EP3925253A1 - Récupération de clé réseau, envoi de clé réseau, gestion de récupération de clé réseau, terminal, serveur de médiation et point d'accès les mettant en ?uvre - Google Patents
Récupération de clé réseau, envoi de clé réseau, gestion de récupération de clé réseau, terminal, serveur de médiation et point d'accès les mettant en ?uvreInfo
- Publication number
- EP3925253A1 EP3925253A1 EP20711230.1A EP20711230A EP3925253A1 EP 3925253 A1 EP3925253 A1 EP 3925253A1 EP 20711230 A EP20711230 A EP 20711230A EP 3925253 A1 EP3925253 A1 EP 3925253A1
- Authority
- EP
- European Patent Office
- Prior art keywords
- terminal
- network key
- access point
- mediation server
- network
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000011084 recovery Methods 0.000 title claims abstract description 128
- 230000005540 biological transmission Effects 0.000 title claims description 88
- 238000000034 method Methods 0.000 claims abstract description 115
- 238000004891 communication Methods 0.000 claims description 60
- 238000007726 management method Methods 0.000 claims description 41
- 238000012795 verification Methods 0.000 claims description 12
- 230000008569 process Effects 0.000 claims description 7
- 230000004913 activation Effects 0.000 description 52
- 238000010586 diagram Methods 0.000 description 18
- 230000001960 triggered effect Effects 0.000 description 18
- 230000009471 action Effects 0.000 description 11
- 238000010200 validation analysis Methods 0.000 description 7
- 238000013475 authorization Methods 0.000 description 4
- 230000006870 function Effects 0.000 description 4
- 238000011423 initialization method Methods 0.000 description 4
- 230000003993 interaction Effects 0.000 description 4
- 238000004364 calculation method Methods 0.000 description 3
- 238000004590 computer program Methods 0.000 description 2
- 238000000605 extraction Methods 0.000 description 2
- 230000003287 optical effect Effects 0.000 description 2
- 101001077535 Emericella nidulans (strain FGSC A4 / ATCC 38163 / CBS 112.46 / NRRL 194 / M139) Nicotinate hydroxylase hnxS Proteins 0.000 description 1
- 101000666098 Homo sapiens WAP four-disulfide core domain protein 12 Proteins 0.000 description 1
- 102100038089 WAP four-disulfide core domain protein 12 Human genes 0.000 description 1
- 230000010354 integration Effects 0.000 description 1
- 238000004377 microelectronic Methods 0.000 description 1
- 238000004806 packaging method and process Methods 0.000 description 1
- 238000012545 processing Methods 0.000 description 1
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/06—Network architectures or network communication protocols for network security for supporting key management in a packet data network
- H04L63/061—Network architectures or network communication protocols for network security for supporting key management in a packet data network for key exchange, e.g. in peer-to-peer networks
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/04—Key management, e.g. using generic bootstrapping architecture [GBA]
- H04W12/043—Key management, e.g. using generic bootstrapping architecture [GBA] using a trusted network node as an anchor
- H04W12/0433—Key management protocols
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/03—Protecting confidentiality, e.g. by encryption
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/04—Key management, e.g. using generic bootstrapping architecture [GBA]
- H04W12/043—Key management, e.g. using generic bootstrapping architecture [GBA] using a trusted network node as an anchor
- H04W12/0431—Key distribution or pre-distribution; Key agreement
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/06—Authentication
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/06—Authentication
- H04W12/069—Authentication using certificates or pre-shared keys
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/50—Secure pairing of devices
Definitions
- a network key recovery method, a network key sending method, a network key recovery management method, a terminal, a mediation server and an access point are provided.
- the network key is in particular a key for associating a terminal with an access point via a wireless network such as the Wifi network (registered trademark).
- a terminal computer, smartphone, printer, camera, etc.
- a wireless network in particular WiFi
- an access point device to a communication network
- a communication network in particular an Internet router or a gateway between a private network and a public network such as the Internet
- the access points are equipped with a network key also called WEP key (Wired Equivalent Privacy in English for "intimacy equivalent to the wired” that is to- ie securing wireless access), WAP (Wifi Protected Access in English or Wifi protected access) or WAP2 (registered trademarks) depending on the standard used.
- WEP key Wired Equivalent Privacy in English for "intimacy equivalent to the wired” that is to- ie securing wireless access
- WAP Wi Protected Access in English or Wifi protected access
- WAP2 registered trademarks
- the network key can be simply written on the access point device, also called access point by abuse of language (for example on a label directly affixed to the access point and / or a label affixed to the packaging access point).
- the user wishing to connect a tablet via the WiFi network to this access point will enter the WiFi key read on the access point during a connection request to this access point on his tablet.
- This first connection is therefore tedious because the network keys are often long to avoid the risk of intrusion into the private network.
- the security of the network depends on where the access point is located because if it is accessible to a large number of people, this will be reduced since the network key is easily readable.
- This network key can be modified by users by means of an access point interface accessible via the Internet (either directly on an Internet page or via an application dedicated to the access point, such as the My Livebox application - brand filed). The risk is then the forgetting of the network key modified by the user preventing any new association of terminal with the access point, that is to say addition of terminal to the private network managed by the access point. access.
- the network key affixed to the access point can be either replaced or combined with a barcode or QR code type code comprising the network key.
- the security of the private network again depends on the location of the access point and its physical accessibility by third parties.
- the WPS standard (Wifi Protected Setup in English for secure Wifi initialization) also proposes to facilitate this first connection by proposing to generate a random network key that is stronger than the network key provided by the access point manufacturer. So that this random network key is known to the two devices to be associated: the access point and the terminal (tablet, printer, smartphone ...), the WPS protocol comprises a series of message exchanges between the access point and the terminal following an action by the user of the terminal which when the series of exchanges is carried out successfully ends with the indication that the protocol is complete allowing the transmission of the random network key and the first connection of the terminal to the access point.
- the WPS standard provides for several operating modes:
- NFC mode in which the user brings the terminal near the access point to enable NFC (Near Field Communication) communication.
- WPS exchanges are carried out between the terminal and the access point via the Wifi network following the action of the user (sends a PIN code to the access point and / or presses the push buttons).
- One of the aims of the present invention is to remedy the drawbacks of the state of the art.
- An object of the invention is a method for recovering the network key of a point of access to a network implemented by a terminal, the network key allowing the terminal to be associated with the access point during the first connection of the terminal to the access point, the network key recovery method comprising a reception by a terminal of a network key sent via a mediation server by an access point, the terminal having been identified by the mediation server by means of an association prior to the first connection of an identifier of the terminal and an identifier of the access point.
- the key is not easily retrievable by a third party since it is neither displayed on the access point nor transmitted by the access point directly to the terminal, in particular via a local radio network such as Wifi or Bluetooth. (registered trademarks). This limits intrusions into the private network managed by the access point, particularly intrusions linked to the vulnerability of the local radio network.
- the network key recovery method comprises, prior to reception of the network key, a transmission of a network key request by the terminal to the mediation server.
- the network key is only received by the terminal on request from the terminal, preventing the terminal from keeping a network key in its memory. This limits, if the terminal were the object of an intrusion by a third party, the risks of recovery of the network key by a third party directly in the terminal and therefore of intrusion into the private network managed by the access point.
- the issuance of a network key request triggers at least one of the following steps:
- the establishment of the communication session allows that, as soon as the terminal requests it, the transmission of the network key by the mediation server can be effected upon receipt thereof by the mediation server.
- the network key recovery method comprises decryption of the received network key.
- the decryption is performed by means of a private key generated by the terminal with a public key sent to the mediation server by the terminal during an association, carried out prior to the implementation of the recovery method, from the terminal to the Mediation Server, the network key having been encrypted with the public key by the Mediation Server.
- An object of the invention is also a method for sending a network key from an access point to a network implemented by an access point, the network key allowing a terminal to be associated with the point of access. 'access during the first connection of the terminal to the access point, the method of sending a network key comprising a transmission of a network key by an access point via a mediation server at a terminal, the terminal having been identified by the mediation server by means of an association prior to the first connection of an identifier of the terminal and of an identifier of the access point.
- the transmission of the network key consists of the transmission of a message to the mediation server, the message comprising the network key and an identifier of the access point allowing the mediation server to determine an identifier of the terminal associated with the. access point identifier prior to the first connection.
- the network key sending method comprises actuation of an actuatable device of the access point triggering the transmission of the network key.
- the transmission of the network key by the access point to the mediation server is performed in a secure manner.
- An object of the invention is also a method for managing network key recovery of an access point to a network implemented by a mediation server, the network key allowing a terminal to be associated with the point of 'access during the first connection of the terminal to the access point, the method for managing the recovery of the network key comprising a transmission by the mediation server to a terminal of a network key received from an access point, the mediation server having identified the terminal by means of an association prior to the first connection of an identifier of the terminal and of an identifier of the access point.
