CN106471831A - The method of configuration, the device of configuration and equipment - Google Patents

Abstract

The invention discloses a kind of method of configuration, the device of configuration and equipment, it is related to areas of information technology, the success rate that equipment is configured can be improved.Methods described includes：Configuration equipment and the second equipment carry out out-of-band communication first, obtain the outer key of the second equipment belt, and outer for the second equipment belt key is sent to the first equipment, so that the first equipment generates encryption key according to the outer key of the second equipment belt, then the first equipment sends according to the first signature verification key after encryption keys to the second equipment, and receive the second netkey that the second equipment sends, last first equipment generates key according to the first signature, second netkey is signed, obtain the first signing messages, and send according to the first link information after encryption keys to the second equipment, first link information includes the first signing messages and the second netkey.The present invention is applied to equipment is configured.

Description

Configuration method, configuration device and equipment technical field

The present invention relates to the field of wireless communication, in particular to a configuration method, configuration device and equipment.

Background technique

With the rapid development of wireless communication technology, the simplicity and security of wireless network connection configuration have attracted more and more attention from users. Generally, the process of configuring a wireless network connection for a device is relatively complicated, such as requiring the user to manually enter a password, which is not only cumbersome but also lacks security.

At present, a configuration method, first configures the interaction between the device and the first device, obtains the relevant information of the first device, and sends its own relevant information to the first device to realize the configuration of the first device; then configures The device interacts with the second device, obtains the relevant information of the second device, and sends its own relevant information to the second device to realize the configuration of the second device; finally, the first device configured by the configuration device and the The wireless communication is performed between the second devices configured by the configuration device, thereby avoiding relatively complicated processes such as manual input of passwords by the user.

However, when the configuration device configures the first device and the second device respectively, if in-band communication cannot be performed between the configuration device and a certain device, for example, a certain device does not support in-band communication, or the configuration device and a certain If the in-band communication modes supported by the device do not match, the above configuration process cannot be completed, resulting in a low success rate of configuring the device.

Contents of the invention

The invention provides a configuration method, configuration device and equipment, which can improve the success rate of equipment configuration.

The technical scheme adopted in the present invention is:

In the first aspect, the present invention provides a configuration method, which is applied in a configuration system, the configuration system includes a first device, a second device, and a configuration device, and an in-band configuration is performed between the configuration device and the first device. Communication, performing out-of-band communication between the configuration device and the second device; the method includes:

The first device receives the out-of-band key of the second device sent by the configuration device, and the out-of-band key of the second device is obtained by the configuration device through out-of-band communication with the second device;

The first device generates an encryption key according to the second device's out-of-band key, and the encryption key is used to encrypt information sent by the first device to the second device;

The first device generates a first signature generation key and a first signature verification key, the first signature generation key is used for the first device to sign, and the first signature verification key is used for Decrypting the information signed by the first device, the first signature generation key and the first signature verification key correspond to each other;

The first device receives a second network key sent by the second device, the second network key is generated by the second device, and the second network key is used by the first device to generate a shared key;

The first device signs the second network key by using a first signature generation key to obtain first signature information;

The first device sends encrypted first connection information to the second device, the first connection information includes the first signature information and the second network key, and the encrypted first connection The information is obtained by the first device encrypting the first connection information with a first key, and the first key is obtained by the first device according to the encryption key, so that the second device Acquiring and sending the first connection information to the first device, where the first connection information is used by the first device to determine whether the second device is legitimate.

With reference to the first aspect, in a first possible implementation manner of the first aspect, before the first device receives the out-of-band key of the second device sent by the configuration device, the method further includes:

The first device receives a second signature verification key sent by the configuration device, the second signature verification key is generated by the configuration device, and the second signature verification key is used to sign the configuration device to decrypt the information;

The first device generates a first network key, and the first network key is used by the second device to generate a shared key;

The first device sends the first network key to the configuration device, so that the configuration device generates and sends second connection information to the first device at least according to the first network key.

With reference to the first possible implementation of the first aspect, in a second possible implementation of the first aspect, after the first device sends the first network key to the configuration device, further include: :

The first device receives the second connection information sent by the configuration device, the second connection information includes second signature information and the first network key, and the second signature information is provided by the configuration device Obtained by signing the first network key by using a second signature generation key, the second signature generation key is generated by the configuration device, and the second signature generation key is used by the configuration device to perform signature , the second signature generation key corresponds to the second signature verification key.

With reference to the second possible implementation of the first aspect, in a third possible implementation of the first aspect, after the first device sends the encrypted first connection information to the second device, further include: :

The first device sends a second message, the second message carries the second connection information, the second connection information includes the second signature information, and the second signature information includes the first network key, so that the second device receives the second message sent by the first device, determines whether the first device is legitimate according to the second signature information carried in the second message, and at least according to the The first network key in the second signature information generates a second shared key, the second shared key is a pre-key between the first device and the second device, and the pre-shared key The key is used for handshake authentication between the first device and the second device.

In combination with the second possible implementation of the first aspect, or the third possible implementation of the first aspect, in a fourth possible implementation of the first aspect, the method further includes:

The first device generates a third network key, and the third network key is used by the second device to generate a shared key;

The first device sends the third network key to the configuration device;

The first device receives third connection information sent by the configuration device, the third connection information includes third signature information and the third network key, and the third signature information is used by the configuration device to The second signature generation key is obtained by signing the third network key;

The first device sends a third message to the second device, where the third message carries the third connection information, so that the second device obtains the third network key, and at least according to the Using the third network key to generate a new second shared key, the new second shared key is a pre-key between the first device and the second device, and the pre-key is used for A handshake authentication is performed between the first device and the second device.

With reference to the third possible implementation manner of the first aspect, in a fifth possible implementation manner of the first aspect, the method further includes:

The first device sends an encrypted second signature verification key to the second device, and the encrypted second signature verification key is used by the first device to sign the second signature with the second key. The verification key is obtained by encrypting the second key, and the second key is obtained by the first device according to the encryption key, so that the second device receives the second signature verification key, and according to the second The signature verification key and the second signature information carried in the second message determine that the first device is legal.

With reference to the first possible implementation manner of the first aspect, in a sixth possible implementation manner of the first aspect, after the first device sends the encrypted first connection information to the second device, the method further includes: :

receiving, by the first device, a first message sent by the second device, where the first message carries the first connection information;

The first device determines, according to the first signature information carried in the first message, that the second device is legal.

With reference to the sixth possible implementation manner of the first aspect, in a seventh possible implementation manner of the first aspect, the first device determines, according to the first signature information carried in the first message, that the Second devices are legal, including:

The first device determines the signature according to the first signature information carried in the first message The device that obtains the first signature information is a trusted device, and the trusted device includes the first device or the configuration device.

With reference to the sixth possible implementation manner of the first aspect, in an eighth possible implementation manner of the first aspect, the first device determines, according to the first signature information carried in the first message, that the Second devices are legal, including:

The first device decrypts the first signature information by using the first signature verification key to obtain a decryption result;

The first device compares the decryption result with the second network key included in the first connection information;

If the decryption result matches the second network key, the first device determines that the second device is legal.

In combination with the sixth possible implementation of the first aspect, or the seventh possible implementation of the first aspect, or the eighth possible implementation of the first aspect, the ninth possible implementation of the first aspect In the method, after the first device determines that the second device is legal according to the first signature information carried in the first message, it further includes:

If it is determined that the second device is legitimate, the first device generates a first shared key based on at least the second network key, and the first shared key is a shared key between the first device and the second network key. A pre-key between devices, where the pre-key is used for handshake authentication between the first device and the second device.

With reference to the ninth possible implementation manner of the first aspect, in a tenth possible implementation manner of the first aspect, the first device generates a first shared key at least according to the second network key, specifically include:

The first device generates a DH shared key according to the Diffie-Hellman DH key generation algorithm according to the private key corresponding to the first network key and the second network key, and sends the DH A shared key, or a key derived from the DH shared key, as the first shared key; or,

The first device uses Diffie-Hellman ECDH encryption based on elliptic curve cryptosystem A key generation algorithm, generating an ECDH shared key according to the private key corresponding to the first network key and the second network key, and deriving the ECDH shared key, or deriving it from the ECDH shared key The obtained key is used as the first shared key.

With reference to the first aspect, in an eleventh possible implementation manner of the first aspect, after the first device receives the out-of-band key of the second device sent by the configuration device, the method further includes:

The first device determines whether the second device stores a private key corresponding to the second device's out-of-band key;

If the second device stores a private key corresponding to the second device's out-of-band key, the first device determines that the second device is legal.

In a second aspect, the present invention provides a device for configuration, which is used for a first device, the first device is located in a configuration system, and the configuration system includes a first device, a second device, and a configuration device, and the configuration device and the configuration device In-band communication is performed between the first device, and out-of-band communication is performed between the configuration device and the second device; the device includes:

a receiving unit, configured to receive the out-of-band key of the second device sent by the configuration device, the out-of-band key of the second device is obtained by the configuration device through out-of-band communication with the second device;

a generating unit, configured to generate an encryption key according to the out-of-band key of the second device received by the receiving unit, and the encryption key is used to encrypt information sent by the first device to the second device;

The generation unit is further configured to generate a first signature generation key and a first signature verification key, the first signature generation key is used for the first device to sign, and the first signature verification key is used for For decrypting the information signed by the first device, the first signature generation key and the first signature verification key correspond to each other;

The receiving unit is further configured to receive a second network key sent by the second device, the second network key is generated by the second device, and the second network key is used for the first The device generates a shared key;

A signature unit, configured to use a first signature generation key to pair the first signature received by the receiving unit Sign with the second network key to obtain the first signature information;

a sending unit, configured to send encrypted first connection information to the second device, where the first connection information includes the first signature information signed by the signature unit and the second network key, the The encrypted first connection information is obtained by the first device encrypting the first connection information with a first key, and the first key is obtained by the first device according to the generated by the generating unit obtain the encryption key, so that the second device acquires and sends the first connection information to the first device, and the first connection information is used by the first device to determine whether the second device is legitimate .

In combination with the second aspect, in the first possible implementation of the second aspect,

The receiving unit is further configured to receive a second signature verification key sent by the configuration device before the receiving unit receives the out-of-band key of the second device, and the second signature verification key is provided by the Generated by the configuration device, the second signature verification key is used to decrypt the information signed by the configuration device;

The generating unit is further configured to generate a first network key, and the first network key is used by the second device to generate a shared key;

The sending unit is further configured to send the first network key generated by the generating unit to the configuration device, so that the configuration device generates and sends to the configuration device at least according to the first network key The first device sends second connection information.

In combination with the first possible implementation of the second aspect, in the second possible implementation of the second aspect,

The receiving unit is further configured to receive the second connection information sent by the configuration device after the sending unit sends the first network key, the second connection information includes the second signature information and the the first network key, the second signature information is obtained by the configuration device signing the first network key with a second signature generation key, and the second signature generation key is obtained by the configuration device The second signature generation key is used for the configuration device to perform signature, and the second signature generation key and the second signature verification key correspond to each other.

In combination with the second possible implementation of the second aspect, the third possible implementation of the second aspect In the way of implementation,

The sending unit is further configured to send an encrypted second message, the second message carries the second connection information, the second connection information includes the second signature information, and the second signature information Including the first network key, so that the second device receives the second message sent by the first device, and determines whether the first device according to the second signature information carried in the second message legal, and generate a second shared key at least according to the first network key in the second signature information, where the second shared key is a pre-established agreement between the first device and the second device A key, where the pre-key is used for handshake authentication between the first device and the second device.

In combination with the second possible implementation of the second aspect, or the third possible implementation of the second aspect, in the fourth possible implementation of the second aspect,

The generating unit is further configured to generate a third network key, and the third network key is used by the second device to generate a shared key;

The sending unit is further configured to send the third network key to the configuration device;

The receiving unit is further configured to receive third connection information sent by the configuration device, the third connection information includes third signature information and the third network key, and the third signature information is provided by the configuration device. Obtained by signing the third network key by using the second signature generation key;

The sending unit is further configured to send a third message to the second device, where the third message carries the third connection information, so that the second device acquires the third network key, and generate a new second shared key at least according to the third network key, the new second shared key is a pre-key between the first device and the second device, and the pre-encrypted The key is used for handshake authentication between the first device and the second device.

In combination with the third possible implementation of the second aspect, in the fifth possible implementation of the second aspect,

The sending unit is further configured to send an encrypted second signature verification key to the second device, and the encrypted second signature verification key is paired by the first device with the second key to the The second signature verification key is encrypted, and the second key is obtained by the first device according to the encryption key, so that the second device receives the second signature verification key and The second signature verification key and the second signature information carried in the second message determine that the first device is legal.

In combination with the first possible implementation of the second aspect, in a sixth possible implementation of the second aspect,

The receiving unit is further configured to receive a first message sent by the second device, where the first message carries the first connection information;

The device also includes: a determination unit;

The determining unit is configured to determine that the second device is legal according to the first signature information carried in the first message.

In combination with the sixth possible implementation of the second aspect, in the seventh possible implementation of the second aspect,

The determining unit is specifically configured to, according to the first signature information carried in the first message, determine whether the device that signed the first signature information is a trusted device, and the trusted device is the first signature information. device or the configuration device.

With reference to the sixth possible implementation of the second aspect, in an eighth possible implementation of the second aspect, the device further includes: a decryption unit and a comparison unit;

The decryption unit is configured to use the first signature verification key to decrypt the first signature information to obtain a decryption result;

The comparison unit is configured to compare the decryption result obtained by decrypting the decryption unit with the second network key included in the first connection information;

The determining unit is specifically configured to determine that the second device is legal when the comparing unit compares that the decryption result matches the second network key.

In combination with the sixth possible implementation of the second aspect, or the seventh possible implementation of the second aspect, or the eighth possible implementation of the second aspect, the ninth possible implementation of the second aspect way,

The generating unit is further configured to generate a first shared key at least according to the second network key when the determining unit determines that the second device is legitimate, and the first shared key is the second shared key. A pre-key between a device and the second device, where the pre-key is used for handshake authentication between the first device and the second device.

In combination with the ninth possible implementation of the second aspect, in the tenth possible implementation of the second aspect,

The generation unit is specifically configured to generate a DH shared key according to the Diffie-Hellman DH key generation algorithm according to the private key corresponding to the first network key and the second network key, and The DH shared key, or a key derived from the DH shared key, is used as the first shared key;

The generating unit is specifically further configured to generate the key according to the Diffie-Hellman ECDH key generation algorithm based on the elliptic curve cryptosystem, according to the private key corresponding to the first network key and the second network key, Generate an ECDH shared key, and use the ECDH shared key, or a key derived from the ECDH shared key, as the first shared key.

In combination with the second aspect, in an eleventh possible implementation manner of the second aspect,

The determining unit is further configured to determine whether the second device stores a private key corresponding to the second device's out-of-band key;

The determining unit is further configured to determine that the second device is legal when the second device stores a private key corresponding to the second device out-of-band key.

In a third aspect, the present invention provides a device, the device is a first device, the first device is located in a configuration system, the configuration system includes a first device, a second device, and a configuration device, and the configuration device and the In-band communication is performed between the first device, and out-of-band communication is performed between the configuration device and the second device; the first device includes:

a receiver, configured to receive the out-of-band key of the second device sent by the configuration device, where the out-of-band key of the second device is obtained by the configuration device through out-of-band communication with the second device;

a processor, configured to generate an encrypted key according to the second device out-of-band key received by the receiver An encryption key, where the encryption key is used to encrypt information sent by the first device to the second device;

The processor is further configured to generate a first signature generation key and a first signature verification key, the first signature generation key is used for the first device to sign, and the first signature verification key is used to For decrypting the information signed by the first device, the first signature generation key and the first signature verification key correspond to each other;

The receiver is further configured to receive a second network key sent by the second device, the second network key is generated by the second device, and the second network key is used for the first The device generates a shared key;

The processor is further configured to use a first signature generation key to sign the second network key received by the receiver to obtain first signature information;

a sender, configured to send encrypted first connection information to the second device, where the first connection information includes the first signature information and the second network key signed by the processor, and The encrypted first connection information is obtained by the first device encrypting the first connection information with a first key, and the first key is obtained by the first device according to the obtain the encryption key, so that the second device acquires and sends the first connection information to the first device, and the first connection information is used by the first device to determine whether the second device is legitimate .

In combination with the third aspect, in the first possible implementation of the third aspect,

The receiver is further configured to receive a second signature verification key sent by the configuration device before the receiver receives the out-of-band key of the second device, and the second signature verification key is determined by the Generated by the configuration device, the second signature verification key is used to decrypt the information signed by the configuration device;

The processor is further configured to generate a first network key, and the first network key is used by the second device to generate a shared key;

The transmitter is further configured to send the first network key generated by the processor to the configuration device, so that the configuration device generates and sends to the configuration device at least based on the first network key The first device sends second connection information.

In combination with the first possible implementation of the third aspect, in the second possible implementation of the third aspect,

The receiver is further configured to receive the second connection information sent by the configuration device after the sender sends the first network key, where the second connection information includes the second signature information and the the first network key, the second signature information is obtained by the configuration device signing the first network key with a second signature generation key, and the second signature generation key is obtained by the configuration device The second signature generation key is used for the configuration device to perform signature, and the second signature generation key and the second signature verification key correspond to each other.

In combination with the second possible implementation of the third aspect, in the third possible implementation of the third aspect,

The sender is further configured to send an encrypted second message to the second device, the second message carries the second connection information, and the second connection information includes the second signature information, The second signature information includes the first network key, and the encrypted second message is obtained by encrypting the second message by the first device using a fourth key, and the fourth key Obtained by the first device according to the encryption key, so that the second device receives the second message sent by the first device, and according to the second signature information carried in the second message, determines the Whether the first device is legitimate, and at least generate a second shared key based on the first network key in the second signature information, the second shared key is the first device and the second A pre-key between devices, where the pre-key is used for handshake authentication between the first device and the second device.

In combination with the second possible implementation of the third aspect, or the third possible implementation of the third aspect, in the fourth possible implementation of the third aspect,

The processor is further configured to generate a third network key, where the third network key is used by the second device to generate a shared key;

The transmitter is further configured to send the third network key to the configuration device;

The receiver is further configured to receive third connection information sent by the configuration device, the third connection information includes third signature information and the third network key, and the third signature information is determined by Obtained by the configuration device signing the third network key by using the second signature generation key;

The sender is further configured to send a third message to the second device, where the third message carries the third connection information, so that the second device acquires the third network key, and generate a new second shared key at least according to the third network key, the new second shared key is a pre-key between the first device and the second device, and the pre-encrypted The key is used for handshake authentication between the first device and the second device.

In combination with the third possible implementation of the third aspect, in the fifth possible implementation of the third aspect,

The sender is further configured to send an encrypted second signature verification key to the second device, and the encrypted second signature verification key is paired by the first device with the second key to the The second signature verification key is encrypted, and the second key is obtained by the first device according to the encryption key, so that the second device receives the second signature verification key and The second signature verification key and the second signature information carried in the second message determine that the first device is legal.

In combination with the first possible implementation of the third aspect, in the sixth possible implementation of the third aspect,

The receiver is further configured to receive a first message sent by the second device, where the first message carries the first connection information;

The processor is further configured to determine that the second device is legal according to the first signature information carried in the first message.

In combination with the sixth possible implementation of the third aspect, in the seventh possible implementation of the third aspect,

The processor is specifically configured to determine, according to the first signature information carried in the first message, whether the device that signed the first signature information is a trusted device, and the trusted device is the first device or the configuration device.

In combination with the sixth possible implementation of the third aspect, the eighth possible implementation of the third aspect In the way of implementation,

The processor is further configured to use the first signature verification key to decrypt the first signature information to obtain a decryption result;

The processor is further configured to compare the decryption result with the second network key included in the first connection information;

The processor is specifically configured to determine that the second device is legal when the decryption result matches the second network key.

In combination with the sixth possible implementation of the third aspect, or the seventh possible implementation of the third aspect, or the eighth possible implementation of the third aspect, the ninth possible implementation of the third aspect way,

The processor is further configured to, when it is determined that the second device is legal, generate a first shared key at least according to the second network key, and the first shared key is used by the first device and the A pre-key between the second device, where the pre-key is used for handshake authentication between the first device and the second device.

In combination with the ninth possible implementation of the third aspect, in the tenth possible implementation of the third aspect,

The processor is specifically configured to generate a DH shared key according to the Diffie-Hellman DH key generation algorithm according to the private key corresponding to the first network key and the second network key, and The DH shared key, or a key derived from the DH shared key, is used as the first shared key;

The processor is further configured to, according to the Diffie-Hellman ECDH key generation algorithm based on the elliptic curve cryptosystem, according to the private key corresponding to the first network key and the second network key, Generate an ECDH shared key, and use the ECDH shared key, or a key derived from the ECDH shared key, as the first shared key.

In combination with the third aspect, in the eleventh possible implementation manner of the third aspect,

The processor is further configured to determine whether the second device stores a private key corresponding to the out-of-band key of the second device;

The processor is further configured to determine that the second device is legal when the second device stores a private key corresponding to the second device out-of-band key.

