Patent Application
20160234678
This disclosure relates to configuring a wireless device to operate in a wireless network.
The Internet of Things (IoT) is becoming more and more dominant and opens a new era for simple objects to connect to the Internet. One part of enabling a given device to connect to a local network is the step of on-boarding the given device to the local network. Various approaches have been developed to facilitate such initial connection to the local network. Users desire an easy-to-use solution that is full proof and as much as possible seamless. Yet, while making it seamless, security should not be compromised. The combination of these two goals can make this a challenging task.
This disclosure relates to configuring a wireless device to operate in a wireless network.
As one example, a method includes sending a request in a secure wireless network from a first device. The request includes a predetermined information element indicating the first device is capable of implementing a peer configuration method. In response to receiving a reply that includes the predetermined information element from at least one other device, which is already operating in the wireless network, the method also includes establishing a secure channel between the first device and the other device. The method also includes receiving at the first device network configuration data via the secure channel, the network configuration data sufficient to enable the first device to connect to the wireless network.
As another example, a wireless device can include a transceiver to wirelessly communicate data. The device can also include memory to store data and instructions and a processor to access the memory and execute the instructions for performing a method. The instructions can include a configuration manager that sends a request via the transceiver in a wireless network. The request includes a predetermined configuration information element to indicate that the wireless device is configured to implement a peer configuration method. The configuration manager can establish a secure wireless communications channel with another wireless device in response to receiving a reply from the other wireless device. The configuration manager can also employ network information received via the secure wireless communications channel to connect the wireless device in the wireless network.
As yet another example, another method includes receiving at a given device a wireless request that includes a predetermined configuration information element indicating a source device that provided the wireless request is configured to implement a peer configuration method. The method also includes providing a wireless response from the given device in response the wireless request. The wireless response includes the predetermined configuration information element to indicate that the given device is also configured to implement the peer configuration method. The method also includes establishing a secure wireless channel between the given device and the source device and sending network information from the given device to the source device via the secure channel to enable the source device to connect with the wireless network.
This disclosure relates to configuring a wireless device to operate in a wireless network. For example, a plurality of devices can be configured to implement a peer configuration method that enables a new device to obtain configuration information from another device that is already connected to operate in a wireless network. The already connected device can be referred to as a trusted agent. The new device announces its presence to one or more trusted agent, such as by transmitting a probe request that includes a predetermined information element identifying the new device as being configured to implement the peer configuration method. After mutual authentication for implementing the peer configuration method, the new device and the trusted agent can establish a secure wireless channel (e.g., via asymmetric cryptography). The trusted agent can then provide network access credentials to the new device via the secure wireless link to enable the new device to operate in the wireless network. In some examples, the process can be initiated and completed in the absence of user intervention. In other examples, user input can be required to complete the configuration process for the new device, such as by sending a message that requires confirmation by the user.
The systems and methods disclosed herein thus can provide a secure approach to facilitate connecting devices to a wireless local network. The approach further can be power efficient since the process is triggered by the new device avoiding the need to run power hungry background processes. If desired, devices can be programmed to provide closed loop feedback to confirm success or failure for connecting the new device in the wireless network.
In the example of
Referring back to
Once the wireless devices 12 and 14 have established the prescribed relationship exists between the wireless devices (e.g., both being peer-configuration-capable devices), the devices 12 and 14 can create a peer-to-peer connection over a secure channel demonstrated at 24. The secure channel 24 can be implemented according to an asymmetrical cryptography scheme. In order to establish the secure communication channel 24, each of the wireless devices can exchange packets containing cryptographic keys according to a common cryptographic scheme. As one example, the cryptographic scheme can be implemented based on an elliptic curve Diffie-Hellman (ECDHE)-elliptic curve digital signature algorithm (ECDSA) key exchange according to a pre-programmed root certificate operating on the wireless device 12. The ECDHE-ECDSA cryptography provides an asymmetric cryptography protocol based on algorithms that require two separate keys, stored at and used by the devices 12 and 14. For example, the key exchange between the devices 12 and 14 can be implemented through another information element that is added to a management frame wireless communicated between the devices, such as in another probe request and/or associated probe response. The exchange can be utilized to create a multi-bit shared key for communicating authentic and secure data packets via the secure channel 24 between the devices 12 and 14. It is understood that each of the devices 12 and 14 could implement other cryptography schemes, such as including another public-key cryptography or symmetric-key cryptography.