- the recovery management method comprises, prior to transmission, encryption of the network key.
- the various steps of the method according to the invention are implemented by software or computer program, this software comprising software instructions intended to be executed by a data processor of a device forming part of ... and being designed to control the execution of the various steps of this process.
- the invention therefore also relates to a program comprising program code instructions for the execution of the steps of at least one of the following methods:
- This program can use any programming language and be in the form of source code, object code or intermediate code between source code and object code such as in a partially compiled form or in any other desirable form.
- An object of the invention is also a terminal comprising an interface for retrieving the network key of an access point to a network implemented by a terminal, the network key allowing the terminal to be associated with the access point during the first connection of the terminal to the access point, the recovery interface comprising a receiver of a network key sent via a mediation server by an access point, the terminal having been identified by the mediation server at the way an association prior to the first connection of an identifier of the terminal and an identifier of the access point.
- An object of the invention is also a mediation server comprising a network key recovery manager of an access point to a network implemented by a mediation server, the network key allowing a terminal to be associated. at the access point during the first connection of the terminal to the access point, the network key recovery manager comprising a transmitter to a terminal of a network key received from an access point, the mediation server having identified the terminal by means of an association prior to the first connection of an identifier of the terminal and an identifier of the access point.
- An object of the invention is also an access point to a network comprising a network key supplier, the network key allowing the terminal to be associated with the access point during the first connection of the terminal to the access point.
- the network key provider comprising a sender of a message via a mediation server to a terminal, the message comprising the network key of the access point, the terminal having been identified by the mediation server by means of an association prior to the first connection of an identifier of the terminal and an identifier of the access point.
- FIG 1 Figure 1
- Figure 2 Figure 2
- Figure 2 a simplified initialization diagram of a network key recovery method according to the invention
- FIG 3 Figure 3, a simplified diagram of a method for sending a network key according to the invention
- FIG 4 Figure 4, a simplified diagram of a method for managing network key recovery according to the invention
- FIG 5 a simplified diagram of a method for associating a mediation server with a terminal during the initialization of a method for recovering a network key according to the invention
- FIG 6 Figure 6, a simplified diagram of exchanges during the implementation of network key sending, network key recovery management and network key recovery methods according to the invention
- FIG 7 Figure 7, a simplified diagram of a communication architecture implementing the invention
- FIG 8a Figure 8a, a simplified diagram of a communication architecture comprising a terminal, a mediation server and an access point according to the invention, detailing the devices implemented during the prior association of a access point identifier with a terminal identifier
- Figure 8b a simplified diagram of a communication architecture comprising a terminal, a mediation server and an access point according to the invention, detailing the devices implemented during the initialization of the key collector terminal network
- FIG 8c Figure 8c, a simplified diagram of a communication architecture comprising a terminal, a mediation server and an access point according to the invention, detailing the devices implemented during the implementation of the data collector. network key of the terminal.
- Figure 1 illustrates a simplified diagram of a network key recovery method according to the invention.
- the method NK_RVY for recovering a network key of an access point to a network implemented by a terminal T The network key nk allows the terminal T to be associated with the access point PA during the first connection of the terminal T to the access point PA.
- the network key recovery method NK_RVY comprises a REC reception by a terminal T of a network key nk sent via a mediation server SM by an access point PA.
- the terminal T was identified by the mediation server SM by means of an association prior to the first connection of an identifier of the terminal TJd and an identifier of the access point PJd.
- the method for recovering NK_RVY of a network key comprises, prior to the reception REC of the network key nk, a transmission NKRQ_EM of a request for a network key nk rq by the terminal T to the mediation server SM.
- the NKRQ_EM issuance of a network key request triggers at least one of the following steps:
- the mediation server SM a verification by the mediation server SM that the terminal T which issued the request nk rq corresponds to the terminal T whose identifier TJd is associated with an identifier of the access point PAJd.
- the method for recovering the network key NK_RVY comprises a DCRPT decryption of the received network key nk * .
- the DCRPT decryption is performed by means of a private key ck pv generated by the terminal T with a public key ck pb sent to the mediation server SM by the terminal T during an association SM_ASS, carried out prior to the setting.
- the prior association with the SM_ASS mediation server allows ok the implementation of the recovery of the network key NK_RVY, in particular by authorizing the start of the recovery process NK_RVY_ST.
- the authorization message is sent following the generation of the pair of asymmetric keys (ck pv , ck pb ), in particular as soon as the public key ck pb of this pair of keys is transmitted to the mediation server SM and / or as soon as the private key ck pv is recorded in the terminal T, in particular in a memory T_MEM of the terminal T, such as a database, a memory card, etc.
- the method for recovering the network key NK_RVY comprises a step of starting the method NK RVY ST.
- This starting step NK RVY ST is in particular triggered by a st cmd action of a user U, for example on an input interface of the terminal or by means of a capture interface, such as a voice interface, a camera, etc.
- the user U can indicate to the terminal T that he wishes the latter to recover the network key of the access point PA whose identifier PAJd has been previously associated with an identifier of the terminal TJd.
- the NK_RVY_ST start step is not authorized if the terminal T has not been previously associated with a mediation server SM by means of a pair asymmetric keys (ck;: V. ck pb ).
- the start of the recovery of the NK_RVY_ST network key directly generates a cnx cmd command which controls a transmission of an NKRQ EM request.
- the start of the recovery of the NK_RVY_ST network key generates an rpr cmd reproduction command which controls the CPT_RPR reproduction of a cpt rq message to the access point PA.
- the reproduced message cpt rq asks a user U of the terminal T to interact with the access point PA.
- the CPT_RPR reproduction sends the NKRQ_EM network key request issuance the cnx cmd command which controls the NKRQ_EM request issuance.
- the transmission of request NKRW_EM sends a request for a network key nk rq to a mediation server SM, in particular the mediation server previously associated SM_ASS with the terminal T.
- the request for network key nk rq includes in particular an identifier of the requesting terminal T_id: nk_rq (T_id).
- the transmission of the network key request nk rq directly or indirectly triggers the establishment of a communication session between the terminal and the mediation server T / SM_SS allowing transmission of the network key nk of the mediation server SM to terminal T.
- the network key of the access point PA can be transmitted from the mediation server SM to the terminal T without processing nk, encrypted nk * (in particular by means of the public key ck pb ), integrated in a message mssg ( nk), embedded encrypted in an mssg (nk * ) message, embedded in an encrypted message mssg * (nk), etc.
- the T / SM_SS communication session between the terminal and the mediation server is in particular a Web socket securing the transmission of the network key.
- the network key nk received by the terminal of the mediation server is possibly received by the mediation server SM of the access point PA during the period of execution of the method for retrieving the network key by the terminal T.
- the recovery of the network key on the mediation server by a third party is limited to the time during which the method for recovering the network key by the terminal is being executed.
- the method for recovering the network key NK_RVY comprises a DCRPT decryption using in particular the private key ck pv to decrypt the encrypted message mssg * (nk) and / or the encrypted network key received nk * or the encrypted message received mssg * ( nk).
- the private key ck pv possibly used by the DCRPT decryption is read by the decryption in a memory of the terminal T_MEM in which it has been previously recorded in particular during the prior association of the terminal with the mediation server SM_ASS.
- the use of asymmetric keys to encrypt / decrypt the network key before / after its transmission between the mediation server and the terminal further reduces the risk of recovery of the network key by a third party, thereby reducing the risks of intrusion into the private network managed by the access point PA.
- the method for recovering the network key NK_RVY comprises an extraction MSSG_XTR to extract from the received message, possibly decrypted, mssg (nk * ), mssg (nk) the encrypted network key or not nk * , nk.
- the method for recovering the NK_RVY network key comprises a collection of the NK_CLT network key comprising one or more of the following steps:
- the network key nk thus received, or even collected, can be used during a first connection PA_CNX from the terminal T to the access point PA.
- the network key nk is temporarily stored in the terminal T for a first subsequent connection of the terminal T to the access point PA
- FIG. 2 illustrates a simplified diagram of initialization of a network key recovery method according to the invention.
- the NKAPPJNIT initialization method comprises associating the terminal with the SM_ASS mediation server prior to the NK_RVY network key recovery method, in particular as illustrated in FIG. 1.
- the NKAPPJNIT initialization method comprises a NKAPP_LD loading of the network key recovery method by the terminal T, in particular from an application server APP_S.
- the network key recovery process is notably loaded in the form of an nkapp application.
- the NKAPPJNIT initialization method comprises an execution of the initialization of the NKAPP_XI network key recovery method.
- the execution of the initialization is in particular triggered init_trg by the end of the NKAPP_LD loading.
