Electronic devices, their control methods, programs, and storage media

The communication device's control mechanism allows for selecting a secure wireless direct connection method based on security settings, ensuring WPA3 compliance for enhanced security in wireless direct connections.

JP2026095125APending Publication Date: 2026-06-10CANON KK

Patent Information

Authority / Receiving Office
JP · JP
Patent Type
Applications
Current Assignee / Owner
CANON KK
Filing Date
2024-11-29
Publication Date
2026-06-10

AI Technical Summary

Technical Problem

Communication devices using the WFD R1 standard may not guarantee support for the more secure WPA3 security protocol, leading to potential security vulnerabilities in wireless direct connections, while WFD R2 requires support for WPA3, necessitating a mechanism to set a wireless direct connection method according to security settings.

Method used

A communication device is provided with a control mechanism to select a connection method that offers higher security settings, enabling connection via a first connection method that supports WPA3 when high-level security is configured.

Benefits of technology

Enables setting a wireless direct connection method based on security settings, ensuring secure communication by utilizing WPA3 when necessary, thereby enhancing security in wireless direct connections.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure 2026095125000001_ABST
    Figure 2026095125000001_ABST
Patent Text Reader

Abstract

The appropriate connection method must be determined according to the security settings of the communication device. [Solution] The communication device has a communication unit that performs wireless communication. The communication device connects to an external device by the communication means using either a first connection method that can provide a connection with a higher security level than the second connection method, or the second connection method. Security settings can also be configured. Furthermore, if a high security level is set, the communication device controls itself so that the first connection method is selected as the connection method for connecting to the external device.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] The present invention relates to an electronic device, a control method thereof, a program, and a storage medium.

Background Art

[0002] In recent years, with the increase in the amount of data to be communicated, the development of communication technologies such as wireless LAN (Local Area Network) has been promoted. As the main communication standards for wireless LAN, the IEEE (Institute of Electrical and Electronic Engineers) 802.11 standard series is known. The IEEE 802.11 standard series includes IEEE 802.11a / b / g / n / ac / ax standards, etc. For example, in the latest IEEE 802.11ax standard, by using OFDMA (Orthogonal Frequency-Division Multiple Access), high peak throughput of up to 9.6 gigabits per second (Gbps) and a technology for improving the communication speed in a congested situation are standardized. OFDMA is an abbreviation for Orthogonal Frequency-Division Multiple Access.

[0003] On the other hand, the Wi-Fi Alliance has formulated a program for authenticating wireless LAN devices. For example, the WFD standard that defines a procedure for establishing a communication link between wireless LAN stations (STAs) by exchanging communication parameters between the STAs without going through an access point (AP) has been formulated. WFD is an abbreviation for Wi-Fi Direct (registered trademark).

[0004] Also, the Wi-Fi Aware standard, which is a standard for discovering services provided by a device, has been formulated. For example, in Patent Document 1, there is a description of detecting a communication terminal using the provisions of the Wi-Fi Aware standard.

[0005] Communication devices may have the function of establishing a communication link in accordance with the Wi-Fi Direct (WFD) standard. For example, communication devices mutually detect the presence of a communication partner according to the detection procedure specified in the WFD standard and execute a connection procedure with the detected communication device. For example, a communication device may detect the presence of another communication device using a detection method that uses a Probe Request frame. This detection method is used in a communication standard or connection method called WFD R1. On the other hand, a communication device may detect the presence of another communication device using a detection method that uses a Service Discovery frame. This detection method is used in a communication standard or connection method called WFD R2. Security protocols used in the WFD connection procedure include WPA (Wi-Fi Protected Access), WPA2, and WPA3, and parameters are exchanged during the connection procedure to determine which security protocol to use. [Prior art documents] [Patent Documents]

[0006] [Patent Document 1] Japanese Patent Publication No. 2019-201427 [Overview of the Initiative] [Problems that the invention aims to solve]

[0007] As a security protocol, WFD R1 only needs to support WPA2; support for the more secure WPA3 is not mandatory. Therefore, communication using WPA3 is not guaranteed with communication partners connected via WFD R1. In contrast, WFD R2 requires support for WPA3. Thus, the security protocols that can be used may differ depending on the connection method. For this reason, communication devices need to determine the connection method that allows them to adopt the appropriate security protocol according to their security settings.

[0008] In view of the above problems, the present invention aims to provide a mechanism for setting a wireless direct connection method according to security settings. [Means for solving the problem]

[0009] To achieve the above objective, according to one aspect of the present invention, a communication means for performing wireless communication, A first control means that connects to an external device by the communication means using either the first connection method, which can provide a connection with a higher level of security than the second connection method, or the second connection method. A means of configuring security settings, The system includes a second control means that, when a high level security setting is configured by the setting means, controls the selection of the first connection method as the connection method for connecting to an external device. A communication device characterized by the above is provided. [Effects of the Invention]

[0010] According to the present invention, it is possible to set a wireless direct connection method according to the security settings of the communication device. [Brief explanation of the drawing]

[0011] [Figure 1] This figure shows an example of a system configuration. [Figure 2] This diagram shows an example of an MFP configuration. [Figure 3] This figure shows an example of the display on the operation display unit of an MFP. [Figure 4] This diagram shows the configuration of a mobile terminal device. [Figure 5] This is a diagram showing the configuration of an access point. [Figure 6] This is a sequence diagram illustrating the connection process of the conventional WFD standard. [Figure 7] This is a sequence diagram illustrating the connection process for the new WFD standard. [Figure 8] This figure shows an example of the security settings screen displayed on the MFP's operation display unit. [Figure 9] It is a diagram showing an example of the display of a wireless direct setting screen on the operation display unit of the MFP. [Figure 10A] It is a diagram showing an example of the display of a mobile portal screen on the operation display unit of the MFP. [Figure 10B] It is a diagram showing an example of the display of a mobile portal screen on the operation display unit of the MFP. [Figure 11] It is a flowchart for setting the operation version of WFD.

Embodiments for Carrying Out the Invention

[0012] Hereinafter, embodiments will be described in detail with reference to the accompanying drawings. Note that the following embodiments do not limit the invention according to the claims. Although a plurality of features are described in the embodiments, not all of these plurality of features are essential for the invention, and the plurality of features may be arbitrarily combined. Further, in the accompanying drawings, the same or similar configurations are denoted by the same reference numerals, and duplicate descriptions are omitted.

[0013] Note that this embodiment is merely an example, and specific examples of components, processing steps, display screens, etc. are not intended to limit the scope of the present invention thereto without special description.

[0014] (System Configuration) FIG. 1 shows a configuration example of the system according to this embodiment. This system is, for example, a wireless communication system in which a plurality of communication devices can communicate with each other wirelessly. In the example of FIG. 1, as communication devices, it includes a portable terminal device 104, an MFP 100, an AP 101 which is an access point, a DHCP server 103, and a network 110. The portable terminal device 104 is a device having a wireless communication function such as a wireless LAN. Hereinafter, the wireless LAN may be referred to as WLAN in some cases. The portable terminal device 104 can be a personal information terminal such as a PDA (Personal Digital Assistant), a mobile phone (smartphone), a digital camera, a personal computer, or the like.

[0015] The MFP100 is a printing device having a printing function, and may further have a reading function (scanner), a FAX function, and a telephone function. Also, the MFP100 of the present embodiment has a communication function capable of wireless communication with the mobile terminal device 104. In the present embodiment, the case where the MFP100 is used is described as an example, but it is not limited thereto. For example, a scanner device, a projector, a mobile terminal, a smartphone, a notebook PC, a tablet terminal, a PDA, a digital camera, a music playback device, a television, a smart speaker, etc., each having a communication function, may be used instead of the MFP100. Note that MFP is an acronym for Multi Function Peripheral (multifunction peripheral device).

[0016] The AP101 is provided separately (externally) from the mobile terminal device 104 and the MFP100 and operates as a WLAN base station device. A communication device having a WLAN communication function can communicate in the infrastructure mode of the WLAN via the AP101. Hereinafter, the access point may be referred to as "AP" in some cases. Also, the infrastructure mode may be referred to as the "wireless infrastructure mode" in some cases. The AP101 performs wireless communication with a communication device that has been permitted to connect to the self-device (authenticated), and relays the wireless communication between the communication device and other communication devices. Also, the AP101 can be connected to, for example, a wired communication network and relay the communication between a communication device connected to the wired communication network and other communication devices wirelessly connected to the AP101.

[0017] The DHCP server 103 connects to the MFP 100 via AP 101 and network 110, and provides services to the MFP 100 by responding to requests from the MFP 100. In Figure 1, the DHCP server 103 is described as being connected as a separate device from AP 101, but AP 101 may also have DHCP server functionality. The DNS server 105 connects to the MFP 100 and mobile terminal device 104 via AP 101 and network 110, and provides name resolution services by responding to requests from the MFP 100 and mobile terminal device 104. Here, network 110 may be the internet, a closed network within a company, or a mobile phone network.