The configuration manager 18 can in turn provide network information to the wireless device 12 via the secure channel sufficient to provision the wireless device 12 to connect with and operate in the wireless network 20. For example, the network information can include a network name (e.g., SSID), the network password and any additional metadata that can be utilized by the wireless device 12 to provide for secure communication by the device within the wireless network 20.
In some examples, such as to increase security, prior to the wireless device 14 providing the network information to the wireless device 12, the already-connected wireless device 14 can send a confirmation request to an authorized user of the network for approval to add the new device into the network 20. The confirmation request can be provided over the network 20. As an example, the confirmation request can be provided from the wireless device 14 directly or through a corresponding web service, such as email, instant messaging, text messaging or the like. In response to a user input from the authorized user confirming that the wireless device 12 is approved to connect with the wireless network 20, the wireless device 14 can then provide the network information via the secure channel to the wireless device 12.
Additionally or alternatively, as a further security measure, the wireless device 12 can provide a connection notification to one or more authorized user (e.g., the same or a different user to which the confirmation request was sent) that informs the user that the device 12 has successfully connected to the network 20. The connection notification from the new wireless device 12 can thus provide a positive acknowledgement to inform the authorized user of the successful completion of the overall configuration process. After the network information has been provided to the new wireless device 12, the wireless devices 12 and 14 can tear down the secure channel 24 thereby leaving each of the wireless devices connected with the wireless network 20. Additionally, if for some reason the new device 12 cannot connect to the network 20 (e.g., failure to establish a network connection), the configuration manager 18 of the new device can be programmed employ the secure communications channel 24 to notify the already-connected device 14 about the failure. Each device further may be manually configured in response to a user input, such as by connecting it to a computer or other terminal device. The notification via the secure link 24 can also include information identifying one or more reasons for the failure (e.g., one or more predefined reason codes).
As one example, each of the wireless devices 12 and 14 can be implemented as part of a distributed system (e.g., a home automation and/or burglar system), such as corresponding to sensors associated with different parts of a home or other facility. For instance, one of the wireless devices 12 can be a motion detector that can be provide an indication of sensed conditions via the network 20 to a system processor also part of the wireless network. Other devices can implement switches to detect the opening and closing of a circuit such as associated with the opening and closing of a door. Other examples of wireless devices can be configured for other automation functions, such as may include sensing and/or controls of various household devices. In still other examples, the wireless devices can be implemented as part of a vehicle, such as a car, boat, recreational vehicle or the like to implement various automation or sensing features as are known in the art. These functions are provided by of example and the potential applications are up to the user.
In the example, of
The configuration manager 60, for example, can employ configuration data 62 for implementing the configuration method. The operation implemented by the configuration manager 60 can depend on configuration state of the system 50, which can be stored as part of the configuration data 62. An example of configuration data 62 is demonstrated in
The configuration data 62 can include configuration state data 70 that specifies a state of the communication control system 50 that can be utilized to implement the third configuration method. For example, the configuration state 70 can include the following states pre-configured, connecting, connected, configuring and/or post-configured. Thus according to the respective state of a given device, a recipient of a given message containing such state information can respond accordingly, such as by providing a message or implementing a prescribed function, as disclosed herein. The configuration data 62 can also include a device identifier 72 that can uniquely identify a name for the wireless device operating in a corresponding wireless network.
The configuration data 62 can also include a configuration information element 74. The configuration information element 74 can include a predetermined identifier (e.g., a proprietary token) indicating that the wireless device supports the peer configuration technology. Additionally, in some examples, a wireless device operating in the post-configured state (as defined by its configuration data 62) can further be enabled or disabled as to whether the device is operative to provision one or more pre-configured wireless devices to operate in a network. For example, a manufacturer or a service provider can program one or more wireless devices to control which specific devices are programmed to implement certain post-configured controls for provisioning other wireless devices. If enabled, the configuration manager can cause the post-configured wireless device to send the configuration information element in a response message in response to receiving a request message from another wireless device that also includes the configuration information element.
The configuration data 62 can also include network credential 76 to specify network access credentials needed to connect in a wireless network. As mentioned, a network credentials can include an SSID, network password or other information that should be passed to the new device to enable operation within the wireless network. For example, additional information that may be included are the device name, owner information or other proprietary information that the manufacturer or user may wish to include to facilitate provisioning wireless devices in a seamless and secure manner.
Referring back to
By way of further example, the communication control system 50 can send a management frame, such as a probe request, probe response or other type of management frame according to the wireless communication protocol being implemented. The management frame can include one or more information elements, such as including the information element 80.