- the execution of the NKAPP_XI initialization notably controls the association of the terminal with the SM_ASS mediation server and possibly other steps (not illustrated) such as the initialization of at least one parameter useful for the execution of the recovery method.
- network key such as in particular reading an identifier of the terminal T_id, and / or searching for an address of a mediation server, etc.
- the association with the SM_ASS mediation server notably sends an association request ass rq from the terminal T to the mediation server SM.
- the association with the SM_ASS mediation server comprises a generation CK_GN of a pair of asymmetric keys (ck pv , ck pb ).
- the private key ck pv is recorded in a memory of the terminal T_MEM and the public key ck pb transmitted via a first network N1 to the mediation server SM.
- the public key ck pb is possibly associated with an identifier of the terminal T_id during its transmission to the mediation server, such as the identifier of the terminal T_id previously associated with an identifier of an access point PA id.
- the association request message ass rq includes the public key ck pb and / or an identifier of the terminal TJd: ass_rq (ck pb ), ass_rq (ck pb T_id), ass_rq (T_id), ...
- the association with the mediation server SM_ASS comprises a reception of the activation code of the association AC_RC from the mediation server SM via a second network N2.
- the act cd activation code is received by the terminal T from the mediation server SM having received a public key ck pb from the terminal T. It allows the mediation server SM to trigger validation of the authentication of the sender of the association request by means of the activation code.
- the reception of the activation code AC_RC receives an authentication message auth mssg comprising the activation code act cd: auth_mssg (act_cd).
- the association with the mediation server SM_ASS comprises a transmission of the activation code AC_EM from the terminal T to the mediation server SM via the first network N1.
- the reception of the activation code AC_RC provides the activation code act cd to the transmission of the activation code AC_EM after possibly having extracted the activation code act cd from an authentication message received auth mssg.
- the association with the mediation server SM_ASS comprises a validation of the sender of the association request T_VD comprising the reception of the activation code AC_RC from the mediation server SM via a second network N2 followed by the transmission of the activation code AC_EM to the mediation server SM via the first network N1.
- the first network N1 is in particular a mobile Internet network such as the 4G network, the transmission of the public key is carried out in particular over a secure Internet link such as https;
- the second network N2 is in particular a 3G mobile telephone network
- the transmission of the activation code of the public key is for example an SMS, MMS or a control SMS, etc.
- the association with the SM_ASS mediation server includes switching from the network key recovery method to operational NKAPP OP.
- Switching to operational NKAPP OP notably provides an authorization command nk_rvy_ok for executing the recovery of network key NK_RVY, in particular at the start of the method for recovering network key NK RVY ST.
- FIG. 3 illustrates a simplified diagram of a method of sending a network key according to the invention.
- the method of sending the network key NK_SND from an access point to a network is implemented by an access point PA, the network key nk allowing a terminal T to be associated with the access point PA when the terminal T is connected for the first time to the access point PA.
- the method of sending network key NK_SND comprises sending a network key NK_EM by an access point PA via a mediation server SM to a terminal T.
- the terminal T has been identified by the mediation server SM by means of an association prior to the first connection of an identifier of the terminal T_id and of an identifier of the access point PA id.
- the transmission of the NK_EM network key comprises the transmission of information comprising the network key of the access point PA and an identifier of this access point (nk, PA id).
- the issuance of the network key NK_EM retrieves the network key nk from a memory of the PA_MEM access point: database, encrypted memory, etc.
- the issuance of the NK_EM network key consists of the issuance of an mssg nk message to the mediation server SM.
- the message mssg nk includes the network key nk and an identifier of the access point PA id allowing the mediation server SM to determine an identifier of the terminal T_id associated with the identifier of the access point PA id prior to the first connection.
- the method for sending the NK_SND network key comprises a CPT actuation of an operable device of the access point triggering nk sh trg the issuance of the NK_EM network key.
- a message cpt rq reproduced as illustrated in FIG. 1 asks a user U of the terminal T to perform an interaction with the access point PA. User U then performs the interaction c which triggers the CPT actuation.
- the message cpt rq reproduced by the terminal T generates an interaction c of the terminal T directly with the access point PA placed near which the terminal T is placed.
- the interaction c of the terminal T with the access point PA triggers the CPT actuation.
- the method for sending network key NK_SND comprises a request for establishment SM_CNX_STB of a connection of the access point PA with a mediation server SM.
- the request to establish a connection with the mediation server SM_CNX_STB sends a request to establish a connection stb_rq to the mediation server SM.
- the stb_rq connection establishment request includes in particular an identifier of the access point PA id: stb_rq (PA_id).
- the request for establishment SM_CNX_STB of a connection of the access point PA with a mediation server SM triggers an establishment of a communication session between the access point and the mediation server PA / SM_SS capable of allowing a transmission of network key nk of the access point PA to the mediation server SM.
- the transmission of network key NK EM transmits via this communication session PA / SM SS.
- the PA / SM_SS communication session between the access point and the mediation server is in particular a Web socket securing the transmission of the network key.
- the NK_EM transmission of the network key by the access point to the mediation server is carried out in a secure manner, for example via a secure hypertext link https, or IPSEC, or via a tunnel such as VPN, etc.
- Figure 4 illustrates a simplified diagram of a network key recovery management method according to the invention.
- the method for managing network key recovery NK_MNGT from an access point PA to a network is implemented by a mediation server SM, the network key nk allowing a terminal T- to be associated with the point d 'PA access when the terminal T- is first connected to the PA access point.
- the network key recovery management method NK_MNGT comprises a transmission NK_TR, EM by the mediation server M to a terminal T-, of a network key nk received from an access point PA.
- the mediation server SM identified the terminal T-i by means of a T / PA_ASS association prior to the first connection of an identifier of the terminal T-iJd and an identifier of the access point PA.
- FIG. 4 further illustrates the association T / PA_ASS prior to the first connection of an identifier of a terminal T-iJd and of an identifier of an access point PA.
- This association of T / PA_ASS identifiers is implemented by a server, in particular the mediation server SM.
- the pair of identifiers thus associated (T-iJd, PA id) is notably recorded in a memory of the server SM_MEM, such as a database ...
- the network key recovery management method NK_MNGT comprises, prior to a network key transmission EM, a CRPT encryption of the network key nk.
- the emission EM sends the encrypted network key nk * or data or message mssg comprising the encrypted network key nk * .
- FIG. 4 also illustrates a T_ASS association of a terminal T 2 to the mediation server transmitting the network key.
- the mediation server receives from the terminal T-, an encryption key, such as a public key ck pb allowing the mediation server SM to encrypt data, if necessary the network key nk, prior to their transmission NK_TR, EM to the terminal T-
- other data such as the identifier of the terminal T-iJd are transmitted in association with the encryption key ck pb .
- the mediation server SM stores the data received from the terminal T- ,, in particular the encryption key ck pb , for example in a memory or database SM_MEM.
- the method for managing the recovery of the network key NK_MNGT comprises a CRPT encryption using in particular the public key ck pb to encrypt a message mssg (nk) and / or the network key nk to be sent.
- the public key ck pb possibly used by the CRPT encryption is read by the encryption in a memory of the mediation server SM_MEM in which it has been previously recorded in particular during the prior association of the terminal with the mediation server SM ASS.
- the use of asymmetric keys to encrypt / decrypt the network key before / after its transmission between the mediation server and the terminal further reduces the risk of recovery of the network key by a third party, thereby reducing the risks of intrusion into the private network managed by the access point PA.
- the network key recovery management method NK_MNGT comprises a generation of message MSSG_GN to create a message to be sent, possibly encrypted, mssg (nk * ), mssg (nk) comprising the network key whether or not nk * , nk encrypted.
- the method for managing the recovery of the NK_MNGT network key comprises a transmission of the NK_TR network key comprising one or more of the following steps:
- the method for managing the recovery of network key NK_MNGT comprises reception of network key NK_REC by the mediation server SM of an access point PA.
- the reception NK_REC allows the mediation server SM to receive a network key nk allowing a terminal Ti, T 2 to be associated with the access point PA.
- the NK_MNGT network key recovery management method comprises, prior to receiving the NK_REC network key, an establishment PA_CNX_STB of a connection of the access point PA with a mediation server SM.
- the connection establishment with the PA_CNX_STB Mediation Server receives a stb_rq connection establishment request from the PA access point.
- the stb_rq connection establishment request includes an identifier of the access point PA id: stb_rq (PA_id).
- the establishment PA_CNX_STB of a connection of the access point PA with a mediation server SM triggers PA_cnx_trg an establishment of a communication session between the access point and the PA / SM_SS mediation server capable of allowing a transmission of network key nk of the access point PA to the mediation server SM.
- PA_cnx_trg an establishment of a communication session between the access point and the PA / SM_SS mediation server capable of allowing a transmission of network key nk of the access point PA to the mediation server SM.