In a fourth aspect, the present invention provides a configuration method, which is applied to a configuration system, the configuration system includes a first device, a second device, a configuration device, and a third device, the configuration device and the first device In-band communication between the configuration device and the second device, out-of-band communication between the configuration device and the third device, in-band communication between the configuration device and the third device, the first device has configured the second device Two devices; the method comprising:

The third device receives the first signature verification key and the first network key sent by the configuration device, the first signature verification key is generated by the first device and sent to the configuration device, the The first signature verification key is used to decrypt the information signed by the first device, the first network key is generated by the first device and sent to the configuration device, and the first network key is used to generating a shared key at the second device;

The third device receives a first message sent by the second device, the first message carries first connection information, the first connection information includes first signature information and a peer network key, and the first Signature information is obtained by the first device using a first signature generation key to sign the second network key, the first signature generation key is generated by the first device, and the first signature generation key Used for the first device to sign, the first signature generation key and the first signature verification key correspond to each other, the second network key is generated by the second device, and the first The second network key is used by the first device or the third device to generate a shared key;

The third device determines whether the peer network key is valid according to the first network key;

If the peer network key is legal, the third device determines whether the second device is legal according to the first signature information.

With reference to the fourth aspect, in a first possible implementation manner of the fourth aspect, the third device determines whether the peer network key is legal according to the first network key, specifically including:

The third device determines whether the peer network key is a trusted network key, where the trusted network key includes the first network key.

With reference to the fourth aspect, in a second possible implementation manner of the fourth aspect, the first connection information further includes a second network key;

The third device determines whether the second device is legitimate according to the first signature information, specifically including:

The third device decrypts the first signature information by using the first signature verification key to obtain a decryption result;

The third device compares the decryption result with the second network key;

If the decryption result matches the second network key, the third device determines that the second device is legal.

With reference to the second possible implementation manner of the fourth aspect, in a third possible implementation manner of the fourth aspect, after the third device determines that the second device is legal, further includes:

The third device generates a third shared key at least according to the second network key, and the third shared key is a pre-key for handshake authentication between the third device and the second device .

With reference to the third possible implementation of the fourth aspect, in a fourth possible implementation of the fourth aspect, the third device generates a third shared key at least according to the second network key, specifically include:

The third device generates a DH shared key according to the Diffie-Hellman DH key generation algorithm according to the private key corresponding to the fourth network key and the second network key, and uses the DH shared key key, or a key derived from the DH shared key as the third shared key, and the fourth network key is used by the second device to generate a shared key; or,

The third device generates an ECDH shared secret according to the private key corresponding to the fourth network key and the second network key according to the Diffie-Hellman ECDH key generation algorithm based on the elliptic curve cryptosystem. key, and use the ECDH shared key, or a key derived from the ECDH shared key, as the third shared key.

With reference to the fourth aspect, in a fifth possible implementation manner of the fourth aspect, the method further includes:

The third device generates a fourth network key, and the fourth network key is used by the second device to generate a shared key;

The third device sends the fourth network key to the configuration device.

With reference to the fifth possible implementation of the fourth aspect, in a sixth possible implementation of the fourth aspect, after the third device sends the fourth network key to the configuration device, further include :

The third device receives fourth connection information sent by the configuration device, the fourth connection information includes fourth signature information and the fourth network key, and the fourth signature information is used by the configuration device to The second signature generation key is obtained by signing the fourth network key, the second signature generation key and the second signature verification key are generated by the configuration device, and the second signature generation key is used for the The configuration device performs signature, the second signature verification key is used to decrypt the information signed by the configuration device, and the second signature generation key corresponds to the second signature verification key.

With reference to the sixth possible implementation manner of the fourth aspect, in a seventh possible implementation manner of the fourth aspect, after the third device receives the fourth connection information sent by the configuration device, further include:

The third device sends a fourth message to the second device, the fourth message carries the fourth connection information, and the fourth connection information includes the fourth signature information, so that the second The device receives the fourth message sent by the third device, and determines whether the third device is legal according to the fourth signature information carried in the fourth message and the second signature verification key, and the The second signature verification key is sent to the second device when the first device configures the second device.

In a fifth aspect, the present invention provides a device for configuring a third device, the third device is located in a configuration system, and the configuration system includes a first device, a second device, a configuration device and a third device, the In-band communication is performed between the configuration device and the first device, out-of-band communication is performed between the configuration device and the second device, and in-band communication is performed between the configuration device and the third device. The first device has configured the second device; the apparatus includes:

a receiving unit, configured to receive the first signature verification key and the first network key sent by the configuration device, the first signature verification key is generated by the first device and sent to the configuration device, the The first signature verification key is used to decrypt the information signed by the first device, the first network key is generated by the first device and sent to the configuration device, and the first network key is used to generating a shared key at the second device;

The receiving unit is further configured to receive a first message sent by the second device, the first message carries first connection information, and the first connection information includes first signature information and a peer network key, The first signature information is obtained by the first device signing the second network key with a first signature generation key, the first signature generation key is generated by the first device, and the first signature generating a key for the first device to sign, the first signature generating key and the first signature verification key correspond to each other, the second network key is generated by the second device, The second network key is used by the first device or the third device to generate a shared key;

a determining unit, configured to determine whether the peer network key is legal according to the first network key received by the receiving unit;

The determining unit is further configured to determine whether the second device is legal according to the first signature information received by the receiving unit when the peer network key is legal.

In combination with the fifth aspect, in the first possible implementation of the fifth aspect,

The determining unit is specifically configured to determine whether the peer network key is a trusted network key, and the trusted network key includes the first network key.

In combination with the fifth aspect, in the second possible implementation of the fifth aspect,

The first connection information received by the receiving unit further includes a second network key;

The device also includes: a decryption unit and a comparison unit;

The decryption unit is configured to use the first signature verification key to decrypt the first signature information to obtain a decryption result;

The comparison unit is configured to compare the decryption result obtained by decrypting the decryption unit with the second network key;

The determining unit is specifically configured to determine that the second device is legal when the comparing unit compares that the decryption result matches the second network key.

With reference to the second possible implementation manner of the fifth aspect, in a third possible implementation manner of the fifth aspect, the device further includes: a generating unit;

The generating unit is configured to generate a third shared key at least according to the second network key received by the receiving unit, and the third shared key is a link between the third device and the second device The pre-key for handshake authentication.

In combination with the third possible implementation of the fifth aspect, in the fourth possible implementation of the fifth aspect,

The generating unit specifically includes generating a DH shared key according to the Diffie-Hellman DH key generation algorithm according to the private key corresponding to the fourth network key and the second network key, and converting the DH A shared key, or a key derived from the DH shared key, is used as the third shared key, and the fourth network key is used by the second device to generate a shared key; or,

The generating unit specifically includes generating an ECDH key according to the private key corresponding to the fourth network key and the second network key according to the Diffie-Hellman ECDH key generation algorithm based on the elliptic curve cryptosystem. share a key, and use the ECDH shared key, or a key derived from the ECDH shared key, as the third shared key.

In combination with the fifth aspect, in a fifth possible implementation of the fifth aspect,

The generating unit is further configured to generate a fourth network key, where the fourth network key is used by the second device to generate a shared key;

The device also includes: a sending unit;

The sending unit is configured to send the fourth network key generated by the generating unit to the configuration device.

In combination with the fifth possible implementation of the fifth aspect, in the sixth possible implementation of the fifth aspect,

The receiving unit is further configured to receive fourth connection information sent by the configuration device, the fourth connection information includes fourth signature information and the fourth network key, and the fourth signature information obtained by the configuration device signing the fourth network key with a second signature generation key, the second signature generation key and the second signature verification key are generated by the configuration device, and the second The signature generation key is used for the configuration device to sign, the second signature verification key is used to decrypt the information signed by the configuration device, and the second signature generation key and the second signature verification key are used to decrypt the information signed by the configuration device. The keys correspond to each other.

In combination with the sixth possible implementation of the fifth aspect, in the seventh possible implementation of the fifth aspect,

The sending unit is further configured to send a fourth message to the second device, the fourth message carries the fourth connection information, and the fourth connection information includes the fourth signature information, so that the The second device receives the fourth message sent by the third device, and determines whether the third device is legitimate according to the fourth signature information carried in the fourth message and the second signature verification key , the second signature verification key is sent to the second device when the second device is configured by the first device.

In a sixth aspect, the present invention provides a device, the device is a third device, and the third device is located in a configuration system, and the configuration system includes a first device, a second device, a configuration device and a third device, wherein The configuration device performs in-band communication with the first device, the configuration device performs out-of-band communication with the second device, and the configuration device performs out-of-band communication with the third device. Internal communication, the first device has configured the second device; the third device includes:

a receiver, configured to receive the first signature verification key and the first network key sent by the configuration device, the first signature verification key is generated by the first device and sent to the configuration device, the The first signature verification key is used to decrypt the information signed by the first device, the first network key is generated by the first device and sent to the configuration device, and the first network key is used to generating a shared key at the second device;

The receiver is further configured to receive a first message sent by the second device, the first message carries first connection information, and the first connection information includes first signature information and a peer network key, The first signature information is generated by the first device using the first signature to generate a key for the second network The first signature generation key is generated by the first device, the first signature generation key is used for the first device to perform signatures, and the first signature generation key is the same as The first signature verification keys correspond to each other, the second network key is generated by the second device, and the second network key is used by the first device or the third device to generate a shared key;

a processor, configured to determine whether the peer network key is legal according to the first network key received by the receiver;

The processor is further configured to determine whether the second device is legal according to the first signature information received by the receiver when the peer network key is legal.

In combination with the sixth aspect, in the first possible implementation of the sixth aspect,

The processor is specifically configured to determine whether the peer network key is a trusted network key, where the trusted network key includes the first network key.

In combination with the sixth aspect, in the second possible implementation of the sixth aspect,

The first connection information received by the receiver further includes a second network key;

The processor is further configured to use the first signature verification key to decrypt the first signature information to obtain a decryption result;

The processor is further configured to compare the decryption result obtained by decryption with the second network key;

The processor is specifically configured to determine that the second device is legal when the decryption result matches the second network key.

In combination with the second possible implementation of the sixth aspect, in the third possible implementation of the sixth aspect,

The processor is configured to generate a third shared key at least according to the second network key received by the receiver, and the third shared key is between the third device and the second device The pre-key for handshake authentication.

In combination with the third possible implementation of the sixth aspect, in the fourth possible implementation of the sixth aspect,

The processor specifically includes generating a DH shared key according to the Diffie-Hellman DH key generation algorithm according to the private key corresponding to the fourth network key and the second network key, and converting the DH A shared key, or a key derived from the DH shared key, is used as the third shared key, and the fourth network key is used by the second device to generate a shared secret; or

The processor specifically includes, according to the Diffie-Hellman ECDH key generation algorithm based on the elliptic curve cryptosystem, according to the private key corresponding to the fourth network key and the second network key, to generate an ECDH key. share a key, and use the ECDH shared key, or a key derived from the ECDH shared key, as the third shared key.

In combination with the sixth aspect, in the fifth possible implementation of the sixth aspect,

The processor is further configured to generate a fourth network key, where the fourth network key is used by the second device to generate a shared key;

The third device also includes: a transmitter;

The sender is configured to send the fourth network key generated by the processor to the configuration device.

In combination with the fifth possible implementation of the sixth aspect, in the sixth possible implementation of the sixth aspect,

The receiver is further configured to receive fourth connection information sent by the configuration device, the fourth connection information includes fourth signature information and the fourth network key, and the fourth signature information is provided by the configuration device. The device signs the fourth network key by using a second signature generation key, the second signature generation key and the second signature verification key are generated by the configuration device, and the second signature generation key Used for the configuration device to sign, the second signature verification key is used to decrypt the information signed by the configuration device, and the second signature generation key and the second signature verification key are mutually correspond.

In combination with the sixth possible implementation of the sixth aspect, in the seventh possible implementation of the sixth aspect,

The sender is further configured to send a fourth message to the second device, where the fourth message carries the fourth connection information, and the fourth connection information includes the fourth signature information, so that The second device receives the fourth message sent by the third device, and according to the fourth signature information carried in the fourth message and the second signature verification key, determines that the third device Whether it is legal or not, the second signature verification key is sent to the second device when the first device configures the second device.

The configuration method, configuration device, and equipment provided by the present invention firstly configure the equipment to perform out-of-band communication with the second equipment, obtain the out-of-band key of the second equipment, and send the out-of-band key of the second equipment to the first equipment, so that the first device generates an encryption key according to the out-of-band key of the second device, and then the first device generates a first signature generation key and a first signature verification key, and receives the second network key sent by the second device, Finally, the first device generates a key according to the first signature, signs the second network key, obtains the first signature information, and sends the first connection information encrypted according to the encryption key to the second device. The first connection information includes The first signature information and the second network key. Compared with currently configuring the first device and the second device separately through the configuration device, the present invention obtains the out-of-band key of the second device through out-of-band communication between the configuration device and the second device, and transfers the second device The out-of-band key is sent to the first device, enabling communication between the first device and the second device, so that the first device can configure the second device, that is, when the configuration device and the second device cannot communicate with each other For in-band communication, for example, if a certain device does not support in-band communication, or the configuration device does not match the in-band communication mode supported by a certain device, the first device can configure the second device, thereby improving the configuration efficiency of the device. Success rate.

According to the configuration method, configuration device and equipment provided by the present invention, when the first device has configured the second device, the configuration device first sends the first signature verification key and the first network key to the third device, and the first signature verification key The key and the first network key are generated by the first device and sent to the configuration device, and then the second device sends a first message carrying the first connection information to the third device, and the first connection information includes the first signature information and the Finally, the third device determines whether the peer network key is legal according to the first network key. If the peer network key is legal, the third device determines whether the second device is legal according to the first signature information. Compared with currently configuring the first device and the second device separately through the configuration device, the present invention configures the second device through the first device according to the out-of-band key of the second device, and the out-of-band key of the second device is determined by the configuration between the device and the second device and the configuration device sends the first signature verification key and the first network key to the third device, and the second device sends the first connection information to the third device. Key to determine whether the peer network key in the first connection information is legal, and determine whether the first signature information in the first connection information is legal according to the first signature verification key, so that the configured The second device is configured to the third device, that is, the third device configures the second device, thereby improving the success rate of device configuration.

Description of drawings

In order to more clearly illustrate the present invention or the technical solutions in the prior art, the accompanying drawings that need to be used in the description of the present invention or the prior art will be briefly introduced below. Obviously, the accompanying drawings in the following description are only the present invention. For some embodiments of the present invention, those skilled in the art can also obtain other drawings according to these drawings without paying creative efforts.

FIG. 1 is a schematic diagram of a system architecture of a configuration system in an embodiment of the present invention;

FIG. 2 is a flowchart of a method configured in an embodiment of the present invention;

Fig. 3 is a method flow chart of another configuration in the embodiment of the present invention;

FIG. 4 is a schematic diagram of a system architecture of another configuration system in an embodiment of the present invention;

Fig. 5 is a method flow chart of another configuration in the embodiment of the present invention;

Fig. 6 is a method flow chart of another configuration in the embodiment of the present invention;

FIG. 7 is a schematic structural diagram of a device configured in an embodiment of the present invention;

FIG. 8 is a schematic structural diagram of another configuration of the device in the embodiment of the present invention;

Fig. 9 is a schematic structural diagram of the first device in the embodiment of the present invention;

FIG. 10 is a schematic structural diagram of another configuration of the device in the embodiment of the present invention;

Fig. 11 is a schematic structural diagram of another configuration of the device in the embodiment of the present invention;

Fig. 12 is a schematic structural diagram of a third device in an embodiment of the present invention.

detailed description

The following will clearly and completely describe the technical solutions in the embodiments of the present invention with reference to the accompanying drawings in the embodiments of the present invention. Obviously, the described embodiments are only some, not all, embodiments of the present invention. Based on the embodiments of the present invention, those of ordinary skill in the art All other embodiments obtained under the premise of making creative work belong to the protection scope of the present invention.

The technical solutions provided by the embodiments of the present invention are applied to a configuration system. The system architecture of the present invention is shown in FIG. 1 , and the configuration system includes a first device, a second device, and a configuration device. Wherein, in-band communication can be performed between the configuration device and the first device, and out-of-band communication can be performed between the configuration device and the second device.

The embodiment of the present invention provides a configuration method, which can improve the success rate of device configuration. As shown in FIG. 2, the method includes:

201. The first device receives the out-of-band key of the second device sent by the configuration device.

Wherein, the out-of-band key of the second device is obtained by the configuration device through out-of-band communication with the second device.

For the embodiment of the present invention, the first device supports in-band communication, and can perform in-band communication with the configuration device, and can also perform in-band communication with the second device. In the embodiment of the present invention, the first device may specifically be: a wireless access point (English full name: Access Point, English abbreviation: AP), a smart terminal, a wearable device, or a smart home device. Among them, smart terminals include mobile phones, mobile tablets, tablets and computers, etc., and wearable devices include smart glasses, smart watches, smart bracelets, smart rings, smart necklaces, smart shoes, smart hats, smart helmets, smart clothes and smart knee pads, etc. , smart homes include smart TVs, smart speakers, smart refrigerators, smart washing machines, smart air conditioners, smart lamps, smart curtains and smart alarms.

For the embodiment of the present invention, the configuration device is used to configure the device, or assist the device to configure other devices. In this embodiment of the present invention, the configuration device may be an external configuration device or an internal configuration device, which is not limited in this embodiment of the present invention. Wherein, the external configuration device can be a wireless device with a rich UI and relatively powerful computing capability, for example, the external configuration device can be a smart phone, a smart tablet, smart glasses or a smart watch, etc., or it can be a Other devices; the internal configuration device can also be a set of application modules integrated in the hardware unit, and can interact with other devices through the UI provided by the hardware unit. For example, the internal configuration device can be a configuration integrated in the wireless AP unit, at this time, the configuration The unit can realize the input during the configuration process through the input module of the wireless AP, and realize the output during the configuration process through the output module of the wireless AP, that is, the input module of the configuration unit is considered to be the input module of the wireless AP, and the output module of the configuration unit is the wireless AP output module.

For the embodiment of the present invention, in-band communication refers to a communication method with a relatively long communication distance, and out-of-band communication refers to a communication method with a relatively short communication distance. Specifically, the in-band communication can be: Bluetooth, Bluetooth Low Energy, Wireless Fidelity (English full name: Wireless Fidelity, English abbreviation: Wi-Fi), ZigBee (a low-power LAN protocol based on the IEEE802.15.4 standard), Ultra Broadband (English full name: Ultra Wide Band, English abbreviation: UWB) or wireless gigabit (English full name: Wireless Gigabit, English abbreviation: WiGig), etc.; out-of-band communication can be: radio frequency identification (English full name: Radio Frequency Identification, English Abbreviation: RFID), near field communication (English full name: Near Field Communication, English abbreviation: NFC), infrared, laser, ultrasonic, capacitive screen short-distance transmission, optical identification or acoustic identification, etc.

For example, when the way of out-of-band communication between the configuration device and the second device is optical identification, the second device first provides a QR code containing the second device’s out-of-band key; then the configuration device scans the The two-dimensional code is decoded to obtain the verification information material; finally, the configuration device obtains the verification information according to the verification information material and sends it to the first device, or the configuration device directly sends the verification information material to the first device, so that The first device acquires verification information according to the verification information material.

For another example, when the way of out-of-band communication between the configured device and the second device is acoustic recognition, the second device first plays the verification information material through its own acoustic module, and then configures the device to listen to the verification information material; finally configures the device according to The verification information material obtains verification information and sends it to the first device, or the configuration device directly sends the verification information material to the first device, so that the first device obtains verification information according to the verification information material.

For the embodiment of the present invention, both out-of-band communication and in-band communication are relative concepts, and are not limited to the above-mentioned examples of out-of-band communication and in-band communication. Any other communication methods with relatively short distances can be considered as out-of-band communication. Communication methods with a relatively long distance can be considered as in-band communication. For example, Bluetooth has a shorter communication distance than Wi-Fi. Therefore, when Wi-Fi is used as in-band communication, Bluetooth can be used as out-of-band communication.

It should be noted that the embodiment of the present invention is not limited to the out-of-band communication between the above-mentioned configuration device and the second device, and any other method that can realize the communication between the configuration device and the second device is applicable to the embodiment of the present invention, for example , in-band communication can be performed between the configuration device and the second device.

For the embodiment of the present invention, the verification information material and the verification information may be mutually converted through a specific encoding and decoding method, or may be the same information, which is not limited in the embodiment of the present invention. Among them, when the mutual conversion between the verification information material and the verification information is required, the mutual conversion can be realized directly through base64/32/16 (64/32/16 hexadecimal) encoding; or first through base64/32/16 Coding, and then through the abstract syntax notation (English full name: Abstract Syntax Notation One, English abbreviation: ASN.1) coding method, to achieve mutual conversion.

Optionally, after step 201, the method may further include: the first device determines whether the out-of-band key of the second device is valid.

Optionally, the first device may determine whether the second device's out-of-band key is legitimate by determining whether the second device stores a private key corresponding to the second device's out-of-band key. Specifically, if the second device stores a private key corresponding to the second device's out-of-band key, the first device determines that the second device is legal. Wherein, the private key corresponding to the out-of-band key of the second device corresponds to the out-of-band key of the second device.

For the embodiment of the present invention, when the private key corresponding to the out-of-band key of the second device and the out-of-band key of the second device are asymmetric keys, the private key corresponding to the out-of-band key of the second device is a private key, The out-of-band key of the second device is a public key; or, when the private key corresponding to the out-of-band key of the second device and the out-of-band key of the second device are symmetric keys, the corresponding The private key is the same as the second device out-of-band key.