[0018] (External configuration of the MFP) Figure 2(a) shows an example of the external configuration of the MFP100. The MFP100 includes, for example, a document tray 201, a document cover 202, a paper input slot 203, a paper output slot 204, and an operation display unit 205. The document tray 201 is a platform on which the document to be scanned is placed. The document cover 202 is a cover that holds down the document placed on the document tray 201 and prevents light from the light source that illuminates the document during scanning from leaking to the outside. The paper input slot 203 is an input slot that can accommodate paper of various sizes. The paper output slot 204 is an output slot for discharging paper after printing is complete. Paper set in the paper input slot 203 is transported to the printing unit one sheet at a time, and after printing is performed in the printing unit, it is discharged from the paper output slot 204. The operation display unit 205 is configured to include keys such as character input keys, cursor keys, select keys, and cancel keys, as well as LEDs and LCDs, and is configured to accept user input for activating various functions and setting various settings as an MFP. The operation display unit 205 may also be configured to include a touch panel display. The MFP 100 has a wireless communication function via WLAN, and although it does not necessarily need to be visible from the outside, it is configured to include a wireless communication antenna 206 for this wireless communication. Like the mobile terminal device 104, the MFP 100 can also perform wireless communication via WLAN in the 2.4GHz, 5GHz, and 6GHz frequency bands.

[0019] (MFP configuration) Figure 2(b) shows an example configuration of the MFP100. The MFP100 consists of a main board 211 that performs the main control of the device itself, and a wireless unit 226 which is a communication module that performs WLAN communication using at least one common antenna. The MFP100 also includes a modem 229 for wired communication, for example. The main board 211 consists of, for example, a CPU 212 (central processing unit), ROM 213, RAM 214, non-volatile memory 215, image memory 216, read control unit 217, data conversion unit 218, read unit 219, and code decoding unit 221. The main board 211 also includes, for example, a printing unit 222, a paper feeding unit 223, a print control unit 224, and an operation display unit 220. These functional units within the main board 211 are interconnected via a system bus 230 managed by the CPU 212. Furthermore, the main board 211 and the wireless unit 226 are connected, for example, via a dedicated bus 225, and the main board 211 and the modem 229 are connected, for example, via a bus 228.

[0020] The CPU 212 is a system control unit including at least one processor, and controls the entire MFP 100. In one example, the processing of the MFP 100 described below is realized by the CPU 212 executing a program stored in the ROM 213. Dedicated hardware may be provided for each process. The ROM 213 stores control programs and embedded OS programs that the CPU 212 executes. In this embodiment, the CPU 212 performs software control such as scheduling and task switching by executing each control program stored in the ROM 213 under the management of the embedded OS, which is also stored in the ROM 213.

[0021] RAM214 is composed of SRAM or the like. RAM214 stores data such as program control variables, user-registered settings, and MFP100 management data. RAM214 can also be used as a buffer for various work. Non-volatile memory 215 is composed of memory such as flash memory and continues to store data even when the MFP100 is powered off. Image memory 216 is composed of memory such as DRAM. Image memory 216 stores image data received via the wireless unit 226 and image data processed by the code decoding processing unit 221. Note that the memory configuration of MFP100 is not limited to the above configuration. The data conversion unit 218 performs analysis of various data formats and conversion from image data to print data.

[0022] The reading control unit 217 controls the reading unit 219 (for example, a CIS (contact image sensor)) to optically read the document placed on the document table 201. The reading control unit 217 converts the image obtained by optically reading the document into electrical image data (image signal) and outputs it. At this time, the reading control unit 217 may perform various image processing such as binarization and halftone processing before outputting the image data.

[0023] The operation display unit 220 is the same as the operation display unit 205 described with reference to Figure 2(a), and performs functions such as displaying information on the display based on display control by the CPU 212 and generating signals in response to user operations.

[0024] The encoding and decoding processing unit 221 performs encoding and decoding processing, as well as scaling processing, for image data (JPEG, PNG, etc.) handled by the MFP100.

[0025] The paper feed unit 223 holds paper for printing. The paper feed unit 223 can supply the set paper under the control of the print control unit 224. The paper feed unit 223 may include multiple paper feed units to hold multiple types of paper in one device, and the print control unit 224 can control which paper feed unit to use for feeding.

[0026] The print control unit 224 applies various image processing to the image data to be printed, such as smoothing, print density correction, and color correction, and outputs the processed image data to the print unit 222. The print unit 222 is configured to perform, for example, inkjet printing, and ejects ink supplied from the ink tanks from the print head to record an image on a recording medium such as paper. The print unit 222 may also be configured to perform other printing processes such as electrophotography. Furthermore, the print control unit 224 can periodically read information from the print unit 222 and update status information, including the remaining amount of ink in the ink tanks and the status of the print head, which is stored in the RAM 214.

[0027] The wireless unit 226 is a unit capable of providing WLAN communication functionality, and can provide similar functionality to, for example, a combination of the WLAN unit 401 of the mobile terminal device 104. That is, the wireless unit 226 converts data into packets according to the WLAN standard and transmits the packets to other devices, and also restores packets from other external devices to their original data and outputs it to the CPU 212. The wireless unit 226 is capable of communication as a station compliant with the IEEE 802.11 standard series. In particular, it is capable of communication as a station compliant with IEEE 802.11a / b / g / n / ac / ax. Hereafter, a station may be referred to as an STA.

[0028] The wireless unit 226 supports IEEE 802.11ax, i.e., Wi-Fi 6 (trademark), and can perform processing compliant with IEEE 802.11ax. In other words, the MFP100 can perform processing as an STA that supports (complies with) OFDMA, or as an STA that supports (complies with) TWT, or both. OFDMA stands for Orthogonal Frequency-Division Multiple Access. TWT stands for Target Wake Time. Because it supports TWT, the timing of data communication from the base station to the STA is adjusted. The wireless unit 226 (MFP100), acting as an STA, switches its communication function to sleep mode when there is no need to wait for signal reception. This reduces power consumption. The wireless unit 226 also supports Wi-Fi 6E (trademark). In other words, it can communicate in the 6GHz band (5.925GHz~7.125GHz). The 6GHz band does not have the same frequency bands where Dynamic Frequency Selection (DFS), which exists in the 5GHz band, is performed. Therefore, communication in the 6GHz band does not experience communication interruptions due to DFS waiting time, and a more comfortable communication experience can be expected. Although processing compliant with IEEE802.11ax is performed here, the mobile terminal device 104 and MFP100 may operate in compliance with other standards in the IEEE802.11 series. For example, they may be compliant with standards later than IEEE802.11be.

[0029] Furthermore, the mobile terminal device 104 and MFP 100 are capable of P2P (WLAN) communication based on WFD, and the wireless unit 226 has software access point (soft AP) functionality or group owner functionality. That is, the wireless unit 226 can build a P2P communication network and determine the channel to be used for P2P communication. WFD here is based on the standard developed by the Wi-Fi Alliance. The wireless unit 226 can also operate as a WFD client.

[0030] (MFP operation display) Figure 3 schematically shows an example of the screen display on the display (touch panel display) included in the operation display unit 220 of the MFP100. Figure 3(a) is an example of the home screen displayed when the MFP100 is powered on and no operations such as printing or scanning are being performed (idle state, standby state). In Figure 3(a), display items (menu items) corresponding to copy, scan, and cloud are displayed. Cloud is a menu item related to cloud functions that utilize internet communication. By selecting any of the menu items through key operations or touch panel operations, the MFP100 can start executing the corresponding settings or functions. The MFP100 can seamlessly display a screen different from Figure 3(a) by accepting key operations or touch panel operations on the home screen of Figure 3(a).

[0031] Figure 3(b) shows an example of another part of the home screen, which is a screen that can be accessed by performing an operation to display other pages of the home screen (such as sliding left or right) from the state shown in Figure 3(a). In Figure 3(b), display items (menu items) corresponding to communication settings, print, and photos are shown. When any of these menu items is selected, the function corresponding to the selected menu item, namely the print function, mobile portal function, or communication settings, is executed.

[0032] Figure 3(c) shows an example of the communication settings menu screen displayed when communication settings are selected in the screen shown in Figure 3(b). The communication settings menu screen displays the following menu items (options): "Wireless LAN," "Wired LAN," "Wireless Direct," "Bluetooth," and "Common." "Wireless LAN," "Wired LAN," and "Wireless Direct" are menu items for LAN settings, and from these items, users can configure settings such as wired connection settings, enabling / disabling wireless infrastructure mode, and enabling / disabling P2P modes such as WFD and soft AP mode. If the "Wireless LAN" item is selected and wireless LAN is enabled by the user, wireless infrastructure mode is enabled. If the "Wireless Direct" item is selected and wireless direct is enabled by the user, P2P (WLAN) mode is enabled. In addition, a common settings menu for each connection type is also displayed on this screen. Furthermore, from this screen, the user can configure settings such as the wireless LAN frequency band and frequency channel.