- the reception of network key NK_EM receives the network key nk via this communication session PA / SM_SS.
- the network key recovery management method NK_MNGT comprises a search ASS_DT of the terminal Ti whose identifier T-iJd has been previously associated with an identifier PA id of the access point PA whose network key nk has been received by the NK_MNGT network key recovery management method.
- the ASS_DT search is performed using an identifier of the access point PA id received with the network key nk: (nk, PA id).
- the ASS_DT search includes in particular a reading of the terminal identifier T-iJd stored in a memory of a server S_MEM, SM_MEM in association with an identifier of the access point PA id which provided the network key nk.
- the NK MNGT network key recovery management method comprises, prior to the transmission of the network key NK_TR, EM, a T_CNX_STB establishment of a connection of the terminal T-, determined by the ASS_DT search with the mediation server SM.
- the establishment T_CNX_STB of a connection of the mediation server SM with the determined terminal Ti triggers T_cnx_trg an establishment of a communication session between the mediation server and the determined terminal Ti: T / SM_SS able to allow the transmission NK_TR, EM of network key nk of the mediation server SM to the determined terminal T- ,.
- T_cnx_trg an establishment of a communication session between the mediation server and the determined terminal Ti: T / SM_SS able to allow the transmission NK_TR, EM of network key nk of the mediation server SM to the determined terminal T- ,.
- the transmission of network key NK_TR, EM emits the network key nk via this communication session
- the NK MNGT network key recovery management method comprises, prior to the transmission of the NK_TR, EM network key, a T_CNX_STB establishment of a connection d 'a terminal T 2 with a mediation server SM.
- the connection establishment with the mediation server T_CNX_STB receives a connection establishment request stb_rq from a terminal T 2 , also called a second terminal.
- the stb_rq connection establishment request comprises in particular an identifier of the second terminal T ⁇ / cf: stb_rq (T2_id).
- the establishment T_CNX_STB of a connection of the second terminal T 2 with a mediation server SM triggers T_cnx_trg an establishment of a communication session between the second terminal T 2 and the mediation server T / SM_SS capable of allowing key transmission network nk from the mediation server SM to the terminal T 2 .
- the transmission of the network key NK_TR, EM transmits, where appropriate, the network key nk via this communication session T / SM_SS.
- the NK MNGT network key recovery management method comprises, prior to the transmission of the NK_TR, EM network key, an ASS_VFY check if the second terminal T 2 corresponds to the terminal, also called the first terminal, T ! whose identifier T-iJd has been previously associated with an identifier PAJd of the access point PA from which the reception NK REC has received the network key nk.
- the ASS_VFY check includes the ASS_DT search for the first terminal Ti whose identifier T-i_id has been previously associated with an identifier PA id of the access point PA whose network key nk has been received by the management method of NK_MNGT network key recovery.
- the ASS_DT search is performed on the basis of an identifier of the access point PA id received with the network key nk: (nk, PA id).
- the ASS_DT search includes in particular a reading of the terminal identifier T-iJd stored in a memory of a server S_MEM, SM_MEM in association with an identifier of the access point PA id which provided the network key nk.
- the NK_MNGT network key recovery management method comprises a timing TM triggered ign by the establishment of the connection with the terminal T_CNX_STB.
- the timing TM makes it possible to authorize the transmission of the network key to the terminal Ti, T 2 connected for a limited time D M.
- the timing TM comprises an inverted countdown of the time from a maximum duration D M.
- the TM timing is stopped A_stp directly or indirectly by the reception of the network key NK_REC from the access point PA.
- timing TM includes timing MN counting time upward from the trigger ign of timing TM.
- the MN timing is stopped A_stp directly or indirectly by the reception of the network key NK_REC coming from the access point PA.
- the timing MN then provides a time A counted down between the triggering instant ign, that is to say the instant of establishment of a connection between the mediation server SM and the terminal T- ,, T 2 and the instant of reception of the network key from the access point PA.
- the timing TM then comprises a comparison of the measured time A with the maximum duration D M: D ⁇ D M ?
- the MN timing is stopped (in reverse count or not) directly by the reception of the network key NK_REC, it is the reception NK_REC that sends the timing (without intermediate step) the A_stp command.
- the MN timing is stopped (in reverse count or not) indirectly by the reception of the network key NK_REC, it is the ASS_VFY verification carried out following the reception of the network key NK_REC which sends to the timing (without intermediate step) the A_stp command, in particular on condition that the ASS_VFY check authorizes the transmission [Y] (this reduces the costs of calculations).
- the remaining timed time is not zero (reverse counting), or if the timed time A is less than or equal to the maximum duration D M: [Y], then the transmission of the network key NK_TR , EM is allowed.
- the timed time is zero (reverse countdown), or if the timed time A is greater than the maximum duration D M: [N], then the network key recovery management process NK_MNGT is stopped without transmission of the key network at terminal Ti, T 2 .
- the NK_MNGT network key recovery management method comprising both the ASS_VFY verification of the terminal identifier and the TM timing, it is sufficient that at least one of the two steps among the ASS_VFY verification and the timing TM commands stp stop without transmission of the network key so that the NK_MNGT network key recovery management process is stopped stp without transmission of the network key.
- the timing MN receives the network key nk from the reception NK_REC and provides it, if the maximum duration D M is not exceeded:
- MN timing receives or retrieves:
- the ASS_VFY check receives or recovers:
- an identifier of the access point PA id of the access point from which the mediation server SM received the network key nk in particular directly from the reception of the network key NK_REC or from the establishment of a connection with the access point PA_CNX_STB or indirectly from MN timing (for example, only when this allows the transmission of the network key to reduce calculation costs), and / or
- the mediation server SM an identifier of the second terminal T2_id, that is to say the terminal T2 to which the mediation server SM is connected, in particular directly from the establishment of connection with the second terminal T_CNX_STB when the establishment ignites the timing connection with the second terminal T_CNX_STB or indirectly with MN timing (for example, only when this authorizes transmission of the network key to reduce calculation costs),
- FIG. 5 illustrates a simplified diagram of a method for associating a mediation server with a T_ASS terminal during the initialization of a method for retrieving an NKAPPJNIT network key according to the invention.
- the association of the terminal T with the mediation server T_ASS comprises in particular a receipt of an association request ass rq from the terminal T to the mediation server SM.
- the public key ck pb was generated during generation of a pair of asymmetric keys (ck pv , ck pb ) by the terminal T.
- the public key received ck pb is possibly received associated with an identifier of the terminal T_id during its reception CK_REC by the mediation server SM, such as the identifier of the terminal T_id previously associated with an identifier of an access point PA id.
- the association with the terminal T_ASS comprises sending an activation code for the association AUTH_RQ to the terminal T via a second network N2.
- the act cd activation code is sent by the mediation server SM to the terminal T having sent the public key ck pb received. It allows the SM mediation server to trigger a validation the authentication of the issuer of the association request by means of the activation code.
- the transmission of the activation code AUTH_RQ sends an authentication message auth mssg comprising the activation code act cd: auth_mssg (act_cd).
- the association with the terminal T_ASS includes receipt of the activation code VD_REC from the terminal T by the mediation server SM via the first network N1.
- the association with the terminal T_ASS includes authentication of the terminal sending the association request T_AUTH comprising the transmission of the activation code AUTH_RQ by the mediation server SM via a second network N2 followed by the reception of the code d 'VD_REC activation by the mediation server SM via the first network N1.
- the association method T_ASS comprises a triggering of the passage of the network key recovery method in operational NK_APP_TRG by sending an ok trigger message to the terminal T .
- An embodiment of at least one of the methods illustrated by Figures 1 to 5 is a program comprising program code instructions for performing the steps of at least one of the following methods:
- FIG. 6 illustrates a simplified diagram of the exchanges during the implementation of the methods of sending network key, managing network key recovery and recovering network key according to the invention.
- the identifiers of a terminal T_id and of an access point PA id are associated T / P_ASS within a server, such as a server of a trusted third party or the mediation server according to the invention (cf. FIG. 4).
- the terminal T implements an association with a mediation server SM_ASS in particular by executing a method of initialization NKAPPJNIT of a method for retrieving a network key and the mediation server implements an association to a T_ASS terminal in particular by executing a method for initializing NKMNGTJNIT of a method for managing network key recovery.
- the association with the mediation server SM_ASS notably sends an association request ass rq from the terminal T to the mediation server SM.
- the association with the SM_ASS mediation server generates an asymmetric key pair (ck pv , ck pb ).
- the private key ck pv esl recorded in a memory of the terminal T_MEM and the public key ck pb transmitted to the mediation server SM.
- the issued public key ck pb is possibly associated with an identifier of the terminal T_id during its transmission to the mediation server, such as the identifier of the terminal T_id previously associated with an identifier of an access point PA id.