The information element 80 can also include a predetermined configuration code 84 that is stored as static or derived data (e.g., in configuration information element 74). For instance, the configuration code 84 may be a proprietary static code to inform mutually configured other devices that the sender of the message containing the information element 80 is configured to implement the peer configuration method. The information element 80 can also include an indication of the information element state (IE_STATE) shown at 88. The information element state data 88, for example, specifies the current state or status of the information element according to the configuration state (e.g., configuration state data 70 of
As one example, the configuration state machine 90 can implement logic to transition among the various states which generally will vary depending upon whether the device implementing the state machine is in the pre-configured state or post-configured state. Thus, in the example of
The configuration manager 60 also includes a communication processor 98 that is configured to control communications from a wireless device. As disclosed herein, the communications related to the peer configuration method can include requests or responses. Thus the communication processor 98 can implement a messaging engine 100 to send a management frame, such as a probe request or probe response (e.g., communicated by the transmitter portion of transceiver 52). Additionally, as part of a request or response, the messaging engine 100 can include a corresponding information element in each management frame that is sent from a given wireless device to indicate the device implements the peer configuration method. The communication processor 98 can also include a message analyzer 102 to process messaged received (e.g., by receiver portion of transceiver 52) at the wireless device from other wireless devices. The communication processor 98 further can control the mode of communication and the channel over which the communication is sent depending on the configuration state data 70 (
For example, the configuration state machine 90 for a pre-configured device is in the pre-configured state and thus the pre-configured controls 92 implement the corresponding peer configuration method. The pre-configured controls 92 can include instructions programmed to search for another wireless device that implements the peer configuration method, to connect to the other wireless device for establishing a secure communication channel and to configure the wireless device to connect with the wireless network based upon the network information provided from the other wireless device.
By way of further example, for a pre-configured wireless device the communication processor 98 can employ the messaging engine 100 to initiate the search by sending a probe request over a wireless communication channel according to wireless protocol. The message analyzer 102 can parse information received via the transceiver 52 to determine if a response from another wireless device contains a configuration information element indicating that the other wireless device implementing the peer configuration method. The communication processor 98 can in turn employ encryption control 64 to establish a clear communication channel between devices. Once the secure channel is established the device already configured can provide the network information to enable the pre-configured wireless device to operate in the wireless network.
In some examples, the wireless network can include a plurality of post-configured wireless devices and adapted to implement the peer configuration method. The pre-configured device can evaluate the responses if the responses are received and select one of the wireless devices based upon a ranking of the devices. For example, the pre-configured controls 92 can evaluate information provided in probe responses and select one of the responding peer device for establishing a secure connection based on one or more factors. Additionally, there can be multiple pre-configured devices (e.g., devices 12), which can be configured concurrently or sequentially for network operation. For instance, multiple preconfigured devices can be simultaneously configured by different pre-configured devices without interfering with one another (since communication obeys medium access rules).
As mentioned, the pre-configured controls or other methods implemented in the configuration manager 60 can rank the responding post-configured devices according to which of the plurality of devices has a greater reserve power available. Additionally or alternatively, signal strength can be utilized as a basis for selecting which peer wireless device to connect with over a secure communication channel. Additionally, if multiple access points are available, the pre-configured control 92 further can select a given peer wireless device based on the received signal strength between the access point and the pre-configured wireless device, such that the pre-configured wireless device will be connected with the access point with which it has the greatest signal strength. As further example, a manual selection (e.g., in response to a user input selection) based on device public name that is predefined, which can be utilized for configuring each of the pre-configured devices (e.g., one-by-one). Those skilled in the art will understand and appreciate that a combination of these and/or other criteria can be utilized by a pre-configured wireless device to select which of the plurality of post-configured wireless devices for connecting as part of the peer configuration method.