[0033] (External configuration of a mobile terminal device) Figure 4(a) shows an example of the external configuration of the mobile terminal device 104. In this embodiment, as an example, the case where the mobile terminal device 104 is a general-purpose smartphone is shown. The mobile terminal device 104 is composed of, for example, a display unit 402, an operation unit 403, and a power key 404. The display unit 402 is a display that includes, for example, an LCD (Liquid Crystal Display) type display mechanism. The display unit 402 may also display information using, for example, an LED (Light Emitting Diode). In addition to or instead of the display unit 402, the mobile terminal device 104 may also have a function to output information by voice. The operation unit 403 is composed of hard keys such as keys and buttons, a touch panel, etc., for detecting user operations. In this example, since the information display on the display unit 402 and the reception of user operations by the operation unit 403 are performed using a common touch panel display, the display unit 402 and the operation unit 403 are realized by a single device. In this case, for example, button icons or a software keyboard are displayed using the display function of the display unit 402, and the operation reception function of the operation unit 403 detects when the user touches these areas. Alternatively, the display unit 402 and the operation unit 403 may be separated, with separate hardware for display and hardware for operation reception. The power key 404 is a hard key for receiving user input to turn the power of the mobile terminal device 104 on or off.

[0034] The mobile terminal device 104 does not necessarily need to be visible from its external appearance, but it has a WLAN unit 401 that provides WLAN communication functionality. The WLAN unit 401 is configured to perform data (packet) communication in a WLAN system compliant with, for example, the IEEE 802.11 standard series (IEEE 802.11a / b / g / n / ac / ax, etc.). It is also capable of communication as an AP compatible with Wi-Fi Agile Multiband (trademark). However, it is not limited to this, and the WLAN unit 401 may be capable of performing communication in WLAN systems compliant with other standards. In this example, the WLAN unit 401 is assumed to be capable of communication in the 2.4GHz, 5GHz, and 6GHz frequency bands. Furthermore, the WLAN unit 401 is assumed to be capable of performing WFD-based communication, communication in soft AP mode, communication in wireless infrastructure mode, etc. The operation in these modes will be described later.

[0035] (Configuration of mobile terminal devices) Figure 4(b) shows an example of the configuration of a mobile terminal device 104. In one example, the mobile terminal device 104 has a main board 411 that performs the main control of the device itself, and a WLAN unit 429 that performs WLAN communication. The main board 411 includes, for example, a CPU 412, ROM 413, RAM 414, image memory 415, data conversion unit 416, telephone unit 417, GPS 419, camera unit 421, non-volatile memory 422, data storage unit 423, speaker unit 424, and power supply unit 425. Here, CPU is an acronym for Central Processing Unit, ROM for Read Only Memory, RAM for Random Access Memory, and GPS for Global Positioning System. The mobile terminal device 104 also includes a display unit 420 and an operation unit 418. These functional units within the main board 411 are interconnected via a system bus 628 managed by the CPU 412. Furthermore, the main board 411 and the WLAN unit 429 (the aforementioned WLAN unit 401) are connected, for example, via a dedicated bus 426.

[0036] The CPU 412 is a system control unit including at least one processor, and controls the entire mobile terminal device 104. In one example, the processing of the mobile terminal device 104 described below is realized by the CPU 412 executing a program stored in the ROM 413. Dedicated hardware may be provided for each process. The ROM 413 stores control programs and embedded operating system (OS) programs that the CPU 412 executes. In this embodiment, the CPU 412 performs software control such as scheduling and task switching by executing each control program stored in the ROM 413 under the management of the embedded OS, which is also stored in the ROM 413.

[0037] RAM 414 is composed of SRAM (Static RAM) or the like. RAM 414 stores data such as program control variables, user-registered settings, and management data for the mobile terminal device 104. RAM 414 can also be used as a buffer for various tasks. Image memory 415 is composed of memory such as DRAM (Dynamic RAM). Image memory 415 temporarily stores image data received via the WLAN unit 429 and image data read from the data storage unit 423 for processing by the CPU 412. Non-volatile memory 422 is composed of memory such as flash memory, and continues to store data even when the power to the mobile terminal device 104 is turned off. Note that the memory configuration of the mobile terminal device 104 is not limited to the above configuration. For example, image memory 415 and RAM 414 may be shared, or data backup may be performed using the data storage unit 423. In this embodiment, DRAM is given as an example of image memory 415, but other storage media such as hard disks or non-volatile memory may be used.

[0038] The data conversion unit 416 performs data analysis of various formats and data conversions such as color conversion and image conversion. The telephone unit 417 controls the telephone line and processes the voice data input and output via the speaker unit 424 to enable telephone communication. The GPS 419 receives radio waves transmitted from satellites and acquires location information such as the current latitude and longitude of the mobile terminal device 104.

[0039] The camera unit 421 has the function of electronically recording and encoding images input through the lens. Image data obtained by imaging with the camera unit 421 is stored in the data storage unit 423. The speaker unit 424 has the function of inputting or outputting sound for telephone functions, and also controls functions such as alarm notifications. The power supply unit 425 is, for example, a portable battery and controls the power supply to the device. Power states include, for example, a battery-dead state where there is no remaining battery power, a power-off state where the power key 404 is not pressed, a normal startup state, and a power-saving state where the device is running but power-saving.

[0040] The display unit 420 is the same as the display unit 402 described with reference to Figure 4(a), and, based on the control of the CPU 412, displays various input operations, the operating status of the MFP 100, and the status status. The operation unit 418 is the same as the operation unit 403 described with reference to Figure 4(a), and, upon receiving a user operation, performs control such as generating an electrical signal corresponding to that operation and outputting it to the CPU 412.

[0041] The mobile terminal device 104 uses a WLAN unit 429 to perform wireless communication and communicate data with other devices such as the MFP 100. The WLAN unit 429 converts data into packets and transmits them to other devices. The WLAN unit 429 also restores packets from external devices back to their original data and outputs it to the CPU 412. The WLAN unit 429 is a unit that enables communication compliant with WLAN standards. The WLAN unit 429 can operate in parallel in at least two communication modes, including wireless infrastructure mode and P2P (WLAN) mode. The frequency bands used in these communication modes may be limited by the hardware functions and performance.

[0042] (Access point configuration) Figure 5 is a block diagram showing the configuration of AP101, which has wireless LAN access point functionality. It consists of a main board 510 that controls AP101, a wireless LAN unit 516, a wired LAN unit 518, and operation buttons 520.

[0043] The microprocessor-type CPU 511 located on the main board 510 operates according to the control program stored in the ROM-type program memory 513, which is connected via the internal bus 512, and the contents of the RAM-type data memory 514. The CPU 511 performs wireless LAN communication with other communication terminal devices by controlling the wireless LAN unit 516 through the wireless LAN communication control unit 515. The CPU 511 also performs wired LAN communication with other communication terminal devices by controlling the wired LAN unit 518 through the wired LAN communication control unit 517. The CPU 511 can accept user input via the operation buttons 520 by controlling the operation control circuit 519. The CPU 511 includes at least one processor.

[0044] The AP101 also includes an interference wave detection unit 521 and a channel changing unit 522. The interference wave detection unit 521 performs interference wave detection processing when wireless communication is being performed in a band where DFS (Dynamic Frequency Selection) is implemented. The channel changing unit 522 performs channel changing processing when an interference wave is detected while wireless communication is being performed in a band where DFS is implemented, and when it is necessary to immediately switch to an available channel.

[0045] (P2P communication method) Next, we will outline the P2P (WLAN) communication method, which allows devices to communicate directly wirelessly with each other without the need for an external access point. P2P (WLAN) communication can be implemented using multiple methods; for example, a communication device can support multiple modes for P2P (WLAN) communication and selectively use one of these modes to perform P2P communication (WLAN).

[0046] Two P2P modes are assumed: • Soft AP mode • Wi-Fi Direct (WFD) mode A communication device capable of performing P2P communication may be configured to support at least one of these modes. On the other hand, a communication device capable of performing P2P communication is not required to support all of these modes, but may be configured to support only some of them.

[0047] A communication device with WFD communication capabilities (for example, a mobile terminal device 104) receives user input via its control panel, thereby calling a (possibly dedicated) application to implement its communication functionality. The communication device then displays a UI (user interface) screen provided by the application to prompt user input, and can perform WFD communication based on the received user input.

[0048] ● Soft AP mode In soft AP mode, a communication device (e.g., mobile terminal device 104) acts as a client requesting various services. The other communication device (e.g., MFP100) acts as a soft AP capable of performing WLAN AP functions through software configuration. The commands and parameters transmitted and received when establishing a wireless connection between the client and the soft AP only need to be those specified in the Wi-Fi® standard, so their explanation is omitted here. In addition, the MFP100 operating in soft AP mode determines the frequency band and frequency channel as the master station. Therefore, the MFP100 can select which frequency band to use from 2.4GHz, 5GHz, or 6GHz, and which frequency channel to use within that frequency band. In soft AP mode, there is no negotiation to determine roles, and compliance with the WFD standard established by the Wi-Fi Alliance is not required.