- the association request message ass rq includes the public key ck pb and / or an identifier of the terminal TJd: ass_rq (ck pb ), ass_rq (ck pb T_id), ass_rq (T_id), ...
- the association with the terminal T of the mediation server T_ASS notably comprises a reception of the association request ass rq from the terminal T to the mediation server SM.
- the public key ck pb received with this ass rq request is stored by the mediation server SM in a memory or database SM_MEM.
- the NKAPP INIT initialization methods of a network key recovery method and NKMNGTJNIT initialization of a network key recovery management method further implement, respectively, a validation of the sender of the association request T_VD and an authentication of the terminal sending the association request T_AUTH before registering the keys, respectively, private ck pv and public ck pv .
- the validation of the T_VD transmitter notably provides an authorization command nk_rvy_ok for executing the NK_RVY network key recovery process triggering the Phll network key recovery phase.
- the access point PA implements a method for sending a network key NK_SND
- the mediation server implements a method for managing the recovery of the NK MNGT network key
- the terminal T implements a method for recovering the network key NK_RVY.
- the NK_SND sending process includes an NK_EM transmission of a network key from the access point PA to a mediation server SM.
- the network key recovery management method NK_MNGT comprises a transmission NK_TR of the network key received from the access point PA by the mediation server SM, the network key nk is transmitted to the terminal T whose identifier TJd has been associated, during the preliminary phase Ph0, with the identifier of the access point PA which provided the network key nk.
- the method for recovering the network key NK RVY comprises a reception NK CLT, from the mediation server SM with which the terminal T was associated during the initialization phase Phi, of a network key of the access point PA of which l
- the identifier PAJd was associated with its identifier TJd during the preliminary phase PhO.
- the method for recovering the network key NK_RVY comprises a reproduction of a CPT_RPR message in particular triggered by a reproduction command l.rpr cmd.
- the l.rpr cmd reproduction command is generated in particular when starting the NK_RVY_ST recovery (see figure 1).
- the reproduced message is intended directly or indirectly for the access point PA whose identifier PJd was associated, during the preliminary phase PhO, with the identifier of the terminal T reproducing the message.
- the reproduced message is indirectly intended for the PA access point, it is notably read, listened to, etc. by a user U of the terminal T.
- the message in this case is a request for action 2.cpt_rq triggering an action 3.c from user U relative to the access point PA.
- the message 3.c is reproduced CPT_RPT by the terminal T.
- the NK_SND sending method comprises in particular a CPT capture respectively of the action of the user U relative to the access point or of the message reproduced by the terminal T: 3. c. CPT capture triggers 4.nk_sh_trg directly or indirectly the NK_EM issuance of the network key to the Mediation Server.
- the sending method includes a request to establish a connection of the access point with the SM_CNX_STB mediation server.
- the request to establish a connection between the access point and the SM_CNX_STB mediation server is triggered in particular by 4.nk_sh_trg by the CPT capture.
- the request to establish a connection between the access point and the mediation server SM_CNX_STB sends in particular, to the mediation server SM, a connection establishment request 5.stb_rq possibly including an identifier of the access point PA id : 5.stb_rq (PA_id).
- the NK_MNGT network key recovery management method includes establishing a connection from the mediation server with the access point PA_CNX_STB triggered by the connection establishment request 5.stb_rq from the access point PA. Establishing a connection from the Mediation Server to the PA_CNX_STB access point triggers 6. PA cnx trg to establish a communication session between the Mediation Server and the PA / SM_SS access point.
- the NK_EM broadcast sends 7'.nk the network key to the SM Mediation Server using this communication session between the Mediation Server and the PA / SM_SS access point.
- the network key recovery management method NK_MNGT comprises a reception of the network key NK_REC which receives the network key sent 7'.nk by the access point PA via the communication session PA / SM_SS established between the point d access PA and the SM mediation server.
- the reception of network key NK_REC supplies the received network key 8.nk to the transmission of network key NK TR.
- the method for recovering the network key NK_RVY comprises an NKRQ EM transmission of a request for a network key.
- the NKRQ EM network key request issuance is initiated 4'.cnx_cmd by the CPT RPR reproduction.
- the network key request NKRQ EM sends in particular, to the mediation server SM, a network key request 5'.nk_rq possibly comprising an identifier of the terminal T_id: 5'.nk_rq (T_id).
- This request for a network key NKRQ_EM is made in particular in parallel with the request for establishing a connection between the access point and the mediation server SM_CNX_STB of the NK SND sending method.
- the NK_MNGT network key recovery management method comprises establishing a connection from the mediation server to the T_CNX_STB terminal triggered by the network key request 5′.nk_rq coming from the terminal T.
- the establishment of a a connection from the mediation server to the T_CNX_STB terminal triggers 6 '.
- T_cnx_trg the establishment of a communication session between the Mediation Server and the T / SM_SS terminal.
- the NK_MNGT management method implements the steps of establishing the connection of the mediation server with the T_CNX_STB terminal and of establishing a connection of the mediation server with the access point PA_CNX_STB in parallel.
- the NK_MNGT management method implements the steps of establishing the connection of the mediation server with the terminal T_CNX_STB and of establishing a connection of the mediation server with the access point PA_CNX_STB simultaneously.
- the network key recovery management method includes an ASS_DT search (see FIG. 4 ) which makes it possible to search for the identifier of the terminal T_id associated with the identifier of the access point which provided the network key 7'.nk.
- the ASS_DT search then triggers the establishment of a T_CNX_STB connection with the terminal identified by the T search.
- the transmission of the network key NK_TR is triggered directly or indirectly by the establishment of the connection of the mediation server with the T CNX STB terminal.
- the network key recovery management method includes TM timing.
- establishing the Mediation Server connection with the T_CNX_STB terminal triggers 8'.tm_trg a TM timer.
- TM timing is stopped 8 ”.tm_stp by NK_REC receipt of a nk network key from the PA access point.
- the transmission of the NK_TR network key is triggered indirectly by the establishment of a connection with the T_CNX_STB terminal, it is the TM timing that triggers the transmission of the NK TR network key.
- the network key recovery management method includes an ASS_VFY check (see FIG. 4) which makes it possible to check whether the terminal T requesting the network key is the terminal whose identifier has been previously associated with an identifier of the network key.
- AP access point whose network key is requested.
- the ASS_VFY verification authorizes the transmission of the NK_TR network key if the verification is positive [Y].
- the transmission of the network key NK_TR includes CRPT encryption and / or an integration of the network key in a message or data packet MSSG_GN (cf. FIG. 4).
- the transmission of the network key NK_TR sends either the encrypted network key nk * or not nk, or an encrypted or unencrypted message comprising the encrypted network key mssg * (nk) or not mssg (n * ), mssg (nk), etc. : 11.
- nk, nk * , mssg (nk), mssg (nk * ), mssg * (nk) via the communication session T / SM_SS established between the terminal T and the communication server intended for the terminal T.
- the encryption is carried out using the public key ck pb stored during the initialization phase Phi.
- the collection of the network key NK_CLT comprises a DCRPT decryption and / or an MSSG_XTR extraction of the network key of a message or data packet comprising the network key received from the mediation server SM (cf. FIG. 4).
- the decryption is carried out using the private key ck pv stored during the initialization phase Phi.
- the NK_CLT collection provides in particular the received network key 13. nk, possibly decrypted and / or extracted in a method for associating the terminal with an access point PA_CNX which will be implemented in a later phase Phlll.
- FIG. 7 illustrates a simplified diagram of a communication architecture implementing the invention.
- system implemented by the invention consists of:
- the network key recovery device is implemented in particular in the form of a mobile application implemented by a processor of the communication terminal 1 y.
- a mediation server 2 placed between a communication terminal 1 y and an access point 3, such as a box (eg LiveBox, registered trademark) or a modem.
- the mediation server implements an exchange between the access point 3 and the terminal 1 y of a network key of the access point 3, in particular in an encrypted manner.
- the mediation server authenticates in particular the two actors of the system according to the invention, namely the communication terminal 1 y and the access point 3.
- the mediation server 2 therefore constitutes a pivot between the access point 3 and the communication terminal 1 y.
- an actuatable device triggering the transmission of the network key to the communication terminal 1 y, the actuatable device being implemented in the access point 3.
- the actuatable device is the WPS button on the access point 3, then the only action by user U of terminal 1 y is to press the WPS button on access point 3.
- the access point 3 is connected to the mediation server 2 via a communication network N1, in particular an Internet network.
- a communication network N1 in particular an Internet network.
- mediation server 2 is connected L2, N1 to network N1 by a TCP link (for "Transmission Control Protocol” in English or reliable transport protocol in French).
- TCP link for "Transmission Control Protocol” in English or reliable transport protocol in French.