From the perspective of the configuration manager 60 that is implemented in the post-configured wireless device (described in the previous example as the already connected device), the post-configured device can also implement the post-configuration control 94 of the state machine and the communications processor 98 to communicate information to enable the pre-configured wireless device to operate in the wireless network. For example, the analyzer 102 parses the probe request from the pre-configured device and detects the configuration information element. In response to detecting the configuration information element, the configuration manager 60 employs the messaging engine 100 in the communication processor 98 of the post-configured device to issue a probe response that includes a corresponding information element, such as the information element 80 demonstrated in
To help understand the flow of information between the pre-configured wireless device and a post-configured wireless device,
As an example, in response to activation and operating in a pre-configured state (e.g., configuration state 70 of
At 166, the pre-configured device 152 can provide a pre-programmed root certificate that is stored in memory of the device (e.g., part of the encryption data 66 of
In some examples, for additional security before sending the network information, the post-configured device 154 can send a request to the user 160 that may be connected to the network directly or via a corresponding service (e.g., email, text message, instant message or the like) that is accessible via the network 156. The user 160 thus can interact with a user interface to issue a confirmation response 176 in response to the confirmation request 174. In response to the post-configured device 154 receiving the confirmation response 176, the device 154 can issue the network information to the pre-configured device 152. In the absence of receiving an affirmative response confirming that the user has approved the new device to be connected in the wireless network, the post-configured device 154 can either not respond or send another message instructions to the pre-configured device 152, such as including instructions that it is not authorized to proceed.
As yet another example, in response to receiving the network information at 172, the pre-configured device 152 can provide a notification 178 to the user 160 via the network or associated services similar to the confirmation request 174. The notification provided at 178 can inform the user that the pre-configured device 152 has been successfully configured to operate in the wireless network and thus is connected to the access point 156 via an encrypted wireless protocol such as disclosed herein. If, for some reason, the connection to the wireless network fails, the pre-configured device can send a failure notification to the second device to via the secure wireless communications channel (e.g., identifying the failure as well as one or more reasons). Thus, the notification can provide feedback for closed loop operation.
One or more other wireless devices can send a response to the request, which response is received at 206. The response received at 206, for example, can be a probe response issued in response to the request or perhaps unsolicited by the other wireless device. At 208, if more than one response is received at 206, the method can include evaluating the responses and selecting one of a plurality of different post-configured device for peer communications. As disclosed herein, the selection can be based on signal strength of the wireless devices and its access point and/or one or more other factors such as power reserves of each of the respective devices. This can help avoid burdening devices with low power reserves as well as help ensure the device implementing the method will connect to the access point having the highest signal strength.
At 210, a secure communication channel can be established between the pre-configured wireless device implemented at the method 200 and the device that was selected at 208. For instance, the secure communication channel 210 can be established using an asymmetrical cryptographic scheme such as disclosed herein. At 212, network information can be received via the secure communication channel. The network information can be stored in memory of the device (e.g., memory 56). At 214, the wireless device can employ the network information to connect with the wireless network and thereby be operational. At 214, the wireless device can enter its post-configured state.
Following sending the response at 254, the device can receive a cryptographic key from another wireless device at 256. In response to the key received at 256, at 258, a message can be sent back to the sender including a corresponding cryptographic key. The exchange of keys at 256 and 258 thus can be utilized to authenticate the wireless devices sending the respective keys. Upon authentication, at 260, a secure communication channel can be established between the wireless devices. In some examples, the method 250 can include requesting confirmation from the owner at 262. The confirmation request can required that the owner or other authorized user approve providing network information to add the new device in the wireless network.
At 264, a determination can be made whether approval has been received from the owner. If the owner provides approval in response to the request at 262, the method 200 can proceed to 266 in which the network information can be sent to the other device via the secured channel that was established at 260. If approval is not received or is not received within a predetermined time period, the method can proceed from 264 and end at 268. In some cases, a notification can be provided to the new device to indicate that approval is not received and that network information is not being provided. In such a situation, the new device can restart the peer configuration method in the pre-configured state. In other examples, the method 200 can be implemented as to not require owner confirmation, such that the method can proceed from 260 to 266 directly.
What have been described above are examples. It is, of course, not possible to describe every conceivable combination of components or methodologies, but one of ordinary skill in the art will recognize that many further combinations and permutations are possible. Accordingly, the disclosure is intended to embrace all such alterations, modifications, and variations that fall within the scope of this application, including the appended claims. As used herein, the term “includes” means includes but not limited to, the term “including” means including but not limited to. The term “based on” means based at least in part on. Additionally, where the disclosure or claims recite “a,” “an,” “a first,” or “another” element, or the equivalent thereof, it should be interpreted to include one or more than one such element, neither requiring nor excluding two or more such elements.
This application claims the benefit of U.S. Provisional Patent Application 62/114490 filed on Feb. 10, 2015, and entitled WIFI CLONE CONFIG, the entirety of which is incorporated herein by reference.
| Number | Date | Country | |
|---|---|---|---|
| 62114490 | Feb 2015 | US |
