
AU2019261211B2 - System and method for establishing secure communication - Google Patents


Info

Publication number
AU2019261211B2
Authority
AU
Australia
Prior art keywords
server
gateway
data
devices
communication
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
AU2019261211A
Other versions
AU2019261211A1 (en)
Inventor
Kim KYUNG WAN
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Skylab Networks Pte Ltd
Original Assignee
Skylab Networks Pte Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Skylab Networks Pte Ltd
Publication of AU2019261211A1
Application granted
Publication of AU2019261211B2
Legal status: Active
Anticipated expiration


Classifications

    • H ELECTRICITY
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
          • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
            • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
              • H04L 9/0894 Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
            • H04L 9/30 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
              • H04L 9/3066 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy involving algebraic varieties, e.g. elliptic or hyper-elliptic curves
            • H04L 9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
              • H04L 9/321 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
                • H04L 9/3213 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority using tickets or tokens, e.g. Kerberos
          • H04L 63/00 Network architectures or network communication protocols for network security
            • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
          • H04L 67/00 Network arrangements or protocols for supporting network services or applications
            • H04L 67/01 Protocols
              • H04L 67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
                • H04L 67/125 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks involving control of end-device applications over a network
          • H04L 2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L 9/00
            • H04L 2209/80 Wireless
              • H04L 2209/805 Lightweight hardware, e.g. radio-frequency identification [RFID] or sensor
        • H04W WIRELESS COMMUNICATION NETWORKS
          • H04W 4/00 Services specially adapted for wireless communication networks; Facilities therefor
            • H04W 4/70 Services for machine-to-machine communication [M2M] or machine type communication [MTC]
          • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
            • H04W 12/06 Authentication
    • G PHYSICS
      • G06 COMPUTING OR CALCULATING; COUNTING
        • G06F ELECTRIC DIGITAL DATA PROCESSING
          • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
            • G06F 21/30 Authentication, i.e. establishing the identity or authorisation of security principals
              • G06F 21/44 Program or device authentication
            • G06F 21/60 Protecting data
              • G06F 21/62 Protecting access to data via a platform, e.g. using keys or access control rules
                • G06F 21/6209 Protecting access to data via a platform, e.g. using keys or access control rules to a single file or object, e.g. in a secure envelope, encrypted and accessed using a key, or with access control rules appended to the object itself

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Theoretical Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • General Health & Medical Sciences (AREA)
  • Physics & Mathematics (AREA)
  • Computing Systems (AREA)
  • Health & Medical Sciences (AREA)
  • Medical Informatics (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • Algebra (AREA)
  • Bioethics (AREA)
  • Pure & Applied Mathematics (AREA)
  • Mathematical Physics (AREA)
  • Mathematical Optimization (AREA)
  • Mathematical Analysis (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Small-Scale Networks (AREA)

Abstract

There is provided a system and a method for establishing secure communication between communication devices for providing connectivity and management of those devices. There is disclosed a system and method for managing data and devices securely and remotely that enable integration with various platforms and protocols. Also disclosed is secure device enrolment and authentication for rapid deployment and management of a large number of remote devices in remote locations.

Description

SYSTEM AND METHOD FOR ESTABLISHING SECURE COMMUNICATION
FIELD OF THE INVENTION
The present invention relates to the field of data network communications and, in particular, to the establishment of secure communication for providing connectivity between communication devices.
BACKGROUND TO THE INVENTION
As the market and ecosystem of users, devices, Internet of Things (IoT) devices and mobile transactions grows, security threats will increase concomitantly, and large-scale security breaches will become more imminent. A related problem is how to register a device securely so that only authorised devices are registered in the network. While IoT devices and gateway devices provide a lot of valuable information, without an easy and secure way to collect and transport that data they are of limited use in establishing communication.
Furthermore, when communicating with multiple other entities, the management of various credentials can be complex and resource consuming. This is particularly unfavourable in a resource-constrained environment, such as an IoT ecosystem where up to a billion devices (e.g. sensors and actuators) are connected.
Due to the interconnectivity of devices via the Internet or another network and the scale of such IoT ecosystems, security remains one of the main concerns in the adoption of IoT technologies. Each device in the ecosystem is a potential entry point for attackers seeking business-critical information or personal data. The advent of big data and of large security breaches has only further compounded consumers' concerns about the security and trustworthiness of a distributed, heterogeneous IoT system.
As a result, there is a need for a system and method for managing secure communication to overcome at least in part some of the aforementioned disadvantages, one or more difficulties of the prior art, or to at least provide a useful alternative. In particular, it is desired to provide a system and a method for managing secure communication remotely between communication devices for providing secure and centralised management of devices and data gathered/collected.
Any discussion of documents, acts, materials, devices, articles or the like which has been included in the present specification is not to be taken as an admission that any or all of these matters form part of the prior art base or were common general knowledge in the field relevant to the present disclosure as it existed before the priority date of each of the appended claims.
SUMMARY OF THE INVENTION
Throughout this document, unless otherwise indicated to the contrary, the terms "comprising", "consisting of", and the like are to be construed as non-exhaustive, or in other words, as meaning "including but not limited to".
Security and scalability are essential considerations for adopting an Internet of Things (IoT) system. In some instances, the massive amount of data exchanged between the sensors and actuators connected to the system must be aggregated and processed. In highly dispersed IoT environments, the management and security of these sensors and actuators are critical for mass deployment. In addition, each of these IoT devices may have requirements for different protocols, which calls for translating and transferring data between systems that use different communications protocols.
Advantageously, the present invention provides a central device management solution that integrates with various platforms and protocols for secure device enrolment and authentication, thereby supporting and authenticating the numerous connected devices. Embodiments of the invention advantageously provide a centralised solution to enrol, manage, orchestrate and monitor all devices and the data gathered from them. Further embodiments provide gateway devices equipped with strong wireless backhaul support, thereby enabling easy yet secure collection and transportation of IoT device data.
In accordance with a first aspect of the present invention, there is provided a method for managing secure communication remotely between a device coupled to a gateway and a server, the method comprising:
generating, by the server, a unique identifier by: obtaining a device identifier by decrypting encrypted data received from the gateway; validating the device identifier using a database of the server; and generating the unique identifier based on the validation of the device identifier;
authorizing, by the server, the gateway for communicating with the server based on the unique identifier;
providing, by the server, a credential token associated with the gateway for use in communications between the gateway and the server;
generating, by the server, a key associated with the device for communicating between the device and the server;
authorizing, by the gateway, the device for communicating with the server based on a generated key associated with the device;
accessing, by the server, data from the device based on the generated key; and
managing, by the server, the communication between the device and the server remotely.
Preferably, generating the unique identifier further comprises validating and storing the device identifier.
Preferably, a plurality of devices couple to the gateway.
Preferably, the server is in communication with a plurality of gateways.
Preferably, the server comprises a pool of the unique identifiers.
Preferably, the coupling of the device and the gateway is provided by physical ports or wireless communication.
Preferably, data transmitted by the gateway is encrypted.
Preferably, the method comprises creating and storing a decryption key associated with the gateway that is accessible to the server.
Preferably, the gateway requests the server for issuance of a new credential token if the credential token is inactive.
Preferably, the unique identifier of the gateway is generated from a medium access control (MAC) address and a product identifier (ID).
In accordance with a second aspect of the present invention, there is provided a system for managing secure communication remotely between a device coupled to a gateway and a server, the system comprising:
the server comprising:
a processor; and
a data management module configured to:
generate a unique identifier by: obtaining a device identifier by decrypting encrypted data received from the gateway; validating the device identifier using a database of the server; and generating the unique identifier based on the validation of the device identifier;
authorize a gateway based on the unique identifier;
provide a credential token associated with the gateway for use in communications between the gateway and the server;
generate a key for the device that is authorized to communicate with the server; and
manage communication between the server and the device; and
the gateway comprising:
a processor;
a communication interface for receiving and sending data from the device; and
a network module configured to:
provide the unique identifier for communicating with the server;
receive the credential token for communicating with the server; and
authorize the device for communicating with the server based on the generated key associated with the device;
wherein the gateway connects to the device, obtains data from the device and sends the data to the server via the communication interface, for the server to manage the data received from the device remotely.
Preferably, the server comprises a pool of the unique identifiers.
Preferably, the server is in communication with a plurality of gateways.
Preferably, the device is coupled to the gateway by physical ports or wireless communication.
Preferably, data transmitted by the gateway is encrypted.
Preferably, the gateway is configured to create and store a decryption key that is accessible to the server.
Preferably, the gateway requests the server for issuance of a new credential token if the credential token is inactive.
Preferably, the unique identifier of the gateway is generated from a medium access control (MAC) address and a product identifier (ID).
Preferably, the system is configured for adopting and integrating by the server and/or the one or more devices.
Preferably, the system is configured to provide centralized management of the one or more devices remotely.
Preferably, a network communication means is configured to allow transmission between the server and the device.
The embodiments of the present invention have at least the following advantages:
1. According to embodiments, there is provided a secure and centralized means for device enrolment and authentication to ensure that all connected devices are authenticated, making all data in the network trusted and secure. Furthermore, device enrolment and authentication are easy to use and do not require re-registration with the system administrator.
2. According to embodiments, there is provided an overall device management system for supporting centrally all devices connected via the gateway, including secure device enrolment, registration and authorisation for end user devices which are connected to the gateway, thereby ensuring secure communication between the system entities. The system enables remote control of these end user devices by sending commands to the gateway device.
3. According to embodiments, there is provided a system for easy integration with Internet of Things (IoT) devices, which allows interoperability to securely gather/transfer data and is advantageous for convenient connection to the network. Furthermore, the system supports multiple device types, from gateways, sensors, servers, and network equipment.
Other aspects and advantages of the invention will become apparent to those skilled in the art from a review of the ensuing description, which proceeds with reference to the following illustrative drawings of various embodiments of the invention.
BRIEF DESCRIPTION OF THE DRAWINGS
The present invention will now be described, by way of illustrative example only, with reference to the accompanying drawings, of which:
Figure 1 is a block diagram of the system for managing secure communication remotely for providing connectivity between communication devices in accordance with an embodiment of the present invention.
Figure 2 is an architectural diagram depicting the software structure of the data management device in the system of Figure 1.
Figure 3 is a flow chart depicting steps for registering a gateway device with the data management device.
Figure 4 is a block diagram depicting the process of data encryption prior to device registration.
Figure 5 is a flow chart depicting steps for authorizing a sub-device to manage secure communication in the network.
DETAILED DESCRIPTION OF THE EMBODIMENTS
Particular embodiments of the present invention will now be described with reference to the accompanying drawings. The terminology used herein is for the purpose of describing particular embodiments only and is not intended to limit the scope of the present invention.
Additionally, unless defined otherwise, all technical and scientific terms used herein have the same meanings as commonly understood by one of ordinary skill in the art to which this invention belongs.
The singular forms "a", "an", and "the" include both singular and plural referents unless the context clearly indicates otherwise.
The use of "or", "/", means "and/or" unless stated otherwise. Furthermore, the use of the terms "including" and "having" as well as other forms of those terms, such as "includes", "included", "has", and "have" are not limiting.
The use of the term "wirelessly" includes 3G, 4G, 5G, Wi-Fi, and any other kinds of wireless connection.
The term "sub-device" includes any device that can connect wirelessly to a network and has the ability to transmit data, e.g. IoT devices. Sub-devices may be heterogeneous with respect to operation and/or communications protocols.
In accordance with an aspect of the present invention, there is provided a system 100 for managing secure communication remotely between communication devices. The system 100 comprises a data management device 102 and a gateway device 104. The data management device 102 is connected to the gateway device 104 via a communication means. The data management device 102, the gateway device 104 and the sub-devices 106 interconnect to enable transfer of data between the devices via the communication means (see Figure 1).
The system 100 is directed towards an upstream-to-downstream data integration and technology solution that advantageously provides ease of integration of gateway devices 104: the gateway is capable of supporting a wide range of machine-to-machine protocols and a variety of standard network protocols, which, along with strong wireless backhaul support, makes it easy to collect and transport the IoT device data. Furthermore, the system 100 provides central device enrolment and authentication, ensuring that all connected devices 106 are authenticated.
Referring to Figure 2, there is provided the architectural diagram of the data management device 102 supporting a network of devices and applications in accordance with an embodiment of the present invention. A plurality of devices and IoT applications may have connection to a communication network.
The gateway 104 (or provided as a computerized gateway device) is adapted to be in communication with one or more sub-devices 106 such as sensors, or wireless communication devices having sensors or data for transmission onto a larger network. The gateway device 104 may receive data from the sub-devices 106. The gateway device 104 comprises a communication interface for interfacing with the sub-devices 106 and protocols to gather and/or transfer data which may be analysed and processed for further operations. The gateway 104 comprises a processor to process messages from sub-devices 106 in a network.
The gateway 104 enables various components of a distributed system to communicate. The gateway device 104 enables interoperability between applications and protocols that run on different operating systems.
The gateway device 104 is adapted to receive data from sub-devices 106 according to several different protocols. When a sub-device 106 pushes data to the gateway device 104, the gateway device 104 may access the device 106 and fetch characterization data from the sub-device 106. Characterization data describes the protocol-specific workflow, interface type, etc. which may be required for the sub-device 106 and the application communicating with the gateway 104. The gateway 104 may use a request/response exchange to fetch or retrieve data from each accessible device 106. The gateway 104 gathers data and transmits it to its destination through embedded middleware, providing technology integration for platform and protocol support. Advantageously, the gateway 104 enables scaling efficiently and rapidly to support devices 106 while keeping costs relatively low.
The gateway device 104 routes data to the data management module 102. The data management module 102 receives data over the network from registered gateway devices 104. The data management module 102 receives and manages the data, and may receive data from devices 106 according to several different protocols. The data management module 102 comprises a multi-protocol middleware platform to gather and integrate the data, and a processor to process the data. In an example, data may be processed and analysed by transporting it securely to an IoT platform cloud. The data management module 102 may make this data readily available for any type of processing, for example through Machine-to-Machine (M2M) and application interfaces that support configuration management, device status management, ID management and device authentication.
In another embodiment, the data management module 102 unifies all IoT applications by providing a unified communication channel with support for different device types, such as sensors, PLCs and machinery equipment, to support a Machine-to-Machine (M2M) interface.
In a further embodiment, the data management module 102 supervises and safeguards data against security threats. The data management module 102 implements real-time service level agreement (SLA) management for all gateway devices 104 and sub-devices 106 that are connected to the network. The data management module 102 comprises a data gathering platform that provides potential for software growth in managing and processing distributed data. The data management module 102 may enable secure delivery of both structured and unstructured data, and may store any type of data without restrictions on data structure or format.
In one example, the data management module connects internet-connected devices 106 to the Cloud and allows applications in the Cloud to interact with those devices. The devices report their state by publishing messages in JSON format on an MQTT topic. When a message is published on an MQTT topic, the message is sent to the server's MQTT broker, which is responsible for forwarding all messages published on that topic to all devices subscribed to it. The devices can also report using the DDS protocol.
The communication between a device and the data management module is protected through the use of X.509 certificates, which are advantageously widely accepted in Internet applications. The data management module provides a certificate for the device. When the device is deactivated, the data management module may revoke the certificate of that device, and the device is then disconnected from the MQTT broker.
In accordance with another aspect of the present invention, there is provided a method for managing secure communication between communication devices for providing connectivity and management of devices thereof. The method comprises central device enrolment, registration, authentication and authorization. The method includes the following steps:
Step 1: Device registration, wherein credentials are presented from the gateway device 104 to the data management module 102.
Step 2: The data management module authorizes the gateway device 104 when the proper credentials are presented. If the proper credentials are not presented, authorization is not enabled by the data management module 102.
Step 3: An authorized gateway device 104 registers other sub-devices 106 that are connected to the network, so as to enable secure two-way communication between the data management module 102 and the gateway device 104.
Device Registration
Referring to Figure 3, device registration is carried out centrally with the data management module, in which the gateway device that wishes to communicate securely with the data management module carries out a registration request to the data management module 302.
The gateway registers with the data management module by providing a Device ID. Using the Device ID, the gateway sends the encrypted data to the server through the REST API 302. The data management module decrypts the Device ID 304. The Device ID is a combination of the MAC address and the Product ID. The API server validates the Device ID against its database to determine whether there is an existing Device ID 306. If there is an existing Device ID, the server retrieves a token from the database for the gateway 308. If there is no existing Device ID in the database, the server may show an error 310 but may nonetheless generate a token for the gateway device. The gateway device receives and stores the Device ID and token 312.
The Device ID combines the MAC address and the product ID; a static Device ID key is generated as follows (Figure 4):
- Step 1: a string of 16 bytes, DeviceId_1, made up of:
- Product ID: the Skylab device identifier, a string of 10 bytes
- MAC address: the hardware address of the first Ethernet interface, a string of 6 bytes
- Step 2: encrypt(DeviceId_1) = DeviceId_2, a string of 44 bytes, based on the AES algorithm and encoded in base64
- Step 3: encode DeviceId_2 => final DeviceID (a mix of DeviceId_2 and the last 3 bytes of the MAC address, combined with the encryption key version)
The gateway device sends the encrypted data to the server through REST API.
The server decrypts the data, verifies and stores all decrypted information such as the product ID and MAC address. In addition, the server generates a unique device identifier and a token and returns them to the agent. The gateway may use this token for authentication when calling the REST API on the server over HTTPS. The server uses JSON Web Tokens (JWT).
Using the approaches above, the registration capability enables identification of devices that are deployed in the network, for device registration, maintenance, scalability, and other functions.
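The Device ID construction (Steps 1 to 3 above) and the server side of the registration flow, as an added Go example that is not the patent's or Skylab's code. The AES mode (CBC with a fixed IV), the concrete Step 3 layout (key version, base64 DeviceId_2, hex of the last 3 MAC bytes), the key version label, the sample key, product ID and MAC address are all assumptions, and the credential token is a minimal HS256 JWT:

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

var ( // constructed example values; a deployment provisions these per product and server
	deviceKeys   = map[string][]byte{"k01": []byte("0123456789abcdef")} // AES keys by version
	knownProduct = map[string]bool{"SKYLAB0001": true}                  // the server's database
	jwtSecret    = []byte("server-side-jwt-signing-secret")
)

// AES-CBC with PKCS#7 padding (mode assumed): 16 bytes pad to 32, which base64
// encodes to the 44 characters the specification quotes. The fixed IV keeps the
// identifier stable; it hides MAC and product ID only from parties without the key.
func aesCBC(key, data []byte, encrypt bool) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize)
	if encrypt {
		pad := aes.BlockSize - len(data)%aes.BlockSize
		in := append(append([]byte{}, data...), bytes.Repeat([]byte{byte(pad)}, pad)...)
		out := make([]byte, len(in))
		cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, in)
		return out, nil
	}
	if len(data) == 0 || len(data)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext is not block aligned")
	}
	out := make([]byte, len(data))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, data)
	pad := int(out[len(out)-1])
	if pad == 0 || pad > aes.BlockSize || pad > len(out) {
		return nil, errors.New("bad padding")
	}
	return out[:len(out)-pad], nil
}

// Gateway side. Step 1: DeviceId_1 = 10-byte product ID || 6-byte MAC. Step 2: AES +
// base64. Step 3 (layout assumed): keyVersion.DeviceId_2.hex(last 3 MAC bytes).
func BuildDeviceID(keyVersion, productID string, mac [6]byte) (string, error) {
	if len(productID) != 10 {
		return "", errors.New("product ID must be exactly 10 bytes")
	}
	id2, err := aesCBC(deviceKeys[keyVersion], append([]byte(productID), mac[:]...), true)
	if err != nil {
		return "", err
	}
	return keyVersion + "." + base64.StdEncoding.EncodeToString(id2) + "." +
		hex.EncodeToString(mac[3:]), nil
}

// Server side (Figure 3): decrypt the Device ID, validate it, and return the token.
func RegisterGateway(deviceID string) (string, error) {
	parts := strings.Split(deviceID, ".")
	if len(parts) != 3 || deviceKeys[parts[0]] == nil {
		return "", errors.New("malformed device ID or unknown key version")
	}
	raw, err := base64.StdEncoding.DecodeString(parts[1])
	var id1 []byte
	if err == nil {
		id1, err = aesCBC(deviceKeys[parts[0]], raw, false)
	}
	if err != nil || len(id1) != 16 {
		return "", errors.New("device ID does not decrypt to a 16-byte identifier")
	}
	productID, mac := string(id1[:10]), id1[10:]
	// The clear-text MAC tail must agree with the decrypted MAC, and the product must be known.
	if hex.EncodeToString(mac[3:]) != parts[2] || !knownProduct[productID] {
		return "", errors.New("MAC suffix mismatch or product ID not in database")
	}
	return issueJWT(map[string]string{"sub": hex.EncodeToString(mac), "prod": productID}), nil
}

// Minimal HS256 JSON Web Token: base64url(header).base64url(claims).base64url(HMAC).
func issueJWT(claims map[string]string) string {
	enc := base64.RawURLEncoding
	body, _ := json.Marshal(claims) // a map[string]string always marshals
	signingInput := enc.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + enc.EncodeToString(body)
	h := hmac.New(sha256.New, jwtSecret)
	h.Write([]byte(signingInput))
	return signingInput + "." + enc.EncodeToString(h.Sum(nil))
}

func main() {
	id, _ := BuildDeviceID("k01", "SKYLAB0001", [6]byte{0x00, 0x1a, 0x2b, 0x3c, 0x4d, 0x5e})
	tok, err := RegisterGateway(id)
	fmt.Println(id, tok, err)
}
```

Note that the server issues a token only after the decrypted product ID is found in its database; the flow in the text that issues a token despite an error is deliberately not reproduced.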
Device Authorization
Referring to Figure 5, communication between the data management module and the device may be carried out using an X.509 certificate. This confirms that the gateway can communicate with the data management module. If there is no certificate, the gateway may request an X.509 certificate from the Device certificate API through HTTPS 302. In response to the request, the device certificate may be issued by the PKI server as part of the authorization/authentication process 304/306.
Once authorized, the data management module issues the certificate 304. The certificate may be delivered to the gateway via REST API protocol over HTTPS. The certificate may also protect the communication between an authorized sub-device and the data management module, which advantageously enables only trusted devices to communicate and send data.
Upon successful authentication, the authorized gateway may register for sub-devices that are already connected. In other embodiments, the gateway may register other new sub devices that request connection.
For a sub-device that wishes to communicate with the data management module, the gateway obtains and checks for an X.509 certificate 308. If there is a valid certificate, secure communication may be established between the sub-device and the data management module. If the device has no certificate, the gateway makes a request for a certificate 310; validates the token to determine whether the device is authorized; checks the status of the certificate to determine whether it has been issued; and checks the validity/expiry of the certificate.
When a sub-device is deactivated, the data management module may revoke the certificate of that device. The device will then be disconnected from the MQTT broker. In the case of certificate expiry or revocation, the gateway may request issuance of a new certificate from the data management module.
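The gateway's certificate check for a sub-device (step 308 and the expiry/revocation case above), as an added Go example that is not the patent's or Skylab's code: a CA standing in for the data management module's PKI server issues a client certificate, and the gateway then decides between establishing communication and requesting a new certificate. The revoked-serial set, the CA and device names and the validity windows are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Action is what the gateway does with a sub-device after checking its certificate.
type Action int

const (
	Established Action = iota // valid certificate: data may flow to the data management module
	RequestNew                // missing, revoked, expired or untrusted: request a certificate (step 310)
)

// CheckSubDevice applies the gateway's checks from Figure 5: a certificate is
// present, it is not revoked, it chains to the data management module's CA (the
// CA certificate is provisioned on the gateway), and it is valid at time now.
// revokedSerials stands in for the CRL or OCSP lookup a real deployment would use.
func CheckSubDevice(cert, ca *x509.Certificate, revokedSerials map[string]bool, now time.Time) (Action, error) {
	if cert == nil {
		return RequestNew, errors.New("no certificate presented")
	}
	if revokedSerials[cert.SerialNumber.String()] {
		return RequestNew, errors.New("certificate revoked")
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return RequestNew, err // expired, not yet valid, or not issued by the module's CA
	}
	return Established, nil
}

// NewCA creates the data management module's (PKI server's) signing authority.
func NewCA(name string, now time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// IssueDeviceCert plays the "Device certificate API": the CA signs a client-auth
// certificate for an authorised device, valid for the given window.
func IssueDeviceCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serial int64, deviceID string,
	notBefore, notAfter time.Time) (*x509.Certificate, error) {
	devKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // in practice the device holds this key
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: deviceID},
		NotBefore: notBefore, NotAfter: notAfter, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &devKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	now := time.Now()
	ca, caKey, _ := NewCA("Data Management Module CA", now)
	cert, _ := IssueDeviceCert(ca, caKey, 2, "sensor-01", now.Add(-time.Minute), now.Add(24*time.Hour))
	action, err := CheckSubDevice(cert, ca, map[string]bool{}, now)
	fmt.Println(action, err) // Established (0) and no error for a fresh, trusted certificate
}
```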
In other embodiments, authorization may be carried out manually or automatically when the gateway makes a registration request to the data management module. In some instances, the security association for an application may be configured by a user. For manual authorization involving a user, the gateway awaits authorization. In this case, the user may obtain a generated QR code which may be authorized by the server. Upon obtaining authorization, the data management module may issue an X.509 certificate for the gateway.
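The certificate checks the gateway performs for a sub-device, as described in the preceding paragraphs, worked through as an added Python example (not code from the patent or its assignee). The PKI server and Device certificate API are replaced by an in-memory stub, and the certificate is modelled as a record carrying the fields a gateway would read from a real X.509 certificate (serial, subject, validity window) rather than parsed from DER. The token format (an HMAC-SHA256 over the device identifier), the 30-day certificate lifetime and the names `PkiStub`, `mint_token` and `gateway_obtain_cert` are assumptions made for this example.

```python
"""Gateway-side certificate handling for a sub-device: check for a certificate,
validate the device token, check issuance status, check validity/expiry, and
request a new certificate when it is missing, expired or revoked.
Added example; the PKI server is a hypothetical in-memory stub."""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum


class CertStatus(Enum):
    ISSUED = "issued"
    REVOKED = "revoked"


@dataclass
class DeviceCert:
    # Fields a real gateway would read from the X.509 certificate itself.
    serial: int
    subject: str
    not_before: datetime
    not_after: datetime


def mint_token(key: bytes, device_id: str) -> str:
    """Assumed token format: HMAC-SHA256 over the device identifier."""
    return hmac.new(key, device_id.encode(), hashlib.sha256).hexdigest()


@dataclass
class PkiStub:
    """Stand-in for the PKI server / Device certificate API (assumption)."""
    token_key: bytes
    now: datetime
    lifetime: timedelta = timedelta(days=30)
    status: dict = field(default_factory=dict)   # serial -> CertStatus
    next_serial: int = 1

    def validate_token(self, device_id: str, token: str) -> bool:
        return hmac.compare_digest(mint_token(self.token_key, device_id), token)

    def issue(self, device_id: str) -> DeviceCert:
        cert = DeviceCert(self.next_serial, device_id, self.now, self.now + self.lifetime)
        self.status[cert.serial] = CertStatus.ISSUED
        self.next_serial += 1
        return cert

    def revoke(self, serial: int) -> None:
        # Called by the data management module when a sub-device is deactivated.
        self.status[serial] = CertStatus.REVOKED


def cert_is_usable(pki: PkiStub, cert: DeviceCert, now: datetime) -> bool:
    """Issued (not revoked) and `now` inside the validity window."""
    if pki.status.get(cert.serial) != CertStatus.ISSUED:
        return False
    return cert.not_before <= now <= cert.not_after


def gateway_obtain_cert(pki, device_id, token, cert, now):
    """Returns (action, cert); action is 'reuse', 'issued' or 'denied'."""
    if cert is not None and cert_is_usable(pki, cert, now):
        return "reuse", cert
    # Missing, expired or revoked: request a new certificate. The request
    # is only honoured for a device presenting a valid token.
    if not pki.validate_token(device_id, token):
        return "denied", None
    return "issued", pki.issue(device_id)


def run_demo() -> list:
    """Walks one sub-device through issue, reuse, revocation, expiry and a bad token."""
    key, t0 = b"constructed-demo-key", datetime(2024, 1, 1, tzinfo=timezone.utc)
    pki = PkiStub(token_key=key, now=t0)
    good = mint_token(key, "sensor-01")          # constructed device id and token
    actions = []
    action, c1 = gateway_obtain_cert(pki, "sensor-01", good, None, t0)
    actions.append(action)                                  # no certificate yet -> issued
    action, _ = gateway_obtain_cert(pki, "sensor-01", good, c1, t0 + timedelta(days=1))
    actions.append(action)                                  # still valid -> reuse
    pki.revoke(c1.serial)
    action, c2 = gateway_obtain_cert(pki, "sensor-01", good, c1, t0 + timedelta(days=1))
    actions.append(action)                                  # revoked -> issued (new serial)
    action, _ = gateway_obtain_cert(pki, "sensor-01", good, c2, t0 + timedelta(days=31))
    actions.append(action)                                  # expired -> issued
    action, _ = gateway_obtain_cert(pki, "sensor-01", "not-a-valid-token", None, t0)
    actions.append(action)                                  # bad token -> denied
    return actions
```

The check order mirrors the description: an existing certificate is reused only if its status is still issued and the current time lies within its validity window; any other state, including revocation after deactivation, causes a fresh request that the stub honours only for a device holding a valid token.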
Data Visualization
An authorized gateway device may push data that has been collected from registered sub-devices to a platform on the data management module for visualizing the data. For example, the data management module may comprise a web portal for visualizing the transmitted data. This advantageously enables pipelining and processing of the data from the devices.
Device Management
The system provides support to many types of devices, from sensors to gateways to servers and network equipment, to enable central management of connected devices remotely and securely. Advantageously, the system provides interoperability between systems and can support scalability to build a device ecosystem.
The data management module also enables remote control of the gateway, for example sending commands (lock, unlock, restart, etc.), setting configuration and updating firmware. A user of the data management system may lock devices whose security has been compromised. Locked devices will not be accessible to the gateway command-line interface (CLI). For example, settings may be configured to lock the device automatically after three failed attempts to log in to the gateway, or other backup functions. Advantageously, user permissions and device auditing may be achieved efficiently and conveniently.
The data management module enables deactivating end user devices remotely. Devices may be deactivated to prevent them from sending data to the server or from further processing.
A user may be informed and can deactivate a device from the data management module in the event that abnormal data or behaviour is observed.
The gateway may be encrypted for security. This prevents theft of data in the event that parts of the gateway device go missing. In this case, a passphrase for decryption may be used; this passphrase may be randomly generated when the gateway device is first installed.
The working environment of the gateway device may be encrypted. Encryption may be applied to binary files, libraries, log files, configuration files and the like to ensure the security of files during transmission.
It would be further appreciated that although the invention covers individual embodiments, it also includes combinations of the embodiments discussed. For example, the features described in one embodiment are not mutually exclusive of features described in another embodiment, and may be combined to form yet further embodiments of the invention.

Claims (20)

1. A method for managing secure communication remotely between a device coupled to a gateway and a server, the method comprising:
generating, by the server, a unique identifier by: obtaining a device identifier by decrypting encrypted data received from the gateway; validating the device identifier using a database of the server; and generating the unique identifier based on the validation of the device identifier;
authorizing, by the server, the gateway for communicating with the server based on the unique identifier;
providing, by the server, a credential token associated with the gateway for use in communications between the gateway and the server;
generating, by the server, a key associated with the device for communicating between the device and the server;
authorizing, by the gateway, the device for communicating with the server based on a generated key associated with the device;
accessing, by the server, data from the device based on the generated key; and
managing, by the server, the communication between the device and the server remotely.
2. The method according to claim 1, wherein a plurality of devices couple to the gateway.
3. The method according to any of the preceding claims, wherein the server is in communication with a plurality of gateways.
4. The method according to any of the preceding claims, wherein the server comprises a pool of the unique identifiers.
5. The method according to any of the preceding claims, wherein the coupling of the device and the gateway is provided by physical ports or wireless communication.
6. The method according to any of the preceding claims, wherein data transmitted by the gateway is encrypted.
7. The method according to claim 6, further comprising creating and storing a decryption key associated with the gateway that is accessible to the server.
8. The method according to any of the preceding claims, wherein the gateway requests the server for issuance of a new credential token if the credential token is inactive.
9. The method according to any of the preceding claims, wherein the unique identifier of the gateway is generated from a medium access control (MAC) address and a product identifier (ID).
10. A system for managing secure communication remotely between a device coupled to a gateway and a server, the system comprising:
the server comprising:
a processor; and
a data management module configured to:
generate a unique identifier by: obtaining a device identifier by decrypting encrypted data received from the gateway; validating the device identifier using a database of the server; and generating the unique identifier based on the validation of the device identifier;
authorize a gateway based on the unique identifier;
provide a credential token associated with the gateway for use in communications between the gateway and the server;
generate a key for the device that is authorized to communicate with the server; and
manage communication between the server and the device; and
the gateway comprising:
a processor;
a communication interface for receiving and sending data from the device; and
a network module configured to:
provide the unique identifier for communicating with the server;
receive the credential token for communicating with the server; and
authorize the device for communicating with the server based on the generated key associated with the device;
wherein the server, the gateway, connects to the device, obtains data from the device and sends the data to the server via the communication interface to manage the data received from the device remotely.
11. The system according to claim 10, wherein the server comprises a pool of the unique identifiers.
12. The system according to any of claims 10 to 11, wherein the server is in communication with a plurality of gateways.
13. The system according to any of claims 10 to 12, wherein the device is coupled to the gateway by physical ports or wireless communication.
14. The system according to any of claims 10 to 13, wherein data transmitted by the gateway is encrypted.
15. The system according to claim 14, wherein the gateway is configured to create and store a decryption key that is accessible to the server device.
16. The system according to any of claims 10 to 15, wherein the gateway requests the server for issuance of a new credential token if the credential token is inactive.
17. The system according to any of claims 10 to 16, wherein the unique identifier of the gateway is generated from a medium access control (MAC) address and a product identifier (ID).
18. The system according to any of claims 10 to 17, wherein the system is configured for adopting and integrating by the server and/or the one or more devices.
19. The system according to claim 18, wherein the system is configured to provide centralized management of the one or more devices remotely.
20. The system according to any of claims 10 to 19, further comprising a network communication means configured to allow transmission between the server and the device.
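The server-side steps of claims 1, 8 and 9 (validate the device identifier received from the gateway against the database, generate the unique identifier, issue a credential token, and reissue it when the token is inactive), worked through as an added Python example that is not the patent's or the assignee's code. Decrypting the gateway's payload is assumed to have happened before this step, so the example starts from the decrypted 16-byte identifier laid out as deviceid_1 in Figure 2 (a 10-byte product id followed by a 6-byte MAC address). The in-memory product set standing in for the server database, the keyed-hash derivation of the unique identifier, the token format and the names `Server`, `Registration` and `parse_device_id` are all constructed for this example.

```python
"""Server-side registration of a gateway, following claims 1, 8 and 9 and the
deviceid_1 layout in Figure 2 (product id, 10 bytes, then MAC address, 6 bytes).
Added example. The decrypted 16-byte identifier is taken as input; decryption
of the gateway's payload is assumed to be done before this step. The product
database, the identifier derivation and the token format are constructed here."""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

PRODUCT_ID_LEN = 10
MAC_LEN = 6
DEVICE_ID_LEN = PRODUCT_ID_LEN + MAC_LEN   # 16 bytes: deviceid_1 in Figure 2


def parse_device_id(raw: bytes) -> tuple:
    """Split deviceid_1 into (product id, MAC address); reject any other length."""
    if len(raw) != DEVICE_ID_LEN:
        raise ValueError(f"deviceid_1 must be {DEVICE_ID_LEN} bytes, got {len(raw)}")
    return raw[:PRODUCT_ID_LEN], raw[PRODUCT_ID_LEN:]


@dataclass
class Registration:
    unique_id: str
    token: str


class Server:
    def __init__(self, token_key: bytes, known_products: set, token_ttl: int = 3600):
        self.token_key = token_key
        self.known_products = known_products   # stand-in for the server database
        self.token_ttl = token_ttl             # seconds a credential token stays active
        self.pool = {}                         # device id -> unique identifier (claim 4)
        self.active_tokens = {}                # unique identifier -> current token

    def generate_unique_id(self, device_id: bytes) -> Optional[str]:
        """Claims 1 and 9: validate the device identifier, then derive a unique identifier."""
        product_id, mac = parse_device_id(device_id)
        if product_id not in self.known_products:
            return None                        # database validation failed
        if device_id not in self.pool:
            # Keyed hash of MAC + product ID: stable per device, does not expose the raw MAC.
            digest = hmac.new(self.token_key, b"uid|" + product_id + mac, hashlib.sha256)
            self.pool[device_id] = digest.hexdigest()[:32]
        return self.pool[device_id]

    def issue_token(self, unique_id: str, now: int) -> str:
        """Credential token: '<unique id>.<expiry>.<HMAC>' (constructed format)."""
        body = f"{unique_id}.{now + self.token_ttl}"
        tag = hmac.new(self.token_key, body.encode(), hashlib.sha256).hexdigest()
        token = f"{body}.{tag}"
        self.active_tokens[unique_id] = token
        return token

    def verify_token(self, token: str) -> Optional[tuple]:
        """Returns (unique id, expiry) if the token is authentic, else None."""
        parts = token.split(".")
        if len(parts) != 3 or not parts[1].isdigit():
            return None
        unique_id, expiry, tag = parts
        expected = hmac.new(self.token_key, f"{unique_id}.{expiry}".encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return None
        return unique_id, int(expiry)

    def token_is_active(self, token: str, now: int) -> bool:
        """Active = authentic, not expired, and still the current token for that gateway."""
        verified = self.verify_token(token)
        if verified is None:
            return False
        unique_id, expiry = verified
        return now < expiry and self.active_tokens.get(unique_id) == token

    def register_gateway(self, decrypted_device_id: bytes, now: int) -> Optional[Registration]:
        """Claim 1: unique identifier from the validated device identifier, then a credential token."""
        unique_id = self.generate_unique_id(decrypted_device_id)
        if unique_id is None:
            return None
        return Registration(unique_id, self.issue_token(unique_id, now))

    def refresh_if_inactive(self, token: str, now: int) -> Optional[str]:
        """Claim 8: an authentic but inactive token is replaced; a forged one is refused."""
        if self.token_is_active(token, now):
            return token
        verified = self.verify_token(token)
        if verified is None or verified[0] not in self.pool.values():
            return None
        return self.issue_token(verified[0], now)


if __name__ == "__main__":
    # Constructed sample: 10-byte product id followed by a 6-byte MAC address.
    srv = Server(b"constructed-demo-key", {b"SKY-IOT-01"}, token_ttl=60)
    reg = srv.register_gateway(b"SKY-IOT-01" + bytes.fromhex("001122334455"), now=1000)
    print(reg, srv.token_is_active(reg.token, now=1030))
```

Two points a practitioner would look for: the identifier derived from MAC and product ID is stored in the pool so the same device always receives the same unique identifier, and a token refresh under claim 8 is granted only for a token whose HMAC verifies, so an expired token can be renewed but a tampered one cannot.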
FIGURE 1: system overview (Devices; MQTT Broker Queue; HTTPS; Data Processing; Security; IoT Applications; REST API; DBMS; Object Storage; Web Application; NoSQL; Users)
FIGURE 2: device identifier layouts (deviceid_1, 16 B: product id (10 B) followed by mac addr (6 B); deviceid_2, 22 B; deviceid_3, 25 B, composed of deviceid_21 to deviceid_24)
FIGURE 3: flowchart of registration and certificate issuance between the DLC and a device (register to DLC; authorization; DLC issues certificate; device gets/stores certificate; expire/revoke check; device asks for new certificate; two-way communication between DLC and device)
FIGURE 4: flowchart of data validation and token generation (IGX encrypts data; REST API; DLC decrypts data; data validation; generate token, or error)
AU2019261211A 2018-04-27 2019-04-27 System and method for establishing secure communication Active AU2019261211B2 (en)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
SG10201803575X 2018-04-27
SG10201803575X 2018-04-27
PCT/SG2019/050235 WO2019209184A1 (en) 2018-04-27 2019-04-27 System and method for establishing secure communication

Publications (2)

Publication Number Publication Date
AU2019261211A1 AU2019261211A1 (en) 2020-12-24
AU2019261211B2 true AU2019261211B2 (en) 2024-08-22

Family

ID=68295830

Family Applications (1)

Application Number Title Priority Date Filing Date
AU2019261211A Active AU2019261211B2 (en) 2018-04-27 2019-04-27 System and method for establishing secure communication

Country Status (3)

Country Link
AU (1) AU2019261211B2 (en)
SG (1) SG11202010501PA (en)
WO (1) WO2019209184A1 (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE102019130067B4 (en) * 2019-11-07 2022-06-02 Krohne Messtechnik Gmbh Method for carrying out permission-dependent communication between at least one field device in automation technology and an operating device
CN113132944B (en) * 2021-04-22 2023-10-20 上海银基信息安全技术股份有限公司 Multi-path secure communication method, device, vehicle end, equipment end and medium
US11962703B2 (en) 2022-02-08 2024-04-16 International Business Machines Corporation Cooperative session orchestration

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2011116713A2 (en) * 2011-04-28 2011-09-29 华为技术有限公司 Method, device and system for machine type communication (mtc) terminal communicating with network through gateway
US20120297193A1 (en) * 2010-01-29 2012-11-22 Huawei Technologies Co., Ltd. Mtc device authentication method, mtc gateway, and related device
US20130094444A1 (en) * 2011-10-13 2013-04-18 Applied Communications Sciences Automatic provisioning of an m2m device having a wifi interface
US20170164193A1 (en) * 2015-12-04 2017-06-08 Samsara Authentication of a gateway device in a sensor network
CN107276861A (en) * 2017-06-30 2017-10-20 广州创想健康信息科技有限公司 Method, server, gateway and system that bluetooth peripheral hardware is remotely accessed are provided

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20120297193A1 (en) * 2010-01-29 2012-11-22 Huawei Technologies Co., Ltd. Mtc device authentication method, mtc gateway, and related device
WO2011116713A2 (en) * 2011-04-28 2011-09-29 华为技术有限公司 Method, device and system for machine type communication (mtc) terminal communicating with network through gateway
US20130094444A1 (en) * 2011-10-13 2013-04-18 Applied Communications Sciences Automatic provisioning of an m2m device having a wifi interface
US20170164193A1 (en) * 2015-12-04 2017-06-08 Samsara Authentication of a gateway device in a sensor network
CN107276861A (en) * 2017-06-30 2017-10-20 广州创想健康信息科技有限公司 Method, server, gateway and system that bluetooth peripheral hardware is remotely accessed are provided

Also Published As

Publication number Publication date
AU2019261211A1 (en) 2020-12-24
WO2019209184A1 (en) 2019-10-31
SG11202010501PA (en) 2020-11-27

Similar Documents

Publication Publication Date Title
US9772623B2 (en) Securing devices to process control systems
CN103036867B (en) Based on virtual private network services equipment and the method for mutual certification
JP7007155B2 (en) Secure process control communication
US10601823B2 (en) Machine to-machine and machine to cloud end-to-end authentication and security
CN106664311B (en) Supports differentiated and secure communications between heterogeneous electronic devices
WO2018044876A1 (en) Secure tunnels for the internet of things
CN103369667B (en) wireless communication system
AU2019261211B2 (en) System and method for establishing secure communication
US12009979B2 (en) Secure and adaptive mechanism to provision zero- touch network devices
CN113872940B (en) Access control method, device and device based on NC-Link
JP6567258B2 (en) System and method for trusted mobile communication
CN112313984A (en) Establishment of an access authorization for accessing a sub-network of a mobile radio network
JP2017152877A (en) Electronic key re-registration system, electronic key re-registration method, and program
JP4536051B2 (en) Authentication system, authentication method, authentication server, wireless LAN terminal, and program for authenticating wireless LAN terminal
US9940116B2 (en) System for performing remote services for a technical installation
JP7204534B2 (en) Communications system
JP7163206B2 (en) communication controller
JP5107823B2 (en) Authentication message exchange system and authentication message exchange method
WO2020208332A1 (en) Provisioning data on a device
EP3871374B1 (en) Method and control system for monitoring a plurality of equipment in a snmp based network
WO2010004354A1 (en) Key management in an access network

Legal Events

Date Code Title Description
FGA Letters patent sealed or granted (standard patent)