CN111163468A - Communication connection method and device - Google Patents


Publication number: CN111163468A
Authority: CN (China)
Prior art keywords: wifi device, wifi, plaintext, ciphertext, legal
Legal status: Pending
Application number: CN201811325444.7A
Other languages: Chinese (zh)
Inventors: 胡明, 赵望生, 岳东升
Current assignee: Huawei Technologies Co Ltd; Beijing Huawei Digital Technologies Co Ltd
Original assignee: Huawei Technologies Co Ltd
Application filed by Huawei Technologies Co Ltd; priority to CN201811325444.7A

Classifications

    • H Electricity > H04 Electric communication technique > H04W Wireless communication networks
        • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
            • H04W 12/06 Authentication
            • H04W 12/08 Access security
        • H04W 76/00 Connection management
            • H04W 76/10 Connection setup

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The application relates to the field of communication and discloses a communication connection method and device for performing security verification between a first wifi device and a second wifi device. The method comprises the following steps: the first wifi device encrypts a generated first plaintext with a secret key to obtain a first ciphertext; it broadcasts a probe request that carries the first plaintext and the first ciphertext, which a second wifi device receiving the probe request uses to verify whether the first wifi device is a legal wifi device that may connect to the second wifi device; the first wifi device receives a response message from the second wifi device that carries a second ciphertext, the response message being sent by the second wifi device after it has verified that the first wifi device is a legal wifi device that may connect to it; and the first wifi device determines, from the result of decrypting the second ciphertext with the secret key, whether the second wifi device is a legal wifi device that may connect to the first wifi device.

Description

Communication connection method and device
Technical Field
The embodiment of the application relates to the field of communication, in particular to a communication connection method and device.
Background
With the spread of wireless communication, a gateway can be installed in a designated area to provide a wifi signal through which user equipment accesses the internet. In a larger area, such as a large home or office, the wifi signal of the gateway alone does not cover the whole area. To let user equipment reach the internet over wifi from any position in the area, several wireless access points (APs) can be deployed to provide the wifi signal and achieve full coverage.
In a distributed network of a gateway and several APs, the gateway is the only interface the operator provides for user equipment to reach the internet; the APs connect to the gateway over a wifi uplink, communicate with the gateway, and send and receive traffic through it.
In the prior art, establishing a communication connection between an AP and the gateway generally requires human intervention. Two ways in which this is done are described briefly below:
In the first, the AP establishes the connection with the gateway by means of a Wi-Fi Protected Setup (WPS) button. Both the AP and the gateway are fitted with a WPS button, and when the user presses the button on the gateway and the button on the AP, the AP performs WPS pairing with the gateway and the connection is established.
In the second, the AP establishes the connection with the gateway by means of wifi connection parameters: the user opens a configuration interface for the wifi connection parameters on a terminal and enters the gateway's wifi connection parameters there, so that the connection between the gateway and the corresponding AP is established.
Both ways of establishing the connection between the AP and the gateway require manual operation by the user, are cumbersome, delay the connection, and make connection setup inefficient.
When an AP and a gateway establish a connection automatically, the AP may encounter a malicious gateway that tries to connect to it, and the gateway may likewise encounter a malicious AP. To avoid connecting to a malicious AP or a malicious gateway, the essential point is that a legal AP and a legal gateway authenticate each other so that the connection is secure. For automatic connection between an AP and a gateway, how to perform security verification between them is therefore the technical problem to be solved.
Disclosure of Invention
The embodiment of the application provides a communication connection method and device for performing security verification between a first wifi device and a second wifi device that are to establish a communication connection.
In a first aspect, a communication connection method is provided, which includes the following procedures:
The first wifi device generates a first plaintext and encrypts it with a pre-stored secret key to obtain a first ciphertext. The first wifi device broadcasts a probe request that may carry the first plaintext and the first ciphertext; these are used by a second wifi device that receives the probe request to verify whether the first wifi device is a legal wifi device that may connect to the second wifi device.
The second wifi device receives the probe request broadcast by the first wifi device, carrying the first plaintext and the first ciphertext. At least one secret key is pre-stored in the second wifi device, each of which is also pre-stored in a different first wifi device that is allowed to connect to the second wifi device. The second wifi device encrypts the first plaintext with each pre-stored secret key in turn to obtain at least one third ciphertext; when one of the third ciphertexts equals the first ciphertext, the first wifi device is determined to be a legal wifi device that may connect to the second wifi device. Alternatively, the second wifi device decrypts the first ciphertext with each pre-stored secret key in turn to obtain at least one third plaintext; when one of the third plaintexts equals the first plaintext, the first wifi device is determined to be a legal wifi device that may connect to the second wifi device.
When the second wifi device determines that the first wifi device is a legal wifi device that may connect to it, it generates a second plaintext and encrypts it with the key that produced the third ciphertext equal to the first ciphertext (or the third plaintext equal to the first plaintext), obtaining a second ciphertext. The second wifi device sends a response message carrying the second ciphertext to the first wifi device; the second ciphertext is used by the first wifi device to verify whether the second wifi device is a legal wifi device that may connect to the first wifi device.
The first wifi device receives the response message carrying the second ciphertext, which the second wifi device sent after verifying that the first wifi device is a legal wifi device that may connect to it. The first wifi device decrypts the second ciphertext with its own pre-stored key and determines from the decryption result whether the second wifi device is a legal wifi device that may connect to the first wifi device.
In this way the first wifi device encrypts the first plaintext it generated with its stored secret key, obtains the first ciphertext and sends it to the second wifi device; the second wifi device verifies the first wifi device from the first plaintext and first ciphertext; the second wifi device then encrypts a second plaintext it generates with the secret key of the verified first wifi device, obtains the second ciphertext and sends it to the first wifi device; and the first wifi device verifies the second wifi device from the second ciphertext. Security verification between the first wifi device and the second wifi device that are to establish a communication connection is thereby achieved.
In a possible implementation, a digest algorithm, an encoding and decoding scheme, and the Service Set Identifier (SSID) information of the network to which the second wifi device belongs may be pre-stored in the second wifi device. The second wifi device computes digest data of its SSID information with the pre-stored digest algorithm and encodes the SSID information together with the digest data using the pre-stored encoding scheme to obtain the second plaintext. Alternatively, the second wifi device may generate a random number string and use it as the second plaintext.
Correspondingly, the second ciphertext is obtained by the second wifi device encrypting the SSID information of the first service set to which it belongs, or by encrypting a random number string. The second wifi device may encrypt the second plaintext with an algorithm that has a data integrity check, and the first wifi device then decrypts the second ciphertext with the same integrity-checking algorithm.
In that case, when the first wifi device determines whether the second wifi device is a legal wifi device that may connect to it, it checks whether the second ciphertext decrypts successfully: if decryption (including the integrity check) succeeds, the second wifi device is determined to be a legal wifi device that may connect to the first wifi device; otherwise it is determined not to be.
In a possible implementation, if the second ciphertext is obtained by the second wifi device encrypting the SSID information of the first service set to which it belongs, the second wifi device may instead encrypt the second plaintext with an algorithm that has no data integrity check, and the first wifi device correspondingly decrypts the second ciphertext with an algorithm that has no data integrity check. In that case, when the first wifi device determines whether the second wifi device is a legal wifi device that may connect to it, it decrypts the second ciphertext with its secret key to obtain a third plaintext. The first wifi device also pre-stores the encoding and decoding scheme for the SSID information and decodes the third plaintext with it; the decoded third plaintext contains second SSID information and first digest data of that SSID information. The first wifi device extracts the first digest data from the decoded third plaintext, computes second digest data of the second SSID information with the pre-stored digest algorithm, and if the first digest data equals the second digest data determines that the second wifi device is a legal wifi device that may connect to it; otherwise it determines that the second wifi device is not.
In a possible implementation, if the second wifi device uses a generated random number string as the second plaintext, it may encrypt the second plaintext with an algorithm that has no data integrity check, and the first wifi device correspondingly decrypts the second ciphertext with an algorithm that has no data integrity check; the second plaintext may then also be included in the response message. In that case, when the first wifi device determines whether the second wifi device is a legal wifi device that may connect to it, it decrypts the second ciphertext with the key stored by the first wifi device to obtain a third plaintext; if the third plaintext equals the second plaintext, the second wifi device is determined to be a legal wifi device that may connect to the first wifi device, otherwise it is determined not to be.
In a possible implementation, after the first wifi device determines that the second wifi device is a legal wifi device capable of establishing communication connection with the first wifi device, the first wifi device may also establish communication connection with the second wifi device according to the second SSID information obtained through decryption.
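The exchange described in the aspects above, as an added example that is not part of the patent or of any Huawei implementation. The patent does not name the cipher, digest or encoding scheme, so the deterministic SIV-style construction (HMAC-SHA256 tag plus HMAC-based keystream), the len || SSID || digest record layout, the 16-byte random first plaintext and the derivation of the key from a constructed MAC address and serial number are all assumptions of this example. The one block covers the summary in the first aspect (re-encrypt-and-compare on the second device) and the SSID-with-digest variant decrypted with an integrity-checking algorithm; the random-number-string variant would replace encode_ssid_record with a fresh random string, carry that string in the response, and compare it with the decrypted third plaintext.

```python
import hashlib
import hmac
import os
import struct

TAG_LEN = 16  # bytes of deterministic tag prepended to every ciphertext

def derive_key(mac: str, sn: str) -> bytes:
    # The text allows the key to be the MAC address, the SN, or both; hashing both together
    # is an assumption that yields a fixed-length key. A MAC address travels in the clear in
    # every 802.11 frame header, so in this form only the SN contributes any secrecy.
    return hashlib.sha256(f"{mac.lower()}|{sn}".encode()).digest()

def _prf(key: bytes, label: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode, used as a keystream generator."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, label + struct.pack(">I", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def siv_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Deterministic SIV-style encryption: tag = HMAC(key, pt), keystream = PRF(key, tag).
    Determinism matters because the second device re-encrypts the received first plaintext
    under each stored key and compares the result with the received first ciphertext."""
    tag = hmac.new(key, b"siv" + plaintext, hashlib.sha256).digest()[:TAG_LEN]
    return tag + bytes(a ^ b for a, b in zip(plaintext, _prf(key, tag, len(plaintext))))

def siv_decrypt(key: bytes, ciphertext: bytes, check_integrity: bool = True):
    """Inverse of siv_encrypt; with check_integrity the tag is verified (the text's 'algorithm
    with a data integrity checking function') and None is returned when it does not match."""
    if len(ciphertext) < TAG_LEN:
        return None
    tag, body = ciphertext[:TAG_LEN], ciphertext[TAG_LEN:]
    plaintext = bytes(a ^ b for a, b in zip(body, _prf(key, tag, len(body))))
    if check_integrity:
        expect = hmac.new(key, b"siv" + plaintext, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expect):
            return None
    return plaintext

def encode_ssid_record(ssid: str) -> bytes:
    """Second plaintext of the SSID variant: len || SSID || digest(SSID) (layout assumed)."""
    raw = ssid.encode()
    return bytes([len(raw)]) + raw + hashlib.sha256(raw).digest()[:8]

def decode_ssid_record(record: bytes):
    """Split the record, recompute the digest and compare; returns the SSID or None."""
    if not record:
        return None
    n = record[0]
    raw, digest = record[1:1 + n], record[1 + n:]
    if len(raw) != n or not hmac.compare_digest(digest, hashlib.sha256(raw).digest()[:8]):
        return None
    return raw.decode(errors="replace")

class FirstWifiDevice:
    """E.g. an AP; holds exactly one pre-stored key."""
    def __init__(self, mac: str, sn: str):
        self.key = derive_key(mac, sn)

    def build_probe_request(self) -> dict:
        """Steps 1-2: fresh random first plaintext plus its ciphertext, for the extended IE."""
        first_plaintext = os.urandom(16)
        return {"plaintext": first_plaintext, "ciphertext": siv_encrypt(self.key, first_plaintext)}

    def verify_response(self, response: dict):
        """Decrypt the second ciphertext with the pre-stored key; a verified tag and a valid SSID
        digest mean the responder holds this device's key. Returns the SSID to join, or None."""
        second_plaintext = siv_decrypt(self.key, response["ciphertext"])
        return None if second_plaintext is None else decode_ssid_record(second_plaintext)

class SecondWifiDevice:
    """E.g. a gateway; holds one key per legal first device, as issued by the service device."""
    def __init__(self, ssid: str, issued_keys):
        self.ssid = ssid
        self.keys = list(issued_keys)

    def handle_probe_request(self, request: dict):
        """Steps 3-5: find the stored key that reproduces the first ciphertext and answer with the
        SSID record encrypted under it; None means the sender is not a legal first device."""
        matched = [k for k in self.keys
                   if hmac.compare_digest(siv_encrypt(k, request["plaintext"]), request["ciphertext"])]
        if not matched:
            return None
        return {"ciphertext": siv_encrypt(matched[0], encode_ssid_record(self.ssid))}

def run_exchange(first: FirstWifiDevice, second: SecondWifiDevice):
    """Whole exchange; returns the SSID if both sides accept each other, else None."""
    response = second.handle_probe_request(first.build_probe_request())
    return None if response is None else first.verify_response(response)

if __name__ == "__main__":
    ap = FirstWifiDevice("00:11:22:33:44:55", "SN-0001")   # constructed identifiers
    gateway = SecondWifiDevice("Home-Net", [ap.key])        # key issued to the gateway in advance
    print(run_exchange(ap, gateway), run_exchange(FirstWifiDevice("00:11:22:33:44:66", "SN-2"), gateway))
```

Two properties of the design as the text describes it are visible in the code and worth checking before deploying anything like it: the second device discovers the matching key only by trying every issued key against the first ciphertext, so verification cost grows with the number of issued keys; and the second ciphertext depends only on the matched key and the SSID record, not on the first plaintext, so the response does not by itself prove freshness and the first device is relying entirely on the secrecy of the key. If the key is the MAC address alone, which the text lists as one option, that key is carried in the clear in the header of the very probe request that carries the ciphertext.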
In a possible implementation, if the second wifi device uses a generated random number string as the second plaintext, then after it has determined that one of the third ciphertexts equals the first ciphertext, or that one of the third plaintexts equals the first plaintext, it specifically sends the first wifi device a message indicating that the second wifi device has started its WPS pairing function, so as to request the first wifi device to establish the communication connection. Correspondingly, after the first wifi device determines that the second wifi device is a legal wifi device that may establish a communication connection with it, the first wifi device may also send a message indicating that it has started its Wi-Fi Protected Setup (WPS) pairing function, to request the second wifi device to establish the communication connection.
In a possible implementation, a service providing device issues to the second wifi device the keys that are pre-stored in the different first wifi devices allowed to connect to the second wifi device; the second wifi device receives these keys from the service providing device and stores them.
In one possible implementation, the first wifi device broadcasts the probe request on each available channel of a preset frequency band, and the second wifi device receives the probe request broadcast by the first wifi device on each available channel of that band.
In one possible implementation, the second wifi device sends the response message to the first wifi device on each available channel of the preset frequency band, and the first wifi device receives the response message on each available channel of that band.
In one possible implementation, the first wifi device generates the first plaintext when it is powered on, or when it confirms that it has been disconnected from the second wifi device.
In a possible implementation, the secret key used in encryption and decryption may be identification information of the wifi device, and the secret key pre-stored in the first wifi device is the identification information of the first wifi device.
In a second aspect, a communication connection device is provided, which has the functions of the first wifi device in any possible implementation of the above aspects. The functions can be realized by hardware, or by hardware executing corresponding software. The hardware or software includes one or more modules corresponding to the above-described functions.
In one possible implementation, the device may be a chip or an integrated circuit.
In one possible implementation, the apparatus comprises: a transceiver and a processor; the processor is used for calling a group of programs, and when the programs are executed, the processor can execute the operation of the first wifi device in any one of the possible implementation methods of the aspects through the transceiver.
In one possible implementation, the apparatus may further include a memory for storing a program executed by the processor.
In one possible implementation, the device may be a wifi device, including but not limited to an AP, a wireless router, a wifi internet of things device, and the like.
In a third aspect, a communication connection device is provided, which has the functions of the second wifi device in any possible implementation of the above aspects. The functions can be realized by hardware, or by hardware executing corresponding software. The hardware or software includes one or more modules corresponding to the above-described functions.
In one possible implementation, the device may be a chip or an integrated circuit.
In one possible implementation, the apparatus comprises: a transceiver and a processor; the processor is used for calling a group of programs, and when the programs are executed, the processor can execute the operation of the second wifi device in any one of the possible implementation methods of the aspects through the transceiver.
In one possible implementation, the device further comprises a memory for storing a program for execution by the processor.
In one possible implementation, the device may be a wifi device, including but not limited to a gateway, a wireless router, a wireless access controller (AC), and the like.
In a fourth aspect, a computer-readable storage medium is provided that stores computer-readable instructions which, when read and executed by a computer, cause the computer to perform the operations of the first wifi device or of the second wifi device in any possible implementation of the above aspects.
In a fifth aspect, a computer program product is provided that, when read and executed by a computer, enables the computer to perform the operations of the first wifi device or of the second wifi device in any possible implementation of the above aspects.
In a sixth aspect, a chip is provided, the chip being coupled to a memory for reading and executing a software program stored in the memory to implement the operations of the first wifi device or of the second wifi device in any possible implementation of the above aspects.
Drawings
Fig. 1A is a schematic diagram of a communication connection scenario applicable to the embodiment of the present application;
fig. 1B is a block diagram of a communication connection system applicable to the embodiment of the present application;
fig. 2 is a schematic diagram of a communication connection method applicable to the embodiment of the present application;
fig. 3 is a schematic diagram of a communication connection method applicable to the embodiment of the present application;
fig. 4 is a block diagram of a communication connection apparatus suitable for use in the embodiments of the present application;
fig. 5 is a block diagram of a communication connection device applicable to the embodiment of the present application.
Detailed Description
The embodiments of the present application will be described in detail below with reference to the accompanying drawings.
The network architecture and the service scenario described in the embodiment of the present application are for more clearly illustrating the technical solution of the embodiment of the present application, and do not form a limitation on the technical solution provided in the embodiment of the present application, and as a person of ordinary skill in the art knows that along with the evolution of the network architecture and the appearance of a new service scenario, the technical solution provided in the embodiment of the present application is also applicable to similar technical problems.
Some terms of the embodiments of the present application are explained below to facilitate understanding by those skilled in the art.
1) A wifi device is an electronic device that can connect to a wireless local area network.
2) A service set identifier (SSID) uniquely identifies a wireless local area network. Using SSIDs, a wireless local area network can be divided into several sub-networks, each requiring its own identity authentication; only a user who passes that authentication can enter the corresponding sub-network, which keeps unauthorized users out of the network.
3) Plaintext is an unencrypted character or character string.
4) Ciphertext is plaintext transformed into another form by an encryption algorithm; a party that does not know the encryption algorithm and key cannot recover the meaning the ciphertext expresses.
5) "and/or" in the present application describes an association relationship of associated objects, and indicates that three relationships may exist, for example, a and/or B may indicate: a exists alone, A and B exist simultaneously, and B exists alone. The character "/" generally indicates that the former and latter associated objects are in an "or" relationship.
The plural in the present application means two or more.
In addition, it is to be understood that the terms first, second, etc. in the description of the present application are used for distinguishing between the descriptions and not necessarily for describing a sequential or chronological order.
To facilitate understanding of the embodiment, the application scenario shown in fig. 1A is taken first as an example. In a home or a company, a home gateway may be deployed to provide wifi networking, but the area covered by the home gateway's wifi signal is limited. So that a terminal device used by a user can reach the wifi network from any position in the home, several APs may also be deployed to provide the wifi signal and achieve full coverage of the home or company area. The home gateway is the only interface the operator provides for the user to access the internet, and an AP must connect to the home gateway over a wifi uplink before it can communicate with the gateway and exchange traffic with the external internet through it. As shown in fig. 1A, a home may contain one home gateway that communicates with the external internet, and two APs deployed elsewhere in the home to improve wifi coverage; the two APs communicate with the home gateway by connecting to it, and thereby reach the external internet through the home gateway.
In fig. 1A, when an AP and a gateway establish a connection automatically, the AP may encounter a malicious gateway that tries to connect to it, and the gateway may likewise encounter a malicious AP. To avoid connecting to a malicious AP or a malicious gateway, the essential point is that a legal AP and a legal gateway authenticate each other so that the connection is secure. As described in the background, bidirectional authentication between the AP and the gateway is usually done manually, which is inefficient and depends heavily on manual operation. In view of this, in order to establish the connection between AP and gateway promptly, the present application provides a method for automatic bidirectional authentication between the AP and the gateway, so as to make connection setup more efficient and remove the dependence on manual operation.
The above description takes the home gateway and the AP only as examples; the application is applicable to automatic connection between any wifi devices, and the two wifi devices to be connected may be called the first wifi device and the second wifi device. The first wifi device includes but is not limited to an AP, a wireless router, a wifi internet of things device, and the like. The second wifi device includes but is not limited to a gateway, a wireless router, a wireless controller, and the like, where the gateway includes but is not limited to an Optical Network Terminal (ONT) gateway, a Digital Subscriber Loop (DSL) gateway, a cable gateway, a Local Area Network (LAN) gateway, and the like.
To facilitate understanding of the embodiment, the communication connection system applicable to it is described in detail with reference to fig. 1B. As shown in fig. 1B, the communication connection system 200 includes a first wifi device 201, a second wifi device 202 and a service issuing device 203. The first wifi device 201 and the second wifi device 202 can be connected over a wireless network. The service issuing device 203 issues to the second wifi device the legal first wifi devices that may connect to it, each legal first wifi device corresponding to the key information it stores; the role of the keys stored by the first wifi devices is described below.
Specifically, the operator can use the service issuing device 203 to issue to the second wifi device the secret keys stored in the legal wifi devices that may connect to it. The first wifi device encrypts the first plaintext it generated with its own stored secret key and broadcasts the resulting first ciphertext, which the second wifi device receives. The second wifi device verifies the identity of the first wifi device from the keys it stores and the ciphertext sent by the first wifi device; the verification process is described in detail later. Once the first wifi device has passed identity verification, the second wifi device can send it a second ciphertext obtained by encrypting a generated second plaintext with the key of the verified first wifi device. The first wifi device then verifies the second wifi device from its own stored secret key and the ciphertext sent by the second wifi device. In this way the two wifi devices (for example a gateway and an AP) cooperate to verify each other's identity automatically and then establish the connection automatically: each side verifies whether the other is a legal wifi device it may connect to, and once both sides have verified this, they establish the communication connection automatically without manual operation.
The following describes in detail a specific process of performing security verification between a first wifi device and a second wifi device in two embodiments, and firstly, refer to a processing procedure of the first embodiment shown in fig. 2, where the processing procedure includes:
step 1: the first wifi device generates a first plaintext, and the first plaintext is encrypted by a pre-stored secret key to obtain a first ciphertext.
In one example, the first wifi device automatically generates a plaintext, called the first plaintext, when it needs to establish a communication connection with the second wifi device; it may also generate the first plaintext each time it is powered on.
In another example, the first wifi device was previously connected to the second wifi device and the connection was lost because of a power failure, a poor wifi signal or the like. The first wifi device can detect whether it has been disconnected from the second wifi device and, if so, generate a first plaintext; that is, the first wifi device generates the first plaintext when it confirms the disconnection from the second wifi device.
The first wifi device pre-stores a key, which may be identification information of the first wifi device, for example its Media Access Control (MAC) address, its Serial Number (SN), or both the MAC address and the SN. The first plaintext may be a random number string, and the first wifi device encrypts the random number string with its identification information to obtain the first ciphertext.
Step 2: the first wifi device broadcasts a probe request (Probe Request), where the probe request includes the generated first plaintext and first ciphertext.
For example, the probe request broadcast by the first wifi device may carry an extended Information Element (IE), and the extended IE carries a first plaintext and a first ciphertext.
For example, the first wifi device may store frequency band information of the broadcast probe request in advance, and the first wifi device may broadcast the probe request on the pre-stored frequency band. Specifically, the first wifi device may broadcast a probe request on each available channel on the pre-saved frequency band.
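As an added example (not code from the patent), the following Python builds and parses a vendor-specific information element that carries the first plaintext and first ciphertext inside the probe request's element list. The patent does not specify the element layout, so the OUI, the type byte and the two one-byte length fields are constructed assumptions; element ID 221 is the 802.11 vendor-specific element, and IDs 0 and 1 in the sample are the SSID and Supported Rates elements. The parser refuses truncated elements and inconsistent length fields rather than reading past the end of the buffer, which is the check a receiving device must make before trusting any field in a broadcast frame.

```python
"""Carrying the first plaintext and first ciphertext in a probe-request IE.
Added example; the OUI, type byte and length fields are constructed
assumptions, not the patent's element format."""

VENDOR_SPECIFIC_IE = 221        # 802.11 element ID for vendor-specific elements
SSID_IE, SUPPORTED_RATES_IE = 0, 1
EXAMPLE_OUI = b"\x00\x00\x00"   # placeholder OUI, not a real vendor's
PROBE_AUTH_TYPE = 0x01          # placeholder vendor type byte


def build_probe_auth_ie(first_plaintext: bytes, first_ciphertext: bytes) -> bytes:
    """Vendor IE body: OUI | type | len(plaintext) | len(ciphertext) | plaintext | ciphertext."""
    if len(first_plaintext) > 255 or len(first_ciphertext) > 255:
        raise ValueError("field too long for a one-byte length")
    body = (EXAMPLE_OUI
            + bytes([PROBE_AUTH_TYPE, len(first_plaintext), len(first_ciphertext)])
            + first_plaintext + first_ciphertext)
    if len(body) > 255:
        raise ValueError("IE body exceeds 255 bytes")
    return bytes([VENDOR_SPECIFIC_IE, len(body)]) + body


def sample_probe_ies(first_plaintext: bytes, first_ciphertext: bytes) -> bytes:
    """Constructed probe-request element list: wildcard SSID, basic rates, then the vendor IE."""
    wildcard_ssid = bytes([SSID_IE, 0])
    rates = bytes([SUPPORTED_RATES_IE, 4, 0x02, 0x04, 0x0B, 0x16])  # 1, 2, 5.5, 11 Mbit/s
    return wildcard_ssid + rates + build_probe_auth_ie(first_plaintext, first_ciphertext)


def parse_ies(data: bytes):
    """Walk the TLV element list; reject anything truncated instead of reading past the end."""
    elements, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated element header")
        eid, length = data[i], data[i + 1]
        body = data[i + 2:i + 2 + length]
        if len(body) != length:
            raise ValueError("truncated element body")
        elements.append((eid, body))
        i += 2 + length
    return elements


def extract_probe_auth(data: bytes):
    """Return (first_plaintext, first_ciphertext) from the vendor IE, or None if absent."""
    for eid, body in parse_ies(data):
        if eid != VENDOR_SPECIFIC_IE or len(body) < 6:
            continue
        if body[:3] != EXAMPLE_OUI or body[3] != PROBE_AUTH_TYPE:
            continue
        lp, lc = body[4], body[5]
        if 6 + lp + lc != len(body):
            raise ValueError("length fields do not match element size")
        return body[6:6 + lp], body[6 + lp:6 + lp + lc]
    return None
```

The one-byte length field of an 802.11 element caps the combined plaintext and ciphertext at 249 bytes for this layout; a real implementation with longer payloads would split across several elements, which this example does not attempt.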
Step 3: the second wifi device receives the detection request (that is, the probe request) broadcast by the first wifi device, where the detection request includes the first plaintext and the first ciphertext. The first plaintext and the first ciphertext are used to enable a second wifi device receiving the detection request to verify whether the first wifi device is a legal wifi device that can be connected with the second wifi device.
The detection request broadcast by the first wifi device can be received by the second wifi device on each available channel on the preset frequency band.
Step 4: the second wifi device verifies whether the first wifi device is a legal wifi device that can be connected with the second wifi device according to the first plaintext, the first ciphertext and the at least one key stored by the second wifi device.
At least one key is pre-stored in the second wifi device, and each key is a key pre-stored in a legal wifi device that can be connected with the second wifi device. Specifically, the key may be identification information of the wifi device; for example, the at least one key stored in the second wifi device is the identification information corresponding to each legal wifi device that can be connected to the second wifi device.
Generally, when a user purchases a certain wifi device, the vendor can communicate with the user to determine which second wifi device the purchased wifi device is to establish a connection with, and to identify the key pre-configured and stored in the purchased wifi device. The vendor then uses the operator's Operation Support System (OSS) to issue the key pre-stored in the purchased wifi device to the corresponding second wifi device, so that the second wifi device stores the key of a legal wifi device that can be connected with it. By analogy, the second wifi device can store the keys pre-stored in each of several other wifi devices that can establish a connection with it.
In an example, the process by which the second wifi device pre-stores at least one key may be that the second wifi device receives and stores the keys issued by the service providing device, namely the keys pre-stored by the different first wifi devices that can be connected to the second wifi device. It should be noted that the process by which the operator OSS issues the key pre-stored by the first wifi device to the second wifi device may be completed using a communication mechanism of the operator's existing broadband service system, for example, protocols such as TR069 or SNMP + OMCI/OAM.
The second wifi device verifies whether the first wifi device is a legal wifi device that can be connected with the second wifi device according to the first plaintext, the first ciphertext and the at least one key stored by the second wifi device, and the verification can be achieved in, but is not limited to, the following two modes.
The first verification mode is as follows: the second wifi device encrypts the first plaintext with each of the at least one pre-stored key respectively to obtain at least one third ciphertext, and when a third ciphertext identical to the first ciphertext exists among the at least one third ciphertext, it can be determined that the first wifi device is a legal wifi device that can be connected with the second wifi device.
For example, 3 keys are pre-stored in the second wifi device, namely k1, k2 and k3, and the first plaintext is D. The second wifi device encrypts D with k1 to obtain a third ciphertext D1, encrypts D with k2 to obtain a third ciphertext D2, and encrypts D with k3 to obtain a third ciphertext D3. Assuming that the first ciphertext carried in the detection request is D2, the second wifi device determines that D2 among the third ciphertexts D1, D2 and D3 obtained by encryption is the same as the first ciphertext, so it can be determined that the first wifi device is a legal wifi device that can be connected with the second wifi device, and further that k2 pre-stored in the second wifi device is the key pre-stored in the first wifi device. Assuming instead that the first ciphertext carried in the probe request is D4, the second wifi device determines that none of the third ciphertexts D1, D2, D3 obtained by encryption is identical to the first ciphertext D4, so it can be determined that the first wifi device is not a legal wifi device that can be connected to the second wifi device.
The second verification mode is as follows: the second wifi device decrypts the first ciphertext by adopting at least one pre-stored secret key respectively to obtain at least one third plaintext respectively, and when the third plaintext identical to the first plaintext exists in the at least one third plaintext, the first wifi device can be determined to be a legal wifi device which can be connected with the second wifi device.
For example, 3 keys, namely k1, k2 and k3, are pre-stored in the second wifi device, and the first ciphertext is d. The second wifi device decrypts d with k1 to obtain a third plaintext d1, decrypts d with k2 to obtain a third plaintext d2, and decrypts d with k3 to obtain a third plaintext d3. Assuming that the first plaintext carried in the detection request is d3, the second wifi device determines that d3 among the third plaintexts d1, d2 and d3 obtained by decryption is the same as the first plaintext, so the first wifi device can be determined to be a legal wifi device that can be connected with the second wifi device, and further k3 pre-stored in the second wifi device is the key pre-stored in the first wifi device. Assuming instead that the first plaintext carried in the probe request is d4, the second wifi device determines that none of the third plaintexts d1, d2 and d3 obtained by decryption is identical to the first plaintext d4, so it can be determined that the first wifi device is not a legal wifi device that can be connected with the second wifi device.
After verifying that a certain first wifi device is a legal wifi device that can be connected with the second wifi device, the second wifi device can send a response message (Probe Response) to the first wifi device that passed verification. Within a period of time, several second wifi devices may each send response messages to the first wifi devices they have successfully verified, so the first wifi device should also perform security identity verification on each second wifi device that sends a response message, to determine whether that second wifi device is a legal wifi device that can be connected with the first wifi device. To facilitate the first wifi device's verification of the second wifi device, the second wifi device can generate a second plaintext, encrypt the second plaintext with the key pre-stored by the first wifi device, and carry the resulting second ciphertext in the response message sent to the first wifi device; the second ciphertext is used to enable the first wifi device to verify whether the second wifi device is a legal wifi device that can be connected with the first wifi device.
Step 5: after verifying that the first wifi device is a legal wifi device that can be connected with the second wifi device, the second wifi device generates a second plaintext and encrypts the second plaintext with the key corresponding to the legal first wifi device to obtain a second ciphertext. When the second wifi device encrypts the second plaintext with the key, it may use an algorithm with a data integrity check function to obtain the second ciphertext, or it may use an algorithm without a data integrity check function to obtain the second ciphertext.
The key corresponding to the legal wifi device may be the key corresponding to the third ciphertext that is the same as the first ciphertext, such as k2 in the example of the first verification mode, or the key corresponding to the third plaintext that is the same as the first plaintext, such as k3 in the example of the second verification mode.
When the second wifi device generates the second plaintext, one implementable way is to generate a random number string and use the generated random number string as the second plaintext. Another implementable way is to determine the second plaintext according to the SSID information to which the second wifi device belongs. Specifically, a digest algorithm and a coding/decoding mode are pre-stored in the second wifi device; the second wifi device calculates digest data of its SSID information with the pre-stored digest algorithm, and codes the SSID information together with the digest data using the pre-stored coding/decoding mode to obtain the second plaintext.
The above digest algorithm includes, but is not limited to: a Cyclic Redundancy Check (CRC) algorithm, the Message-Digest algorithm MD5, a Secure Hash Algorithm (SHA), and the like.
Whether the second wifi device specifically uses the random number string as the second plaintext or determines the second plaintext according to the SSID information may be determined depending on which connection method the second wifi device selects to connect with the first wifi device. The communication connection mode between the wifi devices comprises two modes of WPS pairing connection and SSID information connection. If the second wifi device selects to establish communication connection with the first wifi device in a WPS pairing mode, the random number string can be selected as a second plaintext, and if the second wifi device selects to establish communication connection with the first wifi device through SSID information, the second plaintext can be determined according to the SSID information.
The second wifi device can agree in advance with the first wifi device which kind of mode is adopted to determine the second plaintext, and the second wifi device can also send a notification message to the first wifi device to notify the first wifi device which kind of mode is adopted to determine the second plaintext.
In the first embodiment, taking the case where the second wifi device determines the second plaintext from the SSID information as an example, how the first wifi device performs security verification on the second wifi device is described, with reference to the steps after step 5 in fig. 2.
Step 6.1: the second wifi device sends a response message to the first wifi device, where the response message includes a second ciphertext obtained by encrypting the first SSID information to which the second wifi device belongs. Specifically, after determining the second ciphertext, the second wifi device carries it in the response message and sends it to the first wifi device. The frequency band for sending the response message can be stored in the second wifi device in advance; the second wifi device sends the response message on the pre-stored frequency band, and can send it to the first wifi device on each available channel on that band. It should be noted that when the second wifi device encrypts the second plaintext with an algorithm having a data integrity check function to obtain the second ciphertext, decryption with a key different from the one used for encryption cannot succeed, that is, the second plaintext cannot be recovered. When the second wifi device encrypts the second plaintext with an algorithm without a data integrity check function, decryption with a different key can still succeed, but the plaintext obtained by decryption differs from the second plaintext used for encryption, that is, the decrypted second plaintext is incorrect.
The above algorithms with data integrity check function include, but are not limited to, AES-CCM, AES-GCM, etc. Algorithms without data integrity checking functionality include, but are not limited to: AES-ECB, AES-CBC, AES-CFB, AES-OFB, AES-CTR mode, DES, 3DES and other algorithms.
Step 6.2: the first wifi device receives the response message sent by the second wifi device, where the response message includes the second ciphertext. The response message received by the first wifi device is sent by the second wifi device after it has verified that the first wifi device is a legal wifi device that can be connected with the second wifi device.
Specifically, the frequency band information of receiving the response message can be pre-stored in the first wifi device, the first wifi device can receive the response message on the pre-stored frequency band, and in the example, the first wifi device can receive the response message sent by the second wifi device on each available channel on the pre-stored frequency band.
Step 6.3: and the first wifi device decrypts the second ciphertext in the response message by adopting the pre-stored secret key, and determines whether the second wifi device is a legal wifi device which can be connected with the first wifi device according to a decryption result.
Specifically, when the first wifi device determines whether the second wifi device is a legal wifi device that can be connected to the first wifi device according to the decryption result, the following implementable modes are available:
the first method is as follows: the first wifi device and the second wifi device agree to adopt an algorithm with a data integrity verification function to encrypt and decrypt the second plaintext, and the second wifi device can be considered as a legal wifi device which can be connected with the first wifi device as long as decryption of the first wifi device is successful. The following are exemplified: and the first wifi equipment determines whether the response message is decrypted successfully or not, if the decryption is successful, the second wifi equipment is determined to be legal wifi equipment which can be connected with the first wifi equipment, otherwise, the second wifi equipment is determined to be legal wifi equipment which cannot be connected with the first wifi equipment.
In addition, the third plaintext obtained by successful decryption includes second SSID information and first digest data of the second SSID information, where the second SSID information is the first SSID information to which the second wifi device described above belongs.
The second mode is as follows: the first wifi device and the second wifi device are preset to use an algorithm without a data integrity check function to encrypt and decrypt the second plaintext. Even if the first wifi device decrypts successfully, it cannot determine that the second wifi device is a legal wifi device that can be connected with the first wifi device, and needs to further verify whether the decrypted plaintext is correct.
Specifically, the first wifi device decrypts the second ciphertext with its pre-stored key to obtain a third plaintext. Next, the first wifi device decodes the third plaintext using the pre-stored coding/decoding mode; the decoded third plaintext comprises second SSID information and first digest data of the second SSID information, and the first wifi device extracts the first digest data from the decoded third plaintext. The second SSID information is the first SSID information to which the second wifi device belongs. The first wifi device then calculates second digest data of the second SSID information with the pre-stored digest algorithm; if the first digest data is the same as the second digest data, the second wifi device is determined to be a legal wifi device that can be connected with the first wifi device, otherwise the second wifi device is determined not to be a legal wifi device that can be connected with the first wifi device.
In the second mode, the first wifi device and the second wifi device pre-store the same encryption and decryption algorithm, the same digest algorithm and the same coding/decoding mode.
Step 6.4: the first wifi device establishes a communication connection with the second wifi device according to the second SSID information in the decrypted third plaintext. That is, after the first wifi device determines that the second wifi device is a legal wifi device that can be connected with the first wifi device, the first wifi device may further establish a communication connection with the second wifi device according to the decrypted second SSID information (i.e. the first SSID information to which the second wifi device belongs).
The process of establishing a communication connection between wifi devices through SSID information may refer to the 802.11 wireless local area network standard and is not described in detail here.
The SSID information may be encoded as shown in Table 1 below:
TABLE 1 (provided as an image in the original; its contents are not available in the text)
Referring next to the second embodiment process shown in fig. 3, the process includes:
the implementation process of steps 1 to 5 is the same as that of steps 1 to 5 in the processing process of the first embodiment shown in fig. 2, and will not be repeated here. In the second embodiment, taking the second wifi device determining the second plaintext according to the random number string as an example, how the first wifi device performs security verification on the second wifi device is described, specifically referring to the steps after step 5 in fig. 3.
Step 7.1: and the second wifi equipment sends a response message to the first wifi equipment, wherein the response message comprises a second ciphertext, and the second ciphertext is obtained by encrypting the random number string.
When the second wifi device encrypts the second plaintext with the key, it can use an algorithm with a data integrity check function to obtain the second ciphertext. When the first wifi device decrypts, if the key is incorrect, decryption cannot succeed and no plaintext is recovered; conversely, as long as the key is correct, a plaintext is decrypted and verification can be considered successful. In this case the response message need only carry the second ciphertext.
When the second wifi device encrypts the second plaintext by using the secret key, the second plaintext may also be encrypted by using an algorithm without a data integrity check function, so as to obtain a second ciphertext. When the first wifi device decrypts, even if the secret key is not correct, the plaintext can be obtained through decryption, and in order to achieve effective verification of the second wifi device, the response message also needs to carry a second plaintext generated by the second wifi device.
Step 7.2: and the first wifi equipment receives a response message sent by the second wifi equipment, wherein the response message comprises a second ciphertext.
Step 7.3: the first wifi device decrypts the second ciphertext in the response message with its pre-stored key, and determines whether the second wifi device is a legal wifi device that can be connected with the first wifi device according to the decryption result. When the first wifi device determines, according to the decryption result, whether the second wifi device is a legal wifi device that can be connected with it, the following implementable modes are available:
the first method is as follows: if the first wifi device and the second wifi device agree to adopt the algorithm with the data integrity check function to encrypt and decrypt the second plaintext, the second wifi device can be considered as a legal wifi device which can be connected with the first wifi device as long as the first wifi device successfully decrypts the second ciphertext.
The second mode is as follows: the first wifi device and the second wifi device are preset to use an algorithm without a data integrity check function to encrypt and decrypt the second plaintext. Even if the first wifi device decrypts successfully, it cannot directly determine that the second wifi device is a legal wifi device that can be connected with the first wifi device, and needs to further verify whether the decrypted plaintext is correct. Specifically, after the first wifi device decrypts the second ciphertext with its key to obtain the third plaintext, it still needs to determine whether the third plaintext is the same as the second plaintext included in the received response message; if so, the second wifi device is determined to be a legal wifi device that can be connected with the first wifi device, otherwise it is determined not to be.
Step 7.4: when the second wifi device uses the generated random number string as the second plaintext, after determining that the first wifi device is a legal wifi device that can be connected with it (that is, a third ciphertext identical to the first ciphertext exists among the at least one third ciphertext, or a third plaintext identical to the first plaintext exists among the at least one third plaintext), the second wifi device can send a message indicating that it has started the Wi-Fi Protected Setup (WPS) pairing function to the first wifi device, so as to request the first wifi device to establish a communication connection.
Step 7.5: after the first wifi device determines that the second wifi device is a legal wifi device that can be connected with it, the first wifi device can likewise send a message indicating that it has started the Wi-Fi Protected Setup (WPS) pairing function to the second wifi device, so as to request the second wifi device to establish a communication connection.
In this way, through step 7.4 and step 7.5 the first wifi device and the second wifi device can establish a communication connection via the WPS pairing function; the specific connection procedure may refer to the Wi-Fi Simple Configuration Technical Specification and is not described here in detail.
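Both directions of the check, as one added example that is not code from the patent: the second wifi device's step 4 verification against its list of stored keys (both verification modes), the first embodiment's step 6.3 decode-and-recompute-digest check, the second embodiment's step 7.3 comparison against the random second plaintext, and a with-integrity-check variant for the first mode of either embodiment. The wide-block Feistel cipher (HMAC-SHA256 round function), the SSID encoding (length byte, SSID, CRC32 digest) and every name below are constructed assumptions standing in for the AES modes and digest algorithms the text lists; the byte strings used as keys play the role of the MAC/SN identification information.

```python
"""Mutual verification with a list of pre-stored device keys.
Added example: the Feistel cipher, the SSID encoding and all names are
constructed assumptions, not the patent's own algorithms."""
import hashlib
import hmac
import struct
import zlib


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, i: int, half: bytes, n: int) -> bytes:
    # Round function: HMAC-SHA256 under the device key, truncated to n bytes.
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:n]


def feistel_encrypt(key: bytes, data: bytes) -> bytes:
    """Deterministic, length-preserving keyed permutation over 2..64 bytes,
    standing in for the 'no integrity check' modes (ECB-style) the text lists."""
    if not 2 <= len(data) <= 64:
        raise ValueError("data must be 2..64 bytes")
    left, right = data[: len(data) // 2], data[len(data) // 2:]
    for i in range(4):
        left, right = right, _xor(left, _round(key, i, right, len(left)))
    return left + right


def feistel_decrypt(key: bytes, data: bytes) -> bytes:
    left, right = data[: len(data) // 2], data[len(data) // 2:]
    for i in reversed(range(4)):
        left, right = _xor(right, _round(key, i, left, len(right))), left
    return left + right


# --- second wifi device, step 4: which stored key (if any) produced the probe? ---
def verify_probe_by_encrypting(stored_keys, first_plaintext, first_ciphertext):
    """Mode one: re-encrypt the first plaintext under every stored key; a match names the key."""
    for key in stored_keys:
        if hmac.compare_digest(feistel_encrypt(key, first_plaintext), first_ciphertext):
            return key
    return None


def verify_probe_by_decrypting(stored_keys, first_plaintext, first_ciphertext):
    """Mode two: decrypt the first ciphertext under every stored key and compare plaintexts."""
    for key in stored_keys:
        if hmac.compare_digest(feistel_decrypt(key, first_ciphertext), first_plaintext):
            return key
    return None


# --- first embodiment: second plaintext = coded SSID plus its digest ---
def encode_ssid(ssid: bytes) -> bytes:
    return bytes([len(ssid)]) + ssid + struct.pack(">I", zlib.crc32(ssid))


def decode_ssid(plaintext: bytes):
    """Return the SSID only if the length field and the CRC32 digest both agree."""
    if len(plaintext) < 5 or len(plaintext) != 1 + plaintext[0] + 4:
        return None
    ssid, digest = plaintext[1:-4], plaintext[-4:]
    if not hmac.compare_digest(struct.pack(">I", zlib.crc32(ssid)), digest):
        return None
    return ssid


def make_ssid_response(key: bytes, ssid: bytes) -> bytes:
    return feistel_encrypt(key, encode_ssid(ssid))


def verify_ssid_response(key: bytes, second_ciphertext: bytes):
    """Step 6.3, mode two: decrypt, decode, recompute the digest; None means reject."""
    return decode_ssid(feistel_decrypt(key, second_ciphertext))


# --- second embodiment: second plaintext = random string sent alongside the ciphertext ---
def verify_random_response(key: bytes, second_ciphertext: bytes, second_plaintext: bytes) -> bool:
    """Step 7.3, mode two: the decrypted third plaintext must equal the sent second plaintext."""
    return hmac.compare_digest(feistel_decrypt(key, second_ciphertext), second_plaintext)


# --- mode one of either embodiment: cipher with an integrity check ---
def encrypt_with_tag(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC stand-in for AES-CCM/GCM: ciphertext || 16-byte tag."""
    c = feistel_encrypt(key, plaintext)
    return c + hmac.new(key, c, hashlib.sha256).digest()[:16]


def decrypt_with_tag(key: bytes, data: bytes):
    """With the wrong key the tag fails, so decryption itself fails (returns None)."""
    c, tag = data[:-16], data[-16:]
    if not hmac.compare_digest(hmac.new(key, c, hashlib.sha256).digest()[:16], tag):
        return None
    return feistel_decrypt(key, c)
```

The two probe-verification functions are the same loop seen from either side of the cipher; mode one needs the cipher to be deterministic (the verifier must reproduce the exact ciphertext), which is why a randomised mode would only fit mode two. All comparisons use `hmac.compare_digest` so that a device iterating over many stored keys does not leak, through timing, how far a guessed ciphertext matched.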
Based on the same inventive concept as the communication connection method, as shown in fig. 4, an embodiment of the present application further provides a communication connection device 400, where the communication connection device 400 is configured to perform an operation performed by a first wifi device in the communication connection method, and the communication connection device 400 includes: a processing unit 401 and a transceiver unit 402.
The processing unit 401 is configured to generate a first plaintext, and encrypt the first plaintext with a pre-stored key to obtain a first ciphertext;
the transceiver unit 402 is configured to broadcast a detection request, where the detection request includes the first plaintext and the first ciphertext, and the first plaintext and the first ciphertext are used to enable a second wifi device that receives the detection request to verify whether the device is a valid wifi device that can be connected to the second wifi device; receiving a response message sent by a second wifi device, wherein the response message comprises a second ciphertext and is sent by the second wifi device after the second wifi device is verified to be a legal wifi device which can be connected with the second wifi device;
the processing unit 401 is further configured to decrypt the second ciphertext with the key, and determine whether the second wifi device is a valid wifi device that can be connected to the device according to a decryption result.
In an example, the second ciphertext is obtained by the second wifi device encrypting the first Service Set Identifier (SSID) information to which the second wifi device belongs;
the processing unit 401 is specifically configured to decrypt the second ciphertext with the key to obtain a third plaintext; decode the third plaintext using a pre-stored coding/decoding mode, where the decoded third plaintext comprises second SSID information and first digest data of the second SSID information, and extract the first digest data from the decoded third plaintext; and calculate second digest data of the second SSID information with a pre-stored digest algorithm, and if the first digest data is the same as the second digest data, determine that the second wifi device is a legal wifi device that can be connected with the device, otherwise determine that the second wifi device is not a legal wifi device that can be connected with the device.
For example, the processing unit 401 is further configured to establish a communication connection with the second wifi device according to the decrypted second SSID information after it is determined that the second wifi device is a legal wifi device capable of being connected with the device.
In an example, the response message further includes a second plaintext, where the second plaintext is a random number string;
the processing unit 401 is specifically configured to decrypt the second ciphertext with the key to obtain a third plaintext, determine that the second wifi device is a legal wifi device that can be connected to the device if the third plaintext is the same as the second plaintext, and otherwise determine that the second wifi device is not a legal wifi device that can be connected to the device.
For example, after the processing unit 401 determines that the second wifi device is a legal wifi device that can be connected to the device, the transceiver unit 402 is further configured to send a message indicating that the device has started the Wi-Fi Protected Setup (WPS) pairing function to the second wifi device, so as to request to establish a communication connection with the second wifi device.
In an example, the second ciphertext is obtained by the second wifi device encrypting the first Service Set Identifier (SSID) information to which the second wifi device belongs, or the second ciphertext is obtained by the second wifi device encrypting a random number string;
the processing unit 401 is specifically configured to determine that the second wifi device is a legal wifi device that can be connected to the device if decryption is determined to be successful, and otherwise determine that the second wifi device is not a legal wifi device that can be connected to the device.
For example, the processing unit 401 is specifically configured to generate the first plaintext when being powered on; or generating the first plaintext when the disconnection with the second wifi device is confirmed.
For example, the transceiver unit 402 is specifically configured to broadcast the probe request on each available channel on the preset frequency band; and receiving response messages sent by the second wifi device on each available channel on the preset frequency band.
Illustratively, the device further comprises a memory unit 404 for storing program steps executed by the processing unit 401.
Or, the communication connection device 400 is configured to perform the operations performed by the second wifi device in the communication connection method:
the transceiver unit 402 is configured to receive a detection request broadcasted by a first wifi device, where the detection request includes a first plaintext and a first ciphertext;
the processing unit 401 is configured to encrypt the first plaintext by using at least one pre-stored key respectively to obtain at least one third ciphertext respectively, or decrypt the first ciphertext by using the at least one key respectively to obtain at least one third plaintext, where the at least one key is a key pre-stored by different first wifi devices that can be connected to the device respectively; when a third ciphertext identical to the first ciphertext exists in the at least one third ciphertext or a third plaintext identical to the first plaintext exists in the at least one third plaintext, generating a second plaintext, and encrypting the second plaintext by using a key corresponding to the third ciphertext identical to the first ciphertext or by using a key corresponding to the third plaintext identical to the first plaintext to obtain a second ciphertext;
the transceiving unit 402 is further configured to send a response message to the first wifi device, where the response message includes the second ciphertext, and the second ciphertext is used to enable the first wifi device to verify whether the device is a legal wifi device that can be connected to the first wifi device.
Illustratively, the processing unit 401 is specifically configured to calculate, with a pre-stored digest algorithm, digest data of the SSID information of the service set to which the device belongs, and to code the SSID information together with the digest data using a pre-stored coding/decoding mode to obtain the second plaintext; or to use a generated random number string as the second plaintext.
For example, if a random number string is generated as a second plaintext, the response message further includes the second plaintext.
For example, if a random number string is generated as the second plaintext, then after it is determined that a third ciphertext identical to the first ciphertext exists among the at least one third ciphertext, or that a third plaintext identical to the first plaintext exists among the at least one third plaintext, the transceiver unit 402 is further configured to send a message indicating that the device has started the Wi-Fi Protected Setup (WPS) pairing function to the first wifi device, so as to request to establish a communication connection with the first wifi device.
For example, the processing unit 401 is further configured to receive and store, through the transceiving unit 402, keys that are issued by the service providing device and pre-stored by different first wifi devices that can be connected to the device.
For example, the transceiver unit 402 is specifically configured to receive, on each available channel on a preset frequency band, a probe request broadcasted by the first wifi device; and sending a response message to the first wifi device on each available channel on a preset frequency band.
Based on the same inventive concept as the communication connection method, as shown in fig. 5, an embodiment of the present application further provides a communication connection device 500, where the communication connection device 500 is configured to perform an operation performed by a first wifi device or a second wifi device in the communication connection method, and the communication connection device 500 includes: a processor 501 and a transceiver 502, optionally including a memory 503. The processor 501 is configured to call a set of programs, and when the programs are executed, the processor 501 is enabled to execute the operations executed by the first wifi device or the second wifi device in the communication connection method. The memory 503 is used for storing programs executed by the processor 501. The functional module processing unit 401 in fig. 4 may be implemented by the processor 501, the transceiver unit 402 may be implemented by the transceiver 502, and the storage unit 403 may be implemented by the memory 503.
The processor may be a Central Processing Unit (CPU), a Network Processor (NP), or a combination of a CPU and an NP.
The processor may further include a hardware chip or other general purpose processor. The hardware chip may be an application-specific integrated circuit (ASIC), a Programmable Logic Device (PLD), or a combination thereof. The aforementioned PLDs may be Complex Programmable Logic Devices (CPLDs), field-programmable gate arrays (FPGAs), General Array Logic (GAL) and other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, etc., or any combination thereof. A general purpose processor may be a microprocessor or the processor may be any conventional processor or the like.
It will also be appreciated that the memory referred to in the embodiments of the application may be volatile memory or non-volatile memory, or may include both volatile and non-volatile memory. The non-volatile memory may be a read-only memory (ROM), a programmable ROM (PROM), an erasable PROM (EPROM), an electrically erasable PROM (EEPROM), or a flash memory. The volatile memory may be a random access memory (RAM), which acts as an external cache. By way of example, but not limitation, many forms of RAM are available, such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), synchronous link DRAM (SLDRAM), and direct Rambus RAM (DR RAM). It should be noted that the memory described herein is intended to comprise, without being limited to, these and any other suitable types of memory.
The embodiment of the application provides a computer-readable storage medium, wherein computer-readable instructions are stored in the computer-readable storage medium, and when the computer reads and executes the computer-readable instructions, the computer is enabled to execute the operation executed by the first wifi device or the second wifi device in the communication connection method.
The embodiment of the application provides a computer program product, and when a computer reads and executes the computer program product, the computer is enabled to execute the operation executed by the first wifi device or the second wifi device in the communication connection method.
The embodiment of the application provides a chip, which is coupled with a memory and used for reading and executing a software program stored in the memory so as to realize the operation executed by a first wifi device or a second wifi device in the communication connection method.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While the preferred embodiments of the present application have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims be interpreted as including preferred embodiments and all alterations and modifications as fall within the scope of the application.
It will be apparent to those skilled in the art that various changes and modifications may be made in the embodiments of the present application without departing from the spirit and scope of the embodiments of the present application. Thus, if such modifications and variations of the embodiments of the present application fall within the scope of the claims of the present application and their equivalents, the present application is also intended to encompass such modifications and variations.

Claims (19)

1. A method of communication connection, comprising:
a first wifi device generating a first plaintext, and encrypting the first plaintext with a pre-stored key to obtain a first ciphertext;
the first wifi device broadcasting a probe request, wherein the probe request comprises the first plaintext and the first ciphertext, and the first plaintext and the first ciphertext are used for enabling a second wifi device that receives the probe request to verify whether the first wifi device is a legal wifi device which can be connected with the second wifi device;
the first wifi device receiving a response message sent by the second wifi device, wherein the response message comprises a second ciphertext, and the response message is sent by the second wifi device after it has verified that the first wifi device is a legal wifi device which can be connected with the second wifi device; and
the first wifi device decrypting the second ciphertext with the key, and determining, according to the decryption result, whether the second wifi device is a legal wifi device which can be connected with the first wifi device.
2. The method of claim 1, wherein the second ciphertext is obtained by the second wifi device encrypting first service set identifier (SSID) information of the service set to which the second wifi device belongs;
and the first wifi device determining, according to the decryption result, whether the second wifi device is a legal wifi device which can be connected with the first wifi device comprises:
the first wifi device decrypting the second ciphertext with the key to obtain a third plaintext;
the first wifi device decoding the third plaintext with a pre-stored encoding and decoding scheme, wherein the decoded third plaintext comprises second SSID information and first digest data of the second SSID information, and the first wifi device extracting the first digest data from the decoded third plaintext; and
the first wifi device calculating second digest data of the second SSID information with a pre-stored digest algorithm, and if the first digest data is the same as the second digest data, determining that the second wifi device is a legal wifi device which can be connected with the first wifi device, wherein the second SSID information is used for enabling the first wifi device to establish a communication connection with the second wifi device, and otherwise determining that the second wifi device is a legal wifi device which cannot be connected with the first wifi device.
3. The method of claim 1, wherein the response message further comprises a second plaintext, the second plaintext being a random number string;
and the first wifi device determining, according to the decryption result, whether the second wifi device is a legal wifi device which can be connected with the first wifi device comprises:
the first wifi device decrypting the second ciphertext with the key to obtain a third plaintext, and if the third plaintext is the same as the second plaintext, determining that the second wifi device is a legal wifi device which can be connected with the first wifi device, and otherwise determining that the second wifi device is a legal wifi device which cannot be connected with the first wifi device.
4. The method of claim 1, wherein the second ciphertext is obtained by the second wifi device encrypting first service set identifier (SSID) information of the service set to which the second wifi device belongs, or the second ciphertext is obtained by the second wifi device encrypting a random number string;
and determining, according to the decryption result, whether the second wifi device is a legal wifi device which can be connected with the first wifi device comprises:
if the decryption succeeds, determining that the second wifi device is a legal wifi device which can be connected with the first wifi device, and otherwise determining that the second wifi device is a legal wifi device which cannot be connected with the first wifi device.
5. The method of any one of claims 1 to 4, wherein the first wifi device broadcasting a probe request comprises:
the first wifi device broadcasting the probe request on each available channel of a preset frequency band;
and the first wifi device receiving a response message sent by the second wifi device comprises:
the first wifi device receiving the response message sent by the second wifi device on each available channel of the preset frequency band.
6. A method of communication connection, comprising:
a second wifi device receiving a probe request broadcast by a first wifi device, wherein the probe request comprises a first plaintext and a first ciphertext;
the second wifi device encrypting the first plaintext with each of at least one pre-stored key to obtain at least one third ciphertext, or decrypting the first ciphertext with each of the at least one key to obtain at least one third plaintext, wherein the at least one key is the key respectively pre-stored by each different first wifi device which can be connected with the second wifi device;
when a third ciphertext identical to the first ciphertext exists in the at least one third ciphertext, or a third plaintext identical to the first plaintext exists in the at least one third plaintext, the second wifi device generating a second plaintext, and encrypting the second plaintext with the key corresponding to the third ciphertext identical to the first ciphertext, or with the key corresponding to the third plaintext identical to the first plaintext, to obtain a second ciphertext; and
the second wifi device sending a response message to the first wifi device, wherein the response message comprises the second ciphertext, and the second ciphertext is used for enabling the first wifi device to verify whether the second wifi device is a legal wifi device which can be connected with the first wifi device.
7. The method of claim 6, wherein the second wifi device generating a second plaintext comprises:
the second wifi device calculating digest data of service set identifier (SSID) information of the service set to which the second wifi device belongs with a pre-stored digest algorithm, and encoding the SSID information and the digest data with a pre-stored encoding and decoding scheme to obtain the second plaintext; or
the second wifi device generating a random number string and using the random number string as the second plaintext.
8. The method of claim 7, wherein, if the second wifi device generates a random number string as the second plaintext, the response message further comprises the second plaintext.
9. The method of any one of claims 6 to 8, wherein the second wifi device pre-storing the at least one key comprises:
the second wifi device receiving and storing the keys issued by a service providing device, the keys being respectively pre-stored by the different first wifi devices which can be connected with the second wifi device.
10. The method of any one of claims 6 to 9, wherein the second wifi device receiving a probe request broadcast by the first wifi device comprises:
the second wifi device receiving the probe request broadcast by the first wifi device on each available channel of a preset frequency band;
and the second wifi device sending a response message to the first wifi device comprises:
the second wifi device sending the response message to the first wifi device on each available channel of the preset frequency band.
11. A communication connection device, the device being or being located in a first wifi device, characterized in that it comprises a transceiver and a processor;
the processor is configured to invoke a set of programs which, when executed, cause the processor to:
generate a first plaintext, and encrypt the first plaintext with a pre-stored key to obtain a first ciphertext;
broadcast a probe request through the transceiver, wherein the probe request comprises the first plaintext and the first ciphertext, and the first plaintext and the first ciphertext are used for enabling a second wifi device that receives the probe request to verify whether the first wifi device is a legal wifi device which can be connected with the second wifi device;
receive, through the transceiver, a response message sent by the second wifi device, wherein the response message comprises a second ciphertext, and the response message is sent by the second wifi device after it has verified that the first wifi device is a legal wifi device which can be connected with the second wifi device; and
decrypt the second ciphertext with the key, and determine, according to the decryption result, whether the second wifi device is a legal wifi device which can be connected with the first wifi device.
12. The device of claim 11, wherein the second ciphertext is obtained by the second wifi device encrypting first service set identifier (SSID) information of the service set to which the second wifi device belongs;
and the processor is specifically configured to: decrypt the second ciphertext with the key to obtain a third plaintext; decode the third plaintext with a pre-stored encoding and decoding scheme, wherein the decoded third plaintext comprises second SSID information and first digest data of the second SSID information, and extract the first digest data from the decoded third plaintext; and calculate second digest data of the second SSID information with a pre-stored digest algorithm, and if the first digest data is the same as the second digest data, determine that the second wifi device is a legal wifi device which can be connected with the first wifi device, wherein the second SSID information is used for enabling the first wifi device to establish a communication connection with the second wifi device, and otherwise determine that the second wifi device is a legal wifi device which cannot be connected with the first wifi device.
13. The device of claim 11, wherein the response message further comprises a second plaintext, the second plaintext being a random number string;
and the processor is specifically configured to decrypt the second ciphertext with the key to obtain a third plaintext, and if the third plaintext is the same as the second plaintext, determine that the second wifi device is a legal wifi device which can be connected with the first wifi device, and otherwise determine that the second wifi device is a legal wifi device which cannot be connected with the first wifi device.
14. The device of claim 11, wherein the second ciphertext is obtained by the second wifi device encrypting first service set identifier (SSID) information of the service set to which the second wifi device belongs, or the second ciphertext is obtained by the second wifi device encrypting a random number string;
and the processor is specifically configured to determine that the second wifi device is a legal wifi device which can be connected with the first wifi device if the decryption succeeds, and otherwise determine that the second wifi device is a legal wifi device which cannot be connected with the first wifi device.
15. The device of any one of claims 11 to 16, wherein the processor is specifically configured to broadcast the probe request through the transceiver on each available channel of a preset frequency band, and to receive, through the transceiver, the response message sent by the second wifi device on each available channel of the preset frequency band.
16. A communication connection device, the device being or being located in a second wifi device, characterized in that it comprises a transceiver and a processor;
the processor is configured to invoke a set of programs which, when executed, cause the processor to:
receive, through the transceiver, a probe request broadcast by a first wifi device, wherein the probe request comprises a first plaintext and a first ciphertext;
encrypt the first plaintext with each of at least one pre-stored key to obtain at least one third ciphertext, or decrypt the first ciphertext with each of the at least one key to obtain at least one third plaintext, wherein the at least one key is the key respectively pre-stored by each different first wifi device which can be connected with the second wifi device;
when a third ciphertext identical to the first ciphertext exists in the at least one third ciphertext, or a third plaintext identical to the first plaintext exists in the at least one third plaintext, generate a second plaintext, and encrypt the second plaintext with the key corresponding to the third ciphertext identical to the first ciphertext, or with the key corresponding to the third plaintext identical to the first plaintext, to obtain a second ciphertext; and
send, through the transceiver, a response message to the first wifi device, wherein the response message comprises the second ciphertext, and the second ciphertext is used for enabling the first wifi device to verify whether the second wifi device is a legal wifi device which can be connected with the first wifi device.
17. The device of claim 16, wherein the processor is specifically configured to: calculate digest data of service set identifier (SSID) information of the service set to which the second wifi device belongs with a pre-stored digest algorithm, and encode the SSID information and the digest data with a pre-stored encoding and decoding scheme to obtain the second plaintext; or generate a random number string and use the random number string as the second plaintext.
18. The device of any one of claims 16 to 17, wherein the processor is further configured to receive, through the transceiver, and store the keys issued by a service providing device, the keys being respectively pre-stored by the different first wifi devices which can be connected with the second wifi device.
19. The device of any one of claims 16 to 18, wherein the processor is specifically configured to receive, through the transceiver, the probe request broadcast by the first wifi device on each available channel of a preset frequency band, and to send, through the transceiver, the response message to the first wifi device on each available channel of the preset frequency band.
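The exchange of claims 1 to 8 carried through in Go, as an added example: this is not code from the patent or from Huawei. The page names no cipher, digest algorithm or encoding, so the example assumes AES-256-GCM under the pre-stored key, SHA-256 as the pre-stored digest algorithm, a length-prefixed layout (2-byte SSID length, SSID bytes, digest) as the pre-stored coding and decoding mode, and keys derived from labels in place of keys issued by the service providing device. The names ProbeRequest, ProbeResponse, FirstDevice, SecondDevice, ConstructedKey, seal, open and encodeSSIDRecord are all introduced here.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// ProbeRequest is the claim 1 probe request; ProbeResponse (claim 6) carries a clear Plaintext only in the random-string case of claim 8.
type ProbeRequest struct{ Plaintext, Ciphertext []byte }
type ProbeResponse struct{ Ciphertext, Plaintext []byte }

// FirstDevice (claims 1 to 5) holds one pre-stored key. SecondDevice (claims 6 to 10) holds one
// key per admissible first device (claim 9); UseRandom selects the random second plaintext.
type FirstDevice struct{ Key cipher.AEAD }
type SecondDevice struct{ SSID string; Keys []cipher.AEAD; UseRandom bool }

// ConstructedKey derives a demo AES-256-GCM key from a label (constructed for this example; the page names no cipher).
func ConstructedKey(label string) cipher.AEAD {
	k := sha256.Sum256([]byte("constructed-demo-key:" + label))
	block, _ := aes.NewCipher(k[:]) // a 32-byte key cannot fail
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing CSPRNG is unrecoverable on a device
	}
	return b
}

// seal and open lay each ciphertext out as nonce || AEAD output; with an AEAD a wrong key makes
// open fail outright, which is the signal claim 4 relies on.
func seal(key cipher.AEAD, plaintext []byte) []byte {
	nonce := randomBytes(key.NonceSize())
	return append(nonce, key.Seal(nil, nonce, plaintext, nil)...)
}
func open(key cipher.AEAD, ct []byte) ([]byte, error) {
	if n := key.NonceSize(); len(ct) >= n {
		return key.Open(nil, ct[:n], ct[n:], nil)
	}
	return nil, errors.New("ciphertext too short")
}

// encodeSSIDRecord is the assumed "pre-stored coding and decoding mode" of claim 7: a 2-byte
// big-endian SSID length, the SSID bytes, then the SSID's SHA-256 digest (assumed digest algorithm).
func encodeSSIDRecord(ssid string) []byte {
	digest := sha256.Sum256([]byte(ssid))
	rec := make([]byte, 2, 2+len(ssid)+sha256.Size)
	binary.BigEndian.PutUint16(rec, uint16(len(ssid)))
	return append(append(rec, ssid...), digest[:]...)
}

// BuildProbe generates a fresh random first plaintext and encrypts it under the key (claim 1).
func (d *FirstDevice) BuildProbe() ProbeRequest {
	pt := randomBytes(16)
	return ProbeRequest{Plaintext: pt, Ciphertext: seal(d.Key, pt)}
}

// HandleProbe takes the decrypt-and-compare branch of claim 6 (a randomized AEAD never reproduces
// a ciphertext, so encrypt-and-compare is unavailable here); a probe matching no key gets no reply.
func (d *SecondDevice) HandleProbe(req ProbeRequest) (ProbeResponse, bool) {
	for _, k := range d.Keys {
		if third, err := open(k, req.Ciphertext); err != nil || !bytes.Equal(third, req.Plaintext) {
			continue
		}
		if d.UseRandom { // claim 8: the random second plaintext travels beside its ciphertext
			second := randomBytes(16)
			return ProbeResponse{Ciphertext: seal(k, second), Plaintext: second}, true
		}
		return ProbeResponse{Ciphertext: seal(k, encodeSSIDRecord(d.SSID))}, true
	}
	return ProbeResponse{}, false
}

// VerifyResponse is claims 2 to 4: failed decryption rules the responder out; otherwise the random
// string is compared directly, or the SSID record is decoded and its digest recomputed.
func (d *FirstDevice) VerifyResponse(resp ProbeResponse) (ssid string, ok bool) {
	third, err := open(d.Key, resp.Ciphertext)
	if err != nil {
		return "", false // claim 4: decryption under the pre-stored key failed
	}
	if resp.Plaintext != nil { // claim 3
		return "", bytes.Equal(third, resp.Plaintext)
	}
	n := len(third) - 2 - sha256.Size // claim 2: record is length || SSID || digest
	if n < 0 || int(binary.BigEndian.Uint16(third)) != n {
		return "", false
	}
	ssid = string(third[2 : 2+n])
	want := sha256.Sum256([]byte(ssid))
	return ssid, bytes.Equal(third[2+n:], want[:])
}
```

The second device takes the decrypt-and-compare branch of claim 6 rather than the encrypt-and-compare branch: a randomized AEAD never reproduces the first ciphertext, so the latter presupposes a deterministic cipher. The GCM tag is also what gives claim 4's "decryption succeeded" test its meaning; with an unauthenticated cipher, decryption under a wrong key yields garbage rather than an error, and the first device would have to rely on the digest or plaintext comparison of claims 2 and 3 alone. A probe that matches no stored key receives no response at all, as claim 6 only sends the response after a match.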
CN201811325444.7A 2018-11-08 2018-11-08 Communication connection method and device Pending CN111163468A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811325444.7A CN111163468A (en) 2018-11-08 2018-11-08 Communication connection method and device

Publications (1)

Publication Number Publication Date
CN111163468A true CN111163468A (en) 2020-05-15

Family

ID=70555523

Country Status (1)

Country Link
CN (1) CN111163468A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114189536A (en) * 2021-11-30 2022-03-15 上海木蚁机器人科技有限公司 Two-way communication control method, system, electronic equipment and storage medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102223633A (en) * 2011-07-06 2011-10-19 华为技术有限公司 Method, device and system for authenticating wireless local area network (WLAN)
CN105553981A (en) * 2015-12-18 2016-05-04 成都三零瑞通移动通信有限公司 Rapid authentication and key negotiation method for WLAN
CN106034028A (en) * 2015-03-17 2016-10-19 阿里巴巴集团控股有限公司 Terminal equipment authentication method, apparatus and system thereof

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication
Application publication date: 20200515