公開鍵のハッシュ値である。また、乱数は、述する認証応答の受信時に、認証のために使用される。 Here, the authentication information is specifically a hash value of the authentication public key of the communication device 102 acquired by the PKEX process. Further, the identification information of the communication device 101 is specifically a hash value of the authentication public key of the communication device 101 transmitted to the communication device 102 by the PKEX process. Further, the random number is used for authentication when receiving the authentication response described above.
 認証要求を送信した通信装置101は、その後、通信装置102からの認証応答を所定時間、待ち受ける(S307)。なお、認証応答を待ち受ける時間は、認証要求を送信してから所定時間であってもよいし、ステップS301においてDPP開始指示を受け付けてから所定時間であってもよい。 The communication device 101 that has transmitted the authentication request then waits for an authentication response from the communication device 102 for a predetermined time (S307). The time for waiting the authentication response may be a predetermined time after transmitting the authentication request, or may be a predetermined time after receiving the DPP start instruction in step S301.
 認証要求を受信した通信装置102は、認証要求を送信した装置の検証処理を行う。この判定は、認証要求に含まれている認証情報を用いて行われる。即ち、通信装置102が、通信装置102の認証用公開鍵のハッシュ値を計算し、計算されたハッシュ値と認証要求に含まれるハッシュ値(認証情報)とを比較し、両者が一致した場合に検証が成功したと判定する。なお、このときのハッシュ値の計算に用いられるハッシュ関数は、DPP規格において定められており、通信装置101がハッシュ値の計算に用いたハッシュ関数と同じである。 The communication device 102 that has received the authentication request verifies the device that has transmitted the authentication request. This determination is performed using the authentication information included in the authentication request. That is, the communication device 102 calculates the hash value of the authentication public key of the communication device 102, compares the calculated hash value and the hash value (authentication information) included in the authentication request, and when both match, It is determined that the verification is successful. The hash function used for calculating the hash value at this time is defined by the DPP standard and is the same as the hash function used by the communication apparatus 101 for calculating the hash value.
 検証に成功した場合、通信装置102は、認証に成功した場合、更に、通信装置101の共有鍵生成用の公開鍵と、通信装置102の共有鍵生成用の秘密鍵の双方を用いて共有鍵を生成する。共有鍵は、例えば、ECDH(Elliptic Curve Diffie-Hellman)方式に基づいて生成される。なお、共有鍵の生成方法は、ECDH方式に限定されるものではなく、その他の公開鍵暗号方式であってもよい。 If the verification is successful, if the authentication is successful, the communication device 102 further uses both the public key for generating the shared key of the communication device 101 and the shared key for generating the shared key of the communication device 102. To generate. The shared key is generated based on, for example, the ECDH (Elliptic Curve Diffie-Hellman) method. The method of generating the shared key is not limited to the ECDH method, and other public key encryption methods may be used.
 そして、通信装置102は認証応答を送信する。なお、検証に失敗した場合には、通信装置102は、通信装置102は認証応答を送信しない。しかし、これに代えて、検証に失敗した場合に、通信装置102は、検証に失敗したことを示す認証応答を送信するようにしてもよい。 Then, the communication device 102 transmits an authentication response. If the verification fails, the communication device 102 does not send the authentication response. However, instead of this, when the verification fails, the communication device 102 may transmit an authentication response indicating that the verification fails.
 ここで、認証応答とは、DPP規格に準拠したDPP Authentication Responseフレームである。認証応答には、通信装置102の共有鍵生成用の公開鍵、通信装置102が生成した乱数、および、タグ情報が含まれる。なお、タグ情報とは、通信装置101の送信した認証要求に含まれていた乱数を、上述した共有鍵により暗号化したものである。当該タグ情報は、通信装置101における認証処理に用いられる。 Here, the authentication response is a DPP Authentication Response frame that complies with the DPP standard. The authentication response includes the public key for generating the shared key of the communication device 102, the random number generated by the communication device 102, and the tag information. Note that the tag information is the random number included in the authentication request transmitted by the communication device 101, encrypted with the shared key described above. The tag information is used for the authentication process in the communication device 101.
 Returning to the description of step S307: when the communication device 101 does not receive the authentication response within a predetermined time (No in S307), it notifies an error (S308). The process also proceeds to step S308 when an authentication response indicating that the verification has failed is received.
 The error notification method is the same as in step S305, so its description is omitted. When an error code or the like is included, the notification may indicate that the error has a cause different from that of step S305. After that, the communication device 101 ends the processing illustrated in FIG. 3. Instead of ending the processing illustrated in FIG. 3, the process may return to step S301 and wait for a new DPP start instruction.
 On the other hand, when the authentication response is received within the predetermined time (Yes in S307), the communication device 101 authenticates the communication device 102 based on the information included in the authentication response (S309). More specifically, the communication device 101 first generates a shared key, by the same method the communication device 102 used to generate its shared key, using the private key for shared-key generation of the communication device 101 and the public key for shared-key generation of the communication device 102.
 Here, the private key for shared-key generation of the communication device 101 is the private key of the communication device 101 that corresponds to the public key for shared-key generation of the communication device 101 used when the communication device 102 generated the shared key. Likewise, the public key for shared-key generation of the communication device 102 is the public key that corresponds to the private key for shared-key generation of the communication device 102 used when the communication device 102 generated the shared key. By using this combination of keys, the communication device 101 can generate the same shared key as the one generated by the communication device 102.
 Note that if the public keys for shared-key generation are not correctly exchanged between the communication device 101 and the communication device 102 through the authentication request and authentication response described above, the two devices cannot generate the same shared key.
 Next, the communication device 101 decrypts the tag information included in the authentication response with the generated shared key and checks whether the random number it included in the authentication request is correctly recovered. If the random number is correctly decrypted, the communication device 101 determines that the authentication of the communication device 102 has succeeded. If it is not correctly decrypted, the communication device 101 determines that the authentication has failed. A case where the random number cannot be correctly decrypted is, for example, a case where the same shared key could not be generated.
 If the authentication fails (No in S309), the process proceeds to step S308 and the communication device 101 notifies an error. If the authentication succeeds (Yes in S309), the communication device 101 transmits an authentication confirmation to the communication device 102 (S310). Here, the authentication confirmation is a DPP Authentication Confirm frame that complies with the DPP standard, and it includes tag information. This tag information is the random number that was included in the authentication response transmitted by the communication device 102, encrypted by the communication device 101 with the shared key.
 After transmitting the authentication confirmation, the communication device 101 waits for a setting request from the communication device 102 for a predetermined time (S311). The time for which the setting request is awaited may be a predetermined time from the transmission of the authentication request, or a predetermined time from the acceptance of the DPP start instruction in step S301. The predetermined time in this step may be the same as or different from the predetermined time in step S307.
 Upon receiving the authentication confirmation, the communication device 102 determines that the authentication has succeeded if the tag information included in the authentication confirmation can be correctly decrypted with the shared key that the communication device 102 itself generated. When it determines that the authentication has succeeded, the communication device 102 recognizes the communication device 101, which transmitted the authentication request, as the configurator and transmits a setting request to the communication device 101. Here, the setting request is a DPP Configuration Request frame that complies with the DPP standard. The setting request includes device information and role information of the communication device 102. The device information is, for example, the device name of the communication device 102. The role information indicates the role the device will take after receiving the communication parameters, and is either "access point" or "station". The information included in the setting request is encrypted with the shared key that the communication device 102 used to encrypt the tag information when it transmitted the authentication response. If the authentication is not determined to have succeeded, that is, if the authentication fails, the communication device 102 does not transmit the setting request.
 Returning to the description of step S311: when no setting request is received from the communication device 102 within the predetermined time (No in S311), the communication device 101 proceeds to step S308 and notifies an error. When a setting request is received from the communication device 102 within the predetermined time (Yes in S311), the communication device 101 performs, as a setting response, a process of providing the communication parameters for connecting to the wireless network 103 (S312). Here, the setting response is a DPP Configuration Response frame that complies with the DPP standard.
 The setting response transmitted by the communication parameter processing unit 208 of the communication device 101 includes the communication parameters, the expiration date of the communication parameters, the configurator-dedicated public key of the communication device 101, role information, and the like. In addition to a credential compliant with the DPP standard, the communication parameters include the public key that was included in the authentication response from the communication device 102. In the setting response, the communication parameters are encrypted with the configurator-dedicated private key of the communication device 101. Furthermore, the information included in the setting response is encrypted with the shared key generated in the communication device 101.
 After transmitting the setting request, the communication device 102, which is the enrollee, waits for a setting response from the communication device 101, which is the configurator. Upon receiving the setting response, the communication device 102 decrypts the information included in the setting response with the shared key. The communication device 102 then decrypts the communication parameters, which were encrypted with the configurator-dedicated private key of the communication device 101, using the configurator-dedicated public key of the communication device 101. The communication device 102 can connect to the wireless network 103 using the communication parameters obtained by this decryption.
 The operation of the communication device 101 and the communication device 102 up to the point where the communication device 101, performing the processing described above, provides the communication parameters to the communication device 102 is described further below. FIG. 4 is a sequence diagram of the communication device 101 providing the communication parameters to the communication device 102.
 First, when the communication device 102 accepts a DPP start instruction given by the user through a push button (S401), it sets a fixed authentication code (S402). This authentication code corresponds to the password of the public key exchange protocol in the IETF draft.
 Meanwhile, when the communication device 101 accepts a DPP start instruction given by the user through a push button (S403), it sets a fixed authentication code (S404). Specifically, the communication device 101 generates a cryptographic element Qa by combining the hash (Hash) of the set authentication code with the element (Pi) defined in the DPP standard. The communication device 101 also generates a temporary key pair (private key x and public key X) and adds the public key X of the generated temporary key pair to the cryptographic element Qa to generate an information element M. The public key X and the information element M are vectors that include an x component and a y component.
 Qa = Hash(authentication code) * Pi
 M = X + Qa
 The communication device 101 then transmits to the communication device 102 a code exchange request that includes the generated cryptographic element Qa, the information element M, and the identifier of the communication device 101 (for example, its MAC address) (S405). Here, the code exchange request is assumed to be transmitted using an action frame conforming to the IEEE 802.11 series. However, the transmission is not limited to this, and a signal conforming to NFC, Bluetooth, TransferJet, Ethernet, USB, or the like may be used. NFC is an abbreviation for Near Field Communication, and USB is an abbreviation for Universal Serial Bus.
 This starts the authentication phase (Authentication Phase) of the public key exchange protocol in the IETF draft.
 When the communication device 102 receives the code exchange request from the communication device 101, it calculates a temporary key X' from the information element M included in the code exchange request and a cryptographic element Qa' that it calculates itself. The communication device 102 generates the cryptographic element Qa' by combining the hash of the authentication code that it has set with the element (Pi) defined in the DPP standard.
 Qa' = Hash(authentication code) * Pi
 X' = M - Qa'
 Here, when the fixed authentication code set by the communication device 101 and the fixed authentication code set by the communication device 102 are the same, Qa and Qa' have the same value. As a result, X and X' also have the same value. The communication device 102 can thereby obtain the public key X of the temporary key pair of the communication device 101.
 The communication device 102 further generates a cryptographic element Qb by combining the hash of the set authentication code with the element (Pr) defined in the DPP standard. In addition, the communication device 101 generates a temporary key pair (private key y and public key Y) and adds the public key Y of the generated temporary key pair to the cryptographic element Qb to generate an information element N. The public key Y and the information element N are vectors that include an x component and a y component.
 Qb = Hash(authentication code) * Pr
 N = Y + Qb
 The communication device 102 then transmits to the communication device 101 a code exchange response that includes the generated cryptographic element Qb, the information element N, and the identifier of the communication device 102 (for example, its MAC address) (S406).
 When the communication device 101 receives the code exchange response from the communication device 102, it calculates a temporary key Y' from the information element N included in the code exchange response and a cryptographic element Qb' that it calculates itself. The communication device 101 generates the cryptographic element Qb' by combining the hash of the authentication code that it has set with the element (Pr) defined in the DPP standard.
 Qb' = Hash(authentication code) * Pr
 Y' = N - Qb'
 Here, when the fixed authentication code set by the communication device 101 and the fixed authentication code set by the communication device 102 are the same, Qb and Qb' have the same value. As a result, Y and Y' also have the same value. The communication device 101 can thereby obtain the public key Y of the temporary key pair of the communication device 102.
 If the communication device 101 does not receive a code exchange response from the communication device 102 within a predetermined time after accepting the DPP start instruction, it may proceed on the basis that the PKEX process has failed. That is, the communication device 101 may execute the error processing of step S305 in FIG. 3 and end the sharing process without sharing the communication parameters. As a result, the sharing process ends unless the DPP start instruction is given on both the communication device 101 and the communication device 102 within the predetermined time, which improves security.
 Next, the communication device 101 calculates temporary cryptographic information K from the private key x of the communication device 101 and the public key Y' of the communication device 102. Here, the cryptographic information K is a vector value that includes an x component and a y component. The communication device 101 further calculates a common key Z using the function KDF-n (Key Delivery Function) defined in the IETF draft.
 K = x * Y'
 Z = KDF-n(<>, identifier of communication device 101 | identifier of communication device 102 | M.x | N.x | authentication code, K.x)
 Here, <> indicates that the first argument passed to the function is blank, and | indicates concatenation of the elements. M.x, N.x, and K.x denote the values of the x components of M, N, and K, respectively.
 Meanwhile, the communication device 102 calculates temporary cryptographic information K' from the private key y of the communication device 102 and the public key X' of the communication device 101. It then calculates a common key Z' using the same function KDF-n.
 K' = y * X'
 Z = KDF-n(<>, identifier of communication device 101 | identifier of communication device 102 | M.x | N.x | authentication code, K'.x)
 Here, when X and X' have the same value and Y and Y' have the same value, K and K' have the same value. As a result, Z' and Z also have the same value. The communication device 101 and the communication device 102 can thereby share the same common key Z, and the authentication phase (Authentication Phase) of the public key exchange protocol is complete.
 When the authentication phase (Authentication Phase) of the public key exchange protocol is complete, the public key sharing phase (Reveal Phase) of the public key exchange protocol in the IETF draft starts.
 Specifically, the communication device 101 calculates an information element u using the identifier of the communication device 101, the authentication public key of the communication device 101 (for example, the bootstrapping key defined by the DPP standard), X.x, and Y'.x. Here, X.x and Y'.x denote the values of the x components of X and Y', respectively. The communication device 101 then encrypts the information element u and the authentication public key of the communication device 101 with the common key Z and transmits them (S407).
 The communication device 102 calculates an information element u' using the identifier of the communication device 101, the authentication public key of the communication device 101, X'.x, and Y.x. The communication device 102 then encrypts the information element u' and the authentication public key of the communication device 102 with the common key Z and transmits them (S408).
 The communication device 101 uses the common key Z to decrypt the information element u' and the authentication public key of the communication device 102 received from the communication device 102. If the obtained information element u' matches the information element u calculated by the communication device 101 itself, it determines that the PKEX process has succeeded. As described above, when the authentication codes set on the two devices match, the information element u and the information element u' match. In this way, the authentication process using the authentication code is performed in the PKEX process, and the devices share each other's authentication public keys. Once the authentication public keys have been shared, the public key sharing phase (Reveal Phase) of the public key exchange protocol is complete.
 Next, the communication device 101 generates and transmits an authentication request (S409). The communication device 102 receives this authentication request and verifies its content (S410). The communication device 102 then generates and transmits an authentication response (S411). After transmitting the authentication response to the communication device 101, the communication device 102 waits for an authentication confirmation from the communication device 101.
 Upon receiving the authentication response, the communication device 101 performs authentication based on it (S412). When the communication device 101 determines that the authentication has succeeded, it transmits an authentication confirmation to the communication device 102 (S413). Upon receiving the authentication confirmation from the communication device 101, the communication device 102 verifies its content (S414). When the authentication is determined to have succeeded, the communication device 102 transmits a setting request in order to perform the communication parameter setting process (S415) and waits for a setting response from the communication device 101. Upon receiving the setting request, the communication device 101 transmits a setting response that includes the communication parameters encrypted with the configurator-dedicated private key of the communication device 101 and the configurator-dedicated public key (S416). Upon receiving the setting response, the communication device 102 decrypts the communication parameters with the configurator-dedicated public key of the communication device 101. After that, the communication device 102 connects to the wireless network 103 using the decrypted communication parameters (S417).
 Through the processing described above with reference to FIGS. 3 and 4, the communication device 101 can provide the communication parameters to the communication device 102. In the embodiment described above, the communication device 101, which is the configurator, transmits the code exchange request, but the communication device 102, which is the enrollee, may transmit it instead. In that case, the communication device 101, which is the configurator, waits for the code exchange request and transmits the code exchange response. Alternatively, the communication device 101 and the communication device 102 may each alternate, at appropriate time intervals, between transmitting a code exchange request and waiting for one, so that the request can be sent and received.
 As described above, a simple user interface can be used even when the communication parameter sharing process is performed using DPP, which improves user convenience. More specifically, for example, the user can perform the communication parameter sharing process using DPP simply by pressing a button on each of the two devices.
 In the embodiment described above, the communication device 101 operates as the configurator and provides the communication parameters. The configuration is not limited to this: the communication device 101 may operate as the enrollee and the communication device 102 as the configurator, so that the communication device 101 receives the communication parameters from the communication device 102.
 The communication device 101 may also operate as shown in FIG. 5 instead of FIG. 3. That is, the communication device 101 waits for a DPP start instruction from the user (S501). Here, it is assumed that the user can instruct the start of DPP by a plurality of methods. For example, the communication device 101 may have a plurality of buttons, each corresponding to a different instruction, or it may have a changeover switch. These buttons and switches may be implemented in hardware or in software.
 When the communication device 101 accepts a DPP start instruction from the user, it determines whether the instruction is a predetermined DPP start instruction (S502). If it is the predetermined DPP start instruction (Yes in S502), the communication device 101 executes the processing of steps S302 to S312 described above. If it is not the predetermined DPP start instruction (No in S502), the communication device 101 has the user input an authentication code (S503). The communication device 101 then performs the PKEX process using the authentication code input by the user instead of the fixed authentication code (S504). After that, the communication device 101 executes the processing of steps S304 to S312 described above.
 With this configuration, it is possible to switch between performing the DPP communication parameter sharing process with the fixed authentication code and performing it with an authentication code input by the user.
 The present invention can also be realized by processing in which a program that implements one or more functions of the above-described embodiments is supplied to a system or apparatus via a network or a storage medium, and one or more processors in a computer of the system or apparatus read and execute the program. It can also be realized by a circuit (for example, an ASIC) that implements one or more functions.
 The present invention is not limited to the above embodiments, and various changes and modifications can be made without departing from the spirit and scope of the present invention. Accordingly, the following claims are attached to make the scope of the present invention public.
 This application claims priority based on Japanese Patent Application No. 2018-207194 filed on November 2, 2018, the entire contents of which are incorporated herein by reference.

Claims (17)

  1.  A communication device, comprising:
     first accepting means for accepting a first instruction to start a sharing process for sharing, with another communication device, communication parameters for connecting to a wireless network;
     first authentication means for performing, when the first instruction is accepted by the first accepting means, an authentication process with the other communication device using a fixed authentication code when sharing with the other communication device a predetermined public key defined by the Wi-Fi DPP (Device Provisioning Protocol) standard; and
     sharing means for sharing the communication parameters with the other communication device when the authentication process by the first authentication means succeeds.
  2.  The communication device according to claim 1, wherein the predetermined public key is a bootstrapping key compliant with the DPP standard.
  3.  The communication device according to claim 1 or 2, further comprising:
     second accepting means for accepting a second instruction to start the sharing process; and
     input means for having a user input an authentication code when the second instruction is accepted by the second accepting means,
     wherein, when the second instruction is accepted, the first authentication means performs the authentication process with the other communication device using the authentication code input via the input means.
  4.  The communication device according to any one of claims 1 to 3, wherein the sharing means shares the communication parameter by transmitting and receiving signals conforming to the DPP standard to and from the other communication device.
  5.  The communication device according to any one of claims 1 to 4, further comprising second authentication means for performing an authentication process defined by the DPP standard with the other communication device, using a public key of the other communication device that is obtained from the other communication device when the authentication process by the first authentication means succeeds,
     wherein the sharing means shares the communication parameter with the other communication device when the authentication process by the second authentication means succeeds.
  6.  The communication device according to claim 5, further comprising first notification means for notifying an error when the authentication process by the second authentication means fails.
  7.  The communication device according to claim 6, wherein the first notification means notifies the user of the error.
  8.  The communication device according to claim 6 or 7, wherein the first notification means notifies the other communication device of the error.
  9.  The communication device according to any one of claims 1 to 8, further comprising second notification means for notifying an error when the authentication process by the first authentication means fails.
  10.  The communication device according to claim 9, wherein the second notification means notifies the user of the error.
  11.  The communication device according to claim 9 or 10, wherein the second notification means notifies the other communication device of the error.
  12.  The communication device according to any one of claims 1 to 11, wherein the sharing means shares the communication parameter with the other communication device by providing the communication parameter to the other communication device.
  13.  The communication device according to any one of claims 1 to 11, wherein the sharing means shares the communication parameter with the other communication device by receiving the communication parameter from the other communication device.
  14.  The communication device according to any one of claims 1 to 13, wherein the first authentication means performs an authentication process conforming to the authentication phase of the Public Key Exchange defined by the IETF (Internet Engineering Task Force).
  15.  The communication device according to any one of claims 1 to 14, wherein the first accepting means is a button.
  16.  A method for controlling a communication device, comprising:
     an accepting step of accepting an instruction to start a sharing process for sharing, with another communication device, a communication parameter for connecting to a wireless network;
     an authentication step of, when the instruction is accepted, performing, using a fixed authentication code, an authentication process with the other communication device when sharing with the other communication device a predetermined public key defined by the Wi-Fi DPP (Device Provisioning Protocol) standard; and
     a sharing step of sharing the communication parameter with the other communication device when the authentication process succeeds.
  17.  A program for causing a computer to operate as the communication device according to any one of claims 1 to 15.
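
The authentication flow of claims 1, 3 and 14, as an added sketch that is not code from the application: a PKEX-style exchange in which each side masks its ephemeral key with an element derived from the authentication code, so a bootstrapping key is accepted only when both sides used the same code. The multiplicative group, role elements, code value and key bytes are constructed stand-ins for the elliptic-curve elements real PKEX uses, and all function names are hypothetical.

```python
import hashlib, hmac, secrets

# Toy group standing in for the elliptic curve that real PKEX uses (assumption).
P, G = 2**255 - 19, 2
FIXED_CODE = b"constructed-fixed-code"  # placeholder; the page gives no value

def _h(*parts):
    return int.from_bytes(hashlib.sha256(b"|".join(parts)).digest(), "big")

# Constructed role elements; the DPP specification defines its own.
P_INIT = pow(G, _h(b"role", b"initiator"), P)
P_RESP = pow(G, _h(b"role", b"responder"), P)

class Peer:
    def __init__(self, code, own_elem, peer_elem, bootstrap_pub):
        e = _h(b"code", code)
        self.q_own, self.q_peer = pow(own_elem, e, P), pow(peer_elem, e, P)
        self.priv = secrets.randbelow(P - 3) + 2
        self.bootstrap_pub, self.z = bootstrap_pub, None

    def exchange_msg(self):
        # Ephemeral public key masked with this side's code-derived element.
        return pow(G, self.priv, P) * self.q_own % P

    def derive(self, masked):
        # Unmask the peer's key with the locally known code, then Diffie-Hellman.
        peer_pub = masked * pow(self.q_peer, P - 2, P) % P
        k = pow(peer_pub, self.priv, P)
        self.z = hashlib.sha256(k.to_bytes(32, "big")).digest()

    def reveal(self):
        # Simplified reveal: the bootstrapping key with a tag keyed by z.
        return self.bootstrap_pub, hmac.new(self.z, self.bootstrap_pub, hashlib.sha256).digest()

    def accept(self, pub, tag):
        good = hmac.new(self.z, pub, hashlib.sha256).digest()
        return pub if hmac.compare_digest(good, tag) else None

def run_pkex(code_a, code_b):
    a = Peer(code_a, P_INIT, P_RESP, b"constructed-bootstrap-key-A")
    b = Peer(code_b, P_RESP, P_INIT, b"constructed-bootstrap-key-B")
    m, n = a.exchange_msg(), b.exchange_msg()
    a.derive(n); b.derive(m)
    return a.accept(*b.reveal()), b.accept(*a.reveal())

def start_sharing(button_pressed, entered_code=None, peer_code=FIXED_CODE):
    code = FIXED_CODE if button_pressed else entered_code  # claims 1 and 3
    if code is None or None in run_pkex(code, peer_code):
        return "error"  # claims 9 to 11: notify the failure
    return "bootstrapping keys shared"  # next step: DPP authentication (claim 5)
```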
PCT/JP2019/040469 2018-11-02 2019-10-15 Communication device, control method, and program WO2020090443A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2018207194A JP2020072441A (en) 2018-11-02 2018-11-02 Communication device, control method, and program
JP2018-207194 2018-11-02

Publications (1)

Publication Number Publication Date
WO2020090443A1 (en) 2020-05-07

Family

ID=70462356

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2019/040469 WO2020090443A1 (en) 2018-11-02 2019-10-15 Communication device, control method, and program

Country Status (2)

Country Link
JP (1) JP2020072441A (en)
WO (1) WO2020090443A1 (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2021190930A (en) * 2020-06-03 2021-12-13 株式会社バッファロー Wireless communication system, communication method, wireless access point, and control program

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2018037979A (en) * 2016-09-02 2018-03-08 キヤノン株式会社 Communication device, communication method, and program
JP2018046435A (en) * 2016-09-15 2018-03-22 キヤノン株式会社 Communication device, control of the same, and program

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
WI-FI ALLIANCE: "Device Provisioning Protocol Specification v1.0", WI-FI.ORG, 9 April 2018 (2018-04-09), pages 41 - 55, XP055632290, Retrieved from the Internet <URL:https://www.wi-fi.org/download.php?file=/sites/default/files/private/Device_Provisioning_Protocol_Specification_v1.0.pdf> *

Also Published As

Publication number Publication date
JP2020072441A (en) 2020-05-07

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 19879690

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 19879690

Country of ref document: EP

Kind code of ref document: A1