[0049] ●WFD mode The MFP100 may be configured to start permanently as the master station in WFD mode (Autonomous Group Owner). In this case, the GO Negotiation process to determine the role is unnecessary. Also, in this case, the MFP100 determines the frequency band and frequency channel as the master station. Therefore, the MFP100 can select which frequency band to use from 2.4GHz, 5GHz, or 6GHz, and which frequency channel to use within that frequency band. Alternatively, in WFD mode, the configuration may include GO Negotiation to determine which device will operate as the group owner and which as a client.

[0050] (Wireless infrastructure mode) In wireless infrastructure mode, communication devices that communicate with each other (for example, the mobile terminal device 104 and the MFP 100) are connected to an external access point (AP) that manages the network (for example, AP 101), and communication between communication devices takes place via that AP. In other words, communication between communication devices is performed via the network established by the external AP. When the mobile terminal device 104 and the MFP 100 each discover AP 101, send connection requests to AP 101, and connect, communication between these communication devices in wireless infrastructure mode via AP 101 becomes possible. Note that multiple communication devices may be connected to separate APs. In this case, data transfer between APs enables communication between communication devices. The commands and parameters sent and received during communication between each communication device via the access point can be those specified in the Wi-Fi standard, so their explanation is omitted here. Also, in this case, AP 101 determines the frequency band and frequency channel. Therefore, the AP101 can select which frequency band to use from 2.4GHz, 5GHz, or 6GHz, and which frequency channel to use within that frequency band.

[0051] Here, we will assume that there are two WFD standards: a conventional standard and a new standard. In other words, there are multiple WFD standards with different versions. The conventional WFD standard will be called WFD R1, and the new WFD standard will be called WFD R2. WFD R1 and WFD R2 differ in their methods for device discovery and parameter exchange.

[0052] (Connection processing for the conventional WFD standard) The mobile terminal 104 and MFP100 support the functionality known as Wi-Fi Direct. Wi-Fi Direct is a function that allows Wi-Fi Direct-compatible devices to establish their own Wi-Fi network without the need for an internet connection. Specifically, Wi-Fi Direct-compatible devices such as the mobile terminal 104 and MFP100 can connect directly to each other even in environments without AP101 or similar equipment.

[0053] Figure 6 is a sequence diagram of the process by which the mobile terminal device 104 and the MFP 100 connect in accordance with the WFD standard. Here, the processing sequence for WFD R1 is shown. In this sequence, the processing performed by each device is realized by the CPU of each device reading various programs stored in the memory such as ROM into RAM and executing them.

[0054] For example, the mobile terminal device 104 and MFP 100 begin processing a sequence when they receive a WFD start command from the user. Upon receiving the WFD start command from the user, the mobile terminal device 104 and MFP 100 search for the other device by repeatedly switching between the Listen state and the Search state. There may be a period before these states in which each channel is scanned. In the Listen state, for example, channel 1 in 2.4 GHz is selected and awaits Probe Request frames from other communication devices. In the Search state, Probe Request frames are sent while switching between frequency channels (e.g., channel 1, channel 6, channel 11) and awaits Probe Response frames.

[0055] In S601, the mobile terminal device 104 sends a Probe Request frame to search for a WFD communication device. By sending a Probe Request frame, it searches for the other device being searched. Here, the searching communication device is the mobile terminal device 104, and the other device being searched is the MFP 100. The Probe Request frame has the WFD attribute (P2P IE), which identifies the target of the search as a WFD communication device.

[0056] In S602, when MFP100 receives a Probe Request frame, it transmits a Probe Response frame. The mobile terminal device 104 detects MFP100, which is the WFD communication partner, upon receiving the Probe Response frame transmitted by MFP100. Note that the Probe Request frame and Probe Response frame may include P2P IE and Multi-Link elements. Multi-Link elements may include communication parameters used for multi-link communication as defined in the IEEE 802.11be standard. This makes it possible to set up multiple links between communication devices with a single connection procedure. Thus, WFD R1 can detect the presence of other communication devices using a first search process that utilizes Probe Request / Response frames. The first search process described above is the search sequence of WFD R1.

[0057] In S603, the mobile terminal device 104 and the MFP 100 perform GO Negotiation processing. In GO Negotiation, the channel to be used for wireless communication may be determined directly. In GO Negotiation processing, the mobile terminal device 104 and the MFP 100 determine the roles of P2P group owner (GO) and P2P client by sending or receiving GO Negotiation Request / Response frames containing intent values ​​indicating the degree to which they want to become a GO. Alternatively, the MFP 100 may be configured to start permanently as a master station (GO) in WFD mode (Autonomous Group Owner). In this case, GO Negotiation processing to determine the role is unnecessary. The MFP 100 may also be configured to perform GO Negotiation processing but always operate as a GO by setting its intent value to the maximum of 15. In this case, the MFP 100 determines the frequency band and frequency channel to be used for wireless communication directly as a master station. Therefore, the MFP 100 can select whether to use the 2.4GHz or 5GHz frequency band, and which frequency channel to use within that frequency band.

[0058] In S604, the mobile terminal device 104 and the MFP 100 exchange communication parameters using WPS (Wi-Fi Protected Setup) processing. These communication parameters may include parameters used for wireless communication, such as SSID (Service Set Identifier), encryption method, encryption key, authentication method, AKM, BSSID, and MAC Address. AKM stands for Authentication and Key Management. AKM indicates the authentication protocol and key exchange algorithm used for wireless communication. For example, if AKM is "SAE," the communication parameters may include a password for connecting to an AP or GO compatible with WPA (Wi-Fi Protected Access) 3. If AKM is "psk," the communication parameters may include a PSK (Pre-Shared Key) / passphrase for connecting to an AP or GO compatible with WPA2. If AKM is "1X," it may include an ID, password, public key, etc., for connecting to an AP compatible with WPA-Enterprise. The password and PSK / passphrase are encryption keys used when performing authentication and key exchange based on WPA or IEEE 802.11. The WPS processing in S604 is the communication parameter exchange sequence for WFD R1. Furthermore, from processing S604 onwards, the channel used for communication may be changed from the channel used in S601-603.

[0059] In S605, when the MFP100 determines that it will operate as a GO, it begins transmitting a Beacon frame. The Beacon frame may contain communication parameters for communicating with the MFP100. The Beacon frame may also contain information elements and attributes as defined in the WFD standard. This allows communication devices other than the mobile terminal device 104 to detect the presence of the MFP100 and establish a direct wireless communication connection with it. For example, other communication devices can detect the presence of the MFP100 by receiving a Beacon frame containing information defined in the WFD standard.

[0060] At S606, the mobile terminal device 104 sends a Probe Request frame to perform the connection procedure with the MFP 100. At S607, upon receiving the Probe Request frame, the MFP 100 sends a Probe Response frame.

[0061] In S608, the mobile terminal device 104 transmits an Authentication frame. In S609, when the MFP 100 receives an Authentication frame, it transmits an Authentication frame.

[0062] In S610, when the mobile terminal device 104 receives an Authentication frame, it sends an Association Request frame. In S611, when the MFP 100 receives an Association Request frame, it sends an Association Response frame.

[0063] In S612, the mobile terminal device 104 and the MFP 100 perform a 4-way handshake. By performing this connection procedure, a connection is established between the mobile terminal device 104 and the MFP 100.

[0064] Furthermore, although not shown in the sequence described above, the mobile terminal device 104 and the MFP 100 may also be configured to send or receive Provision Discovery Request / Response frames. Alternatively, the processing of the mobile terminal device 104 and the MFP 100 as described above may be reversed.

[0065] (Connection process for the new WFD standard) Figure 7 is a sequence diagram of the process by which the mobile terminal device 104 and the MFP 100 connect in accordance with the WFD standard. Here, the processing sequence for WFD R2 is shown. In this sequence, the processing performed by each device is realized by the CPU of each device reading various programs stored in the memory such as ROM into RAM and executing them.

[0066] For example, the mobile terminal device 104 and the MFP 100 begin processing the sequence when they receive a WFD start command from the user. The WFD R2 search sequence performs a second search process. An example of the search procedure by the second search process is shown below. In this search procedure, each mobile terminal device 104 and MFP 100 performs processing based on whether it is a communication device on the service provider side or a communication device on the service request side, and detects other communication devices. Communication devices on the service provider side may be called Publisher, Listener, Advertiser, etc. Communication devices on the service request side may be called Subscriber, Searcher, Seeker, etc. For example, a communication device on the service request side may send a frame to detect other communication devices. Also, a communication device on the service provider side may receive and respond to frames sent by other communication devices. The role assigned to a communication device may be determined by a higher layer (service layer, etc.). Figure 7 shows an example in which the mobile terminal device 104 operates as a communication device on the service request side and the MFP 100 operates as a communication device on the service provider side. For example, the mobile terminal device 104 intermittently performs detection operations and transmits frames to detect other communication devices. In the second discovery process, the mechanism of the Wi-Fi Aware standard, for example, developed by the Wi-Fi Alliance, may be used. In other words, the frames communicated in the second discovery process may be frames defined in the Wi-Fi Aware standard. Furthermore, other service discovery protocols and methods, not limited to the Wi-Fi Aware standard, may also be used in the second discovery process.