202. The first device generates an encryption key according to the out-of-band key of the second device.

For this embodiment of the present invention, the out-of-band key of the second device may be a symmetric key or an asymmetric key, which is not limited in this embodiment of the present invention.

Optionally, when the out-of-band key of the second device is a symmetric key, the first device may directly use the out-of-band key of the second device as an encryption key.

Alternatively, when the second device's out-of-band key is an asymmetric key, the first device first generates a pair of asymmetric temporary keys, which are the first device's temporary private key and the first device's temporary public key, and then An encryption key is generated according to the temporary private key of the first device and the out-of-band key of the second device.

For the embodiment of the present invention, after the first device generates the temporary private key of the first device and the temporary public key of the first device, it can send the temporary public key of the first device to the second device, so that the second device can obtain the temporary public key of the first device. key, and generate a second encryption key according to the temporary public key of the first device and the private key corresponding to the locally stored out-of-band key of the second device. Wherein, the second encryption key is used to decrypt the encrypted information of the first device.

It should be noted that those skilled in the art can understand that the encryption key generated by the first device based on the temporary private key of the first device and the out-of-band key of the second device, and the encryption key generated by the second device based on the temporary public key of the first device and the second The second encryption key generated by the private key corresponding to the out-of-band key of the device is the same.

For this embodiment of the present invention, the encryption key is used to encrypt information sent by the first device to the second device.

Specifically, the first device can directly encrypt the information to be sent to the second device according to the encryption key; the first device can also first convert the encryption key to obtain the converted encryption key, and then according to The encryption key for encrypting the information to be sent to the second device.

For the embodiment of the present invention, the way the first device converts the encryption key may be to convert the encryption key directly through the base64/32/16 encoding method to obtain the converted encryption key; it may also first pass the base64 /32/16 to encode, and then convert the encryption key through the ASN.1 encoding method to obtain the converted encryption key.

For the embodiment of the present invention, when the first device encrypts the information to be sent to the second device according to the converted encryption key, the second device encrypts the first device according to the converted second encryption key. information is decrypted. Specifically, the second device first converts the second encryption key in the same conversion manner as that of the first device to obtain the converted second encryption key, and then according to the converted second encryption key, converts the first The encrypted information of the device is decrypted.

203. The first device generates a first signature generation key and a first signature verification key.

Wherein, the first signature generation key and the first signature verification key are generated by the first device, the first signature generation key is used for the first device to sign, and the first signature verification key is used for signing information of the first device For decryption, the first signature generation key and the first signature verification key correspond to each other.

Optionally, after step 203, the method may further include: the first device sends the encrypted first signature verification key to the second device. Wherein, the encrypted first signature verification key is obtained by the first device by encrypting the first signature verification key with a third key, and the third key is obtained by the first device according to the encryption key.

For this embodiment of the present invention, the first device may directly use the encryption key as the third key, and encrypt the first signature verification key according to the third key to obtain the encrypted first signature verification key; A device may first convert the encryption key to obtain the converted encryption key as the third key, and encrypt the first signature verification key according to the third key to obtain the encrypted first signature Verify key.

For this embodiment of the present invention, the first device generates a pair of signature keys, which are respectively the first signature verification key and the first signature generation key. Wherein, the first signature verification key is used to send to other devices, so that other devices can decrypt the information signed by the first device through the first signature verification key; the first signature generation key is used by the first device to sign.

For the embodiment of the present invention, when the first signature generation key and the first signature verification key are asymmetric keys, the first signature generation key is the corresponding private key, and the first signature verification key is the corresponding public key; or, when the first signature generation key and the first signature verification key are symmetric keys, the first signature generation key and the first signature verification key are the same.

204. The first device receives the second network key sent by the second device.

Wherein, the second network key is generated by the second device, and the second network key is used by the first device to generate a shared key.

It should be noted that this embodiment of the present invention is not limited to the first device generating a shared key based on the second network key, and any other device that can communicate with the second device can generate a shared key based on the second network key .

For this embodiment of the present invention, the second network key may be a symmetric key or an asymmetric key, which is not limited in this embodiment of the present invention. In the embodiment of the present invention, when the second network key is an asymmetric key, the second network key may be a Diffie-Hellman (English full name: Diffie-Hellman, English abbreviation: DH) public key; It is the Diffie Herman (English abbreviation: ECDH) public key based on Elliptic Curve Cryptosystems (English full name: Elliptic Curve Cryptosystems, English abbreviation: ECC); it can also be the X coordinate or Y coordinate of the ECDH public key.

For this embodiment of the present invention, the second network key may also be a result obtained by further encoding the key. For example, the second network key is the result obtained by directly encoding the DH key through base64/32/16, or it can also be obtained by first encoding the DH key through base64/32/16 and then encoding it through ASN.1 The result can also be the result obtained by directly encoding the X coordinate of the ECDH key through base64/32/16, or the Y coordinate of the ECDH key can be first encoded through base64/32/16, and then through ASN. 1 to encode the result.

205. The first device signs the second network key by using the first signature generation key to obtain first signature information.

Wherein, the first signature generation key is generated by the first device, the first signature generation key is used for the first device to sign, and the first signature generation key and the first signature verification key correspond to each other.

206. The first device sends the encrypted first connection information to the second device.

Wherein, the first connection information includes the first signature information and the second network key, and the encrypted first connection information is obtained by encrypting the first connection information by the first device using the first key, and the first key is obtained by the first The device is derived from the encryption key.

For the embodiment of the present invention, the first device may directly use the encryption key as the first key, and encrypt the first connection information according to the first key to obtain the encrypted first signature verification key; the first device Alternatively, the encryption key may be converted first to obtain the converted encryption key as the first key, and the first connection information may be encrypted according to the first key to obtain the encrypted first signature verification key.

For the embodiment of the present invention, the connection information may specifically include: network identification information, peer network key information, network key information to be configured, configuration device identification information, and configuration device signature information.

Further, the first device sends the first connection information to the second device, so that the second device obtains and sends the first connection information to the first device, and the first connection information is used by the first device to determine whether the second device is legitimate.

The configuration method provided by the embodiment of the present invention firstly configures the device to perform out-of-band communication with the second device, obtains the out-of-band key of the second device, and sends the out-of-band key of the second device to the first device, so that the first device The device generates an encryption key according to the out-of-band key of the second device, then the first device generates a first signature generation key and a first signature verification key, and receives the second network key sent by the second device, and finally the first device Generate a key according to the first signature, sign the second network key, obtain the first signature information, and send the first connection information encrypted according to the encryption key to the second device, the first connection information includes the first signature information and a second network key. Compared with currently configuring the first device and the second device separately through the configuration device, the embodiment of the present invention obtains the out-of-band key of the second device through out-of-band communication between the configuration device and the second device, and transfers the second device The two-device out-of-band key is sent to the first device, enabling communication between the first device and the second device, so that the first device can configure the second device, that is, when the configuration device and the second device cannot When performing in-band communication, for example, if a certain device does not support in-band communication, or the configured device does not match the in-band communication mode supported by a certain device, the first device can configure the second device to improve the performance of the device. configuration success rate.

As a specific description of the method shown in Figure 2, the embodiment of the present invention provides another configuration method, as shown in Figure 3, the method includes:

301. The first device receives the second signature verification key sent by the configuration device.

For the embodiment of the present invention, the first device supports in-band communication, and can perform in-band communication with the configuration device, and can also perform in-band communication with the second device. In the embodiment of the present invention, the first device may specifically be: a wireless AP, a smart terminal, a wearable device, or a smart home device, and the like. Among them, smart terminals include mobile phones, mobile tablets, tablets and computers, etc., and wearable devices include smart glasses, smart watches, smart bracelets, smart rings, smart necklaces, smart shoes, smart hats, smart helmets, smart clothes and smart knee pads, etc. , smart home includes smart TV, smart Smart speakers, smart refrigerators, smart washing machines, smart air conditioners, smart lamps, smart curtains and smart alarms, etc.

For the embodiment of the present invention, the configuration device is used to configure the device, or assist the device to configure other devices. In this embodiment of the present invention, the configuration device may be an external configuration device or an internal configuration device, which is not limited in this embodiment of the present invention. Among them, the external configuration device can be a wireless device with a rich user interface (English full name: User Interface, English abbreviation: UI) and relatively powerful computing capabilities. For example, the external configuration device can be a smart phone, a smart tablet, smart glasses or a smart phone. Watches, etc., can also be other devices with related application units installed; internal configuration devices can also be a set of application modules integrated in the hardware unit, and can interact with other devices through the UI provided by the hardware unit, for example , the internal configuration device can be a configuration unit integrated in the wireless AP, the configuration unit can realize the input during the configuration process through the input unit of the wireless AP, and realize the output during the configuration process through the output unit of the wireless AP.

Wherein, the second signature verification key is generated by the configuration device, and the second signature verification key is used to decrypt the information signed by the configuration device. In the embodiment of the present invention, the configuration device generates a pair of signature keys, which are respectively the second signature verification key and the second signature generation key. Wherein, the second signature verification key is used to send to other devices, so that other devices can decrypt the information signed by the second device through the second signature verification key; the second signature generation key is used to configure the device to perform sign.

For this embodiment of the present invention, the second signature verification key may be referred to by C-sign-key1, and the second signature generation key may be referred to by C-sign-key2. In this embodiment of the present invention, A is used to identify the first device, B is used to identify the second device, C is used to identify the configuration device, sign is used to indicate a signature (Signature), key is used to indicate a key, and key1 is used to indicate The verification key, key2 is used to represent the generated key, net is used to represent the network (network), pub is used to represent the public (public), and priv is used to represent the private (private).

It should be noted that the embodiments of the present invention are not limited to the above-mentioned identification methods for each device and each key, and any other methods that can be used to identify devices or keys are applicable to this Invention Example.

302. The first device generates a first network key.

Wherein, the first network key is used by the second device to generate a shared key. In this embodiment of the present invention, the first network key may be referred to as A-net-pub.

It should be noted that this embodiment of the present invention is not limited to the second device generating a shared key based on the first network key, and any other device that can communicate with the first device can generate a shared key based on the first network key .

For this embodiment of the present invention, the first network key may be a symmetric key or an asymmetric key, which is not limited in this embodiment of the present invention. In the embodiment of the present invention, when the first network key is an asymmetric key, the first network key may be DH; it may also be an ECDH public key; it may also be the X coordinate or Y coordinate of the ECDH public key.

For this embodiment of the present invention, the first network key may also be a result obtained by further encoding the key. For example, the first network key is the result obtained by directly encoding the DH key through base64/32/16, or it can also be obtained by first encoding the DH key through base64/32/16 and then encoding it through ASN.1 The result can also be the result obtained by directly encoding the X coordinate of the ECDH key through base64/32/16, or the Y coordinate of the ECDH key can be first encoded through base64/32/16, and then through ASN. 1 to encode the result.

303. The first device sends the first network key to the configuration device.

Further, the first device sends the first network key to the configuration device, so that the configuration device generates and sends the second connection information to the first device at least according to the first network key.

304. The first device receives the second connection information sent by the configuration device.

Wherein, the second connection information includes the second signature information and the first network key, the second signature information is obtained by the configuration device signing the first network key with the second signature generation key, and the second signature generation key is obtained by the configuration Generated by the device, the second signature generation key is used to configure the device for signing, and the second signature generation key corresponds to the second signature verification key. In this embodiment of the present invention, the second connection information may be referred to as Connector2, and the second signature information may be referred to as signature2.

For the embodiment of the present invention, when the second signature generation key and the second signature verification key are asymmetric keys, the second signature generation key is the corresponding private key, and the second signature verification key is the corresponding public key; or, when the second signature generation key and the second signature verification key are symmetric keys, the second signature generation key is the same as the second signature verification key.

For the embodiment of the present invention, the connection information may specifically include: a network identifier, a peer network key, a network key to be configured, a configuration device identifier, and a signature of the configuration device. In the embodiment of the present invention, the specific form of connection information may be:

Among them, netID is used to represent the network identifier of the network that the device to be configured is configured to join or to be configured to create; PeerKey is used to represent the network key of the peer device to which the device to be configured is configured to connect. In the embodiment of the present invention, when the PeerKey is Wildcard (wildcard), it means that the device to be configured can be connected to all devices in the network.

For this embodiment of the present invention, the second connection information constructed by the configuration device may specifically be:

Wherein, the Service Set Identifier (English full name: Service Set Identifier, English abbreviation: SSID) is a network identifier, and when the first device is a wireless AP, netID is the SSID of the wireless AP; wildcard is a wildcard, and when peerKey is wildcard, Indicates that the first device can communicate with the network All devices connected; C-id is the identification information of the configuration device.

For the embodiment of the present invention, the device can be configured according to Digital Signature Algorithm (English full name: Digital Signature Algorithm, English abbreviation: DSA), Elliptic Curve Digital Signature Algorithm (English full name: Elliptic Curve Digital Signature Algorithm, English abbreviation: ECDSA) or RSA (English abbreviation: ECDSA) Rivest-Shamir-Adleman) and other signature algorithms, according to C-sign-key2, A-net-pub is signed to obtain signature2.

For this embodiment of the present invention, the configuration device may also sign A-net-pub and other items according to C-sign-key2 according to signature algorithms such as DSA, ECDSA, or RSA, to obtain signature2. Wherein, other items may be any one or any combination of SSID, wildcard and C-id.

For this embodiment of the present invention, the configuration device can also first convert C-sign-key2, and then according to DSA, ECDSA or RSA and other signature algorithms, according to the converted C-sign-key2, to A-net-pub, or A-net-pub -net-pub and other items are signed to get signature2.

For the embodiment of the present invention, when the configuration device acquires the out-of-band key of the second device through out-of-band communication with the second device, it can construct the corresponding connection information and send it to the first device, so that the first device can obtain Second device out-of-band key. At this point, the connection information for configuring the device structure can be as follows:

Among them, the peerKey of Connector2' is B-id-pub, which is the out-of-band key of the second device.

It should be noted that the embodiment of the present invention is not limited to the above-mentioned method in which the configuration device sends the second device out-of-band key to the first device through Connector2', any other method that can realize the configuration device sending the second device out-of-band key to the first device The mode of the key is applicable to the implementation of the present invention Example.

For example, the configuration device may directly encrypt the out-of-band key of the second device, and send the encrypted out-of-band key of the second device to the first device. Specifically, the configuration device may carry indication information in the message sent to the first device, and the indication information is used for the first device to indicate that the message carries the out-of-band key of the second device, so that the first device receives the second device out-of-band key and execute the corresponding process.

305. The first device receives the out-of-band key of the second device sent by the configuration device.

Wherein, the out-of-band key of the second device is obtained by the configuration device through out-of-band communication with the second device. In this embodiment of the present invention, the out-of-band key of the second device may be referred to by B-id-pub.

For the embodiment of the present invention, out-of-band communication refers to a communication method with a relatively short communication distance, and in-band communication refers to a communication method with a relatively long communication distance. Specifically, in-band communication can be: Bluetooth, Bluetooth low energy consumption, Wi-Fi, ZigBee, UWB, WiGig, etc.; out-of-band communication can be: RFID, NFC, infrared, laser, ultrasonic, capacitive screen transmission, optical identification or Acoustic identification, etc.

For example, when the way of out-of-band communication between the configuration device and the second device is optical identification, the second device first provides a QR code containing the second device’s out-of-band key; then the configuration device scans the The two-dimensional code is decoded to obtain the verification information material; finally, the configuration device obtains the verification information according to the verification information material and sends it to the first device, or the configuration device directly sends the verification information material to the first device, so that The first device acquires verification information according to the verification information material.

For another example, when the way of out-of-band communication between the configured device and the second device is acoustic recognition, the second device first plays the verification information material through its own acoustic module, and then configures the device to listen to the verification information material; finally configures the device according to The verification information material obtains verification information and sends it to the first device, or the configuration device directly sends the verification information material to the first device, so that the first device obtains verification information according to the verification information material.

For the embodiment of the present invention, the verification information material and the verification information may be mutually converted through a specific encoding and decoding method, or may be the same information, which is not limited in the embodiment of the present invention. Among them, when the mutual conversion between the verification information material and the verification information is required, the mutual conversion can be realized directly through the base64/32/16 encoding method; it can also be first encoded through base64/32/16, and then encoded through ASN.1 way to achieve mutual conversion.

For the embodiment of the present invention, the out-of-band key of the second device may be a DH public key, or an ECDH public key, or it may be the X coordinate or Y coordinate of the ECDH public key, or it may be the X coordinate or Y of the ECDH public key coordinate.

For this embodiment of the present invention, the out-of-band key of the second device may also be a result obtained by further encoding the public key. For example, the out-of-band key of the second device can be the result of directly encoding the DH public key through base64/32/16, or it can be the result of first encoding the DH public key through base64/32/16 and then through ASN.1 The result obtained by encoding can also be the result obtained by directly encoding the X coordinate of the ECDH public key through base64/32/16, or the Y coordinate of the ECDH public key is first encoded through base64/32/16, and then The result of encoding via ASN.1.

Optionally, after step 305, the method may further include: the first device determines whether the out-of-band key of the second device is valid.

Specifically, the first device determines whether the second device stores the private key corresponding to the second device's out-of-band key, and if the second device stores the private key corresponding to the second device's out-of-band key, the first device determines that the second The private key corresponding to the legitimate second device out-of-band key of the device corresponds to the second device out-of-band key. In this embodiment of the present invention, the private key corresponding to the out-of-band key of the second device may be referred to by B-id-priv.

For the embodiment of the present invention, when the private key corresponding to the out-of-band key of the second device and the out-of-band key of the second device are asymmetric keys, the private key corresponding to the out-of-band key of the second device is a private key, The out-of-band key of the second device is a public key; or, when the private key corresponding to the out-of-band key of the second device and the out-of-band key of the second device are symmetric keys, the corresponding The private key is the same as the second device out-of-band key.

306. The first device generates an encryption key according to the out-of-band key of the second device.

For this embodiment of the present invention, the out-of-band key of the second device can be a symmetric key, or a The symmetric key is not limited in this embodiment of the present invention.

Optionally, when the out-of-band key of the second device is a symmetric key, the first device may directly use the out-of-band key of the second device as an encryption key.

Alternatively, when the second device's out-of-band key is an asymmetric key, the first device first generates a pair of asymmetric temporary keys, which are the first device's temporary private key and the first device's temporary public key, and then An encryption key is generated according to the temporary private key of the first device and the out-of-band key of the second device.

For the embodiment of the present invention, after the first device generates the temporary private key of the first device and the temporary public key of the first device, it can send the temporary public key of the first device to the second device, so that the second device can obtain the temporary public key of the first device. key, and generate a second encryption key according to the temporary public key of the first device and the private key corresponding to the locally stored out-of-band key of the second device. Wherein, the second encryption key is used to decrypt the encrypted information of the first device.

It should be noted that those skilled in the art can understand that the encryption key generated by the first device based on the temporary private key of the first device and the out-of-band key of the second device, and the encryption key generated by the second device based on the temporary public key of the first device and the second The second encryption key generated by the private key corresponding to the out-of-band key of the device is the same.

For this embodiment of the present invention, the encryption key is used to encrypt information sent by the first device to the second device.

Specifically, the first device can directly encrypt the information to be sent to the second device according to the encryption key; the first device can also first convert the encryption key to obtain the converted encryption key, and then according to The encryption key for encrypting the information to be sent to the second device.

For the embodiment of the present invention, the way the first device converts the encryption key may be to convert the encryption key directly through the base64/32/16 encoding method to obtain the converted encryption key; it may also first pass the base64 /32/16 to encode, and then convert the encryption key through the ASN.1 encoding method to obtain the converted encryption key.

For the embodiment of the present invention, when the first device encrypts the information to be sent to the second device according to the converted encryption key, the second device encrypts the first device according to the converted second encryption key. information is decrypted. Specifically, the second device first follows the same In the same conversion manner, the second encryption key is converted to obtain a converted second encryption key, and then the encrypted information of the first device is decrypted according to the converted second encryption key.

307. The first device generates a first signature generation key and a first signature verification key.

Wherein, the first signature generation key and the first signature verification key are generated by the first device, the first signature generation key is used for the first device to sign, and the first signature verification key is used for signing information of the first device For decryption, the first signature generation key and the first signature verification key correspond to each other.

Optionally, after step 307, the method may further include: the first device sends the encrypted first signature verification key to the second device. Wherein, the encrypted first signature verification key is obtained by the first device by encrypting the first signature verification key with a third key, and the third key is obtained by the first device according to the encryption key.

For this embodiment of the present invention, the first device may directly use the encryption key as the third key, and encrypt the first signature verification key according to the third key to obtain the encrypted first signature verification key; A device may first convert the encryption key to obtain the converted encryption key as the third key, and encrypt the first signature verification key according to the third key to obtain the encrypted first signature Verify key.

For this embodiment of the present invention, the first device generates a pair of signature keys, which are respectively the first signature verification key and the first signature generation key. Wherein, the first signature verification key is used to send to other devices, so that other devices can decrypt the information signed by the first device through the first signature verification key; the first signature generation key is used by the first device to sign. In this embodiment of the present invention, the first signature verification key may be referred to by A-sign-key1, and the first signature generation key may be referred to by A-sign-key2.

For the embodiment of the present invention, when the first signature generation key and the first signature verification key are asymmetric keys, the first signature generation key is the corresponding private key, and the first signature verification key is the corresponding public key; or, when the first signature generation key and the first signature verification key are symmetric keys, the first signature generation key and the first signature verification key are the same.

