User authentication method, wireless communication apparatus

US 8,474,020 B2
(12) United States Patent
Hamachi
(10) Patent No.: US 8,474,020 B2
(45) Date of Patent: Jun. 25, 2013

(54) USER AUTHENTICATION METHOD, WIRELESS COMMUNICATION APPARATUS, BASE STATION, AND ACCOUNT MANAGEMENT APPARATUS
(75) Inventor: Toshifumi Hamachi, Kawasaki (JP)
(73) Assignee: Canon Kabushiki Kaisha, Tokyo (JP)
(*) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 358 days.
(21) Appl. No.: 12/812,748
(22) PCT Filed: Mar. 23, 2009
(86) PCT No.: PCT/JP2009/056405
    § 371 (c)(1), (2), (4) Date: Jul. 13, 2010
(87) PCT Pub. No.: WO2009/123074
    PCT Pub. Date: Oct. 8, 2009
(65) Prior Publication Data: US 2010/0299730 A1, Nov. 25, 2010
(30) Foreign Application Priority Data: Apr. 1, 2008 (JP) 2008-095432
(51) Int. Cl.: G06F 21/00 (2006.01)
(52) U.S. Cl.: USPC 726/5; 713/171
(58) Field of Classification Search: USPC 713/171, 726/5. See application file for complete search history.

(56) References Cited

U.S. PATENT DOCUMENTS
5,596,641 A 1/1997 Ohashi et al.
7,010,688 B1 3/2006 Kawasaki
8,194,589 B2 6/2012 Wynn et al.
2002/0046092 A1* 4/2002 Ostroff ... 705/14
2007/0088951 A1* 4/2007 Nakajima
Two further entries whose numbers and dates did not survive extraction: Poulson [OCR uncertain]; Rogers et al. ... 713/171

FOREIGN PATENT DOCUMENTS
JP 7-307982 A 11/1995
JP 2000496588 A [date illegible]
JP 2002-55955 A 2/2002
JP 2004-80138 A 3/2004
JP 2005-269571 A 9/2005
JP 2006-295961 A 10/2006
JP 2007-310738 A 11/2007
JP 2010-503318 A 1/2010
2008/030526 A2 3/2008

OTHER PUBLICATIONS
Japanese Office Action dated Nov. 19, 2012 issued in corresponding Japanese Patent Application No. 2008-95432.
Japanese Office Action dated Aug. 27, 2012 issued in Japanese Patent Application No. 2008-095432.
"Wireless LAN Installation Strategy-Installation: Configuration is Easier Than You Think", Nikkei Personal Computing, Nikkei Business Publications Inc., Oct. 8, 2007, No. 539, pp. 54-58.
* cited by examiner

Primary Examiner: Farid Homayounmehr
Assistant Examiner: Lisa Lewis
(74) Attorney, Agent, or Firm: Fitzpatrick, Cella, Harper & Scinto

(57) ABSTRACT

A wireless communication apparatus transmits a user identifier to an account management apparatus through a communication apparatus. The account management apparatus generates code generation information, and generates code information using authentication information that corresponds to the user identifier and the code generation information. The account management apparatus transmits the code information and the code generation information to the communication apparatus. The communication apparatus sets the code information, and transmits the code generation information to the wireless communication apparatus. The wireless communication apparatus generates code information using the code generation information and the authentication information, and when wireless network parameters are set, notifies the account management apparatus of success of authentication. The account management apparatus performs a process to permit the wireless communication apparatus to connect to a communication network.

6 Claims, 12 Drawing Sheets

Representative drawing on the front page: the FIG. 8 user authentication sequence between PC, AP and SRV (steps F801 to F820: user operation, search for networks, join network, ID notification message, ID authentication request message, generate random value, generate PIN code, PIN code information message, set PIN code, PIN code generation information message, protocol start request, protocol start message, protocol messages, WPS success notification, connection permitting process, protocol end message, join network).
U.S. Patent  Jun. 25, 2013  Sheet 1 of 12  US 8,474,020 B2

FIG. 1 (Sheet 1 of 12): drawing content not recoverable from the extraction.

FIG. 3 (Sheet 3 of 12): drawing content not recoverable from the extraction.
FIG. 5 (Sheet 5 of 12). Flowchart of the process performed by the wireless communication apparatus (PC 101), Embodiment 1. Recoverable step labels:
START
F501 Transmit ID notification message
F502 PIN code generation information message received?
F503 Protocol failure notification received? (YES: end)
F504 Generate PIN code
F505 Set PIN code
F506 Execute settings information notification protocol
F507 Settings information notification protocol executed successfully? (YES: F508)
F508 Connect to network
END
FIG. 6 (Sheet 6 of 12). Flowchart of the process performed by the wireless base station apparatus (AP 102), Embodiment 1. Recoverable step labels:
F601 ID notification message received?
F602 Transmit ID authentication request message
F603 PIN code information message received?
Rejection notification message received? (step number not legible)
F605 Set PIN code
F606 Transmit PIN code generation information message
F607 Execute settings information notification protocol
Settings information notification protocol executed successfully? (step number not legible; NO: F609, YES: F610)
F609 Transmit protocol failure notification
F610 Transmit WPS success notification
END
FIG. 7 (Sheet 7 of 12). Flowchart of the process performed by the account management server (SRV 103), Embodiment 1. Recoverable step labels:
F701 Authentication request message received?
F702 Valid user ID? (NO: F710)
F703 Generate random value
F704 Generate PIN code
F705 Transmit PIN code information message
F706 Activate user authentication period timer
F707 WPS success notification received? (YES: F709)
F708 Has user authentication period timer timed out? (YES: F710)
F709 Connection permitting process
F710 Transmit rejection notification message
END
FIG. 8 (Sheet 8 of 12). User authentication sequence between PC, AP and SRV, Embodiment 1. Recoverable step labels:
F801 User operation (PC)
F802 Search for networks (PC)
F803 Join network (PC)
F804 ID notification message (PC to AP)
F805 ID authentication request message (AP to SRV)
F806 Check validity of user ID (SRV)
F807 Generate random value (SRV)
F808 Generate PIN code (SRV)
F809 PIN code information message (SRV to AP)
F810 Set PIN code (AP)
F811 PIN code generation information message (AP to PC)
F812 Generate PIN code (PC)
F813 Set PIN code (PC)
F814 Protocol start request
F815 Protocol start message
F816 Protocol message (PC and AP)
F817 WPS success notification (AP to SRV)
F818 Connection permitting process (SRV)
F819 Protocol end message
F820 Join network (PC)
FIG. 9 (Sheet 9 of 12). Flowchart of the process performed by the wireless communication apparatus (PC), Embodiment 2. Recoverable step labels:
START
F901 Transmit ID notification message
F902 PIN code generation information message received?
F903 Protocol failure notification received? (YES: end)
F904 Generate PIN code
F905 Set PIN code
F906 Activate PIN invalidation timer
F907 Execute settings information notification protocol
Settings information notification protocol executed successfully? (step number not legible; YES: F909)
F909 Connect to network
END
FIG. 10 (Sheet 10 of 12). Flowchart of the process performed by the wireless base station apparatus (AP), Embodiment 2. Recoverable step labels:
F1001 ID notification message received?
F1002 Transmit ID authentication request message
F1003 PIN code information message received?
Rejection notification message received? (step number not legible)
F1005 Set PIN code
F1006 Activate PIN invalidation timer
F1007 Transmit PIN code generation information message
F1008 Execute settings information notification protocol
Settings information notification protocol executed successfully? (step number not legible; NO: F1010, YES: F1011)
F1010 Transmit protocol failure notification
F1011 Transmit WPS success notification
END
FIG. 11 (Sheet 11 of 12). Flowchart of the process performed by the account management server (SRV), Embodiment 2. Recoverable step labels:
Authentication request message received? (step number not legible)
F1102 Valid user ID? (NO: F1111)
F1103 Generate time information
F1104 Generate PIN code
F1105 Activate PIN invalidation timer
F1106 Transmit PIN code information message
F1107 Activate user authentication period timer
F1108 WPS success notification received? (YES: F1110)
F1109 Has user authentication period timer timed out? (YES: F1111)
F1110 Connection permitting process
F1111 Transmit rejection notification message
END
FIG. 12 (Sheet 12 of 12). User authentication sequence between PC, AP and SRV, Embodiment 2. Recoverable step labels:
F1201 User operation (PC)
F1202 Search for networks (PC)
F1203 Join network (PC)
F1204 ID notification message (PC to AP)
F1205 ID authentication request message (AP to SRV)
F1206 Check validity of user ID (SRV)
F1207 Generate time information (SRV)
F1208 Generate PIN code (SRV)
F1209 Activate timer (SRV)
F1210 PIN code information message (SRV to AP)
F1211 Set PIN code (AP)
F1212 Activate timer (AP)
F1213 PIN code generation information message (AP to PC)
F1214 Generate PIN code (PC)
F1215 Set PIN code (PC)
F1216 Activate timer (PC)
F1217 Protocol start request
F1218 Protocol start message
F1219 Protocol message (PC and AP)
F1220 WPS success notification (AP to SRV)
F1221 Connection permitting process (SRV)
F1222 Protocol end message
F1223 Join network (PC)
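The Embodiment 2 sequence drawn in FIGS. 9 to 12, where the server issues time information as the code generation information and every party starts a PIN invalidation timer after setting its PIN, as an added example that is not part of the patent. The patent's own description of Embodiment 2 is not on this page, so the timer semantics (the set PIN is discarded once its deadline passes, so a stale PIN cannot complete the Registration protocol) are this example's assumption; the PIN derivation (HMAC-SHA256 truncated to 8 digits), the use of a seconds counter as time information, the 120-second lifetime and the passwords are likewise constructed, and the Registration protocol is reduced to a comparison of the two PINs.

```python
"""Added example, not from the patent: Embodiment 2 (FIGS. 9-12) with time
information as code generation information and PIN invalidation timers."""
import hashlib
import hmac


def derive_pin(password: str, time_information: bytes) -> str:
    # The patent allows any cipher or hash of password and code generation
    # information; HMAC-SHA256 truncated to 8 decimal digits is our choice.
    mac = hmac.new(password.encode(), time_information, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"


class PinHolder:
    """One party's PIN slot plus its PIN invalidation timer (F906, F1005,
    F1105). Assumption: once the timer fires the PIN is treated as unset."""

    def __init__(self, lifetime: int):
        self.lifetime = lifetime   # seconds, constructed value
        self.pin = None
        self.expires_at = None

    def set_pin(self, pin: str, now: int) -> None:
        # SET PIN CODE followed by ACTIVATE TIMER in the figures
        self.pin = pin
        self.expires_at = now + self.lifetime

    def current_pin(self, now: int):
        if self.pin is None or now >= self.expires_at:   # timer fired: invalid
            self.pin = None
            return None
        return self.pin


def run_sequence(password_on_pc: str, account_password: str, issue_time: int,
                 protocol_time: int, lifetime: int = 120) -> dict:
    """FIG. 12 steps F1207 to F1219 with constructed times in seconds."""
    srv, ap, pc = PinHolder(lifetime), PinHolder(lifetime), PinHolder(lifetime)
    # F1207-F1209: SRV generates time information, derives the PIN, starts timer
    time_information = issue_time.to_bytes(8, "big")
    srv.set_pin(derive_pin(account_password, time_information), issue_time)
    # F1210-F1212: PIN code information message; AP sets the PIN, starts timer
    ap.set_pin(srv.current_pin(issue_time), issue_time)
    # F1213-F1216: only the time information reaches the PC, which derives
    # its own PIN from the password it holds and starts its timer
    pc.set_pin(derive_pin(password_on_pc, time_information), issue_time)
    # F1217-F1219: Registration protocol, modelled as a constant-time
    # comparison that needs both PINs to be still valid
    registrar_pin = ap.current_pin(protocol_time)
    enrollee_pin = pc.current_pin(protocol_time)
    success = (registrar_pin is not None and enrollee_pin is not None
               and hmac.compare_digest(registrar_pin, enrollee_pin))
    return {"success": success,
            "ap_pin_valid": registrar_pin is not None,
            "pc_pin_valid": enrollee_pin is not None}


if __name__ == "__main__":
    print(run_sequence("pw", "pw", issue_time=1000, protocol_time=1030))
    print(run_sequence("pw", "pw", issue_time=1000, protocol_time=1200))
```

Run within the lifetime, matching passwords produce matching PINs and the protocol succeeds; at protocol_time 1200 both the AP and the PC have discarded their PINs, so even the correct password no longer completes the exchange, which is the property the invalidation timers add over Embodiment 1.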
USER AUTHENTICATION METHOD, WIRELESS COMMUNICATION APPARATUS, BASE STATION, AND ACCOUNT MANAGEMENT APPARATUS

This application is a National Stage application under 35 U.S.C. §371 of International Application No. PCT/JP2009/056405 filed on Mar. 23, 2009, which claims priority to Japanese Application No. 2008-095432, filed on Apr. 1, 2008, the contents of each of the foregoing applications being incorporated by reference herein.

TECHNICAL FIELD

The present invention relates to a wireless parameter setting technique and a user authentication technique.

BACKGROUND ART

When using an IEEE 802.11 wireless LAN, users must set wireless parameters such as a network identifier (ESSID), a frequency channel, an encryption scheme, an encryption key, an authentication scheme, an authentication key, and the like. Because these settings operations are complicated, methods have been proposed for automatically setting wireless parameters between terminals. For example, a method for transferring wireless parameter settings between a relay station (access point) and a terminal station (station) from the access point to the station with a simple operation has been implemented as an actual product.

In recent years, an organization called the Wi-Fi Alliance has developed a standard for automatic setting of wireless parameters called Wi-Fi Protected Setup (WPS), which has already been implemented in some products.

According to WPS, wireless parameters are provided from a Registrar to an Enrollee using a Registration protocol, a special protocol for setting wireless parameters. The Registrar is an apparatus that manages wireless parameters and provides wireless parameters to Enrollees. The Enrollee is an apparatus that receives wireless parameters from a Registrar. The communication between the Registrar and the Enrollee according to the Registration protocol is performed using EAP (Extensible Authentication Protocol) packets. The EAP packets are packets that enable communication between the Registrar and the Enrollee without an encryption or authentication.

An example will be described in which wireless parameters are provided from an access point that acts as a Registrar to a station that acts as an Enrollee. First, the station searches for a network to which the access point belongs, and temporarily joins the network. At this point in time, the ESSIDs and frequency channels of the access point and the station are the same, but the encryption key, authentication key and the like are not the same, and thus, ordinary data communication using an encryption or authentication is not possible.

The access point and the station perform transmission/reception of messages using EAP packets according to the Registration protocol, and thereby, wireless parameters are provided from the access point to the station. The provided wireless parameters are newly set in the station, and thereby, data communication using an encryption or authentication is established between the station and the access point.

Currently, public wireless LANs are available which provide Internet connection services by installing access points in public places such as fast-food restaurants, railway stations, airports, and the like. Such a public wireless LAN authenticates users (performs user authentication) using authentication information, such as user IDs and passwords, in order to check whether or not they have an authorized account, and permits only users who have an authorized account to access the Internet. However, this user authentication has to be executed each time a user uses the public wireless LAN, which is troublesome for the user. To address this, for example, Japanese Patent Laid-Open No. 2004-80138 proposes a method for automating user authentication, wireless connection to a public wireless LAN, and the like.

According to the WPS, a PIN code is set in the Registrar and the Enrollee, and if it is confirmed that the PIN code set in the Registrar and the Enrollee are the same in the Registration protocol, wireless parameters are exchanged. So, this system does not permit the exchange of wireless parameters with unintended devices.

Nevertheless, a case can be conceived in which the WPS is applied to a public wireless LAN. However, since general users cannot operate access points, it is impossible to set a PIN code in the Registrars, so the application of the WPS to a public wireless LAN is not possible.

Likewise, when a configuration is adopted in which general users can set a PIN code in access points, even users who do not have an authorized account can easily set a PIN code and obtain the wireless LAN parameters, causing problems in terms of security.

In addition, in public wireless LANs, after the wireless parameters have been set, user authentication has to be performed manually or with dedicated software, requiring users to perform troublesome operations.

DISCLOSURE OF INVENTION

The present invention provides a user authentication method of improving user operability by ensuring that user authentication is successfully completed by setting code information generated using authentication information in a base station apparatus and a wireless communication apparatus, and acquiring wireless parameters using the code information.

According to one aspect of the present invention, there is provided a user authentication method in a communication system comprising a wireless communication apparatus, a base station that performs wireless communication with the wireless communication apparatus, and an account management apparatus that manages user account information of a user permitted to connect to a communication network, the method comprising: at the wireless communication apparatus, transmitting a user identifier that is used to determine whether or not to permit a connection to the communication network to the account management apparatus through the base station; at the account management apparatus, generating code information that is used to set a wireless parameter for performing wireless communication between the wireless communication apparatus and the base station, based on authentication information that corresponds to the user identifier transmitted from the wireless communication apparatus and code generation information, and transmitting the generated code information and the code generation information to the base station; at the base station, storing the code information transmitted from the account management apparatus and transmitting code generation information to the wireless communication apparatus; at the wireless communication apparatus, generating code information based on the code generation information transmitted from the base station and the authentication information corresponding to the user identifier transmitted to the account management apparatus; at the base station, checking whether or not the stored code information and the code information generated by the wireless communication apparatus match, and providing the wireless parameter to the wireless communication apparatus and notifying the account management apparatus of success in setting the wireless parameter, when it is confirmed that the stored code information and the code information generated by the wireless communication apparatus match; and at the account management apparatus, permitting the wireless communication apparatus to connect to the communication network, when success in setting the wireless parameters is notified from the base station.

According to another aspect of the present invention, there is provided a wireless communication apparatus that connects to a communication network through a wireless network, the apparatus comprising: a transmission unit that transmits a user identifier that is used to determine whether or not to permit a connection to the communication network to an account management apparatus through a base station; a reception unit that receives code generation information transmitted from the account management apparatus through the base station; a generation unit that generates code information using the received code generation information and authentication information that corresponds to the user identifier transmitted to the account management apparatus; and an acquisition unit that acquires a parameter of the wireless network from the base station by using the generated code information.

According to still another aspect of the present invention, there is provided a base station that performs wireless communication with a wireless communication apparatus, the base station comprising: a reception unit that receives a user identifier that is used to determine whether or not to permit a connection to a communication network from the wireless communication apparatus; a transfer unit that transfers the user identifier to an account management apparatus; an acquisition unit that acquires, from the account management apparatus, code information that is used to set a wireless parameter for performing wireless communication between the wireless communication apparatus and the base station, and code generation information; a transmission unit that transmits the acquired code generation information to the wireless communication apparatus; a checking unit that checks whether or not code information generated based on the code generation information by the wireless communication apparatus and the code information acquired from the account management apparatus match; a provision unit that provides the wireless parameter to the wireless communication apparatus when it is confirmed that the generated code information and the acquired code information match; and a notification unit that notifies the account management apparatus of success in setting the wireless parameter, when it is confirmed that the generated code information and the acquired code information match.

According to yet another aspect of the present invention, there is provided an account management apparatus that manages user account information of a user permitted to connect to a communication network, the apparatus comprising: a reception unit that receives a user identifier that is used to determine whether or not to permit a connection to the communication network from a wireless communication apparatus through a base station; a generation unit that generates code information that is used to set a wireless parameter for performing wireless communication between the wireless communication apparatus and the base station using authentication information that corresponds to the user identifier and code generation information; a transmission unit that transmits the code information and the code generation information to the base station; a reception unit that receives a success notification indicating success in setting the wireless parameters from the base station; and a permitting unit that permits the wireless communication apparatus to connect to the communication network when the success notification is received.

Further features of the present invention will become apparent from the following description of exemplary embodiments with reference to the attached drawings.

BRIEF DESCRIPTION OF DRAWINGS

FIG. 1 is a diagram illustrating an example of the configuration of a typical communication system according to Embodiment 1.
FIG. 2 is a block diagram illustrating an example of the configuration of a personal computer according to Embodiment 1.
FIG. 3 is a block diagram illustrating an example of the configuration of an access point according to Embodiment 1.
FIG. 4 is a block diagram illustrating an example of the configuration of an account management server according to Embodiment 1.
FIG. 5 is a flowchart illustrating a process performed by a wireless communication apparatus according to Embodiment 1.
FIG. 6 is a flowchart illustrating a process performed by a wireless base station apparatus according to Embodiment 1.
FIG. 7 is a flowchart illustrating a process performed by an account management server according to Embodiment 1.
FIG. 8 is a diagram illustrating a user authentication sequence according to Embodiment 1.
FIG. 9 is a flowchart illustrating a process performed by a wireless communication apparatus according to Embodiment 2.
FIG. 10 is a flowchart illustrating a process performed by a wireless base station apparatus according to Embodiment 2.
FIG. 11 is a flowchart illustrating a process performed by an account management server according to Embodiment 2.
FIG. 12 is a diagram illustrating a user authentication sequence according to Embodiment 2.

BEST MODE FOR CARRYING OUT THE INVENTION

Hereinafter, best modes for carrying out the invention will be described in detail with reference to the attached drawings of the present invention.

Embodiment 1

FIG. 1 is a diagram illustrating an example of the configuration of a typical communication system according to Embodiment 1. A personal computer (PC) 101 has a function for performing wireless LAN communication according to the IEEE 802.11 standard series and a WPS Enrollee function. An access point (AP) 102 has a function for performing wireless LAN communication and Ethernet® communication, and a WPS Registrar function. An account management server (SRV) 103 has a function for performing Ethernet® communication, a function for managing user accounts (user IDs and passwords, etc.) of a public wireless LAN, and a function for authenticating users and providing communication permission. The Internet 104 is a communication network capable of connecting computers around the world.

The AP 102, the SRV 103 and the Internet 104 are connected with a wired LAN, and the PC 101 is connected to an infrastructure mode wireless network to which the AP 102 belongs. Upon activation of an application for automatically setting wireless parameters in the PC 101, it is checked, by a settings information notification protocol, whether or not the PIN code of the PC 101 and the PIN code of the AP 102 match, and if it is confirmed that they match, the PC 101 can acquire wireless parameters. That is, it can be said that the PIN code is code information used for a wireless parameter setting process, or code information used to determine whether or not to provide wireless parameters in a wireless parameter setting process.

As used herein, the settings information notification protocol refers to a Registration protocol, and EAP packets are used for transmission/reception of various messages. Accordingly, if the ESSIDs and frequency channels of the PC 101 and the AP 102 match, various messages can be transmitted/received by the settings information notification protocol without an encryption or authentication for wireless LAN. Also, the wireless parameters set by the settings information notification protocol include an ESSID, a frequency channel, an encryption scheme, an encryption key, an authentication scheme, an authentication key, and so on. The PIN code is the abbreviation of Personal Identification Number, and can be a number string, character string, or the like.

The PC 101 and the SRV 103 can communicate with each other through the AP 102. The PC 101 executes authentication of a user (executes user authentication) with the SRV 103, and can connect to the Internet 104 only if the user is successfully authenticated. Accordingly, the PC 101 cannot connect to the Internet 104 even after the PC 101 establishes a connection to the wireless network of the AP 102 until the user is successfully authenticated. The SRV 103 stores a list of valid user accounts (user IDs and passwords, etc.) to execute user authentication. That is, it can be said that a user identifier (user ID) for public wireless LAN, which will be described later, refers to identification information used for user authentication that determines whether or not to permit connection to the Internet as a communication network. Also, it can be said that authentication information (password) for public wireless LAN, which will be described later, refers to authentication information used for user authentication that determines whether or not to permit connection to the Internet as a communication network.

Next, a configuration of the PC 101 shown in FIG. 1 will be described with reference to FIG. 2. FIG. 2 is a block diagram illustrating an example of the configuration of the personal computer according to Embodiment 1. In FIG. 2, reference numeral 202 denotes a communication unit that performs wireless communication, and reference numeral 203 denotes a communication control unit that controls the communication unit. Reference numeral 204 denotes a timer unit that performs a timer process and manages time; 205 denotes an interface processing unit that controls various interfaces; 206 denotes a display unit that provides various displays. Reference numeral 207 denotes a wireless parameter setting unit that sets wireless parameters by a settings information notification protocol; 208 denotes a code calculation unit that calculates various encryptions, hash values, and the like; 209 denotes a determination unit that makes various determinations in a process described later; 210 denotes a storage unit that stores wireless parameters, user account information and the like. The user account information may be stored in devices in advance, or may be inputted by the user. Reference numeral 211 denotes an apparatus control unit that controls the operation of the whole apparatus.

A configuration of the AP 102 shown in FIG. 1 will be described next with reference to FIG. 3. FIG. 3 is a block diagram illustrating an example of the configuration of the access point according to Embodiment 1. In FIG. 3, reference numeral 302 denotes a communication unit that performs wireless communication and wired communication; 303 denotes a communication control unit that controls the communication unit; 304 denotes a timer unit that performs a timer process and manages time; 305 denotes an interface processing unit that controls various interfaces. Reference numeral 306 denotes a wireless parameter setting unit that sets wireless parameters by a settings information notification protocol; 307 denotes a determination unit that makes various determinations in a process described later; 308 denotes a storage unit that stores wireless parameters, and the like; 309 denotes an apparatus control unit that controls the operation of the whole apparatus.

A configuration of the SRV 103 shown in FIG. 1 will be described next with reference to FIG. 4. FIG. 4 is a block diagram illustrating an example of the configuration of the account management server according to Embodiment 1. In FIG. 4, reference numeral 402 denotes a communication unit that performs wired communication; 403 denotes a communication control unit that controls the communication unit; 404 denotes a timer unit that performs a timer process and manages time; 405 denotes an interface processing unit that controls various interfaces; 406 denotes a display unit that provides various displays. Reference numeral 407 denotes an authentication processing unit that performs user authentication for public wireless LAN; 408 denotes a code calculation unit that calculates various encryptions, hash values, and the like; 409 denotes a determination unit that makes various determinations in a process described later; 410 denotes a storage unit that stores wireless parameters, user account information and the like; 411 denotes an apparatus control unit that controls the operation of the whole apparatus.

Now, a processing procedure performed by the PC 101 that operates as a wireless communication apparatus to execute a settings information notification protocol will be described with reference to FIG. 5.

FIG. 5 is a flowchart illustrating a process performed by the wireless communication apparatus according to Embodiment 1. This process starts when the PC 101 connects to a wireless network to which the AP 102, which operates as a wireless base station apparatus of a public wireless LAN, belongs. At this point in time, the same encryption key, authentication key and the like are not set in the PC 101 and the AP 102. Accordingly, the PC 101 is in a state in which the PC 101 can communicate with the AP 102 using only particular signals (alert signals, EAP packets, etc.) in the wireless network of the AP 102, and cannot perform ordinary data communication using an encryption or authentication. Here, it is assumed that various messages are transmitted/received between the PC 101 and the AP 102 using EAP packets.

The PC 101 transmits, to the AP 102, an ID notification message to which a user identifier (user ID) for public wireless LAN is assigned (F501). After transmitting the ID notification message, the PC 101 waits for reception of a PIN code generation information message or a protocol failure notification from the AP 102 (F502, F503). If the PC 101 receives a protocol failure notification, the PC 101 ends this process. If, on the other hand, the PC 101 receives a PIN code generation information message, it generates a PIN code based on a random value and authentication information (password) for public wireless LAN that are assigned to the message (F504). The method for generating a PIN code using a random value and a password can be any method such as a method of using a cryptographic algorithm such as RC4 or AES, or a method of using a hash algorithm such as MD5 or SHA1.

After generating the PIN code, the PC 101 sets the PIN code in the application for automatically setting wireless parameters (F505), and then executes a settings information notification protocol using the set PIN code (F506). The settings information notification protocol authenticates mutual validity between the Enrollee and the Registrar by determining whether or not their PIN codes match. Accordingly, the Enrollee can acquire wireless parameters from a Registrar with the same PIN code. Subsequently, after the settings information notification protocol ends, it is determined whether or not the settings information notification protocol has been executed successfully (F507). As used herein, the phrase "the settings information notification protocol has been executed successfully" refers to a state in which the Enrollee has acquired wireless parameters from the Registrar with a PIN code that matches the PIN code of the Enrollee. If it is determined that the settings information notification protocol has failed, the PC 101 ends this process. If, on the other hand, the settings information notification protocol has been executed successfully, the PC 101 connects to the wireless network to which the AP 102 belongs using the acquired wireless parameters (F508). By doing so, the same encryption key, authentication key and the like as those of the AP 102 are set in the PC 101, and therefore, the PC 101 can perform ordinary data communication using an encryption or authentication.

A processing procedure performed by the AP 102 that [...] settings information notification protocol will be described next with reference to FIG. 6.

[...] of automatic setting of wireless parameters joins the wireless network to which the AP 102 belongs. At this point in time, the same encryption key, authentication key and the like are not set in the PC 101 and the AP 102. Accordingly, the PC 101 [...]

[...] message, the AP 102 executes the settings information notification protocol with the PC 101 using the set PIN code (F607). Next, the AP 102 determines whether or not the settings information notification protocol has been executed successfully (F608). As used herein, the phrase "the settings information notification protocol has been executed successfully" refers to a state in which the PIN code of the Registrar and the PIN code of the Enrollee match, and wireless parameters have been provided from the Registrar to the Enrollee. If it is determined that the settings information notification protocol has been executed successfully, the AP 102 transmits a WPS success notification to the SRV 103 (F610), and then ends this process. If, on the other hand, the settings information notification protocol fails, the AP 102 ends this process.

A processing procedure performed by the account management server (SRV) 103 that performs user authentication when the PC 101 connects to the Internet 104 will be described next with reference to FIG. 7.

FIG. 7 is a flowchart illustrating a process performed by the [...] SRV 103 waits for reception of an ID authentication request message from the AP 102 (F701). If the SRV 103 receives an ID authentication request message from the AP 102, the SRV 103 checks whether or not the user ID assigned to the message is valid (F702). The method for checking the validity of user IDs can be, for example, a method in which user account information that is stored in the storage unit 410 is referred to, and if a user ID that is the same as the received user ID is found, the received user ID is validated.

If the received user ID is invalid, the SRV 103 transmits a rejection notification message to the AP 102 (F710), and then ends this process. If, on the other hand, the received user ID is valid, the SRV 103 generates a random value (F703). Then, the SRV 103 generates a PIN code using the password corresponding to the received user ID and the generated random value (F704). [...]
operates as a Wireless base station apparatus to execute a
FIG. 6 is a ?owchart illustrating a process performed by the
Wireless base station apparatus according to Embodiment 1.
This process starts When the PC 101 requesting the execution
account management server according to Embodiment l . The
After generating the PIN code, the SRV 103 assigns the
generated PIN code and the random value used to generate the
PIN code to a PIN code information message, and transmits
40
the message to the AP 102 (F705). After transmitting the PIN
is in a state in Which the PC 1 01 can communicate With the AP
code information message, the SRV 103 activates a user
102 using only particular signals (alert signals, EAP packets,
authentication period timer (F706), and Waits for reception of
etc.) in the Wireless netWork of the AP 102, and cannot per
form ordinary data communication using an encryption or
authentication. Here, it is assumed that various messages are
transmitted/received betWeen the PC 101 and the AP 102
a WPS success noti?cation from the AP 102, or for timeout of
the user authentication period timer (F707, F708).
45
If the user authentication period timer times out, the SRV
103 ends this process. If, on the other hand, the SRV 103
using EAP packets.
receives a WPS success noti?cation, the SRV 103 performs a
The AP 102 Waits for reception of an ID noti?cation mes
sage from the PC 101 (F601). If the AP 102 receives an ID
process for permitting the PC 101, Which transmitted the user
ID received in P701, to connect to the Internet 104 (F709),
and then ends this process.
A user authentication sequence performed by the PC 101,
the AP 102 and the SRV 103 Will be described next With
noti?cation message from the PC 101, the AP 102 assigns the
50
user ID assigned to the message to an ID authentication
request message, and transmits the ID authentication request
message to the SRV 103 (F602). After transmitting the ID
authentication request message, the AP 102 Waits for recep
tion of a PIN code information message or a rejection noti?
55
reference to FIG. 8.
FIG. 8 is a diagram illustrating a user authentication
sequence according to Embodiment l . In the PC 101, When an
cation message from the SRV 103 (F603, F604). IftheAP 102
application for automatically setting Wireless parameters is
receives a rejection noti?cation message, it transmits a pro
tocol failure noti?cation to the Wireless communication appa
activated by a user operation or the like (F801), the PC 101
searches for Wireless netWorks in the surrounding area
ratus (F609), and then ends this process.
If, on the other hand, the AP 102 receives a PIN code
information message, it sets the PIN code assigned to the
(F802). Next, a Wireless netWork is automatically or manually
60
message in the application for automatically setting Wireless
parameters (F605), and then assigns the random value
assigned to the PIN code information message to a PIN code
generation information message and transmits the PIN code
generation information message to the PC 101 (F606). Next,
after transmitting the PIN code generation information mes
65
selected from among the found Wireless netWorks. In this
example, the Wireless netWork of the AP 102 is selected, and
the PC 101 joins the Wireless netWork of the AP 102 (F803).
HoWever, at this point in time, the same encryption key,
authentication key and the like are not set in the PC 101 and
the AP 102. Accordingly, the PC 101 is in a state in Which the
PC 101 can communicate With the AP 102 using only par
ticular signals (alert signals, EAP packets, etc.) in the Wireless
network of the AP 102, and cannot perform ordinary data communication using encryption or authentication. Here, it is assumed that various messages are transmitted/received between the PC 101 and the AP 102 using EAP packets.

Next, the PC 101 assigns a user ID to an ID notification message, and transmits the message to the AP 102 (F804). Here, in the case where the PC 101 stores multiple user IDs for public wireless LAN, it is possible to adopt a configuration that permits the user to manually select a user ID, or a configuration in which a user ID is selected automatically based on network information such as an ESSID. If the AP 102 receives the ID notification message, it assigns the user ID assigned to the message to an ID authentication request message, and transmits the ID authentication request message to the SRV 103 (F805). Here, an example is described in which the ID notification message and the ID authentication request message are separate messages, but they may be configured as a single message.

If the SRV 103 receives the ID authentication request message, it checks the validity of the received user ID (F806). After confirming the validity of the received user ID, the SRV 103 generates a random value (F807). After generating the random value, the SRV 103 generates a PIN code using the password corresponding to the received user ID and the generated random value (F808).

Next, after generating the PIN code, the SRV 103 assigns the generated PIN code and the random value to a PIN code information message, and transmits the message to the AP 102 (F809). If the AP 102 receives the PIN code information message, it starts an application for automatically setting wireless parameters, and sets the assigned PIN code in the application for automatically setting wireless parameters (F810). After setting the PIN code, the AP 102 assigns the random value to a PIN code generation information message, and transmits the message to the PC 101 (F811).

If the PC 101 receives the PIN code generation information message, it generates a PIN code using the assigned random value and the password stored in the PC 101 (F812). After generating the PIN code, the PC 101 sets the PIN code in an application for automatically setting wireless parameters (F813). After setting the PIN code, the PC 101 transmits a protocol start request to the AP 102 so as to start the settings information notification protocol (F814).

If the AP 102 receives the protocol start request from the PC 101, it transmits a protocol start message to the PC 101 (F815). Then, the PC 101 and the AP 102 exchange protocol messages in accordance with the WPS Registration protocol (F816). Here, the wireless parameters of the AP 102 are transmitted to and set in the PC 101 only if it is confirmed by both the PC 101 and the AP 102 that the PIN code set in the PC 101 and the PIN code set in the AP 102 match.

Next, if the AP 102 confirms that its PIN code and the PIN code set in the PC 101 match, it transmits a WPS success notification to the SRV 103 (F817). If the SRV 103 receives the WPS success notification, it performs a process for permitting the PC 101 to connect to the Internet 104 (F818). After completion of the settings information notification protocol, the AP 102 transmits a protocol end message to the PC 101 (F819).

If the PC 101 receives the protocol end message, it temporarily disconnects from the network, and reconnects to the wireless network of the AP 102 using the wireless parameters acquired from the AP 102 (F820). Here, because the same encryption key, authentication key and the like as those of the AP 102 are set in the PC 101, ordinary data communication using encryption or authentication is possible. The SRV 103 permits the PC 101 to connect to the Internet 104, and the PC 101 can connect to the Internet 104 through the AP 102.

According to Embodiment 1, it becomes possible to safely and automatically set the same PIN code in a wireless communication apparatus and a wireless base station apparatus that execute a wireless parameter setting scheme in a public wireless LAN.

In addition, because a PIN code to be set is generated based on a random value and a password, a different PIN code is generated each time, and therefore, a high level of security is achieved.

Furthermore, because the password is used only within the wireless communication terminal and the account management server, the password will not be leaked to the outside of the wireless base station apparatus and the like, and therefore, a high level of security is achieved.

In addition, in a wireless parameter setting scheme, by regarding the matching of PIN codes as the matching of passwords instead of performing user authentication, it is possible to permit the wireless communication apparatus to connect to the Internet. Accordingly, the user’s task of setting a PIN code in the wireless communication apparatus and an access point of a public wireless LAN as well as the user’s task of undergoing user authentication can be eliminated, and as a result, user operability is improved.

Embodiment 2

Next, Embodiment 2 of the present invention will be described in detail with reference to the drawings. The configurations of a communication system, a PC, an AP and a SRV according to Embodiment 2 are the same as those of Embodiment 1 described above with reference to FIGS. 1 to 4, and thus, descriptions thereof are omitted here.

A processing procedure performed by the PC 101 that operates as a wireless communication apparatus to execute a settings information notification protocol will be described with reference to FIG. 9.

FIG. 9 is a flowchart illustrating a process performed by the wireless communication apparatus according to Embodiment 2. The processes spanning from F901 to F905 are the same as those of F501 to F505 shown in FIG. 5, and thus, descriptions thereof are omitted here.

Similar to Embodiment 1, the PC 101 sets a PIN code in the application for automatically setting wireless parameters (F905), and activates a PIN invalidation timer (F906). Specifically, the PIN invalidation timer is activated based on time information assigned to a PIN code generation information message sent from the AP 102. The time information can be a time period after which the PIN is invalidated. When the PIN invalidation timer times out, the processing of the application for automatically setting wireless parameters is suspended, and then this process ends.

The subsequent processes (F907 to F909) are the same as F506 to F508 of Embodiment 1, and thus, descriptions thereof are omitted here.

A processing procedure performed by the AP 102 that operates as a wireless base station apparatus to execute a settings information notification protocol will be described next with reference to FIG. 10.

FIG. 10 is a flowchart illustrating a process performed by the wireless base station apparatus according to Embodiment 2. Because the processes spanning from F1001 to F1005 are the same as those of F601 to F605 shown in FIG. 6, descriptions thereof are omitted here.
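As an added example (not code from the patent), the following Python models the SRV/AP/PC exchange of Embodiments 1 and 2: the SRV derives a PIN from the user's password and generation information, the AP keeps that PIN and relays only the generation information, the PC re-derives the PIN from its own copy of the password, and Internet access is granted only while the PIN invalidation timer has not expired. The PIN length, the HMAC-SHA1 derivation, the 120-second validity period and the `FakeClock`/`AccountServer`/`run_sequence` names are this example's assumptions.

```python
# Added illustration of the patent's PIN agreement (not the patent's own code):
# SRV 103 derives a PIN from the user's password plus generation info, AP 102
# keeps that PIN, and PC 101 re-derives it from the same generation info.
import hashlib
import hmac
import secrets

PIN_DIGITS = 8          # assumed; the patent fixes no PIN length
PIN_VALIDITY_SEC = 120  # assumed validity period (Embodiment 2 time information)


class FakeClock:  # injectable clock so the PIN invalidation timer is testable
    def __init__(self, now: int = 1000):
        self.now = now

    def advance(self, seconds: int) -> None:
        self.now += seconds


def derive_pin(password: str, generation_info: bytes) -> str:
    """The patent allows a cipher (RC4/AES) or hash (MD5/SHA1) here;
    HMAC-SHA1 reduced to decimal digits is this example's own choice."""
    mac = hmac.new(password.encode(), generation_info, hashlib.sha1).digest()
    return str(int.from_bytes(mac[:8], "big") % 10**PIN_DIGITS).zfill(PIN_DIGITS)


class AccountServer:  # SRV 103
    def __init__(self, accounts: dict, clock: FakeClock):
        self.accounts = accounts  # user ID -> password (storage unit 410)
        self.clock = clock
        self.pending = {}         # user ID -> (PIN, expiry): the invalidation timer
        self.internet_permitted = set()

    def id_authentication_request(self, user_id: str):
        """F701-F705 / F1103-F1106: returns (pin, info) for the AP, or None."""
        if user_id not in self.accounts:
            return None           # unknown ID -> rejection notification (F710)
        expires_at = self.clock.now + PIN_VALIDITY_SEC
        # random value (Embodiment 1) followed by time information (Embodiment 2)
        info = secrets.token_bytes(16) + expires_at.to_bytes(8, "big")
        pin = derive_pin(self.accounts[user_id], info)
        self.pending[user_id] = (pin, expires_at)
        return pin, info

    def wps_success(self, user_id: str) -> bool:
        """F707-F709: permit Internet access only while the PIN is still valid."""
        entry = self.pending.pop(user_id, None)
        if entry is None or self.clock.now >= entry[1]:
            return False          # timer expired (or no pending PIN for this ID)
        self.internet_permitted.add(user_id)
        return True


def run_sequence(srv: AccountServer, user_id: str, pc_password: str,
                 delay_before_wps: int = 0) -> bool:
    """AP 102 relays the ID, keeps the SRV's PIN and forwards only the
    generation info to PC 101; the password itself never crosses the air."""
    reply = srv.id_authentication_request(user_id)
    if reply is None:
        return False                                   # F609: protocol failure
    ap_pin, generation_info = reply
    pc_pin = derive_pin(pc_password, generation_info)  # F812 / F1214 on the PC
    srv.clock.advance(delay_before_wps)                # time elapsing before WPS
    if not hmac.compare_digest(ap_pin, pc_pin):        # WPS Registration PIN check
        return False
    return srv.wps_success(user_id)                    # F817 / F818
```

Only the SRV's copy of the timer is modelled; in Embodiment 2 the AP and PC run their own timers from the same time information so that all three invalidate the PIN at substantially the same moment.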
Similar to Embodiment 1, the AP 102 sets a PIN code in the application for automatically setting wireless parameters (F1005), and activates a PIN invalidation timer (F1006). Specifically, the PIN invalidation timer is activated based on time information assigned to a PIN code information message sent from the SRV 103. When the PIN invalidation timer times out, the processing of the application for automatically setting wireless parameters is forcibly suspended, and then this process ends. Next, the AP 102 assigns the received time information to a PIN code generation information message, and transmits the message to the PC 101 (F1007).

The subsequent processes (F1008 to F1011) are the same as F607 to F610 of Embodiment 1, and thus, descriptions thereof are omitted here.

A processing procedure performed by the account management server (SRV) 103 that performs user authentication when the PC 101 connects to the Internet 104 will be described next with reference to FIG. 11.

FIG. 11 is a flowchart illustrating a process performed by the account management server according to Embodiment 2. Because the processes spanning from F1101 to F1102 and the process of F1111 are the same as those of F701 to F702 and F710 shown in FIG. 7, descriptions thereof are omitted here.

Similar to Embodiment 1, the SRV 103 generates time information to be transmitted to the AP 102 if the received user ID is valid (F1103). After generating the time information, the SRV 103 generates a PIN code using the password corresponding to the user ID received from the AP 102 and the generated time information (F1104). After generating the PIN code, the SRV 103 activates a PIN invalidation timer using the generated time information (F1105). When the PIN invalidation timer times out, the authentication process is forcibly suspended, and then this process ends.

Next, the SRV 103 assigns the generated PIN code and the time used to generate the PIN code to a PIN code information message, and transmits the message to the AP 102 (F1106). The subsequent processes (F1107 to F1110) are the same as F706 to F709 of Embodiment 1, and thus, descriptions thereof are omitted here.

A user authentication sequence performed by the PC 101, the AP 102 and the SRV 103 will be described next with reference to FIG. 12.

FIG. 12 is a diagram illustrating a user authentication sequence according to Embodiment 2. The processes spanning from F1201 to F1206 are the same as those of F801 to F806 shown in FIG. 8, and thus, descriptions thereof are omitted here.

Similar to Embodiment 1, the SRV 103 checks the validity of the received user ID, and generates time information that is a feature of Embodiment 2 (F1207). After generating the time information, the SRV 103 generates a PIN code using the password corresponding to the received user ID and the generated time information (F1208). Next, after generating the PIN code, the SRV 103 activates a PIN code invalidation timer using the time information (F1209). After activating the PIN code invalidation timer, the SRV 103 assigns the generated PIN code and the time information to a PIN code information message, and transmits the message to the AP 102 (F1210).

If the AP 102 receives the PIN code information message, it starts the application for automatically setting wireless parameters, and sets the assigned PIN code in the application for automatically setting wireless parameters (F1211). Next, after setting the PIN code, the AP 102 activates the PIN code invalidation timer using the assigned time information (F1212). Then, after activating the PIN code invalidation timer, the AP 102 assigns the time information to a PIN code generation information message, and transmits the message to the PC 101 (F1213).

If the PC 101 receives the PIN code generation information message, it generates a PIN code using the assigned time information and the password stored in the PC 101 (F1214). After generating the PIN code, the PC 101 sets the PIN code in the application for automatically setting wireless parameters (F1215). After setting the PIN code, the PC 101 activates the PIN code invalidation timer using the assigned time information (F1216). After setting the PIN code invalidation timer, the PC 101 transmits a protocol start request to start the settings information notification protocol to the AP 102 (F1217).

The subsequent processes (F1217 to F1223) in this sequence are the same as F814 to F820 of Embodiment 1, and thus, descriptions thereof are omitted here.

According to Embodiment 2, by providing a validity period to the PIN code, in addition to the effects of Embodiment 1, it is possible to prevent a single PIN code from being continuously set for a long time between a wireless communication terminal and a wireless base station apparatus. In addition, because the validity period can be set to expire substantially at the same time in the apparatuses, it is possible to prevent mismatching of valid PIN codes stored in the apparatuses. Accordingly, the possibility of success in automatically setting wireless parameters with unintended devices can be reduced.

Embodiments 1 and 2 have been described in the context of using an IEEE 802.11 wireless LAN as an example, but these embodiments are applicable to other wireless communication schemes such as Wireless USB, Bluetooth®, UWB (Ultra Wide Band), etc.

It goes without saying that the object of the present invention can also be achieved by supplying, to a system or apparatus, a recording medium in which the program code for software that realizes the functions of the above-described embodiments has been recorded, and causing a computer (CPU or MPU) of the system or apparatus to read out and execute the program code stored in the recording medium.

In such a case, the program code itself read out from the computer-readable recording medium realizes the functions of the above-described embodiments, and the present invention is configured of the recording medium in which the program code is stored.

Examples of a recording medium for supplying the program code include a flexible disk, a hard disk, an optical disk, a magneto-optical disk, a CD-ROM, a CD-R, magnetic tape, a non-volatile memory card, a ROM, and so on.

Moreover, it goes without saying that the following case also falls under the scope of the present invention, which is not limited to implementing the functions of the above-described embodiments by a computer executing the read-out program code. That is, the case where an operating system (OS) or the like running on a computer performs part or all of the actual processing based on instructions of the program code, and the functions of the above-described embodiments are realized by that processing.

Furthermore, needless to say, the case in which the program code read out from the recording medium is written into a memory included in a function expansion board inserted into the computer, a function expansion unit connected to the computer, or the like, a CPU or the like included in the function expansion board or function expansion unit then performs all or part of the actual processing based on instructions of the program code, and the functions of the above