[0067] In S701, the mobile terminal device 104 transmits a Service Discovery frame to search for a WFD communication device. Here, we assume that the Service Discovery is transmitted on channel 6 of 2.4GHz. By transmitting the Service Discovery frame, the mobile terminal device 104 searches for the other device being searched. Here, we assume that the searching communication device is the mobile terminal device 104 and the other device being searched is the MFP 100. The Service Discovery frame has the WFD attribute, which identifies the target of the search as a WFD communication device.

[0068] In S702, when MFP100 receives a Service Discovery frame, it transmits a Service Discovery frame. The Service Discovery frame transmitted here may be called an SDF Follow-up. Upon receiving the Service Discovery frame, the mobile terminal device 104 detects MFP100, which is the WFD communication partner. The second search process described above is the search sequence for WFD R2. Because the first search process of WFD R1 and the second search process of WFD R2 use different methods, a communication device that only supports WFD R1 cannot be searched using the WFD R2 method. Conversely, a communication device that only supports WFD R2 cannot be searched using the WFD R1 method.

[0069] In S703, the mobile terminal device 104 sends a request using a Bootstrapping Request frame. This request concerns the method for exchanging communication parameters. Using this frame, the mobile terminal device 104 can notify the MFP 100 of the exchange methods it can execute from among, for example, button presses, PIN codes, passphrases, QR codes (registered trademarks), NFC tags, etc. For example, if the mobile terminal device 104 can execute the exchange method using a QR code, it can indicate at least whether it can display or read QR codes. Also, if the mobile terminal device 104 can execute the exchange method using a passphrase, it can indicate whether it can use either a string or a number, or both. Furthermore, if the mobile terminal device 104 can execute the exchange method using a passphrase, it can indicate at least whether it can display or input passphrases. In addition, the mobile terminal device 104 can indicate whether it can use a button press as a trigger for exchanging communication parameters. The information that the mobile terminal device 104 can notify is not limited to these.

[0070] In S704, the MFP100 responds to a request using a Bootsstrapping Request frame by sending a response to the mobile terminal device 104 using a Bootsstrapping Response frame. For example, the MFP100 may select an exchange method that it can execute from among the exchange methods included in the request from the mobile terminal device 104 and send a response containing information that identifies that exchange method. If there is no exchange method that the MFP100 can execute among the exchange methods included in the request, it may send a response containing information indicating that.

[0071] In S705, bootstrapping is performed using an exchange method for exchanging communication parameters determined between communication devices, and the exchange of communication parameters is executed. For example, MFP100 displays a QR code, and the mobile terminal device 104 reads the QR code to exchange communication parameters. The bootstrapping process in S705 is the communication parameter exchange sequence for WFD R2.

[0072] In S706, mutual authentication can be performed using PASN authentication. PASN is an abbreviation for Preassociation Security Negotiation. Communication parameters for using PASN may include the public key of each communication device. Communication parameters for using PASN may be exchanged using methods not specified in the WFD standard, such as Bluetooth. Alternatively, a temporary network including an AP may be configured, and the communication devices may obtain the communication parameters by connecting to that network. In PASN, the mobile terminal device 104 and the MFP 100 may perform GO Negotiation processing. In GO Negotiation, the channel to be used for wireless communication may be determined directly. In GO Negotiation processing, the roles of P2P group owner (GO) and P2P client are determined. In addition, the MFP 100 may be set to start permanently as the master station in WFD mode (Autonomous Group Owner). In this case, GO Negotiation processing to determine roles is unnecessary. The MFP 100 may perform GO Negotiation processing by setting its intent value to the maximum of 15, but may always operate as the MFP 100. In this case, the MFP100, acting as the master station, directly determines the frequency band and frequency channel to be used for wireless communication. Therefore, the MFP100 can select which frequency band to use from 2.4GHz, 5GHz, or 6GHz, and which frequency channel to use within that frequency band. In WFD R1, the frequency bands that could be used for direct wireless communication were 2.4GHz and 5GHz, but in WFD R2, in addition to 2.4GHz and 5GHz, 6GHz can also be used for direct wireless communication. Also, unlike R1, WFD R2 determines the role after exchanging communication parameters. From processing S707 onwards, the channel used for communication may be changed from the channel used in S701-706.

[0073] In S707, when the MFP100 determines that it will operate as a GO, it begins transmitting a Beacon frame. The Beacon frame may contain communication parameters for communicating with the MFP100. The Beacon frame may also contain information elements and attributes as defined in the WFD standard. This allows communication devices other than the mobile terminal device 104 to detect the presence of the MFP100 and establish a connection with it. For example, other communication devices can detect the presence of the MFP100 by receiving a Beacon frame containing information defined in the WFD standard.

[0074] At S708, the mobile terminal device 104 sends a Probe Request frame to perform the connection procedure with the MFP 100. At S709, when the MFP 100 receives the Probe Request frame, it sends a Probe Response frame.

[0075] In S710, the mobile terminal device 104 transmits an Authentication frame. In S711, when the MFP 100 receives an Authentication frame, it transmits an Authentication frame.

[0076] In S712, when the mobile terminal device 104 receives an Authentication frame, it sends an Association Request frame. In S713, when the MFP 100 receives an Association Request frame, it sends an Association Response frame.

[0077] In S714, the mobile terminal device 104 and the MFP 100 perform a 4-way handshake. By performing this connection procedure, a connection is established between the mobile terminal device 104 and the MFP 100.

[0078] The processing configurations for the mobile terminal device 104 and MFP 100 described above may be reversed. Furthermore, whether a device is WFD R1 compatible or WFD R2 compatible can be indicated in the P2P IE.

[0079] ●Security settings in MFP The following describes the security settings in the MFP100 of this embodiment and the security management corresponding to those settings. In this specification, the term "wireless direct connection" refers to a connection using wireless communication compliant with the WFD standard, and includes WFD R1 and WFD R2. Communication using a wireless direct connection is sometimes referred to as wireless direct communication. WFD R1 supports WPA and WPA2 as wireless LAN security protocols, but WPA3 is not necessarily supported. On the other hand, WFD R2 supports WPA2 and WPA3 as wireless LAN security protocols. WPA3 is a security protocol with higher encryption strength and key security compared to WPA and WPA2. For example, WPA3-personal generates a different PMK (Pairwise Master Key) for each connection from a PSK (Pre-Shared Key). This prevents data decryption by reconnecting even if the password is leaked or cracked. The security protocol includes, for example, the specification of the authentication method and the encryption method (encryption algorithm), and is sometimes referred to as the encryption method.

[0080] Figure 8 schematically shows an example of the security settings screen display on the display (touch panel display) included in the operation display unit 220 of the MFP100. Figure 8(a) is an example of the common settings menu screen that is displayed when common settings are selected in the communication settings screen shown in Figure 3(c). The common settings menu screen displays the menu item "Security Settings".

[0081] Figure 8(b) shows an example of the security settings menu screen displayed when security settings are selected in the common settings screen shown in Figure 8(a). The security settings menu screen displays "Security Policy Settings" and "Recommended Security Settings" as menu items (options).

[0082] Figure 8(c) shows an example of the security policy settings screen displayed when security policy settings are selected in the security settings screen of Figure 8(b). A security policy is a basic policy regarding information security determined for each office, applicable to personal computers (PCs), server equipment, and communication devices such as multifunction printers and printers connected to an office network. Here, server equipment includes server equipment such as file servers and authentication servers. A security administrator, for example, might set a security policy such as "prohibit the use of weak encryption" as one item in the security policy settings for strengthening security, and configure it on the communication device. This prohibits the use of weak encryption in order to meet the security standards specified in NIST SP800-57. Weak encryption, in other words, is encryption with a low security level. Specifically, encryption with a low security level is, for example, encryption that uses an encryption key with a key length of 1024 bits or less for communication. When the security policy "prohibit the use of weak encryption" is applied to a communication device, the communication device will not be able to communicate using encryption keys and certificates that violate that security policy. In this embodiment, security policy settings are applied to communications such as TLS (Transport Layer Security), IPSec, Kerberos, S / MIME, and SNMPv3. Specifically, if a security policy is set to "prohibit the use of weak encryption," then in at least one of the aforementioned communications, the use of encryption keys with a key length of 1024 bits or less for public-key cryptography (RSA / DSA / DH) is prohibited. The content of the prohibited communications is not limited to the above-described form. For example, it may be a form in which communications using low-security encryption methods are prohibited. Specifically, for example, if a security policy is set to "prohibit the use of weak encryption," communications using encryption methods such as RC2, RC4, and DES as symmetric-key cryptography may be prohibited. In this form, for example, even if a security policy is set to "prohibit the use of weak encryption," communications using encryption methods such as 3DES and AES may be permitted.