- access point 3 is connected to network N1 by means of a TCP link and / or a dedicated link such as https or IPsec.
- the communication terminal 1 is connected there to the mediation server 2 via a communication network N1, in particular an Internet network.
- the mediation server 2 is connected LN1, 2 to the network N1 by a TCP link.
- the communication terminal 1 is connected there to the network N1 by means of a mobile data link such as 4G, 5G etc.
- FIGS. 8a, 8b and 8c illustrate simplified diagrams of a communication architecture comprising a terminal, a mediation server and an access point according to the invention, detailing the devices implemented respectively during the association previously d an identifier of the access point with an identifier of the terminal, during the initialization of the network key recuperator of the terminal, and during the implementation of the network key recuperator of the terminal.
- Figure 8a corresponds to an architecture implementing the prior association, in particular as illustrated by Figure 4.
- the architecture implementing the prior association includes:
- a server respectively a trusted third party server 4 or a mediation server 2 of the architecture implementing the network key recovery according to the invention.
- the terminal 1 y, 1 TC comprises an identifier transmitter 13 transmitting an identifier 4 ′.
- the identifier of the communication terminal is an identifier of at least one communication terminal of a user or a group of users (eg of a family) purchasing an access point from the seller and the access point identifier is an identifier of the access point sold.
- the identifier of the communication terminal is either the identifier of this communication terminal of the user 1 y, or an identifier of at at least one communication terminal of this user U or of a user group (for example of a family) comprising this user U recorded in a secure client file on a third party server, for example the trusted third party server 4.
- the identifier of the access point is an identifier of an access point recorded in a secure client file associated with this user U on a third party server, for example the trusted third party server 4.
- the server 2, 4 comprises an identifier receiver 401 receiving an identifier 4 'from the communication terminal 1 u, 1 T c. T_id of a communication terminal of a user 1 y and an identifier 4 ”.PA_id of an access point 3, in particular the identifiers sent by the terminal 1 u, 1 T c-
- the server 2, 4 comprises a coupler 412 associating the two identifiers provided 6 '. T_id and 6 ”.PA_id by receiver 401.
- the coupler 412 stores the associated identifiers 7. (T_id, PA id) in particular in a memory or database 419 possibly implemented in the server 2, 4.
- the server 2, 4 comprises a verifier 410 which determines whether all the identifiers necessary for the coupler 412 have been received. If all the identifiers have been received, the verifier 410 triggers 6 ”'. Ok the coupler 412.
- the server 2, 4 includes a requestor for identifiers 41 1 and / or a transmitter 420. If the verifier 410 determines that all the identifiers have not been received, for example when the receiver 401 has received only the terminal identifier 5 '. T_id, the verifier 410 triggers the requestor of identifiers 41 1 trg which generates an O.pp request to the terminal 1 y, 1 TC . The transmitter 420 sends the O.pp request to the terminal 1 y, 1 TC .
- the terminal 1 u, 1 TC comprises a reproduction interface 1 1.
- the reproduction interface 1 1 makes it possible in particular to reproduce the request for identifiers to, respectively, the user U, the trusted third party TC.
- the terminal 1 y, 1 TC comprises a capture and / or input interface 10.
- the capture interface 1 1 allows the user U, TC to interact with the terminal 1 y, 1 TC to indicate and / select a PAJd access point identifier.
- the requestor of identifiers 41 1 supplies one or more lists of identifiers of terminals and / or access points O.pp which are sent to the terminal 1 y, 1 TC .
- the list of terminal identifiers are terminals associated with the user U or with a group (family) in which the user U is a member and the list of access point identifiers includes the access points registered in a client file associated with this user U or consists of the identifier of the access point sold.
- These lists of identifiers are reproduced by the terminal 1 y, 1 TC allowing, respectively, the user U, the trusted third party TC to select 2.slt from the list, respectively, a terminal and an access point.
- either the requester of identifiers provides initially a list of terminal identifiers from which the user U or the trusted third party TC selects on his terminal 1 y, 1 TC a terminal from which the sender 13 receives 3.d the identifier that it emits 4 '. T_id to the server 2, 4.
- the verifier 410 determines that the access point identifier is missing and triggers 6.trg the requestor 41 1 which returns the list of access points O.pp.
- the user U or the trusted third party TC selects on his terminal 1 y, 1 TC an access point from the list from which the sender 13 receives 3.d the identifier that he sends 4 ”.PA_id to the server 2, 4.
- the verifier 410 then triggers the coupler 412 which associates the identifiers 7. (T_id, PA id).
- the server 2, 4 comprises association means comprising the coupler 412 and at least one of the following devices:
- Figure 8b corresponds to an architecture implementing the initialization, in particular as illustrated by at least one of the following figures: Figure 2, Figure 5, Figure 6.
- the architecture implementing the initialization comprises:
- the terminal 1 y comprises a coupler 15 from the terminal 1 y to the mediation server 2 associating beforehand with the network key recovery the terminal 1 y with the mediation server 2, in particular as illustrated by FIG. 2 or FIG. 6.
- the terminal 1 y comprises a loader 120 of the network key recovery method, in particular an application loader when the network key recovery device is implemented in the form of an application executed by a processor of the terminal 1 y , by the terminal 1 from in particular an application server 5.
- the network key recovery method is loaded in particular in the form of an O.nkapp application.
- the terminal 1 comprises therein a network key recovery initializer 14, in particular the initializer 14 comprises a processor implementing an initialization of a network key recovery method, for example in the form of a network key recovery application.
- network key or initializes a network key collector implemented in terminal 1 y.
- the initializer 14 is in particular triggered 1.ini by the charger 120 as soon as the end of the loading of the network key recovery process is loaded.
- the initializer 14 notably controls the coupler 15 from the terminal to the mediation server and possibly other devices (not illustrated) such as an initializer of at least one parameter of the network key collector or useful for the execution of the method of network key recovery, such as in particular reading an identifier of the terminal T_id, and / or looking for an address of a mediation server, etc.
- the coupler 15 to the mediation server in particular sends an association request ass rq from the terminal 1 y to the mediation server 2.
- the server 2 comprises in particular a receiver 202 of an association request ass rq from the terminal T to the mediation server SM.
- the coupler 15 to the SM_ASS mediation server comprises a generator 152 of a pair of asymmetric keys (ck pv , ck pb ).
- the private key ck pv is recorded in a memory of the terminal 150 and the public key ck pb transmitted via a first network N1 to the mediation server 2.
- the public key ck pb is optionally associated with an identifier of the terminal T_id during its transmission to the mediation server.
- mediation server such as the identifier of the terminal T_id previously associated with an identifier of an access point PA id.
- the association request message ass rq includes the public key ck pb and / or an identifier of the terminal TJd: ass_rq (ck pb ), ass_rq (ck pb T_id), ass_rq (T_id), ...
- the server 2 comprises an authenticator 23.
- the authenticator 23 comprises a transmitter (not shown) of an activation code for the destination association of the terminal T via a second network N2.
- the act cd activation code is sent by the mediation server 2 to the terminal 1 which sent the public key ck pb received there. It allows the mediation server 2 to trigger validation of the authentication of the sender of the association request by means of the activation code.
- the sender of the activation code AUTH_RQ sends an authentication message 5.auth_mssg comprising the activation code act cd: auth_mssg (act_cd).
- the coupler 15 to the SM_ASS mediation server comprises an authentication transmitter / receiver 153 comprising in particular a receiver receiving an activation code from the association coming from the mediation server 2 via a second network N2.
- the act cd activation code is received by the terminal 1 y from the mediation server 2 having received a public key ck pb from the terminal 1 y. It allows the mediation server 2 to trigger validation of the authentication of the sender of the association request by means of the activation code.
- the authentication transmitter / receiver 153 receives an authentication message auth mssg comprising the activation code act cd: auth_mssg (act_cd).
- the authentication transmitter / receiver 153 comprises a transmitter which transmits the activation code AC_EM from the terminal 1 y to the mediation server 2 via the first network N1 .
- the receiver Following receipt of the activation code by the authentication transmitter / receiver 153, the receiver provides the activation code act cd to the transmitter of the activation code implemented in the authentication transmitter / receiver 153 after having possibly extracted the activation code act cd from an authentication message received auth mssg.
- the authenticator 23 comprises an activation code receiver (not shown) which, following the transmission of an activation code by the transmitter of the authenticator 23, receives the activation code 6 .
- ck pb _vd from terminal 1 y via the first network N1.
- the first network N1 is in particular a mobile Internet network such as the 4G network, the transmission of the public key is carried out in particular over a secure Internet link such as https;
- the second network N2 is in particular a 2G, 3G mobile telephone network
- the transmission of the activation code of the public key is for example an SMS, MMS or a command SMS, etc.