Optionally, after step 307, it may further include: the first device sends the encrypted After the second signature verification key. Wherein, the encrypted second signature verification key is obtained by the first device by using the second key to encrypt the second signature verification key, and the second key is obtained by the first device according to the encryption key.

For this embodiment of the present invention, the first device may directly use the encryption key as the second key, and encrypt the second signature verification key according to the second key to obtain the encrypted first signature verification key; A device may first convert the encryption key to obtain the converted encryption key as the second key, and encrypt the second signature verification key according to the second key to obtain the encrypted first signature Verify key.

It should be noted that the second key obtained by the first device according to the encryption key may be the same as or different from the third key obtained by the first device according to the encryption key, which is not limited in this embodiment of the present invention. .

Further, the first device sends the second signature verification key to the second device, so that the second device receives the second signature verification key, and verifies the key according to the second signature and the second signature carried in the second message information to determine that the first device is legitimate.

308. The first device receives the second network key sent by the second device.

Wherein, the second network key is generated by the second device, and the second network key is used by the first device to generate a shared key. In this embodiment of the present invention, the second network key may be referred to by B-net-pub.

It should be noted that this embodiment of the present invention is not limited to the first device generating a shared key based on the second network key, and any other device that can communicate with the second device can generate a shared key based on the second network key .

For this embodiment of the present invention, the second network key may be a symmetric key or an asymmetric key, which is not limited in this embodiment of the present invention. In the embodiment of the present invention, when the second network key is an asymmetric key, the second network key can be a DH public key; it can also be an ECDH public key; it can also be the X coordinate or Y coordinate of the ECDH public key .

For this embodiment of the present invention, the second network key may also be a result obtained by further encoding the key. For example, the second network key is the result of directly encoding the DH key through base64/32/16, or it can also be the result of first encoding the DH key through base64/32/16, and then The result of encoding through ASN.1 can also be the result of directly encoding the X coordinate of the ECDH key through base64/32/16, or the Y coordinate of the ECDH key first through base64/32/16 Encode and then encode the result through ASN.1.

309. The first device signs the second network key by using the first signature generation key to obtain first signature information.

Wherein, the first signature generation key is generated by the first device, the first signature generation key is used for the first device to sign, and the first signature generation key and the first signature verification key correspond to each other.

For this embodiment of the present invention, the first signature information may be referred to by signature1. Specifically, the configuration device can sign B-net-pub according to A-sign-key2 according to signature algorithms such as DSA, ECDSA, or RSA, and obtain signature1.

310. The first device sends encrypted first connection information to the second device.

Wherein, the first connection information includes the first signature information and the second network key, and the encrypted first connection information is obtained by encrypting the first connection information by the first device using the first key, and the first key is obtained by the first The device is derived from the encryption key. In this embodiment of the present invention, the first connection information may be referred to by Connector1.

For the embodiment of the present invention, the first device may directly use the encryption key as the first key, and encrypt the first connection information according to the first key to obtain the encrypted first signature verification key; the first device Alternatively, the encryption key may be converted first to obtain the converted encryption key as the first key, and the first connection information may be encrypted according to the first key to obtain the encrypted first signature verification key.

It should be noted that, between the first key obtained by the first device based on the encryption key, the third key obtained by the first device based on the encryption key, or the second key obtained by the first device based on the encryption key The keys may be the same or different, which is not limited in this embodiment of the present invention.

Further, the first device sends the encrypted first connection information to the second device, so that the second device obtains and sends the first connection information to the first device. Wherein, the first connection information is used by the first device to determine whether the second device is legitimate.

For this embodiment of the present invention, the first connection information constructed by the first device may specifically be:

Further, the first device sends the first connection information to the second device, so that the second device obtains the first network key in the first connection information, and generates a second shared key according to the first network key. Wherein, the second shared key is a pre-key for handshake authentication between the second device and the first device.

Optionally, the second device may generate a DH shared key according to the DH key generation algorithm according to the private key corresponding to the second network key and the first network key, and share the key with the DH, or share the key with the DH The key derived from the key is used as the second shared key. In this embodiment of the present invention, the second shared key may be DH (B-net-priv, A-net-pub). Wherein, the private key corresponding to the second network key may be referred to by B-net-priv.

Alternatively, the second device can also generate an ECDH shared key according to the ECDH key generation algorithm, according to the private key corresponding to the second network key, and the first network key, and use the ECDH shared key, or use the ECDH A key derived from the shared key is used as the second shared key. In this embodiment of the present invention, the second shared key may be ECDH (B-net-priv, A-net-pub).

311. The first device receives the first message sent by the second device.

Wherein, the first message carries the first connection information. In this embodiment of the present invention, the first message may be referred to by M1.

For the embodiment of the present invention, the second device carries the first connection information in the first message and sends it to the first device, so that the first device determines whether the second device is legal according to the first signature information carried in the first message.

312. The first device determines that the second device is legal according to the first signature information carried in the first message.

Optionally, step 312 may be that the first device determines, according to the first signature information carried in the first message, that the device that obtained the first signature information by signing is an authentic device. Wherein, the trusted device includes the first device or the configuration device.

Alternatively, step 312 may also be that the first device first uses the first signature verification key to decrypt the first signature information to obtain a decryption result, and then combines the decryption result with the second network encryption key included in the first connection information. The key is compared, and if the decryption result matches the second network key, the first device determines that the second device is legal.

For this embodiment of the present invention, the decryption result matches the second network key, which means that the decryption result is the same as the second network key; or, after the decryption result is converted, it is the same as the second network key; or, the second network key After the network key is converted, it is the same as the decryption result; or, the converted decryption result is the same as the converted second network key.

For the embodiment of the present invention, the way to convert the decryption result or the second network key may be to convert the decryption result or the second network key directly through base64/32/16 encoding; 32/16, and then use the ASN.1 encoding method to convert the decryption result or the second network key.

For the embodiment of the present invention, the first signature information may also be obtained by the first device signing the network key to be configured and other items in the first connection information according to the first signature generation key. Wherein, the other item is any one or any combination of the network identifier, the peer network key, and the configured device identifier in the first connection information. At this time, the decryption result matches the second network key, which means that the second network key and other items are the same as the decryption result; or, after conversion of the second network key and other items, it is the same as the decryption result; or , after converting the decryption result, it is the same as the second network key and other items; or, the converted second network key and other items are the same as the converted decryption result.

For example, when signature1 is obtained by the first device signing B-net-pub, SSID, A-net-pub and A-id according to A-sign-key2, the first device signs signature1 according to A-sign-key1 Perform decryption to obtain the decryption result, which is the same as B-net-pub, SSID, A-net-pub and A-id; or, the converted decryption result is the same as B-net-pub, SSID, A-net -pub and A-id is the same; or, the decryption result is the same as the converted B-net-pub, SSID, A-net-pub and A-id; or, the converted decryption result is the same as the converted B-net-pub , SSID, A-net-pub and A-id are the same. Specifically, if the conversion method is hash conversion, when signature1 is obtained by signing B-net-pub, SSID, A-net-pub and A-id according to A-sign-key2 by the first device , the first device decrypts signature1 according to A-sign-key1 to obtain a decryption result, which is the same as the hashed result of B-net-pub, SSID, A-net-pub and A-id.

For this embodiment of the present invention, the first connection information carried in the first message received by the first device may specifically be:

Optionally, the specific process for the first device to verify Connector1 can be as follows: First, the first device verifies whether the netID in Connector1 matches the netID in Connector2, if it matches, then continues to verify Connector1, and if it does not match, then abandons the verification. In the embodiment of the invention, the netID in Connector1 and the netID in Connector2 are both SSIDs, and the two match; then, the first device verifies whether the peerKey in Connector1 is a network key or wildcard generated by itself, and if it matches, continues to verify Connector1, If it does not match, the verification is abandoned. In the embodiment of the present invention, the peerKey in Connector1 is the network key generated by itself, so the peerKey matches; secondly, the first device verifies whether the introducer in Connector1 is a trusted device, and if so, continues to verify Connector1 , if not, give up the verification. In the embodiment of the present invention, the introducer in Connector1 is A-id, that is, its own identification information, so it is a trusted device; finally, the first device verifies whether signature1 is legal according to A-sign-key1 , if it is legal, it is determined that Connector1 is legal, and if it is not legal, the verification is given up. In the embodiment of the present invention, signature1 It is signed by the first device according to A-sign-key2, so signature1 is legal. Therefore, the first device determines that Connector1 is legal, that is, the first device determines that the second device is legal.

313. If it is determined that the second device is legal, the first device generates a first shared key at least according to the second network key.

Wherein, the first shared key is a pre-key between the first device and the second device, and the pre-key is used for handshake authentication between the first device and the second device.

For the embodiment of the present invention, the first device can first generate a pre-shared key (English full name: Pre-Shared Key, English abbreviation: PSK) or a pairwise master key (English full name: Pairwise Master Key, English abbreviation: PMK), and then perform handshake authentication with the second device according to the PSK or PMK.

Optionally, the first device may generate a DH shared key according to the DH key generation algorithm, according to the private key corresponding to the first network key, and the second network key, and share the key with the DH, or share the key with the DH The key derived from the key is used as the first shared key. In this embodiment of the present invention, the first shared key may be DH (A-net-priv, B-net-pub). Wherein, the private key corresponding to the first network key may be referred to as A-net-priv.

Alternatively, the first device can also generate an ECDH shared key according to the ECDH key generation algorithm according to the private key corresponding to the first network key and the second network key, and use the ECDH shared key, or the ECDH A key derived from the shared key is used as the first shared key. In this embodiment of the present invention, the first shared key may be ECDH (A-net-priv, B-net-pub).

It should be noted that those skilled in the art can understand that the first shared key generated by the first device according to the private key corresponding to the first network key and the second network key corresponds to the shared key generated by the second device according to the second network key. The private key and the second shared key generated by the first network key are the same.

For the embodiment of the present invention, the first shared key generated by the first device is the same as the second shared key generated by the second device, so that handshake authentication between the first device and the second device can be implemented.

314. The first device sends a second message.

Wherein, the second message carries the second connection information, and the second connection information includes the second signature information interest. In this embodiment of the present invention, the second message may be referred to by M2.

For this embodiment of the present invention, step 314 may be: the first device sends the encrypted second message. Wherein, the encrypted second message is obtained by the first device by encrypting the second message with a fourth key, and the fourth key is obtained by the first device according to the encryption key.

For the embodiment of the present invention, the first device may directly use the encryption key as the fourth key, and encrypt the second message according to the fourth key to obtain the encrypted second message; The encryption key is converted to obtain the converted encryption key as the fourth key, and the second message is encrypted according to the fourth key to obtain the encrypted second message.

It should be noted that between the fourth key obtained by the first device based on the encryption key, the third key obtained by the first device based on the encryption key, or the second key obtained by the first device based on the encryption key The keys may be the same or different from the first key obtained by the first device according to the encryption key, which is not limited in this embodiment of the present invention.

Further, the first device sends the second message to the second device, so that the second device receives the second message sent by the first device, and determines whether the first device is legal according to the second signature information carried in the second message.

For this embodiment of the present invention, the second connection information carried in the second message received by the second device may specifically be:

Optionally, the specific process for the second device to verify Connector2 can be as follows: First, the second device verifies whether the netID in Connector2 matches the netID in Connector1, if it matches, continues to verify Connector1, and if it does not match, then abandons the verification. In the embodiment of the invention, the netID in Connector2 and the netID in Connector1 are both SSIDs, and the two match; then, The second device verifies whether the peerKey in Connector2 is the network key or wildcard generated by itself. If it matches, it continues to verify Connector2. If it does not match, it abandons the verification. In the embodiment of the present invention, the peerKey in Connector2 is wildcard, so the peerKey matches Secondly, the second device verifies whether the introducer in Connector2 is a trusted device, if so, continues to verify Connector2, if not then abandons the verification, in the embodiment of the present invention, the introducer in Connector2 is C-id, that is, the identification information of the configuration device , so it is a trusted device; finally, the second device verifies whether signature2 is legal according to C-sign-key1, if it is legal, it determines that Connector2 is legal, and if it is not legal, it abandons the verification. In the embodiment of the present invention, signature2 is configured by the device according to C- The sign-key2 is obtained by signing, so signature2 is legal. Therefore, the second device determines that Connector2 is legal, that is, the second device determines that the first device is legal.

For the embodiment of the present invention, the second device verifies whether signature2 is legal according to C-sign-key1. Specifically, the second device first decrypts the second signature information according to the second signature verification key to obtain the decryption result, and then decrypts the decrypted As a result, it is compared with the first network key included in the second connection information, and if the decryption result matches the first network key, the second device determines that the first device is legal.

For this embodiment of the present invention, the decryption result matches the first network key, which means that the decryption result is the same as the first network key; or, after the decryption result is converted, it is the same as the first network key; or, the first After the network key is converted, it is the same as the decryption result; or, the converted decryption result is the same as the converted first network key.

For the embodiment of the present invention, the way to convert the decryption result or the first network key may be to convert the decryption result or the first network key directly through base64/32/16 encoding; 32/16, and then use the ASN.1 encoding method to convert the decryption result or the first network key.

For the embodiment of the present invention, the second signature information may also be obtained by the configuration device signing the network key to be configured and other items in the second connection information according to the second signature generation key. Wherein, the other items are any one or any combination of the network identifier, the peer network key, and the configured device identifier in the second connection information. At this point, the decryption result matches the first network key, which means The first network key and other items are the same as the decryption result; or, after converting the first network key and other items, it is the same as the decryption result; or, after converting the decryption result, it is the same as the first network key and The other items are the same; or, the converted first network key and other items are the same as the converted decryption result.

For example, when signature2 is obtained by the configuration device signing A-net-pub, SSID, wildcard and C-id according to C-sign-key2, the second device decrypts signature2 according to C-sign-key1 to obtain the decryption As a result, the decryption result is the same as A-net-pub, SSID, wildcard and C-id; or, the converted decryption result is the same as A-net-pub, SSID, wildcard and C-id; or, the decryption result, It is the same as the converted A-net-pub, SSID, wildcard and C-id; or, the converted decryption result is the same as the converted A-net-pub, SSID, wildcard and C-id. Specifically, if the conversion method is hash conversion, when signature2 is obtained by the configuration device after hashing A-net-pub, SSID, wildcard, and A-id according to C-sign-key2, the second device according to C-sign-key1 decrypts signature2 to obtain the decryption result, which is the same as the hashed result of A-net-pub, SSID, wildcard and A-id.

For this embodiment of the present invention, if the second device determines that the first device is legal, the second device obtains the first network key in the second connection information, and generates a second shared key according to the first network key.

For this embodiment of the present invention, when the first device needs to update the first network key, the following steps 315 to 318 may be performed.

315. The first device generates a third network key.

Wherein, the third network key is used by the second device to generate a shared key. In the embodiment of the present invention, the third network key may be referred to as A-net-pub'.

It should be noted that the embodiment of the present invention is not limited to the second device generating a shared key based on the third network key, and any other device that can communicate with the first device can generate a shared key based on the first network key .

For this embodiment of the present invention, the third network key may be a symmetric key or an asymmetric key, which is not limited in this embodiment of the present invention. In the embodiment of the present invention, when the third network key is not In the case of a symmetric key, the third network key may be a DH public key; it may also be an ECDH public key; it may also be the X coordinate or the Y coordinate of the ECDH public key.

For this embodiment of the present invention, the second network key may also be a result obtained by further encoding the key. For example, the second network key is the result obtained by directly encoding the DH key through base64/32/16, or it can also be obtained by first encoding the DH key through base64/32/16 and then encoding it through ASN.1 The result can also be the result obtained by directly encoding the X coordinate of the ECDH key through base64/32/16, or the Y coordinate of the ECDH key can be first encoded through base64/32/16, and then through ASN. 1 to encode the result.

For this embodiment of the present invention, the third network key is a network key regenerated by the first device. In this embodiment of the present invention, after the first device completes the configuration of the second device, it can update its own network key according to a preset period, and send the updated network key to the second device, thereby improving the network key of the first device. Security of the shared key between the device and the second device.

For this embodiment of the present invention, after step 315, the method may further include: the first device generates a new first shared key according to the second network key. Wherein, the new first shared key is a pre-key for re-handshake authentication between the first device and the second device.

Optionally, the first device may generate a DH shared key according to the DH key generation algorithm, according to the private key corresponding to the third network key, and the second network key, and share the key with the DH, or share the key with the DH A key derived from the key is used as a new first shared key. In this embodiment of the present invention, the new first shared key may be DH (A-net-priv', B-net-pub).

Alternatively, the first device can also generate an ECDH shared key according to the ECDH key generation algorithm according to the private key corresponding to the third network key and the second network key, and use the ECDH shared key, or use the ECDH A key derived from the shared key is used as a new first shared key. In this embodiment of the present invention, the new first shared key may be ECDH (A-net-priv', B-net-pub).

316. The first device sends the third network key to the configuration device.

Further, the first device sends the third network key to the configuration device, so that the configuration device reconstructs the third connection information according to the third network key, and sends the third connection information to to the first device.

317. The first device receives third connection information sent by the configuration device.

Wherein, the third connection information includes third signature information and a third network key, and the third signature information is obtained by the configuration device signing the third network key by using the second signature generation key. In the embodiment of the present invention, the third connection information may be referred to as Connector3, the third signature information may be referred to as signature3, and the third network key may be referred to as A-net-pub'.

Specifically, the configuration device can sign A-net-pub' according to DSA, ECDSA or RSA and other signature algorithms according to C-sign-key2 to obtain signature3.

For this embodiment of the present invention, the third connection information constructed by the configuration device may specifically be:

Among them, the netKey in Connector3 is A-net-pub', and the signature3 in Connector3 is obtained by signing A-net-pub'.

318. The first device sends a third message to the second device.

Wherein, the third message carries the third connection information. In this embodiment of the present invention, the third message may be referred to as M3.

Further, the first device sends a third message to the second device, so that the second device obtains the third network key, and at least generates a new second shared key according to the third network key, and the new second shared key The key is a pre-key between the first device and the second device, and the pre-key is used for handshake authentication between the first device and the second device.

For this embodiment of the present invention, the third connection information carried in the third message received by the second device may specifically be:

Optionally, the specific process for the second device to verify Connector3 can be as follows: First, the second device verifies whether the netID in Connector3 matches the netID in Connector1, if it matches, continues to verify Connector1, and if it does not match, then abandons the verification. In the embodiment of the invention, the netID in Connector3 and the netID in Connector1 are both SSIDs, and the two match; then, the second device verifies whether the peerKey in Connector3 is a network key or wildcard generated by itself, and if it matches, continues to verify Connector3, If it does not match, the verification will be abandoned. In the embodiment of the present invention, the peerKey in Connector3 is wildcard, so the peerKey matches; secondly, the second device verifies whether the introducer in Connector3 is a trusted device, if so, continue to verify Connector3, if not then give up Verification, in the embodiment of the present invention, the introducer in Connector3 is C-id, that is, the identification information of the configuration device, so it is a trusted device; finally, the second device verifies whether signature3 is legal according to C-sign-key1, and if it is legal, then Determine that Connector3 is legal, and if it is not legal, then give up the verification. In the embodiment of the present invention, signature3 is obtained by the configuration device signing according to C-sign-key2, so signature3 is legal. Therefore, the second device determines that Connector3 is legal, that is, the second device determines that the first One device is legal.

For this embodiment of the present invention, if the second device determines that Connector3 is legal, and the netKey in Connector3 is different from the netKey in Connector1, then the second device considers the netKey in Connector3 to be the updated network key of the first device, and according to A- net-pub', to regenerate the shared secret.

For this embodiment of the present invention, the second device generates a new second shared key according to the third network key. Wherein, the new second shared key is a pre-key for re-handshake authentication between the second device and the first device.

Optionally, the second device may generate the algorithm according to the DH key, and according to the second network key pair The corresponding private key and the third network key are used to generate a DH shared key, and the DH shared key or a key derived from the DH shared key is used as a new second shared key. In this embodiment of the present invention, the new second shared key may be DH(B-net-priv, A-net-pub').

Alternatively, the second device can also generate an ECDH shared key according to the ECDH key generation algorithm, according to the private key corresponding to the second network key, and the third network key, and use the ECDH shared key, or use the ECDH A key derived from the shared key is used as a new second shared key. In this embodiment of the present invention, the new second shared key may be ECDH (B-net-priv, A-net-pub').

It should be noted that those skilled in the art can understand that the new first shared key generated by the first device according to the private key corresponding to the third network key and the second network key is shared with the second device according to the second network key. The private key corresponding to the key and the new second shared key generated by the third network key are the same.

For the embodiment of the present invention, the new first shared key generated by the first device is the same as the new second shared key generated by the second device, and the re-handshake authentication between the first device and the second device can be realized .

It should be noted that, in this embodiment of the present invention, step 315 to step 318 are optional steps.