[0083] On the security policy settings screen, users can configure whether to "allow" or "prohibit" the use of weak encryption. For WFD connection settings, setting the use of weak encryption to "prohibit" is treated as a "high" security setting, or a high level of security setting. Here, "high level" means higher than the security setting that allows the use of weak encryption, and can be rephrased as a specific level. When a high-level security setting is applied, a security policy is applied that prohibits the use of WFD R1, which may not be able to establish a WPA3 connection (a security protocol compatible with high levels), and only allows WFD R2, which can establish a connection using WPA3. In other words, if a security policy of "prohibiting the use of weak encryption" is applied to a communication terminal, the communication terminal will apply controls to restrict the use of weak encryption in both TLS and WFD communication.

[0084] When a security policy is set that includes prohibiting the use of weak encryption, WFD is controlled to prevent the use of wireless connections that do not support security protocols with a security level corresponding to high security settings. In this example, a security protocol using strong encryption that meets the criteria recommended in NIST SP800-57 is a security protocol with a predetermined level of security that corresponds to high security settings, or a higher level. A connection method (e.g., WFD R2) that can use the relevant protocol (e.g., WPA3) is a connection method that corresponds to high security settings. Specifically, in order to control the use of security protocols that do not correspond to high security settings, connection methods other than WPA3 may be excluded from the user's choice of connection method. Note that while NIST SP800-57 is referred to here as the criterion for high and low security levels, other standards may also be used as criteria.

[0085] Figure 8(d) shows an example of the recommended security settings screen displayed when the recommended security settings are selected in Figure 8(b).

[0086] The Recommended Security Settings screen allows you to select the environment type in which the MFP100 is installed ("Company Intranet," "Direct Internet Connection," "Internet Restriction," "Work from Home," "Public Space," or "High-Confidentiality Information Management"), and configure settings accordingly in one go. Table 1 shows examples of environment types and their respective setting values. Settings marked as "Optional" in Table 1 do not apply the on / off settings defined according to the selected environment type and will not change from their current values. In this embodiment, for example, the settings executed on the Recommended Security Settings screen will be applied to communications such as TLS, IPSec, Kerberos, S / MIME, and SNMPv3.

[0087] [Table 1]

[0088] An internal company intranet is assumed to be a typical office environment where many people gather and use the internet to access some cloud services. It has the largest number of connected devices compared to other environments. In such an environment, a managed firewall is typically in place at the boundary with the external network, and access is restricted to employees only. A balanced approach is used, combining security measures at the user environment level with security measures at each individual terminal.

[0089] Direct internet connection assumes an environment where an internet connection is established in order to use cloud services. Since the connected information device, in this example the MFP100, connects to the server providing the cloud service via the internet, encryption of the communication path is essential.

[0090] An internet-blocking network is designed for environments where internet connectivity is blocked as a network topology, due to reasons such as the use of outdated protocols. The number of connected information devices is relatively small. By implementing robust security measures on the user environment side, the level of security measures required on the terminal side can be reduced.

[0091] "Working from home" refers to a home network designed for remote work, where a small-scale LAN used within the home is used directly for remote work. The number of connected information devices is the smallest. Assuming that security measures on the user's network cannot be relied upon as much, it is necessary to implement a balanced approach to security measures on the terminal side.

[0092] Public spaces are defined as open spaces where a large number of people come and go and share a network. This includes airport lounges and co-working spaces that are open to guests, and are used under less stringent entry restrictions. The number of connected information devices is relatively large. Security measures implemented by the user environment should not be relied upon, and security measures should be implemented on the device side, even if it means sacrificing some functionality.

[0093] High-security management is a typical office environment where access is restricted. The information devices that can connect are also restricted. In other words, the "high-security management" environment type is one where access to the MFP100 is restricted. In such an environment, a managed firewall is typically installed at the boundary with the external network.

[0094] For WFD connection settings, "Direct Internet Connection" and "High Confidentiality Management," which have restrictions on the information devices that can be connected, are treated as having a "High" security setting. If a high level of security setting is in place, that is, if either of the two environment types, "Direct Internet Connection" or "High Confidentiality Management," is set, the use of WFD R1 will be prohibited, similar to the setting "Prohibit Weak Encryption." In this example, both environment types are set to a high level of security, but any one of them may be used. As mentioned above, a security policy that prohibits the use of weak encryption is also a high level of security setting, and if either this or the environment type setting mentioned above is at a high level, the security setting can be considered high level.

[0095] WFD R1 requires support for WPA and WPA2, while WPA3 support is optional. WFD R2 requires support for WPA2 and WPA3, but does not support WPA. Therefore, when the security setting is "high," the use of WFD R1 is prohibited, and connections using WPA2 are suppressed in the WFD R2 connection process, thereby limiting WFD connections to connections using WPA3. On the other hand, if the security setting is determined to be not "high," WFD R1 can be used as the connection method. A security setting not being "high" means that the use of weak encryption in the security policy setting is "allowed," and the environment type setting is neither "direct internet connection" nor "high confidentiality management." In that case, even if WFD R2 is used, the security protocol is not limited to WPA3, so connections using WPA or WPA2 are possible. In the environment type setting, a setting that is not a high-level security setting (i.e., a low-level security setting) is an environment type setting that is neither "direct internet connection" nor "high confidentiality management." The security policy settings selected in Figure 8(c) and the environment type settings selected on the screen in Figure 8(d) are stored, for example, in non-volatile memory 215 and referenced by the CPU 212 during the processing shown in Figure 11, which will be described later.

[0096] Figure 9 schematically shows an example of the display of the wireless direct setting screen on the display (touch panel display) included in the operation display unit 220 of the MFP100. Figure 9(a) is an example of the menu screen displayed when wireless direct is selected in the communication setting screen of Figure 3(c). On the wireless direct mode setting screen, you can set whether to use "Wi-Fi Direct" or "Access Point Mode" which conform to the Wi-Fi Direct standard for wireless direct.

[0097] Figure 9(b) shows an example of the operating version setting displayed when "Wi-Fi Direct" is selected in the wireless direct settings screen shown in Figure 9(a). The Wi-Fi Direct settings screen allows you to set whether to use WFD R1 or WFD R2 as the version or connection method.

[0098] Figure 9(c) shows an example of the operating version setting displayed when "Wi-Fi Direct" is selected on the wireless direct settings screen in Figure 9(a) and high-level security settings are enabled, i.e., when the use of WFD R1 is prohibited. The WFD R1 setting is grayed out and the button is disabled so that it cannot be selected. As mentioned above, high-level security settings include, for example, when the use of weak encryption is prohibited on the security policy settings screen in Figure 8(c), or when Internet connection or high-security information management is set on the environment type settings screen in Figure 8(d).

[0099] ●WFD connection procedure Figures 10A and 10B schematically show an example of the mobile portal screen display on the display (touch panel display) included in the operation display unit 220 of the MFP100. Figure 10A(a) is an example of the mobile portal screen display shown when the mobile portal function is selected in Figure 3(b). Pressing the start button executes the wireless direct connection process according to the wireless direct mode. In WFD mode, the WFD connection process of the version corresponding to the operation version setting is executed.

[0100] Figure 10A(b) shows an example of the screen displayed when the connection process is started in WFD mode. The connection destination can be determined by selecting the mobile terminal device to connect to from the device list 1001. Pressing the Exit button terminates the WFD mode connection process.

[0101] Figure 10A(c) shows the screen displayed when the connection process is initiated on WFD R1 and a connection request is received from the mobile terminal device 104 during the GO Negotiation process. Pressing "Yes" allows the connection and executes the subsequent processing sequence. Pressing "No" terminates the WFD connection process.

[0102] Figures 10B(d1) to (d3) show examples of screens displayed when connection processing is initiated on WFD R2 and communication parameters are exchanged, determined by the communication of Bootstrapping Request and Bootstrapping Response with the mobile terminal device 104. In Figure 10A(b), either a device is selected from the device list 1001, or a Bootstrapping Request is received from the mobile terminal device 104, and one of the communication parameter exchange screens is displayed once the method of exchanging communication parameters with the mobile terminal device 104 is determined. Depending on the determined communication parameter exchange method, one of the screens shown in Figures 10B(d1) to (d3) is displayed. Figure 10B(d1) is the screen where the MFP 100 displays a QR code (registered trademark), Figure 10B(d2) is the screen where the MFP displays a PIN code, and Figure 10B(d3) is the screen where the PIN code is entered on the MFP. In Figures 10B(d1) and (d2), the user enters the QR code (registered trademark) or PIN code displayed on the respective screen using the mobile terminal 104, or in Figure 10B(d3), the user enters the PIN using the MFP 100.

[0103] Figure 10B(e) shows an example of the screen displayed when the authentication process for WFD connection processing is initiated. In WFD R1, this screen is displayed by selecting the mobile terminal device to connect from the device list in Figure 10A(b), or by pressing "Yes" in Figure 10A(c). In WFD R2, this screen is displayed in Figure 10B(d) after the exchange of communication parameters is complete.

[0104] Figure 10B(f) shows an example of the screen displayed when the WFD connection process is completed.

[0105] ● Wireless direct setup and connection processing Figure 11(a) is a flowchart showing how the MFP100 sets the WFD operating version. In this flowchart, the processes performed by each device are realized by the CPU 212 loading various programs stored in the memory, such as the ROM 213, of the MFP100 communication device into the RAM 214 and executing them. When Wireless Direct is selected on the screen shown in Figure 3(c) and the mode setting screen shown in Figure 9(a) is displayed, the process shown in Figure 11 begins.

