WO2018157782A1 - Credential information processing method and apparatus for network connection, and application (app) - Google Patents


Info

Publication number
WO2018157782A1
Authority
WO
WIPO (PCT)
Prior art keywords
terminal
certificate
module
certificate data
network
Application number
PCT/CN2018/077364
Other languages
French (fr)
Chinese (zh)
Inventor
田玉存
张伟
童伟刚
颜湘
Original Assignee
西安西电捷通无线网络通信股份有限公司
Priority claimed from CN201710150249.4A external-priority patent/CN108696868B/en
Application filed by 西安西电捷通无线网络通信股份有限公司 filed Critical 西安西电捷通无线网络通信股份有限公司
Priority to KR1020197021587A priority Critical patent/KR102200936B1/en
Priority to EP18761355.9A priority patent/EP3592017B1/en
Priority to JP2019560452A priority patent/JP6917474B2/en
Priority to US16/482,475 priority patent/US11751052B2/en
Publication of WO2018157782A1 publication Critical patent/WO2018157782A1/en

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/06 Authentication
    • H04W 12/069 Authentication using certificates or pre-shared keys
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 84/00 Network topologies
    • H04W 84/02 Hierarchically pre-organised networks, e.g. paging networks, cellular networks, WLAN [Wireless Local Area Network] or WLL [Wireless Local Loop]
    • H04W 84/10 Small scale networks; Flat hierarchical networks
    • H04W 84/12 WLAN [Wireless Local Area Networks]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 48/00 Access restriction; Network selection; Access point selection
    • H04W 48/16 Discovering, processing access restriction or access information

Definitions

  • The present invention relates to the field of communications technologies, and in particular to a method, an apparatus, and an application (APP) for processing credential information for a network connection.
  • When a terminal accesses a wireless network, it usually has to provide networking credential information to the wireless network, and the terminal is allowed access only after the credential information has been verified.
  • For example, the terminal can use the network name and connection password of the wireless network: it requests to connect to the wireless network corresponding to the network name, and after the entered connection password is verified, the terminal is allowed to access the wireless network.
  • At present, the wireless network provider needs to announce the credential information for connecting to the wireless network to the user of the terminal, and the user of the terminal needs to enter the credential information manually on the terminal.
  • For example, user X provides a wireless network in the home, that is, user X is a wireless network provider.
  • User Y enters the connection password manually to make the network connection; when the connection password is complicated or lengthy, it is not only inconvenient for user Y to remember but also cumbersome to type. It can be seen that, on the one hand, the user's operation is inconvenient when connecting the terminal to the wireless network; on the other hand, the credential information of the wireless network is announced publicly, which may lead to security risks.
  • The technical problem to be solved by the present invention is to provide a method, a device and an application (APP) for processing credential information for a network connection, so that a terminal can obtain the credential information of the wireless network and use it to connect without manual input by the user.
  • This not only simplifies and facilitates the user's networking operations, but also avoids disclosing the networking credential information, improving the security of users' wireless networks.
  • An embodiment of the present invention provides a method for processing credential information for a network connection, where the method includes:
  • the first terminal sends a first credential download request to the server in response to an instruction to apply for a network credential for the second terminal, where the first credential download request carries the user identity information of the first terminal, and the user identity information is used by the server to perform user identity verification on the first terminal;
  • the second terminal receives, from the first terminal, the first credential information sent directly from the first terminal's system memory, together with the network identifier of the wireless network to be connected;
  • the second terminal stores the received first credential information directly from the second terminal's system memory into a secure storage area of the second terminal;
  • the second terminal connects to the wireless network corresponding to the network identifier by using the first credential information in the secure storage area.
  • An embodiment of the present invention provides a device for processing credential information for a network connection, configured in a first terminal, where the device includes an application module;
  • the application module is configured to send a first credential download request to the server in response to an instruction to apply for a network credential for the second terminal, receive the first credential information sent by the server when user identity verification succeeds, and send the first credential information and the network identifier of the wireless network to be connected directly from the first terminal's system memory to the second terminal; or
  • the application module is configured to send a second credential download request to the server in response to an instruction to apply for a network credential for the first terminal, and receive the second credential information sent by the server when user identity verification succeeds;
  • the first credential download request or the second credential download request carries the user identity information of the first terminal, and the user identity information is used by the server to perform user identity verification on the first terminal;
  • the first credential information is used by the second terminal to connect to the wireless network corresponding to the network identifier, and the second credential information is used by the first terminal to connect to a wireless network.
  • An embodiment of the present invention provides a device for processing credential information for a network connection, configured in a second terminal, where the device includes an application module, a storage module, and a network connection module;
  • the application module is configured to receive the first credential information sent by the first terminal and the network identifier of the wireless network to be connected, where the first credential information is downloaded from the server by the first terminal in response to an instruction to apply for a network credential for the second terminal and then sent to the second terminal;
  • the storage module is configured to store the first credential information directly from the second terminal's system memory into a secure storage area of the second terminal;
  • the network connection module is configured to connect to the wireless network corresponding to the network identifier by using the first credential information in the secure storage area.
  • An embodiment of the present invention provides an application (APP), configured in a first terminal, where the application includes an application module;
  • the application module is configured to send a first credential download request to the server in response to an instruction to apply for a network credential for the second terminal, receive the first credential information sent by the server when user identity verification succeeds, and send the first credential information and the network identifier of the wireless network to be connected directly from the first terminal's system memory to the second terminal; or
  • the application module is configured to send a second credential download request to the server in response to an instruction to apply for a network credential for the first terminal, and receive the second credential information sent by the server when user identity verification succeeds;
  • the first credential download request or the second credential download request carries the user identity information of the first terminal, and the user identity information is used by the server to perform user identity verification on the first terminal;
  • the first credential information is used by the second terminal to connect to the wireless network corresponding to the network identifier, and the second credential information is used by the first terminal to connect to a wireless network.
  • An embodiment of the present invention provides an application (APP), configured in a second terminal, where the application includes an application module;
  • the application module is configured to receive the first credential information sent by the first terminal and the network identifier of the wireless network to be connected, where the first credential information is downloaded from the server by the first terminal in response to an instruction to apply for a network credential for the second terminal and then sent to the second terminal;
  • the application module is further configured to invoke the storage module of the second terminal to store the first credential information directly from the second terminal's system memory into a secure storage area of the second terminal;
  • the application module is further configured to invoke the network connection module of the second terminal to connect to the wireless network corresponding to the network identifier by using the first credential information stored in the secure storage area.
  • Compared with the prior art, the present invention has the following advantages:
  • the first terminal, which holds the credential application right for the wireless network, can request the server to download the credential information for connecting to the wireless network, and send the credential information together with the network identifier of the wireless network to the second terminal;
  • the second terminal can therefore obtain the networking credential information and the network identifier of the wireless network without manual input, and use the credential information to connect to the wireless network corresponding to the network identifier.
  • FIG. 1 is a schematic diagram of an exemplary application scenario in an embodiment of the present invention.
  • FIG. 2 is a schematic flowchart of a method for processing credential information for a network connection according to an embodiment of the present invention.
  • FIG. 3 is a schematic structural diagram of a device for processing credential information for a network connection according to an embodiment of the present invention.
  • FIG. 4 is a schematic structural diagram of a device for processing credential information for a network connection according to an embodiment of the present invention.
  • FIG. 5 is a schematic structural diagram of a device for processing credential information for a network connection according to an embodiment of the present invention.
  • FIG. 6 is a schematic structural diagram of a device for processing credential information for a network connection according to an embodiment of the present invention.
  • FIG. 7 is a schematic structural diagram of a device for processing credential information for a network connection according to an embodiment of the present invention.
  • In the prior art, the wireless network provider needs to inform the user of the terminal of the credential information for connecting to the wireless network, and the user of the terminal then manually enters or installs the credential information on the terminal in order to connect the terminal to the wireless network.
  • On the one hand, the user needs to memorize the credential information (such as a password) used to connect to the wireless network and enter it manually in the wireless network connection interface of the terminal, so the user's operation is cumbersome; on the other hand, the wireless network provider needs to announce the networking credential information to the other users who connect terminals to the wireless network, and the credential information is easily leaked when it is published.
  • Once the credential information is obtained by a malicious user, the malicious user may attack the wireless network, so the security of the wireless network is clearly at risk.
  • In the embodiments of the present invention, the wireless network provider uses the first terminal, which has the credential application right for the wireless network; that is, the user identity information provided by the first terminal can be verified by the server, so that the networking credential information can be downloaded from the server.
  • The wireless network provider can use the first terminal to request the server to download the networking credential information, and send the network identifier of the wireless network and the networking credential information to the second terminal, so that the second terminal can obtain the network identifier and credential information of the wireless network without manual input and use the credential information to connect to the wireless network corresponding to the network identifier.
  • In this way the network connection operation is simplified, and the wireless network provider does not need to tell the user of the second terminal the credential information.
  • Since the networking credential information is no longer announced, the possibility that a malicious user obtains leaked credential information and attacks the wireless network is reduced, thereby improving the security of the wireless network.
  • FIG. 1 is a schematic diagram of an exemplary application scenario in an embodiment of the present invention.
  • The first terminal 110 can interact with the server 130 through a wireless access point (AP, also referred to as a wireless router), and the first terminal 110 can interact with the second terminal 120.
  • The first terminal 110 may include, for example, an application module 111, a certificate management module 112, a storage module 113, and a network connection module 114.
  • The second terminal 120 may include, for example, an application module 121, a certificate management module 122, a storage module 123, and a network connection module 124.
  • In some possible implementations, the first terminal 110 may include only the application module 111, and the application module 111 may send the first credential download request to the server in response to an instruction to apply for a network credential for another terminal (the second terminal 120 in the embodiment of the present invention).
  • The instruction to apply for a networking credential for the other terminal may be generated by the first terminal 110, or may be generated by the second terminal 120 and sent to the first terminal 110 by the application module 121.
  • The first credential download request carries the user identity information provided by the first terminal 110.
  • The server 130 may perform user identity verification on the first terminal 110 according to the user identity information, and send the first credential information to the first terminal 110 if the user identity verification of the first terminal 110 succeeds.
  • The first terminal 110 may receive the first credential information through the application module 111, and send the first credential information and the network identifier of the wireless network to be connected to the second terminal 120.
  • Correspondingly, the second terminal 120 may include only the application module 121, the storage module 123, and the network connection module 124.
  • The second terminal 120 receives the first credential information and the network identifier through the application module 121, stores the first credential information in the secure storage area of the second terminal 120, and connects, through the network connection module 124, to the wireless network corresponding to the network identifier by using the first credential information stored in the secure storage area of the second terminal 120.
  • The network identifier may be manually entered by the wireless network provider on the sending interface through which the first terminal 110 sends the first credential information to the second terminal 120, or it may be generated by default by the first terminal 110 on that sending interface.
  • The sending interface is displayed on the first terminal 110.
  • In other possible implementations, the application module 111 of the first terminal 110 may further send a second credential download request to the server in response to an instruction to apply for a network credential for the terminal itself (in the embodiment of the present invention, the first terminal), where the second credential download request carries the user identity information provided by the first terminal 110.
  • In this case the first terminal 110 includes the storage module 113 and the network connection module 114 in addition to the application module 111.
  • The server 130 performs user identity verification on the first terminal 110 according to the user identity information, and sends the second credential information to the first terminal 110 if the user identity verification of the first terminal 110 succeeds.
  • The first terminal 110 receives the second credential information through the application module 111, stores the second credential information in the secure storage area of the first terminal 110 through the storage module 113, and connects to the wireless network through the network connection module 114 by using the second credential information in the secure storage area of the first terminal 110.
  • The credential information used to connect to the wireless network may be a network connection password, which generally applies to a WIFI network environment and may also apply to a WAPI pre-shared key type network environment; either way it enables the second terminal to be connected.
  • In this way, the network provider does not need to disclose the networking credential information (such as a network connection password) to the user of the second terminal, which avoids leakage of the credential information and the resulting danger to the security of the wireless network; and the user of the second terminal can complete the network connection without manually entering the networking credential information (such as the network connection password) on the second terminal, which improves the convenience of connecting the terminal to the network.
  • The second terminal 120 may further include a certificate management module 122 in addition to the application module 121, the storage module 123, and the network connection module 124.
  • The certificate management module 122 may be configured to, before the first credential information is stored in the secure storage area of the second terminal 120, perform naming processing on the certificate data according to the certificate identifier set for the certificate data, and invoke the storage module 123 to store the named certificate data in the secure storage area of the second terminal 120.
  • The first terminal 110 may further include a certificate management module 112 in addition to the application module 111, the storage module 113, and the network connection module 114.
  • The certificate management module 112 may be configured to, before the second credential information is stored in the secure storage area of the first terminal 110, perform naming processing on the certificate data according to the certificate identifier set for the certificate data, and invoke the storage module 113 to store the named certificate data in the secure storage area of the first terminal 110.
  • In the first terminal 110, the application module 111 generally runs at the application layer, while the certificate management module 112, the storage module 113, and the network connection module 114 run at the system layer.
  • In the second terminal 120, the application module 121 typically runs at the application layer, while the certificate management module 122, the storage module 123, and the network connection module 124 run at the system layer. Whether it is the application module 111 or the application module 121, it may be built into the terminal when the terminal leaves the factory, or may be obtained by the user from outside and installed on the terminal after the terminal has left the factory.
  • The application module 111 or the application module 121 can run on the terminal as a third-party application (APP); that is, a third-party APP containing the application module 111 or the application module 121 can be installed on the terminal to let the terminal carry out the networking operation.
  • The application module 111 and the application module 121 can also run at the system layer; an application module running at the system layer is built into the terminal when the terminal leaves the factory.
  • A module running at the application layer can be obtained by the user from outside and installed on the terminal, and can also be uninstalled by the user; a module running at the system layer is built into the terminal's system and cannot be uninstalled by the user. Moreover, the modules running at the system layer may each have different operating permissions.
  • FIG. 2 shows a flowchart of a method for processing credential information for a network connection in an embodiment of the present invention.
  • The method includes the following steps:
  • Step 201: the first terminal sends a first credential download request to the server in response to an instruction to apply for a network credential for the second terminal.
  • The first credential download request carries the user identity information of the first terminal, and the user identity information is used by the server to perform user identity verification on the first terminal.
  • Specifically, the credential download interface provided by the first terminal includes two operation options: "apply for networking credentials for this terminal" and "apply for networking credentials for other terminals".
  • The wireless network provider can select the option "apply for networking credentials for other terminals" on the credential download interface, thereby triggering an instruction to apply for networking credentials for another terminal, which is referred to as the second terminal in the embodiment of the present invention.
  • Exemplarily, on the credential download interface the wireless network provider can enter a user name and password as the user identity information of the first terminal, and can also enter the Internet Protocol (IP) address and port number of the server.
  • The wireless network provider then selects the operation option "apply for networking credentials for other terminals" on the credential download interface.
  • The first terminal generates a first credential download request carrying the user identity information based on the wireless network provider's operation on the credential download interface, and sends the request to the server.
  • In response to the first credential download request, the server may obtain the user identity information and perform user identity verification on the first terminal according to it.
  • The server may verify the user identity of the first terminal by, for example, checking whether the user name and password are legal and match each other; if they are legal and match, the user authentication of the first terminal succeeds.
  • Step 202: the first terminal receives the first credential information sent by the server when the user identity verification of the first terminal succeeds.
  • Specifically, the server may generate or acquire the first credential information (for example, obtain it from a certificate issuing server) and send it to the first terminal, so that the first terminal receives the first credential information sent by the server.
  • Successful verification of the user identity information of the first terminal may serve as the basis on which the server generates or obtains the first credential information.
  • In some possible implementations, the first credential information may be encrypted while it is transmitted between the first terminal and the server.
  • In that case step 202 may include: the first terminal receives the first encrypted information sent by the server when the user identity verification of the first terminal succeeds, and the first terminal decrypts the first encrypted information to obtain the first credential information.
  • The first encrypted information is obtained by the server encrypting the first credential information.
  • The first credential information may be encrypted by any feasible encryption method, which is not limited in this embodiment.
  • In the prior art, when a terminal receives a certificate or a file, the certificate or file is stored in the terminal, and when it needs to be sent to another terminal, the terminal retrieves the certificate or file from its local storage location and sends it.
  • In the embodiment of the present invention, by contrast, the first terminal may send the first credential information directly from the system memory of the first terminal to the second terminal, without having to store it in any other storage location within the first terminal.
  • If the first credential information were temporarily stored in a traditional storage location in the first terminal, it could be read or copied by an insecure application on the first terminal; because the first credential information is sent directly from the system memory of the first terminal, an insecure application on the first terminal is prevented from reading or copying it. Therefore, the security of the first credential information is better protected.
  • Step 203: the second terminal receives, from the first terminal, the first credential information sent directly from the first terminal's system memory, together with the network identifier of the wireless network to be connected.
  • Specifically, the first terminal may prompt the wireless network provider through a credential sending interface.
  • The wireless network provider may trigger, on the credential sending interface provided by the first terminal, a sending instruction carrying the network identifier and the first credential information.
  • The first terminal sends the network identifier and the first credential information to the second terminal in response to the sending instruction.
  • The network identifier of the wireless network may be a default network identifier that the first terminal obtains and provides on the credential sending interface, or it may be manually entered by the wireless network provider on the credential sending interface.
  • Because the wireless network provider uses the first terminal to send the network identifier of the wireless network to the second terminal together with the first credential information, the second terminal can connect to the wireless network directly and automatically when it uses the first credential information.
  • The user of the second terminal does not need to manually pick the wireless network corresponding to the network identifier from the list of wireless network names on the second terminal (for example, in the "Settings" of the second terminal) and then connect to it.
  • The network identifier of the wireless network may be a display name of the wireless network.
  • For example, the network identifier of the wireless network may be the Service Set Identifier (SSID) of the wireless network.
  • The first terminal may send the first credential information to the second terminal by using a point-to-point wireless communication technology that does not require a network connection.
  • For example, the first terminal may send the first credential information to the second terminal by using Near Field Communication (NFC) technology, and the second terminal may receive the first credential information sent by the first terminal by using NFC technology.
  • When the first credential information is transmitted by NFC, the first terminal and the second terminal only need to be brought close to each other to complete the transmission of the first credential information.
  • The first credential information may also be sent between the first terminal and the second terminal by using other point-to-point wireless communication technologies, such as Bluetooth.
  • Bluetooth transmission, however, requires the terminals to search for and configure a connection in advance, and the credential information can be sent only after the connection succeeds, whereas NFC only requires the terminals to be close to each other. Using NFC to transmit the credential information is therefore more convenient.
  • Moreover, because NFC operates over a very short distance and the terminal devices must be close to each other, the transmission of the credential information is not easily intercepted from outside, so the transmission process is also relatively safe.
  • Using NFC to transmit the credential information between the terminals is therefore a preferred solution.
  • The embodiment of the present invention nevertheless does not limit the manner of transmitting the credential information, and other point-to-point wireless communication technologies such as Bluetooth may also be used to transmit the credential information.
  • Step 204: the second terminal stores the received first credential information directly from the second terminal's system memory into a secure storage area of the second terminal.
  • the second terminal may directly store the first credential information from the system memory of the second terminal in the second The secure storage area of the terminal without having to temporarily store it in other traditional storage locations within the second terminal.
  • the first credential information is temporarily stored in the traditional storage location in the second terminal, the first credential information may be read or copied by the unsecure application on the second terminal, and the first credential information is from the second terminal system.
  • the memory is directly stored in the secure storage area of the second terminal, so that the unsecure application on the second terminal can be prevented from reading or copying the first credential information. Therefore, the security of the first credential information can be better protected.
  • the secure storage area may be different from the traditional hard disk storage, and the secure storage area may be a separate storage area in the terminal.
  • the voucher information is not stored in the form of a file in the storage area, but the voucher information can only be stored in the form of data. Therefore, a file management tool having a file scanning function (for example, a RE file manager, an ES file browser, etc.)
  • the voucher information cannot be viewed by scanning, so the data stored in the area is invisible to the user and cannot be copied.
  • the storage area can only be accessed using a specific interface provided by the system, and any storage-related API cannot access the storage area.
  • the secure storage area in which the credential information is stored in the terminal is more secure than the conventional hard disk storage.
  • the secure storage area may also be a non-hardware Android system keystore, a Windows system system storage area, and a hardware security chip, etc., which may be used to implement the function of the secure storage area. Since the first credential information is stored in the secure storage area, the first credential information is not scanned by the file management tool, and cannot be accessed by the API related to the file operation, thereby preventing the first credential information from being leaked on the second terminal. So that the security of the first voucher information is better protected. It should be noted here that the secure storage area described above does not only refer to the secure storage area of the second terminal, and the secure storage area of the first terminal also has the same function.
  • Optionally, the first credential information may be encrypted before being stored in the secure storage area.
  • When the second terminal reads the encrypted first credential information from the secure storage area, it must first decrypt it and then use the decrypted first credential information to connect to the wireless network.
  • The second terminal connects to the wireless network corresponding to the network identifier by using the first credential information in the secure storage area.
  • Specifically, the second terminal may determine the wireless network corresponding to the network identifier and send a connection request to the access point of that wireless network, so as to connect to the wireless network through the access point.
  • The wireless network mentioned here may use any feasible wireless communication technology.
  • Wireless networks of different wireless communication technologies correspond to different kinds of credential information, so the credential information mentioned in this embodiment may take many forms.
  • If the wireless network uses the Wireless LAN Authentication and Privacy Infrastructure (WAPI) mode, the first credential information may be WAPI certificate data.
  • If the wireless network uses the WiFi mode and the encryption mode is WPA/WPA2-PSK, the first credential information may be a password.
  • If the wireless network uses the WiFi mode with EAP authentication, the first credential information may include CA certificate data and other credential parameters, for example: the specific EAP method (e.g. PEAP, TLS, TTLS, PWD), the Phase 2 authentication method (e.g. MSCHAPV2, GTC), the identity, the anonymous identity, and the password.
  • Depending on the form of the first credential information, the manner in which it is processed when the second terminal connects to the wireless network may differ.
  • The second terminal may store the credential information itself and use it directly to connect to the wireless network, or, when the credential information is certificate data, the second terminal may install the certificate, that is, store the certificate data in the manner described below and then connect to the wireless network using the certificate data.
  • In an embodiment in which the first credential information includes certificate data, before the first credential information is stored in the secure storage area of the second terminal in step 204, the second terminal may subject the certificate data to naming processing based on a certificate identifier set for the certificate data.
  • The storing in step 204 is then specifically: storing the certificate data that has been subjected to the naming process in the secure storage area of the second terminal.
  • The connecting in step 205 is then specifically: connecting to the wireless network corresponding to the network identifier by using the certificate data in the secure storage area.
  • The certificate data may be WAPI certificate data, corresponding to the WAPI network connection mode, or WiFi certificate data, corresponding to the WiFi network connection mode.
  • A certificate used to connect to a wireless network is usually a set of certificates containing multiple pieces of certificate data. For example, the WAPI certificate data used for networking refers to a set of WAPI certificate data.
  • In the embodiment of the present invention, a set of WAPI certificate data includes user certificate data, issuer certificate data, and the user private key.
  • The second terminal names the WAPI certificate data, that is, sets a certificate name (a certificate identifier) for the WAPI certificate data, such that the user certificate data, the issuer certificate data, and the user private key of the same set all contain the same certificate identifier.
  • For example, when a set of WAPI certificate data for networking is named, the user certificate data is named "WAPI_USRCERT_NAME1", the issuer certificate data is named "WAPI_CACERT_NAME1", and the user private key is named "WAPI_USRPKEY_NAME1".
  • The names of all three pieces of certificate data in the set contain the certificate identifier "NAME1". Therefore, when searching for WAPI certificate data, the second terminal only needs to find the certificate identifier "NAME1" to obtain the complete set of WAPI certificate data.
  • The certificate identifier may be set by the user: the user inputs the certificate identifier on the certificate naming interface provided by the second terminal and triggers the installation of the certificate, and the second terminal names the certificate data according to the input certificate identifier.
  • Alternatively, the certificate identifier may be automatically assigned or generated by the second terminal. Specifically, when the certificate needs to be installed, the second terminal may display the automatically assigned or generated certificate identifier to the user, name the certificate data according to that identifier, and automatically trigger the installation of the certificate.
  • The second terminal may use the certificate data to connect to the wireless network in a manual connection mode, in which the user selects the certificate, or in an automatic connection mode, in which the second terminal itself selects the certificate data.
  • In the manual connection mode, the certificate data to be used is found by the second terminal based on the certificate identifier manually selected by the user. The network connection of step 205 is then: in response to a manual connection instruction, the second terminal enumerates the certificate identifiers of all the certificate data in the secure storage area, reads the corresponding certificate data based on the certificate identifier manually selected by the user, and connects to the wireless network using the read certificate data.
  • In the automatic connection mode, the certificate data to be used is found by the second terminal automatically. The network connection of step 205 is then: in response to an automatic connection instruction, the second terminal queries the secure storage area for the certificate data for connecting to the wireless network, and connects to the wireless network using the queried certificate data.
  • When the second terminal itself queries the secure storage area for the certificate data for networking, it first reads all the WAPI certificate data in the secure storage area and temporarily stores it in memory. It then associates with the external wireless access point (AP), receives the authentication activation packet sent by the AP, and obtains the identity field of the local ASU (Authentication Service Unit) from that packet. It then traverses all the WAPI certificate data read earlier, obtains the "holder name", "issuer name" and "serial number" from the issuer certificate data in each set of WAPI certificate data, and uses these three pieces of information to constitute the "identity" information of that set. If the "identity" information of a set matches the identity field of the local ASU, that set of WAPI certificate data is used for the network connection.
  • Reading the certificate data from the secure storage area into memory first, and only then obtaining the "local ASU identity" field from the authentication activation packet and traversing the certificate data in memory to obtain the "identity" information, greatly reduces the time spent after the authentication activation packet arrives, thereby avoiding failure of the authentication activation exchange.
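The automatic selection procedure above, written out as an added example (this is not code from the patent). It models the three steps in order: read every complete WAPI certificate set from the secure storage area into memory, take the local ASU identity field from the authentication activation packet, and traverse the cached sets for the one whose issuer identity (holder name, issuer name, serial number) matches. The entry names follow the WAPI_USRCERT_/WAPI_CACERT_/WAPI_USRPKEY_ scheme from the text; the storage-area interface, the parsed issuer-certificate fields and the packet layout are simplified assumptions, and the sample data is constructed.

```python
"""Automatic selection of the WAPI certificate set for a network connection.

Added illustration, not code from the patent.  The secure storage area is
modelled as a dict from entry name to stored data, the issuer certificate is
reduced to the three fields the text matches on, and the authentication
activation packet is a dict with an assumed "local_asu_identity" field; the
real WAPI encodings are not reproduced here."""

from dataclasses import dataclass
from typing import Dict, List, Optional

# Prefixes from the naming scheme in the text; the suffix is the shared
# certificate identifier (e.g. "NAME1").
PREFIXES = ("WAPI_USRCERT_", "WAPI_CACERT_", "WAPI_USRPKEY_")


@dataclass(frozen=True)
class Identity:
    """Holder name, issuer name and serial number: the three fields the text
    combines into the 'identity' information of a certificate set."""
    holder_name: str
    issuer_name: str
    serial_number: str


@dataclass(frozen=True)
class WapiCertSet:
    cert_id: str
    user_cert: bytes
    issuer_identity: Identity   # assumed: already parsed from the issuer certificate data
    user_pkey: bytes


def read_all_sets(secure_area: Dict[str, object]) -> List[WapiCertSet]:
    """Step 1: read every complete WAPI set out of the secure storage area.
    Sets missing any of the three parts are skipped rather than used half-populated."""
    ids = {name[len(PREFIXES[0]):] for name in secure_area if name.startswith(PREFIXES[0])}
    sets = []
    for cid in sorted(ids):
        try:
            sets.append(WapiCertSet(
                cert_id=cid,
                user_cert=secure_area[f"WAPI_USRCERT_{cid}"],
                issuer_identity=secure_area[f"WAPI_CACERT_{cid}"],
                user_pkey=secure_area[f"WAPI_USRPKEY_{cid}"],
            ))
        except KeyError:
            continue
    return sets


def local_asu_identity(auth_activation_packet: dict) -> Identity:
    """Step 2: take the local ASU identity field from the authentication
    activation packet (assumed layout: a dict with the three name fields)."""
    f = auth_activation_packet["local_asu_identity"]
    return Identity(f["holder_name"], f["issuer_name"], f["serial_number"])


def select_set(in_memory: List[WapiCertSet], auth_activation_packet: dict) -> Optional[WapiCertSet]:
    """Step 3: traverse the sets already in memory and return the one whose
    issuer identity equals the local ASU identity, or None if none matches
    (the connection should then fail rather than pick an arbitrary set)."""
    target = local_asu_identity(auth_activation_packet)
    for s in in_memory:
        if s.issuer_identity == target:
            return s
    return None


# Constructed sample data: two complete sets, one incomplete set, and a packet
# from an AP whose ASU is the issuer of set "NAME2".
SAMPLE_AREA = {
    "WAPI_USRCERT_NAME1": b"user-cert-1",
    "WAPI_CACERT_NAME1": Identity("ASU-A", "ASU-A", "01"),
    "WAPI_USRPKEY_NAME1": b"pkey-1",
    "WAPI_USRCERT_NAME2": b"user-cert-2",
    "WAPI_CACERT_NAME2": Identity("ASU-B", "ASU-B", "0f"),
    "WAPI_USRPKEY_NAME2": b"pkey-2",
    "WAPI_USRCERT_NAME3": b"user-cert-3",   # incomplete: no issuer cert, no key
}
SAMPLE_PACKET = {"local_asu_identity": {"holder_name": "ASU-B", "issuer_name": "ASU-B", "serial_number": "0f"}}


def demo() -> Optional[str]:
    """Read first, then match: returns the certificate identifier to use."""
    cached = read_all_sets(SAMPLE_AREA)          # done before association
    chosen = select_set(cached, SAMPLE_PACKET)   # done after the packet arrives
    return chosen.cert_id if chosen else None


if __name__ == "__main__":
    print(demo())
```

The ordering matters for the timing point made in the text: the storage read is the slow part, so it is done before association, and only the in-memory traversal runs between receiving the authentication activation packet and answering it.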
  • In the second terminal 120, the certificate management module 122 can cooperate with the other modules to implement the storage and use of the certificate data.
  • The application module 121 can invoke the certificate installation interface of the certificate management module 122 and provide the interface parameters of the certificate installation interface. The interface parameters may include the user certificate data, the issuer certificate data, and the user private key of the WAPI certificate data.
  • The certificate installation interface of the certificate management module 122 opens the certificate naming interface and displays the default certificate identifier on it; optionally, the user can modify the certificate identifier on the certificate naming interface.
  • After the certificate installation interface of the certificate management module 122 obtains the user certificate data, the issuer certificate data, and the user private key from the interface parameters, it names the user certificate data, the issuer certificate data, and the user private key according to the default certificate identifier or the certificate identifier entered on the certificate naming interface. The certificate management module 122 then calls the storage module 123, and the storage module 123 stores the named certificate data in the secure storage area according to the naming rules of the certificate management module 122, completing the certificate installation process.
  • In the manual connection mode, the network connection module 124 invokes the certificate enumeration interface of the certificate management module 122 to enumerate and present the certificate identifiers of all the certificate data in the secure storage area. After the user selects the target certificate identifier, the network connection module 124 calls the storage module 123 to find the certificate data in the secure storage area that matches the target certificate identifier, and then connects to the wireless network through the wireless network driver using the found certificate data.
  • The certificate naming interface is provided by the certificate management module 122 running at the system layer, rather than by the application module 121 running at the application layer.
  • A certificate naming interface provided by a system-layer certificate management module cannot normally be controlled or maliciously operated by an unsafe application at the application layer, which prevents such an application from maliciously entering a name on the naming interface in order to install or delete a certificate.
  • In an embodiment in which the terminal is based on the Android system, the network configuration interface of the network connection module 124 need not add a new class; instead, Android's original WLAN network configuration interface (including the WifiConfiguration class and its KeyMgmt inner class) can be modified to achieve compatibility with WAPI and to provide the two networking modes, manual connection and automatic connection.
  • Specifically, member variables can be added to the WifiConfiguration class so that it includes wapiPskType, wapiPsk, wapiCertSelMode, and wapiCertSel, where:
  • wapiPskType describes the key type of the WAPI pre-shared key;
  • wapiPsk describes the content of the WAPI pre-shared key;
  • wapiCertSelMode describes the selection mode of the WAPI certificate (manual or automatic);
  • wapiCertSel describes the certificate identifier of the WAPI certificate selected in manual mode.
  • The added wapiCertSelMode and wapiCertSel correspond to the case of using a WAPI certificate for networking, and wapiPskType and wapiPsk correspond to the case of using a pre-shared key to connect to the network.
  • If the network connection module must also implement the two networking modes, automatic connection and manual connection, for the key mode, further member variables must be added to the WifiConfiguration class: a member variable describing the key selection mode and a member variable describing the identifier of the key selected in manual mode.
  • Each of the other modules that call the storage module 123 runs as a different user, and different user identities have different operation rights.
  • A module running as the system user can install a certificate in the terminal, delete certificate data installed in the terminal, and enumerate certificate identifiers, but cannot read the certificate data in the terminal. A module running as the wlan user can read the certificate data and obtain the certificate identifiers of the certificates in the terminal.
  • The certificate management module 122 runs as the system user, and the network connection module 124 runs as the wlan user.
  • Consequently, the certificate management module 122 can call the storage module 123 to install certificate data in the terminal, and to delete and enumerate the certificate identifiers of the certificate data installed in the terminal, but cannot call the storage module 123 to read the certificate data; the network connection module 124 can call the storage module 123 to read the certificate data and certificate identifiers in the terminal, but cannot call the storage module 123 to delete or install certificate data.
  • The certificate installation interface, the certificate deletion interface, and the certificate identifier enumeration interface of the certificate management module 122 may be designed using the Intent mechanism of the Android system. Specifically, an Activity can be preset in the system, and related Intent Actions are defined.
  • The related Intent Actions include: "com.wapi.certificate.INSTALL" for installing WAPI certificate data, "com.wapi.certificate.GET_ALIASES" for enumerating certificate identifiers, and "com.wapi.certificate.DELETE" for deleting WAPI certificate data.
  • The application module 121, or an application APP that has the application module 121 built in, sends the corresponding Intent Action to the preset Activity in the system, and the Activity performs the operation of installing certificate data, deleting certificate data, or enumerating certificate identifiers according to the Intent Action.
  • The application module 121 (or the APP with the built-in application module 121) passes the relevant parameters using the putExtra function of the Intent, and the preset Activity in the system obtains the parameters sent by the application module 121 (or the APP) through the getExtras function of the Intent.
  • The definition of the related parameters is shown in Table 1.
  • When installing certificate data, the Activity determines whether the certificate identifier duplicates the alias of already installed certificate data; if it does, the user is prompted to re-edit it.
  • After the Activity obtains the certificate identifier finally confirmed by the user through the interactive interface, it performs the operation of installing the WAPI certificate. Then the corresponding return value is set by the setResult function of the Activity to notify the application module 121 (or the APP) whether the WAPI certificate data was installed successfully or not.
  • The return value set by the setResult function when installing certificate data is defined as follows: a return value of 1 means the installation succeeded, and a return value of 0 means the installation failed.
  • When deleting certificate data, the Activity first determines whether the certificate identifier to be deleted exists among the installed certificate data. If it does not, the deletion operation fails and the corresponding return value is set by the setResult function of the Activity; if it does, the Activity pops up an interactive interface allowing the user to confirm whether to delete that set of certificate data. After the user confirms the deletion, the deletion is performed, and the corresponding return value is set by the setResult function of the Activity to notify the application module 121 (or the APP) whether the WAPI certificate data was deleted successfully or not.
  • The return value set by the setResult function when deleting certificate data is defined as follows: a return value of 1 indicates that the certificate was deleted successfully, and a return value of 0 indicates that the deletion failed.
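The per-user operation rights of the storage module and the install/delete handling of the preset Activity, combined in one added example (not code from the patent). It covers the naming of all three parts under one certificate identifier, the system/wlan split in which the system user can install, delete and enumerate but not read while the wlan user can read and enumerate but not install or delete, the duplicate-alias prompt on install, the existence check and user confirmation on delete, and the 1/0 result values. The Android users, the Intent Activity and the secure storage area are plain Python stand-ins; because Table 1 is not on this page, the extra names "alias", "user_cert", "issuer_cert" and "pkey" are assumed.

```python
"""Model of the storage module's per-user operation rights and of the
install / delete handling of the certificate Activity.

Added illustration, not code from the patent.  The callers' Android user
identities are passed as plain strings, the Activity is a class with two
handler methods, and the extra names are assumed (Table 1 is not on the page)."""

from typing import Callable, Dict, List, Optional

PARTS = ("WAPI_USRCERT_", "WAPI_CACERT_", "WAPI_USRPKEY_")

# Rights per calling user, as stated in the text: system may install, delete
# and enumerate but not read; wlan may read and enumerate but not install or delete.
RIGHTS = {"system": {"install", "delete", "enumerate"}, "wlan": {"read", "enumerate"}}


class PermissionDenied(Exception):
    pass


class StorageModule:
    """Front of the secure storage area; every entry point checks the caller's rights."""

    def __init__(self) -> None:
        self._area: Dict[str, bytes] = {}

    def _check(self, user: str, op: str) -> None:
        if op not in RIGHTS.get(user, set()):
            raise PermissionDenied(f"user {user!r} may not {op}")

    def install(self, user: str, cert_id: str, parts: Dict[str, bytes]) -> None:
        self._check(user, "install")
        # naming processing: all three parts carry the same certificate identifier
        for prefix, key in zip(PARTS, ("user_cert", "issuer_cert", "pkey")):
            self._area[prefix + cert_id] = parts[key]

    def delete(self, user: str, cert_id: str) -> None:
        self._check(user, "delete")
        for prefix in PARTS:
            self._area.pop(prefix + cert_id, None)

    def enumerate(self, user: str) -> List[str]:
        self._check(user, "enumerate")
        return sorted(n[len(PARTS[0]):] for n in self._area if n.startswith(PARTS[0]))

    def read(self, user: str, cert_id: str) -> Dict[str, bytes]:
        self._check(user, "read")
        return {p + cert_id: self._area[p + cert_id] for p in PARTS}


class CertificateActivity:
    """Stand-in for the preset Activity behind com.wapi.certificate.INSTALL and
    com.wapi.certificate.DELETE.  It runs as the system user.  Each handler
    returns the setResult value from the text: 1 on success, 0 on failure."""

    USER = "system"

    def __init__(self, storage: StorageModule, ask_new_alias: Callable[[str], Optional[str]],
                 confirm_delete: Callable[[str], bool]) -> None:
        self.storage, self.ask_new_alias, self.confirm_delete = storage, ask_new_alias, confirm_delete

    def handle_install(self, extras: dict) -> int:
        cert_id = extras["alias"]
        installed = self.storage.enumerate(self.USER)
        while cert_id in installed:                 # duplicate alias: user re-edits
            cert_id = self.ask_new_alias(cert_id)
            if cert_id is None:                     # user cancelled
                return 0
        try:
            self.storage.install(self.USER, cert_id, extras)
        except (PermissionDenied, KeyError):        # wrong caller or missing part
            return 0
        return 1

    def handle_delete(self, extras: dict) -> int:
        cert_id = extras["alias"]
        if cert_id not in self.storage.enumerate(self.USER):
            return 0                                # no such certificate installed
        if not self.confirm_delete(cert_id):
            return 0                                # user declined
        self.storage.delete(self.USER, cert_id)
        return 1


def demo() -> dict:
    """Install twice with the same alias, read back as each user, then delete twice."""
    storage = StorageModule()
    activity = CertificateActivity(storage, ask_new_alias=lambda old: old + "_2",
                                   confirm_delete=lambda cid: True)
    extras = {"alias": "NAME1", "user_cert": b"uc", "issuer_cert": b"ca", "pkey": b"pk"}
    results = {"install": (activity.handle_install(extras), activity.handle_install(extras))}
    results["aliases"] = storage.enumerate("wlan")
    try:
        storage.read("system", "NAME1")
        results["system_can_read"] = True
    except PermissionDenied:
        results["system_can_read"] = False
    results["wlan_read"] = sorted(storage.read("wlan", "NAME1"))
    results["delete"] = (activity.handle_delete({"alias": "NAME1"}),
                         activity.handle_delete({"alias": "NAME1"}))
    results["remaining"] = storage.enumerate("system")
    return results


if __name__ == "__main__":
    print(demo())
```

The check sits inside the storage module rather than in its callers, so a compromised application-layer caller that reaches the storage interface still cannot read the private key; on a real device the user identity would come from the kernel (the caller's UID), not from a parameter.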
  • In the embodiment of the present invention, a first terminal having the credential application right for the wireless network may request the server to download the credential information of the wireless network and send it to the second terminal, so that the second terminal obtains the credential information of the wireless network without manual input by the user. The naming of the credential information (here, the certificate data) can use a default name generated by the terminal, the installation of the certificate can be performed automatically by the terminal, and the terminal can automatically query the certificate data used for networking and automatically make the network connection.
  • In the first terminal 110, the certificate management module 112 can likewise cooperate with the other modules to implement the storage and use of the certificate data.
  • The manner in which the first terminal 110 stores and uses the certificate data is the same as the manner in which the second terminal 120 stores and uses the certificate data, and the design of the certificate management modules, storage modules, and network connection modules of the first terminal 110 and the second terminal 120 is also the same, as described above; it is not repeated here.
  • FIG. 3 is a schematic structural diagram of a processing apparatus for credential information for network connection in an embodiment of the present invention.
  • The apparatus is configured in the first terminal, and may include, for example, an application module 301.
  • The application module 301 is configured to send a first credential download request to the server in response to an instruction for requesting a network credential for the second terminal, to receive the first credential information sent by the server in the case that the user identity verification succeeds, and to send the first credential information and the network identifier of the wireless network to be connected from the first terminal system memory to the second terminal; or
  • the application module 301 is configured to send a second credential download request to the server in response to an instruction for requesting a network credential for the first terminal, and to receive the second credential information sent by the server in the case that the user identity verification succeeds.
  • The first credential download request or the second credential download request carries the user identity information of the first terminal, and the user identity information is used by the server to perform user identity verification on the first terminal.
  • The first credential information is used by the second terminal to connect to the wireless network corresponding to the network identifier, and the second credential information is used by the first terminal to connect to a wireless network.
  • The application module 301 is further configured to send the first credential information and the network identifier to the second terminal by using a point-to-point wireless communication technology that does not require networking.
  • The apparatus further includes a storage module 303 and a network connection module 304.
  • The storage module 303 is configured to store the second credential information directly from the first terminal system memory into a secure storage area of the first terminal.
  • The network connection module 304 is configured to connect to the wireless network by using the second credential information stored in the secure storage area.
  • The second credential information includes certificate data, and correspondingly, as shown in FIG. 5, the apparatus further includes a certificate management module 302.
  • The certificate management module 302 is configured to subject the certificate data to naming processing according to the certificate identifier set for the certificate data before the second credential information is stored directly from the first terminal system memory into the secure storage area of the first terminal, and to call the storage module 303 to store the named certificate data directly from the first terminal system memory into the secure storage area of the first terminal.
  • The certificate management module 302 is further configured to use the certificate identifier to name each part of the data included in the certificate data, so that each part of the certificate data carries the same certificate identifier.
  • The parts of the data include user certificate data, issuer certificate data, and a user private key.
  • Each module that invokes the storage module 303 runs as a different user, and different user identities correspond to different operation rights:
  • the certificate management module 302 runs as the system user, and its operation authority includes calling the storage module 303 to install, delete, and enumerate the certificate data, but not calling the storage module 303 to read the certificate data;
  • the network connection module 304 runs as the wlan user, and its operation authority includes calling the storage module 303 to read the certificate data and the certificate identifiers, but not calling the storage module 303 to install or delete the certificate data.
  • When the certificate management module 302 invokes the storage module 303 to install, delete, and enumerate the certificate data, the certificate installation interface, the certificate deletion interface, and the certificate identifier enumeration interface of the certificate management module 302 are designed using the Intent mechanism of Android: the application module 301 sends the related Intent Action to a preset Activity, and the Activity performs the operation of installing the certificate data, deleting the certificate data, or enumerating the certificate identifiers according to the Intent Action.
  • The network connection module 304 is further configured to: in response to a manual connection instruction, invoke the certificate management module 302 to enumerate the certificate identifiers of all the certificate data in the secure storage area, call the storage module 303 to read the corresponding certificate data based on the manually selected certificate identifier, and connect to the wireless network using the read certificate data.
  • When the network connection module 304, in response to an automatic connection instruction, invokes the storage module 303 to query the secure storage area for the certificate data for connecting to the wireless network:
  • the network connection module 304 is configured to invoke the storage module 303 to read the WAPI certificate data in the secure storage area;
  • the network connection module 304 is configured to associate with the wireless access point AP, receive the authentication activation packet sent by the wireless access point AP, and obtain the identity field of the local authentication service unit ASU from the authentication activation packet;
  • the network connection module 304 is configured to obtain the identity information of each set of WAPI certificate data by traversing the read WAPI certificate data; and
  • the network connection module 304 is configured to, when it determines that the identity information matches the identity field of the local authentication service unit ASU, determine that the WAPI certificate data corresponding to that identity information is the certificate data to be used to connect to the wireless network.
  • The network configuration interface of the network connection module 304 is obtained by modifying the WifiConfiguration class of the Android system. The modified WifiConfiguration class includes: a member variable describing the key type of the pre-shared key, a member variable describing the content of the pre-shared key, a member variable describing the certificate selection mode, and a member variable describing the certificate identifier of the certificate selected in manual mode.
  • The network configuration interface of the network connection module 304 is further obtained by modifying the KeyMgmt inner class of the WifiConfiguration class; the modified KeyMgmt class includes the definition of the WAPI pre-shared key type and the definition of the WAPI certificate type.
  • The functions of the certificate management module, the storage module, and the network connection module located in the first terminal, in the different implementations for storing and using the second credential information when the second credential information is used for networking, are the same as the functions of the certificate management module, the storage module, and the network connection module located in the second terminal described above for storing and using the first credential information, and are not repeated here.
  • Through the embodiment of the present invention, a first terminal having the credential application right for the wireless network may request the server to download the credential information of the wireless network, so that the first terminal obtains the credential information of the wireless network without manual input by the user and can use it to connect to the wireless network. Thus, in the process of connecting the first terminal to the wireless network, not only is the user spared the manual input of the credential information, which simplifies user operation, but the credential information also does not need to be publicly announced, which avoids leakage of the credential information of the wireless network and improves the security of the wireless network.
  • FIG. 6 is a schematic structural diagram of a processing apparatus for credential information for network connection in an embodiment of the present invention.
  • The apparatus is configured in the second terminal, and may include, for example, an application module 601, a storage module 603, and a network connection module 604.
  • The application module 601 is configured to receive the first credential information and the network identifier of the wireless network to be connected sent by the first terminal, where the first credential information is downloaded from the server by the first terminal in response to an instruction for requesting a network credential for the second terminal and sent to the second terminal.
  • The storage module 603 is configured to store the first credential information directly from the second terminal system memory into a secure storage area of the second terminal.
  • The network connection module 604 is configured to connect to the wireless network corresponding to the network identifier by using the first credential information in the secure storage area.
  • The application module 601 is further configured to receive the first credential information and the network identifier sent by the first terminal by using a point-to-point wireless communication technology that does not require networking.
  • The first credential information includes certificate data; correspondingly, as shown in FIG. 7, the apparatus further includes a certificate management module 602.
  • The certificate management module 602 is configured to subject the certificate data to naming processing according to the certificate identifier set for the certificate data before the first credential information is stored directly from the second terminal system memory into the secure storage area of the second terminal, and to call the storage module 603 to store the named certificate data directly from the second terminal system memory into the secure storage area of the second terminal.
  • The certificate management module 602 is further configured to use the certificate identifier to name each part of the data included in the certificate data, so that each part of the certificate data carries the same certificate identifier.
  • The parts of the data include user certificate data, issuer certificate data, and a user private key.
  • each module that invokes the storage module 603 runs as a different user, and different user identities correspond to different operation rights;
  • the certificate management module 602 runs as the system user, and the operation authority includes: calling the storage module 603 to install, delete, and enumerate the certificate data, but cannot invoke the storage module 603 to read the certificate data;
  • the network connection module 604 is operated as a wlan user, and the operation authority includes: calling the storage module 603 to read the certificate data and the certificate identifier, but the storage module 603 cannot be called to install and delete the certificate data.
  • the certificate management module 602 provides a certificate installation interface, a certificate deletion interface, and a certificate identifier enumeration interface, which are used when the storage module 603 is invoked to install, delete, and enumerate the certificate data, respectively.
  • the interface is designed using the Intent mechanism of Android, including:
  • the application module 601 sends the related Intent Action to the Activity, and the Activity performs the operations of installing the certificate data, deleting the certificate data, or enumerating the certificate identifier according to the Intent Action.
  • the network connection module 604 is further configured to:
  • invoke the certificate management module 602 to enumerate the certificate identifiers of all the certificate data in the secure storage area, call the storage module 603 to read the corresponding certificate data based on the manually selected certificate identifier, and connect to the wireless network using the read certificate data.
  • when the network connection module 604, in response to the automatic connection instruction, invokes the storage module 603 to query the secure storage area for certificate data for connecting to the wireless network:
  • the network connection module 604 is configured to invoke the storage module 603 to read WAPI certificate data in the secure storage area;
  • the network connection module 604 is configured to associate with a wireless access point AP, receive an authentication activation packet sent by the wireless access point AP, and obtain an identity field of a local authentication service unit ASU in the authentication activation packet.
  • the network connection module 604 is configured to obtain identity information of the WAPI certificate data by traversing the read WAPI certificate data;
  • the network connection module 604 is configured to: when determining that the identity information matches the identity field of the local authentication service unit ASU, determine that the WAPI certificate data corresponding to the identity information is the certificate data used to connect to the wireless network.
  • the network configuration interface of the network connection module 604 is obtained by modifying the WifiConfiguration class of the Android system; the modified WifiConfiguration class includes:
  • a member variable describing the key type of the pre-shared key, a member variable describing the content of the pre-shared key, a member variable describing the certificate selection mode, and a member variable describing the certificate identifier of the selected certificate in the manual mode.
  • the network configuration interface of the network connection module 604 is further obtained by modifying a KeyMgmt subclass of the WifiConfiguration class;
  • the modified KeyMgmt subclass includes: the definition of the WAPI pre-shared key type and the definition of the WAPI certificate type.
  • for the functions of the certificate management module, the storage module, and the network connection module located in the second terminal, and for the implementation of storing and using the first credential information for networking, refer to the above description; details are not described herein again.
  • the first terminal, which has the right to apply for credentials of the wireless network, may request the server to download the credential information of the wireless network and send the credential information to the second terminal, so that the second terminal can obtain the credential information of the wireless network without manual input by the user and can use the credential information to connect to the wireless network.
  • the application module 111 in the first terminal 110 shown in FIG. 1 can be built in the first terminal 110 not only when the terminal is shipped, but also built in the third-party application APP.
  • the third-party application APP in which the application module 111 is built is acquired from the outside by the user, and is installed in the terminal to perform the operation of networking. Therefore, the embodiment of the present invention further provides an application APP, configured in the first terminal, where the application APP includes: an application module,
  • the application module is configured to send a first credential download request to the server in response to the instruction for requesting the network credential for the second terminal, receive the first credential information sent by the server in the case that the user identity verification succeeds, and send the first credential information and the network identifier of the wireless network to be connected directly from the first terminal system memory to the second terminal; or
  • the application module is configured to send a second credential download request to the server in response to the instruction for requesting the network credential for the first terminal, and receive the second credential information sent by the server if the user identity verification succeeds;
  • the first credential download request or the second credential download request carries the user identity information of the first terminal, where the user identity information is used by the server to perform user identity verification on the first terminal;
  • the first credential information is used by the second terminal to connect to a wireless network corresponding to the network identifier; and the second credential information is used to connect the first terminal to a wireless network.
  • the application module is further configured to invoke the storage module of the first terminal to store the second credential information directly from the first terminal system memory in a secure storage area of the first terminal;
  • the application module is further configured to invoke a network connection module of the first terminal to connect to the wireless network by using the second credential information stored in the secure storage area.
  • the second credential information includes certificate data; correspondingly, before the second credential information is stored directly from the first terminal system memory in the secure storage area of the first terminal, the application module is further configured to invoke the certificate management module of the first terminal to perform naming processing on the certificate data according to the certificate identifier set for the certificate data, so that the certificate management module invokes the storage module of the first terminal to store the named certificate data directly from the first terminal system memory in the secure storage area of the first terminal.
  • the application module is further configured to invoke a network connection module of the first terminal to perform a network connection operation in response to the automatic connection instruction, so that the network connection module invokes the storage module of the first terminal to query the secure storage area for the certificate data for connecting to the wireless network, and connects to the wireless network by using the queried certificate data; or
  • the application module is further configured to invoke a network connection module of the first terminal to perform a network connection operation in response to the manual connection instruction, so that the network connection module invokes a certificate management module of the first terminal to enumerate the certificate identifiers of all the certificate data in the secure storage area, invokes the storage module of the first terminal to read the corresponding certificate data based on the manually selected certificate identifier, and connects to the wireless network using the read certificate data.
  • the application APP configured in the first terminal provided by the embodiment of the present invention has the same functions as the application module 111 shown in FIG. 1 and as the application module shown in FIG. 3, 4, and 5; these functions are not described here again.
  • the application module 121 in the second terminal 120 shown in FIG. 1 can be built into the second terminal 120 not only when the terminal is shipped from the factory, but also built into a third-party application APP that the user obtains from the outside and installs in the terminal to perform the networking operation. Therefore, the embodiment of the present invention further provides an application APP, configured in the second terminal, where the application APP includes: an application module,
  • the application module is configured to receive first credential information sent by the first terminal and a network identifier of the wireless network to be connected, where the first credential information is downloaded from the server by the first terminal in response to the instruction for applying for the network credential for the second terminal and sent to the second terminal;
  • the application module is further configured to invoke the storage module of the second terminal to directly store the first credential information from the second terminal system memory in a secure storage area of the second terminal;
  • the application module is further configured to invoke a network connection module of the second terminal to connect to the wireless network corresponding to the network identifier by using the first credential information stored in the secure storage area.
  • the first credential information includes certificate data; correspondingly, before the first credential information is stored directly from the second terminal system memory in the secure storage area of the second terminal, the application module is further configured to invoke the certificate management module of the second terminal to perform naming processing on the certificate data according to the certificate identifier set for the certificate data, so that the certificate management module invokes the storage module of the second terminal to store the named certificate data directly from the second terminal system memory in the secure storage area of the second terminal.
  • the application module is further configured to invoke a network connection module of the second terminal to perform a network connection operation in response to the automatic connection instruction, so that the network connection module invokes the storage module of the second terminal to query the secure storage area for the certificate data for connecting to the wireless network, and connects to the wireless network by using the queried certificate data; or
  • the application module is further configured to invoke a network connection module of the second terminal to perform a network connection operation in response to the manual connection instruction, so that the network connection module invokes a certificate management module of the second terminal to enumerate the certificate identifiers of all the certificate data in the secure storage area, invokes the storage module of the second terminal to read the corresponding certificate data based on the manually selected certificate identifier, and connects to the wireless network using the read certificate data.
  • the application APP configured in the second terminal provided by the embodiment of the present invention has the same functions as the application module 121 shown in FIG. 1 and the application module shown in FIG. The functions are not repeated here.
  • since the system embodiment basically corresponds to the method embodiment, reference may be made to the relevant description of the method embodiment.
  • the system embodiments described above are merely illustrative; the units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units, i.e., they may be located in one place or distributed over multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the embodiment.
  • the code can be implemented by a non-transitory computer readable storage medium, and when the instructions in the storage medium are executed by the processor of the terminal, the terminal is caused.
  • the various embodiments of the present invention can be understood and implemented by those skilled in the art without departing from the invention.
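The module interaction described in the list above, as an added Python model that is not the patent's or Android's code: a storage module that enforces the per-user operation rights (system user installs, deletes and enumerates but cannot read; wlan user reads and enumerates but cannot install or delete), a certificate management module that names every part of a certificate bundle with one certificate identifier, and a network connection module that picks the WAPI certificate whose identity matches the ASU identity field of the authentication activation packet. The certificate bundles, identities and the dictionary-shaped activation packet are constructed for the illustration; a real implementation would parse the identity from the certificate and the packet from the WAPI frame.

```python
"""Added model of the second terminal's certificate handling (constructed
illustration, not the patent's or Android's implementation)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Operation rights per user identity, as listed above: the system user may
# install/delete/enumerate but not read; the wlan user may read/enumerate only.
RIGHTS = {
    "system": {"install", "delete", "enumerate"},
    "wlan": {"read", "enumerate"},
}


class PermissionDenied(Exception):
    """Raised when the caller's user identity lacks the requested right."""


@dataclass(frozen=True)
class CertificateBundle:
    """The parts of one WAPI certificate bundle (constructed content)."""
    user_cert: bytes
    issuer_cert: bytes
    private_key: bytes
    # Identity the bundle is valid for; carried as a field here instead of
    # being parsed from the certificate, to keep the model self-contained.
    identity: str


class StorageModule:
    """Secure storage area: one entry per certificate identifier."""

    def __init__(self) -> None:
        self._store: Dict[str, Dict[str, bytes]] = {}

    def _check(self, user: str, op: str) -> None:
        if op not in RIGHTS.get(user, set()):
            raise PermissionDenied(f"user {user!r} may not {op}")

    def install(self, user: str, cert_id: str, parts: Dict[str, bytes]) -> None:
        self._check(user, "install")
        self._store[cert_id] = dict(parts)

    def delete(self, user: str, cert_id: str) -> None:
        self._check(user, "delete")
        self._store.pop(cert_id, None)

    def enumerate(self, user: str) -> List[str]:
        self._check(user, "enumerate")
        return sorted(self._store)

    def read(self, user: str, cert_id: str) -> Dict[str, bytes]:
        self._check(user, "read")
        return dict(self._store[cert_id])


class CertificateManagementModule:
    """Runs as the system user; names bundle parts with the certificate identifier."""
    USER = "system"

    def __init__(self, storage: StorageModule) -> None:
        self.storage = storage

    @staticmethod
    def name_parts(cert_id: str, bundle: CertificateBundle) -> Dict[str, bytes]:
        # Every part carries the same certificate identifier, so user certificate,
        # issuer certificate and private key are always found together.
        return {
            f"{cert_id}.user_cert": bundle.user_cert,
            f"{cert_id}.issuer_cert": bundle.issuer_cert,
            f"{cert_id}.private_key": bundle.private_key,
            f"{cert_id}.identity": bundle.identity.encode(),
        }

    def install(self, cert_id: str, bundle: CertificateBundle) -> None:
        self.storage.install(self.USER, cert_id, self.name_parts(cert_id, bundle))

    def delete(self, cert_id: str) -> None:
        self.storage.delete(self.USER, cert_id)

    def enumerate(self) -> List[str]:
        return self.storage.enumerate(self.USER)


class NetworkConnectionModule:
    """Runs as the wlan user; reads certificate data when connecting."""
    USER = "wlan"

    def __init__(self, storage: StorageModule, certmgr: CertificateManagementModule) -> None:
        self.storage = storage
        self.certmgr = certmgr

    def select_manual(self, chosen_id: str) -> Dict[str, bytes]:
        """Manual mode: enumerate through the certificate management module, then read."""
        if chosen_id not in self.certmgr.enumerate():
            raise KeyError(f"no certificate named {chosen_id!r}")
        return self.storage.read(self.USER, chosen_id)

    def select_auto(self, activation_packet: Dict[str, str]) -> Optional[str]:
        """Automatic mode: traverse stored certificates and return the identifier
        whose identity equals the ASU identity field of the activation packet."""
        asu_identity = activation_packet["asu_identity"]
        for cert_id in self.storage.enumerate(self.USER):
            data = self.storage.read(self.USER, cert_id)
            if data[f"{cert_id}.identity"].decode() == asu_identity:
                return cert_id
        return None


def denied(fn, *args) -> bool:
    """True when the storage module's rights check refuses the call."""
    try:
        fn(*args)
    except PermissionDenied:
        return True
    return False
```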

Abstract

Disclosed in the present invention are a credential information processing method and apparatus for network connection, and an application (APP). The method comprises: in response to an instruction for applying for a network credential for a second terminal, a first terminal sends a first credential download request to a server; the first terminal receives first credential information sent by the server; the second terminal receives the first credential information, sent directly by the first terminal from the system memory of the first terminal, together with a network identifier of a wireless network to be connected; the second terminal stores the first credential information directly from the system memory of the second terminal into a secure storage region of the second terminal; and the second terminal connects to the wireless network corresponding to the network identifier by using the first credential information in the secure storage region.

Description

Method, apparatus and application APP for processing credential information for network connection
This application claims priority to Chinese Patent Application No. 201710117743.0, filed with the Chinese Patent Office on March 1, 2017 and entitled "Method, apparatus and application APP for processing credential information for network connection", and to Chinese Patent Application No. 201710150249.4, filed with the Chinese Patent Office on March 14, 2017 and entitled "Method, apparatus and application APP for processing credential information for network connection", the entire contents of which are incorporated herein by reference.
Technical field
The present invention relates to the field of communications technologies, and in particular to a method, an apparatus and an application APP for processing credential information for network connection.
Background
When a terminal accesses a wireless network, it usually has to provide the wireless network with credential information for networking, and the terminal is allowed to access the network only after the credential information is verified as correct. For example, for a wireless network using Wireless Fidelity (WIFI) technology and a terminal supporting WIFI, the terminal can use the network name and connection password of the wireless network to request a connection to the wireless network corresponding to that network name, and the terminal is allowed to access the wireless network after the entered connection password passes verification.
However, when a terminal needs to connect to another wireless network, the wireless network provider has to disclose the credential information for connecting to that wireless network to the user of the terminal, and the user has to enter the credential information on the terminal manually. For example, user X provides a wireless network at home, that is, user X is the wireless network provider. When user Y visits user X's home and wants to connect user Y's mobile phone to the wireless network there, user X first has to tell user Y the name and connection password of the wireless network; user Y then opens "Settings" on the phone, selects and taps the network name of user X's wireless network among the names of the multiple wireless networks listed in "Settings", and, once the network connection interface appears, manually enters the connection password to connect. When the connection password is too complex or long, user Y finds it hard to remember and tedious to type. It can be seen that, on the one hand, the user's operation in connecting the terminal to the wireless network is rather inconvenient, and, on the other hand, disclosing the credential information of the wireless network also creates a security risk.
Summary of the invention
The technical problem to be solved by the present invention is to provide a method, an apparatus and an application APP for processing credential information for network connection, so that a terminal can obtain the credential information of a wireless network and use it to connect without manual input by the user. This not only simplifies and facilitates the user's networking operation, but also avoids disclosing the credential information used for networking, improving the security of the user's use of the wireless network.
In a first aspect, an embodiment of the present invention provides a method for processing credential information for network connection, the method including:
a first terminal, in response to an instruction to apply for a networking credential for a second terminal, sends a first credential download request to a server, where the first credential download request carries user identity information of the first terminal, and the user identity information is used by the server to perform user identity verification on the first terminal;
the first terminal receives first credential information sent by the server when the user identity verification succeeds;
the second terminal receives the first credential information sent by the first terminal directly from the first terminal's system memory, together with the network identifier of the wireless network to be connected;
the second terminal stores the received first credential information directly from the second terminal's system memory into a secure storage area of the second terminal;
the second terminal connects to the wireless network corresponding to the network identifier by using the first credential information in the secure storage area.
In a second aspect, an embodiment of the present invention provides an apparatus for processing credential information for network connection, configured in a first terminal, the apparatus including: an application module;
the application module is configured to, in response to an instruction to apply for a networking credential for a second terminal, send a first credential download request to a server, receive first credential information sent by the server when user identity verification succeeds, and send the first credential information and the network identifier of the wireless network to be connected directly from the first terminal's system memory to the second terminal; or
the application module is configured to, in response to an instruction to apply for a networking credential for the first terminal, send a second credential download request to the server, and receive second credential information sent by the server when user identity verification succeeds;
where the first credential download request or the second credential download request carries user identity information of the first terminal, and the user identity information is used by the server to perform user identity verification on the first terminal; the first credential information is used by the second terminal to connect to the wireless network corresponding to the network identifier; and the second credential information is used by the first terminal to connect to a wireless network.
In a third aspect, an embodiment of the present invention provides an apparatus for processing credential information for network connection, configured in a second terminal, the apparatus including: an application module, a storage module and a network connection module;
the application module is configured to receive first credential information sent by a first terminal and the network identifier of the wireless network to be connected, where the first credential information was downloaded from a server by the first terminal in response to an instruction to apply for a networking credential for the second terminal and sent to the second terminal;
the storage module is configured to store the first credential information directly from the second terminal's system memory into a secure storage area of the second terminal;
the network connection module is configured to connect to the wireless network corresponding to the network identifier by using the first credential information in the secure storage area.
In a fourth aspect, an embodiment of the present invention provides an application APP, configured in a first terminal, the application APP including: an application module,
the application module is configured to, in response to an instruction to apply for a networking credential for a second terminal, send a first credential download request to a server, receive first credential information sent by the server when user identity verification succeeds, and send the first credential information and the network identifier of the wireless network to be connected directly from the first terminal's system memory to the second terminal; or
the application module is configured to, in response to an instruction to apply for a networking credential for the first terminal, send a second credential download request to the server, and receive second credential information sent by the server when user identity verification succeeds;
where the first credential download request or the second credential download request carries user identity information of the first terminal, and the user identity information is used by the server to perform user identity verification on the first terminal; the first credential information is used by the second terminal to connect to the wireless network corresponding to the network identifier; and the second credential information is used by the first terminal to connect to a wireless network.
In a fifth aspect, an embodiment of the present invention provides an application APP, configured in a second terminal, the application APP including: an application module,
the application module is configured to receive first credential information sent by a first terminal and the network identifier of the wireless network to be connected, where the first credential information was downloaded from a server by the first terminal in response to an instruction to apply for a networking credential for the second terminal and sent to the second terminal;
the application module is further configured to invoke a storage module of the second terminal to store the first credential information directly from the second terminal's system memory into a secure storage area of the second terminal;
the application module is further configured to invoke a network connection module of the second terminal to connect to the wireless network corresponding to the network identifier by using the first credential information stored in the secure storage area.
Compared with the prior art, the present invention has the following advantages:
With the technical solution of the embodiments of the present invention, when a second terminal needs to use credential information to connect to a wireless network, a first terminal that has the right to apply for credentials of that wireless network can request the server to download the credential information for connecting to the wireless network, and send both the credential information and the network identifier of the wireless network to the second terminal. The second terminal can thus obtain the networking credential information and the network identifier of the wireless network without manual input, and use the credential information to connect to the wireless network corresponding to the network identifier. It can be seen that, in the process of connecting the second terminal to the wireless network, the operation of manually entering the credential information is saved, so that the networking operation is simplified, and the credential information need not be disclosed to the user who connects with the second terminal, which avoids disclosing the credential information used to connect to the wireless network and improves the security of the wireless network.
Brief description of the drawings
In order to explain the embodiments of the present application or the technical solutions in the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present application, and a person of ordinary skill in the art can obtain other drawings from these drawings without creative effort.
FIG. 1 is a schematic diagram of an exemplary application scenario in an embodiment of the present invention;
FIG. 2 is a schematic flowchart of a method for processing credential information for network connection in an embodiment of the present invention;
FIG. 3 is a schematic structural diagram of an apparatus for processing credential information for network connection in an embodiment of the present invention;
FIG. 4 is a schematic structural diagram of an apparatus for processing credential information for network connection in an embodiment of the present invention;
FIG. 5 is a schematic structural diagram of an apparatus for processing credential information for network connection in an embodiment of the present invention;
FIG. 6 is a schematic structural diagram of an apparatus for processing credential information for network connection in an embodiment of the present invention;
FIG. 7 is a schematic structural diagram of an apparatus for processing credential information for network connection in an embodiment of the present invention.
具体实施方式detailed description
为了使本技术领域的人员更好地理解本申请方案,下面将结合本申请实施例中的附图,对本申请实施例中的技术方案进行清楚、完整地描述,显然,所描述的实施例仅是本申请一部分实施例,而不是全部的实施例。基于本申请中的实施例,本领域普通技术人员在没有做出创造性劳动前提下所获得的所有其他实施例,都属于本申请保护的范围。The technical solutions in the embodiments of the present application are clearly and completely described in the following with reference to the accompanying drawings in the embodiments of the present application. It is a part of the embodiments of the present application, and not all of the embodiments. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present application without departing from the inventive scope are the scope of the present application.
发明人发现,为了使得终端能够连接到无线网络,无线网络提供者需要将用于连接无线网络的凭证信息告知终端的用户,然后终端的用户在终端上手动输入或安装所述凭证信息后,才能将终端连接上所述无线网络。但是,一方面,用户需要记忆用于连接无线网络的凭证信息(例如密码),并将其手动输入到终端的无线网络连接界面上,可见用户操作较 为繁琐;另一方面,无线网络提供者需要向使用终端连接无线网络的其他用户公布连网的凭证信息,而在公布时极易造成凭证信息的泄露,当凭证信息被恶意用户获取时,恶意用户有可能借此攻击无线网络,可见,无线网络的安全性存在隐患。The inventor has found that in order to enable the terminal to connect to the wireless network, the wireless network provider needs to inform the user of the terminal of the credential information for connecting to the wireless network, and then the user of the terminal manually inputs or installs the credential information on the terminal. Connect the terminal to the wireless network. However, on the one hand, the user needs to memorize the credential information (such as a password) used to connect to the wireless network, and manually input it to the wireless network connection interface of the terminal, which shows that the user operation is cumbersome; on the other hand, the wireless network provider needs The network credential information is advertised to other users who use the terminal to connect to the wireless network, and the voucher information is easily leaked when being published. When the credential information is obtained by a malicious user, the malicious user may attack the wireless network, visible, wireless There are hidden dangers in the security of the network.
In the embodiments of the present invention, it is assumed that the wireless network provider uses a first terminal, and that the first terminal holds the credential application right for the wireless network; that is, the user identity information provided by the first terminal can be verified by the server, so that the first terminal can download the network credential information from the server. When another user wants to connect a second terminal to the wireless network, the wireless network provider can use the first terminal to request the network credential information from the server, and send both the network identifier of the wireless network and the credential information to the second terminal. The second terminal thus obtains the network identifier and the credential information without any manual input, and uses the credential information to connect to the wireless network identified by that network identifier. In the process of connecting the second terminal to the wireless network, the user is spared the manual entry of credential information on the second terminal, which simplifies the connection operation; moreover, the wireless network provider no longer needs to tell the user of the second terminal the credential information, so the network credential information is never disclosed. This reduces the possibility that a malicious user obtains leaked credential information and uses it to attack the wireless network, and improves the security of the wireless network.
Referring to FIG. 1, FIG. 1 is a schematic diagram of an exemplary application scenario in an embodiment of the present invention. The first terminal 110 can interact with the server 130 through a wireless access point AP (also called a wireless router), and the first terminal 110 can interact with the second terminal 120. By way of example, the first terminal 110 may include an application module 111, a certificate management module 112, a storage module 113 and a network connection module 114; the second terminal 120 may include an application module 121, a certificate management module 122, a storage module 123 and a network connection module 124.
As one example, the first terminal 110 may contain only the application module 111. In response to an instruction to apply for a network credential for another terminal (in the embodiments of the present invention, the second terminal), the application module 111 sends a first credential download request to the server. The instruction to apply for a network credential for another terminal may be generated by the first terminal 110, or generated by the second terminal 120 and sent to the first terminal 110 through the application module 121. The first credential download request carries the user identity information provided by the first terminal 110. The server 130 can verify the user identity of the first terminal 110 according to that user identity information and, if verification succeeds, send first credential information to the first terminal 110. The first terminal 110 can receive the first credential information through the application module 111 and send the first credential information together with the network identifier of the wireless network to be connected to the second terminal 120. The second terminal 120 may contain only the application module 121, the storage module 123 and the network connection module 124: it receives the first credential information and the network identifier through the application module 121, stores the first credential information in the secure storage area of the second terminal 120 through the storage module 123, and, through the network connection module 124, uses the first credential information held in that secure storage area to connect to the wireless network identified by the network identifier. The network identifier may be entered manually by the wireless network provider in the sending interface through which the first terminal 110 sends the first credential information to the second terminal 120, or it may be generated from the default settings of the first terminal 110 in that sending interface. The sending interface is displayed on the first terminal 110.
As another example, in response to an instruction to apply for a network credential for this terminal (in the embodiments of the present invention, the first terminal), the application module 111 of the first terminal 110 may also send a second credential download request to the server, where the second credential download request carries the user identity information provided by the first terminal 110. Correspondingly, in addition to the application module 111, the first terminal 110 includes the storage module 113 and the network connection module 114. The server 130 verifies the user identity of the first terminal 110 according to the user identity information and, if verification succeeds, sends second credential information to the first terminal 110. The first terminal 110 receives the second credential information through the application module 111, stores it in the secure storage area of the first terminal 110 through the storage module 113, and, through the network connection module 114, uses the second credential information in that secure storage area to connect to the wireless network.
In the above examples, the credential information used to connect to the wireless network may be a network connection password. This case is common in WIFI network environments and also applies to WAPI pre-shared key network environments. When the second terminal connects to the wireless network, the network provider does not need to disclose the network credential information (such as the network connection password) to the user of the second terminal, which avoids leaking the credential information and the resulting potential danger to the security of the wireless network; at the same time, the user of the second terminal can complete the network connection without manually entering the credential information (such as the network connection password) on the second terminal, which makes connecting the terminal more convenient.
As a further example, where the first credential information is certificate data, the second terminal 120 may include a certificate management module 122 in addition to the application module 121, the storage module 123 and the network connection module 124. Before the first credential information is stored in the secure storage area of the second terminal 120, the certificate management module 122 may name the certificate data according to a certificate identifier set for the certificate data, and call the storage module 123 to store the named certificate data in the secure storage area of the second terminal 120.
Similarly, where the second credential information is certificate data, the first terminal 110 may include a certificate management module 112 in addition to the application module 111, the storage module 113 and the network connection module 114. Before the second credential information is stored in the secure storage area of the first terminal 110, the certificate management module 112 may name the certificate data according to a certificate identifier set for the certificate data, and call the storage module 113 to store the named certificate data in the secure storage area of the first terminal 110.
In the first terminal 110, the application module 111 normally runs at the application layer, while the certificate management module 112, the storage module 113 and the network connection module 114 run at the system layer. Likewise, in the second terminal 120, the application module 121 normally runs at the application layer, while the certificate management module 122, the storage module 123 and the network connection module 124 run at the system layer. The application module 111 or the application module 121 may be built into the terminal at the factory, or obtained by the user from an external source and installed on the terminal after it leaves the factory. The application module 111 or the application module 121 may run on the terminal as a third-party application (APP); that is, a third-party APP containing the application module 111 or the application module 121 can be installed on the terminal so that the terminal can conveniently perform the network connection operations. Of course, the application module 111 and the application module 121 may also run at the system layer; application modules that run at the system layer are built into the terminal at the factory.
It should be noted that a module running at the application layer can be obtained externally and installed on the terminal by the user, and can also be uninstalled by the user, whereas a module running at the system layer is built into the terminal's system and cannot be uninstalled by the user. Furthermore, even modules that all run at the system layer may have different operating permissions.
Those skilled in the art will appreciate that the schematic diagram shown in FIG. 1 is merely one example in which the embodiments of the present invention may be implemented. The scope of application of the embodiments of the present invention is not limited by any aspect of this diagram.
Various possible embodiments of the present invention are described in detail below by way of examples, with reference to the accompanying drawings.
Referring to FIG. 2, a flow chart of a method for processing credential information for network connection according to an embodiment of the present invention is shown. In this embodiment, the method includes the following steps:
201. In response to an instruction to apply for a network credential for the second terminal, the first terminal sends a first credential download request to the server.
The first credential download request carries the user identity information of the first terminal, which the server uses to verify the user identity of the first terminal.
In a specific implementation, for example, the credential download interface provided by the first terminal contains two operation options: "apply for a network credential for this terminal" and "apply for a network credential for other terminals". The wireless network provider can select the option "apply for a network credential for other terminals" in the credential download interface, which triggers the instruction to apply for a network credential for other terminals, referred to in the embodiments of the present invention as the instruction to apply for a network credential for the second terminal. By way of example, in the credential download interface the wireless network provider can enter a username and password as the user identity information of the first terminal, can also enter the Internet Protocol (IP) address and port number of the server, and can select either the "apply for a network credential for this terminal" option or the "apply for a network credential for other terminals" option; in step 201, of course, the wireless network provider selects "apply for a network credential for other terminals". Based on the wireless network provider's operations in the credential download interface, the first terminal generates the first credential download request carrying the user identity information and sends it to the server. In response to the first credential download request, the server can obtain the user identity information and verify the user identity of the first terminal according to it.
Where the user identity information includes a username and password, the server may verify the user identity of the first terminal by, for example, checking that the username and password are valid and match each other. If the username and password are valid and match, the user identity verification of the first terminal succeeds.
202. The first terminal receives the first credential information that the server sends when the user identity verification of the first terminal succeeds.
In a specific implementation, if the user identity verification of the first terminal succeeds, the server can generate or obtain (for example, obtain from a certificate issuing server) the first credential information and send it to the first terminal, so that the first terminal receives the first credential information sent by the server. Whether the verification of the first terminal's user identity information succeeds thus serves as the basis on which the server generates or obtains the first credential information.
In some embodiments, in order to protect the first credential information while it is transmitted over the network, the first credential information may be encrypted for transmission between the first terminal and the server. Specifically, step 202 may include: the first terminal receives first encrypted information sent by the server when the user identity verification of the first terminal succeeds; the first terminal decrypts the first encrypted information to obtain the first credential information. The first encrypted information is obtained by the server by encrypting the first credential information. Any feasible encryption method may be used to encrypt the first credential information; this embodiment does not limit the choice.
It will be understood that, in the usual case, when a terminal receives a certificate or file it stores that certificate or file on the terminal, and when the certificate or file later has to be sent to another terminal, the terminal retrieves it from its local storage location and sends it. However, insecure applications may exist on the first terminal, and if an insecure application obtains the first credential information on the first terminal, the security of the wireless network may be threatened. To prevent the first credential information from leaking on the first terminal, in some embodiments the first terminal, after receiving the first credential information, can send it to the second terminal directly from the system memory of the first terminal, without storing it in any other storage location on the first terminal. Temporarily storing the first credential information in a conventional storage location on the first terminal could allow an insecure application on the first terminal to read or copy it, whereas sending it to the second terminal directly from system memory prevents insecure applications on the first terminal from reading or copying it. The security of the first credential information is therefore better protected.
203. The second terminal receives the first credential information, sent by the first terminal directly from the system memory of the first terminal, together with the network identifier of the wireless network to be connected.
In a specific implementation, after the first terminal receives the first credential information, it may prompt the wireless network provider through a credential sending interface. In the credential sending interface provided by the first terminal, the wireless network provider can trigger a sending instruction carrying the network identifier and the first credential information, and the first terminal sends the network identifier and the first credential information to the second terminal in response. The network identifier of the wireless network may be a default network identifier that the first terminal obtains and fills into the credential sending interface, or it may be entered manually by the wireless network provider in that interface.
It will be understood that, because the wireless network provider sends the network identifier of the wireless network to the second terminal together with the first credential information through the first terminal, the second terminal can automatically select the wireless network identified by the network identifier when connecting with the first credential information. The user of the second terminal does not have to pick the wireless network corresponding to the network identifier from a long list of wireless network names on the second terminal (for example in the second terminal's "Settings") before connecting. The network identifier of the wireless network may be the display name of the wireless network, for example its Service Set Identifier (SSID).
As one example, the first terminal may send the first credential information to the second terminal using a point-to-point wireless communication technology that does not require a network to be set up. Preferably, the first terminal sends the first credential information to the second terminal using near field communication (NFC), and the second terminal receives it using NFC. When the first credential information is transmitted over NFC, the first terminal and the second terminal only need to be brought close to each other for the transfer to take place. Of course, other point-to-point wireless communication technologies, such as Bluetooth, may also be used between the first terminal and the second terminal to send the first credential information. Bluetooth, however, requires the terminals to discover and pair with each other beforehand, and the credential information can be sent only once the connection has been established, whereas NFC only requires the terminals to be close to each other. Transmitting the credential information over NFC is therefore more convenient and faster; at the same time, because NFC requires the terminal devices to be very close to each other, the credential information is not easily intercepted by outsiders and the transfer is relatively safe.
It should be noted that, in the various embodiments of the present invention, using NFC to transfer the credential information between terminals is the preferred solution, but the embodiments of the present invention do not restrict the manner in which the credential information is transferred; other point-to-point wireless communication technologies such as Bluetooth may also be used.
204. The second terminal stores the received first credential information directly from the system memory of the second terminal into the secure storage area of the second terminal.
It will be understood that, in the usual case, when a terminal receives a certificate or file it stores that certificate or file on the terminal, and when the certificate or file later has to be sent to another terminal, the terminal retrieves it from its local storage location and sends it. However, insecure applications may exist on the second terminal, and if an insecure application obtains the first credential information on the second terminal, the security of the wireless network may be threatened. To prevent the first credential information from leaking on the second terminal, in some embodiments the second terminal, after receiving the first credential information, can store it in the secure storage area of the second terminal directly from the system memory of the second terminal, without temporarily placing it in any other conventional storage location on the second terminal. Temporarily storing the first credential information in a conventional storage location on the second terminal could allow an insecure application on the second terminal to read or copy it, whereas storing it in the secure storage area directly from system memory prevents insecure applications on the second terminal from reading or copying it. The security of the first credential information is therefore better protected.
In the embodiments of the present invention, the secure storage area differs from conventional hard disk storage; it may be a separate storage region inside the terminal. On the one hand, credential information is not stored in that region as files but only as data, so file management tools with a file scanning function (for example RE File Manager or ES File Explorer) cannot find the credential information by scanning; the data stored in that region is invisible to the user and cannot be copied. On the other hand, the region can only be accessed through a specific interface provided by the system, and no file-operation API can reach it. Storing the credential information in a secure storage area inside the terminal is therefore safer than conventional hard disk storage in the embodiments of the present invention. The secure storage area may be implemented in software, such as the Android keystore or the Windows system storage area, or in hardware, such as a security chip. Because the first credential information is stored in the secure storage area, it cannot be found by file management tools and cannot be accessed through file-operation APIs, which prevents the first credential information from leaking on the second terminal and better protects it. It should be noted that the secure storage area described above refers not only to the secure storage area of the second terminal; the secure storage area of the first terminal has the same function.
As an example, to make the first credential information more secure, it may be encrypted before being stored in the secure storage area. When the second terminal reads the encrypted first credential information from the secure storage area, it must first decrypt it and then use the decrypted first credential information to connect to the wireless network.
205. The second terminal uses the first credential information in the secure storage area to connect to the wireless network identified by the network identifier.
In a specific implementation, after receiving the network identifier and the first credential information, the second terminal can determine the wireless network corresponding to the network identifier and send a connection request to the access point of that wireless network, so as to connect to the wireless network through its access point.
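Steps 201 to 205 run end to end, as an added example that is not code from the patent or its applicant (the patent specifies neither the cipher nor the secure-storage API). The server verifies the username and password carried in the download request against a salted PBKDF2 hash and answers only with encrypted credential information under a transport key assumed to be shared with the first terminal; the first terminal decrypts it into a local variable and hands it straight to the second terminal (the NFC hop is simulated by a method call); the second terminal writes it from memory into a keystore stand-in that exposes no file path and then presents it to the access point for the SSID it was given. The encrypt-then-MAC construction, the account "provider"/"pr0vider-pw", the SSID "HomeAP" and the network password are all constructed for the example.

```python
import hashlib
import hmac
import secrets

# Transport protection between server 130 and terminal 110. The patent leaves the
# cipher open; this encrypt-then-MAC scheme (HMAC-SHA256 keystream + HMAC tag) is an
# illustrative stand-in for a real AEAD such as AES-GCM, and the shared transport
# key is assumed to have been provisioned beforehand.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || ciphertext || tag, the 'first encrypted information'."""
    nonce = secrets.token_bytes(16)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + body + hmac.new(key, nonce + body, hashlib.sha256).digest()

def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verifies the tag in constant time before decrypting; raises on tampering."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + body, hashlib.sha256).digest(), tag):
        raise ValueError("credential blob failed integrity check")
    return bytes(c ^ k for c, k in zip(body, _keystream(key, nonce, len(body))))

def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

class Server:
    """Server 130: verifies the user identity in the request, then issues the credential."""
    def __init__(self, network_psk: bytes, transport_key: bytes):
        self._users = {}  # username -> (salt, PBKDF2 hash); no plaintext passwords kept
        self._network_psk, self._transport_key = network_psk, transport_key

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, _pbkdf2(password, salt))

    def handle_download_request(self, username: str, password: str):
        """Steps 201/202: encrypted credential on success, None if identity verification fails."""
        if username not in self._users:
            return None
        salt, stored = self._users[username]
        if not hmac.compare_digest(_pbkdf2(password, salt), stored):
            return None
        return encrypt(self._transport_key, self._network_psk)

class FirstTerminal:
    """Terminal 110: holds the provider's identity; the credential exists here only in memory."""
    def __init__(self, transport_key: bytes):
        self._transport_key = transport_key

    def provision_other_terminal(self, server, username, password, ssid, second) -> bool:
        blob = server.handle_download_request(username, password)
        if blob is None:
            return False
        credential = decrypt(self._transport_key, blob)  # local variable only, never written to a file
        second.receive_over_nfc(ssid, credential)        # step 203: hand-off straight from memory
        return True

class SecureStore:
    """Stand-in for a keystore: entries are reachable only through put/get, never by file path."""
    def __init__(self):
        self._entries = {}

    def put(self, alias: str, data: bytes) -> None:
        self._entries[alias] = bytes(data)

    def get(self, alias: str):
        return self._entries.get(alias)

class SecondTerminal:
    """Terminal 120: stores the received credential straight into secure storage, then connects."""
    def __init__(self):
        self._store = SecureStore()

    def receive_over_nfc(self, ssid: str, credential: bytes) -> None:
        self._store.put("wifi:" + ssid, credential)  # step 204: memory -> secure storage, no file

    def connect(self, ssid: str, access_point) -> bool:
        psk = self._store.get("wifi:" + ssid)        # step 205: looked up by network identifier
        return psk is not None and access_point.authenticate(ssid, psk)

class AccessPoint:
    def __init__(self, ssid: str, psk: bytes):
        self.ssid, self._psk = ssid, psk

    def authenticate(self, ssid: str, psk: bytes) -> bool:
        return ssid == self.ssid and hmac.compare_digest(psk, self._psk)

def provision_and_connect(username: str, password: str) -> bool:
    """End-to-end run on constructed data; True only if the second terminal joins the network."""
    psk, transport_key = b"constructed-network-password", secrets.token_bytes(32)
    server = Server(psk, transport_key)
    server.register("provider", "pr0vider-pw")  # constructed provider account
    first, second = FirstTerminal(transport_key), SecondTerminal()
    if not first.provision_other_terminal(server, username, password, "HomeAP", second):
        return False
    return second.connect("HomeAP", AccessPoint("HomeAP", psk))
```

Three points of the security argument in steps 202 to 204 become concrete here: a wrong password or unknown account yields no credential at all rather than an error that reveals which of the two was wrong; a modified blob is rejected before any decryption happens; and on the first terminal the credential is never assigned to anything that outlives the hand-off. The short NFC range reduces exposure during the hand-off but does not replace the encryption between server and terminal, and a deployment should use an established AEAD in place of the illustrative construction above.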
In this embodiment, the wireless network may use any feasible wireless communication technology. Wireless networks using different wireless communication technologies correspond to different kinds of credential information, so the credential information mentioned in this embodiment can take several possible forms. For example, if the wireless network uses the Wireless LAN Authentication and Privacy Infrastructure (WAPI) mode, the first credential information may be WAPI certificate data. If the wireless network uses WIFI mode with WPA/WPA2 PSK encryption, the first credential information may be a password. If the wireless network uses WIFI mode with 802.1x EAP, the first credential information may include CA certificate data and other credential parameters, for example the specific EAP method (PEAP, TLS, TTLS, PWD, etc.), the phase 2 authentication method (MSCHAPV2, GTC, etc.), the identity, the anonymous identity and the password.
It will be understood that the first credential information may be processed differently when the terminal connects to the wireless network, depending on which kind of credential information it is.
As one example, if the first credential information is a password or other credential information that is not a certificate, the second terminal can store the credential information itself and use it to connect to the wireless network, or use the credential information itself directly to connect to the wireless network.
As another example, if the first credential information is a certificate such as a WAPI certificate or a CA certificate, the second terminal can install the certificate, that is, store the certificate data and use the certificate data to connect to the wireless network. Specifically, if the first credential information includes certificate data, then before the first credential information is stored in the secure storage area of the second terminal in step 204, the second terminal can name the certificate data according to the certificate identifier set for it. Correspondingly, the storing in step 204 consists in storing the named certificate data in the secure storage area of the second terminal, and the use in step 205 consists in using the certificate data in the secure storage area to connect to the wireless network identified by the network identifier.
The certificate data may be WAPI certificate data, corresponding to the WAPI networking mode, or WiFi certificate data, corresponding to the WiFi networking mode, and so on. The certificate a wireless network uses for network access is usually a set of certificates comprising several pieces of certificate data. In the embodiment of the present invention, the WAPI certificate data used for networking refers to one such set; for example, a set of WAPI certificate data in this embodiment includes user certificate data, issuer certificate data and the user private key. So that the WAPI certificate data can be located more conveniently when connecting to the wireless network, the second terminal may name a set of WAPI certificate data, that is, assign the set a certificate name, the certificate identifier. After naming, the user certificate data, the issuer certificate data and the user private key in the set all carry the same certificate identifier.
For example, when a set of WAPI certificate data used for networking is named with NAME1 as the certificate identifier, the user certificate data is named "WAPI_USRCERT_NAME1", the issuer certificate data "WAPI_CACERT_NAME1" and the user private key "WAPI_USRPKEY_NAME1". The names of all three pieces of certificate data in the set then contain the certificate identifier "NAME1", so when later looking up WAPI certificate data the second terminal only needs to look up the certificate identifier "NAME1" to obtain a complete set.
As an example, when naming the certificate data, the certificate identifier may be an identifier set by the user. Specifically, when a certificate needs to be installed, the user may enter the certificate identifier on a certificate naming interface provided by the second terminal and trigger installation of the certificate; the second terminal then names the certificate data according to the entered identifier.
As another example, the certificate identifier may be automatically assigned or generated by the second terminal. Specifically, when a certificate needs to be installed, the second terminal may display the automatically assigned or generated certificate identifier to the user, name the certificate data according to it, and then trigger installation of the certificate automatically.
In this embodiment, the second terminal may use the certificate data to connect to the wireless network under manual user operation (the manual connection mode), or it may use the certificate data to connect automatically (the automatic connection mode).
In the manual connection mode, the certificate data to be used may be located by the second terminal on the basis of a certificate identifier selected manually by the user. Specifically, in step 205 the second terminal, in response to a manual connection instruction, enumerates the certificate identifiers of all certificate data in the secure storage area, reads the certificate data corresponding to the identifier selected by the user, and connects to the wireless network using the certificate data read.
In the automatic connection mode, the certificate data to be used may be located by the second terminal itself. Specifically, in step 205 the second terminal, in response to an automatic connection instruction, queries the secure storage area on its own for the certificate data used to connect to the wireless network, and connects using the certificate data found.
Specifically, taking WAPI certificate data as an example (other types of certificate data are handled in the same way), when the second terminal queries the secure storage area on its own for the certificate data used for networking, it first reads all WAPI certificate data in the secure storage area into memory and then associates with the external wireless access point (AP). When it receives the authentication activation packet sent by the AP, it takes the "identity of the local ASU (authentication service unit)" field from that packet, then traverses all the WAPI certificate data read earlier, taking the "holder name", "issuer name" and "serial number" from the issuer certificate data of each set and combining these three items into an "identity" value. When the "identity" derived from a given set of WAPI certificate data matches the "identity of the local ASU" field in the authentication activation packet, that set is used for the network connection.
It should be noted that the authentication activation packet sent by the AP is valid only for a limited time. The second terminal therefore reads the certificate data from the secure storage area into memory first; once the "identity of the local ASU" field has been obtained from the authentication activation packet, traversing the certificate data already in memory to derive the "identity" values greatly reduces the time taken, so that the authentication activation packet does not expire.
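The naming scheme and the automatic selection procedure above, as an added example in Python; this is not code from the patent, and the store layout (a dict keyed by item name), the Cert fields and the sample values are assumptions made for the example:

```python
"""Added example, not the patent's code: a Python model of the WAPI certificate
naming scheme and of the automatic certificate selection described above.
The store layout (a dict keyed by name), the Cert fields and the sample values
are assumptions made for the example."""
from dataclasses import dataclass

# One WAPI certificate set is stored as three named items (naming scheme from the text).
PARTS = ("WAPI_USRCERT_", "WAPI_CACERT_", "WAPI_USRPKEY_")


@dataclass(frozen=True)
class Cert:
    """Stand-in for a parsed certificate: only the fields the matching step needs."""
    holder: str  # holder (subject) name
    issuer: str  # issuer name
    serial: int  # serial number


def names_for(alias):
    """Names of the user cert, issuer cert and private key belonging to one alias."""
    return tuple(prefix + alias for prefix in PARTS)


def aliases(store):
    """Enumerate certificate identifiers. An alias counts only if all three parts exist,
    so a half-installed set is never offered for selection."""
    found = set()
    for key in store:
        for prefix in PARTS:
            if key.startswith(prefix):
                found.add(key[len(prefix):])
    return sorted(a for a in found if all(n in store for n in names_for(a)))


def load_set(store, alias):
    """Read one complete set out of the secure storage area."""
    user, ca, pkey = names_for(alias)
    return {"user": store[user], "ca": store[ca], "pkey": store[pkey]}


def asu_identity(ca_cert):
    """'Identity' derived from the issuer certificate: holder name, issuer name, serial number."""
    return (ca_cert.holder, ca_cert.issuer, ca_cert.serial)


def select_set_for_asu(store, local_asu_identity):
    """Automatic selection. All sets are read into memory BEFORE the activation packet
    is handled, so that the match loop, which runs while the packet is still valid,
    touches no secure storage. Returns (alias, set) or None when nothing matches."""
    cache = {a: load_set(store, a) for a in aliases(store)}
    # ... associate with the AP and receive the authentication activation packet here ...
    wanted = tuple(local_asu_identity)
    for alias, cert_set in cache.items():
        if asu_identity(cert_set["ca"]) == wanted:
            return alias, cert_set
    return None


# Constructed sample store: two complete sets and one incomplete entry.
SAMPLE_STORE = {
    "WAPI_USRCERT_NAME1": Cert("user1", "Corp ASU", 1001),
    "WAPI_CACERT_NAME1": Cert("Corp ASU", "Corp ASU", 1),
    "WAPI_USRPKEY_NAME1": b"<private key 1>",
    "WAPI_USRCERT_NAME2": Cert("user2", "Lab ASU", 2001),
    "WAPI_CACERT_NAME2": Cert("Lab ASU", "Lab ASU", 7),
    "WAPI_USRPKEY_NAME2": b"<private key 2>",
    "WAPI_USRCERT_ORPHAN": Cert("user3", "Other ASU", 3001),  # no CA cert or key
}

if __name__ == "__main__":
    print(aliases(SAMPLE_STORE))                                          # ['NAME1', 'NAME2']
    print(select_set_for_asu(SAMPLE_STORE, ("Lab ASU", "Lab ASU", 7))[0])  # NAME2
```

The incomplete "ORPHAN" entry is deliberately excluded from enumeration: a set whose private key or issuer certificate is missing cannot complete the WAPI handshake, so offering it for selection would only waste the short lifetime of the activation packet.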
Where the first credential information includes certificate data, the second terminal 120 shown in FIG. 1 may use the certificate management module 122 in cooperation with its other modules to store and use the certificate data.
Taking WAPI certificate data as an example (other types of certificate data are handled in the same way), after the second terminal 120 has received the first credential information through the application module 121, the application module 121 may call the certificate installation interface of the certificate management module 122 and supply its interface parameters, which may include the user certificate data, the issuer certificate data and the user private key from the WAPI certificate data. The certificate installation interface of the certificate management module 122 opens the certificate naming interface and displays a default certificate identifier on it; alternatively, the user may modify the certificate identifier on the certificate naming interface. After the certificate installation interface has obtained the user certificate data, the issuer certificate data and the user private key from the interface parameters, it names them according to the default certificate identifier or the identifier entered on the naming interface. The certificate management module 122 then calls the storage module 123, which stores the named certificate data in the secure storage area according to the naming rule of the certificate management module 122, completing the certificate installation.
After installation, in the manual connection mode the network connection module 124 calls the certificate enumeration interface of the certificate management module 122 to enumerate and present the certificate identifiers of all certificate data in the secure storage area. Once the user has selected the target certificate identifier, the network connection module 124 calls the storage module 123 to find the certificate data in the secure storage area whose name matches the target identifier, and then connects to the wireless network through the wireless network driver using the certificate data found.
It should be noted that the certificate naming interface is provided by the certificate management module 122 running at the system layer, not by the application module 121 running at the application layer. A certificate naming interface provided by a system-layer certificate management module normally cannot be controlled and operated maliciously by an untrusted application at the application layer, which prevents such an application from entering names on the naming interface in order to install or delete certificates.
Taking WAPI certificate data as an example (other types of certificate data are handled in the same way), where the terminal of this embodiment is based on the Android system, the network configuration interface of the network connection module 124 need not add a new class; compatibility with WAPI, with both the manual and the automatic networking modes, can be achieved by modifying Android's existing WLAN network configuration interface, that is, the WifiConfiguration class and its nested class KeyMgmt. Specifically, member variables wapiPskType, wapiPsk, wapiCertSelMode and wapiCertSel may be added to WifiConfiguration: wapiPskType describes the key type of the WAPI pre-shared key, wapiPsk the content of the WAPI pre-shared key, wapiCertSelMode the WAPI certificate selection mode, and wapiCertSel the certificate identifier of the WAPI certificate selected in manual mode. The new wapiCertSelMode and wapiCertSel cover networking with a WAPI certificate; wapiPskType and wapiPsk cover networking with a key. WAPI_PSK and WAPI_CERT may be added to KeyMgmt, that is, a definition describing the WAPI pre-shared key type and a definition describing the WAPI certificate type, for example: public static final int WAPI_PSK=190; public static final int WAPI_CERT=191.
It should be noted that, on the original Android system, if the network connection module is to offer both automatic and manual connection for the key mode as well, member variables must likewise be added to the WifiConfiguration class: one describing the key selection mode and one describing the identifier of the key selected in manual mode.
In addition, to improve security, each of the other modules in the second terminal 120 that calls the storage module 123 may run as a different user, with different users holding different operation rights. For example, a module running as the system user may install certificates for the terminal and may delete installed certificate data and enumerate certificate identifiers, but may not read the certificate data in the terminal; a module running as the wlan user may read certificate data and obtain certificate identifiers. Thus, with the certificate management module 122 running as the system user and the network connection module 124 running as the wlan user, the certificate management module 122 may call the storage module 123 to install certificate data, to delete installed certificate data and to enumerate certificate identifiers, but may not call it to read certificate data, while the network connection module 124 may call the storage module 123 to read certificate data and certificate identifiers, but may not call it to delete or install certificate data.
So that the certificate management module 122 can install and delete certificate data and enumerate certificate identifiers, as one example its certificate installation interface, certificate deletion interface and certificate identifier enumeration interface may be designed using the Android Intent mechanism. Specifically, an Activity may be preset in the system and the related Intent Actions defined.
For WAPI certificate data (other types of certificate data are handled in the same way), the related Intent Actions are "com.wapi.certificate.INSTALL" for installing WAPI certificate data, "com.wapi.certificate.GET_ALIASES" for enumerating certificate identifiers, and "com.wapi.certificate.DELETE" for deleting WAPI certificate data. The application module 121, or an application (APP) built into it, sends the corresponding Intent Action to the Activity preset in the system, and the Activity installs certificate data, deletes certificate data or enumerates certificate identifiers according to that Action. The application module 121 or its built-in APP passes the related parameters with the Intent's putExtra function, and the preset Activity retrieves them with the Intent's getExtras function. The related parameters are defined in Table 1.
Table 1: definitions of the parameters passed with the Intent (rendered as an image in the original).
Specifically, when installing certificate data, after the Activity preset in the system receives the Intent it performs the following operations:
1. Obtain the Bundle object through the Intent's getExtras function, then obtain the related parameters from the Bundle.
2. Check whether the set of WAPI certificate data to be installed is consistent, that is, whether the issuer certificate data and the user certificate data belong to one set. If not, the installation fails and the corresponding return value is set through the Activity's setResult function. If they match, the Activity opens an interactive interface, the certificate naming interface, on which the user can give the set of certificate data a custom alias, the certificate identifier (the interface shows a default alias passed by the application module 121 or its built-in APP as an Intent parameter; the user may also simply accept that default). Note that when the user enters a custom certificate identifier on the interface, the Activity must check whether it duplicates the alias of already installed certificate data and, if so, prompt the user to edit it again.
3. After obtaining the certificate identifier finally confirmed by the user through the interactive interface, the Activity installs the WAPI certificate and then sets the return value through the Activity's setResult function to notify the application module 121 or its built-in APP whether this installation succeeded or failed. The return value set through setResult when installing certificate data is defined as follows:
A return value of 1 means the installation succeeded; a return value of 0 means it failed.
Specifically, when deleting certificate data, after the Activity preset in the system receives the Intent it performs the following operations:
1. Obtain the Bundle object through the Intent's getExtras function, then obtain the related parameters from the Bundle.
2. Check whether the alias (the certificate identifier) of the set of WAPI certificate data to be deleted is in the alias list of the installed certificate data. If not, the deletion fails and the corresponding return value is set through the Activity's setResult function. If it is, the Activity opens an interactive interface asking the user to confirm deletion of that set; once the user confirms, it performs the deletion and sets the return value through setResult to tell the application module 121 or its built-in APP whether the deletion of the WAPI certificate data succeeded or failed. The return value set through setResult when deleting certificate data is defined as follows: 1 means the certificate was deleted successfully, 0 means the deletion failed.
Specifically, when enumerating certificate identifiers, after the Activity preset in the system receives the Intent it performs the following actions:
1. Return a "certificate identifier array" to the caller with the Intent's putExtra function, in the parameter format shown in Table 2.
2. Set the return value with the setResult function, defined as follows: 1 means the enumeration succeeded, 0 means it failed.
Table 2: format of the certificate identifier array returned to the caller (rendered as an image in the original).
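The install, delete and enumerate flows of the preset Activity, together with the system-user / wlan-user permission split described earlier, as an added Python example (not the patent's or Android's code). Android's Intent, Bundle and setResult are replaced by plain dicts and return tuples; the caller identities, the extras key names, the rule used to decide that the issuer and user certificates form one set, and the sample certificates are assumptions made for the example:

```python
"""Added example, not the patent's code: a Python model of the preset Activity's
install / delete / enumerate handling and of the system-vs-wlan permission split.
Android's Intent, Bundle and setResult are replaced by plain dicts and return
tuples; the caller identities, the 'extras' key names, the one-set matching rule
and the sample certificates are assumptions made for the example."""

INSTALL = "com.wapi.certificate.INSTALL"
GET_ALIASES = "com.wapi.certificate.GET_ALIASES"
DELETE = "com.wapi.certificate.DELETE"
OK, FAIL = 1, 0  # setResult values from the text: 1 success, 0 failure

# Operation rights per user identity (from the text). Note that 'system' cannot read.
PERMS = {
    "system": {"install", "delete", "enumerate"},
    "wlan": {"read", "enumerate"},
}


class SecureStore:
    """Secure storage area: alias -> {'user', 'ca', 'pkey'}. Every call is checked
    against PERMS for the identity of the calling module, not of the app behind it."""

    def __init__(self):
        self._sets = {}

    def _check(self, uid, op):
        if op not in PERMS.get(uid, set()):
            raise PermissionError(f"{uid} may not {op}")

    def install(self, uid, alias, cert_set):
        self._check(uid, "install")
        self._sets[alias] = dict(cert_set)

    def delete(self, uid, alias):
        self._check(uid, "delete")
        del self._sets[alias]

    def enumerate(self, uid):
        self._check(uid, "enumerate")
        return sorted(self._sets)

    def read(self, uid, alias):
        self._check(uid, "read")
        return self._sets[alias]


def set_matches(user_cert, ca_cert):
    """Assumed rule for 'issuer and user certificate belong to one set':
    the user certificate's issuer name equals the issuer certificate's holder name."""
    return user_cert["issuer"] == ca_cert["holder"]


def handle_intent(store, action, extras, uid="system", dialog=lambda alias: alias):
    """Models the Activity. Returns (result_code, result_extras), i.e. the setResult
    value plus the returned extras. `dialog` models the naming / confirmation UI: it
    receives the proposed alias and returns the alias the user confirmed, or None
    if the user cancelled. The default accepts the proposed alias unchanged."""
    if action == INSTALL:
        if not set_matches(extras["user"], extras["ca"]):
            return FAIL, {"reason": "issuer and user certificate are not one set"}
        alias = dialog(extras.get("alias", "cert"))      # default alias comes from the caller
        if alias is None:
            return FAIL, {"reason": "cancelled"}
        if alias in store.enumerate(uid):                # duplicate alias: user must re-edit
            return FAIL, {"reason": "alias already installed"}
        store.install(uid, alias, {k: extras[k] for k in ("user", "ca", "pkey")})
        return OK, {"alias": alias}
    if action == DELETE:
        alias = extras["alias"]
        if alias not in store.enumerate(uid):
            return FAIL, {"reason": "unknown alias"}
        if dialog(alias) is None:                        # user declined the confirmation
            return FAIL, {"reason": "cancelled"}
        store.delete(uid, alias)
        return OK, {}
    if action == GET_ALIASES:
        return OK, {"aliases": store.enumerate(uid)}
    return FAIL, {"reason": "unknown action"}


# Constructed sample certificates (dicts standing in for parsed certificates).
SAMPLE_CA = {"holder": "Corp ASU", "issuer": "Corp ASU", "serial": 1}
SAMPLE_USER = {"holder": "user1", "issuer": "Corp ASU", "serial": 1001}
```

The point of keeping the permission check inside SecureStore rather than in handle_intent is that the check then holds for every caller: an application-layer caller only ever receives the 1/0 result code and the alias list, and even a module that bypasses the Activity still cannot read private keys as system or delete a set as wlan.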
In this embodiment, when the second terminal needs credential information to connect to a wireless network, a first terminal that holds the credential application right for that network may request the network's credential information from the server and send it to the second terminal. The second terminal thus obtains the credential information without the user entering it manually; the credential information (here, certificate data) may be named with a default name generated by the terminal, the certificate may be installed by the terminal automatically, and the terminal may automatically look up the certificate data used for networking and make the network connection. In the process of connecting the second terminal to the wireless network this not only removes the user operation of entering credential information manually, simplifying the user's work, but also means that the credential information need not be disclosed to the user who connects with the second terminal, so the network's credential information is not exposed and the security of the wireless network is improved.
It should be noted that where the second credential information includes certificate data, the first terminal 110 shown in FIG. 1 may likewise use the certificate management module 112 in cooperation with its other modules to store and use the certificate data. The first terminal 110 stores and uses certificate data in the same way as described above for the second terminal 120, and the design of the certificate management module, storage module and network connection module is the same in both terminals, so it is not repeated here.
Referring to FIG. 3, a schematic structural diagram of an apparatus for processing credential information for network connection according to an embodiment of the present invention is shown. The apparatus is configured in the first terminal and may include, for example, an application module 301;
the application module 301 being configured to, in response to an instruction to apply for a networking credential for the second terminal, send a first credential download request to a server, receive the first credential information that the server sends when user identity verification succeeds, and send the first credential information together with the network identifier of the wireless network to be connected to the second terminal directly from the system memory of the first terminal; or
the application module 301 being configured to, in response to an instruction to apply for a networking credential for the first terminal, send a second credential download request to the server and receive the second credential information that the server sends when user identity verification succeeds;
wherein the first credential download request or the second credential download request carries the user identity information of the first terminal, which the server uses to verify the user identity of the first terminal; the first credential information is used by the second terminal to connect to the wireless network corresponding to the network identifier; and the second credential information is used by the first terminal to connect to a wireless network.
Optionally, the application module 301 is further configured to send the first credential information and the network identifier to the second terminal using a point-to-point wireless communication technology that requires no network setup.
Optionally, as shown in FIG. 4, the apparatus further includes a storage module 303 and a network connection module 304;
the storage module 303 being configured to store the second credential information directly from the system memory of the first terminal into the secure storage area of the first terminal;
the network connection module 304 being configured to connect to a wireless network using the second credential information stored in the secure storage area.
Optionally, the second credential information includes certificate data and, correspondingly, as shown in FIG. 5, the apparatus further includes a certificate management module 302;
the certificate management module 302 being configured to, before the second credential information is stored directly from the first terminal's system memory into the first terminal's secure storage area, name the certificate data according to the certificate identifier set for it, and to call the storage module 303 to store the named certificate data directly from the first terminal's system memory into the secure storage area of the first terminal.
Optionally, the certificate management module 302 is further configured to use the certificate identifier to name each part of the certificate data, so that every part of the certificate data carries the same certificate identifier, the parts including the user certificate data, the issuer certificate data and the user private key.
Optionally, the modules that call the storage module 303 each run as a different user, with different users corresponding to different operation rights, wherein:
the certificate management module 302 runs as the system user, its operation rights including calling the storage module 303 to install and delete certificate data and to enumerate certificate identifiers, but not calling the storage module 303 to read certificate data;
the network connection module 304 runs as the wlan user, its operation rights including calling the storage module 303 to read certificate data and certificate identifiers, but not calling the storage module 303 to install or delete certificate data.
可选的,所述证书管理模块302在调用所述存储模块303对证书数据进行安装、删除 以及枚举证书标识时,所述证书管理模块302的证书安装接口、证书删除接口以及证书标识枚举接口采用安卓***的Intent机制设计,包括:Optionally, the certificate management module 302 enumerates the certificate installation interface, the certificate deletion interface, and the certificate identifier of the certificate management module 302 when the storage module 303 is invoked to install, delete, and enumerate the certificate data. The interface is designed using the Intent mechanism of Android, including:
在***中预置一个Activity并定义与安装证书数据、删除证书数据以及枚举证书标识相关的Intent Action;Presetting an Activity in the system and defining an Intent Action related to installing certificate data, deleting certificate data, and enumerating certificate identifiers;
所述应用模块301通过发送相关的Intent Action给所述Activity,由所述Activity根据所述Intent Action执行安装证书数据、删除证书数据或枚举证书标识的操作。The application module 301 sends the related Intent Action to the Activity, and the Activity performs the operations of installing the certificate data, deleting the certificate data, or enumerating the certificate identifier according to the Intent Action.
Optionally, the network connection module 304 is further configured to:
in response to an automatic connection instruction, call the storage module 303 to query the secure storage area for the certificate data used to connect to the wireless network, and connect to the wireless network using the queried certificate data; or,
in response to a manual connection instruction, call the certificate management module 302 to enumerate the certificate identifiers of all certificate data in the secure storage area, call the storage module 303 to read the certificate data corresponding to the manually selected certificate identifier, and connect to the wireless network using the read certificate data.
Optionally, when the certificate data is WAPI certificate data and the network connection module 304, in response to an automatic connection instruction, calls the storage module 303 to query the secure storage area for the certificate data used to connect to the wireless network:
the network connection module 304 is configured to call the storage module 303 to read the WAPI certificate data in the secure storage area;
the network connection module 304 is configured to associate with the wireless access point AP, receive the authentication activation packet sent by the wireless access point AP, and obtain the identity field of the local authentication service unit ASU from the authentication activation packet;
the network connection module 304 is configured to obtain the identity information of the WAPI certificate data by traversing the read WAPI certificate data;
the network connection module 304 is configured to, upon determining that the identity information matches the identity field of the local authentication service unit ASU, determine that the WAPI certificate data corresponding to the identity information is the certificate data used to connect to the wireless network.
Optionally, the network configuration interface of the network connection module 304 is obtained by modifying the WifiConfiguration class of the Android system; the modified WifiConfiguration class includes:
a member variable describing the key type of the pre-shared key, a member variable describing the content of the pre-shared key, a member variable describing the certificate selection mode, and a member variable describing the certificate identifier of the certificate selected in manual mode.
Optionally, when the certificate data is WAPI certificate data, the network configuration interface of the network connection module 304 is further obtained by modifying the KeyMgmt subclass of the WifiConfiguration class;
the modified KeyMgmt subclass includes: a definition of the WAPI pre-shared key type and a definition of the WAPI certificate type.
It should be noted that, for the functions and detailed description of the certificate management module, storage module, and network connection module located in the first terminal in the different implementations of storing and using the second credential information when connecting to a network with the second credential information, reference may be made to the functions described above of the certificate management module, storage module, and network connection module located in the second terminal in the different implementations of storing and using the first credential information when connecting to a network with the first credential information, which are not repeated here.
In this embodiment, when the first terminal needs to use credential information to connect to a wireless network, a first terminal that has the credential application right for that wireless network may request the server to download the credential information of the wireless network, so that the first terminal obtains the credential information of the wireless network without manual input by the user and can then use that credential information to connect to the wireless network. It can be seen that, in the process of the first terminal connecting to the wireless network, not only is the user operation of manually entering credential information saved, which simplifies user operation, but the credential information also need not be published, thereby avoiding leakage of the wireless network's credential information and improving the security of the wireless network.
Referring to FIG. 6, a schematic structural diagram of an apparatus for processing credential information for network connection in an embodiment of the present invention is shown. The apparatus is configured in the second terminal and may include, for example, an application module 601, a storage module 603, and a network connection module 604;
the application module 601 is configured to receive the first credential information and the network identifier of the wireless network to be connected sent by the first terminal, where the first credential information is downloaded from the server by the first terminal in response to an instruction to apply for a network connection credential for the second terminal and sent to the second terminal;
the storage module 603 is configured to store the first credential information directly from the system memory of the second terminal into the secure storage area of the second terminal;
the network connection module 604 is configured to connect to the wireless network corresponding to the network identifier using the first credential information in the secure storage area.
Optionally, the application module 601 is further configured to receive the first credential information and the network identifier sent by the first terminal using a point-to-point wireless communication technology that does not require networking.
Optionally, the first credential information includes certificate data; correspondingly, as shown in FIG. 7, the apparatus further includes a certificate management module 602;
the certificate management module 602 is configured to, before the first credential information is stored directly from the system memory of the second terminal into the secure storage area of the second terminal, perform naming processing on the certificate data according to the certificate identifier set for the certificate data, and to call the storage module 603 to store the certificate data that has undergone naming processing directly from the system memory of the second terminal into the secure storage area of the second terminal.
Optionally, the certificate management module 602 is further configured to use the certificate identifier to perform naming processing on each part of the data included in the certificate data, so that each part of the data included in the certificate data carries the same certificate identifier; where the parts of the data include user certificate data, issuer certificate data, and the user private key.
Optionally, the modules that call the storage module 603 run as different users, and different user identities correspond to different operation rights; where
the certificate management module 602 runs as the system user, and its operation rights include: calling the storage module 603 to install and delete certificate data and to enumerate certificate identifiers, but it cannot call the storage module 603 to read certificate data;
the network connection module 604 runs as the wlan user, and its operation rights include: calling the storage module 603 to read certificate data and certificate identifiers, but it cannot call the storage module 603 to install or delete certificate data.
Optionally, when the certificate management module 602 calls the storage module 603 to install certificate data, delete certificate data, or enumerate certificate identifiers, the certificate installation interface, certificate deletion interface, and certificate identifier enumeration interface of the certificate management module 602 are designed using the Intent mechanism of the Android system, which includes:
presetting an Activity in the system and defining the Intent Actions related to installing certificate data, deleting certificate data, and enumerating certificate identifiers;
the application module 601 sending the relevant Intent Action to the Activity, and the Activity performing the operation of installing certificate data, deleting certificate data, or enumerating certificate identifiers according to the Intent Action.
Optionally, the network connection module 604 is further configured to:
in response to an automatic connection instruction, call the storage module 603 to query the secure storage area for the certificate data used to connect to the wireless network, and connect to the wireless network using the queried certificate data; or,
in response to a manual connection instruction, call the certificate management module 602 to enumerate the certificate identifiers of all certificate data in the secure storage area, call the storage module 603 to read the certificate data corresponding to the manually selected certificate identifier, and connect to the wireless network using the read certificate data.
Optionally, when the certificate data is WAPI certificate data and the network connection module 604, in response to an automatic connection instruction, calls the storage module 603 to query the secure storage area for the certificate data used to connect to the wireless network:
the network connection module 604 is configured to call the storage module 603 to read the WAPI certificate data in the secure storage area;
the network connection module 604 is configured to associate with the wireless access point AP, receive the authentication activation packet sent by the wireless access point AP, and obtain the identity field of the local authentication service unit ASU from the authentication activation packet;
the network connection module 604 is configured to obtain the identity information of the WAPI certificate data by traversing the read WAPI certificate data;
the network connection module 604 is configured to, upon determining that the identity information matches the identity field of the local authentication service unit ASU, determine that the WAPI certificate data corresponding to the identity information is the certificate data used to connect to the wireless network.
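The following is an added illustration, not code from the patent or from the applicant's Android modules, of three points described above: the per-user rights on the secure store (system may install, delete and enumerate but not read; wlan may read and enumerate but not install or delete), the naming processing that files every part of a certificate set under one certificate identifier, and the automatic WAPI selection that matches the ASU identity field from the authentication activation packet against the stored certificates. It is written in Python rather than Android Java; the `SecureStore` class, the `asu_identity` packet field and the `ISSUER=<name>` line standing in for a real issuer certificate are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Operation rights per user identity, as the text assigns them: the certificate
# management module runs as "system" (install, delete, enumerate, no read); the
# network connection module runs as "wlan" (read, enumerate, no install/delete).
PERMISSIONS: Dict[str, Set[str]] = {
    "system": {"install", "delete", "enumerate"},
    "wlan": {"read", "enumerate"},
}

class PermissionDenied(Exception):
    """Raised when a caller invokes the store with an operation its user lacks."""

@dataclass(frozen=True)
class CertificateData:
    """The three parts of one certificate data set named in the text."""
    user_cert: bytes
    issuer_cert: bytes
    user_private_key: bytes

def name_parts(cert_id: str, data: CertificateData) -> Dict[str, bytes]:
    """Naming processing: every part is stored under the same certificate identifier."""
    return {
        f"{cert_id}/user_cert": data.user_cert,
        f"{cert_id}/issuer_cert": data.issuer_cert,
        f"{cert_id}/user_private_key": data.user_private_key,
    }

class SecureStore:
    """Stand-in (hypothetical) for the secure storage area; each call names the
    calling user so the store can enforce the rights table."""
    def __init__(self) -> None:
        self._parts: Dict[str, bytes] = {}

    def _authorize(self, user: str, op: str) -> None:
        if op not in PERMISSIONS.get(user, set()):
            raise PermissionDenied(f"user {user!r} may not {op}")

    def install(self, user: str, cert_id: str, data: CertificateData) -> None:
        self._authorize(user, "install")
        self._parts.update(name_parts(cert_id, data))

    def delete(self, user: str, cert_id: str) -> None:
        self._authorize(user, "delete")
        for name in [n for n in self._parts if n.startswith(cert_id + "/")]:
            del self._parts[name]

    def enumerate_ids(self, user: str) -> Set[str]:
        self._authorize(user, "enumerate")
        return {name.split("/", 1)[0] for name in self._parts}

    def read(self, user: str, cert_id: str) -> CertificateData:
        self._authorize(user, "read")
        try:
            return CertificateData(self._parts[f"{cert_id}/user_cert"],
                                   self._parts[f"{cert_id}/issuer_cert"],
                                   self._parts[f"{cert_id}/user_private_key"])
        except KeyError:
            raise KeyError(f"no certificate data named {cert_id!r}") from None

def issuer_identity(data: CertificateData) -> str:
    """Identity information of a WAPI certificate set. Constructed stand-in: a
    real issuer certificate is an ASN.1 structure; here it is a text line
    "ISSUER=<name>" so the matching logic stays readable."""
    for line in data.issuer_cert.decode("utf-8", errors="replace").splitlines():
        if line.startswith("ISSUER="):
            return line[len("ISSUER="):].strip()
    return ""

def select_wapi_certificate(store: SecureStore,
                            activation_packet: Dict[str, str]) -> Optional[str]:
    """Automatic selection by the network connection module (wlan user): take
    the local ASU identity field from the authentication activation packet the
    AP sent, traverse every stored WAPI certificate set, and return the
    identifier whose identity information matches (None if none does)."""
    asu_identity = activation_packet["asu_identity"]  # constructed field name
    for cert_id in sorted(store.enumerate_ids("wlan")):
        if issuer_identity(store.read("wlan", cert_id)) == asu_identity:
            return cert_id
    return None

def demo() -> Optional[str]:
    """Install two constructed certificate sets as system, then select as wlan."""
    store = SecureStore()
    store.install("system", "corp-wapi", CertificateData(
        b"USER=alice", b"ISSUER=ASU-Corp", b"KEY=<constructed>"))
    store.install("system", "lab-wapi", CertificateData(
        b"USER=alice", b"ISSUER=ASU-Lab", b"KEY=<constructed>"))
    # Constructed authentication activation packet naming the local ASU.
    return select_wapi_certificate(store, {"asu_identity": "ASU-Lab"})
```

Because the rights table keys on the calling user rather than on the operation alone, a compromised certificate manager cannot read private keys and a compromised supplicant cannot replace or remove certificate sets, which is the separation the text relies on.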
Optionally, the network configuration interface of the network connection module 604 is obtained by modifying the WifiConfiguration class of the Android system; the modified WifiConfiguration class includes:
a member variable describing the key type of the pre-shared key, a member variable describing the content of the pre-shared key, a member variable describing the certificate selection mode, and a member variable describing the certificate identifier of the certificate selected in manual mode.
Optionally, when the certificate data is WAPI certificate data, the network configuration interface of the network connection module 604 is further obtained by modifying the KeyMgmt subclass of the WifiConfiguration class;
the modified KeyMgmt subclass includes: a definition of the WAPI pre-shared key type and a definition of the WAPI certificate type.
It should be noted that, for the functions of the certificate management module, storage module, and network connection module located in the second terminal in the different implementations of storing and using the first credential information when connecting to a network with the first credential information, reference may be made to the description above, which is not repeated here.
In this embodiment, when the second terminal needs to use credential information to connect to a wireless network, a first terminal that has the credential application right for that wireless network may request the server to download the credential information of the wireless network and send it to the second terminal, so that the second terminal obtains the credential information of the wireless network without manual input by the user and can then use that credential information to connect to the wireless network. It can be seen that, in the process of the second terminal connecting to the wireless network, not only is the user operation of manually entering credential information saved, which simplifies user operation, but the credential information also need not be disclosed to the user who connects to the network with the second terminal, thereby avoiding public disclosure of the wireless network's credential information and improving the security of the wireless network.
In the embodiments of the present invention, the application module 111 in the first terminal 110 shown in FIG. 1 may not only be built into the first terminal 110 when the terminal leaves the factory, but may also be built into a third-party application APP, in which case the user obtains the third-party application APP with the built-in application module 111 from an external source and installs it in the terminal to perform the network connection operation. Therefore, an embodiment of the present invention further provides an application APP configured in the first terminal, where the application APP includes an application module,
the application module is configured to, in response to an instruction to apply for a network connection credential for the second terminal, send a first credential download request to the server, receive the first credential information sent by the server when user identity verification succeeds, and send the first credential information and the network identifier of the wireless network to be connected directly from the system memory of the first terminal to the second terminal; or,
the application module is configured to, in response to an instruction to apply for a network connection credential for the first terminal, send a second credential download request to the server and receive the second credential information sent by the server when user identity verification succeeds;
where the first credential download request or the second credential download request carries the user identity information of the first terminal, and the user identity information is used by the server to perform user identity verification on the first terminal; the first credential information is used by the second terminal to connect to the wireless network corresponding to the network identifier; and the second credential information is used by the first terminal to connect to a wireless network.
Optionally, the application module is further configured to call the storage module of the first terminal to store the second credential information directly from the system memory of the first terminal into the secure storage area of the first terminal;
the application module is further configured to call the network connection module of the first terminal to connect to a wireless network using the second credential information stored in the secure storage area.
Optionally, the second credential information includes certificate data; correspondingly, before the second credential information is stored directly from the system memory of the first terminal into the secure storage area of the first terminal, the application module is further configured to call the certificate management module of the first terminal to perform the operation of naming the certificate data according to the certificate identifier set for the certificate data, so that the certificate management module calls the storage module of the first terminal to store the certificate data that has undergone naming processing directly from the system memory of the first terminal into the secure storage area of the first terminal.
Optionally, the application module is further configured to call the network connection module of the first terminal to perform the network connection operation in response to an automatic connection instruction, so that the network connection module calls the storage module of the first terminal to query the secure storage area for the certificate data used to connect to the wireless network and connects to the wireless network using the queried certificate data; or,
the application module is further configured to call the network connection module of the first terminal to perform the network connection operation in response to a manual connection instruction, so that the network connection module calls the certificate management module of the first terminal to enumerate the certificate identifiers of all certificate data in the secure storage area, calls the storage module of the first terminal to read the certificate data corresponding to the manually selected certificate identifier, and connects to the wireless network using the read certificate data.
It should be noted that the application APP configured in the first terminal provided by the embodiment of the present invention has the same functions as the application module 111 shown in FIG. 1 and the same functions as the application modules shown in FIGS. 3, 4, and 5, which are not repeated here.
Similarly, the application module 121 in the second terminal 120 shown in FIG. 1 may not only be built into the second terminal 120 when the terminal leaves the factory, but may also be built into a third-party application APP, in which case the user obtains the third-party application APP with the built-in application module 121 from an external source and installs it in the terminal to perform the network connection operation. Therefore, an embodiment of the present invention further provides an application APP configured in the second terminal, where the application APP includes an application module,
the application module is configured to receive the first credential information and the network identifier of the wireless network to be connected sent by the first terminal, where the first credential information is downloaded from the server by the first terminal in response to an instruction to apply for a network connection credential for the second terminal and sent to the second terminal;
the application module is further configured to call the storage module of the second terminal to store the first credential information directly from the system memory of the second terminal into the secure storage area of the second terminal;
the application module is further configured to call the network connection module of the second terminal to connect to the wireless network corresponding to the network identifier using the first credential information stored in the secure storage area.
Optionally, the first credential information includes certificate data; correspondingly, before the first credential information is stored directly from the system memory of the second terminal into the secure storage area of the second terminal, the application module is further configured to call the certificate management module of the second terminal to perform the operation of naming the certificate data according to the certificate identifier set for the certificate data, so that the certificate management module calls the storage module of the second terminal to store the certificate data that has undergone naming processing directly from the system memory of the second terminal into the secure storage area of the second terminal.
Optionally, the application module is further configured to call the network connection module of the second terminal to perform the network connection operation in response to an automatic connection instruction, so that the network connection module calls the storage module of the second terminal to query the secure storage area for the certificate data used to connect to the wireless network and connects to the wireless network using the queried certificate data; or,
the application module is further configured to call the network connection module of the second terminal to perform the network connection operation in response to a manual connection instruction, so that the network connection module calls the certificate management module of the second terminal to enumerate the certificate identifiers of all certificate data in the secure storage area, calls the storage module of the second terminal to read the certificate data corresponding to the manually selected certificate identifier, and connects to the wireless network using the read certificate data.
It should be noted that the application APP configured in the second terminal provided by the embodiment of the present invention has the same functions as the application module 121 shown in FIG. 1 and the same functions as the application modules shown in FIGS. 6 and 7, which are not repeated here.
It should be noted that, in this document, relational terms such as first and second are used only to distinguish one entity or operation from another and do not necessarily require or imply any such actual relationship or order between those entities or operations. The terms "include", "comprise", or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article, or device that includes a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to such a process, method, article, or device. Without further limitation, an element defined by the phrase "including a ..." does not exclude the presence of additional identical elements in the process, method, article, or device that includes the element.
As for the system embodiments, since they essentially correspond to the method embodiments, reference may be made to the relevant parts of the description of the method embodiments. The system embodiments described above are merely illustrative; the units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units, that is, they may be located in one place or distributed over multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. Each module and application APP of the embodiments of the present invention, insofar as it can be implemented in code, may reside on a non-transitory computer-readable storage medium, and when the instructions in the storage medium are executed by the processor of a terminal, the terminal is enabled to perform the embodiments of the present invention; persons of ordinary skill in the art can understand and implement this without creative effort.
The above is only a specific embodiment of the present application. It should be noted that persons of ordinary skill in the art may make several improvements and refinements without departing from the principles of the present application, and these improvements and refinements should also be regarded as falling within the scope of protection of the present application.

Claims (34)

  1. A method for processing credential information for network connection, characterized by including:
    a first terminal, in response to an instruction to apply for a network connection credential for a second terminal, sending a first credential download request to a server, where the first credential download request carries user identity information of the first terminal, and the user identity information is used by the server to perform user identity verification on the first terminal;
    the first terminal receiving first credential information sent by the server when the user identity verification succeeds;
    the second terminal receiving the first credential information and a network identifier of a wireless network to be connected, sent by the first terminal directly from the system memory of the first terminal;
    the second terminal storing the received first credential information directly from the system memory of the second terminal into a secure storage area of the second terminal;
    the second terminal connecting to the wireless network corresponding to the network identifier using the first credential information in the secure storage area.
  2. The method according to claim 1, characterized in that the first terminal sends the first credential information and the network identifier to the second terminal using a point-to-point wireless communication technology that does not require networking, and the second terminal receives the first credential information and the network identifier sent by the first terminal using a point-to-point wireless communication technology that does not require networking.
  3. The method according to claim 1, characterized in that the first credential information includes certificate data; correspondingly,
    before the first credential information is stored directly from the system memory of the second terminal into the secure storage area of the second terminal, the method further includes:
    the second terminal performing naming processing on the certificate data according to a certificate identifier set for the certificate data;
    correspondingly, storing the first credential information in the secure storage area of the second terminal is:
    storing the certificate data that has undergone naming processing in the secure storage area of the second terminal.
  4. The method according to claim 3, characterized in that the second terminal performing naming processing on the certificate data according to the certificate identifier set for the certificate data further includes:
    the second terminal using the certificate identifier to perform naming processing on each part of the data included in the certificate data, so that each part of the data included in the certificate data carries the same certificate identifier; where the parts of the data include user certificate data, issuer certificate data, and a user private key.
  5. The method according to claim 3, characterized in that the second terminal connecting to the wireless network corresponding to the network identifier using the first credential information includes:
    the second terminal, in response to an automatic connection instruction, querying the secure storage area for certificate data used to connect to the wireless network, and connecting to the wireless network using the queried certificate data;
    or, the second terminal, in response to a manual connection instruction, enumerating the certificate identifiers of all certificate data in the secure storage area, reading the certificate data corresponding to a manually selected certificate identifier, and connecting to the wireless network using the read certificate data.
  6. 根据权利要求5所述的方法,其特征在于,当所述证书数据为WAPI证书数据 时;相应的,所述第二终端在所述安全存储区内查询用于连接所述无线网络的证书数据,包括:The method according to claim 5, wherein when the certificate data is WAPI certificate data; correspondingly, the second terminal queries, in the secure storage area, certificate data for connecting to the wireless network ,include:
    所述第二终端读取所述安全存储区内的WAPI证书数据;The second terminal reads WAPI certificate data in the secure storage area;
    与无线接入点AP进行关联,接收所述无线接入点AP发送的鉴别激活分组,取得所述鉴别激活分组中的本地鉴别服务单元ASU的身份字段;Correlating with the wireless access point AP, receiving the authentication activation packet sent by the wireless access point AP, and obtaining an identity field of the local authentication service unit ASU in the authentication activation packet;
    通过遍历读取的所述WAPI证书数据,获取WAPI证书数据的身份信息;Obtaining identity information of the WAPI certificate data by traversing the read WAPI certificate data;
    当所述身份信息与所述本地鉴别服务单元ASU的身份字段相匹配时,确定所述身份信息对应的WAPI证书数据为用于连接所述无线网络的证书数据。When the identity information matches the identity field of the local authentication service unit ASU, it is determined that the WAPI certificate data corresponding to the identity information is certificate data used to connect to the wireless network.
  7. A credential information processing apparatus for a network connection, configured in a first terminal, wherein the apparatus comprises an application module;
    the application module is configured to, in response to an instruction to apply for a network connection credential for a second terminal, send a first credential download request to a server, receive first credential information sent by the server when user identity verification succeeds, and send the first credential information and a network identifier of a wireless network to be connected directly from the system memory of the first terminal to the second terminal; or,
    the application module is configured to, in response to an instruction to apply for a network connection credential for the first terminal, send a second credential download request to the server and receive second credential information sent by the server when user identity verification succeeds;
    wherein the first credential download request or the second credential download request carries user identity information of the first terminal, the user identity information being used by the server to perform user identity verification on the first terminal; the first credential information is used by the second terminal to connect to the wireless network corresponding to the network identifier; and the second credential information is used by the first terminal to connect to a wireless network.
  8. The apparatus according to claim 7, wherein the application module is further configured to send the first credential information and the network identifier to the second terminal using a point-to-point wireless communication technology that does not require networking.
  9. The apparatus according to claim 7, wherein the apparatus further comprises a storage module and a network connection module;
    the storage module is configured to store the second credential information directly from the system memory of the first terminal into a secure storage area of the first terminal;
    the network connection module is configured to connect to a wireless network using the second credential information stored in the secure storage area.
  10. The apparatus according to claim 9, wherein the second credential information comprises certificate data; correspondingly, the apparatus further comprises a certificate management module;
    the certificate management module is configured to, before the second credential information is stored directly from the system memory of the first terminal into the secure storage area of the first terminal, perform naming processing on the certificate data according to a certificate identifier set for the certificate data, and to call the storage module to store the certificate data that has undergone naming processing directly from the system memory of the first terminal into the secure storage area of the first terminal.
  11. The apparatus according to claim 10, wherein the certificate management module is further configured to use the certificate identifier to name each part of the data contained in the certificate data separately, so that every part of the data contained in the certificate data carries the same certificate identifier; wherein the parts of the data comprise user certificate data, issuer certificate data and a user private key.
  12. The apparatus according to claim 10, wherein the respective modules that call the storage module run under different user identities, and different user identities correspond to different operation permissions; wherein,
    the certificate management module runs as the system user, and its operation permissions comprise: calling the storage module to install and delete certificate data and to enumerate certificate identifiers, but it cannot call the storage module to read certificate data;
    the network connection module runs as the wlan user, and its operation permissions comprise: calling the storage module to read certificate data and certificate identifiers, but it cannot call the storage module to install or delete certificate data.
  13. The apparatus according to claim 12, wherein when the certificate management module calls the storage module to install and delete certificate data and to enumerate certificate identifiers, the certificate installation interface, certificate deletion interface and certificate identifier enumeration interface of the certificate management module are designed using the Intent mechanism of the Android system, comprising:
    presetting an Activity in the system and defining Intent Actions related to installing certificate data, deleting certificate data and enumerating certificate identifiers;
    the application module sending the relevant Intent Action to the Activity, and the Activity performing the operation of installing certificate data, deleting certificate data or enumerating certificate identifiers according to the Intent Action.
  14. The apparatus according to claim 10, wherein the network connection module is further configured to:
    in response to an automatic connection instruction, call the storage module to query the secure storage area for certificate data to be used for connecting to the wireless network, and connect to the wireless network using the certificate data found by the query; or,
    in response to a manual connection instruction, call the certificate management module to enumerate the certificate identifiers of all certificate data in the secure storage area, call the storage module to read the corresponding certificate data based on a manually selected certificate identifier, and connect to the wireless network using the certificate data read.
  15. The apparatus according to claim 14, wherein when the certificate data is WAPI certificate data and the network connection module, in response to an automatic connection instruction, calls the storage module to query the secure storage area for certificate data to be used for connecting to the wireless network,
    the network connection module is configured to call the storage module to read the WAPI certificate data in the secure storage area;
    the network connection module is configured to associate with a wireless access point AP, receive an authentication activation packet sent by the wireless access point AP, and obtain the identity field of the local authentication service unit ASU from the authentication activation packet;
    the network connection module is configured to obtain identity information of the WAPI certificate data by traversing the WAPI certificate data read;
    the network connection module is configured to, when it determines that the identity information matches the identity field of the local authentication service unit ASU, determine that the WAPI certificate data corresponding to that identity information is the certificate data to be used for connecting to the wireless network.
  16. The apparatus according to claim 14, wherein the network configuration interface of the network connection module is obtained by modifying the WifiConfiguration class of the Android system; the modified WifiConfiguration class comprises:
    a member variable describing the key type of a pre-shared key, a member variable describing the content of the pre-shared key, a member variable describing the certificate selection mode, and a member variable describing the certificate identifier of the certificate selected in manual mode.
  17. The apparatus according to claim 16, wherein when the certificate data is WAPI certificate data, the network configuration interface of the network connection module is further obtained by modifying the KeyMgmt subclass of the WifiConfiguration class;
    the modified KeyMgmt subclass comprises: a definition of the WAPI pre-shared key type and a definition of the WAPI certificate type.
  18. A credential information processing apparatus for a network connection, configured in a second terminal, wherein the apparatus comprises an application module, a storage module and a network connection module;
    the application module is configured to receive first credential information sent by a first terminal and a network identifier of a wireless network to be connected, the first credential information having been downloaded from a server by the first terminal in response to an instruction to apply for a network connection credential for the second terminal and sent to the second terminal;
    the storage module is configured to store the first credential information directly from the system memory of the second terminal into a secure storage area of the second terminal;
    the network connection module is configured to connect to the wireless network corresponding to the network identifier using the first credential information in the secure storage area.
  19. The apparatus according to claim 18, wherein the application module is further configured to receive the first credential information and the network identifier sent by the first terminal using a point-to-point wireless communication technology that does not require networking.
  20. The apparatus according to claim 18, wherein the first credential information comprises certificate data; correspondingly, the apparatus further comprises a certificate management module;
    the certificate management module is configured to, before the first credential information is stored directly from the system memory of the second terminal into the secure storage area of the second terminal, perform naming processing on the certificate data according to a certificate identifier set for the certificate data, and to call the storage module to store the certificate data that has undergone naming processing directly from the system memory of the second terminal into the secure storage area of the second terminal.
  21. The apparatus according to claim 20, wherein the certificate management module is further configured to use the certificate identifier to name each part of the data contained in the certificate data separately, so that every part of the data contained in the certificate data carries the same certificate identifier; wherein the parts of the data comprise user certificate data, issuer certificate data and a user private key.
  22. The apparatus according to claim 20, wherein the respective modules that call the storage module run under different user identities, and different user identities correspond to different operation permissions; wherein,
    the certificate management module runs as the system user, and its operation permissions comprise: calling the storage module to install and delete certificate data and to enumerate certificate identifiers, but it cannot call the storage module to read certificate data;
    the network connection module runs as the wlan user, and its operation permissions comprise: calling the storage module to read certificate data and certificate identifiers, but it cannot call the storage module to install or delete certificate data.
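The naming scheme of claims 3, 4, 11 and 21 and the per-user permission split of claims 12 and 22 together form a small least-privilege model: the module that installs a certificate bundle (running as the system user) never gets to read the private key back, and the module that reads the bundle to connect (running as the wlan user) can never install or delete one. The following Python sketch is an added illustration, not code from the patent or its assignee. The user names `system` and `wlan` and the three parts (user certificate, issuer certificate, user private key) are taken from the claims; the `.user`/`.issuer`/`.key` suffixes, the `SecureStore` class and the dict standing in for the secure storage area are assumptions made here.

```python
"""Model of the certificate naming scheme and the system/wlan permission split
described in the claims. Added illustration, not the patent's own code; the
part suffixes and the in-memory dict are assumptions."""
from dataclasses import dataclass, field

# Operation permissions per calling user identity (claims 12 / 22).
PERMISSIONS = {
    "system": {"install", "delete", "enumerate"},  # certificate management module
    "wlan": {"read", "enumerate"},                 # network connection module
}

# Assumed naming scheme: every part of one certificate bundle carries the same
# certificate identifier and differs only by a part suffix (claims 4 / 11 / 21).
PARTS = ("user", "issuer", "key")


@dataclass
class SecureStore:
    """Storage module; a dict stands in for the secure storage area."""
    _entries: dict = field(default_factory=dict)

    def _check(self, caller: str, op: str) -> None:
        # Unknown callers get no permissions at all.
        if op not in PERMISSIONS.get(caller, set()):
            raise PermissionError(f"user '{caller}' may not '{op}' certificate data")

    def install(self, caller, cert_id, user_cert, issuer_cert, private_key):
        self._check(caller, "install")
        if not cert_id or "." in cert_id:
            raise ValueError("certificate identifier must be non-empty and contain no '.'")
        for part, blob in zip(PARTS, (user_cert, issuer_cert, private_key)):
            self._entries[f"{cert_id}.{part}"] = bytes(blob)

    def delete(self, caller, cert_id):
        """Remove every part of the bundle; returns how many parts were removed."""
        self._check(caller, "delete")
        removed = 0
        for part in PARTS:
            if self._entries.pop(f"{cert_id}.{part}", None) is not None:
                removed += 1
        return removed

    def enumerate_ids(self, caller):
        """Certificate identifiers only; no certificate content is returned."""
        self._check(caller, "enumerate")
        return sorted({name.rsplit(".", 1)[0] for name in self._entries})

    def read(self, caller, cert_id):
        self._check(caller, "read")
        try:
            return {part: self._entries[f"{cert_id}.{part}"] for part in PARTS}
        except KeyError:
            raise KeyError(f"no certificate bundle named '{cert_id}'") from None


def demo():
    """Install as system, then show which calls each user is refused."""
    store = SecureStore()
    # Constructed sample certificate data; not real certificates or keys.
    store.install("system", "corp-wapi-01", b"USER-CERT", b"ISSUER-CERT", b"PRIVATE-KEY")
    denied = []
    for caller, op, args in (("system", "read", ("corp-wapi-01",)),
                             ("wlan", "install", ("x", b"", b"", b"")),
                             ("wlan", "delete", ("corp-wapi-01",))):
        try:
            getattr(store, op)(caller, *args)
        except PermissionError:
            denied.append((caller, op))
    bundle = store.read("wlan", "corp-wapi-01")  # only the wlan user may read
    return {"ids": store.enumerate_ids("system"), "denied": denied, "key": bundle["key"]}


if __name__ == "__main__":
    print(demo())
```

`demo()` returns the enumerated identifiers, the three refused calls (system reading, wlan installing, wlan deleting) and the private key as read by the wlan user; the point of the split is that the installer never sees that key again once it is in the secure storage area.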
  23. The apparatus according to claim 22, wherein when the certificate management module calls the storage module to install and delete certificate data and to enumerate certificate identifiers, the certificate installation interface, certificate deletion interface and certificate identifier enumeration interface of the certificate management module are designed using the Intent mechanism of the Android system, comprising:
    presetting an Activity in the system and defining Intent Actions related to installing certificate data, deleting certificate data and enumerating certificate identifiers;
    the application module sending the relevant Intent Action to the Activity, and the Activity performing the operation of installing certificate data, deleting certificate data or enumerating certificate identifiers according to the Intent Action.
  24. The apparatus according to claim 20, wherein the network connection module is further configured to:
    in response to an automatic connection instruction, call the storage module to query the secure storage area for certificate data to be used for connecting to the wireless network, and connect to the wireless network using the certificate data found by the query; or,
    in response to a manual connection instruction, call the certificate management module to enumerate the certificate identifiers of all certificate data in the secure storage area, call the storage module to read the corresponding certificate data based on a manually selected certificate identifier, and connect to the wireless network using the certificate data read.
  25. The apparatus according to claim 24, wherein when the certificate data is WAPI certificate data and the network connection module, in response to an automatic connection instruction, calls the storage module to query the secure storage area for certificate data to be used for connecting to the wireless network,
    the network connection module is configured to call the storage module to read the WAPI certificate data in the secure storage area;
    the network connection module is configured to associate with a wireless access point AP, receive an authentication activation packet sent by the wireless access point AP, and obtain the identity field of the local authentication service unit ASU from the authentication activation packet;
    the network connection module is configured to obtain identity information of the WAPI certificate data by traversing the WAPI certificate data read;
    the network connection module is configured to, when it determines that the identity information matches the identity field of the local authentication service unit ASU, determine that the WAPI certificate data corresponding to that identity information is the certificate data to be used for connecting to the wireless network.
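Claims 6, 15 and 25 describe the same automatic selection step: read the stored WAPI certificate data, take the local ASU identity field from the authentication activation packet the AP sends after association, and pick the certificate whose identity information matches it. The Python below is an added illustration of that matching logic, not code from the patent, its assignee or the WAPI standard. The presence of an ASU identity field in the activation packet is taken from the claims; the type/length/value layout, the field type codes and the choice to compare against the issuer identity carried by each stored bundle are assumptions made here, and the sample packet and certificate records are constructed.

```python
"""Automatic selection of WAPI certificate data by matching the local ASU
identity field of the authentication activation packet. Added illustration;
the TLV encoding is a constructed stand-in, not the real WAPI packet format."""
import struct
from dataclasses import dataclass
from typing import Optional

# Assumed field type codes for the constructed TLV packet.
T_FLAG, T_ASU_IDENTITY, T_AE_CERT = 0x01, 0x02, 0x03


def parse_activation_packet(packet: bytes) -> dict:
    """Parse type(1) | length(2, big-endian) | value fields into a dict.

    A truncated packet raises ValueError instead of yielding a short value,
    so a damaged or malformed packet can never match a stored identity."""
    fields, pos = {}, 0
    while pos < len(packet):
        if pos + 3 > len(packet):
            raise ValueError("truncated field header")
        ftype, flen = struct.unpack_from(">BH", packet, pos)
        pos += 3
        if pos + flen > len(packet):
            raise ValueError("field length exceeds packet")
        fields[ftype] = packet[pos:pos + flen]
        pos += flen
    return fields


def build_activation_packet(asu_identity: bytes, ae_cert: bytes = b"AE-CERT") -> bytes:
    """Constructed activation packet with a flag, the ASU identity and an AE certificate."""
    out = b""
    for ftype, value in ((T_FLAG, b"\x00"), (T_ASU_IDENTITY, asu_identity), (T_AE_CERT, ae_cert)):
        out += struct.pack(">BH", ftype, len(value)) + value
    return out


@dataclass
class WapiCertData:
    """One certificate bundle as read back from the secure storage area."""
    cert_id: str
    issuer_identity: bytes  # identity information carried by the issuer certificate (assumed)
    user_cert: bytes
    private_key: bytes


def select_certificate(stored: list, packet: bytes) -> Optional[WapiCertData]:
    """Return the first stored bundle whose issuer identity equals the ASU identity
    field, or None when no stored certificate was issued by the local ASU."""
    asu_identity = parse_activation_packet(packet).get(T_ASU_IDENTITY)
    if asu_identity is None:
        raise ValueError("activation packet carries no ASU identity field")
    for cert in stored:  # traverse the WAPI certificate data read from the store
        if cert.issuer_identity == asu_identity:
            return cert
    return None


if __name__ == "__main__":
    # Constructed sample data: two bundles from different ASUs.
    bundles = [WapiCertData("guest-02", b"CN=ASU-Guest", b"U2", b"K2"),
               WapiCertData("campus-01", b"CN=ASU-Campus", b"U1", b"K1")]
    chosen = select_certificate(bundles, build_activation_packet(b"CN=ASU-Campus"))
    print(chosen.cert_id if chosen else "no matching certificate")
```

When `select_certificate` returns `None`, the auto-connect path has nothing usable for this AP and should fall back to the manual mode of claims 5 and 14, where the user picks an identifier from the enumerated list rather than the terminal guessing.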
  26. The apparatus according to claim 24, wherein the network configuration interface of the network connection module is obtained by modifying the WifiConfiguration class of the Android system; the modified WifiConfiguration class comprises:
    a member variable describing the key type of a pre-shared key, a member variable describing the content of the pre-shared key, a member variable describing the certificate selection mode, and a member variable describing the certificate identifier of the certificate selected in manual mode.
  27. The apparatus according to claim 26, wherein when the certificate data is WAPI certificate data, the network configuration interface of the network connection module is further obtained by modifying the KeyMgmt subclass of the WifiConfiguration class;
    the modified KeyMgmt subclass comprises: a definition of the WAPI pre-shared key type and a definition of the WAPI certificate type.
  28. An application APP, configured in a first terminal, wherein the application APP comprises an application module,
    the application module is configured to, in response to an instruction to apply for a network connection credential for a second terminal, send a first credential download request to a server, receive first credential information sent by the server when user identity verification succeeds, and send the first credential information and a network identifier of a wireless network to be connected directly from the system memory of the first terminal to the second terminal; or,
    the application module is configured to, in response to an instruction to apply for a network connection credential for the first terminal, send a second credential download request to the server and receive second credential information sent by the server when user identity verification succeeds;
    wherein the first credential download request or the second credential download request carries user identity information of the first terminal, the user identity information being used by the server to perform user identity verification on the first terminal; the first credential information is used by the second terminal to connect to the wireless network corresponding to the network identifier; and the second credential information is used by the first terminal to connect to a wireless network.
  29. The application APP according to claim 28, wherein
    the application module is further configured to call a storage module of the first terminal to store the second credential information directly from the system memory of the first terminal into a secure storage area of the first terminal;
    the application module is further configured to call a network connection module of the first terminal to connect to a wireless network using the second credential information stored in the secure storage area.
  30. The application APP according to claim 29, wherein the second credential information comprises certificate data; correspondingly, before the second credential information is stored directly from the system memory of the first terminal into the secure storage area of the first terminal, the application module is further configured to call a certificate management module of the first terminal to perform the operation of naming the certificate data according to a certificate identifier set for the certificate data, so that the certificate management module calls the storage module of the first terminal to store the certificate data that has undergone naming processing directly from the system memory of the first terminal into the secure storage area of the first terminal.
  31. The application APP according to claim 30, wherein
    the application module is further configured to call the network connection module of the first terminal to perform a network connection operation in response to an automatic connection instruction, so that the network connection module calls the storage module of the first terminal to query the secure storage area for certificate data to be used for connecting to the wireless network and connects to the wireless network using the certificate data found by the query; or,
    the application module is further configured to call the network connection module of the first terminal to perform a network connection operation in response to a manual connection instruction, so that the network connection module calls the certificate management module of the first terminal to enumerate the certificate identifiers of all certificate data in the secure storage area, calls the storage module of the first terminal to read the corresponding certificate data based on a manually selected certificate identifier, and connects to the wireless network using the certificate data read.
  32. An application APP, configured in a second terminal, wherein the application APP comprises an application module,
    the application module is configured to receive first credential information sent by a first terminal and a network identifier of a wireless network to be connected, the first credential information having been downloaded from a server by the first terminal in response to an instruction to apply for a network connection credential for the second terminal and sent to the second terminal;
    the application module is further configured to call a storage module of the second terminal to store the first credential information directly from the system memory of the second terminal into a secure storage area of the second terminal;
    the application module is further configured to call a network connection module of the second terminal to connect to the wireless network corresponding to the network identifier using the first credential information stored in the secure storage area.
  33. The application APP according to claim 32, wherein the first credential information comprises certificate data; correspondingly, before the first credential information is stored directly from the system memory of the second terminal into the secure storage area of the second terminal, the application module is further configured to call a certificate management module of the second terminal to perform the operation of naming the certificate data according to a certificate identifier set for the certificate data, so that the certificate management module calls the storage module of the second terminal to store the certificate data that has undergone naming processing directly from the system memory of the second terminal into the secure storage area of the second terminal.
  34. The application APP according to claim 33, wherein
    the application module is further configured to call the network connection module of the second terminal to perform a network connection operation in response to an automatic connection instruction, so that the network connection module calls the storage module of the second terminal to query the secure storage area for certificate data to be used for connecting to the wireless network and connects to the wireless network using the certificate data found by the query; or,
    the application module is further configured to call the network connection module of the second terminal to perform a network connection operation in response to a manual connection instruction, so that the network connection module calls the certificate management module of the second terminal to enumerate the certificate identifiers of all certificate data in the secure storage area, calls the storage module of the second terminal to read the corresponding certificate data based on a manually selected certificate identifier, and connects to the wireless network using the certificate data read.
PCT/CN2018/077364 2017-03-01 2018-02-27 Credential information processing method and apparatus for network connection, and application (app) WO2018157782A1 (en)

Priority Applications (4)

Application Number Priority Date Filing Date Title
KR1020197021587A KR102200936B1 (en) 2017-03-01 2018-02-27 Credential information processing method and device for network connection, and application program (APP)
EP18761355.9A EP3592017B1 (en) 2017-03-01 2018-02-27 Credential information processing method and apparatus for network connection, and application (app)
JP2019560452A JP6917474B2 (en) 2017-03-01 2018-02-27 Credential processing method, device, and application APP for network connection
US16/482,475 US11751052B2 (en) 2017-03-01 2018-02-27 Credential information processing method and apparatus for network connection, and application (APP)

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
CN201710117743 2017-03-01
CN201710117743.0 2017-03-01
CN201710150249.4A CN108696868B (en) 2017-03-01 2017-03-14 Processing method and device of credential information for network connection
CN201710150249.4 2017-03-14

Publications (1)

Publication Number Publication Date
WO2018157782A1 true WO2018157782A1 (en) 2018-09-07

Family

ID=63369805

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2018/077364 WO2018157782A1 (en) 2017-03-01 2018-02-27 Credential information processing method and apparatus for network connection, and application (app)

Country Status (1)

Country Link
WO (1) WO2018157782A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2020088673A (en) * 2018-11-28 2020-06-04 Necプラットフォームズ株式会社 Radio communication device, communication system and setting information provision program
US11405216B2 (en) * 2020-05-07 2022-08-02 Adp, Inc. System for authenticating verified personal credentials

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102026197A (en) * 2010-12-31 2011-04-20 东莞宇龙通信科技有限公司 Method and device for acquiring WAPI (wireless LAN authentication and privacy infrastructure) digital certificate
CN103220669A (en) * 2012-01-19 2013-07-24 ***通信集团公司 Share method, system, server, terminal and gateway management server of private wireless local area network (WLAN)
CN105636030A (en) * 2016-01-29 2016-06-01 北京小米移动软件有限公司 Method and device for sharing access point
US20160261587A1 (en) * 2012-03-23 2016-09-08 Cloudpath Networks, Inc. System and method for providing a certificate for network access
CN105959971A (en) * 2016-06-30 2016-09-21 维沃移动通信有限公司 WiFi password sharing method and mobile terminal

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
See also references of EP3592017A4 *

Similar Documents

Publication Publication Date Title
EP3592017B1 (en) Credential information processing method and apparatus for network connection, and application (app)
US10667131B2 (en) Method for connecting network access device to wireless network access point, network access device, and application server
CN109286932B (en) Network access authentication method, device and system
CN108551675B (en) Application client, server and corresponding Portal authentication method
US8769612B2 (en) Portable device association
US9674173B2 (en) Automatic certificate enrollment in a special-purpose appliance
US8099761B2 (en) Protocol for device to station association
US11765164B2 (en) Server-based setup for connecting a device to a local area network
WO2022111187A1 (en) Terminal authentication method and apparatus, computer device, and storage medium
US10045212B2 (en) Method and apparatus for providing provably secure user input/output
US20230112606A1 (en) Device enrollment in a unified endpoint management system over a closed network
WO2018157782A1 (en) Credential information processing method and apparatus for network connection, and application (app)
US9231932B2 (en) Managing remote telephony device configuration
US9143510B2 (en) Secure identification of intranet network
JP4775154B2 (en) COMMUNICATION SYSTEM, TERMINAL DEVICE, PROGRAM, AND COMMUNICATION METHOD
US10756899B2 (en) Access to software applications
CN113746779A (en) Digital certificate installation method and equipment
US20230199489A1 (en) Peer-to-peer secure communication system, apparatus, and method
WO2024028291A1 (en) Certificate from server

Legal Events

Date Code Title Description
121 EP: the EPO has been informed by WIPO that EP was designated in this application (Ref document number: 18761355; Country of ref document: EP; Kind code of ref document: A1)
ENP Entry into the national phase (Ref document number: 20197021587; Country of ref document: KR; Kind code of ref document: A)
ENP Entry into the national phase (Ref document number: 2019560452; Country of ref document: JP; Kind code of ref document: A)
NENP Non-entry into the national phase (Ref country code: DE)
ENP Entry into the national phase (Ref document number: 2018761355; Country of ref document: EP; Effective date: 20191001)