The configuration method provided by the embodiment of the present invention firstly configures the device to perform out-of-band communication with the second device, obtains the out-of-band key of the second device, and sends the out-of-band key of the second device to the first device, so that the first device The device generates an encryption key according to the out-of-band key of the second device, then the first device generates a first signature generation key and a first signature verification key, and receives the second network key sent by the second device, and finally the first device Generate a key according to the first signature, sign the second network key, obtain the first signature information, and send the first connection information encrypted according to the encryption key to the second device, the first connection information includes the first signature information and a second network key. Compared with currently configuring the first device and the second device separately through the configuration device, the embodiment of the present invention obtains the out-of-band key of the second device through out-of-band communication between the configuration device and the second device, and transfers the second device The two-device out-of-band key is sent to the first device, enabling communication between the first device and the second device, so that the first device can configure the second device, that is, when the configuration device and the second device When in-band communication cannot be performed between devices, for example, a certain device does not support in-band communication, or the configuration device does not match the in-band communication mode supported by a certain device, the first device can configure the second device, which can improve The success rate of device configuration.

The technical solutions provided by the embodiments of the present invention are applied to configuration systems. The system architecture of the present invention is shown in Figure 4. The configuration system includes a first device, a second device, a configuration device, and a third device. In-band communication between devices, out-of-band communication between the configuration device and the second device, in-band communication between the configuration device and the third device, the first device has configured the second device.

An embodiment of the present invention provides a configuration method that can improve the success rate of device configuration. As shown in FIG. 5, the method includes:

501. The third device receives the first signature verification key and the first network key sent by the configuration device.

For the embodiment of the present invention, the third device supports in-band communication, and can perform in-band communication with the configuration device, and can also perform in-band communication with the second device. In the embodiment of the present invention, the third device may specifically be: a wireless AP, a smart terminal, a wearable device, or a smart home device, and the like. Among them, smart terminals include mobile phones, mobile tablets, tablets and computers, etc., and wearable devices include smart glasses, smart watches, smart bracelets, smart rings, smart necklaces, smart shoes, smart hats, smart helmets, smart clothes and smart knee pads, etc. , smart homes include smart TVs, smart speakers, smart refrigerators, smart washing machines, smart air conditioners, smart lamps, smart curtains and smart alarms.

For the embodiment of the present invention, the configuration device is used to configure the device, or assist the device to configure other devices. In this embodiment of the present invention, the configuration device may be an external configuration device or an internal configuration device, which is not limited in this embodiment of the present invention. Wherein, the external configuration device can be a wireless device with a rich UI and relatively powerful computing capability, for example, the external configuration device can be a smart phone, a smart tablet, smart glasses or a smart watch, etc., or it can be a Other devices; the internal configuration device can also be a set of application modules, integrated in the hardware unit, and can interact with other devices through the UI provided by the hardware unit, For example, the internal configuration device can be a configuration unit integrated in the wireless AP. The configuration unit can realize input during the configuration process through the input unit of the wireless AP, and realize output during the configuration process through the output unit of the wireless AP.

For this embodiment of the present invention, the first device has configured the second device. Specifically, first configure the device to obtain the out-of-band key of the second device through out-of-band communication with the second device, and send it to the first device; then perform in-band communication between the first device and the second device to realize The first device configures the second device.

For the embodiment of the present invention, out-of-band communication refers to a communication method with a relatively short communication distance, and in-band communication refers to a communication method with a relatively long communication distance. Specifically, in-band communication can be: Bluetooth, Bluetooth Low Energy, Wi-Fi, ZigBee, UWB, WiGig, etc.; out-of-band communication can be: RFID, NFC, infrared, laser, ultrasonic, capacitive screen short-distance transmission, optical identification or acoustic identification, etc.

For example, when the way of out-of-band communication between the configuration device and the second device is optical identification, the second device first provides a QR code containing the second device’s out-of-band key; then the configuration device scans the The two-dimensional code is decoded to obtain the verification information material; finally, the configuration device obtains the verification information according to the verification information material and sends it to the first device, or the configuration device directly sends the verification information material to the first device, so that The first device acquires verification information according to the verification information material.

For another example, when the way of out-of-band communication between the configured device and the second device is acoustic recognition, the second device first plays the verification information material through its own acoustic module, and then configures the device to listen to the verification information material; finally configures the device according to The verification information material obtains verification information and sends it to the first device, or the configuration device directly sends the verification information material to the first device, so that the first device obtains verification information according to the verification information material.

It should be noted that the embodiment of the present invention is not limited to the out-of-band communication between the above-mentioned configuration device and the second device, and any other method that can realize the communication between the configuration device and the second device is applicable to the embodiment of the present invention, for example , in-band communication can be performed between the configuration device and the second device.

For the embodiment of the present invention, the verification information material and the verification information may be mutually converted through a specific encoding and decoding method, or may be the same information, which is not limited in the embodiment of the present invention. Among them, when the mutual conversion between the verification information material and the verification information is required, the mutual conversion can be realized directly through the base64/32/16 encoding method; it can also be first encoded through base64/32/16, and then encoded through ASN.1 way to achieve mutual conversion.

For the embodiment of the present invention, the first signature verification key is generated by the first device and sent to the configuration device, the first signature verification key is used to decrypt the information signed by the first device, and the first network key is generated by the first device Generated and sent to the configuration device, the first network key is used by the second device to generate a shared key.

It should be noted that this embodiment of the present invention is not limited to the second device generating a shared key based on the first network key, and any other device that can communicate with the first device can generate a shared key based on the first network key .

For this embodiment of the present invention, the first network key may be a symmetric key or an asymmetric key, which is not limited in this embodiment of the present invention. In the embodiment of the present invention, when the first network key is an asymmetric key, the second network key can be a DH public key; it can also be an ECDH public key; it can also be the X coordinate or Y coordinate of the ECDH public key .

For this embodiment of the present invention, the second network key may also be a result obtained by further encoding the key. For example, the second network key is the result obtained by directly encoding the DH key through base64/32/16, or it can also be obtained by first encoding the DH key through base64/32/16 and then encoding it through ASN.1 The result can also be the result obtained by directly encoding the X coordinate of the ECDH key through base64/32/16, or the Y coordinate of the ECDH key can be first encoded through base64/32/16, and then through ASN. 1 to encode the result.

502. The third device receives the first message sent by the second device.

Wherein, the first message carries the first connection information, and the first connection information includes the first signature information and the peer network key, and the first signature information is generated by the first device using the first signature generation key to the second network key. The signature is obtained, the first signature generation key is generated by the first device, the first signature generation key is used for the first device to sign, the first signature generation key and the first signature verification key correspond to each other, the second network key is generated by the second device, and the second network key is used by the first device or the third device to generate a shared key.

It should be noted that this embodiment of the present invention is not limited to the above-mentioned first device or third device generating a shared key according to the second network key, and any other device that can communicate with the second device can Generate a shared secret.

503. The third device determines whether the peer network key is valid according to the first network key.

Wherein, the fourth network key is generated by the third device.

Specifically, the third device may determine whether the peer network key is a trusted network key, thereby determining whether the peer network key is legal. Wherein, the trusted network key is the first network key or the fourth network key.

For this embodiment of the present invention, when the first device has configured the second device, the trusted network key is the first network key; or, when the third device configures the second device, the trusted network key is the fourth network key .

504. If the peer network key is legal, the third device determines whether the second device is legal according to the first signature information.

For this embodiment of the present invention, the first connection information may further include the second network key.

Specifically, the third device may decrypt the first signature information according to the first signature verification key to obtain a decryption result, and compare the decryption result with the second network key. If the keys match, the third device determines that the second device is legitimate.

In the configuration method provided by the embodiment of the present invention, when the first device has configured the second device, the configuration device first sends the first signature verification key and the first network key, the first signature verification key and the second device to the third device. A network key is generated by the first device and sent to the configuration device, and then the second device sends the first message carrying the first connection information to the third device, and the first connection information includes the first signature information and the peer network key , and finally the third device determines whether the peer network key is legal according to the first network key, and if the peer network key is legal, the third device determines whether the second device is legal according to the first signature information. Compared with currently configuring the first device and the second device separately through the configuration device, the embodiment of the present invention uses the first device to configure the second device according to the second device's out-of-band key. The device performs configuration, and the out-of-band key of the second device is obtained through out-of-band communication between the configuration device and the second device, and the configuration device sends the first signature verification key and the first network key to the third device, and the second The device sends the first connection information to the third device, so that the third device can determine whether the peer network key in the first connection information is legal according to the first network key, and determine the first Whether the first signature information in the connection information is legal, so that the second device that has been configured by the first device can be configured to the third device, that is, the third device can configure the second device, and the success rate of device configuration can be improved.

As a specific description of the method shown in Figure 5, the embodiment of the present invention provides another configuration method, as shown in Figure 6, the method includes:

601. The third device receives the first signature verification key and the first network key sent by the configuration device.

For the embodiment of the present invention, the third device supports in-band communication, and can perform in-band communication with the configuration device, and can also perform in-band communication with the second device. In the embodiment of the present invention, the third device may specifically be: a wireless AP, a smart terminal, a wearable device, or a smart home device, and the like. Among them, smart terminals include mobile phones, mobile tablets, tablets and computers, etc., and wearable devices include smart glasses, smart watches, smart bracelets, smart rings, smart necklaces, smart shoes, smart hats, smart helmets, smart clothes and smart knee pads, etc. , smart homes include smart TVs, smart speakers, smart refrigerators, smart washing machines, smart air conditioners, smart lamps, smart curtains and smart alarms.

For the embodiment of the present invention, the configuration device is used to configure the device, or assist the device to configure other devices. In this embodiment of the present invention, the configuration device may be an external configuration device or an internal configuration device, which is not limited in this embodiment of the present invention. Wherein, the external configuration device can be a wireless device with a rich UI and relatively powerful computing capability, for example, the external configuration device can be a smart phone, a smart tablet, smart glasses or a smart watch, etc., or it can be a Other devices; the internal configuration device can also be a set of application modules integrated in the hardware unit, and can interact with other devices through the UI provided by the hardware unit. For example, the internal configuration device can be a configuration integrated in the wireless AP unit, the configuration unit can be The input in the configuration process can be realized through the input unit of the wireless AP, and the output in the configuration process can be realized through the output unit of the wireless AP.

For this embodiment of the present invention, the first device has configured the second device. Specifically, first configure the device to obtain the out-of-band key of the second device through out-of-band communication with the second device, and send it to the first device; then perform in-band communication between the first device and the second device to realize The first device configures the second device.

For the embodiment of the present invention, out-of-band communication refers to a communication method with a relatively short communication distance, and in-band communication refers to a communication method with a relatively long communication distance. Specifically, in-band communication can be: Bluetooth, Bluetooth Low Energy, Wi-Fi, ZigBee, UWB, WiGig, etc.; out-of-band communication can be: RFID, NFC, infrared, laser, ultrasonic, capacitive screen short-distance transmission, optical identification or acoustic identification, etc.

For example, when the way of out-of-band communication between the configuration device and the second device is optical identification, the second device first provides a QR code containing the second device’s out-of-band key; then the configuration device scans the The two-dimensional code is decoded to obtain the verification information material; finally, the configuration device obtains the verification information according to the verification information material and sends it to the first device, or the configuration device directly sends the verification information material to the first device, so that The first device acquires verification information according to the verification information material.

For another example, when the way of out-of-band communication between the configured device and the second device is acoustic recognition, the second device first plays the verification information material through its own acoustic module, and then configures the device to listen to the verification information material; finally configures the device according to The verification information material obtains verification information and sends it to the first device, or the configuration device directly sends the verification information material to the first device, so that the first device obtains verification information according to the verification information material.

It should be noted that the embodiment of the present invention is not limited to the out-of-band communication between the above-mentioned configuration device and the second device, and any other method that can realize the communication between the configuration device and the second device is applicable to the embodiment of the present invention, for example , in-band communication can be performed between the configuration device and the second device.

For the embodiment of the present invention, between the verification information material and the verification information, a specific The encoding and decoding modes are mutually converted, and may also be the same information, which is not limited in this embodiment of the present invention. Among them, when the mutual conversion between the verification information material and the verification information is required, the mutual conversion can be realized directly through the base64/32/16 encoding method; it can also be first encoded through base64/32/16, and then encoded through ASN.1 way to achieve mutual conversion.

Wherein, the first signature verification key is generated by the first device and sent to the configuration device, the first signature verification key is used to decrypt the information signed by the first device, and the first network key is generated by the first device and sent to the The device is configured, and the first network key is used by the second device to generate a shared key.

It should be noted that this embodiment of the present invention is not limited to the second device generating a shared key based on the first network key, and any other device that can communicate with the first device can generate a shared key based on the first network key .

For this embodiment of the present invention, the first signature verification key may be referred to by A-sign-key1, and the first network key may be referred to by A-net-pub. In this embodiment of the present invention, A is used to identify the first device, B is used to identify the second device, C is used to identify the configuration device, D is used to identify the third device, sign is used to indicate a signature (Signature), and key is used to Represents the key, key1 is used to represent the verification key, key2 is used to represent the generated key, net is used to represent the network (network), pub is used to represent the public (public), and priv is used to represent the private (private).

It should be noted that the embodiments of the present invention are not limited to the above-mentioned identification methods for each device and each key, and any other methods that can be used to identify devices or keys are applicable to the embodiments of the present invention.

For this embodiment of the present invention, the first device generates a pair of signature keys, which are respectively the first signature verification key and the first signature generation key. Wherein, the first signature verification key is used to send to other devices, so that other devices can decrypt the information signed by the first device through the first signature verification key; the first signature generation key is used to configure the device to perform sign.

For this embodiment of the present invention, the first network key may be a symmetric key or an asymmetric key, which is not limited in this embodiment of the present invention. In the embodiment of the present invention, when the first network key is an asymmetric key, the first network key can be a DH public key; it can also be an ECDH public key; it can also be the X coordinate or Y coordinate of the ECDH public key .

For this embodiment of the present invention, the first network key may also be a result obtained by further encoding the key. For example, the first network key is the result obtained by directly encoding the DH key through base64/32/16, or it can also be obtained by first encoding the DH key through base64/32/16 and then encoding it through ASN.1 The result can also be the result obtained by directly encoding the X coordinate of the ECDH key through base64/32/16, or the Y coordinate of the ECDH key can be first encoded through base64/32/16, and then through ASN. 1 to encode the result.

602. The third device generates a fourth network key.

Wherein, the fourth network key is used by the second device to generate a shared key. In this embodiment of the present invention, the fourth network key may be referred to as D-net-pub.

It should be noted that this embodiment of the present invention is not limited to the second device generating a shared key based on the fourth network key, and any other device that can communicate with the third device can generate a shared key based on the fourth network key .

603. The third device sends the fourth network key to the configuration device.

604. The third device receives fourth connection information sent by the configuration device.

Wherein, the fourth connection information includes the fourth signature information and the fourth network key, the fourth signature information is obtained by the configuration device using the second signature generation key to sign the fourth network key, the second signature generation key and the The second signature verification key is generated by the configuration device. The second signature generation key is used to configure the device to sign. The second signature verification key is used to decrypt the information signed by the configuration device. The second signature generation key is the same as the second signature The verification keys correspond to each other. In the embodiment of the present invention, the fourth connection information can be referred to as Connector4, the fourth signature information can be referred to as signature4, the second signature verification key can be referred to as C-sign-key1, and the second signature generation The key can be referred to by C-sign-key2.

For the embodiment of the present invention, the configuration device generates a pair of signature keys, which are respectively the second signature verification key and the second signature generation key. Wherein, the second signature verification key is used to send to other devices, so that other devices can decrypt the information signed by the second device through the second signature verification key; the second signature generation key is used to configure the device to perform sign.

For the embodiment of the present invention, when the second signature generation key and the second signature verification key are When using an asymmetric key, the second signature generation key is the corresponding private key, and the second signature verification key is the corresponding public key; or, when the second signature generation key and the second signature verification key are symmetric key, the second signature generation key is the same as the second signature verification key.

For the embodiment of the present invention, the connection information may specifically include: network identification information, peer network key information, network key information to be configured, configuration device identification information, and configuration device signature information. In the embodiment of the present invention, the specific form of connection information may be:

Among them, netID is used to represent the network identifier of the network that the device to be configured is configured to join or to be configured to create; PeerKey is used to represent the network key of the peer device to which the device to be configured is configured to connect. In the embodiment of the present invention, when the PeerKey is Wildcard (wildcard), it means that the device to be configured can be connected to all devices in the network.

For this embodiment of the present invention, the fourth connection information constructed by the configuration device may specifically be:

Wherein, SSID is a network identifier, and when the first device is a wireless AP, netID is the SSID of the wireless AP; wildcard is a wildcard, and when peerKey is wildcard, it means that the first device can be connected to all devices in the network; C-id To configure the identification information of the device.

Specifically, the configuration device can use signature algorithms such as DSA, ECDSA, or RSA, according to C-sign-key2, sign D-net-pub to get signature4.

For the embodiment of the present invention, the configuration device can also sign D-net-pub and other items according to DSA, ECDSA or RSA and other signature algorithms according to C-sign-key2 to obtain signature4. Wherein, other items may be any one or any combination of SSID, wildcard and C-id.

For this embodiment of the present invention, the configuration device can also first convert C-sign-key2, and then according to DSA, ECDSA or RSA and other signature algorithms, according to the converted C-sign-key2, to A-net-pub, or A-net-pub -net-pub and other items are signed to get signature4.

605. The third device sends a fourth message to the second device.

Wherein, the fourth message carries fourth connection information, and the fourth connection information includes fourth signature information. In this embodiment of the present invention, the fourth message may be referred to by M4.

Further, the third device sends a fourth message to the second device, so that the second device receives the fourth message sent by the third device, and according to the fourth signature information carried in the fourth message and the second signature verification key , to determine whether the third device is legitimate, and send the second signature verification key to the second device when the first device configures the second device.

For this embodiment of the present invention, the fourth connection information carried in the fourth message received by the second device may specifically be:

Optionally, the specific process for the second device to verify Connector4 can be as follows: First, the second device verifies the netID in Connector4, whether it matches the netID in Connector1, if it matches, then continue to verify Connector1, if it does not match, then give up verification, in this In the embodiment of the invention, the netID in Connector4 and the netID in Connector1 are both SSIDs, and the two match; then, The second device verifies whether the peerKey in Connector4 is the network key or wildcard generated by itself, if it matches, then continue to verify Connector4, if it does not match, then give up verification, in the embodiment of the present invention, the peerKey in Connector4 is wildcard, so peerKey matches Secondly, whether the introducer in the second device verification Connector4 is a trusted device, if so, continue to verify Connector4, if not then give up the verification, in the embodiment of the present invention, the introducer in Connector4 is C-id, that is, the identification information of the configuration device , so it is a trusted device; finally, the second device verifies whether signature4 is legal according to C-sign-key1, if it is legal, it determines that Connector4 is legal, and if it is not legal, it abandons the verification. In the embodiment of the present invention, signature2 is configured by the device according to C- The sign-key2 is obtained by signing, so signature4 is legal. Therefore, the second device determines that Connector4 is legal, that is, the second device determines that the first device is legal.

For this embodiment of the present invention, the second device verifies whether signature4 is legal according to C-sign-key1. Specifically, the second device first decrypts the fourth signature information according to the second signature verification key to obtain the decryption result, and then decrypts the decrypted As a result, it is compared with the fourth network key included in the fourth connection information, and if the decryption result matches the fourth network key, the second device determines that the third device is legal.

For this embodiment of the present invention, the decryption result matches the fourth network key, which means that the decryption result is the same as the fourth network key; or, after the decryption result is converted, it is the same as the fourth network key; or, the fourth network key After the network key is converted, it is the same as the decryption result; or, the converted decryption result is the same as the converted fourth network key.

For the embodiment of the present invention, the way to convert the decryption result or the fourth network key may be to convert the decryption result or the fourth network key directly through base64/32/16 encoding; 32/16, and then use the ASN.1 encoding method to convert the decryption result or the fourth network key.

For the embodiment of the present invention, the fourth signature information may also be obtained by the configuration device signing the network key to be configured and other items in the fourth connection information according to the second signature generation key. Wherein, the other items are any one or any combination of the network identifier, the peer network key, and the configured device identifier in the fourth connection information. At this time, the decryption result matches the fourth network key, which means The fourth network key and other items are the same as the decryption result; or, after converting the fourth network key and other items, it is the same as the decryption result; or, after converting the decryption result, it is the same as the fourth network key and Other items are the same; or, the converted fourth network key and other items are the same as the converted decryption result.

For example, when signature4 is obtained by the configuration device signing D-net-pub, SSID, wildcard and C-id according to C-sign-key2, the second device decrypts signature4 according to C-sign-key1 to obtain the decryption As a result, the decryption result is the same as D-net-pub, SSID, wildcard and C-id; or, the converted decryption result is the same as D-net-pub, SSID, wildcard and C-id; or, the decryption result, It is the same as the converted D-net-pub, SSID, wildcard and C-id; or, the converted decryption result is the same as the converted D-net-pub, SSID, wildcard and C-id. Specifically, if the conversion method is hash conversion, when signature4 is obtained by the configuration device after hashing D-net-pub, SSID, wildcard, and C-id according to C-sign-key2, the second device obtains it according to C-sign-key1 decrypts signature4 to obtain the decryption result, which is the same as the hashed result of D-net-pub, SSID, wildcard and C-id.

For this embodiment of the present invention, if the second device determines that Connector4 is legal, and the netKey in Connector4 is different from the netKey in Connector1, then the second device considers the netKey in Connector4 to be an updated network key, and according to D-net-pub , to regenerate the shared secret.

For this embodiment of the present invention, the second device generates the fourth shared key according to the fourth network key. Wherein, the fourth shared key is a pre-key for handshake authentication between the third device and the first device.