[0106] In S1101, CPU212 detects that Wi-Fi Direct has been selected on the mode setting screen. If a selection of the operating version is detected, the process proceeds to S1102; otherwise, it terminates. Alternatively, S1101 can be repeated while waiting for a selection.

[0107] In S1102, the CPU 212 determines whether a high level of security settings are configured. For example, if the use of weak encryption is prohibited by the security policy settings, or if the environment type configured by the recommended security settings is "direct internet connection" or "high confidentiality management," then it is determined that a high level of security settings are configured. On the other hand, if the use of weak encryption is permitted by the security policy settings, or if the environment type configured by the recommended security settings is anything other than "direct internet connection" or "high confidentiality management," then it is determined that a high level of security settings are not configured. As mentioned above, the settings by the security policy settings and the settings by the recommended security settings are executed via the screens shown in Figures 8(c) and (d). The CPU 212 then saves information indicating the content of the settings executed via the screens shown in Figures 8(c) and (d). This determination is performed based on the content of the saved information. If the CPU 212 determines that the security setting is at a "high" level, it proceeds to S1103; otherwise, it proceeds to S1104.

[0108] In S1103, CPU212 displays a screen where only WFD R2 can be set in the Wi-Fi Direct operating version settings screen. For example, it displays a screen where the WFD R1 selection button is disabled (Figure 9(c)). In Figure 9(c), the button is grayed out to prevent selection, but it could also be hidden. In S1105, CPU212 sets the selected operating version. Since only WFD R2 can be selected in S1103, it sets WFD R2 as the operating version according to the selection. Alternatively, WFD R2 can be set as the operating version without any selection by the user.

[0109] In S1104, CPU212 displays a screen where the user can select between WFD R1 and WFD R2 for the Wi-Fi Direct operating version setting (Figure 9(b)). In S1105, CPU212 sets either WFD R1 or WFD R2, selected by the user, as the operating version. The operating version set in S1105 is saved in non-volatile memory 215 or similar. This completes the operating version selection process.

[0110] As described above, when the security setting is high, the user interface displays only connection methods that use correspondingly strong security protocols as selectable options. This excludes connection methods that may use lower security protocols from the selection options. Therefore, when a high level of security setting is enabled, it is possible to prevent situations where only lower security protocols, such as WPA or WPA2, are available.

[0111] Figure 11(b) is a flowchart showing how the MFP100 initiates the connection to the WFD. In this flowchart, the processes performed by each device are realized when the CPU212 loads various programs stored in the memory of the MFP100, such as the ROM213, into the RAM214 and executes them.

[0112] In S1106, CPU212 determines whether or not it has received a command from the user to start a Wi-Fi Direct connection. For example, a connection start command is determined when the Wireless Direct mode is set to Wi-Fi Direct on the Wireless Direct settings screen (Figure 9(a)) and the Direct Connection Start button is pressed on the Mobile Portal screen (Figure 10(a)). If a connection start command is received, the process proceeds to S1107; otherwise, the process terminates. Alternatively, S1106 may be repeated while waiting for a connection start command.

[0113] In S1107, the MCPU212 checks the Wi-Fi Direct operating version setting. If WFD R1 is set, it proceeds to S1108; if WFD R2 is set, it proceeds to S1109. The operating version is set using the procedure shown in Figure 11(a) and can be checked by referring to the operating version saved in S1105.

[0114] In S1108, the CPU 212 performs connection processing with the mobile terminal device 104 using the WFD R1. This connection processing is as shown in Figure 6. Connection with external devices such as the mobile terminal device 104 is performed, for example, by using the wireless unit 226 as the communication unit. The device to be connected to is the device selected from the device list 1001 in Figure 10A(b). When a connection request is received in S1108, the screen shown in Figure 10A(c) is displayed, and if the connection is permitted, the connection processing continues and the screen shown in Figure 10B(e) is displayed. When the connection is complete or the connection processing is canceled, the process ends. When the connection is complete, the screen shown in Figure 10B(f) is displayed.

[0115] In S1109, CPU212 determines whether the security setting is set to "high" level. If it determines that the set security setting is "high" level, it proceeds to S1110; otherwise, it proceeds to S1111. In this step, the high level determination can be made in the same way as in S1102.

[0116] In S1110, CPU212 performs connection processing with the mobile terminal device 104 using WFD R2 with the security protocol limited to WPA3. This connection processing is as shown in Figure 7. During parameter exchange for the WFD R2 connection processing, WPA and WPA2 can be excluded from the security protocols supported by MFP100, thereby limiting the connection to WPA3. The process terminates when the connection is completed or when the connection process is canceled. In S1110, if one of Figures 10B(d1) to (d2) is displayed and the user responds accordingly, the screen shown in Figure 10B(e) will appear, and when the connection is completed, the screen shown in Figure 10B(e) will be displayed.

[0117] In S1111, CPU212 performs connection processing between the mobile terminal device 104 and WFD R2. When the connection is complete, or when the connection process is canceled, the process shown in Figure 11(b) is terminated. This completes the WFD connection process.

[0118] As described above, connections can be made using encryption of a strength appropriate to the security setting level.

[0119] Figure 11(c) is a flowchart showing the process when the MFP100 changes its security settings. In this flowchart, the processes performed by each device are realized when the CPU212 loads various programs stored in the memory, such as the ROM213, of the MFP100, which is a communication device, into the RAM214 and executes them.

[0120] In S1112, CPU212 determines whether a security setting has been selected on the common settings screen shown in Figure 8(a). If it has been selected, the process proceeds to S1113; otherwise, the process terminates. Alternatively, S1112 may be repeated while waiting for the security setting to be selected.

[0121] In S1113, CPU212 accepts the user's security settings and determines whether the security settings are set to "high" level. Security settings include security policy settings and environment type settings. If the security settings are set to "high" level, the process proceeds to S1114; otherwise, the process terminates. High-level security settings include at least one of the following: a setting in the security policy settings (Figure 8(c)) that prohibits the use of weak encryption, or a setting in the environment type settings (Figure 8(d)) that is either direct internet connection or high-security information management.

[0122] In S1114, CPU212 changes the Wi-Fi Direct operating version setting to R2, and then proceeds to S1115.

[0123] In S1115, CPU212 determines whether a connection is established with the mobile terminal device 104 using WPA or WPA2 via WFD. If a connection is established using WPA or WPA2, the process proceeds to S1116; otherwise, the process terminates.

[0124] At S1116, CPU212 disconnects the WFD connection and terminates processing. The connections disconnected here include not only WFD R1 connections, but also WFD R2 connections using WPA2. In other words, when a security level higher than a predetermined level (or above a predetermined level) is set, if an external device such as a mobile terminal is connected with a security level lower than the predetermined level, that connection will be terminated.

[0125] In the above procedure, the Wi-Fi Direct operating version setting is set to R2 on S1114, so the next WDF connection will be made using R2. Also, if WPA or WPA2, which are security protocols prohibited in high-level security settings, are used for the wireless direct connection, that connection will be terminated. In this way, even when a high security level is set, a connection with a security level corresponding to that level is achieved. As an example, WPA or WPA2 connections were targeted for termination, but this invention can also apply other termination criteria, such as targeting only WPA.

[0126] Before proceeding to S1116, the system may notify the user that changing the security settings will disconnect the WFD connection and display a screen asking whether they want to revert the security settings. In this case, if the user chooses to revert the security settings, the system may revert the security settings and Wi-Fi Direct operating version settings to their original settings and terminate the process. Alternatively, before proceeding to S1113, the system may detect if the user has changed the security settings to "High" and further check whether a WFD connection is being made using WPA or WPA2. If the security settings have been changed to "High" and a WFD connection is being made using WPA or WPA2, the system may notify the user that changing the security settings will disconnect the WFD connection. This notification may display a screen asking whether they want to cancel the setting change, and if they choose to cancel, the system may terminate the process.

[0127] As a result, when a high level of security is set, it is possible to prevent the setting of connection methods that do not support high-level security settings and can only use low-security protocols. Furthermore, when establishing a new connection, a connection method that can use security protocols appropriate to the security setting level will be used, and security protocols appropriate to the security setting level will be utilized. In addition, if a connection is already established when a high-level security setting is set, the high-level security setting will be applied, and if the security protocol used by the existing connection does not support the high-level security setting, that connection will be disconnected (released). Through these actions, connections using security protocols appropriate to the high-level security setting will be possible.

[0128] As described above, the configuration and processing procedure shown in this embodiment make it possible to set the WFD connection method according to the security settings.

[0129] Furthermore, while the above describes the processing during the reception of print data, the same processing can be applied during the reception of other data different from print data, or during the transmission of other data. For example, the same processing can be applied when the reading unit 219 scans a document and transmits the scanned image (image data) to the mobile terminal device (104) via the AP.

