WO2018157782A1 - Credential information processing method and apparatus for network connection, and application (app) - Google Patents
- Publication number: WO2018157782A1 (PCT application PCT/CN2018/077364)
- Authority: WO (WIPO, PCT)
- Prior art keywords
- terminal
- certificate
- module
- certificate data
- network
Classifications
- H—ELECTRICITY > H04—ELECTRIC COMMUNICATION TECHNIQUE > H04W—WIRELESS COMMUNICATION NETWORKS
  - H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity > H04W12/06—Authentication > H04W12/069—Authentication using certificates or pre-shared keys
  - H04W84/00—Network topologies > H04W84/02—Hierarchically pre-organised networks, e.g. paging networks, cellular networks, WLAN [Wireless Local Area Network] or WLL [Wireless Local Loop] > H04W84/10—Small scale networks; Flat hierarchical networks > H04W84/12—WLAN [Wireless Local Area Networks]
  - H04W48/00—Access restriction; Network selection; Access point selection > H04W48/16—Discovering, processing access restriction or access information
Definitions
- the present invention relates to the field of communications technologies, and in particular to a method, an apparatus, and an application (APP) for processing credential information used for network connection.
- when a terminal accesses a wireless network, it is usually required to present networking credential information to the wireless network, and access is allowed only when that credential information is verified successfully.
- for example, the terminal can request a connection to the wireless network identified by a network name by supplying that network name and the connection password entered by the user; after the connection password is verified, the terminal is allowed to access the wireless network.
- WIFI: Wireless Fidelity
- in the conventional approach, the wireless network provider has to announce the credential information for connecting to the wireless network to the user of the terminal, and the user of the terminal has to enter the credential information manually on the terminal.
- for example, user X provides a wireless network in the home, that is, user X is the wireless network provider. When another user Y wants to connect a terminal to that network, user X has to tell user Y the connection password, and user Y then enters it manually to make the network connection.
- when the connection password is complicated or lengthy, it is inconvenient for user Y to remember and cumbersome to enter. It can be seen that, on the one hand, user operation is inconvenient in the process of connecting the terminal to the wireless network; on the other hand, the credential information of the wireless network is publicly announced, which may lead to security risks.
- the technical problem to be solved by the present invention is therefore to provide a method, a device and an application (APP) for processing credential information used for network connection, so that a terminal can obtain the credential information of a wireless network and use it to connect without manual input by the user.
- this not only simplifies and facilitates the user's networking operations, but also avoids disclosure of the networking credential information, improving the security of the wireless network for its users.
- an embodiment of the present invention provides a method for processing credential information for a network connection, where the method includes:
- the first terminal sends a first credential download request to the server in response to an instruction to apply for a networking credential for the second terminal, where the first credential download request carries user identity information of the first terminal, and the user identity information is used by the server to perform user identity verification on the first terminal;
- the first terminal receives the first credential information sent by the server when the user identity verification succeeds;
- the second terminal receives, from the first terminal, the first credential information sent directly from the first terminal's system memory, together with the network identifier of the wireless network to be connected;
- the second terminal stores the received first credential information directly from the second terminal's system memory into a secure storage area of the second terminal;
- the second terminal connects to the wireless network corresponding to the network identifier by using the first credential information in the secure storage area.
- an embodiment of the present invention provides a processing device for credential information for a network connection, configured in a first terminal, where the device includes an application module;
- the application module is configured to send a first credential download request to the server in response to an instruction to apply for a networking credential for the second terminal, to receive the first credential information sent by the server when the user identity verification succeeds, and to send the first credential information and the network identifier of the wireless network to be connected directly from the first terminal's system memory to the second terminal; or
- the application module is configured to send a second credential download request to the server in response to an instruction to apply for a networking credential for the first terminal itself, and to receive the second credential information sent by the server when the user identity verification succeeds;
- the first credential download request or the second credential download request carries user identity information of the first terminal, where the user identity information is used by the server to perform user identity verification on the first terminal;
- the first credential information is used by the second terminal to connect to the wireless network corresponding to the network identifier, and the second credential information is used by the first terminal to connect to a wireless network.
- an embodiment of the present invention provides a processing device for credential information for a network connection, configured in a second terminal, where the device includes an application module, a storage module, and a network connection module;
- the application module is configured to receive first credential information and a network identifier of the wireless network to be connected, both sent by the first terminal, where the first credential information was downloaded from the server by the first terminal in response to an instruction to apply for a networking credential for the second terminal and then sent to the second terminal;
- the storage module is configured to store the first credential information directly from the second terminal's system memory into a secure storage area of the second terminal;
- the network connection module is configured to connect to the wireless network corresponding to the network identifier by using the first credential information in the secure storage area.
- an embodiment of the present invention provides an application (APP), configured in a first terminal, where the application APP includes an application module;
- the application module is configured to send a first credential download request to the server in response to an instruction to apply for a networking credential for the second terminal, to receive the first credential information sent by the server when the user identity verification succeeds, and to send the first credential information and the network identifier of the wireless network to be connected directly from the first terminal's system memory to the second terminal; or
- the application module is configured to send a second credential download request to the server in response to an instruction to apply for a networking credential for the first terminal itself, and to receive the second credential information sent by the server when the user identity verification succeeds;
- the first credential download request or the second credential download request carries user identity information of the first terminal, where the user identity information is used by the server to perform user identity verification on the first terminal;
- the first credential information is used by the second terminal to connect to the wireless network corresponding to the network identifier, and the second credential information is used by the first terminal to connect to a wireless network.
- an embodiment of the present invention provides an application (APP), configured in a second terminal, where the application APP includes an application module;
- the application module is configured to receive first credential information and a network identifier of the wireless network to be connected, both sent by the first terminal, where the first credential information was downloaded from the server by the first terminal in response to an instruction to apply for a networking credential for the second terminal and then sent to the second terminal;
- the application module is further configured to invoke the storage module of the second terminal to store the first credential information directly from the second terminal's system memory into a secure storage area of the second terminal;
- the application module is further configured to invoke the network connection module of the second terminal to connect to the wireless network corresponding to the network identifier by using the first credential information stored in the secure storage area.
- the present invention has the following advantages:
- the first terminal, which holds the credential application right for the wireless network, can request the server to download the credential information for connecting to the wireless network, and can send that credential information together with the network identifier of the wireless network to the second terminal, so that the second terminal obtains the networking credential information and the network identifier without manual input and uses the credential information to connect to the wireless network corresponding to the network identifier.
- FIG. 1 is a schematic diagram of an exemplary application scenario in an embodiment of the present invention
- FIG. 2 is a schematic flowchart of a method for processing credential information used for network connection according to an embodiment of the present invention
- FIG. 3 is a schematic structural diagram of a device for processing credential information for network connection according to an embodiment of the present invention
- FIG. 4 is a schematic structural diagram of a device for processing credential information for network connection according to an embodiment of the present invention
- FIG. 5 is a schematic structural diagram of a device for processing credential information for network connection according to an embodiment of the present invention
- FIG. 6 is a schematic structural diagram of a device for processing credential information for network connection according to an embodiment of the present invention.
- FIG. 7 is a schematic structural diagram of a device for processing credential information for network connection according to an embodiment of the present invention.
- in the conventional approach, the wireless network provider has to inform the user of the terminal of the credential information for connecting to the wireless network, and the user of the terminal then manually enters or installs the credential information on the terminal in order to connect the terminal to the wireless network.
- on the one hand, the user needs to memorize the credential information (such as a password) used to connect to the wireless network and enter it manually in the wireless network connection interface of the terminal, which makes the user operation cumbersome; on the other hand, the wireless network provider needs to announce the networking credential information to the other users who connect their terminals to the wireless network, and the credential information is easily leaked when it is announced.
- if the credential information is obtained by a malicious user, the malicious user may attack the wireless network, so the security of the wireless network is at risk.
- in the embodiment of the present invention, the wireless network provider uses the first terminal, and the first terminal has the credential application right for the wireless network, that is, the user identity information provided by the first terminal can be verified by the server, so that the first terminal can download the networking credential information from the server.
- the wireless network provider can use the first terminal to request the server to download the networking credential information, and send the network identifier of the wireless network together with the networking credential information to the second terminal, so that the second terminal obtains the network identifier and the credential information of the wireless network without manual input and uses the credential information to connect to the wireless network corresponding to the network identifier.
- thus the network connection operation is simplified, and the wireless network provider does not need to tell the user of the second terminal the credential information; the networking credential information is never announced, which reduces the possibility that a malicious user obtains the credential information through a leak and attacks the wireless network, thereby improving the security of the wireless network.
- FIG. 1 is a schematic diagram of an exemplary application scenario in an embodiment of the present invention.
- the first terminal 110 can interact with the server 130 through a wireless access point AP (also referred to as a wireless router), and the first terminal 110 can interact with the second terminal 120.
- the first terminal 110 may include, for example, an application module 111, a certificate management module 112, a storage module 113, and a network connection module 114.
- the second terminal 120 may include, for example, an application module 121, a certificate management module 122, a storage module 123, and a network connection module 124.
- in one case, the first terminal 110 may include only an application module 111, and the application module 111 may send a first credential download request to the server in response to an instruction to apply for a networking credential for another terminal (the second terminal 120 in the embodiment of the present invention).
- the instruction to apply for a networking credential for the other terminal may be generated by the first terminal 110, or may be generated by the second terminal 120 and sent to the first terminal 110 by the application module 121.
- the first credential download request carries the user identity information provided by the first terminal 110.
- the server 130 may perform user identity verification on the first terminal 110 according to the user identity information, and send the first credential information to the first terminal 110 if the user identity verification of the first terminal 110 is successful.
- the first terminal 110 may receive the first credential information through the application module 111, and send the first credential information and the network identifier of the wireless network to be connected to the second terminal 120.
- the second terminal 120 may include only the application module 121, the storage module 123, and the network connection module 124.
- the second terminal 120 receives the first credential information and the network identifier through the application module 121, stores the first credential information in the secure storage area of the second terminal 120 through the storage module 123, and connects to the wireless network corresponding to the network identifier through the network connection module 124 by using the first credential information stored in that secure storage area.
- the network identifier may be entered manually by the wireless network provider on the sending interface through which the first terminal 110 sends the first credential information to the second terminal 120, or it may be generated by default by the first terminal 110 on that sending interface.
- the sending interface is displayed on the first terminal 110.
- in another case, the application module 111 of the first terminal 110 may send a second credential download request to the server in response to an instruction to apply for a networking credential for the first terminal itself, where the second credential download request carries the user identity information provided by the first terminal 110.
- in this case the first terminal 110 includes a storage module 113 and a network connection module 114 in addition to the application module 111.
- the server 130 performs user identity verification on the first terminal 110 according to the user identity information, and sends the second credential information to the first terminal 110 if the verification succeeds.
- the first terminal 110 receives the second credential information through the application module 111, stores it in the secure storage area of the first terminal 110 through the storage module 113, and connects to the wireless network through the network connection module 114 by using the second credential information stored in that secure storage area.
- the credential information used to connect to the wireless network may be a network connection password, which is generally applicable to a WIFI network environment and may also be applicable to a WAPI (WLAN Authentication and Privacy Infrastructure) network environment of the pre-shared key type.
- in this way the wireless network provider does not need to disclose the networking credential information (such as the network connection password) to the user of the second terminal, which avoids the leakage of credential information that would endanger the security of the wireless network; and the user of the second terminal can complete the network connection without manually entering the networking credential information (such as the network connection password) on the second terminal, which improves the convenience of connecting the terminal.
- the second terminal 120 may further include a certificate management module 122 in addition to the application module 121, the storage module 123, and the network connection module 124.
- the certificate management module 122 may be configured to name the certificate data according to a certificate identifier set for that certificate data before the first credential information is stored in the secure storage area of the second terminal 120, and to invoke the storage module 123 to store the named certificate data in the secure storage area of the second terminal 120.
- the first terminal 110 may further include a certificate management module 112 in addition to the application module 111, the storage module 113, and the network connection module 114.
- the certificate management module 112 may likewise be configured to name the certificate data according to a certificate identifier set for that certificate data before the second credential information is stored in the secure storage area of the first terminal 110, and to invoke the storage module 113 to store the named certificate data in the secure storage area of the first terminal 110.
- in the first terminal 110, the application module 111 generally runs at the application layer, while the certificate management module 112, the storage module 113, and the network connection module 114 run at the system layer.
- likewise, in the second terminal 120 the application module 121 typically runs at the application layer, while the certificate management module 122, the storage module 123, and the network connection module 124 run at the system layer. Whether it is the application module 111 or the application module 121, it may be built into the terminal when the terminal leaves the factory, or may be obtained by the user from an external source and installed on the terminal afterwards.
- the application module 111 or the application module 121 can run in the terminal as a third-party application (APP), that is, a third-party APP containing the application module 111 or the application module 121 can be installed on the terminal so that the terminal can perform the networking operation.
- APP: Application
- the application module 111 and the application module 121 can also run at the system layer; in that case they are built into the terminal when it leaves the factory.
- a module running at the application layer can be obtained by the user from an external source and installed on the terminal, and can also be uninstalled by the user; a module running at the system layer is built into the terminal's system and cannot be uninstalled by the user. Moreover, the modules running at the system layer may each have different operating permissions.
- FIG. 2 shows a flowchart of a method for processing credential information for network connection in an embodiment of the present invention.
- the method includes the following steps:
- the first terminal sends a first credential download request to the server in response to the instruction to apply for the network credential for the second terminal.
- the first credential download request carries user identity information of the first terminal, and the user identity information is used by the server to perform user identity verification on the first terminal.
- the credential download interface provided by the first terminal includes two operation options: "apply for a networking credential for this terminal" and "apply for a networking credential for another terminal".
- the wireless network provider can select the option "apply for a networking credential for another terminal" on the credential download interface, which triggers the instruction to apply for a networking credential for the other terminal (referred to as the second terminal in the embodiment of the present invention). For example, on the credential download interface the wireless network provider can enter a user name and password as the user identity information of the first terminal, and can also enter the Internet Protocol (IP) address and port number of the server.
- IP: Internet Protocol
- after the wireless network provider selects the option "apply for a networking credential for another terminal" on the credential download interface, the first terminal generates a first credential download request carrying the user identity information based on the provider's operation on that interface and sends the request to the server.
- the server may obtain the user identity information and perform user identity verification on the first terminal according to the user identity information in response to the first credential download request.
- the server may verify the user identity of the first terminal by, for example, checking whether the username and password are valid and match each other; if they are valid and match, the user identity verification of the first terminal succeeds.
- the first terminal receives the first credential information sent by the server when the user identity verification of the first terminal succeeds.
- the server may generate or obtain the first credential information (for example, obtain it from a certificate issuing server) and send it to the first terminal, so that the first terminal receives the first credential information sent by the server.
- successful verification of the user identity information of the first terminal may serve as the basis for the server to generate or obtain the first credential information.
- the first credential information may be encrypted during the transmission process between the first terminal and the server.
- step 202 may include: the first terminal receives the first encrypted information sent by the server when the user identity verification of the first terminal succeeds, and the first terminal decrypts the first encrypted information to obtain the first credential information.
- the first encrypted information is obtained by encrypting the first credential information by the server.
- the encryption of the first credential information may be performed by any feasible encryption method, which is not limited in this embodiment.
- conventionally, when a terminal receives a certificate or a file, the certificate or file is first stored on the terminal, and when it needs to be sent to another terminal the terminal reads it back from the local storage location and sends it.
- in the embodiment of the present invention, by contrast, the first terminal may send the first credential information to the second terminal directly from the system memory of the first terminal, without storing it in any other storage location within the first terminal.
- if the first credential information were temporarily stored in a conventional storage location in the first terminal, it could be read or copied by an untrusted application on that terminal; sending it directly from the first terminal's system memory prevents an untrusted application on the first terminal from reading or copying it, so the security of the first credential information is better protected.
- the second terminal receives the first credential information, sent directly from the first terminal's system memory, together with the network identifier of the wireless network to be connected.
- the first terminal may prompt the wireless network provider through a credential sending interface.
- the wireless network provider may trigger, on the credential sending interface provided by the first terminal, a sending instruction that carries the network identifier and the first credential information.
- the first terminal sends the network identifier and the first credential information to the second terminal in response to the sending instruction.
- the network identifier of the wireless network may be a default network identifier that the first terminal obtains and presents on the credential sending interface, or may be entered manually by the wireless network provider on that interface.
- because the wireless network provider uses the first terminal to send the network identifier of the wireless network to the second terminal together with the first credential information, the second terminal can connect to that wireless network directly and automatically when it uses the first credential information.
- the user of the second terminal does not need to pick the wireless network corresponding to the network identifier from the list of wireless network names on the second terminal (for example, in the second terminal's "Settings") and then perform the connection manually.
- the network identifier of the wireless network may be a display name of the wireless network.
- the network identifier of the wireless network may be a Service Set Identifier (SSID) of the wireless network.
- SSID: Service Set Identifier
- the first terminal may send the first credential information to the second terminal by using a point-to-point wireless communication technology that does not require network access.
- for example, the first terminal may send the first credential information to the second terminal by using near field communication (NFC) technology, and the second terminal receives it by NFC accordingly.
- when the first credential information is transmitted by NFC, the first terminal and the second terminal only need to be brought close to each other to complete the transfer.
- the first credential information may also be sent between the first terminal and the second terminal by using another point-to-point wireless communication technology, such as Bluetooth.
- Bluetooth transmission, however, requires the terminals to search for each other and configure the connection in advance, and the credential information can be sent only after the connection succeeds, whereas NFC only requires the terminals to be close to each other; using NFC to transmit the credential information is therefore more convenient.
- because NFC operates only over a very short distance, with the terminals held close together, the transmission of the credential information is not easily intercepted from outside, so the transmission process is also relatively safe. Short range reduces the exposure but does not remove it, so encrypting the credential on the NFC link as well, as the description above does for the server-to-terminal transfer, remains advisable.
- using NFC to transmit the credential information between the terminals is therefore a preferred solution.
- the embodiment of the present invention does not limit the manner of transmitting the credential information; another point-to-point wireless communication technology, such as Bluetooth, may also be used to transmit the credential information.
- the second terminal stores the received first credential information directly from its system memory into a secure storage area of the second terminal.
- as noted above, a terminal conventionally stores a received certificate or file first and reads it back from local storage when it is needed; in the embodiment of the present invention the second terminal instead stores the first credential information directly from its system memory into the secure storage area, without temporarily storing it in any other conventional storage location within the second terminal.
- if the first credential information were temporarily stored in a conventional storage location in the second terminal, it could be read or copied by an untrusted application on the second terminal; storing it directly from system memory into the secure storage area prevents that, so the security of the first credential information is better protected.
- the secure storage area may be different from the traditional hard disk storage, and the secure storage area may be a separate storage area in the terminal.
- the credential information is not stored in the secure storage area in the form of a file but only in the form of data; therefore a file management tool with a file scanning function (for example, RE file manager or ES file browser) cannot find the credential information by scanning, so the data stored in the area is invisible to the user and cannot be copied.
- the secure storage area can only be accessed through a specific interface provided by the system; generic storage (file operation) APIs cannot access it.
- the secure storage area in which the credential information is stored in the terminal is more secure than the conventional hard disk storage.
- the secure storage area may be implemented, for example, by a software (non-hardware) Android system keystore, a Windows system storage area, or a hardware security chip. Since the first credential information is stored in the secure storage area, it is not found by a file management tool's scan and cannot be accessed through file-operation APIs, which prevents it from being leaked on the second terminal and better protects it. Note that a software keystore relies on the operating system's access control for this protection, whereas a hardware security chip additionally keeps the key material out of reach of a compromised operating system. The secure storage area described here is not limited to the second terminal; the secure storage area of the first terminal has the same function.
- the first credential information may be encrypted and then stored in the secure storage area.
- when the second terminal reads the encrypted first credential information from the secure storage area, it first decrypts it and then uses the decrypted first credential information to connect to the wireless network.
- the second terminal connects to the wireless network corresponding to the network identifier by using the first credential information in the secure storage area.
- the second terminal may determine the wireless network corresponding to the network identifier and send a connection request to the access point of that wireless network, so as to connect to the wireless network through the access point.
- the wireless network mentioned here may use any feasible wireless communication technology; wireless networks using different technologies correspond to different kinds of credential information, so the credential information mentioned in this embodiment may be of many types.
- when the wireless network adopts Wireless LAN Authentication and Privacy Infrastructure (WAPI), the first credential information may be WAPI certificate data;
- when the wireless network adopts WIFI with WPA/WPA2-PSK encryption, the first credential information may be a password (pre-shared key);
- when the wireless network uses EAP-based authentication, the first credential information may include CA certificate data and other credential parameters, for example the EAP method (eg PEAP, TLS, TTLS, PWD), the Phase 2 authentication method (eg MSCHAPV2, GTC), the identity, the anonymous identity and the password.
- depending on the type of the first credential information, the manner in which it is processed when connecting to the wireless network may differ.
- for example, the second terminal may store the credential information itself (such as a password) and use it to connect to the wireless network, or may directly use the credential information to connect to the wireless network;
- when the credential information is certificate data, the second terminal installs the certificate, that is, stores the certificate data and connects to the wireless network using the certificate data.
- when the first credential information includes certificate data, before the first credential information is stored in the secure storage area of the second terminal in step 204, the second terminal may perform naming processing on the certificate data based on a certificate identifier set for the certificate data.
- the storing of step 204 is then specifically: storing the certificate data that has undergone naming processing in the secure storage area of the second terminal.
- the connecting of step 205 is then specifically: connecting to the wireless network corresponding to the network identifier using the certificate data in the secure storage area.
- the certificate data may be WAPI certificate data, corresponding to the WAPI network connection mode, or may be WIFI certificate data, corresponding to the WIFI network connection mode.
- the certificate used to connect to a wireless network is usually a certificate set containing multiple pieces of certificate data; the WAPI certificate data used for networking refers to such a set of WAPI certificate data.
- in the embodiment of the present invention, a set of WAPI certificate data includes user certificate data, issuer certificate data, and the user private key.
- the second terminal can name the WAPI certificate data, that is, set a certificate name (a certificate identifier) for the WAPI certificate data, such that the user certificate data, the issuer certificate data, and the user private key of one set all contain the same certificate identifier.
- for example, a set of WAPI certificate data for networking is named so that the user certificate data is set to "WAPI_USRCERT_NAME1", the issuer certificate data to "WAPI_CACERT_NAME1", and the user private key to "WAPI_USRPKEY_NAME1".
- the names of all three pieces of certificate data in the set contain the certificate identifier "NAME1"; therefore, when searching for WAPI certificate data, the second terminal only needs to look up the certificate identifier "NAME1" to obtain the complete set.
- the certificate identifier may be an identifier set by the user.
- the user can input the certificate identifier on the certificate naming interface provided by the second terminal and trigger the installation of the certificate.
- the second terminal names the certificate data according to the input certificate identifier.
- the certificate identification may be automatically assigned or generated by the second terminal. Specifically, when the certificate needs to be installed, the second terminal may display the automatically assigned or generated certificate identifier to the user, and automatically trigger the installation of the certificate after naming the certificate data according to the automatically assigned or generated certificate identifier.
- the second terminal may use the certificate data to connect to the wireless network either in a manual connection mode or in an automatic connection mode.
- in the manual connection mode, the certificate data to be used is found by the second terminal based on a certificate identifier manually selected by the user.
- the network connection of step 205 is then: in response to a manual connection instruction, the second terminal enumerates the certificate identifiers of all certificate data in the secure storage area, reads the certificate data corresponding to the certificate identifier manually selected by the user, and connects to the wireless network using the read certificate data.
- in the automatic connection mode, the certificate data to be used is found by the second terminal itself.
- the network connection of step 205 is then: in response to an automatic connection instruction, the second terminal queries the secure storage area for the certificate data for connecting to the wireless network and connects to the wireless network using the queried certificate data.
- when the second terminal itself queries the secure storage area for the certificate data for networking, it first reads all WAPI certificate data in the secure storage area and temporarily stores it in memory, and then associates with the external wireless access point AP.
- the second terminal receives the authentication activation packet sent by the AP and obtains the identity field of the local ASU (Authentication Service Unit) from the packet; it then traverses all the WAPI certificate data previously read, obtains the "holder name", "issuer name" and "serial number" from the issuer certificate data of each set, and uses these three pieces of information to constitute the "identity" information of that set.
- when the identity information of a set matches the identity field of the local ASU, that set of WAPI certificate data is used for the network connection.
- because the second terminal reads the certificate data from the secure storage area into memory before association, once it has obtained the "identity" field of the "local ASU" from the authentication activation packet it only needs to traverse the certificate data already in memory to obtain the "identity" information; this greatly reduces the time spent and avoids a failure of the authentication activation exchange caused by the delay.
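The naming rule, the lookup of a complete set from the identifier alone, and the automatic selection against the local ASU identity described above, as an added Python example that is not the patent's code. The alias prefixes are the ones on the page; the certificate contents and the authentication activation packet are constructed stand-ins (the page does not give the WAPI frame layout, so only the three local ASU identity fields are modelled), and a plain dict stands in for the secure storage area.

```python
"""WAPI certificate-set naming, lookup and automatic selection (added example).

Not code from the patent. Alias prefixes follow the page's naming rule
(WAPI_USRCERT_/WAPI_CACERT_/WAPI_USRPKEY_ + certificate identifier). Certificate
contents are constructed dicts standing in for DER data, and the authentication
activation packet is a constructed dict carrying only the local ASU identity,
because the frame layout itself is not described on the page.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

ALIAS_PREFIXES = ("WAPI_USRCERT_", "WAPI_CACERT_", "WAPI_USRPKEY_")
Identity = Tuple[str, str, str]  # (holder name, issuer name, serial number)


@dataclass(frozen=True)
class WapiCertSet:
    """One complete set: user certificate, issuer certificate, user private key."""
    cert_id: str
    user_cert: dict
    issuer_cert: dict
    user_key: bytes

    def identity(self) -> Identity:
        # The "identity" the page derives from the issuer certificate of the set.
        c = self.issuer_cert
        return (c["holder_name"], c["issuer_name"], c["serial_number"])


def name_cert_set(cert_id: str, user_cert: dict, issuer_cert: dict, user_key: bytes) -> Dict[str, object]:
    """Naming rule: all three parts carry the same certificate identifier."""
    if not cert_id or any(ch in cert_id for ch in "/\\\x00"):
        raise ValueError("invalid certificate identifier")
    return dict(zip((p + cert_id for p in ALIAS_PREFIXES), (user_cert, issuer_cert, user_key)))


def cert_id_of(alias: str) -> Optional[str]:
    """Inverse of the naming rule; None for aliases that do not follow it."""
    for prefix in ALIAS_PREFIXES:
        if alias.startswith(prefix) and len(alias) > len(prefix):
            return alias[len(prefix):]
    return None


def enumerate_cert_ids(store: Dict[str, object]) -> List[str]:
    """Identifiers for which all three parts are present (complete sets only)."""
    parts_seen: Dict[str, set] = {}
    for alias in store:
        cid = cert_id_of(alias)
        if cid is not None:
            parts_seen.setdefault(cid, set()).add(alias[: -len(cid)])
    return sorted(cid for cid, prefixes in parts_seen.items() if len(prefixes) == len(ALIAS_PREFIXES))


def load_cert_set(store: Dict[str, object], cert_id: str) -> WapiCertSet:
    """Recover a complete set from the identifier alone, as the page describes."""
    try:
        user_cert, issuer_cert, user_key = (store[p + cert_id] for p in ALIAS_PREFIXES)
    except KeyError as e:
        raise LookupError(f"incomplete certificate set {cert_id!r}: {e.args[0]} missing") from None
    return WapiCertSet(cert_id, user_cert, issuer_cert, user_key)


def select_cert_set(loaded: Iterable[WapiCertSet], auth_activation: dict) -> Optional[WapiCertSet]:
    """Automatic mode: pick the set whose identity matches the local ASU identity.

    `loaded` must already be in memory (read from secure storage before association),
    so this loop does no storage access in the time-critical window.
    """
    asu = auth_activation["local_asu_identity"]
    target: Identity = (asu["holder_name"], asu["issuer_name"], asu["serial_number"])
    return next((cs for cs in loaded if cs.identity() == target), None)


def build_sample_store() -> Dict[str, object]:
    """Constructed sample data: two complete sets plus one orphaned user certificate."""
    store: Dict[str, object] = {}
    store.update(name_cert_set(
        "NAME1",
        {"holder_name": "sta-01", "issuer_name": "ASU-Campus", "serial_number": "1001"},
        {"holder_name": "ASU-Campus", "issuer_name": "ASU-Campus", "serial_number": "7"},
        b"<constructed user private key NAME1>"))
    store.update(name_cert_set(
        "NAME2",
        {"holder_name": "sta-02", "issuer_name": "ASU-Office", "serial_number": "2002"},
        {"holder_name": "ASU-Office", "issuer_name": "ASU-Office", "serial_number": "9"},
        b"<constructed user private key NAME2>"))
    store["WAPI_USRCERT_ORPHAN"] = {"holder_name": "sta-99", "issuer_name": "ASU-Old", "serial_number": "3"}
    return store


if __name__ == "__main__":
    store = build_sample_store()
    loaded = [load_cert_set(store, cid) for cid in enumerate_cert_ids(store)]
    packet = {"local_asu_identity": {"holder_name": "ASU-Office", "issuer_name": "ASU-Office", "serial_number": "9"}}
    chosen = select_cert_set(loaded, packet)
    print("complete sets:", enumerate_cert_ids(store))
    print("selected:", chosen.cert_id if chosen else None)
```

The orphaned "WAPI_USRCERT_ORPHAN" entry shows why enumeration should count only complete sets: a half-installed set would otherwise be offered to the user in manual mode and then fail at read time.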
- the second terminal 120 can use the certificate management module 122, in cooperation with other modules, to implement storage and use of the certificate data.
- the application module 121 can invoke the certificate installation interface of the certificate management module 122 and provide the interface parameters of the certificate installation interface, which may include the user certificate data, the issuer certificate data, and the user private key of the WAPI certificate data.
- the certificate installation interface of the certificate management module 122 opens the certificate naming interface and displays a default certificate identifier on it; the user can modify the certificate identifier on the certificate naming interface.
- after the certificate installation interface of the certificate management module 122 obtains the user certificate data, the issuer certificate data, and the user private key from the interface parameters, it names the user certificate data, the issuer certificate data and the user private key according to the default certificate identifier or the certificate identifier entered on the certificate naming interface. The certificate management module 122 then calls the storage module 123, and the storage module 123 stores the named certificate data in the secure storage area according to the naming rules of the certificate management module 122, which completes the certificate installation.
- for a manual connection, the network connection module 124 invokes the certificate enumeration interface of the certificate management module 122 to enumerate and present the certificate identifiers of all certificate data in the secure storage area; after the user selects a target certificate identifier, the network connection module 124 calls the storage module 123 to find the certificate data in the secure storage area that matches the target certificate identifier, and then connects to the wireless network through the wireless network driver using the found certificate data.
- the certificate naming interface is provided by the certificate management module 122 running at the system layer, not by the application module 121 running at the application layer.
- a certificate naming interface provided by a system-layer certificate management module normally cannot be controlled or maliciously operated by an unsafe application at the application layer, which prevents such an application from maliciously entering a name on the naming interface to install or delete a certificate.
- when the terminal of the embodiment is based on the Android system, the network configuration interface of the network connection module 124 need not add a new class; by modifying Android's original WLAN network configuration interface (including the WifiConfiguration class and its nested KeyMgmt class), it can be made compatible with WAPI and can also provide the two networking modes, manual connection and automatic connection.
- member variables can be added to the WifiConfiguration class, namely wapiPskType, wapiPsk, wapiCertSelMode, and wapiCertSel:
- wapiPskType describes the key type of the WAPI pre-shared key;
- wapiPsk describes the content of the WAPI pre-shared key;
- wapiCertSelMode describes the selection mode of the WAPI certificate;
- wapiCertSel describes the certificate identifier of the WAPI certificate selected in manual mode.
- the new wapiCertSelMode and wapiCertSel correspond to networking with a WAPI certificate, while wapiPskType and wapiPsk correspond to networking with a pre-shared key.
- if the network connection module also needs to implement the two networking modes, automatic connection and manual connection, for the pre-shared-key mode, member variables may likewise be added to the WifiConfiguration class: one describing the key selection mode and one describing the identifier of the key selected in manual mode.
- each of the other modules that call the storage module 123 runs as a different user, and different user identities have different operation rights.
- a module running as the system user can install a certificate on the terminal, delete certificate data installed on the terminal, and enumerate certificate identifiers, but cannot read the certificate data on the terminal; a module running as the wlan user can read the certificate data and obtain the certificate identifiers of the certificates on the terminal.
- the certificate management module 122 runs as the system user and the network connection module 124 runs as the wlan user.
- accordingly, the certificate management module 122 can call the storage module 123 to install certificate data on the terminal, and to delete and enumerate the certificate identifiers of certificate data installed on the terminal, but cannot call the storage module 123 to read the certificate data; the network connection module 124 can call the storage module 123 to read the certificate data and certificate identifiers on the terminal, but cannot call the storage module 123 to delete or install certificate data. This separates the right to provision certificate data from the right to use it, so a compromise of the component that installs certificates does not by itself expose the user private key to it.
- the certificate installation interface, the certificate deletion interface, and the certificate identifier enumeration interface of the certificate management module 122 may be designed using the Intent mechanism of the Android system. Specifically, an Activity can be preset in the system and related Intent Actions defined.
- the related Intent Actions include "com.wapi.certificate.INSTALL" for installing WAPI certificate data, "com.wapi.certificate.GET_ALIASES" for enumerating certificate identifiers, and "com.wapi.certificate.DELETE" for deleting WAPI certificate data.
- the application module 121, or an application APP in which the application module 121 is built, can send the corresponding Intent Action to the preset Activity in the system, and the Activity installs certificate data, deletes certificate data or enumerates certificate identifiers according to that Intent Action.
- the application module 121 (or the APP) passes the relevant parameters using the Intent's putExtra function, and the preset Activity obtains the parameters through the Intent's getExtras function.
- the definition of related parameters is shown in Table 1.
- when installing, the Activity determines whether the certificate identifier duplicates the alias of already installed certificate data; if so, the user is prompted to re-edit it.
- after the Activity obtains the certificate identifier finally confirmed by the user through the interactive interface, it installs the WAPI certificate and then sets the corresponding return value with the Activity's setResult function to notify the application module 121 (or the APP) whether the WAPI certificate data was installed successfully.
- the return value set by setResult when installing certificate data is defined as follows: 1 means the installation succeeded and 0 means it failed.
- when deleting, the Activity determines whether certificate data matching the specified certificate identifier is installed; if not, the deletion fails and the corresponding return value is set with the Activity's setResult function; if so, the Activity pops up an interactive interface asking the user to confirm the deletion of that set of certificate data, and after the user confirms, the deletion is performed and the corresponding return value is set with setResult to notify the application module 121 (or the APP) whether the WAPI certificate data was deleted successfully.
- the return value set by setResult when deleting certificate data is defined as follows: 1 means the certificate was deleted successfully and 0 means the deletion failed.
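The per-user rights matrix and the Intent-driven install/enumerate/delete flow described above, as an added Python example that is not the patent's code. The Action strings and the 1/0 result codes are the ones the page lists; the "system" and "wlan" identities stand for the calling process's user, which a real storage module would take from the caller's UID rather than a parameter; the in-memory store and the confirmation callback are constructed stand-ins for the secure storage area and the user dialog.

```python
"""Certificate storage with caller-identity-based operation rights (added example).

Not the patent's code. It models the rights matrix on the page: a caller running as
the "system" user may install, delete and enumerate but not read certificate data;
a caller running as the "wlan" user may read and enumerate but not install or
delete. The Intent Action strings and the setResult codes (1 success, 0 failure)
are those the page lists. The caller identity is passed in explicitly here; a real
storage module would derive it from the calling process's UID.
"""
from typing import Callable, Dict, List, Tuple

ACTION_INSTALL = "com.wapi.certificate.INSTALL"
ACTION_GET_ALIASES = "com.wapi.certificate.GET_ALIASES"
ACTION_DELETE = "com.wapi.certificate.DELETE"

PARTS = ("WAPI_USRCERT_", "WAPI_CACERT_", "WAPI_USRPKEY_")

# Operation rights per caller identity, as described on the page.
RIGHTS = {
    "system": frozenset({"install", "delete", "enumerate"}),
    "wlan": frozenset({"read", "enumerate"}),
}


class SecureCertStore:
    """Storage module; the private dict stands in for the secure storage area."""

    def __init__(self) -> None:
        self._data: Dict[str, bytes] = {}

    def _check(self, caller: str, op: str) -> None:
        # Deny by default: unknown callers have no rights at all.
        if op not in RIGHTS.get(caller, frozenset()):
            raise PermissionError(f"caller {caller!r} may not {op} certificate data")

    def enumerate(self, caller: str) -> List[str]:
        self._check(caller, "enumerate")
        return sorted(a[len(PARTS[0]):] for a in self._data if a.startswith(PARTS[0]))

    def install(self, caller: str, cert_id: str, user_cert: bytes, issuer_cert: bytes, user_key: bytes) -> None:
        self._check(caller, "install")
        if cert_id in self.enumerate(caller):
            raise FileExistsError(cert_id)
        for prefix, blob in zip(PARTS, (user_cert, issuer_cert, user_key)):
            self._data[prefix + cert_id] = blob

    def delete(self, caller: str, cert_id: str) -> bool:
        self._check(caller, "delete")
        aliases = [p + cert_id for p in PARTS]
        if not all(a in self._data for a in aliases):
            return False
        for a in aliases:
            del self._data[a]
        return True

    def read(self, caller: str, cert_id: str) -> Dict[str, bytes]:
        self._check(caller, "read")
        try:
            return {p: self._data[p + cert_id] for p in PARTS}
        except KeyError:
            raise LookupError(cert_id) from None


def handle_intent(store: SecureCertStore, action: str, extras: dict,
                  confirm: Callable[[str], bool] = lambda prompt: True) -> Tuple[int, object]:
    """The preset Activity of the system-layer certificate management module (runs as "system").

    Returns (result_code, payload): 1 on success, 0 on failure, as the page defines for
    setResult; the payload is the alias list for GET_ALIASES, otherwise the alias or a
    reason. `confirm` stands in for the user confirmation dialog on deletion.
    """
    caller = "system"
    if action == ACTION_INSTALL:
        cert_id = extras.get("alias")
        if not cert_id:
            return 0, "missing alias"
        if cert_id in store.enumerate(caller):
            return 0, "duplicate alias; re-edit"  # the page prompts the user to re-edit
        store.install(caller, cert_id, extras["user_cert"], extras["issuer_cert"], extras["user_key"])
        return 1, cert_id
    if action == ACTION_GET_ALIASES:
        return 1, store.enumerate(caller)
    if action == ACTION_DELETE:
        cert_id = extras.get("alias")
        if cert_id not in store.enumerate(caller):
            return 0, "not installed"
        if not confirm(f"delete certificate set {cert_id}?"):
            return 0, "cancelled"
        return (1 if store.delete(caller, cert_id) else 0), cert_id
    return 0, "unknown action"
```

The Activity itself never calls `read`: even though it runs the installation, the rights matrix keeps the private key readable only by the "wlan" caller, and the check runs before any storage access so a denied call leaves the store unchanged.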
- in this way, the first terminal, which has the right to apply for the credential of the wireless network, can request the server to download the credential information of the wireless network and send it to the second terminal, so that the second terminal obtains the credential information of the wireless network without manual input by the user; the naming of the credential information (here, the certificate data) can use the default name generated by the terminal, the installation of the certificate can be performed automatically by the terminal, and the terminal can automatically query the certificate data used for networking and automatically connect to the network.
- the first terminal 110 can likewise use the certificate management module 112, in cooperation with other modules, to implement storage and use of the certificate data.
- the way the first terminal 110 stores and uses certificate data is the same as the way the second terminal 120 does, and the design of the certificate management module, storage module and network connection module of the first terminal 110 is the same as described above for the second terminal 120, so it is not repeated here.
- FIG. 3 shows a schematic structural diagram of a processing apparatus for credential information for network connection in an embodiment of the present invention.
- the apparatus is configured in the first terminal and may include, for example, an application module 301;
- the application module 301 is configured to, in response to an instruction requesting a network credential for the second terminal, send a first credential download request to the server, receive the first credential information sent by the server when the user identity verification succeeds, and send the first credential information and the network identifier of the wireless network to be connected directly from the system memory of the first terminal to the second terminal; or
- the application module 301 is configured to, in response to an instruction requesting a network credential for the first terminal, send a second credential download request to the server and receive the second credential information sent by the server when the user identity verification succeeds;
- the first credential download request or the second credential download request carries the user identity information of the first terminal, which the server uses to verify the user identity of the first terminal;
- the first credential information is used by the second terminal to connect to the wireless network corresponding to the network identifier, and the second credential information is used by the first terminal to connect to a wireless network.
- the application module 301 is further configured to send the first credential information and the network identifier to the second terminal by using a point-to-point wireless communication technology that does not require networking.
- the device further includes: a storage module 303 and a network connection module 304;
- the storage module 303 is configured to store the second credential information directly from the first terminal system memory in a secure storage area of the first terminal;
- the network connection module 304 is configured to connect to the wireless network by using the second credential information stored in the secure storage area.
- the second credential information includes certificate data, and correspondingly, as shown in FIG. 5, the apparatus further includes: a certificate management module 302;
- the certificate management module 302 is configured to, before the second credential information is stored directly from the first terminal system memory in the secure storage area of the first terminal, perform naming processing on the certificate data according to the certificate identifier set for the certificate data, and to call the storage module 303 to store the named certificate data directly from the first terminal system memory in the secure storage area of the first terminal.
- the certificate management module 302 is further configured to use the certificate identifier to perform naming processing for each part of the data included in the certificate data, so that each part of the data included in the certificate data has the same certificate identifier.
- the partial data includes user certificate data, issuer certificate data, and a user private key.
- each module that invokes the storage module 303 runs as a different user, and different user identities correspond to different operation rights;
- the certificate management module 302 runs as the system user, and the operation authority includes: calling the storage module 303 to install, delete, and enumerate the certificate data, but cannot invoke the storage module 303 to read the certificate data;
- the network connection module 304 runs as the wlan user, and the operation authority includes: calling the storage module 303 to read the certificate data and the certificate identifier, but cannot invoke the storage module 303 to install and delete the certificate data.
- the certificate installation interface, the certificate deletion interface and the certificate identifier enumeration interface of the certificate management module 302, through which the storage module 303 is invoked to install, delete and enumerate the certificate data, are designed using the Intent mechanism of Android: an Activity is preset in the system and related Intent Actions are defined; the application module 301 sends the related Intent Action to the Activity, and the Activity installs certificate data, deletes certificate data, or enumerates certificate identifiers according to the Intent Action.
- the network connection module 304 is further configured to, in response to a manual connection instruction, invoke the certificate management module 302 to enumerate the certificate identifiers of all certificate data in the secure storage area, call the storage module 303 to read the certificate data corresponding to the manually selected certificate identifier, and connect to the wireless network using the read certificate data.
- when the network connection module 304, in response to an automatic connection instruction, invokes the storage module 303 to query the secure storage area for the certificate data for connecting to the wireless network:
- the network connection module 304 is configured to invoke the storage module 303 to read WAPI certificate data in the secure storage area;
- the network connection module 304 is configured to associate with the wireless access point AP, receive the authentication activation packet sent by the wireless access point AP, and obtain an identity field of the local authentication service unit ASU in the authentication activation packet.
- the network connection module 304 is configured to obtain identity information of the WAPI certificate data by traversing the read WAPI certificate data;
- the network connection module 304 is configured to, when the identity information matches the identity field of the local authentication service unit ASU, determine that the WAPI certificate data corresponding to that identity information is the certificate data used to connect to the wireless network.
- the network configuration interface of the network connection module 304 is obtained by modifying the WifiConfiguration class of the Android system; the modified WifiConfiguration class includes:
- a member variable describing the key type of the pre-shared key, a member variable describing the content of the pre-shared key, a member variable describing the certificate selection mode, and a member variable describing the certificate identifier of the certificate selected in manual mode.
- the network configuration interface of the network connection module 304 is further obtained by modifying the KeyMgmt class nested in the WifiConfiguration class; the modified KeyMgmt class includes the definition of the WAPI pre-shared key type and the definition of the WAPI certificate type.
- for the specific ways in which the certificate management module, the storage module and the network connection module of the first terminal store and use the second credential information for networking, reference may be made to the description above of how the certificate management module, the storage module and the network connection module of the second terminal store and use the first credential information; this is not repeated here.
- in this way, the first terminal, which has the right to apply for the credential of the wireless network, can request the server to download the credential information of the wireless network, so that the first terminal obtains the credential information without manual input by the user and can use it to connect to the wireless network. Thus, in connecting the first terminal to the wireless network, the user is spared the manual input of the credential information, which simplifies operation, and the credential information need not be announced publicly, which avoids leakage of the wireless network's credential information and improves the security of the wireless network.
- FIG. 6 shows a schematic structural diagram of a processing apparatus for credential information for network connection in an embodiment of the present invention.
- the apparatus is configured in the second terminal and may include, for example, an application module 601, a storage module 603, and a network connection module 604;
- the application module 601 is configured to receive the first credential information and the network identifier of the wireless network to be connected sent by the first terminal, where the first credential information is downloaded from the server by the first terminal in response to an instruction requesting a network credential for the second terminal and sent to the second terminal;
- the storage module 603 is configured to directly store the first credential information from a second terminal system memory in a secure storage area of the second terminal;
- the network connection module 604 is configured to connect the wireless network corresponding to the network identifier by using the first credential information in the secure storage area.
- the application module 601 is further configured to receive the first credential information and the network identifier sent by the first terminal by using a point-to-point wireless communication technology that does not require networking.
- the first credential information includes certificate data; correspondingly, as shown in FIG. 7, the apparatus further includes: a certificate management module 602;
- the certificate management module 602 is configured to, before the first credential information is stored directly from the second terminal system memory in the secure storage area of the second terminal, perform naming processing on the certificate data according to the certificate identifier set for the certificate data, and to call the storage module 603 to store the named certificate data directly from the second terminal system memory in the secure storage area of the second terminal.
- the certificate management module 602 is further configured to perform naming processing for each part of the data included in the certificate data by using the certificate identifier, so that each part of the data included in the certificate data has the same certificate identifier.
- the partial data includes user certificate data, issuer certificate data, and a user private key.
- each module that invokes the storage module 603 runs as a different user, and different user identities correspond to different operation rights;
- the certificate management module 602 runs as the system user, and the operation authority includes: calling the storage module 603 to install, delete, and enumerate the certificate data, but cannot invoke the storage module 603 to read the certificate data;
- the network connection module 604 runs as the wlan user, and its operation rights include calling the storage module 603 to read the certificate data and the certificate identifiers, but not calling the storage module 603 to install or delete certificate data.
- the certificate installation interface, the certificate deletion interface and the certificate identifier enumeration interface of the certificate management module 602, through which the storage module 603 is invoked to install, delete and enumerate the certificate data, are designed using the Intent mechanism of Android: an Activity is preset in the system and related Intent Actions are defined; the application module 601 sends the related Intent Action to the Activity, and the Activity installs certificate data, deletes certificate data, or enumerates certificate identifiers according to the Intent Action.
- the network connection module 604 is further configured to, in response to a manual connection instruction, invoke the certificate management module 602 to enumerate the certificate identifiers of all certificate data in the secure storage area, call the storage module 603 to read the certificate data corresponding to the manually selected certificate identifier, and connect to the wireless network using the read certificate data.
- when the network connection module 604, in response to an automatic connection instruction, invokes the storage module 603 to query the secure storage area for the certificate data for connecting to the wireless network:
- the network connection module 604 is configured to invoke the storage module 603 to read WAPI certificate data in the secure storage area;
- the network connection module 604 is configured to associate with a wireless access point AP, receive an authentication activation packet sent by the wireless access point AP, and obtain an identity field of a local authentication service unit ASU in the authentication activation packet.
- the network connection module 604 is configured to obtain identity information of the WAPI certificate data by traversing the read WAPI certificate data;
- the network connection module 604 is configured to, upon determining that the identity information matches the identity field of the local authentication service unit ASU, determine that the WAPI certificate data corresponding to that identity information is the certificate data used to connect to the wireless network.
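As an added illustration (not code from the patent), the following Python model covers two points from the description above: the privilege-separated storage module, where the system identity may install, delete and enumerate but not read and the wlan identity may read and enumerate only, and the WAPI automatic certificate selection that traverses the stored certificates and keeps the one whose identity matches the ASU identity field from the authentication activation packet. The packet layout, the choice of the issuer identity as the matched field, and all certificate bytes are constructed assumptions.

```python
from dataclasses import dataclass
import struct

# Permissions per caller identity, as the description states: the certificate
# management module (system user) may install, delete and enumerate but not
# read; the network connection module (wlan user) may read and enumerate only.
PERMISSIONS = {
    "system": {"install", "delete", "enumerate"},
    "wlan": {"read", "enumerate"},
}


class PermissionDenied(Exception):
    """A caller identity tried an operation outside its permissions."""


@dataclass
class WapiCertificate:
    # The three parts are kept together under one certificate identifier,
    # which is what the "naming" step in the description achieves.
    user_cert: bytes
    issuer_cert: bytes
    user_key: bytes
    # Assumption: the identity information matched against the ASU's identity
    # field is the issuer identity carried in the certificate data.
    issuer_identity: str


class SecureStorage:
    """Stand-in for the storage module guarding the secure storage area."""

    def __init__(self):
        self._store = {}  # certificate identifier -> WapiCertificate

    def _check(self, caller, op):
        if op not in PERMISSIONS.get(caller, set()):
            raise PermissionDenied(f"{caller!r} may not {op}")

    def install(self, caller, cert_id, cert):
        self._check(caller, "install")
        self._store[cert_id] = cert

    def delete(self, caller, cert_id):
        self._check(caller, "delete")
        self._store.pop(cert_id, None)

    def enumerate(self, caller):
        self._check(caller, "enumerate")
        return sorted(self._store)

    def read(self, caller, cert_id):
        self._check(caller, "read")
        return self._store[cert_id]


def build_activation_packet(asu_identity):
    """Constructed, simplified authentication activation packet (not the real
    WAPI encoding): flag(1) | id_len(2, big-endian) | ASU identity bytes."""
    body = asu_identity.encode("utf-8")
    return b"\x00" + struct.pack(">H", len(body)) + body


def parse_asu_identity(packet):
    """Extract the local ASU identity field, rejecting a truncated packet
    rather than matching certificates against a partial identity."""
    if len(packet) < 3:
        raise ValueError("packet too short")
    (id_len,) = struct.unpack_from(">H", packet, 1)
    body = packet[3:3 + id_len]
    if len(body) != id_len:
        raise ValueError("truncated ASU identity field")
    return body.decode("utf-8")


def select_wapi_certificate(storage, packet):
    """Automatic mode, run as the wlan user: traverse every stored WAPI
    certificate and return the identifier whose identity matches the ASU's,
    or None when no stored certificate belongs to this network's ASU."""
    asu_identity = parse_asu_identity(packet)
    for cert_id in storage.enumerate("wlan"):
        if storage.read("wlan", cert_id).issuer_identity == asu_identity:
            return cert_id
    return None


def is_denied(fn, *args):
    """True if fn(*args) is refused by the permission check."""
    try:
        fn(*args)
    except PermissionDenied:
        return True
    return False


def demo(asu_identity="CN=Corp ASU"):
    """Install two certificates as 'system', then let the wlan-side automatic
    selection pick the one issued by the ASU named in the activation packet."""
    storage = SecureStorage()
    storage.install("system", "corp-wapi", WapiCertificate(b"uc", b"ic", b"uk", "CN=Corp ASU"))
    storage.install("system", "guest-wapi", WapiCertificate(b"uc", b"ic", b"uk", "CN=Guest ASU"))
    return select_wapi_certificate(storage, build_activation_packet(asu_identity))
```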
- The network configuration interface of the network connection module 604 is obtained by modifying the WifiConfiguration class of the Android system; the modified WifiConfiguration class includes:
- a member variable describing the key type of the pre-shared key, a member variable describing the content of the pre-shared key, a member variable describing the certificate selection mode, and a member variable describing the certificate identifier of the certificate selected in manual mode.
- The network configuration interface of the network connection module 604 is further obtained by modifying the KeyMgmt subclass of the WifiConfiguration class;
- the modified KeyMgmt subclass includes the definition of the WAPI pre-shared key type and the definition of the WAPI certificate type.
- The certificate management module, the storage module and the network connection module located in the second terminal, when using the first credential information for networking, have different implementations of the storage and use of the first credential information; for their functions, refer to the above description, and details are not described herein again.
- The first terminal, which holds the right to apply for credentials for the wireless network, may request the server to download the credential information of the wireless network and send it to the second terminal, so that the second terminal obtains the credential information of the wireless network without manual input by the user and can use that credential information to connect to the wireless network.
- The application module 111 in the first terminal 110 shown in FIG. 1 can not only be built into the first terminal 110 when the terminal is shipped, but can also be built into a third-party application APP, which the user obtains from an external source and installs in the terminal to perform networking operations. Therefore, the embodiment of the present invention further provides an application APP, configured in the first terminal, where the application APP includes an application module;
- The application module is configured to send a first credential download request to the server in response to the instruction to apply for a networking credential for the second terminal, receive the first credential information sent by the server if the user identity verification succeeds, and send the first credential information and the network identifier of the wireless network to be connected directly from the first terminal system memory to the second terminal; or
- The application module is configured to send a second credential download request to the server in response to the instruction to apply for a networking credential for the first terminal, and to receive the second credential information sent by the server if the user identity verification succeeds;
- The first credential download request or the second credential download request carries the user identity information of the first terminal, where the user identity information is used by the server to perform user identity verification on the first terminal;
- The first credential information is used by the second terminal to connect to the wireless network corresponding to the network identifier, and the second credential information is used by the first terminal to connect to a wireless network.
- The application module is further configured to invoke the storage module of the first terminal to store the second credential information directly from the first terminal system memory in a secure storage area of the first terminal;
- The application module is further configured to invoke the network connection module of the first terminal to connect to the wireless network by using the second credential information stored in the secure storage area.
- The second credential information includes certificate data; correspondingly, before the second credential information is stored directly from the first terminal system memory in the secure storage area of the first terminal, the application module is further configured to call the certificate management module of the first terminal to name the certificate data according to the certificate identifier set for it, so that the certificate management module invokes the storage module of the first terminal to store the named certificate data directly from the first terminal system memory in the secure storage area of the first terminal.
- The application module is further configured to invoke the network connection module of the first terminal to perform a network connection operation in response to the automatic connection instruction, so that the network connection module invokes the storage module of the first terminal to query the secure storage area for the certificate data for connecting to the wireless network and connects to the wireless network by using the queried certificate data; or
- The application module is further configured to invoke the network connection module of the first terminal to perform a network connection operation in response to the manual connection instruction, so that the network connection module invokes the certificate management module of the first terminal to enumerate the certificate identifiers of all certificate data in the secure storage area, invokes the storage module of the first terminal to read the corresponding certificate data based on the manually selected certificate identifier, and connects to the wireless network using the read certificate data.
- The application APP configured in the first terminal provided by the embodiment of the present invention has the same functions as the application module 111 shown in FIG. 1 and as the application modules shown in FIGS. 3, 4 and 5; these functions are not described again here.
- The application module 121 in the second terminal 120 shown in FIG. 1 can not only be built into the second terminal 120 when the terminal is shipped from the factory, but can also be built into a third-party application APP, which the user obtains from an external source and installs in the terminal to perform networking operations. Therefore, the embodiment of the present invention further provides an application APP, configured in the second terminal, where the application APP includes an application module;
- The application module is configured to receive the first credential information sent by the first terminal and the network identifier of the wireless network to be connected, where the first credential information is downloaded from the server by the first terminal in response to the instruction to apply for a networking credential for the second terminal and is sent to the second terminal;
- The application module is further configured to invoke the storage module of the second terminal to store the first credential information directly from the second terminal system memory in a secure storage area of the second terminal;
- The application module is further configured to invoke the network connection module of the second terminal to connect to the wireless network corresponding to the network identifier by using the first credential information stored in the secure storage area.
- The first credential information includes certificate data; correspondingly, before the first credential information is stored directly from the second terminal system memory in the secure storage area of the second terminal, the application module is further configured to call the certificate management module of the second terminal to name the certificate data according to the certificate identifier set for it, so that the certificate management module invokes the storage module of the second terminal to store the named certificate data directly from the second terminal system memory in the secure storage area of the second terminal.
- The application module is further configured to invoke the network connection module of the second terminal to perform a network connection operation in response to the automatic connection instruction, so that the network connection module invokes the storage module of the second terminal to query the secure storage area for the certificate data for connecting to the wireless network and connects to the wireless network by using the queried certificate data; or
- The application module is further configured to invoke the network connection module of the second terminal to perform a network connection operation in response to the manual connection instruction, so that the network connection module invokes the certificate management module of the second terminal to enumerate the certificate identifiers of all certificate data in the secure storage area, invokes the storage module of the second terminal to read the corresponding certificate data based on the manually selected certificate identifier, and connects to the wireless network using the read certificate data.
- The application APP configured in the second terminal provided by the embodiment of the present invention has the same functions as the application module 121 shown in FIG. 1 and as the application module shown in FIG.; these functions are not repeated here.
- As for the system embodiment, since it basically corresponds to the method embodiment, reference may be made to the relevant part of the description of the method embodiment.
- The system embodiments described above are merely illustrative; the units described as separate components may or may not be physically separate, and the components displayed as units may or may not be physical units, i.e., they may be located in one place or distributed across multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the embodiment.
- The code can be implemented by a non-transitory computer readable storage medium, and when the instructions in the storage medium are executed by the processor of the terminal, the terminal is caused.
- The various embodiments of the present invention can be understood and carried out by those skilled in the art without departing from the invention.
Claims (34)
- A method for processing credential information for a network connection, characterized in that it comprises: a first terminal, in response to an instruction to apply for a networking credential for a second terminal, sending a first credential download request to a server, wherein the first credential download request carries user identity information of the first terminal, and the user identity information is used by the server to perform user identity verification on the first terminal; the first terminal receiving first credential information sent by the server if the user identity verification succeeds; the second terminal receiving the first credential information, sent directly by the first terminal from the first terminal's system memory, and a network identifier of a wireless network to be connected; the second terminal storing the received first credential information directly from the second terminal's system memory in a secure storage area of the second terminal; and the second terminal connecting to the wireless network corresponding to the network identifier by using the first credential information in the secure storage area.
- The method according to claim 1, characterized in that the first terminal sends the first credential information and the network identifier to the second terminal by using a point-to-point wireless communication technology that does not require forming a network, and the second terminal receives the first credential information and the network identifier sent by the first terminal by using a point-to-point wireless communication technology that does not require forming a network.
- The method according to claim 1, characterized in that the first credential information comprises certificate data; correspondingly, before storing the first credential information directly from the second terminal's system memory in the secure storage area of the second terminal, the method further comprises: the second terminal performing naming processing on the certificate data according to a certificate identifier set for the certificate data; and correspondingly, storing the first credential information in the secure storage area of the second terminal is: storing the certificate data that has undergone naming processing in the secure storage area of the second terminal.
- The method according to claim 3, characterized in that the second terminal performing naming processing on the certificate data according to the certificate identifier set for the certificate data further comprises: the second terminal using the certificate identifier to perform naming processing separately on each part of the data contained in the certificate data, so that each part of the data contained in the certificate data has the same certificate identifier; wherein the parts of the data include user certificate data, issuer certificate data and a user private key.
- The method according to claim 3, characterized in that the second terminal connecting to the wireless network corresponding to the network identifier by using the first credential information comprises: the second terminal, in response to an automatic connection instruction, querying the secure storage area for certificate data used to connect to the wireless network, and connecting to the wireless network by using the queried certificate data; or the second terminal, in response to a manual connection instruction, enumerating the certificate identifiers of all certificate data in the secure storage area, reading the corresponding certificate data based on a manually selected certificate identifier, and connecting to the wireless network by using the read certificate data.
- The method according to claim 5, characterized in that, when the certificate data is WAPI certificate data, correspondingly, the second terminal querying the secure storage area for certificate data used to connect to the wireless network comprises: the second terminal reading the WAPI certificate data in the secure storage area; associating with a wireless access point AP, receiving an authentication activation packet sent by the wireless access point AP, and obtaining the identity field of the local authentication service unit ASU in the authentication activation packet; obtaining identity information of the WAPI certificate data by traversing the read WAPI certificate data; and, when the identity information matches the identity field of the local authentication service unit ASU, determining that the WAPI certificate data corresponding to the identity information is the certificate data used to connect to the wireless network.
- A processing apparatus for credential information for a network connection, configured in a first terminal, characterized in that the apparatus comprises an application module; the application module is configured to, in response to an instruction to apply for a networking credential for a second terminal, send a first credential download request to a server, receive first credential information sent by the server if user identity verification succeeds, and send the first credential information and a network identifier of a wireless network to be connected directly from the first terminal's system memory to the second terminal; or the application module is configured to, in response to an instruction to apply for a networking credential for the first terminal, send a second credential download request to the server and receive second credential information sent by the server if user identity verification succeeds; wherein the first credential download request or the second credential download request carries user identity information of the first terminal, and the user identity information is used by the server to perform user identity verification on the first terminal; the first credential information is used by the second terminal to connect to the wireless network corresponding to the network identifier; and the second credential information is used by the first terminal to connect to a wireless network.
- The apparatus according to claim 7, characterized in that the application module is further configured to send the first credential information and the network identifier to the second terminal by using a point-to-point wireless communication technology that does not require forming a network.
- The apparatus according to claim 7, characterized in that the apparatus further comprises a storage module and a network connection module; the storage module is configured to store the second credential information directly from the first terminal's system memory in a secure storage area of the first terminal; and the network connection module is configured to connect to a wireless network by using the second credential information stored in the secure storage area.
- The apparatus according to claim 9, characterized in that the second credential information comprises certificate data; correspondingly, the apparatus further comprises a certificate management module; the certificate management module is configured to, before the second credential information is stored directly from the first terminal's system memory in the secure storage area of the first terminal, perform naming processing on the certificate data according to a certificate identifier set for the certificate data, and to invoke the storage module to store the certificate data that has undergone naming processing directly from the first terminal's system memory in the secure storage area of the first terminal.
- The apparatus according to claim 10, characterized in that the certificate management module is further configured to use the certificate identifier to perform naming processing separately on each part of the data contained in the certificate data, so that each part of the data contained in the certificate data has the same certificate identifier; wherein the parts of the data include user certificate data, issuer certificate data and a user private key.
- The apparatus according to claim 10, characterized in that the modules that invoke the storage module run under different user identities, and different user identities correspond to different operation permissions; wherein the certificate management module runs as the system user, and its operation permissions include invoking the storage module to install and delete certificate data and to enumerate certificate identifiers, but it cannot invoke the storage module to read certificate data; and the network connection module runs as the wlan user, and its operation permissions include invoking the storage module to read certificate data and certificate identifiers, but it cannot invoke the storage module to install or delete certificate data.
- The apparatus according to claim 12, characterized in that, when the certificate management module invokes the storage module to install and delete certificate data and to enumerate certificate identifiers, the certificate installation interface, certificate deletion interface and certificate identifier enumeration interface of the certificate management module are designed using the Intent mechanism of the Android system, comprising: presetting an Activity in the system and defining Intent Actions related to installing certificate data, deleting certificate data and enumerating certificate identifiers; and the application module sending the relevant Intent Action to the Activity, whereupon the Activity performs the operation of installing certificate data, deleting certificate data or enumerating certificate identifiers according to the Intent Action.
- The apparatus according to claim 10, characterized in that the network connection module is further configured to: in response to an automatic connection instruction, invoke the storage module to query the secure storage area for certificate data used to connect to the wireless network, and connect to the wireless network by using the queried certificate data; or, in response to a manual connection instruction, invoke the certificate management module to enumerate the certificate identifiers of all certificate data in the secure storage area, invoke the storage module to read the corresponding certificate data based on a manually selected certificate identifier, and connect to the wireless network by using the read certificate data.
- The apparatus according to claim 14, characterized in that, when the certificate data is WAPI certificate data and the network connection module, in response to an automatic connection instruction, invokes the storage module to query the secure storage area for certificate data used to connect to the wireless network: the network connection module is configured to invoke the storage module to read the WAPI certificate data in the secure storage area; the network connection module is configured to associate with a wireless access point AP, receive an authentication activation packet sent by the wireless access point AP, and obtain the identity field of the local authentication service unit ASU in the authentication activation packet; the network connection module is configured to obtain identity information of the WAPI certificate data by traversing the read WAPI certificate data; and the network connection module is configured to, upon determining that the identity information matches the identity field of the local authentication service unit ASU, determine that the WAPI certificate data corresponding to the identity information is the certificate data used to connect to the wireless network.
- The apparatus according to claim 14, characterized in that the network configuration interface of the network connection module is obtained by modifying the WifiConfiguration class of the Android system; the modified WifiConfiguration class comprises: a member variable describing the key type of a pre-shared key, a member variable describing the content of the pre-shared key, a member variable describing the certificate selection mode, and a member variable describing the certificate identifier of the certificate selected in manual mode.
- The apparatus according to claim 16, characterized in that, when the certificate data is WAPI certificate data, the network configuration interface of the network connection module is further obtained by modifying the KeyMgmt subclass of the WifiConfiguration class; the modified KeyMgmt subclass comprises the definition of a WAPI pre-shared key type and the definition of a WAPI certificate type.
- A processing apparatus for credential information for a network connection, configured in a second terminal, characterized in that the apparatus comprises an application module, a storage module and a network connection module; the application module is configured to receive first credential information sent by a first terminal and a network identifier of a wireless network to be connected, the first credential information being downloaded from a server by the first terminal in response to an instruction to apply for a networking credential for the second terminal and sent to the second terminal; the storage module is configured to store the first credential information directly from the second terminal's system memory in a secure storage area of the second terminal; and the network connection module is configured to connect to the wireless network corresponding to the network identifier by using the first credential information in the secure storage area.
- The apparatus according to claim 18, characterized in that the application module is further configured to receive the first credential information and the network identifier sent by the first terminal by using a point-to-point wireless communication technology that does not require forming a network.
- The apparatus according to claim 18, characterized in that the first credential information comprises certificate data; correspondingly, the apparatus further comprises a certificate management module; the certificate management module is configured to, before the first credential information is stored directly from the second terminal's system memory in the secure storage area of the second terminal, perform naming processing on the certificate data according to a certificate identifier set for the certificate data, and to invoke the storage module to store the certificate data that has undergone naming processing directly from the second terminal's system memory in the secure storage area of the second terminal.
- The apparatus according to claim 20, characterized in that the certificate management module is further configured to use the certificate identifier to perform naming processing separately on each part of the data contained in the certificate data, so that each part of the data contained in the certificate data has the same certificate identifier; wherein the parts of the data include user certificate data, issuer certificate data and a user private key.
- The apparatus according to claim 20, characterized in that the modules that invoke the storage module run under different user identities, and different user identities correspond to different operation permissions; wherein the certificate management module runs as the system user, and its operation permissions include invoking the storage module to install and delete certificate data and to enumerate certificate identifiers, but it cannot invoke the storage module to read certificate data; and the network connection module runs as the wlan user, and its operation permissions include invoking the storage module to read certificate data and certificate identifiers, but it cannot invoke the storage module to install or delete certificate data.
- The apparatus according to claim 22, characterized in that, when the certificate management module invokes the storage module to install and delete certificate data and to enumerate certificate identifiers, the certificate installation interface, certificate deletion interface and certificate identifier enumeration interface of the certificate management module are designed using the Intent mechanism of the Android system, comprising: presetting an Activity in the system and defining Intent Actions related to installing certificate data, deleting certificate data and enumerating certificate identifiers; and the application module sending the relevant Intent Action to the Activity, whereupon the Activity performs the operation of installing certificate data, deleting certificate data or enumerating certificate identifiers according to the Intent Action.
- The apparatus according to claim 20, characterized in that the network connection module is further configured to: in response to an automatic connection instruction, invoke the storage module to query the secure storage area for certificate data used to connect to the wireless network, and connect to the wireless network by using the queried certificate data; or, in response to a manual connection instruction, invoke the certificate management module to enumerate the certificate identifiers of all certificate data in the secure storage area, invoke the storage module to read the corresponding certificate data based on a manually selected certificate identifier, and connect to the wireless network by using the read certificate data.
- 根据权利要求24所述的装置,其特征在于,当所述证书数据为WAPI证书数据,所述网络连接模块响应于自动连接指令,调用所述存储模块在所述安全存储区内查询用于连接所述无线网络的证书数据时,The apparatus according to claim 24, wherein when said certificate data is WAPI certificate data, said network connection module invokes said storage module to query said secure storage area for connection in response to an automatic connection instruction When the certificate data of the wireless network is所述网络连接模块,用于调用所述存储模块读取所述安全存储区内的WAPI证书数据;The network connection module is configured to invoke the storage module to read WAPI certificate data in the secure storage area;所述网络连接模块,用于与无线接入点AP进行关联,接收所述无线接入点AP发送的鉴别激活分组,取得所述鉴别激活分组中的本地鉴别服务单元ASU的身份字段;The network connection module is configured to associate with a wireless access point AP, receive an authentication activation packet sent by the wireless access point AP, and obtain an identity field of a local authentication service unit ASU in the authentication activation packet;所述网络连接模块,用于通过遍历读取的所述WAPI证书数据,获取WAPI证书数据的身份信息;The network connection module is configured to obtain identity information of WAPI certificate data by traversing the read WAPI certificate data;所述网络连接模块,用于在判断所述身份信息与所述本地鉴别服务单元ASU的身份字段相匹配时,确定所述身份信息对应的WAPI证书数据为用于连接所述无线网络的证书数据。The network connection module is configured to: when determining that the identity information matches an identity field of the local authentication service unit ASU, determine that the WAPI certificate data corresponding to the identity information is a certificate data used to connect to the wireless network. .
- 根据权利要求24所述的装置,其特征在于,所述网络连接模块的网络配置接口通过修改安卓***的WifiConfiguration类得到;修改后的WifiConfiguration类包括:The device according to claim 24, wherein the network configuration interface of the network connection module is obtained by modifying a WifiConfiguration class of the Android system; the modified WifiConfiguration class includes:描述预共享密钥的密钥类型的成员变量、描述预共享密钥内容的成员变量、描述证书选择模式的成员变量以及描述手动模式下所选择证书的证书标识的成员变量。A member variable describing the key type of the pre-shared key, a member variable describing the content of the pre-shared key, a member variable describing the certificate selection mode, and a member variable describing the certificate identifier of the selected certificate in the manual mode.
- 根据权利要求26所述的装置,其特征在于,当所述证书数据为WAPI证书数据时,所述网络连接模块的网络配置接口进一步通过修改WifiConfiguration类的KeyMgmt子类得到;The device according to claim 26, wherein when the certificate data is WAPI certificate data, the network configuration interface of the network connection module is further obtained by modifying a KeyMgmt subclass of the WifiConfiguration class;修改后的KeyMgmt子类包括:WAPI预共享密钥类型的定义以及WAPI证书类型的定义。The modified KeyMgmt subclass includes: the definition of the WAPI pre-shared key type and the definition of the WAPI certificate type.
- 一种应用APP,配置于第一终端,其特征在于,所述应用APP包括:应用模块,An application APP is configured in the first terminal, where the application APP includes: an application module,所述应用模块,用于响应于为第二终端申请连网凭证的指令,向服务器发送第一凭证下载请求,接收所述服务器在用户身份验证成功的情况下发送的第一凭证信息,以及,从第一终端***内存中直接向第二终端发送所述第一凭证信息以及待连接的无线网络的网络标识;或者,The application module is configured to send a first credential download request to the server in response to the instruction for requesting the network credential for the second terminal, and receive the first credential information sent by the server in the case that the user identity verification succeeds, and Sending the first credential information and the network identifier of the wireless network to be connected directly from the first terminal system memory to the second terminal; or所述应用模块,用于响应于为第一终端申请连网凭证的指令,向服务器发送第二凭证下载请求,接收所述服务器在用户身份验证成功的情况下发送的第二凭证信息;The application module is configured to send a second credential download request to the server in response to the instruction for requesting the network credential for the first terminal, and receive the second credential information sent by the server if the user identity verification succeeds;其中,所述第一凭证下载请求或所述第二凭证下载请求中携带所述第一终端的用户身份信息,所述用户身份信息用于所述服务器对所述第一终端进行用户身份验证;所述第一凭证信息用于所述第二终端连接所述网络标识对应的无线网络;所述第二凭证信息用于所述第一终端连接无线网络。The first credential download request or the second credential download request carries the user identity information of the first terminal, where the user identity information is used by the server to perform user identity verification on the first terminal; The first credential information is used by the second terminal to connect to a wireless network corresponding to the network identifier; and the second credential information is used to connect the first terminal to a wireless network.
- 根据权利要求28所述的应用APP,其特征在于,The application APP according to claim 28, characterized in that所述应用模块,还用于调用第一终端的存储模块将所述第二凭证信息从第一终端***内存中直接存储在第一终端的安全存储区;The application module is further configured to invoke the storage module of the first terminal to directly store the second credential information from the first terminal system memory in a secure storage area of the first terminal;所述应用模块,还用于调用第一终端的网络连接模块使用存储在所述安全存储区的所述第二凭证信息连接无线网络。The application module is further configured to invoke a network connection module of the first terminal to connect to the wireless network by using the second credential information stored in the secure storage area.
- 根据权利要求29所述的应用APP,其特征在于,所述第二凭证信息包括证书数据;相应的,在将所述第二凭证信息从第一终端***内存中直接存储在第一终端的安全存储区之前,所述应用模块还用于调用第一终端的证书管理模块,执行根据为所述证书数据设置的证书标识对所述证书数据进行命名处理的操作,以便所述证书管理模块调用第一终端的存储模块将经过命名处理的所述证书数据从第一终端***内存中直接存储在第一终端的安全存储区。The application APP according to claim 29, wherein the second credential information comprises certificate data; and correspondingly, the second credential information is directly stored in the first terminal system from the first terminal system memory. Before the storage area, the application module is further configured to invoke a certificate management module of the first terminal, and perform an operation of naming the certificate data according to the certificate identifier set for the certificate data, so that the certificate management module invokes the The storage module of the terminal stores the certificate data subjected to the naming process directly from the memory of the first terminal system in the secure storage area of the first terminal.
- 根据权利要求30所述的应用APP,其特征在于,The application APP according to claim 30, characterized in that所述应用模块,还用于调用第一终端的网络连接模块响应于自动连接指令后执行网络连接操作,以便所述网络连接模块调用第一终端的存储模块在所述安全存储区内查询用于连接所述无线网络的证书数据,使用查询到的所述证书数据连接到所述无线网络;或者,The application module is further configured to invoke a network connection module of the first terminal to perform a network connection operation in response to the automatic connection instruction, so that the network connection module invokes a storage module of the first terminal to query the security storage area for querying Connecting to the certificate data of the wireless network, using the queried certificate data to connect to the wireless network; or所述应用模块,还用于调用第一终端的网络连接模块响应于手动连接指令后执行网络连接操作,以便所述网络连接模块调用第一终端的证书管理模块枚举出所述安全存储区内所有证书数据的证书标识,以及调用第一终端的存储模块基于手动选择的证书标识读取对应的证书数据,使用读取的所述证书数据连接到所述无线网络。The application module is further configured to invoke a network connection module of the first terminal to perform a network connection operation in response to the manual connection instruction, so that the network connection module invokes a certificate management module of the first terminal to enumerate the secure storage area. The certificate identifier of all the certificate data, and the storage module invoking the first terminal reads the corresponding certificate data based on the manually selected certificate identifier, and connects to the wireless network using the read certificate data.
- 一种应用APP,配置于第二终端,其特征在于,所述应用APP包括:应用模块,An application APP is configured in the second terminal, where the application APP includes: an application module,所述应用模块,用于接收第一终端发送的第一凭证信息以及待连接的无线网络的网络标识,所述第一凭证信息是第一终端响应于为第二终端申请连网凭证的指令而从服务器下载并向第二终端发送的;The application module is configured to receive first credential information sent by the first terminal and a network identifier of the wireless network to be connected, where the first credential information is that the first terminal responds to the instruction for applying for the network credential for the second terminal. Downloaded from the server and sent to the second terminal;所述应用模块,还用于调用第二终端的存储模块将所述第一凭证信息从第二终端***内存中直接存储在第二终端的安全存储区;The application module is further configured to invoke the storage module of the second terminal to directly store the first credential information from the second terminal system memory in a secure storage area of the second terminal;所述应用模块,还用于调用第二终端的网络连接模块使用存储在所述安全存储区的所述第一凭证信息连接所述网络标识对应的无线网络。The application module is further configured to invoke a network connection module of the second terminal to connect to the wireless network corresponding to the network identifier by using the first credential information stored in the secure storage area.
- 根据权利要求32所述的应用APP,其特征在于,所述第一凭证信息包括证书数据;相应的,在将所述第一凭证信息从第二终端***内存中直接存储在第二终端的安全存储区之前,所述应用模块还用于调用第二终端的证书管理模块,执行根据为所述证书数据设置的证书标识对所述证书数据进行命名处理的操作,以便所述证书管理模块调用第二终端的存储模块将经过命名处理的所述证书数据从第二终端***内存中直接存储在第二终端的安全存储区。The application APP according to claim 32, wherein the first credential information comprises certificate data; and correspondingly, the first credential information is directly stored in the second terminal system memory from the second terminal. Before the storage area, the application module is further configured to invoke a certificate management module of the second terminal, and perform an operation of naming the certificate data according to the certificate identifier set for the certificate data, so that the certificate management module invokes the The storage module of the second terminal directly stores the certificate data subjected to the naming process from the second terminal system memory in the secure storage area of the second terminal.
- 根据权利要求33所述的应用APP,其特征在于,The application APP according to claim 33, wherein所述应用模块,还用于调用第二终端的网络连接模块响应于自动连接指令后执行网络连接操作,以便所述网络连接模块调用第二终端的存储模块在所述安全存储区内查询用于连接所述无线网络的证书数据,使用查询到的所述证书数据连接到所述无线网络;或者,The application module is further configured to invoke a network connection module of the second terminal to perform a network connection operation in response to the automatic connection instruction, so that the network connection module invokes a storage module of the second terminal to query the secure storage area for querying Connecting to the certificate data of the wireless network, using the queried certificate data to connect to the wireless network; or所述应用模块,还用于调用第二终端的网络连接模块响应于手动连接指令后执行网络连接操作,以便所述网络连接模块调用第二终端的证书管理模块枚举出所述安全 存储区内所有证书数据的证书标识,以及调用第二终端的存储模块基于手动选择的证书标识读取对应的证书数据,使用读取的所述证书数据连接到所述无线网络。The application module is further configured to invoke a network connection module of the second terminal to perform a network connection operation in response to the manual connection instruction, so that the network connection module invokes a certificate management module of the second terminal to enumerate the secure storage area. The certificate identifier of all the certificate data, and the storage module invoking the second terminal reads the corresponding certificate data based on the manually selected certificate identifier, and connects to the wireless network using the read certificate data.
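The automatic WAPI certificate selection of claim 25 (read the stored certificates, take the local ASU identity from the AP's authentication activation packet, pick the certificate whose identity matches), written out as an added example that is not code from the patent. The packet layout, the `WapiCertificate` record and the sample certificates are constructed for illustration and are not the real WAPI wire format; an unmatched or ambiguous result returns `None` so the caller can fall back to the manual path of claim 24.

```python
# Added example (not from the patent): automatic WAPI certificate selection as in claim 25.
# The packet layout and sample data are constructed for illustration, not the WAPI wire format.
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class WapiCertificate:
    """A certificate entry as the storage module returns it from the secure storage area."""
    cert_id: str   # certificate identifier assigned by the naming step (claims 30/33)
    identity: str  # identity information carried by the certificate (its issuing ASU)


def parse_local_asu_identity(activation_packet: bytes) -> str:
    """Extract the local ASU identity field from an authentication activation packet.

    Assumed simplified layout: 1-byte flag | 2-byte big-endian identity length | identity.
    """
    if len(activation_packet) < 3:
        raise ValueError("authentication activation packet too short")
    length = int.from_bytes(activation_packet[1:3], "big")
    identity = activation_packet[3:3 + length]
    if len(identity) != length:
        # The announced length comes from the network; never trust it blindly.
        raise ValueError("truncated ASU identity field")
    return identity.decode("utf-8")


def select_certificate(activation_packet: bytes,
                       stored: Iterable[WapiCertificate]) -> Optional[WapiCertificate]:
    """Return the single stored certificate whose identity matches the AP's local ASU.

    None means no match or an ambiguous match: the caller should fall back to the
    manual selection path (enumerate identifiers, let the user choose) rather than guess.
    """
    asu_identity = parse_local_asu_identity(activation_packet)
    matches = [c for c in stored if c.identity == asu_identity]
    return matches[0] if len(matches) == 1 else None


def build_activation_packet(asu_identity: str) -> bytes:
    """Construct a packet in the same simplified layout (used for the sample run below)."""
    body = asu_identity.encode("utf-8")
    return b"\x00" + len(body).to_bytes(2, "big") + body


# Constructed sample: two certificates from different ASUs held in the secure storage area.
STORED_CERTS = [
    WapiCertificate("home-wlan", "CN=ASU-Home,O=Example"),
    WapiCertificate("corp-wlan", "CN=ASU-Corp,O=Example"),
]

if __name__ == "__main__":
    pkt = build_activation_packet("CN=ASU-Corp,O=Example")
    chosen = select_certificate(pkt, STORED_CERTS)
    print(chosen.cert_id if chosen else "no unique match; use manual selection")
```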
Priority Applications (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR1020197021587A KR102200936B1 (en) | 2017-03-01 | 2018-02-27 | Credential information processing method and device for network connection, and application program (APP) |
EP18761355.9A EP3592017B1 (en) | 2017-03-01 | 2018-02-27 | Credential information processing method and apparatus for network connection, and application (app) |
JP2019560452A JP6917474B2 (en) | 2017-03-01 | 2018-02-27 | Credential processing method, device, and application APP for network connection |
US16/482,475 US11751052B2 (en) | 2017-03-01 | 2018-02-27 | Credential information processing method and apparatus for network connection, and application (APP) |
Applications Claiming Priority (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710117743 | 2017-03-01 | ||
CN201710117743.0 | 2017-03-01 | ||
CN201710150249.4A CN108696868B (en) | 2017-03-01 | 2017-03-14 | Processing method and device of credential information for network connection |
CN201710150249.4 | 2017-03-14 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2018157782A1 true WO2018157782A1 (en) | 2018-09-07 |
Family
ID=63369805
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2018/077364 WO2018157782A1 (en) | 2017-03-01 | 2018-02-27 | Credential information processing method and apparatus for network connection, and application (app) |
Country Status (1)
Country | Link |
---|---|
WO (1) | WO2018157782A1 (en) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2020088673A (en) * | 2018-11-28 | 2020-06-04 | Necプラットフォームズ株式会社 | Radio communication device, communication system and setting information provision program |
US11405216B2 (en) * | 2020-05-07 | 2022-08-02 | Adp, Inc. | System for authenticating verified personal credentials |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102026197A (en) * | 2010-12-31 | 2011-04-20 | 东莞宇龙通信科技有限公司 | Method and device for acquiring WAPI (wireless LAN authentication and privacy infrastructure) digital certificate |
CN103220669A (en) * | 2012-01-19 | 2013-07-24 | ***通信集团公司 | Share method, system, server, terminal and gateway management server of private wireless local area network (WLAN) |
CN105636030A (en) * | 2016-01-29 | 2016-06-01 | 北京小米移动软件有限公司 | Method and device for sharing access point |
US20160261587A1 (en) * | 2012-03-23 | 2016-09-08 | Cloudpath Networks, Inc. | System and method for providing a certificate for network access |
CN105959971A (en) * | 2016-06-30 | 2016-09-21 | 维沃移动通信有限公司 | WiFi password sharing method and mobile terminal |
Non-Patent Citations (1)
Title |
---|
See also references of EP3592017A4 * |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 18761355; Country of ref document: EP; Kind code of ref document: A1 |
| ENP | Entry into the national phase | Ref document number: 20197021587; Country of ref document: KR; Kind code of ref document: A |
| ENP | Entry into the national phase | Ref document number: 2019560452; Country of ref document: JP; Kind code of ref document: A |
| NENP | Non-entry into the national phase | Ref country code: DE |
| ENP | Entry into the national phase | Ref document number: 2018761355; Country of ref document: EP; Effective date: 20191001 |