Optionally, the second device may generate a DH shared key according to the DH key generation algorithm, according to the private key corresponding to the second network key, and the fourth network key, and share the key with DH, or share the key with DH A key derived from the key is used as the fourth shared key. In this embodiment of the present invention, the fourth shared key may be DH (B-net-priv, D-net-pub).

Alternatively, the second device can also generate an ECDH shared key according to the ECDH key generation algorithm according to the private key corresponding to the second network key and the fourth network key, and use the ECDH shared key, or use the ECDH A key derived from the shared key is used as the fourth shared key. In this embodiment of the present invention, the fourth shared key may be ECDH (B-net-priv, D-net-pub).

606. The third device receives the first message sent by the second device.

Wherein, the first message carries the first connection information, and the first connection information includes the first signature information and the peer network key, and the first signature information is generated by the first device using the first signature generation key to the second network key. The signature is obtained, the first signature generation key is generated by the first device, the first signature generation key is used for the first device to sign, the first signature generation key and the first signature verification key correspond to each other, the second network The key is generated by the second device, and the second network key is used by the first device or the third device to generate a shared key. In this embodiment of the present invention, the first message can be referred to by M1, the first connection information can be referred to by Connector1, the first signature information can be referred to by signature1, and the second network key can be referred to by B-net- pub to refer to.

For this embodiment of the present invention, the first connection information constructed by the first device may specifically be:

Optionally, after step 606, it may also include: first, the third device verifies the netID in Connector1, whether it matches the netID in Connector4, if it matches, continues to verify Connector1, and if it does not match, then abandons the verification. In the embodiment of the present invention , the netID in Connector1 and the netID in Connector4 are both SSIDs, and they match.

607. The third device determines whether the peer network key is valid according to the first network key.

Optionally, step 607 may be that the third device determines whether the peer network key is a trusted network key. Wherein, the trusted network key includes the first network key or the fourth network key. Specifically, when the first device has configured the second device, the trusted network key is the first network key; or, when the third device has configured the second device, the trusted network key is the fourth network key.

Specifically, the third device verifies whether the peerKey in Connector1 is A-net-pub or D-net-pub or wildcard, if it matches, then continue to verify Connector1, if not match, then give up verification, in the embodiment of the present invention, the peerKey in Connector1 is A-net-pub, so the peerKey matches.

Optionally, after step 607, it may also include: the third device verifies whether the introducer in Connector1 is a trusted device, if so, continues to verify Connector1, and if not, gives up the verification. In the embodiment of the present invention, the introducer in Connector1 is A -id is its own identification information, so it is a trusted device.

608. The third device decrypts the first signature information by using the first signature verification key to obtain a decryption result.

Specifically, the third device verifies whether signature1 is legal according to A-sign-key1, and if it is legal, it determines that Connector1 is legal; The signature is obtained, so signature1 is legal. Therefore, the third device determines that Connector1 is legal, that is, the third device determines that the second device is legal.

For the embodiment of the present invention, when the first signature generation key and the first signature verification key are asymmetric keys, the first signature generation key is the corresponding private key, and the first signature verification key is the corresponding public key; or, when the first signature generation key and the first signature verification key are symmetric keys, the first signature generation key and the first signature verification key are the same.

609. The third device compares the decryption result with the second network key.

For this embodiment of the present invention, the first connection information may further include the second network key.

610. If the decryption result matches the second network key, the third device determines that the second device is legal.

For this embodiment of the present invention, the decryption result matches the second network key, which means that the decryption result is the same as the second network key; or, after the decryption result is converted, it is the same as the second network key; or, the second network key After the network key is converted, it is the same as the decryption result; or, the converted decryption result is the same as the converted second network key.

For the embodiment of the present invention, the way to convert the decryption result or the second network key may be to convert the decryption result or the second network key directly through base64/32/16 encoding. It can also be encoded by base64/32/16 first, and then converted by the ASN.1 encoding method to the decryption result or the second network key.

For the embodiment of the present invention, the first signature information may also be obtained by the first device signing the network key to be configured and other items in the first connection information according to the first signature generation key. Wherein, the other item is any one or any combination of the network identifier, the peer network key, and the configured device identifier in the first connection information. At this time, the decryption result matches the second network key, which means that the second network key and other items are the same as the decryption result; or, after conversion of the second network key and other items, it is the same as the decryption result; or , after converting the decryption result, it is the same as the second network key and other items; or, the converted second network key and other items are the same as the converted decryption result.

For example, when signature1 is obtained by the first device signing B-net-pub, SSID, A-net-pub and A-id according to A-sign-key2, the third device signs signature1 according to A-sign-key1 Perform decryption to obtain the decryption result, which is the same as B-net-pub, SSID, A-net-pub and A-id; or, the converted decryption result is the same as B-net-pub, SSID, A-net -pub and A-id are the same; or, the decryption result is the same as the converted B-net-pub, SSID, A-net-pub and A-id; or, the converted decryption result is the same as the converted B-net-pub net-pub, SSID, A-net-pub and A-id are the same. Specifically, if the conversion method is hash conversion, when signature1 is obtained by signing B-net-pub, SSID, A-net-pub and A-id according to A-sign-key2 by the first device , the first device decrypts signature1 according to A-sign-key1 to obtain a decryption result, which is the same as the hashed result of B-net-pub, SSID, A-net-pub and A-id.

611. The third device generates a third shared key at least according to the second network key.

Wherein, the third shared key is a pre-key for handshake authentication between the third device and the second device.

Optionally, the third device generates a DH shared key according to the Diffie-Hellman DH key generation algorithm according to the private key corresponding to the fourth network key and the second network key, and uses the DH shared key, Or a key derived from the DH shared key is used as the third shared key. Among them, the first The four network keys are used by the second device to generate a shared key. In this embodiment of the present invention, the third shared key may be DH (D-net-priv, B-net-pub). Wherein, the private key corresponding to the fourth network key may be D-net-priv.

It should be noted that this embodiment of the present invention is not limited to the second device generating a shared key based on the fourth network key, and any other device that can communicate with the third device can generate a shared key based on the fourth network key .

Alternatively, the third device generates an ECDH shared key according to the private key corresponding to the fourth network key and the second network key according to the Diffie-Hellman ECDH key generation algorithm based on the elliptic curve cryptosystem, The ECDH shared key, or a key derived from the ECDH shared key is used as the third shared key. In this embodiment of the present invention, the third shared key may be ECDH (D-net-priv, B-net-pub).

It should be noted that those skilled in the art can understand that the third shared key generated by the third device according to the private key corresponding to the fourth network key and the second network key corresponds to the shared key generated by the second device according to the second network key. The private key and the fourth shared key generated by the fourth network key are the same.

For the embodiment of the present invention, the third shared key generated by the third device is the same as the fourth shared key generated by the second device, so that handshake authentication between the third device and the second device can be implemented.

In the configuration method provided by the embodiment of the present invention, when the first device has configured the second device, the configuration device first sends the first signature verification key and the first network key, the first signature verification key and the second device to the third device. A network key is generated by the first device and sent to the configuration device, and then the second device sends the first message carrying the first connection information to the third device, and the first connection information includes the first signature information and the peer network key , and finally the third device determines whether the peer network key is legal according to the first network key, and if the peer network key is legal, the third device determines whether the second device is legal according to the first signature information. Compared with currently configuring the first device and the second device separately through the configuration device, the embodiment of the present invention uses the first device to configure the second device according to the out-of-band key of the second device, and the out-of-band key of the second device Obtained by out-of-band communication between the configuration device and the second device, and the configuration device sends the first signature verification key and the first network key to the third device key, the second device sends the first connection information to the third device, so that the third device can determine whether the peer network key in the first connection information is legal according to the first network key, and verify the key according to the first signature , to determine whether the first signature information in the first connection information is legal, so that the second device that has been configured by the first device can be configured to the third device, that is, the third device can configure the second device, and the configuration of the device can be improved. success rate.

Further, as an implementation of the methods shown in FIG. 2 and FIG. 3 , an embodiment of the present invention also provides a configuration device, the device can be located in the first device, the first device is located in the configuration system, and the configuration system includes the first device , the second device and the configuration device, in-band communication between the configuration device and the first device, out-of-band communication between the configuration device and the second device, the device can be used to configure the second device, as shown in Figure 7 As shown, the device includes: a receiving unit 71 , a generating unit 72 , a sending unit 73 , and a signature unit 74 .

The receiving unit 71 is configured to receive the out-of-band key of the second device sent by the configuration device.

Wherein, the out-of-band key of the second device is obtained by the configuration device through out-of-band communication with the second device.

The generating unit 72 is configured to generate an encryption key according to the out-of-band key of the second device received by the receiving unit 71 .

Wherein, the encryption key is used to encrypt the information sent by the first device to the second device.

The generation unit 72 is further configured to generate a first signature generation key and a first signature verification key.

Wherein, the first signature generation key and the first signature verification key are generated by the first device, the first signature generation key is used for the first device to sign, and the first signature verification key is used for signing information of the first device For decryption, the first signature generation key and the first signature verification key correspond to each other.

The receiving unit 71 is further configured to receive the second network key sent by the second device.

Wherein, the second network key is generated by the second device, and the second network key is used by the first device to generate a shared key.

The signature unit 74 is configured to use the first signature generation key to sign the second network key received by the receiving unit 71 to obtain first signature information.

Wherein, the first signature generation key is generated by the first device, the first signature generation key is used for the first device to sign, and the first signature generation key and the first signature verification key correspond to each other.

A sending unit 73, configured to send the encrypted first connection information to the second device.

Wherein, the first connection information includes the first signature information signed by the signature unit 74 and the second network key, the encrypted first connection information is obtained by the first device using the first key to encrypt the first connection information, and the second A key is obtained by the first device according to the encryption key generated by the generating unit 72, so that the second device obtains and sends the first connection information to the first device, and the first connection information is used by the first device to determine whether the second device is legitimate .

Further, so that the second device acquires the first connection information.

The receiving unit 71 is further configured to receive the second signature verification key sent by the configuration device before the receiving unit 71 receives the out-of-band key of the second device.

Wherein, the second signature verification key is generated by the configuration device, and the second signature verification key is used to decrypt the information signed by the configuration device.

The generating unit 72 is also configured to generate a first network key.

Wherein, the first network key is used by the second device to generate a shared key.

The sending unit 73 is further configured to send the first network key generated by the generating unit 72 to the configuration device.

Further, the configuration device generates and sends the second connection information to the first device at least according to the first network key.

The receiving unit 71 is further configured to receive the second connection information sent by the configuration device after the sending unit 73 sends the first network key.

Wherein, the second connection information includes the second signature information and the first network key, the second signature information is obtained by the configuration device signing the first network key with the second signature generation key, and the second signature generation key is obtained by the configuration Generated by the device, the second signature generation key is used to configure the device for signing, and the second signature generation key corresponds to the second signature verification key.

For the embodiment of the present invention, when the second signature generation key and the second signature verification key are asymmetric keys, the second signature generation key is the corresponding private key, and the second signature verification key is the pair corresponding public key. Or, when the second signature generation key and the second signature verification key are symmetric keys, the second signature generation key is the same as the second signature verification key.

The sending unit 73 is also configured to send the second message.

Wherein, the second message carries second connection information, and the second connection information includes second signature information.

Further, the second device receives the second message sent by the first device, and determines whether the first device is legal according to the second signature information carried in the second message, and at least according to the first network password in the second signature information key to generate a second shared key, the second shared key is a pre-key between the first device and the second device, and the pre-key is used for handshake authentication between the first device and the second device.

The generating unit 72 is further configured to generate a third network key.

Wherein, the third network key is used by the second device to generate a shared key.

The sending unit 73 is further configured to send the third network key to the configuration device.

The receiving unit 71 is further configured to receive third connection information sent by the configuration device.

Wherein, the third connection information includes third signature information and a third network key, and the third signature information is obtained by the configuration device signing the third network key by using the second signature generation key.

The sending unit 73 is further configured to send the encrypted third message to the second device.

Wherein, the encrypted second signature verification key is obtained by the first device according to the encryption key, and the third message carries the third connection information.

Further, so that the second device obtains the third network key, and at least generates a new second shared key according to the third network key, and the new second shared key is a communication between the first device and the second device. A pre-key, the pre-key is used for handshake authentication between the first device and the second device.

For the embodiment of the present invention, when the first signature generation key and the first signature verification key are asymmetric keys, the first signature generation key is the corresponding private key, and the first signature verification key is the corresponding public key; or, when the first signature generation key and the first signature verification key are symmetric keys, the first signature generation key and the first signature verification key are the same.

The sending unit 73 is further configured to send the encrypted second signature verification key to the second device.

Wherein, the encrypted second signature verification key is obtained by the first device by using the second key to encrypt the second signature verification key, and the second key is obtained by the first device according to the encryption key.

Further, the second device receives the second signature verification key, and determines that the first device is legal according to the second signature verification key and the second signature information carried in the second message.

The receiving unit 71 is further configured to receive the first message sent by the second device.

Further, as shown in FIG. 8 , the device may further include: a determining unit 81 .

Wherein, the first message carries the first connection information.

The determining unit 81 is configured to determine that the second device is legal according to the first signature information carried in the first message.

The determining unit 81 is specifically configured to determine, according to the first signature information carried in the first message, whether the device that obtained the first signature information by signing is a trusted device.

Wherein, the trusted device is the first device or the configuration device.

Optionally, the device further includes: a decryption unit 82 and a comparison unit 83 .

The decryption unit 82 is configured to use the first signature verification key to decrypt the first signature information to obtain a decryption result.

The comparison unit 83 is configured to compare the decryption result obtained by the decryption unit 82 with the second network key included in the first connection information.

The determining unit 81 is specifically configured to determine that the second device is legal when the comparing unit 83 compares the decryption result with the second network key.

The generating unit 72 is further configured to generate the first shared key at least according to the second network key when the determining unit 81 determines that the second device is legitimate.

Wherein, the first shared key is a pre-key between the first device and the second device, and the pre-key is used for handshake authentication between the first device and the second device.

The generation unit 72 is specifically configured to generate a DH shared key according to the Diffie-Hellman DH key generation algorithm, according to the private key corresponding to the first network key, and the second network key, and use the DH shared key, Or a key derived from the DH shared key is used as the first shared key.

The generation unit 72 is specifically also used for Diffie-Hellman based on the elliptic curve cryptosystem The ECDH key generation algorithm generates an ECDH shared key according to the private key corresponding to the first network key and the second network key, and uses the ECDH shared key, or a key derived from the ECDH shared key, as The first shared secret.

The determining unit 81 is further configured to determine whether the second device stores a private key corresponding to the second device's out-of-band key.

Wherein, the private key corresponding to the out-of-band key of the second device corresponds to the out-of-band key of the second device.

For the embodiment of the present invention, when the private key corresponding to the out-of-band key of the second device and the out-of-band key of the second device are asymmetric keys, the private key corresponding to the out-of-band key of the second device is a private key, The second device out-of-band key is a public key. Or, when the private key corresponding to the out-of-band key of the second device and the out-of-band key of the second device are symmetric keys, the private key corresponding to the out-of-band key of the second device is the same as the out-of-band key of the second device .

The determining unit 81 is further configured to determine that the second device is legal when the second device stores a private key corresponding to the second device's out-of-band key.

The configuration device provided by the embodiment of the present invention first configures the device to perform out-of-band communication with the second device, obtains the out-of-band key of the second device, and sends the out-of-band key of the second device to the first device, and then the first device generating a first signature generation key and a first signature verification key, and receiving a second network key generated by the second device sent by the second device, and finally the first device generates a key according to the first signature generated by the first device, Sign the second network key to obtain first signature information, and send first connection information including the first signature information and the second network key to the second device. Compared with currently configuring the first device and the second device separately through the configuration device, the embodiment of the present invention obtains the out-of-band key of the second device through out-of-band communication between the configuration device and the second device, and transfers the second device The two-device out-of-band key is sent to the first device, enabling communication between the first device and the second device, so that the first device can configure the second device, that is, when the configuration device and the second device cannot When performing in-band communication, for example, if a certain device does not support in-band communication, or the configured device does not match the in-band communication mode supported by a certain device, the first device can configure the second device to improve the performance of the device. configuration success rate.

It should be noted that for other corresponding descriptions corresponding to each unit in the configured device provided in the embodiment of the present invention, reference may be made to the corresponding descriptions in FIG. 2 and FIG. 3 , and details are not repeated here.

Furthermore, the embodiment of the present invention also provides a device, the device is the first device, the first device is located in the configuration system, the configuration system includes the first device, the second device and the configuration device, the configuration device and the first device In-band communication is performed between one device, and out-of-band communication is performed between the configuration device and a second device. As shown in FIG. 9 , the first device includes: a receiver 91 , a processor 92 , and a transmitter 93 .

The receiver 91 is configured to receive the out-of-band key of the second device sent by the configuration device.

Wherein, the out-of-band key of the second device is obtained by the configuration device through out-of-band communication with the second device.

The processor 92 is configured to generate an encryption key according to the out-of-band key of the second device received by the receiver 91.

Wherein, the encryption key is used to encrypt the information sent by the first device to the second device.

The processor 92 is also configured to generate a first signature generation key and a first signature verification key.

Wherein, the first signature generation key and the first signature verification key are generated by the first device, the first signature generation key is used for the first device to sign, and the first signature verification key is used for signing information of the first device For decryption, the first signature generation key and the first signature verification key correspond to each other.

The receiver 91 is further configured to receive the second network key sent by the second device.

Wherein, the second network key is generated by the second device, and the second network key is used by the first device to generate a shared key.

The processor 92 is further configured to use the first signature generation key to sign the second network key received by the receiver 91 to obtain first signature information.

Wherein, the first signature generation key is generated by the first device, the first signature generation key is used for the first device to sign, and the first signature generation key and the first signature verification key correspond to each other.

The sender 93 is configured to send the encrypted first connection information to the second device.

Wherein, the first connection information includes the first signature information signed by the processor 92 and the second network The encrypted first connection information is obtained by the first device by encrypting the first connection information with the first key, and the first key is obtained by the first device according to the encryption key generated by the processor 92 .

Further, so that the second device obtains and sends the first connection information to the first device, the first connection information is used by the first device to determine whether the second device is legitimate.

The receiver 91 is further configured to receive the second signature verification key sent by the configuration device before the receiver 91 receives the out-of-band key of the second device.

Wherein, the second signature verification key is generated by the configuration device, and the second signature verification key is used to decrypt the information signed by the configuration device.

The processor 92 is further configured to generate a first network key.

Wherein, the first network key is used by the second device to generate a shared key.

It should be noted that there may be one or more processors 92 in the first device, and this embodiment of the present invention uses one as an example for description, and other embodiments may be understood with reference to this.

The sender 93 is further configured to send the first network key generated by the processor 92 to the configuration device.

Further, the configuration device generates and sends the second connection information to the first device at least according to the first network key.

The receiver 91 is further configured to receive the second connection information sent by the configuration device after the sender 93 sends the first network key.

Wherein, the second connection information includes the second signature information and the first network key, the second signature information is obtained by the configuration device signing the first network key with the second signature generation key, and the second signature generation key is obtained by the configuration Generated by the device, the second signature generation key is used to configure the device for signing, and the second signature generation key corresponds to the second signature verification key.

For the embodiment of the present invention, when the second signature generation key and the second signature verification key are asymmetric keys, the second signature generation key is the corresponding private key, and the second signature verification key is the corresponding public key; or, when the second signature generation key and the second signature verification key are symmetric keys, the second signature generation key is the same as the second signature verification key.

The sender 93 is also used to send the second message.

Wherein, the second message carries the second connection information, and the second connection information includes the second signature information interest.

Further, so that the second device receives the second message sent by the first device, determines whether the first device is legitimate according to the second signature information carried in the second message, and at least according to the first network key in the second signature information A second shared key is generated, where the second shared key is a pre-key between the first device and the second device, and the pre-key is used for handshake authentication between the first device and the second device.

The processor 92 is further configured to generate a third network key.

Wherein, the third network key is used by the second device to generate a shared key.

The sender 93 is further configured to send the third network key to the configuration device.

The receiver 91 is further configured to receive third connection information sent by the configuration device.

Wherein, the third connection information includes third signature information and a third network key, and the third signature information is obtained by the configuration device signing the third network key by using the second signature generation key.

The sender 93 is further configured to send the third message to the second device.

Wherein, the third message carries the third connection information.

Further, so that the second device obtains the third network key, and at least generates a new second shared key according to the third network key, and the new second shared key is a communication between the first device and the second device. A pre-key, the pre-key is used for handshake authentication between the first device and the second device.

For the embodiment of the present invention, when the first signature generation key and the first signature verification key are asymmetric keys, the first signature generation key is the corresponding private key, and the first signature verification key is the corresponding public key; or, when the first signature generation key and the first signature verification key are symmetric keys, the first signature generation key and the first signature verification key are the same.

The sender 93 is further configured to send the encrypted second signature verification key to the second device.

Wherein, the encrypted second signature verification key is obtained by the first device by using the second key to encrypt the second signature verification key, and the second key is obtained by the first device according to the encryption key.

Further, the second device receives the second signature verification key, and determines that the first device is legal according to the second signature verification key and the second signature information carried in the second message.

The receiver 91 is further configured to receive the first message sent by the second device.

Wherein, the first message carries the first connection information.

The processor 92 is further configured to determine that the second device is legal according to the first signature information carried in the first message.

The processor 92 is specifically configured to determine, according to the first signature information carried in the first message, whether the device that signed the first signature information is a trusted device.