- the authenticator 23 controls a validator 24 which triggers the passage of the network key recuperator or of the network key retrieval method into operational mode by sending a trigger message 7.ok to the user. terminal 1 y.
- the coupler 15 comprises a state changer 154 turning the network key recuperator into operational mode.
- the state changer 1054 notably provides an authorization command nk_rvy_ok for implementing the recoverer or for executing the method for recovering the network key.
- FIG. 8c corresponds to an architecture implementing the recovery of the network key, in particular as illustrated by at least one of the following figures: FIG. 1, FIG. 3, FIG. 4 and FIG. 6.
- the architecture implementing network key recovery includes:
- Access point 3 has a transmitter 33 of a network key from access point 3 to a mediation server 2.
- the mediation server 2 comprises a transmitter 221 of the network key received from the access point 3 by the mediation server 2 to the terminal 1 y whose identifier TJd was associated, during the preliminary phase (cf. FIG. 8a), to the identifier of the access point 3 which provided the network key nk.
- Terminal 1 comprises therein a receiver 121, coming from mediation server 2 with which terminal 1 was associated with it during the initialization phase (see FIG. 8b), of a network key of the access point PA of which l
- the identifier PAJd was associated with its identifier TJd during the preliminary phase (cf. FIG. 8a).
- the terminal 1 comprises an interface or device 18 for recovering the network key of an access point 3 to a network implemented by a terminal 1 y, the network key nk allowing the terminal 1 y to be associated with the point access 3 during the first connection of the terminal 1 y to the access point 3.
- the recovery interface comprising a receiver 121 of a network key sent via a mediation server 2 by an access point 3.
- the terminal 1 has been identified there by the mediation server 2 by means of an association prior to the first connection of an identifier of the terminal T_id and of an identifier of the access point PA id (cf. in particular FIG. 8a).
- the mediation server 2 comprises a manager 28 for recovering the network key of an access point to a network implemented by a mediation server 2, the network key nk allowing the terminal 1 y to be associated with the point d 'access 3 during the first connection of terminal 1 y to access point 3.
- the network key recovery manager comprises a transmitter 221 to a terminal 1 y of a network key 7'.nk received from a point d access 3.
- the mediation server 2 having identified the terminal by means of an association prior to the first connection of an identifier of the terminal T_id and of an identifier of the access point PA id (cf. in particular FIG. 8a) .
- the access point 3 to a network comprising a network key supplier 38, the network key nk allowing the terminal 1 y to be associated with the access point 3 during the first connection of the terminal 1 y to the access point 3.
- the network key provider includes a transmitter 33 via a mediation server 2 at a terminal 1 y of the network key nk of the access point 3.
- the terminal 1 has been identified there by the mediation server 2 by means of an association prior to the first connection of an identifier of the terminal T_id and of an identifier of the access point PA id (cf. in particular FIG. 8a).
- the terminal 1 U comprises a reproducer or a reproduction interface 1 1 of a message reproducing the message rq mssg on reproduction command l.rpr cmd of a network key collector 16.
- the l.rpr cmd reproduction command is generated in particular when starting the collector 16.
- the reproduced message is intended directly or indirectly for access point 3 whose identifier PJd was associated, during the preliminary phase (see Figure 8a), with the identifier of terminal 1 reproducing the message there.
- the reproduced message is indirectly intended for access point 3, it is notably reproduced on a screen 110 and / or by speakers 11 to be read, listened to, etc. by a user U of terminal 1 y.
- the message in this case is a request for action 2.cpt_rq triggering an action 3.c of the user U relative to the access point 3.
- the message 3.c is reproduced by the terminal 1 y, in particular by the reproduction interface 1 1.
- the access point 3, or even the network key provider 38 comprises in particular a sensor 30 respectively of the action of the user U relative to the access point 3 or of the message reproduced by the terminal 1 y: 3. vs.
- the sensor 30 triggers 4.nk_sh_trg directly or indirectly the transmitter 33 of the network key to the mediation server 2.
- the access point 3, or even the network key provider 38 includes a requester 37 requesting the establishment of a connection from the access point 3 with the mediation server 2.
- the requester 37 is in particular triggered 4 .nk_sh_trg by the sensor 30.
- the requester 37 sends in particular, to the mediation server 2, a connection establishment request 5.stb_rq possibly comprising an identifier of the access point PA id: 5.stb_rq (PA_id).
- the mediation server 2 comprises a connection establishment device 27 establishing a connection from the mediation server 2 with the access point 3 triggered by the establishment request. 5.stb_rq connection from the access point 3.
- the connection establishment device comprises means of connection establishment with an access point 270 receiving the connection establishment request 5.stb_rq in from the access point 3.
- the connection establishment device 27, or even the establishment means 270 triggers 6.
- PA cnx trg the establishment of a communication session between the mediation server and the point of PA / SM_SS access.
- the sender 33 sends 7′.nk the network key to the mediation server 2 using this communication session between the mediation server and the access point PA / SM_SS.
- the mediation server 2 or even the network key recovery manager 28, comprises a network key receiver 203 which receives the network key sent 7′.nk by the access point 3 via the communication session PA / SM_SS established between Access Point 3 and Mediation Server 2.
- the network key receiver 203 supplies the received network key 8.nk to the network key transmitter 221.
- the terminal 1 U see the network key recovery interface 18, includes a sender 17 of a network key request.
- the network key request transmitter 17 is triggered 4'.cnx_cmd by the collector 16 or the reproducer 1 1 during the reproduction of the rq mssg meessage.
- the network key request sender 17 sends in particular, to the mediation 2 a network key request 5'.nk_rq possibly including an identifier of the terminal TJd: 5'.nk_rq (T_id).
- This network key request transmitter 17 is implemented in particular in parallel with the implementation of the requester 37.
- the establishment device comprises means 271 for establishing a connection between the mediation server and the terminal.
- the establishment device 27 of the mediation server 2 is triggered by the network key request 5'.nk_rq coming from the terminal T.
- the establishment device 27, or even the establishment means 271 triggers 6 ' .
- T_cnx_trg the establishment of a communication session between the Mediation Server and the T / SM_SS terminal.
- the mediation server 2 or even the network key recovery manager 28, implements the means for establishing a connection with the terminal 271 and the means for establishing a connection with the point of access 270 in parallel.
- the mediation server 2 or even the network key recovery manager 28, implements the means for establishing a connection with the terminal 271 and the means for establishing a connection with the point of access 270 simultaneously.
- the mediation server 2 in one embodiment in which the mediation server does not receive a network key request 5'.nk_rq from a terminal 1 u, the mediation server 2, or even the network key recovery manager 28, comprises a search engine 25 which makes it possible to search for the identifier of the terminal T_id associated with the identifier of the access point which provided the network key 7'.nk.
- the search engine 25 then triggers the means for establishing a connection 271 with the terminal identified by the search l y.
- the transmitter of the network key 221 is triggered directly or indirectly by the establishment device 270 during the establishment of a connection with the terminal identified 1 y, or even the means of establishment of the connection of the server. mediation with terminal 271.
- the mediation server 2, or even the network key recovery manager 28, comprises a timer 26.
- the establishment device 270 when establishing a connection with the identified terminal 1 y, or even the means for establishing the connection of the mediation server with the terminal 271 triggers 8'.tm_trg the timer 26.
- the timer 26 is stopped 8 ”.tm_stp by the receiver 203 when receiving a network key nk from the point d access 3.
- the transmitter of the network key 221 is triggered indirectly by the setting device 27, 271, it is the timer 26 which triggers the transmitter of the network key 221.
- the mediation server 2, or even the network key recovery manager 28, comprises a verifier 25 which makes it possible to verify whether the terminal 1 requesting the network key is the terminal whose identifier has been previously associated with a identifier of the access point 3 whose network key is requested.
- the verifier 25 authorizes the transmitter of the network key 221 to send the received network key nk if the verification is positive.
- the verifier 25 comprises a search engine which makes it possible to search for the identifier of the terminal T_id associated with the identifier of the access point which provided the network key 7'.nk, recorded for example in a memory 223 of the server. mediation 2 or 423 of another server 4 (cf. figure 8a).
- the verifier 25 comprises a comparator (not illustrated) of the terminal identifier obtained by the search engine with the identifier of the terminal 1 y requesting the network key.
- the transmitter of the network key 221 comprises an encryptor, also called an encryptor, 2212 and / or an integrator 2213 of the network key in a message or data packet.
- the network key transmitter 221 sends either the encrypted network key nk * or not nk, or an encrypted or unencrypted message comprising the encrypted network key mssg * (nk) or not mssg (n * ), mssg (nk), etc. . : 11.
- the transmitter of the network key 221 comprises a transmitter 2211 capable of transmitting data comprising a network key via the communication session T / SM_SS.