[0130] Furthermore, the various controls described above, which are performed by the CPU212, may be performed by a single piece of hardware, or multiple pieces of hardware (for example, multiple processors or circuits) may share the processing to control the entire device.

[0131] Furthermore, although the present invention has been described in detail based on its preferred embodiments, the present invention is not limited to these specific embodiments, and various forms that do not depart from the spirit of the invention are also included in the present invention. Moreover, each of the embodiments described above is merely one embodiment of the present invention, and it is possible to combine each embodiment as appropriate.

[0132] Furthermore, although the above-described embodiments explained the application of the present invention to an MFP as an example, it is not limited to this example and can be applied to any wireless device that functions as an STA capable of processing requests for changing the connection destination from an AP. In other words, the present invention can be applied to personal computers, PDAs, tablet terminals, mobile phone terminals such as smartphones, music players, game consoles, e-book readers, smartwatches, and various measuring devices (sensor devices) such as thermometers and hygrometers. The present invention can also be applied to digital cameras (including still cameras, video cameras, network cameras, and security cameras), printers, scanners, and drones. The present invention can also be applied to video output devices, audio output devices (e.g., smart speakers), media streaming players, and wireless LAN adapters that can connect to USB terminals or LAN cable terminals. Video output devices include, for example, devices such as set-top boxes, which acquire (download) videos and still images from the internet specified by a URL instructed by an electronic device and output them to a display device connected via a video output terminal such as HDMI®. This enables streaming playback on the display device or mirroring display (displaying the content displayed on the electronic device on the display device as well). Furthermore, video output devices include media players such as televisions, hard disk recorders, Blu-ray recorders, and DVD recorders, as well as head-mounted displays, projectors, televisions, display devices (monitors), and signage devices. The present invention is also applicable to Wi-Fi-connected devices known as smart home appliances, such as air conditioners, refrigerators, washing machines, vacuum cleaners, ovens, microwave ovens, lighting fixtures, heating appliances, and cooling appliances.

[0133] The above description explained a configuration in which settings considered to be high-level security settings consist of two configurations: one that prohibits the use of weak encryption through security policy settings, and another that sets the environment type to "Direct Internet Connection" or "High Confidentiality Management" through recommended security settings. However, the configuration is not limited to this, and settings considered to be high-level security settings may consist of only one of the above two, or other settings different from the above two.

[0134] (Other embodiments) The present invention can also be realized by supplying a program that implements one or more of the functions of the above-described embodiments to a system or device via a network or storage medium, and by having one or more processors in the computer of that system or device read and execute the program. It can also be realized by a circuit (e.g., an ASIC) that implements one or more functions.

[0135] ●Summary of Embodiments The above embodiments can be summarized as follows: (Item 1) A means of communication that performs wireless direct communication, A first control means that connects to an external device by the communication means using either the first connection method, which can provide a connection with a higher level of security than the second connection method, or the second connection method. A means of configuring security settings, The system includes a second control means that, when a high level security setting is configured by the setting means, controls the selection of the first connection method as the connection method for connecting to an external device. A communication device characterized by the following features. (Item 2) A communication device as described in item 1, It further has a user interface means, The second control means controls the screen for selecting the connection method to be displayed on the user interface means so that the second connection method cannot be selected. A communication device characterized by the following features. (Item 3) A communication device as described in item 1 or 2, When the high level is set by the setting means, if the connection to the external device is a connection with a security level lower than a predetermined level, the second control means disconnects the connection. A communication device characterized by the following features. (Item 4) A communication device as described in item 3, When the high level is set by the setting means, if the connection to the external device is a connection with a security level lower than a predetermined level, the second control means further sets the first connection method as the connection method for connecting to the external device. A communication device characterized by the following features. (Item 5) A communication device as described in item 3 or 4, The aforementioned low-security-level connection refers to a connection that does not use WPA (Wi-Fi Protected Access) 3, which conforms to the Wi-Fi Direct standard, as its security protocol. A communication device characterized by the following features. (Item 6) A communication device described in any one of items 1 to 5, The aforementioned communication means performs wireless communication compliant with the Wi-Fi Direct standard. A communication device characterized by the following features. (Item 7) A communication device as described in item 6, The first connection method is Wi-Fi Direct R2. The second connection method is Wi-Fi Direct R1. A communication device characterized by the following features. (Item 8) A communication device described in any one of items 1 to 7, The security settings configured by the aforementioned configuration means include security policy settings that prohibit the use of weak encryption. The second control means controls the selection of the first connection method so that the security setting is set to high level when the setting means has set a security policy that prohibits the use of weak encryption. A communication device characterized by the following features. (Item 9) A communication device as described in any one of items 1 to 8, The security settings configured by the setting means include settings for the communication environment type, The second control means controls the selection of the first connection method by setting the security setting to high level when the environment type is set to an environment with restrictions on the devices to be connected by the setting means. A communication device characterized by the following features. (Item 10) A communication device as described in item 9, The environment with restrictions on connected devices includes an environment where the communication device is directly connected to the internet, and a highly secure environment where access to the communication device is restricted, or either of these. A communication device characterized by the following features. (Item 11) A communication device described in any one of items 1 to 10, In the first connection method described above, WPA3 can be used as the encryption method. The second connection method described above uses WPA or WPA2 as the encryption method. A communication device characterized by the following features. (Item 12) A program for causing a computer to function as a communication device as described in any one of items 1 through 11. (Item 13) A control method for a communication device having a communication means for performing wireless direct communication, a first control means, a setting means, and a second control means, The first control means connects to an external device via the communication means using either the first connection method or the second connection method, which can provide a connection with a higher security level than the second connection method. The aforementioned setting means includes a setting step for setting security settings, The second control means includes a second control step that controls the first connection method to be selected as the connection method for connecting to an external device when a high level security setting is set in the setting step. A method for controlling a communication device, characterized by the features described above.

[0136] The present invention is not limited to the embodiments described above, and various modifications and variations are possible without departing from the spirit and scope of the invention. Accordingly, claims are attached to disclose the scope of the invention. [Explanation of symbols]

[0137] 100 MFP, 101 AP, 103 DHCP server, 104 Mobile terminal device, 105 DNS server

Claims

1. A means of communication that performs wireless direct communication, A first control means that connects to an external device by the communication means using either the first connection method, which can provide a connection with a higher level of security than the second connection method, or the second connection method. A means of configuring security settings, The system includes a second control means that, when a high level security setting is configured by the setting means, controls the selection of the first connection method as the connection method for connecting to an external device. A communication device characterized by the following features.

2. A communication device according to claim 1, It further has a user interface means, The second control means controls the screen for selecting the connection method to be displayed on the user interface means so that the second connection method cannot be selected. A communication device characterized by the following features.

3. A communication device according to claim 1, When the high level is set by the setting means, if the connection to the external device is a low-security-level connection that does not correspond to the high level, the second control means disconnects the connection. A communication device characterized by the following features.

4. A communication device according to claim 3, When the high level is set by the setting means, if the connection to the external device is a low-security-level connection that does not correspond to the high level, the second control means further sets the first connection method as the connection method for connecting to the external device. A communication device characterized by the following features.

5. A communication device according to claim 3, The aforementioned low-security-level connection refers to a connection that does not use WPA (Wi-Fi Protected Access) 3, which conforms to the Wi-Fi Direct standard, as its security protocol. A communication device characterized by the following features.

6. A communication device according to claim 1, The aforementioned communication means performs wireless communication compliant with the Wi-Fi Direct standard. A communication device characterized by the following features.

7. A communication device according to claim 6, The first connection method is Wi-Fi Direct R2, The second connection method is Wi-Fi Direct R1. A communication device characterized by the following features.

8. A communication device according to claim 1, The security settings configured by the aforementioned configuration means include security policy settings that prohibit the use of weak encryption. The second control means controls the selection of the first connection method so that the security setting is set to high level when the setting means has set a security policy that prohibits the use of weak encryption. A communication device characterized by the following features.

9. A communication device according to claim 1, The security settings configured by the setting means include settings for the communication environment type, The second control means controls the selection of the first connection method by setting the security setting to high level when the environment type is set to an environment with restrictions on the devices to be connected by the setting means. A communication device characterized by the following features.

10. A communication device according to claim 9, The environment with restrictions on connected devices includes an environment where the communication device is directly connected to the internet, and a highly secure environment where access to the communication device is restricted, or either of these. A communication device characterized by the following features.

11. A communication device according to claim 1, In the first connection method described above, WPA3 can be used as the encryption method. The second connection method described above uses WPA or WPA2 as the encryption method. A communication device characterized by the following features.

12. A program for causing a computer to function as a communication device according to any one of claims 1 to 11.

13. A control method for a communication device having a communication means for performing wireless direct communication, a first control means, a setting means, and a second control means, The first control means connects to an external device via the communication means using either the first connection method or the second connection method, which can provide a connection with a higher security level than the second connection method. The aforementioned setting means includes a setting step for setting security settings, The second control means includes a second control step that controls the first connection method to be selected as the connection method for connecting to an external device when a high level is set as the security setting in the setting step. A method for controlling a communication device, characterized by the features described above.