Wherein, the trusted device is the first device or the configuration device.

The processor 92 is further configured to use the first signature verification key to decrypt the first signature information to obtain a decryption result.

The processor 92 is further configured to compare the decryption result with the second network key included in the first connection information.

The processor 92 is specifically configured to determine that the second device is legal when the decryption result matches the second network key.

The processor 92 is further configured to generate the first shared key according to the second network key when it is determined that the second device is legitimate.

Wherein, the first shared key is a pre-key between the first device and the second device, and the pre-key is used for handshake authentication between the first device and the second device.

The processor 92 is further configured to generate a DH shared key according to the Diffie-Hellman DH key generation algorithm according to the private key corresponding to the first network key and the second network key, and to generate the DH shared key, Or a key derived from the DH shared key is used as the first shared key.

The processor 92 is further configured to generate an ECDH shared key according to the private key corresponding to the first network key and the second network key according to the Diffie-Hellman ECDH key generation algorithm based on the elliptic curve cryptosystem, The ECDH shared key, or a key derived from the ECDH shared key is used as the first shared key.

The processor 92 is specifically configured to determine whether the second device stores a private key corresponding to the out-of-band key of the second device.

Wherein, the private key corresponding to the out-of-band key of the second device corresponds to the out-of-band key of the second device.

For the embodiment of the present invention, when the private key corresponding to the out-of-band key of the second device and the out-of-band key of the second device are asymmetric keys, the private key corresponding to the out-of-band key of the second device is a private key, The out-of-band key of the second device is a public key; or, when the private key corresponding to the out-of-band key of the second device and the out-of-band key of the second device are symmetric keys, the corresponding The private key is the same as the second device out-of-band key.

The processor 92 is specifically further configured to determine that the second device is legal when the second device stores the private key corresponding to the second device's out-of-band key.

The device provided by the embodiment of the present invention, specifically the first device, first configures the device to perform out-of-band communication with the second device, obtains the out-of-band key of the second device, and sends the out-of-band key of the second device to the first device, so that the first device generates an encryption key according to the out-of-band key of the second device, and then the first device generates a first signature generation key and a first signature verification key, and receives the second network key sent by the second device, Finally, the first device generates a key according to the first signature, signs the second network key, obtains the first signature information, and sends the first connection information encrypted according to the encryption key to the second device. The first connection information includes The first signature information and the second network key. Compared with currently configuring the first device and the second device separately through the configuration device, the embodiment of the present invention obtains the out-of-band key of the second device through out-of-band communication between the configuration device and the second device, and transfers the second device The two-device out-of-band key is sent to the first device, enabling communication between the first device and the second device, so that the first device can configure the second device, that is, when the configuration device and the second device cannot When performing in-band communication, for example, if a certain device does not support in-band communication, or the configured device does not match the in-band communication mode supported by a certain device, the first device can configure the second device to improve the performance of the device. configuration success rate.

It should be noted that for other corresponding descriptions corresponding to the components in the first device provided in the embodiment of the present invention, reference may be made to the corresponding descriptions in FIG. 2 or FIG. 3 , and details are not repeated here.

Furthermore, as an implementation of the methods shown in Figures 5 and 6, an embodiment of the present invention also provides a configuration device, which can be located in the third device, the third device is located in the configuration system, and the configuration system includes the first device , the second device, the configuration device and the third device, in-band communication between the configuration device and the first device, out-of-band communication between the configuration device and the second device, configuration In-band communication is performed between the device and the third device, the first device has configured the second device, and the device can be used to configure the second device, as shown in Figure 10, the device includes: a receiving unit 101, a determining unit 102.

The receiving unit 101 is configured to receive the first signature verification key and the first network key sent by the configuration device.

Wherein, the first signature verification key is generated by the first device and sent to the configuration device, the first signature verification key is used to decrypt the information signed by the first device, and the first network key is generated by the first device and sent to the The device is configured, and the first network key is used by the second device to generate a shared key.

The receiving unit 101 is further configured to receive a first message sent by the second device, the first message carries first connection information, the first connection information includes first signature information and a peer network key, and the first signature information is generated by the first The device uses the first signature generation key to sign the second network key, the first signature generation key is generated by the first device, the first signature generation key is used for the first device to sign, and the first signature generation key Corresponding to the first signature verification key, the second network key is generated by the second device, and the second network key is used by the first device or the third device to generate a shared key.

The determining unit 102 is configured to determine whether the peer network key is valid according to the first network key received by the receiving unit 101 .

The determining unit 102 is further configured to determine whether the second device is legal according to the first signature information received by the receiving unit 101 when the peer network key is legal.

The determining unit 102 is specifically configured to determine whether the peer network key is a trusted network key.

Wherein, the trusted network key includes the first network key.

The first connection information received by the receiving unit 101 also includes a second network key.

Further, as shown in FIG. 11 , the device further includes: a decryption unit 111 and a comparison unit 112 .

The decryption unit 111 is configured to use the first signature verification key to decrypt the first signature information to obtain a decryption result.

The comparison unit 112 is used to decrypt the decryption result obtained by the decryption unit 111, and the second network Keys are compared.

The determining unit 102 is specifically configured to determine that the second device is legal when the comparing unit 112 compares the decryption result with the second network key.

Optionally, the device further includes: a generating unit 113 .

The generating unit 113 is configured to generate a third shared key at least according to the second network key received by the receiving unit 101 .

Wherein, the third shared key is a pre-key for handshake authentication between the third device and the second device.

The generation unit 113 specifically includes generating a DH shared key according to the Diffie-Hellman DH key generation algorithm according to the private key corresponding to the fourth network key and the second network key, and using the DH shared key, or The key derived from the DH shared key is used as the third shared key, and the fourth network key is used by the second device to generate the shared key. or,

The generation unit 113 specifically includes generating an ECDH shared key according to the private key corresponding to the fourth network key and the second network key according to the Diffie-Hellman ECDH key generation algorithm based on the elliptic curve cryptosystem, and The ECDH shared key, or a key derived from the ECDH shared key is used as the third shared key.

The generating unit 113 is further configured to generate a fourth network key.

Wherein, the fourth network key is used by the second device to generate a shared key.

Optionally, the device further includes: a sending unit 114 .

The sending unit 114 is configured to send the fourth network key generated by the generating unit 113 to the configuration device.

The receiving unit 101 is further configured to receive fourth connection information sent by the configuration device.

Wherein, the fourth connection information includes the fourth signature information and the fourth network key, the fourth signature information is obtained by the configuration device using the second signature generation key to sign the fourth network key, the second signature generation key and the The second signature verification key is generated by the configuration device. The second signature generation key is used to configure the device to sign. The second signature verification key is used to decrypt the information signed by the configuration device. The second signature generation key is the same as the second signature The verification keys correspond to each other.

For the embodiment of the present invention, when the second signature generation key and the second signature verification key are asymmetric keys, the second signature generation key is the corresponding private key, and the second signature verification key is the corresponding public key; or, when the second signature generation key and the second signature verification key are symmetric keys, the second signature generation key is the same as the second signature verification key.

The sending unit 114 is further configured to send a fourth message to the second device.

Wherein, the fourth message carries fourth connection information, and the fourth connection information includes fourth signature information.

Further, the second device receives the fourth message sent by the third device, and determines whether the third device is legal according to the fourth signature information carried in the fourth message and the second signature verification key, and the second signature verification key The key is sent to the second device when the first device configures the second device.

For the embodiment of the present invention, when the first signature generation key and the first signature verification key are asymmetric keys, the first signature generation key is the corresponding private key, and the first signature verification key is the corresponding public key; or, when the first signature generation key and the first signature verification key are symmetric keys, the first signature generation key and the first signature verification key are the same.

In the configuration device provided by the embodiment of the present invention, when the first device has configured the second device, the configuration device first sends the first signature verification key and the first network key, the first signature verification key and the second device to the third device. A network key is generated by the first device and sent to the configuration device, and then the second device sends the first message carrying the first connection information to the third device, and the first connection information includes the first signature information and the peer network key , and finally the third device determines whether the peer network key is legal according to the first network key, and if the peer network key is legal, the third device determines whether the second device is legal according to the first signature information. Compared with currently configuring the first device and the second device separately through the configuration device, the embodiment of the present invention uses the first device to configure the second device according to the out-of-band key of the second device, and the out-of-band key of the second device Obtained by out-of-band communication between the configuration device and the second device, and the configuration device sends the first signature verification key and the first network key to the third device, and the second device sends the first connection information to the third device, which can Realize that the third device determines whether the peer network key in the first connection information is legal according to the first network key, and determines whether the first signature information in the first connection information is legal according to the first signature verification key, thereby can The second device that has been configured by the first device is configured to the third device, that is, the third device configures the second device, thereby improving the success rate of device configuration.

It should be noted that for other corresponding descriptions corresponding to each unit in the configured device provided in the embodiment of the present invention, reference may be made to the corresponding descriptions in FIG. 5 and FIG. 6 , and details are not repeated here.

Still further, an embodiment of the present invention also provides a device, the device is a third device, the third device is located in a configuration system, and the configuration system includes a first device, a second device, a configuration device, and a third device, In-band communication between the configuration device and the first device, out-of-band communication between the configuration device and the second device, in-band communication between the configuration device and the third device, the first device has configured the second device, as shown in the figure As shown in 12 , the third device includes: a receiver 121 , a processor 122 , and a transmitter 123 .

The receiver 121 is configured to receive the first signature verification key and the first network key sent by the configuration device.

Wherein, the first signature verification key is generated by the first device and sent to the configuration device, the first signature verification key is used to decrypt the information signed by the first device, and the first network key is generated by the first device and sent to the The device is configured, and the first network key is used by the second device to generate a shared key.

The receiver 121 is further configured to receive the first message sent by the second device.

Wherein, the first message carries the first connection information, and the first connection information includes the first signature information and the peer network key, and the first signature information is generated by the first device using the first signature generation key to the second network key. The signature is obtained, the first signature generation key is generated by the first device, the first signature generation key is used for the first device to sign, the first signature generation key and the first signature verification key correspond to each other, the second network The key is generated by the second device, and the second network key is used by the first device or the third device to generate a shared key.

The processor 122 is configured to determine whether the opposite-end network key is valid according to the first network key received by the receiver 121 .

It should be noted that there may be one or more processors 122 in the third device, and this embodiment of the present invention uses one as an example for description, and other embodiments may be understood with reference to this.

The processor 122 is further configured to, when the peer network key is valid, according to the first received by the receiver 121 A signature message to determine whether the second device is legitimate.

The processor 122 is specifically configured to determine whether the peer network key is a trusted network key.

Wherein, the trusted network key includes the first network key.

The first connection information received by the receiver 121 also includes the second network key.

The processor 122 is further configured to use the first signature verification key to decrypt the first signature information to obtain a decryption result.

The processor 122 is further configured to compare the decryption result obtained by decryption with the second network key.

The processor 122 is specifically configured to determine that the second device is legal when the decryption result matches the second network key.

The processor 122 is further configured to generate a third shared key at least according to the second network key received by the receiver 121 .

Wherein, the third shared key is a pre-key for handshake authentication between the third device and the second device.

The processor 122 specifically includes generating a DH shared key according to the Diffie-Hellman DH key generation algorithm according to the private key corresponding to the fourth network key and the second network key, and using the DH shared key, or The key derived from the DH shared key is used as the third shared key, and the fourth network key is used by the second device to generate a shared secret. or,

The processor 122 specifically includes generating an ECDH shared key according to the private key corresponding to the fourth network key and the second network key according to the Diffie-Hellman ECDH key generation algorithm based on the elliptic curve cryptosystem, and The ECDH shared key, or a key derived from the ECDH shared key is used as the third shared key.

The processor 122 is further configured to generate a fourth network key, where the fourth network key is used by the second device to generate a shared key.

The sender 123 is configured to send the fourth network key generated by the processor 122 to the configuration device.

The receiver 121 is further configured to receive fourth connection information sent by the configuration device.

Wherein, the fourth connection information includes the fourth signature information and the fourth network key, and the fourth signature information The information is obtained by the configuration device using the second signature generation key to sign the fourth network key, the second signature generation key and the second signature verification key are generated by the configuration device, and the second signature generation key is used by the configuration device to perform For signing, the second signature verification key is used to decrypt the information signed by the configuration device, and the second signature generation key corresponds to the second signature verification key.

For the embodiment of the present invention, when the second signature generation key and the second signature verification key are asymmetric keys, the second signature generation key is the corresponding private key, and the second signature verification key is the corresponding public key; or, when the second signature generation key and the second signature verification key are symmetric keys, the second signature generation key is the same as the second signature verification key.

The sender 123 is further configured to send a fourth message to the second device.

Wherein, the fourth message carries fourth connection information, and the fourth connection information includes fourth signature information.

Further, the second device receives the fourth message sent by the third device, and determines whether the third device is legal according to the fourth signature information carried in the fourth message and the second signature verification key, and the second signature verification key The key is sent to the second device when the first device configures the second device.

For the embodiment of the present invention, when the first signature generation key and the first signature verification key are asymmetric keys, the first signature generation key is the corresponding private key, and the first signature verification key is the corresponding public key; or, when the first signature generation key and the first signature verification key are symmetric keys, the first signature generation key and the first signature verification key are the same.

The device provided by the embodiment of the present invention is specifically the third device. When the first device has configured the second device, the configuration device first sends the first signature verification key and the first network key to the third device, and the first signature verification The key and the first network key are generated by the first device and sent to the configuration device, and then the second device sends a first message carrying the first connection information to the third device, and the first connection information includes the first signature information and the Finally, the third device determines whether the peer network key is legal according to the first network key. If the peer network key is legal, the third device determines whether the second device is legal according to the first signature information. Compared with currently configuring the first device and the second device separately through the configuration device, the embodiment of the present invention uses the first device to configure the second device according to the out-of-band key of the second device, and the out-of-band key of the second device by configuring the device with the second Out-of-band communication between devices is obtained, and the configuration device sends the first signature verification key and the first network key to the third device, and the second device sends the first connection information to the third device, which can realize the third device according to the first A network key, determine whether the peer network key in the first connection information is legal, and determine whether the first signature information in the first connection information is legal according to the first signature verification key, so that the first device can be The configured second device is configured to the third device, that is, the third device configures the second device, thereby improving the success rate of device configuration.

It should be noted that for other corresponding descriptions corresponding to the components in the third device provided in the embodiment of the present invention, reference may be made to the corresponding descriptions in FIG. 5 or FIG. 6 , and details are not repeated here.

The configuration method, configuration device, and equipment provided in the embodiments of the present invention may be applicable to equipment configuration, but are not limited thereto.

Those of ordinary skill in the art can understand that all or part of the processes in the methods of the above embodiments can be implemented through computer programs to instruct related hardware, and the programs can be stored in a computer-readable storage medium. During execution, it may include the processes of the embodiments of the above-mentioned methods. Wherein, the storage medium may be a magnetic disk, an optical disk, a read-only memory (Read-Only Memory, ROM) or a random access memory (Random Access Memory, RAM), etc.

The above is only a specific embodiment of the present invention, but the scope of protection of the present invention is not limited thereto. Anyone skilled in the art can easily think of changes or substitutions within the technical scope disclosed in the present invention. All should be covered within the protection scope of the present invention. Therefore, the protection scope of the present invention should be determined by the protection scope of the claims.

Claims (60)