- the encryptor performs the encryption using the public key ck pb stored during the initialization phase (cf. FIG. 8b) in a memory 29 of the mediation server.
- the terminal 1 comprises therein a network key collector 12 comprising the network key receiver 121.
- the network key collector 12 comprises, in particular, a decryptor, also called a decryptor, 122 and / or an extractor 123 of the network key.
- a message or data packet comprising the network key received from the mediation server 2.
- the decryptor 122 performs the decryption using the private key ck pv stored during the initialization phase (see FIG. 8b).
- the collector 12 provides in particular the received network key 13.nk, possibly decrypted and / or extracted to a coupler 19 making it possible to associate the terminal 1 y with the access point 3 during a first connection.
- the invention is also aimed at a support.
- the information medium can be any entity or device capable of storing the program.
- the medium can comprise a storage means, such as a ROM, for example a CD ROM or a microelectronic circuit ROM or else a magnetic recording means, for example a floppy disk or a hard disk.
- the information medium can be a transmissible medium such as an electrical or optical signal which can be conveyed via an electrical or optical cable, by radio or by other means.
- the program according to the invention can in particular be downloaded over a network, in particular of the Internet type.
- the information medium can be an integrated circuit in which the program is incorporated, the circuit being adapted to execute or to be used in the execution of the method in question.
- the invention is implemented by means of software and / or hardware components.
- module can correspond equally well to a software component or to a hardware component.
- a software component corresponds to one or more computer programs, one or more subroutines of a program, or more general to any element of a program or software capable of implementing a function or a set of functions according to the description above.
- a hardware component corresponds to any element of a hardware set (or hardware) capable of implementing a function or a set of functions.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Mobile Radio Communication Systems (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
Description
Claims
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
FR1901553A FR3092954A1 (fr) | 2019-02-15 | 2019-02-15 | Récupération de clé réseau, envoi de clé réseau, gestion de récupération de clé réseau, terminal, serveur de médiation et point d’accès les mettant en œuvre |
PCT/FR2020/050260 WO2020165540A1 (fr) | 2019-02-15 | 2020-02-13 | Récupération de clé réseau, envoi de clé réseau, gestion de récupération de clé réseau, terminal, serveur de médiation et point d'accès les mettant en œuvre |
Publications (1)
Publication Number | Publication Date |
---|---|
EP3925253A1 true EP3925253A1 (fr) | 2021-12-22 |
Family
ID=67185304
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
EP20711230.1A Pending EP3925253A1 (fr) | 2019-02-15 | 2020-02-13 | Récupération de clé réseau, envoi de clé réseau, gestion de récupération de clé réseau, terminal, serveur de médiation et point d'accès les mettant en ?uvre |
Country Status (4)
Country | Link |
---|---|
US (1) | US11963002B2 (fr) |
EP (1) | EP3925253A1 (fr) |
FR (1) | FR3092954A1 (fr) |
WO (1) | WO2020165540A1 (fr) |
Family Cites Families (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7853788B2 (en) * | 2002-10-08 | 2010-12-14 | Koolspan, Inc. | Localized network authentication and security using tamper-resistant keys |
US8743778B2 (en) * | 2006-09-06 | 2014-06-03 | Devicescape Software, Inc. | Systems and methods for obtaining network credentials |
US20170048700A1 (en) * | 2012-08-16 | 2017-02-16 | Mivalife Mobile Technology, Inc. | Self-configuring wireless network |
US20140247941A1 (en) * | 2013-03-01 | 2014-09-04 | Oplink Communications, Inc. | Self-configuring wireless network |
US20150229475A1 (en) * | 2014-02-10 | 2015-08-13 | Qualcomm Incorporated | Assisted device provisioning in a network |
DE102016114136A1 (de) * | 2016-07-29 | 2018-02-01 | Deutsche Telekom Ag | Verfahren zur Inbetriebnahme eines Heimnetzes mit gebäudeinterner Basisstation und gebäudeinternem Elektrogerät |
US10547448B2 (en) * | 2016-10-19 | 2020-01-28 | Qualcomm Incorporated | Configurator key package for device provisioning protocol (DPP) |
-
2019
- 2019-02-15 FR FR1901553A patent/FR3092954A1/fr not_active Withdrawn
-
2020
- 2020-02-13 WO PCT/FR2020/050260 patent/WO2020165540A1/fr unknown
- 2020-02-13 EP EP20711230.1A patent/EP3925253A1/fr active Pending
- 2020-02-13 US US17/430,918 patent/US11963002B2/en active Active
Also Published As
Publication number | Publication date |
---|---|
WO2020165540A1 (fr) | 2020-08-20 |
FR3092954A1 (fr) | 2020-08-21 |
US20220132308A1 (en) | 2022-04-28 |
US11963002B2 (en) | 2024-04-16 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
EP2884716B1 (fr) | Mécanisme d'authentificaiton par jeton | |
EP1687953B1 (fr) | Méthode d'authentification d'applications | |
EP1549011A1 (fr) | Procédé et système de communication entre un terminal et au moins un équipment communicant | |
US11824855B1 (en) | Computer system and device for controlling use of secure media recordings | |
FR3027176A1 (fr) | Rejeu d'un batch de commandes securisees dans un canal securise | |
CN111177699B (zh) | 一种数据提取方法、秘钥生成方法、解锁方法及装置 | |
WO2016207715A1 (fr) | Gestion securisee de jetons électroniques dans un telephone mobile. | |
EP3925253A1 (fr) | Récupération de clé réseau, envoi de clé réseau, gestion de récupération de clé réseau, terminal, serveur de médiation et point d'accès les mettant en ?uvre | |
EP1737191B1 (fr) | Procédé de création d'un terminal éclaté entre un terminal de base et des équipements connectés en serie | |
EP4162658A1 (fr) | Procede de discrimination d'un message entre un terminal et un serveur de donnees | |
EP3599782A1 (fr) | Recuperation de cle reseau, gestion de recuperation de cle reseau, mise a disposition de cle reseau, terminal, serveur et point d'acces les mettant en oeuvre | |
EP2911365B1 (fr) | Procédé et système de sécurisation de transactions offertes par une pluralité de services entre un appareil mobile d'un utilisateur et un point d'acceptation | |
EP3868069B1 (fr) | Procédé et dispositif de protection de données saisies au moyen d'une interface utilisateur non sécurisée | |
EP2471237A1 (fr) | Dispositif électronique nomade configuré pour établir une communication sans fil sécurisé | |
FR3097666A1 (fr) | Procédé de stockage de données d’authentification de documents | |
WO2006051197A1 (fr) | Procédé d'autorisation d'accès d'un terminal client d'un réseau nominal à un réseau de communication différent du réseau nominal, système, serveur d'authentification et programme informatique correspondants | |
FR3111252A1 (fr) | Procédé de capture d’un paquet d’une session chiffrée | |
EP3360293A1 (fr) | Moyens de gestion d'accès à des données | |
WO2010133459A1 (fr) | Procede de chiffrement de parties particulieres d' un document pour les utilisateurs privileges | |
FR3105482A1 (fr) | Procédé d’obtention de mot de passe pour l’accès à un service | |
FR2825213A1 (fr) | Systeme d'authentification d'un utilisateur | |
WO2016034812A1 (fr) | Sécurisation de clés de cryptage pour transaction sur un dispositif dépourvu de module sécurisé | |
WO2010003957A1 (fr) | Dispositif d'attestation électronique | |
FR2963526A1 (fr) | Telephone mobile muni d'un systeme securise d'identification | |
FR2884996A1 (fr) | Procede de transfert d'un droit d'usage d'un contenu numerique entre deux terminaux numeriques |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
STAA | Information on the status of an ep patent application or granted ep patent |
Free format text: STATUS: UNKNOWN |
|
STAA | Information on the status of an ep patent application or granted ep patent |
Free format text: STATUS: THE INTERNATIONAL PUBLICATION HAS BEEN MADE |
|
PUAI | Public reference made under article 153(3) epc to a published international application that has entered the european phase |
Free format text: ORIGINAL CODE: 0009012 |
|
STAA | Information on the status of an ep patent application or granted ep patent |
Free format text: STATUS: REQUEST FOR EXAMINATION WAS MADE |
|
17P | Request for examination filed |
Effective date: 20210913 |
|
AK | Designated contracting states |
Kind code of ref document: A1 Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR |
|
DAV | Request for validation of the european patent (deleted) | ||
DAX | Request for extension of the european patent (deleted) | ||
STAA | Information on the status of an ep patent application or granted ep patent |
Free format text: STATUS: EXAMINATION IS IN PROGRESS |
|
17Q | First examination report despatched |
Effective date: 20230908 |
|
RAP3 | Party data changed (applicant data changed or rights of an application transferred) |
Owner name: ORANGE |