A configuration method, applied to a configuration system, the configuration system includes a first device, a second device, and a configuration device, wherein the configuration device and the first device perform in-band communication, and the performing out-of-band communication between the configuration device and the second device; the method includes: The first device receives the out-of-band key of the second device sent by the configuration device, and the out-of-band key of the second device is obtained by the configuration device through out-of-band communication with the second device; The first device generates an encryption key according to the second device's out-of-band key, and the encryption key is used to encrypt information sent by the first device to the second device; The first device generates a first signature generation key and a first signature verification key, the first signature generation key is used for the first device to sign, and the first signature verification key is used for Decrypting the information signed by the first device, the first signature generation key and the first signature verification key correspond to each other; The first device receives a second network key sent by the second device, the second network key is generated by the second device, and the second network key is used by the first device to generate a shared key; The first device signs the second network key by using a first signature generation key to obtain first signature information; The first device sends encrypted first connection information to the second device, the first connection information includes the first signature information and the second network key, and the encrypted first connection The information is obtained by the first device encrypting the first connection information with a first key, and the first key is obtained by the first device according to the encryption key, so that the second device Acquiring and sending the first connection information to the first device, where the first connection information is used by the first device to determine whether the second device is legitimate. The configuration method according to claim 1, wherein before the first device receives the out-of-band key of the second device sent by the configuration device, it further includes: The first device receives a second signature verification key sent by the configuration device, the second signature verification key is generated by the configuration device, and the second signature verification key is used to sign the configuration device to decrypt the information; The first device generates a first network key, and the first network key is used by the second device to generate a shared key; The first device sends the first network key to the configuration device, so that the configuration device generates and sends second connection information to the first device at least according to the first network key. The configuration method according to claim 2, wherein after the first device sends the first network key to the configuration device, further comprising: The first device receives the second connection information sent by the configuration device, the second connection information includes second signature information and the first network key, and the second signature information is provided by the configuration device Obtained by signing the first network key by using a second signature generation key, the second signature generation key is generated by the configuration device, and the second signature generation key is used by the configuration device to perform signature , the second signature generation key corresponds to the second signature verification key. The configuration method according to claim 3, wherein after the first device sends the encrypted first connection information to the second device, further comprising: The first device sends a second message, the second message carries the second connection information, the second connection information includes the second signature information, and the second signature information includes the first network key, so that the second device receives the second message sent by the first device, determines whether the first device is legitimate according to the second signature information carried in the second message, and at least according to the The first network key in the second signature information generates a second shared key, the second shared key is a pre-key between the first device and the second device, and the pre-shared key The key is used for handshake authentication between the first device and the second device. The method for configuring according to claim 3 or 4, wherein the method further comprises: The first device generates a third network key, and the third network key is used by the second device to generate a shared key; The first device sends the third network key to the configuration device; The first device receives third connection information sent by the configuration device, the third connection information includes third signature information and the third network key, and the third signature information is used by the configuration device to The second signature generation key is obtained by signing the third network key; The first device sends a third message to the second device, where the third message carries the third connection information, so that the second device obtains the third network key, and at least according to the Using the third network key to generate a new second shared key, the new second shared key is a pre-key between the first device and the second device, and the pre-key is used for A handshake authentication is performed between the first device and the second device. The method for configuring according to claim 4, wherein the method further comprises: The first device sends an encrypted second signature verification key to the second device, and the encrypted second signature verification key is used by the first device to sign the second signature with the second key. The verification key is obtained by encrypting the second key, and the second key is obtained by the first device according to the encryption key, so that the second device receives the second signature verification key, and according to the second The signature verification key and the second signature information carried in the second message determine that the first device is legal. The configuration method according to claim 2, wherein after the first device sends the encrypted first connection information to the second device, further comprising: receiving, by the first device, a first message sent by the second device, where the first message carries the first connection information; The first device determines, according to the first signature information carried in the first message, that the second device is legal. The configuration method according to claim 7, wherein the first device determines that the second device is legal according to the first signature information carried in the first message, specifically comprising: The first device determines, according to the first signature information carried in the first message, that the device that signed the first signature information is a trusted device, and the trusted device includes the first device or the Configure the device. The configuration method according to claim 7, wherein the first device determines that the second device is legal according to the first signature information carried in the first message, specifically comprising: The first device decrypts the first signature information by using the first signature verification key to obtain a decryption result; The first device compares the decryption result with the second network key included in the first connection information; If the decryption result matches the second network key, the first device determines that the second device is legal. The configuration method according to any one of claims 7 to 9, wherein after the first device determines that the second device is legal according to the first signature information carried in the first message, further comprising: : If it is determined that the second device is legitimate, the first device generates a first shared key based on at least the second network key, and the first shared key is a shared key between the first device and the second network key. A pre-key between devices, where the pre-key is used for handshake authentication between the first device and the second device. The configuration method according to claim 10, wherein the first device generates a first shared key at least according to the second network key, specifically comprising: The first device generates a DH shared key according to the Diffie-Hellman DH key generation algorithm according to the private key corresponding to the first network key and the second network key, and sends the DH A shared key, or a key derived from the DH shared key, as the first shared key; or, The first device according to the Diffie-Hellman ECDH key generation algorithm based on the elliptic curve cryptosystem, according to the private key corresponding to the first network key, and the second network key, Generate an ECDH shared key, and use the ECDH shared key, or a key derived from the ECDH shared key, as the first shared key. The configuration method according to claim 1, wherein after the first device receives the out-of-band key of the second device sent by the configuration device, it further includes: The first device determines whether the second device stores a private key corresponding to the second device's out-of-band key; If the second device stores a private key corresponding to the second device's out-of-band key, the first device determines that the second device is legal. A configuration method, which is applied to a configuration system, the configuration system includes a first device, a second device, a configuration device and a third device, and is characterized in that the configuration device and the first device carry out band In-band communication, performing out-of-band communication between the configuration device and the second device, performing in-band communication between the configuration device and the third device, the first device has configured the second device; The methods include: The third device receives the first signature verification key and the first network key sent by the configuration device, the first signature verification key is generated by the first device and sent to the configuration device, the The first signature verification key is used to decrypt the information signed by the first device, the first network key is generated by the first device and sent to the configuration device, and the first network key is used to generating a shared key at the second device; The third device receives a first message sent by the second device, the first message carries first connection information, the first connection information includes first signature information and a peer network key, and the first Signature information is obtained by the first device using a first signature generation key to sign the second network key, the first signature generation key is generated by the first device, and the first signature generation key Used for the first device to sign, the first signature generation key and the first signature verification key correspond to each other, the second network key is generated by the second device, and the first The second network key is used by the first device or the third device to generate a shared key; The third device determines whether the peer network key is valid according to the first network key; If the peer network key is legal, the third device determines whether the second device is legal according to the first signature information. The configuration method according to claim 13, wherein the third device determines whether the peer network key is legal according to the first network key, specifically comprising: The third device determines whether the peer network key is a trusted network key, where the trusted network key includes the first network key. The configuration method according to claim 13, wherein the first connection information further includes a second network key; The third device determines whether the second device is legitimate according to the first signature information, specifically including: The third device decrypts the first signature information by using the first signature verification key to obtain a decryption result; The third device compares the decryption result with the second network key; If the decryption result matches the second network key, the third device determines that the second device is legal. The configuration method according to claim 15, characterized in that after the third device determines that the second device is legal, it further includes: The third device generates a third shared key at least according to the second network key, and the third shared key is a pre-key for handshake authentication between the third device and the second device . The configuration method according to claim 16, wherein the third device generates a third shared key at least according to the second network key, specifically comprising: The third device generates a DH shared key according to the Diffie-Hellman DH key generation algorithm according to the private key corresponding to the fourth network key and the second network key, and uses the DH shared key key, or a key derived from the DH shared key as the third shared key, and the fourth network key is used by the second device to generate a shared key; or, The third device follows the Diffie-Hellman ECDH key based on elliptic curve cryptosystem A generation algorithm, generating an ECDH shared key according to the private key corresponding to the fourth network key and the second network key, and deriving the ECDH shared key, or derived from the ECDH shared key key as the third shared key. The configuration method according to claim 13, wherein the method further comprises: The third device generates a fourth network key, and the fourth network key is used by the second device to generate a shared key; The third device sends the fourth network key to the configuration device. The configuration method according to claim 18, characterized in that after the third device sends the fourth network key to the configuration device, further comprising: The third device receives fourth connection information sent by the configuration device, the fourth connection information includes fourth signature information and the fourth network key, and the fourth signature information is used by the configuration device to The second signature generation key is obtained by signing the fourth network key, the second signature generation key and the second signature verification key are generated by the configuration device, and the second signature generation key is used for the The configuration device performs signature, the second signature verification key is used to decrypt the information signed by the configuration device, and the second signature generation key corresponds to the second signature verification key. The configuration method according to claim 19, characterized in that after the third device receives the fourth connection information sent by the configuration device, it further includes: The third device sends a fourth message to the second device, the fourth message carries the fourth connection information, and the fourth connection information includes the fourth signature information, so that the second The device receives the fourth message sent by the third device, and determines whether the third device is legal according to the fourth signature information carried in the fourth message and the second signature verification key, and the The second signature verification key is sent to the second device when the first device configures the second device. A configuration device, used for a first device, the first device is located in a configuration system, and the configuration system includes a first device, a second device, and a configuration device, wherein the configuration Perform in-band communication between the configuration device and the first device, and perform out-of-band communication between the configuration device and the second device; the device includes: a receiving unit, configured to receive the out-of-band key of the second device sent by the configuration device, the out-of-band key of the second device is obtained by the configuration device through out-of-band communication with the second device; a generating unit, configured to generate an encryption key according to the out-of-band key of the second device received by the receiving unit, and the encryption key is used to encrypt information sent by the first device to the second device; The generation unit is further configured to generate a first signature generation key and a first signature verification key, the first signature generation key is used for the first device to sign, and the first signature verification key is used for For decrypting the information signed by the first device, the first signature generation key and the first signature verification key correspond to each other; The receiving unit is further configured to receive a second network key sent by the second device, the second network key is generated by the second device, and the second network key is used for the first The device generates a shared key; a signing unit, configured to use a first signature generation key to sign the second network key received by the receiving unit to obtain first signature information; a sending unit, configured to send encrypted first connection information to the second device, where the first connection information includes the first signature information signed by the signature unit and the second network key, the The encrypted first connection information is obtained by the first device encrypting the first connection information with a first key, and the first key is obtained by the first device according to the generated by the generating unit obtain the encryption key, so that the second device acquires and sends the first connection information to the first device, and the first connection information is used by the first device to determine whether the second device is legitimate . An apparatus according to claim 21, characterized in that, The receiving unit is further configured to receive a second signature verification key sent by the configuration device before the receiving unit receives the out-of-band key of the second device, and the second signature verification key Generated by the configuration device, the second signature verification key is used to decrypt information signed by the configuration device; The generating unit is further configured to generate a first network key, and the first network key is used by the second device to generate a shared key; The sending unit is further configured to send the first network key generated by the generating unit to the configuration device, so that the configuration device generates and sends to the configuration device at least according to the first network key The first device sends second connection information. An apparatus according to claim 22, characterized in that, The receiving unit is further configured to receive the second connection information sent by the configuration device after the sending unit sends the first network key, the second connection information includes the second signature information and the the first network key, the second signature information is obtained by the configuration device signing the first network key with a second signature generation key, and the second signature generation key is obtained by the configuration device The second signature generation key is used for the configuration device to perform signature, and the second signature generation key and the second signature verification key correspond to each other. An apparatus according to claim 23, characterized in that, The sending unit is further configured to send a second message, the second message carries the second connection information, the second connection information includes the second signature information, and the second signature information includes the a first network key, so that the second device receives the second message sent by the first device, determines whether the first device is legitimate according to the second signature information carried in the second message, and generating a second shared key at least according to the first network key in the second signature information, where the second shared key is a pre-key between the first device and the second device, The pre-key is used for handshake authentication between the first device and the second device. Arrangement according to claim 23 or 24, characterized in that, The generating unit is further configured to generate a third network key, and the third network key is used by the second device to generate a shared key; The sending unit is further configured to send the third network key to the configuration device; The receiving unit is further configured to receive third connection information sent by the configuration device, the The third connection information includes third signature information and the third network key, and the third signature information is obtained by the configuration device using the second signature generation key to sign the third network key; The sending unit is further configured to send a third message to the second device, where the third message carries the third connection information, so that the second device acquires the third network key, and generate a new second shared key at least according to the third network key, the new second shared key is a pre-key between the first device and the second device, and the pre-encrypted The key is used for handshake authentication between the first device and the second device. An apparatus according to claim 24, characterized in that, The sending unit is further configured to send an encrypted second signature verification key to the second device, and the encrypted second signature verification key is paired by the first device with the second key to the The second signature verification key is encrypted, and the second key is obtained by the first device according to the encryption key, so that the second device receives the second signature verification key and The second signature verification key and the second signature information carried in the second message determine that the first device is legal. An apparatus according to claim 22, characterized in that, The receiving unit is further configured to receive a first message sent by the second device, where the first message carries the first connection information; The device also includes: a determining unit; The determining unit is configured to determine that the second device is legal according to the first signature information carried in the first message. An apparatus according to claim 27, characterized in that, The determining unit is specifically configured to, according to the first signature information carried in the first message, determine whether the device that signed the first signature information is a trusted device, and the trusted device is the first signature information. device or the configuration device. The configured device according to claim 27, wherein the device further comprises: a decryption unit and a comparison unit; The decryption unit is configured to use the first signature verification key to decrypt the first signature information to obtain a decryption result; The comparison unit is configured to compare the decryption result obtained by decrypting the decryption unit with the second network key included in the first connection information; The determining unit is specifically configured to determine that the second device is legal when the comparing unit compares that the decryption result matches the second network key. An arrangement according to any one of claims 27 to 29, wherein, The generating unit is further configured to generate a first shared key at least according to the second network key when the determining unit determines that the second device is legitimate, and the first shared key is the second shared key. A pre-key between a device and the second device, where the pre-key is used for handshake authentication between the first device and the second device. An apparatus according to claim 30, characterized in that, The generation unit is specifically configured to generate a DH shared key according to the Diffie-Hellman DH key generation algorithm according to the private key corresponding to the first network key and the second network key, and The DH shared key, or a key derived from the DH shared key, is used as the first shared key; The generating unit is specifically further configured to generate the key according to the Diffie-Hellman ECDH key generation algorithm based on the elliptic curve cryptosystem, according to the private key corresponding to the first network key and the second network key, Generate an ECDH shared key, and use the ECDH shared key, or a key derived from the ECDH shared key, as the first shared key. An apparatus according to claim 21, characterized in that, The determining unit is further configured to determine whether the second device stores a private key corresponding to the second device's out-of-band key; The determining unit is further configured to determine that the second device is legal when the second device stores a private key corresponding to the second device out-of-band key. A configuration device, used for a third device, the third device is located in a configuration system, and the configuration system includes a first device, a second device, a configuration device and a third device, and is characterized in that Therefore, in-band communication is performed between the configuration device and the first device, out-of-band communication is performed between the configuration device and the second device, and out-of-band communication is performed between the configuration device and the third device Internal communication, the first device has configured the second device; the apparatus includes: a receiving unit, configured to receive the first signature verification key and the first network key sent by the configuration device, the first signature verification key is generated by the first device and sent to the configuration device, the The first signature verification key is used to decrypt the information signed by the first device, the first network key is generated by the first device and sent to the configuration device, and the first network key is used to generating a shared key at the second device; The receiving unit is further configured to receive a first message sent by the second device, the first message carries first connection information, and the first connection information includes first signature information and a peer network key, The first signature information is obtained by the first device signing the second network key with a first signature generation key, the first signature generation key is generated by the first device, and the first signature generating a key for the first device to sign, the first signature generating key and the first signature verification key correspond to each other, the second network key is generated by the second device, The second network key is used by the first device or the third device to generate a shared key; a determining unit, configured to determine whether the peer network key is legal according to the first network key received by the receiving unit; The determining unit is further configured to determine whether the second device is legal according to the first signature information received by the receiving unit when the peer network key is legal. An apparatus according to claim 33, characterized in that, The determining unit is specifically configured to determine whether the peer network key is a trusted network key, and the trusted network key includes the first network key. An apparatus according to claim 33, characterized in that, The first connection information received by the receiving unit further includes a second network key; The device also includes: a decryption unit and a comparison unit; The decryption unit is configured to use the first signature verification key to decrypt the first signature letter The information is decrypted to obtain the decryption result; The comparison unit is configured to compare the decryption result obtained by decrypting the decryption unit with the second network key; The determining unit is specifically configured to determine that the second device is legal when the comparing unit compares that the decryption result matches the second network key. The configured device according to claim 35, further comprising: a generating unit; The generating unit is configured to generate a third shared key at least according to the second network key received by the receiving unit, and the third shared key is a link between the third device and the second device The pre-key for handshake authentication. An apparatus according to claim 36, characterized in that, The generating unit specifically includes generating a DH shared key according to the Diffie-Hellman DH key generation algorithm according to the private key corresponding to the fourth network key and the second network key, and converting the DH A shared key, or a key derived from the DH shared key, is used as the third shared key, and the fourth network key is used by the second device to generate a shared key; or, The generating unit specifically includes generating an ECDH key according to the private key corresponding to the fourth network key and the second network key according to the Diffie-Hellman ECDH key generation algorithm based on the elliptic curve cryptosystem. share a key, and use the ECDH shared key, or a key derived from the ECDH shared key, as the third shared key. An apparatus according to claim 33, characterized in that, The generating unit is further configured to generate a fourth network key, where the fourth network key is used by the second device to generate a shared key; The device also includes: a sending unit; The sending unit is configured to send the fourth network key generated by the generating unit to the configuration device. An apparatus according to claim 38, characterized in that, The receiving unit is further configured to receive fourth connection information sent by the configuration device, the The fourth connection information includes fourth signature information and the fourth network key, the fourth signature information is obtained by the configuration device signing the fourth network key with a second signature generation key, the The second signature generation key and the second signature verification key are generated by the configuration device, the second signature generation key is used for the configuration device to sign, and the second signature verification key is used for the The information signed by the configuration device is decrypted, and the second signature generation key corresponds to the second signature verification key. An apparatus according to claim 39, characterized in that, The sending unit is further configured to send a fourth message to the second device, the fourth message carries the fourth connection information, and the fourth connection information includes the fourth signature information, so that the The second device receives the fourth message sent by the third device, and determines whether the third device is legitimate according to the fourth signature information carried in the fourth message and the second signature verification key , the second signature verification key is sent to the second device when the second device is configured by the first device. A device, the device is a first device, the first device is located in a configuration system, and the configuration system includes a first device, a second device, and a configuration device, wherein the configuration device and the first In-band communication is performed between devices, and out-of-band communication is performed between the configuration device and the second device; the first device includes: a receiver, configured to receive the out-of-band key of the second device sent by the configuration device, where the out-of-band key of the second device is obtained by the configuration device through out-of-band communication with the second device; a processor, configured to generate an encryption key according to the out-of-band key of the second device received by the receiver, and the encryption key is used to encrypt information sent by the first device to the second device; The processor is further configured to generate a first signature generation key and a first signature verification key, the first signature generation key is used for the first device to sign, and the first signature verification key is used to For decrypting the information signed by the first device, the first signature generation key and the first signature verification key correspond to each other; The receiver is further configured to receive a second network key sent by the second device, and the first A second network key is generated by the second device, and the second network key is used by the first device to generate a shared key; The processor is further configured to use a first signature generation key to sign the second network key received by the receiver to obtain first signature information; a sender, configured to send encrypted first connection information to the second device, where the first connection information includes the first signature information and the second network key signed by the processor, and The encrypted first connection information is obtained by the first device encrypting the first connection information with a first key, and the first key is obtained by the first device according to the obtain the encryption key, so that the second device acquires and sends the first connection information to the first device, and the first connection information is used by the first device to determine whether the second device is legitimate . A first device as claimed in claim 41 wherein, The receiver is further configured to receive a second signature verification key sent by the configuration device before the receiver receives the out-of-band key of the second device, and the second signature verification key is determined by the Generated by the configuration device, the second signature verification key is used to decrypt the information signed by the configuration device; The processor is further configured to generate a first network key, and the first network key is used by the second device to generate a shared key; The transmitter is further configured to send the first network key generated by the processor to the configuration device, so that the configuration device generates and sends to the configuration device at least based on the first network key The first device sends second connection information. A first device as claimed in claim 42, characterized in that The receiver is further configured to receive the second connection information sent by the configuration device after the sender sends the first network key, where the second connection information includes the second signature information and the the first network key, the second signature information is obtained by the configuration device signing the first network key with a second signature generation key, and the second signature generation key is obtained by the configuration device Generated, the second signature generation key is used for the configuration device to sign, so The second signature generation key corresponds to the second signature verification key. A first device as claimed in claim 43, characterized in that The sender is further configured to send a second message, the second message carries the second connection information, the second connection information includes the second signature information, and the second signature information includes the a first network key, so that the second device receives the second message sent by the first device, determines whether the first device is legitimate according to the second signature information carried in the second message, and generating a second shared key at least according to the first network key in the second signature information, where the second shared key is a pre-key between the first device and the second device, The pre-key is used for handshake authentication between the first device and the second device. A first device as claimed in claim 43 or 44, characterized in that The processor is further configured to generate a third network key, where the third network key is used by the second device to generate a shared key; The transmitter is further configured to send the third network key to the configuration device; The receiver is further configured to receive third connection information sent by the configuration device, the third connection information includes third signature information and the third network key, and the third signature information is determined by the configuration device. Obtained by signing the third network key by using the second signature generation key; The sender is further configured to send a third message to the second device, where the third message carries the third connection information, so that the second device acquires the third network key, and generate a new second shared key at least according to the third network key, the new second shared key is a pre-key between the first device and the second device, and the pre-encrypted The key is used for handshake authentication between the first device and the second device. A first device as claimed in claim 44, characterized in that The sender is further configured to send an encrypted second signature verification key to the second device, and the encrypted second signature verification key is paired by the first device with the second key to the The second signature verification key is encrypted, and the second key is obtained by the first device according to the encryption key, so that the second device receives the second signature verification key and described The second signature verification key and the second signature information carried in the second message determine that the first device is legal. A first device as claimed in claim 42, characterized in that The receiver is further configured to receive a first message sent by the second device, where the first message carries the first connection information; The processor is further configured to determine that the second device is legal according to the first signature information carried in the first message. A first device as claimed in claim 47, characterized in that The processor is specifically configured to determine, according to the first signature information carried in the first message, whether the device that signed the first signature information is a trusted device, and the trusted device is the first device or the configuration device. A first device as claimed in claim 47, characterized in that The processor is further configured to use the first signature verification key to decrypt the first signature information to obtain a decryption result; The processor is further configured to compare the decryption result with the second network key included in the first connection information; The processor is specifically configured to determine that the second device is legal when the decryption result matches the second network key. A first device as claimed in any one of claims 47 to 49 wherein, The processor is further configured to, when it is determined that the second device is legal, generate a first shared key at least according to the second network key, and the first shared key is used by the first device and the A pre-key between the second device, where the pre-key is used for handshake authentication between the first device and the second device. A first device as claimed in claim 50, characterized in that The processor is specifically configured to generate a DH shared key according to the Diffie-Hellman DH key generation algorithm according to the private key corresponding to the first network key and the second network key, and The DH shared key, or a key derived from the DH shared key, as the first a shared key; The processor is further configured to, according to the Diffie-Hellman ECDH key generation algorithm based on the elliptic curve cryptosystem, according to the private key corresponding to the first network key and the second network key, Generate an ECDH shared key, and use the ECDH shared key, or a key derived from the ECDH shared key, as the first shared key. A first device as claimed in claim 41 wherein, The processor is further configured to determine whether the second device stores a private key corresponding to the out-of-band key of the second device; The processor is further configured to determine that the second device is legal when the second device stores a private key corresponding to the second device out-of-band key. A device, the device is a third device, the third device is located in a configuration system, and the configuration system includes a first device, a second device, a configuration device and a third device, wherein the configuration device and In-band communication is performed between the first devices, out-of-band communication is performed between the configuration device and the second device, in-band communication is performed between the configuration device and the third device, and the first The device has configured the second device; the third device includes: a receiver, configured to receive the first signature verification key and the first network key sent by the configuration device, the first signature verification key is generated by the first device and sent to the configuration device, the The first signature verification key is used to decrypt the information signed by the first device, the first network key is generated by the first device and sent to the configuration device, and the first network key is used to generating a shared key at the second device; The receiver is further configured to receive a first message sent by the second device, the first message carries first connection information, and the first connection information includes first signature information and a peer network key, The first signature information is obtained by the first device signing the second network key with a first signature generation key, the first signature generation key is generated by the first device, and the first signature generating a key for the first device to sign, the first signature generating key and the first signature verification key correspond to each other, the second network key is generated by the second device, The second network key is used by the first device or the third device to generate a shared key; a processor, configured to determine whether the peer network key is legal according to the first network key received by the receiver; The processor is further configured to determine whether the second device is legal according to the first signature information received by the receiver when the peer network key is legal. A third device as claimed in claim 53 wherein, The processor is specifically configured to determine whether the peer network key is a trusted network key, where the trusted network key includes the first network key. A third device as claimed in claim 53 wherein, The first connection information received by the receiver further includes a second network key; The processor is further configured to use the first signature verification key to decrypt the first signature information to obtain a decryption result; The processor is further configured to compare the decryption result obtained by decryption with the second network key; The processor is specifically configured to determine that the second device is legal when the decryption result matches the second network key. A third device as claimed in claim 55 wherein, The processor is further configured to generate a third shared key at least according to the second network key received by the receiver, and the third shared key is a shared key between the third device and the second device. The pre-key for handshake authentication. A third device as claimed in claim 56 wherein, The processor specifically includes generating a DH shared key according to the Diffie-Hellman DH key generation algorithm according to the private key corresponding to the fourth network key and the second network key, and converting the DH A shared key, or a key derived from the DH shared key, is used as the third shared key, and the fourth network key is used by the second device to generate a shared secret; or The processor specifically includes, according to the Diffie-Hellman ECDH key generation algorithm based on the elliptic curve cryptosystem, according to the private key corresponding to the fourth network key and the second network key, to generate an ECDH key. shared key, and the ECDH shared key, or by the ECDH A key derived from the shared key is used as the third shared key. A third device as claimed in claim 53 wherein, The processor is further configured to generate a fourth network key, where the fourth network key is used by the second device to generate a shared key; The third device also includes: a transmitter; The sender is configured to send the fourth network key generated by the processor to the configuration device. A third device as claimed in claim 58 wherein, The receiver is further configured to receive fourth connection information sent by the configuration device, the fourth connection information includes fourth signature information and the fourth network key, and the fourth signature information is provided by the configuration device. The device signs the fourth network key by using a second signature generation key, the second signature generation key and the second signature verification key are generated by the configuration device, and the second signature generation key Used for the configuration device to sign, the second signature verification key is used to decrypt the information signed by the configuration device, and the second signature generation key and the second signature verification key are mutually correspond. A third device as claimed in claim 59 wherein, The sender is further configured to send a fourth message to the second device, the fourth message carries the fourth connection information, and the fourth connection information includes the fourth signature information, so that the The second device receives the fourth message sent by the third device, and determines whether the third device is legitimate according to the fourth signature information carried in the fourth message and the second signature verification key , the second signature verification key is sent to the second device when the second device is configured by the first device.