WO2016055697A1 - Local trust creation and verification device - Google Patents
- Publication number
- WO2016055697A1 (PCT/FI2015/050665)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- entity
- devices
- entities
- information
- code
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Ceased
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/08—Access security
-
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/31—User authentication
- G06F21/34—User authentication involving the use of external additional devices, e.g. dongles or smart cards
- G06F21/35—User authentication involving the use of external additional devices, e.g. dongles or smart cards communicating wirelessly
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/083—Network architectures or network communication protocols for network security for authentication of entities using passwords
- H04L63/0838—Network architectures or network communication protocols for network security for authentication of entities using passwords using one-time-passwords
-
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/31—User authentication
- G06F21/32—User authentication using biometric data, e.g. fingerprints, iris scans or voiceprints
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0861—Network architectures or network communication protocols for network security for authentication of entities using biometrical features, e.g. fingerprint, retina-scan
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W4/00—Services specially adapted for wireless communication networks; Facilities therefor
- H04W4/80—Services using short range communication, e.g. near-field communication [NFC], radio-frequency identification [RFID] or low energy communication
Definitions
- the present invention concerns electronic devices in the context of authentication systems. Particularly, however not exclusively, the invention pertains to a device for generating and verifying authentication situations in a physical environment and to a method for determining the authenticity of a number of devices and entities according to their ID information.
- the objective of the embodiments of the present invention is to at least alleviate one or more of the aforementioned drawbacks evident in the prior art arrangements particularly in the context of devices for generating and verifying authentication situations.
- the objective is generally achieved with a device and a method in accordance with the present invention by scanning and obtaining ID information in a physical environment from a number of various devices, such as sensors, and/or entities and determining the authenticity of said devices and entities based on predetermined comparison data and decision logic and further on communicating said determined authenticity to an external device or entity.
- One of the advantageous features of the present invention is that it allows for large scale automation of verifying authentication situations. These situations may comprise a myriad of different settings, operations and activities created by e.g. users, processes, current use, process parameters, input and output materials, etc. in various locations.
- Another one of the advantageous features of the present invention is that even though the authentication is mostly physical environment-specific, the invention itself is not limited to function in any particular location, which allows for the device to be utilized in and configured for different locations and authentication situations.
- A further advantageous feature of the present invention is that it allows for real-time remote monitoring and control of multiple local authentication situations. For example, authentication situations may be generated and verified locally in-situ in different locations, such as in parts of a factory or a commercial building, which situations are then monitored and controlled on, or in accordance to, a remote and external entity, such as a server. This allows for remote and centralized controlling of many situations constituting for example a whole factory's or a building's authentication needs. Further on, the invention subsequently allows for improved monitoring and automation of process control, operations and diagnostics.
- an electronic device comprising:
- At least one sensing entity configured to scan and obtain ID information, preferably wirelessly, from a number of devices and/or entities
- connection means configured to at least transmit information towards a number of remote entities, optionally a remote server or a cloud computing system,
- a processing entity, arranged to collect ID information via said at least one sensing entity, and further on arranged to determine the trust state of said devices and/or entities by comparing said collected ID information to predetermined comparison data according to predetermined decision logic, and further on configured to create a reference code based on the trust state and to send said code, utilizing the connection means, to an external entity via connection means.
- the trust state refers to an authentication situation wherein a number of devices and/or entities with individual ID values are detected in a physical environment, or a zone, covered (by means of scanning and obtaining) by the electronic device.
- the value of the trust state is a result of the ID information (comprising the ID values) authenticity, i.e. whether the set of ID values obtained from the devices and/or entities match the comparison data (a corresponding set of values on a database).
- the reference code may comprise pseudorandom code.
- the reference code may comprise hash code.
- the sensing entity may comprise a number of sensors and/or reader devices.
- the sensing entity may be integrated in the device or it may be remotely, such as wirelessly or by-wire, connected to the device.
- the device may of course comprise a plurality of sensing entities.
- the sensing entity is capable of at least scanning and obtaining ID information from a number of devices and/or entities, optionally wirelessly.
- the device is arranged to connect and/or send information, such as the reference code, to or receive information from, an external server or a cloud computing entity.
- the device may be also arranged to comprise connection means capable to receive information, such as code, commands or control parameters, from a number of remote entities, such as remote server or cloud computing entities.
- the device may be arranged to send and/or receive information, such as code, commands or control parameters, to and/or from a remote device or entity.
- the processing entity may be arranged to signal and/or communicate whenever a determined trust state is inadequate and/or a non-authenticated set of ID values is detected, to command or request for control of the operation or authorization of the devices and/or entities, and/or related (industrial) processes.
- the processing entity may so control at least partially directly the authorization and/or operation of devices and/or entities in the device's respective physical environment coverage.
- the control may also be done on and from another entity, such as a remote external server or a cloud computing entity.
- a number of the electronic devices may be functionally connected to each other.
- the devices may also communicate with or at least transmit to and/or receive information from other similar electronic and/or information and communications technology (ICT) devices.
- the electronic device may be comprised in a system, which system comprises in addition at least one remote entity configured to receive information including trust state reference code from the electronic device, and to relate the determined trust state to a physical environment, area, zone or space, covered by said electronic device via scanning and obtaining of ID values in said physical environment.
- the system may also be able to determine, optionally from, and/or by deciphering, the reference code, the ID values and optionally additionally their respective devices and/or entities.
- the system comprising the electronic device also comprises a (remote) decoder to at least partially decode or decipher the reference code.
- a decoder may be embodied e.g. as a computer program product.
- the predetermined comparison data comprises a set of values comprised in the database.
- Said set of values is preferably chosen in accordance to the intended coverage of the device so that the device utilizes and/or comprises a set of values that matches the potential authentication situations (devices and/or entities) in the device's physical environment.
- the decision logic comprises at least the rules and/or an algorithm for determining the authenticity of obtained ID values in relation to the comparison data.
- a method for carrying out authentication utilizing an electronic device comprising:
- determining a trust state by comparing the collected ID information to predetermined comparison data according to predetermined decision logic,
- creating a reference code of the determined trust state, and
- sending said code to an external device or entity.
- the determined trust state reference data is pseudorandomized or hashed.
- the method further comprises the item of relating the determined trust state information with a specific physical environment.
- the method further comprises the item of relating the determined trust state information with a specific set of devices and/or entities said set comprising at least one device and/or entity, optionally in relation to a physical environment or location.
- a computer program product embodied in a non-transitory computer readable medium, comprises computer code for causing the computer to execute the method items of the present invention.
- the computer program product further comprises a decoder to decipher or decode the reference code.
- the decoder may only partially decipher the meaning and object of the reference code or it may fully identify the initial information e.g. comprising the comparison data, ID information and decision logic.
- reference code is herein used to refer to a code indicative of the trust state.
- the code may be numeric, alphabetical or alphanumeric, for example.
- the reference code may be a multi-part code comprising multiple separable or distinguishable code portions.
- ID value and its plural form are used herein to refer to ID information components associated with individual devices and/or entities.
- Fig. 1 is a block diagram of one embodiment of an electronic device comprising entities in accordance with the present invention.
- Fig. 2 illustrates an embodiment of an electronic device used as part of a system in accordance with the present invention.
- Fig. 3 is a flow diagram illustrating an embodiment of a method in accordance with the present invention.
- Fig. 4 is a flow diagram illustrating another embodiment of a method in accordance with the present invention.
- Figure 1 illustrates a block diagram of one feasible embodiment of an electronic device 100 in accordance with the present invention.
- the electronic device 100 essentially comprises at least one sensing entity 102, connection means 104, processing entity 106 and a memory entity 108. Additional elements and means known to a person skilled in the art may be incorporated appropriately according to various embodiments.
- the sensing entity 102 comprises at least one sensor, reader device and/or element capable of scanning and obtaining ID information from devices and/or entities.
- the sensing entity 102 has preferably at least wireless scanning and obtaining capabilities.
- the sensing entity 102 comprises, at least the capability for, contact-based and/or wired scanning and obtaining of ID information.
- the sensing entity 102 may be chosen in accordance to the communication technology capabilities of the devices and entities whose authenticities are verified.
- Some feasible communication technologies e.g. for a reader device include Bluetooth or Bluetooth low energy, EPC, NFC, QR, RFID, QR and UCODE.
- Other feasible technologies that might be utilized include wired or contact-based identification and communication technologies.
- feasible contact-based sensing techniques that the sensing entity 102 may incorporate include card reading means, and biometric means, such as fingerprint, facial recognition, iris recognition, retinal scan, voice/speech recognition and hand geometry.
- the device 100 and system may utilize multi-factor identification, i.e. using a combination of different authentication means.
- ID information data such as timestamp, location and sensory data of the-like, such as temperature, pressure, etc. information
- Feasible sensors include accelerometer, gyroscope, inclinometer, electronic compass, magnetometer, temperature sensor, GPS sensor, rotary motion sensor, microphone, proximity sensor, diode, photodiode, vibration sensor, oscillator, inertia measurement unit (IMU), position sensor, impact sensor and/or pressure sensor.
- sensors may comprise MEMS-sensors and/or smart sensors.
- the sensing entity 102 comprises at least unidirectional communication means so that the reader device may be able to receive information from tags.
- the sensing entity 102 may so communicate with both active and passive devices and entities comprising tags or similar communication devices.
- the sensing entity 102 may be configured to scan and obtain ID information from a particular set of devices and/or entities.
- the sensing entity 102 may further on comprise dedicated reader devices, sensors and other aforementioned elements for obtaining information from a particular set of devices and/or entities. For example, a number of sensors may be configured to scan and obtain only particular parameters whereas a reader device is configured to scan and obtain tags, such as RFID, QR and EPC tags.
- sensing entity 102 may be configured in any other feasible manner.
- Said sensing entity 102 elements may also be configured to not be dedicated, such that each element scans and obtains everything that they can in accordance to their technological capabilities and configurations.
- the electronic device 100 may also comprise more than one sensing entities 102.
- the sensing entities 102 may be configured to communicate with each other, including optionally additionally communicating with other electronic devices' 100 sensing entities 102.
- the sensing entities 102 may be also configured with similar operation considerations as sensing entity 102 elements (e.g. dedication and divisions between the sensing entities 102).
- the electronic device 100 preferably comprises a number of sensing entities 102 arranged to cover the desired set of devices and/or entities and/or the desired coverage (including all feasibly possible (meaning the ones that the device's 100 sensing entities 102 have capability to scan and obtain ID information from) devices and/or entities that may appear inside the coverage) in terms of physical space; i.e. the device's 100 physical environment.
- the devices and entities whose authenticities are verified comprise users (people), various devices (i.a. computers, mobile terminals, robot units, manufacturing and production machines, reader devices, tags, sensors etc.), parameters and processes. Such devices and entities may further also comprise industrial process parameters and other device- and entity- related parameters and values.
- the devices and entities may carry, be integrated and/or otherwise be associated with readable communication elements such as tags and/or devices utilizing aforementioned communication means. These communication elements may be passive or active and they may be essentially wireless or contact-based.
- Connection means 104 utilized by the device 100 may comprise a receiver, transmitter and/or a transceiver. Connection means 104 are used to connect the device 100 with other devices and remote devices and/or entities, such as remote servers or clouds.
- the communication connection may comprise simplex and/or duplex connections over telecommunications networks, such as WANs and/or LANs.
- the electronic device 100 may utilize SMS and/or MMS or other similar data sharing techniques. Additionally, said means may be incorporated essentially concurrently e.g. for sending encrypted information content and key via two different media.
- connection means 104 may be also used to connect a number of electronic devices 100 at least functionally to each other.
- the devices 100 may so communicate with or at least transmit to and/or receive information from other similar electronic and/or ICT devices.
- the processing entity 106 comprises a computing entity, which is at least configured to process the ID information by comparing it to comparison data according to decision logic. Additionally, the processing entity 106 is arranged to create a reference code of a determined trust state.
- the processing entity 106 comprises, e.g. at least one processing/controlling unit such as a microprocessor, a digital signal processor (DSP), a digital signal controller (DSC), a micro-controller or programmable logic chip(s), optionally comprising a plurality of co-operating or parallel (sub-)units.
- the device 100 comprises also a memory entity 108 for storing at least a part of a database comprising comparison data and decision logic. The database may be obtained from and remotely maintained in an external database.
- the database may be created and maintained in the device 100.
- the memory entity 108 may be utilized to store the obtained ID information.
- the obtained ID information may be utilized to determine and/or update the comparison data by e.g. collecting a set of data and calculating e.g. a mean value or other parameter potentially updated in accordance with newly obtained data.
- the comparison data may be predetermined and essentially invariable.
- the device 100 may also be configured to collect a data log comprising at least information about verified authentication situations. Said log may be accessed from an external entity or it may be sent to another device or entity, optionally in response to a request.
- the decision logic essentially comprises at least the rules and/or an algorithm for determining the authenticity of obtained ID values in relation to the comparison data.
- the decision logic may be in the simplest form an algorithm for comparing two sets of data with each other, wherein the sets of data may be in a same format or in different formats, such as in code representing the original value, pseudorandom code or hash code. Additionally, the decision logic comprises the means to retrieve the right set of data from the database, which may be optionally done in accordance with the location, time or other similar variable enabling said variable-based comparison.
- the collected values are seemingly random-like since they may pertain to any observed and scanned ID value, such as a parameter value, device/entity name, etc. However, the values may be still interpreted or connected to certain processes over time and observation and therefore the reference code comprising the ID information is preferably transformed into a more secure form by for example pseudorandomization.
- Pseudorandomization comprises creating a seemingly random set of characters from a set of characters by using an algorithm and a random seed.
- the random seed may be shared for different devices to be used with the algorithm to create identical and comparable sets of situations. For example, the seed may be shared for the device 100 and an external entity to be used with a particular algorithm, which makes it possible for the external entity to use the pseudorandom reference code.
- One exemplary feasible requirement (in terms of randomness) for a pseudorandom code comprises constituting it such that the guessing probability of the pseudorandom code yields $1/2^n$, wherein n is the bit length of the ID value.
- the reference code may be transformed by hashing.
- Producing hash code comprises creating a value or a key from a string of characters by using a formula or an algorithm (hash function). Using the formula an index may be created for all the ID values. Searching for a record containing an ID value is done by using the formula creating directly an index key to the record. Hashing may be also used to encrypt the data transmission to an external device. Therein the hash code is generated using the formula and sent with a message, which message the recipient then uses to produce another hash code according to the same formula and compares said produced hash code with the received hash code determining authenticity in a secured manner.
- the ID information data collected by the sensing entity 102 may be transformed into pseudorandom or hash code in accordance to the aforementioned means before being used to create the reference code representing the trust state.
- the transformed reference code may be decomposed or deciphered on another device or entity, such as on a cloud computing entity.
- the transformed code may be used on said other device or entity as such, without for example a decomposition into original parameter value or user/device information.
- Decomposition or comparison may be both achieved by either using a key, such as a seed for a pseudorandom code, for an algorithm to decompose the code or to create a comparable string according to a database.
- Each of the methods enables automatized control and monitoring. However, while one retains the security (not decomposing the reference code), the other allows for collecting more detailed diagnostics (decomposing the reference code).
- the memory entity 108 may be divided between one or more physical memory chips and/or cards.
- the memory entity 108 may also comprise necessary code, e.g. in a form of a computer program/application, for enabling the control and operation of the device 100, and provision of the related control data.
- the memory may comprise e.g. ROM (read only memory) or RAM-type (random access memory) implementations as disk storage or flash storage.
- the memory may further comprise an advantageously detachable memory card/stick, a floppy disc, an optical disc, such as a CD-ROM, or a fixed/removable hard drive.
- the device 100 may also utilize additional elements. These elements may be for example complementary elements for the other entities and components.
- the additional elements may be electronic, electro-optic, electroacoustic, piezoelectric, electric, and/or electromechanical by nature, or at least comprise such components.
- components may comprise light-emitting components such as (Organic) Light Emitting Diodes ((O)LEDs), sound-emitting and/or sound-receiving components such as microphones and speakers, cameras, conductors, wires, fastening means and encasing(s).
- the configuration of the disclosed components may differ from the explicitly depicted one depending on the requirements of each intended use scenario and selected technologies, wherein the present invention may be capitalized.
- the device 100 may also comprise or utilize a user interface, comprising at least input means, such as a button or touch surface, and optionally displaying means.
- At least the processing entity 106, memory entity 108 and other additional elements are preferably surface-mount technology (SMT), through-hole, flip-chip and/or printed entities.
- SMT, through-hole, flip-chip and printed entities may be attached using optionally substantially flexible means by anchoring, laminating, molding, mechanically (screws, bolts, fingers, etc.) gluing or by other adhesive, such as an epoxy adhesive. Both conductive (for enabling electrical contact) and non-conductive (for mere fixing) adhesives may be utilized.
- the substrate(s) for the components may be chosen i.a. according to material properties such as flexibility, thickness, adhesion properties, optical properties, conductivity and malleability.
- Some examples of feasible substrate materials comprise polymers, plastics, silicon, rubber, or a mixture of these.
- PCB printed circuit board
- PWB printed wiring board
- various elements of the electronic device 100 may be directly integrated in the same housing or provided at least with functional connectivity, e.g. wired or wireless connectivity, with each other.
- the device 100 may be at least partly encapsulated using e.g. polymers, plastics, silicon, rubber, metal or a mixture of these.
- FIG. 2 illustrates an embodiment of the device used as part of a system in accordance with the present invention.
- the system comprises two electronic devices 202a, 202b, both monitoring and determining the trust states of two different subprocesses in a physical environment 204.
- these two devices 202a, 202b are indeed configured to monitor the same physical environment or space but execute it process-specifically.
- the system comprises an external and remote entity 206 such as a cloud.
- parameters, devices (B, C, j, k, w, x, z) and entities (Serviceman 001) outside of the devices' 202a, 202b coverage are depicted who could potentially create trust situations by entering the electronic device's 202a, 202b coverage.
- the device 202a, 202b scans and obtains ID information from a number of devices and/or entities and determines the trust state by comparing the ID information to comparison data according to decision logic. When determined trust state is such that all the devices and/or entities in the coverage of the device 202a, 202b possess required authenticity they may be seen as to be in trusted state.
- the device 202a, 202b may create reference data based on the trust state, which may comprise ID values, comparison data, result of the authenticity verification of the devices and/or entities, and/or other diagnostics of the devices and/or entities.
- the trust state may comprise ID values, comparison data, result of the authenticity verification of the devices and/or entities, and/or other diagnostics of the devices and/or entities.
- determined trust state is such that at least one of devices and/or entities in the coverage of the device 202a, 202b do not possess a required authenticity, or cannot be authenticated, they may be seen as to be in distrust state, i.e. for a set of devices and/or entities the trust state is inadequate, too low or missing/impossible to solve. This may be a result of a number of devices and/or entities lacking the required authenticity, which may be then communicated to an external entity.
- the communication may then comprise the distrust state of the individual devices and/or entities lacking the required authenticity or the device 202a, 202b may communicate that the whole device's 202a, 202b coverage of physical environment 204 is in a distrust state, e.g. even in the case of only at least one of many devices and/or entities doesn't possess the required authenticity.
- the device may further on control or adjust the operation or parameters of the devices and/or entities lacking the authenticity or a request for the same from a remote entity.
- the processing entity may so control at least partially directly the authorization and/or operation of devices and/or entities in the device's 202a, 202b respective coverage inside the physical environment 204.
- the actual control may so be done on another entity 206, such as on a remote external server or on a cloud computing entity. Further on, such control and/or adjustment enables a broader control of whole processes, such as industrial processes, by controlling their parameters and associated devices and users in relation to monitored values and information.
- the device itself is essentially physical environment agnostic.
- the sensing means utilized by the electronic device aren't tied to a physical environment 204 and the device itself doesn't recognize the environment 204 but is rather configured by means of coverage and the comparison data selected from the database to verify authentication of various devices and/or entities by comparing the ID information received from them to the comparison data in accordance to a decision logic.
- the configuration may be done in accordance to the decision logic so that the decision logic essentially dictates the operation, physical environment 204, and/or the devices and/or entities whose authenticities are verified as well as the relevant comparison data from the database.
- the device needn't recognize the data or the devices and/or entities carrying the ID information but in the simplest form it only compares the information realtime, periodically, from a request or by the change in the scanned environment 204, such as an appearance of new ID value or disappearance of an ID value, to a predetermined set of data, comparison data, in accordance to a decision logic, determines the trust state and creates the reference data comprising the information about said determined trust state.
- the remote external entity 206 may then be used to collect, process, e.g. decipher, as well as to save the collected data. Further on, said remote entity 206 may be used to monitor and control a number of the electronic devices e.g. to automate for example a system comprising a number of the electronic devices. For example, a laboratory, commercial building or a factory comprising a lot of different zones or physical environments 204 with different authentication statuses may incorporate a number of electronic devices to cover the authentication needs of the premises accounting for the varying authentication statuses.
- the database comprises the comparison data and the decision logic.
- the database may be in a remote device or entity 206 or on the device itself.
- the database may be e.g. stored and maintained in a remote entity 206 wherefrom it is accessible for the devices.
- New comparison data may be created on the database or on the devices wherein it may be updated on the primary reference database, such as the one on the remote device or entity 206. Creating new comparison data may be done for example on the devices based on the obtained ID information or it may be done externally based for example on the reference data received from a number of devices and/or entities.
- the collected ID information, determined trust states and partial trust states represent particular situations comprised in the reference code.
- the reference code so comprises or pertains to an individualized situation, which may be used to automatize commands or actions such as an inquiry to start a process, an inquiry for a service or control over a process.
- the automated actions may comprise the authorization, initiation of or access to e.g. external services, such as to a cloud service.
- the reference code may be directly used to control or initiate a number of processes, or to access or provide a service, such as a process in a cloud entity.
- Figure 3 shows a flow diagram of one feasible embodiment for the method in accordance with the present invention.
- the device performing the method is configured.
- the configuration comprises at least determining the comparison data and decision logic.
- the device and/or entity related scanning and monitoring means may be configured.
- the production of reference code as well as the optional encryption and/or transformation of the reference code are decided.
- the configurations, including the comparison data, decision logic, pseudorandomization algorithm, hash function and/or their respective keys may be also retrieved and/or updated for example from and/or according to a database on an external device or entity, such as a cloud computing entity.
- the sensing entity scans and detects present ID values.
- the devices and/or entities in the coverage area of the sensing entities of the device are either actively or passively scanned and detected.
- the scanning and detection of devices and/or entities may be done in predetermined intervals or essentially continuously.
- the device may scan and detect essentially continuously or it may scan a device's or entity's ID value every time a new device or entity appears or disappears from the device's coverage.
- the ID values of the scanned and detected devices are obtained.
- the obtaining may be done e.g. every time a new ID value is detected.
- the obtained ID values may be transformed into pseudorandom or hash code.
- the trust state of the devices and/or entities is determined by comparing the obtained ID information (comprising ID values) to a predetermined comparison data in accordance to decision logic.
- the obtained ID information may be used to update the comparison data comprised in the database.
- the device may deny the operation and/or authorization of the devices and/or entities, which do not possess the required authenticity.
- the reference code is created.
- the reference code may comprise essentially the determined trust states of individual devices and/or entities or it may comprise the trust state created collectively by all the devices and/or entities in the device's coverage.
- the reference code comprises pseudorandom code or hash code.
- the reference code is sent to an external device or entity.
- the reference code may be sent in a partitioned form using optionally different media or data transfer means.
- the reference code may be sent with a key for deciphering the reference code on the external device or entity.
- the device may continue scanning and detecting of devices and/or entities in its coverage. Alternatively, the device may be reconfigured or receive commands from an external entity or device.
- Figure 4 shows a flow diagram of another feasible embodiment for the method in accordance with the present invention.
- the items of 402-412 correspond to the items 302-312 of figure 3.
- the reference code may be decomposed or deciphered back to meaningful and device-related sensor value using parallel and/or sequential paths, and/or collected and used for comparison, analysis, controlling, monitoring and/or saved on the external device or entity.
- the reference code may be also used for collecting diagnostics.
- the external device or entity may relate the determined trust state information comprised in the reference code with a specific location, such as the scanning and detecting device's physical environment.
- the reference code information may be also used to update the database, comprising or constituting at least the comparison data and optionally the decision logic and/or pseudorandomization or hashing algorithms, and/or keys.
- the remote device or entity may provide a command or service preferably essentially automatically based on the reference code, including the information about the trust state.
- the external entity may control to disable, deny the authorization or limit the operation of any of the devices and/or entities, and/or related (industrial) processes, in the device's coverage. For example, devices and/or entities that do not possess the required authenticity may be denied access or operation in the device's physical environment.
Abstract
An electronic device 100, 202a, 202b comprising: at least one sensing entity 102 configured to scan and obtain ID information, preferably wirelessly, from a number of devices and/or entities, connection means 104 configured to at least transmit information towards a number of remote entities 206, optionally a remote server or a cloud computing system, and a processing entity 106, arranged to collect ID information via said at least one sensing entity 102, and further on arranged to determine the trust state of said devices and/or entities by comparing said collected ID information to predetermined comparison data according to predetermined decision logic, and further on configured to create a reference code based on the trust state and to send said code, utilizing the connection means 104, to an external entity 206. Corresponding systems and methods are also presented.
Description
LOCAL TRUST CREATION AND VERIFICATION DEVICE
FIELD OF THE INVENTION
Generally the present invention concerns electronic devices in the context of authentication systems. Particularly, however not exclusively, the invention pertains to a device for generating and verifying authentication situations in a physical environment and to a method for determining the authenticity of a number of devices and entities according to their ID information.
BACKGROUND
Almost every factory nowadays utilizes automation and, in fact, many of them are already practically fully automated. The automated processes and systems that they utilize require countless authentication situations at various points in time and location. However, traditionally authentication in automated systems and other authentication-related activities are done in-situ in factories and sites of the like.
Current ICT systems utilize login names, passwords and key lists for connecting into systems and as proofs of identity. Even further, complex systems may have several login names for each person and strong passwords, which are difficult to remember.
In addition to authenticating devices, comprehensive authentication should also cover a wide range of other entities and (their) activities such as current operation and use, users, processes, process parameters, input/output materials, etc. Ideally, such authentication should be extended from authenticating single users and devices to authenticating all devices and entities and their operation and use parameters that are specific and essential to a particular authenticated system. However, current authentication systems and methods aren't capable of doing this in a comprehensive and centralized manner. Instead, they utilize local-based and internal control solutions which are labor-intensive and difficult to outsource and automatize.
At the same time, the recent developments in the field of cloud computing and service models have opened up possibilities for external control and operation of many different systems and devices ranging from individual sensors to multi-device systems and processes. Even so, current authentication systems aren't capable of utilizing such external controlling means i.a. due to problematic and arduous data security aspects.
SUMMARY OF THE INVENTION
The objective of the embodiments of the present invention is to at least alleviate one or more of the aforementioned drawbacks evident in the prior art arrangements particularly in the context of devices for generating and verifying authentication situations. The objective is generally achieved with a device and a method in accordance with the present invention by scanning and obtaining ID information in a physical environment from a number of various devices, such as sensors, and/or entities and determining the authenticity of said devices and entities based on predetermined comparison data and decision logic and further on communicating said determined authenticity to an external device or entity.
One of the advantageous features of the present invention is that it allows for large scale automation of verifying authentication situations. These situations may comprise a myriad of different settings, operations and activities created by e.g. users, processes, current use, process parameters, input and output materials, etc. in various locations.
Another one of the advantageous features of the present invention is that even though the authentication is mostly physical-environment-specific the invention itself is not limited to function in any particular location, which allows for the device to be utilized in and configured for different locations and authentication situations.
A further advantageous feature of the present invention is that it allows for real-time remote monitoring and control of multiple local authentication situations. For example, authentication situations may be generated and verified locally in-situ in different locations, such as in parts of a factory or a commercial building, which situations are then monitored and controlled on, or in accordance to, a remote and external entity, such as a server. This allows for remote and centralized controlling of many situations constituting for example a whole factory's or a building's authentication needs. Further on, the invention subsequently allows for improved monitoring and automation of process control, operations and diagnostics.
Finally, one of the very advantageous features stems from the fact that the invention allows for protection for the data processing and sharing by utilizing data and information securing means.
In accordance with one aspect of the present invention an electronic device comprising:
-at least one sensing entity configured to scan and obtain ID information, preferably wirelessly, from a number of devices and/or entities,
-connection means configured to at least transmit information towards a number of remote entities, optionally a remote server or a cloud computing system,
-a processing entity, arranged to collect ID information via said at least one sensing entity, and further on arranged to determine the trust state of said devices and/or entities by comparing said collected ID information to predetermined comparison data according to predetermined decision logic, and further on configured to create a reference code based on the trust state and to send said code, utilizing the connection means, to an external entity via connection means.
The trust state refers to an authentication situation wherein a number of devices and/or entities with individual ID values are detected in a physical environment, or a zone, covered (by means of scanning and obtaining) by the electronic device. The value of the trust state is a result of the ID information (comprising the ID values) authenticity, i.e. whether the set of ID values obtained from the devices and/or entities match the comparison data (a corresponding set of values on a database).
According to an exemplary embodiment of the present invention the reference code may comprise pseudorandom code. Optionally, the reference code may comprise hash code.
According to an exemplary embodiment of the present invention the sensing entity may comprise a number of sensors and/or reader devices. The sensing entity may be integrated in the device or it may be remotely, such as wirelessly or by-wire, connected to the device. The device may of course comprise a plurality of sensing entities. The sensing entity is capable of at least scanning and obtaining ID information from a number of devices and/or entities, optionally wirelessly.
According to an exemplary embodiment of the present invention the device is arranged to connect and/or send information, such as the reference code, to or receive information from, an external server or a cloud computing entity.
According to a further exemplary embodiment of the present invention the device may be also arranged to comprise connection means capable to receive information, such as code, commands or control parameters, from a number of remote entities, such as remote server or cloud computing entities.
According to an exemplary embodiment of the present invention the device may be arranged to send and/or receive information, such as code, commands or control parameters, to and/or from a remote device or entity.
According to an exemplary embodiment of the present invention the processing entity may be arranged to signal and/or communicate whenever a determined trust state is inadequate and/or a non-authenticated set of ID values is detected, to command or request for control of the operation or authorization of the devices and/or entities, and/or related (industrial) processes. The processing entity may so control at least partially directly the authorization and/or operation of devices and/or entities in the device's respective physical environment coverage. The control may also be done on and from another entity, such as a remote external server or a cloud computing entity.
According to a further exemplary embodiment of the present invention a number of the electronic devices may be functionally connected to each other. The devices may also communicate with or at least transmit to and/or receive information from other similar electronic and/or information and communications technology (ICT) devices.
According to another exemplary embodiment of the present invention the electronic device may be comprised in a system, which system comprises in addition at least one remote entity configured to receive information including trust state reference code from the electronic device, and to relate the determined trust state to a physical environment, area, zone or space, covered by said electronic device via scanning and obtaining of ID values in said physical environment.
According to an exemplary embodiment of the present invention the system may also be able to determine, optionally from, and/or by deciphering, the reference code, the ID values and optionally additionally their respective devices and/or entities.
According to an exemplary embodiment of the present invention the system comprising the electronic device also comprises a (remote) decoder to at least partially decode or decipher the reference code. Such decoder may be embodied e.g. as a computer program product.
According to an exemplary embodiment the predetermined comparison data comprises a set of values comprised in the database. Said set of values is preferably chosen in accordance to the intended coverage of the device so that the device utilizes and/or comprises a set of values that matches the potential authentication situations (devices and/or entities) in the device's physical environment.
According to an exemplary embodiment the decision logic comprises at least the rules and/or an algorithm for determining the authenticity of obtained ID values in relation to the comparison data.
In accordance with one aspect of the present invention a method for carrying out authentication utilizing an electronic device, comprising:
-scanning and detecting ID values of devices and/or entities in a physical environment,
-obtaining ID information from said devices and/or entities,
-determining a trust state by comparing the collected ID information to predetermined comparison data according to predetermined decision logic,
-creating a reference code of the determined trust state, and
-sending said code to an external device or entity.
According to another exemplary embodiment the determined trust state reference data is pseudorandomized or hashed.
According to an exemplary embodiment of the present invention the method further comprises the item of relating the determined trust state information with a specific physical environment.
According to an exemplary embodiment of the present invention the method further comprises the item of relating the determined trust state information with a specific set of devices and/or entities said set comprising at least one device and/or entity, optionally in relation to a physical environment or location.
In accordance with one aspect of the present invention a computer program product embodied in a non-transitory computer readable medium, comprises computer code for causing the computer to execute the method items of the present invention.
According to an exemplary embodiment of the present invention the computer program product further comprises a decoder to decipher or decode the reference code. The decoder may only partially decipher the meaning and object of the reference code or it may fully identify the initial information e.g. comprising the comparison data, ID information and decision logic.
The previously presented considerations concerning the various embodiments of the electronic device may be flexibly applied to the embodiments of the method and of the computer program product mutatis mutandis and vice versa, as being appreciated by a skilled person. Similarly, the electronic structure obtained by the method and corresponding arrangement is scalable in the limitations of the entities according to the arrangement.
As briefly reviewed hereinbefore, the utility of the different aspects of the present invention arises from a plurality of issues depending on each particular embodiment. The expression "a number of" may herein refer to any positive integer starting from one (1). The expression "a plurality of" may refer to any positive integer starting from two (2), respectively.
The expression "reference code" is herein used to refer to a code indicative of the trust state. The code may be numeric, alphabetical or alphanumeric, for example. The reference code may be a multi-part code comprising multiple separable or distinguishable code portions.
The term "ID value" and its plural form are used herein to refer to ID information components associated with individual devices and/or entities.
The term "exemplary" refers herein to an example or example-like feature, not the sole or only preferable option. Different embodiments of the present invention are also disclosed in the attached dependent claims.
BRIEF DESCRIPTION OF THE RELATED DRAWINGS
Next, some exemplary embodiments of the present invention are reviewed more closely with reference to the attached drawings, wherein
Fig. 1 is a block diagram of one embodiment of an electronic device comprising entities in accordance with the present invention.
Fig. 2 illustrates an embodiment of an electronic device used as part of a system in accordance with the present invention.
Fig. 3 is a flow diagram illustrating an embodiment of a method in accordance with the present invention.
Fig. 4 is a flow diagram illustrating another embodiment of a method in accordance with the present invention.
DETAILED DESCRIPTION OF THE EMBODIMENTS
Figure 1 illustrates a block diagram of one feasible embodiment of an electronic device 100 in accordance with the present invention.
The electronic device 100 essentially comprises at least one sensing entity 102, connection means 104, processing entity 106 and a memory entity 108. Additional elements and means known to a person skilled in the art may be incorporated appropriately according to various embodiments.
The sensing entity 102 comprises at least one sensor, reader device and/or element capable of scanning and obtaining ID information from devices and/or entities. The sensing entity 102 has preferably at least wireless scanning and obtaining capabilities. Optionally the sensing entity 102 comprises, at least the capability for, contact-based and/or wired scanning and obtaining of ID information.
The sensing entity 102 may be chosen in accordance to the communication technology capabilities of the devices and entities whose authenticities are verified. Some feasible communication technologies e.g. for a reader device include Bluetooth or Bluetooth low energy, EPC, NFC, QR, RFID and UCODE. Other feasible technologies that might be utilized include wired or contact-based identification and communication technologies.
Optionally, feasible contact-based sensing techniques that the sensing entity 102 may incorporate include card reading means, and biometric means, such as fingerprint, facial recognition, iris recognition, retinal scan, voice/speech recognition and hand geometry. Optionally the device 100 and system may utilize multi-factor identification, i.e. using a combination of different authentication means.
Other means for obtaining ID information data, such as timestamp, location and sensory data of the like, such as temperature, pressure, etc. information comprise using various different sensors. Feasible sensors include accelerometer, gyroscope, inclinometer, electronic compass, magnetometer, temperature sensor, GPS sensor, rotary motion sensor, microphone, proximity sensor, diode, photodiode, vibration sensor, oscillator, inertia measurement unit (IMU), position sensor, impact sensor and/or pressure sensor. Such sensors may comprise MEMS-sensors and/or smart sensors.
The sensing entity 102 comprises at least unidirectional communication means so that the reader device may be able to receive information from tags. The sensing entity 102 may so communicate with both active and passive devices and entities comprising tags or similar communication devices. The sensing entity 102 may be configured to scan and obtain ID information from a particular set of devices and/or entities. The sensing entity 102 may further on comprise dedicated reader devices, sensors and other aforementioned elements for obtaining information from a particular set of devices and/or entities. For example, a number of sensors may be configured to scan and obtain only particular parameters whereas a reader device is configured to scan and obtain tags, such as RFID, QR and EPC tags. Of course said reader devices, sensors and the like comprised in the sensing entity 102 may be configured in any other feasible manner. Said sensing entity 102 elements may also be configured to not be dedicated, such that each element scans and obtains everything that they can in accordance to their technological capabilities and configurations. The electronic device 100 may also comprise more than one sensing entity 102. The sensing entities 102 may be configured to communicate with each other, including optionally additionally communicating with other electronic devices' 100 sensing entities 102. The sensing entities 102 may be also configured with similar operation considerations as sensing entity 102 elements (e.g. dedication and divisions between the sensing entities 102).
The electronic device 100 preferably comprises a number of sensing entities 102 arranged to cover the desired set of devices and/or entities and/or the desired coverage (including all feasibly possible (meaning the ones that the device's 100 sensing entities 102 have capability to scan and obtain ID information from) devices and/or entities that may appear inside the coverage) in terms of physical space; i.e. the device's 100 physical environment.
The devices and entities whose authenticities are verified comprise users (people), various devices (i.a. computers, mobile terminals, robot units, manufacturing and production machines, reader devices, tags, sensors etc.), parameters and processes. Such devices and entities may further also comprise industrial process parameters and other device- and entity-related parameters and values. The devices and entities may carry, be integrated and/or otherwise be associated with readable communication elements such as tags and/or devices utilizing aforementioned communication means. These communication elements may be passive or active and they may be essentially wireless or contact-based.
Connection means 104 utilized by the device 100 may comprise a receiver, transmitter and/or a transceiver. Connection means 104 are used to connect the device 100 with other devices and remote devices and/or entities, such as remote servers or clouds. The communication connection may comprise simplex and/or duplex connections over telecommunications networks, such as WANs and/or LANs. In addition to data network communication, the electronic device 100 may utilize SMS and/or MMS or other similar data sharing techniques. Additionally, said means may be incorporated essentially concurrently e.g. for sending encrypted information content and key via two different media.
The connection means 104 may be also used to connect a number of electronic devices 100 at least functionally to each other. The devices 100 may so communicate with or at least transmit to and/or receive information from other similar electronic and/or ICT devices.
The processing entity 106 comprises a computing entity, which is at least configured to process the ID information by comparing it to comparison data according to decision logic. Additionally, the processing entity 106 is arranged to create a reference code of a determined trust state. The processing entity 106 comprises, e.g. at least one processing/controlling unit such as a microprocessor, a digital signal processor (DSP), a digital signal controller (DSC), a micro-controller or programmable logic chip(s), optionally comprising a plurality of co-operating or parallel (sub-)units.
The device 100 comprises also a memory entity 108 for storing at least a part of a database comprising comparison data and decision logic. The database may be obtained from and remotely maintained in an external database. Optionally, the database may be created and maintained in the device 100. Further on, the memory entity 108 may be utilized to store the obtained ID information. The obtained ID information may be utilized to determine and/or update the comparison data by e.g. collecting a set of data and calculating e.g. a mean value or other parameter potentially updated in accordance with newly obtained data. Optionally, the comparison data may be predetermined and essentially invariable.
The device 100 may also be configured to collect a data log comprising at least information about verified authentication situations. Said log may be accessed from an external entity or it may be sent to another device or entity, optionally in response to a request.
The decision logic essentially comprises at least the rules and/or an algorithm for determining the authenticity of obtained ID values in relation to the comparison data. The decision logic may be in the simplest form an algorithm for comparing two sets of data with each other, wherein the sets of data may be in a same format or in different formats, such as in code representing the original value, pseudorandom code or hash code. Additionally, the decision logic comprises the means to retrieve the right set of data from the database, which may be optionally done in accordance with the location, time or other similar variable enabling said variable-based comparison.
The collected values are seemingly random-like since they may pertain to any observed and scanned ID value, such as a parameter value, device/entity name, etc. However, the values may be still interpreted or connected to certain processes over time and observation and therefore the reference code comprising the ID information is preferably transformed into a more secure form by for example pseudorandomization. Pseudorandomization comprises creating a seemingly random set of characters from a set of characters by using an algorithm and a random seed. The random seed may be shared for different devices to be used with the algorithm to create identical and comparable sets of situations. For example, the seed may be shared for the device 100 and an external entity to be used with a particular algorithm, which makes it possible for the external entity to use the pseudorandom reference code. One exemplary feasible requirement (in terms of randomness) for a pseudorandom code comprises constituting it such that the guessing probability of the pseudorandom code yields 1/(2^n), wherein n is the bit length of the ID value.
Optionally the reference code may be transformed by hashing. Producing hash code comprises creating a value or a key from a string of characters by using a formula or an algorithm (hash function). Using the formula an index may be created for all the ID values. Searching for a record containing an ID value is done by using the formula creating directly an index key to the record. Hashing may be also used to encrypt the data transmission to an external device. Therein the hash code is generated using the formula and sent with a message, which message the recipient then uses to produce another hash code according to the same formula and compares said produced hash code with the received hash code determining authenticity in a secured manner.
Optionally even the ID information data collected by the sensing entity 102 may be transformed into pseudorandom or hash code in accordance to the aforementioned means before being used to create the reference code representing the trust state.
The transformed reference code may be decomposed or deciphered on another device or entity, such as on a cloud computing entity. Alternatively, the transformed code may be used on said other device or entity as such, without for example a decomposition into original parameter value or user/device information. Decomposition or comparison may be both achieved by either using a key, such as a seed for a pseudorandom code, for an algorithm to decompose the code or to create a comparable string according to a database. Each of the methods enables automatized control and monitoring. However, while one retains the security (not decomposing the reference code) the other allows for collecting more detailed diagnostics (decomposing the reference code).
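The device-side comparison and the "compare without decomposing" path described above can be sketched as follows; this is an added illustration, not code from the patent. It assumes HMAC-SHA-256 keyed with the shared seed as the transform, a three-state decision logic (TRUSTED, PARTIAL, UNTRUSTED), and a message counter so that an old reference code cannot be replayed; all names and sample ID values are constructed.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

STATES = ("TRUSTED", "PARTIAL", "UNTRUSTED")  # assumed state names


def _mac(seed: bytes, *fields) -> str:
    """Keyed hash over a JSON array, so field boundaries are unambiguous."""
    msg = json.dumps(list(fields), separators=(",", ":")).encode()
    return hmac.new(seed, msg, hashlib.sha256).hexdigest()


def pseudonymize(id_value: str, seed: bytes) -> str:
    """Transform one scanned ID value; raw IDs never leave the device."""
    return _mac(seed, "id", id_value)


@dataclass(frozen=True)
class ComparisonData:
    """Comparison data for one zone, stored only in transformed form."""
    zone: str
    required: frozenset  # IDs that must be present
    allowed: frozenset   # IDs that may be present


def decide(observed: set, data: ComparisonData) -> str:
    """Assumed decision logic: any unknown ID fails the zone outright,
    a missing required ID yields a partial trust state."""
    if observed - data.required - data.allowed:
        return "UNTRUSTED"
    if data.required - observed:
        return "PARTIAL"
    return "TRUSTED"


def reference_code(zone: str, counter: int, state: str, seed: bytes) -> str:
    """Reference code bound to zone, counter and trust state."""
    return _mac(seed, "ref", zone, counter, state)


def device_evaluate(raw_ids, data: ComparisonData, seed: bytes, counter: int) -> dict:
    """Device side: scan result in, message for the external entity out."""
    observed = {pseudonymize(v, seed) for v in raw_ids}
    state = decide(observed, data)
    return {"zone": data.zone, "counter": counter,
            "code": reference_code(data.zone, counter, state, seed)}


def remote_interpret(msg: dict, seed: bytes, last_counter: int):
    """External entity: recompute the code for each candidate state and
    compare in constant time. Returns the state, or None if the code is
    stale, forged, or made with a different seed."""
    if msg["counter"] <= last_counter:
        return None  # replayed or out-of-order message
    for state in STATES:
        expected = reference_code(msg["zone"], msg["counter"], state, seed)
        if hmac.compare_digest(expected, msg["code"]):
            return state
    return None


# Constructed sample data (not from the patent).
SEED = b"constructed-demo-seed-not-a-real-key"
ZONE_A = ComparisonData(
    zone="press-hall-A",
    required=frozenset(pseudonymize(v, SEED)
                       for v in ("rfid:operator-17", "ble:press-03")),
    allowed=frozenset({pseudonymize("epc:pallet-221", SEED)}),
)

if __name__ == "__main__":
    scans = [
        ["rfid:operator-17", "ble:press-03", "epc:pallet-221"],
        ["ble:press-03"],
        ["rfid:operator-17", "ble:press-03", "rfid:unknown-99"],
    ]
    last = 0
    for counter, scan in enumerate(scans, start=1):
        msg = device_evaluate(scan, ZONE_A, SEED, counter)
        print(counter, msg["code"][:16], remote_interpret(msg, SEED, last))
        last = counter
```

An unkeyed hash of the trust state or of short ID values can be reproduced by anyone who guesses the input, which is why the sketch keys every transform with the seed and binds the counter into the reference code.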
The memory entity 108 may be divided between one or more physical memory chips and/or cards. The memory entity 108 may also comprise necessary code, e.g. in a form of a computer program/application, for enabling the control and operation of the device 100, and provision of the related control data. The memory may comprise e.g. ROM (read only memory) or RAM-type (random access memory) implementations as disk storage or flash storage. The memory may further comprise an advantageously detachable memory card/stick, a floppy disc, an optical disc, such as a CD-ROM, or a fixed/removable hard drive.
The device 100 may also utilize additional elements. These elements may be for example complementary elements for the other entities and components. As an example, the additional elements may be electronic, electro-optic, electroacoustic, piezoelectric, electric, and/or electromechanical by nature, or at least comprise such components. Further on, such components may comprise light-emitting components such as (organic) light-emitting diodes ((O)LEDs), sound-emitting and/or sound-receiving components such as microphones and speakers, cameras, conductors, wires, fastening means and encasing(s). As will be appreciated by skilled readers, the configuration of the disclosed components may differ from the explicitly depicted one depending on the requirements of each intended use scenario and selected technologies, wherein the present invention may be capitalized.
The device 100 may also comprise or utilize a user interface, comprising at least input means, such as a button or touch surface, and optionally displaying means.
From the manufacturing point-of-view, at least the processing entity 106, memory entity 108 and other additional elements are preferably surface-mount technology (SMT), through-hole, flip-chip and/or printed entities. SMT, through-hole, flip-chip and printed entities may be attached using optionally substantially flexible means by anchoring, laminating, molding, mechanically (screws, bolts, fingers, etc.), gluing or by other adhesive, such as an epoxy adhesive. Both conductive (for enabling electrical contact) and non-conductive (for mere fixing) adhesives may be utilized.
The substrate(s) for the components may be chosen i.a. according to material properties such as flexibility, thickness, adhesion properties, optical properties, conductivity and malleability. Some examples of feasible substrate materials comprise polymers, plastics, silicon, rubber, or a mixture of these. Optionally printed circuit board (PCB) or printed wiring board (PWB) may be used as either of, or essentially partly together with, the substrate.
As being clear to a skilled person, various elements of the electronic device 100 may be directly integrated in the same housing or provided at least with functional connectivity, e.g. wired or wireless connectivity, with each other. The device 100 may be at least partly encapsulated using e.g. polymers, plastics, silicon, rubber, metal or a mixture of these.
Figure 2 illustrates an embodiment of the device used as part of a system in accordance with the present invention. The system comprises two electronic devices 202a, 202b, both monitoring and determining the trust states of two different subprocesses in a physical environment 204. In the shown case, these two devices 202a, 202b are indeed configured to monitor the same physical environment or space but execute it process-specifically. Further on, the system comprises an external and remote entity 206 such as a cloud. For illustrative purposes other components, parameters, devices (B, C, j, k, w, x, z) and entities (Serviceman 001) outside of the devices' 202a, 202b coverage are depicted, which could potentially create trust situations by entering the electronic device's 202a, 202b coverage.
The device 202a, 202b scans and obtains ID information from a number of devices and/or entities and determines the trust state by comparing the ID information to comparison data according to decision logic. When the determined trust state is such that all the devices and/or entities in the coverage of the device 202a, 202b possess the required authenticity, they may be seen to be in a trusted state. The device 202a, 202b may create reference data based on the trust state, which may comprise ID values, comparison data, result of the authenticity verification of the devices and/or entities, and/or other diagnostics of the devices and/or entities.
When the determined trust state is such that at least one of the devices and/or entities in the coverage of the device 202a, 202b does not possess the required authenticity, or cannot be authenticated, they may be seen to be in a distrust state, i.e. for a set of devices and/or entities the trust state is inadequate, too low or missing/impossible to solve. This may be a result of a number of devices and/or entities lacking the required authenticity, which may then be communicated to an external entity. The communication may then comprise the distrust state of the individual devices and/or entities lacking the required authenticity, or the device 202a, 202b may communicate that the whole device's 202a, 202b coverage of physical environment 204 is in a distrust state, e.g. even in the case that at least one of many devices and/or entities doesn't possess the required authenticity.
The device may further on control or adjust the operation or parameters of the devices and/or entities lacking the authenticity, or request the same from a remote entity. The processing entity may so control at least partially directly the authorization and/or operation of devices and/or entities in the device's 202a, 202b respective coverage inside the physical environment 204. The actual control may so be done on another entity 206, such as on a remote external server or on a cloud computing entity. Further on, such control and/or adjustment enables a broader control of whole processes, such as industrial processes, by controlling their parameters and associated devices and users in relation to monitored values and information.
The device itself is essentially physical environment agnostic. The sensing means utilized by the electronic device aren't tied to a physical environment 204 and the device itself doesn't recognize the environment 204 but is rather configured by means of coverage and the comparison data selected from the database to verify authentication of various devices and/or entities by comparing the ID information received from them to the comparison data in accordance to a decision logic. Optionally, the configuration may be done in accordance to the decision logic so that the decision logic essentially dictates the operation, physical environment 204, and/or the devices and/or entities whose authenticities are verified as well as the relevant comparison data from the database. This way the device needn't recognize the data or the devices and/or entities carrying the ID information; in the simplest form it only compares the information, in real time, periodically, upon a request or upon a change in the scanned environment 204 (such as an appearance of a new ID value or disappearance of an ID value), to a predetermined set of data, the comparison data, in accordance to a decision logic, determines the trust state and creates the reference data comprising the information about said determined trust state.
The remote external entity 206 may then be used to collect, process, e.g. decipher, as well as to save the collected data. Further on, said remote entity 206 may be used to monitor and control a number of the electronic devices e.g. to automate for example a system comprising a number of the electronic devices. For example, a laboratory, commercial building or a factory comprising a lot of different zones or physical environments 204 with different authentication statuses may incorporate a number of electronic devices to cover the authentication needs of the premises accounting for the varying authentication statuses.
The database comprises the comparison data and the decision logic. The database may be in a remote device or entity 206 or on the device itself. The database may be e.g. stored and maintained in a remote entity 206 wherefrom it is accessible for the devices. New comparison data may be created on the database or on the devices wherein it may be updated on the primary reference database, such as the one on the remote device or entity 206. Creating new comparison data may be done for example on the devices based on the obtained ID information or it may be done externally based for example on the reference data received from a number of devices and/or entities.
The collected ID information, determined trust states and partial trust states represent particular situations comprised in the reference code. The reference code so comprises or pertains to an individualized situation, which may be used to automatize commands or actions such as an inquiry to start a process, an inquiry for a service or control over a process. Further on, the automated actions may comprise the authorization, initiation of or access to e.g. external services, such as to a cloud service. Further on, the reference code may be directly used to control or initiate a number of processes, or to access or provide a service, such as a process in a cloud entity.
Figure 3 shows a flow diagram of one feasible embodiment for the method in accordance with the present invention.
At 302, referring to the initial state of the method the device performing the method is configured. The configuration comprises at least determining the comparison data and decision logic. Additionally, the device and/or entity related scanning and monitoring means may be configured. Optionally, also the production of reference code as well as the optional encryption and/or transformation of the reference code are decided.
The configurations, including the comparison data, decision logic, pseudorandomization algorithm, hash function and/or their respective keys may be also retrieved and/or updated for example from and/or according to a database on an external device or entity, such as a cloud computing entity.
At 304, the sensing entity scans and detects present ID values. The devices and/or entities in the coverage area of the sensing entities of the device are either actively or passively scanned and detected. The scanning and detection of devices and/or entities may be done in predetermined intervals or essentially continuously. For example, the device may scan and detect essentially continuously or it may scan a device's or entity's ID value every time a new device or entity appears or disappears from the device's coverage.
At 306, the ID values of the scanned and detected devices are obtained. The obtaining may be done e.g. every time a new ID value is detected.
Optionally additionally, the obtained ID values may be transformed into pseudorandom or hash code.
At 308, the trust state of the devices and/or entities is determined by comparing the obtained ID information (comprising ID values) to a predetermined comparison data in accordance to decision logic.
Additionally, the obtained ID information may be used to update the comparison data comprised in the database.
Additionally, the device may deny the operation and/or authorization of the devices and/or entities, which do not possess the required authenticity.
At 310, the reference code is created. The reference code may comprise essentially the determined trust states of individual devices and/or entities or it may comprise the trust state created collectively by all the devices and/or entities in the device's coverage.
Optionally additionally, the reference code comprises pseudorandom code or hash code.
At 312, the reference code is sent to an external device or entity. The reference code may be sent in a partitioned form using optionally different media or data transfer means. For example, the reference code may be sent with a key for deciphering the reference code on the external device or entity.
At 314, referring to the final state of the method the device may continue scanning and detecting of devices and/or entities in its coverage. Alternatively, the device may be reconfigured or receive commands from an external entity or device.
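The flow of steps 304 to 312 with the optional hash transformation, followed by the check the external entity performs on receipt, as an added example (not code from the application or its applicant). It swaps the plain hash described earlier for a keyed hash (HMAC-SHA256), because a bare hash sent alongside a message can be recomputed by anyone who alters the message; the tag names, key, zone label, decision logic and replay counter are assumptions.

```python
import hashlib
import hmac
import json

# Constructed sample configuration (step 302); all names and values are hypothetical.
COMPARISON_DATA = {"tag-A": "operator", "tag-j": "machine", "tag-001": "serviceman"}
REQUIRED_ROLES = {"operator", "machine"}
DEVICE_KEY = b"constructed-demo-key"  # placeholder for a per-device provisioned secret


def keyed_hash(data: bytes, key: bytes = DEVICE_KEY) -> str:
    """HMAC-SHA256; unlike a bare hash it cannot be recomputed without the key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def determine_trust_state(scanned_ids):
    """Step 308: compare scanned ID values to comparison data per decision logic."""
    entities = {}
    for id_value in sorted(set(scanned_ids)):
        known = id_value in COMPARISON_DATA
        # Step 306 option: report a hash code of the ID instead of the raw value.
        entities[keyed_hash(id_value.encode())[:16]] = "trusted" if known else "distrust"
    roles = {COMPARISON_DATA[i] for i in scanned_ids if i in COMPARISON_DATA}
    # Assumed decision logic: one unauthenticated ID or a missing required
    # role puts the whole coverage area in the distrust state.
    all_known = all(state == "trusted" for state in entities.values())
    collective = "trusted" if all_known and REQUIRED_ROLES <= roles else "distrust"
    return {"collective": collective, "entities": entities}


def create_reference_code(device_id, zone, trust_state, counter):
    """Steps 310-312: serialise the trust state and attach a keyed hash code."""
    payload = json.dumps(
        {"device": device_id, "zone": zone, "counter": counter, "trust": trust_state},
        sort_keys=True, separators=(",", ":"),
    )
    return {"payload": payload, "code": keyed_hash(payload.encode())}


def verify_reference_code(message, last_counter, key=DEVICE_KEY):
    """External entity: recompute the code, compare, then read the trust state."""
    expected = keyed_hash(message["payload"].encode(), key)
    if not hmac.compare_digest(expected, message["code"]):
        return None  # altered in transit or produced without the key
    body = json.loads(message["payload"])
    if body["counter"] <= last_counter:
        return None  # stale or replayed reference code
    return body


def bare_hash_accepts(message):
    """Unkeyed variant for comparison: passes for any payload with a recomputed hash."""
    return hashlib.sha256(message["payload"].encode()).hexdigest() == message["code"]
```

The external entity keeps the last accepted counter per device and acts on the trust state only when `verify_reference_code` returns a body.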
Figure 4 shows a flow diagram of another feasible embodiment for the method in accordance with the present invention.
The items of 402-412 correspond to the items 302-312 of figure 3.
At 414, the reference code may be decomposed or deciphered back to meaningful and device-related sensor value using parallel and/or sequential paths, and/or collected and used for comparison, analysis, controlling, monitoring and/or saved on the external device or entity. The reference code may be also used for collecting diagnostics.
Optionally additionally, the external device or entity may relate the determined trust state information comprised in the reference code with a specific location, such as the scanning and detecting device's physical environment.
The reference code information may be also used to update the database, comprising or constituting at least the comparison data and optionally the decision logic and/or pseudorandomization or hashing algorithms, and/or keys.
At 416, the remote device or entity may provide a command or service preferably essentially automatically based on the reference code, including the information about the trust state. Optionally additionally, the external entity may control to disable, deny the authorization or limit the operation of any of the devices and/or entities, and/or related (industrial) processes, in the device's coverage. For example, devices and/or entities that do not possess the required authenticity may be denied access or operation in the device's physical environment.
The scope of the invention is determined by the attached claims together with the equivalents thereof. The skilled persons will again appreciate the fact that the disclosed embodiments were constructed for illustrative purposes only, and the innovative fulcrum reviewed herein will cover further embodiments, embodiment combinations, variations and equivalents that better suit each particular use case of the invention.
Claims
1. An electronic device 100, 202a, 202b comprising:
-at least one sensing entity 102 configured to scan and obtain ID information, preferably wirelessly, from a number of devices and/or entities,
-connection means 104 configured to at least transmit information towards a number of remote entities 206, optionally a remote server or a cloud computing system, and
-a processing entity 106, arranged to collect ID information via said at least one sensing entity 102, and further on arranged to determine the trust state of said devices and/or entities by comparing said collected ID information to predetermined comparison data according to predetermined decision logic, and further on configured to create a reference code based on the trust state and to send said code, utilizing the connection means 104, to an external entity 206.
2. The device 100, 202a, 202b according to claim 1, wherein the reference code comprises pseudorandom code.
3. The device 100, 202a, 202b according to any preceding claim, wherein the reference code comprises hash code.
4. The device 100, 202a, 202b according to any preceding claim, configured to scan and obtain ID information through receiving it from a tag associated with the device and/or entity of said number.
5. The device 100, 202a, 202b according to any preceding claim, wherein processing entity 106 is arranged to execute responsive device or process, optionally industrial process, control according to the trust state.
6. The device 100, 202a, 202b according to any preceding claim, wherein the device 100, 202a, 202b is arranged to connect and/or send information, such as the code, to or receive information from, an external server or a cloud.
7. The device 100, 202a, 202b according to any preceding claim, wherein the device 100, 202a, 202b is arranged to send the reference code at least partially as SMS or MMS and/or via data network.
8. The device 100, 202a, 202b according to any preceding claim, wherein the processing entity 106 is arranged to signal and/or communicate whenever a trust state is too low, impossible to solve and/or a non-authenticated set of ID information is detected, to command or request control, adjustment or disablement of the operation or authorization of the devices and/or entities.
9. The device 100, 202a, 202b according to any preceding claim, wherein a sensing entity 102 comprises at least one reader device, optionally comprising wireless scanning and/or data collection means.
10. The device 100, 202a, 202b according to any preceding claim, wherein the connection means 104 is further configured to receive information from remote devices.
11. A system comprising a number of electronic devices 100, 202a, 202b of any preceding claim, further comprising at least one remote entity 206 configured to receive information including reference codes from the electronic devices 100, 202a, 202b.
12. The system of claim 11, wherein the remote entity 206 is configured to relate the determined trust state comprised in the reference code to a physical environment, area, zone or space, 204 covered by the electronic device 100, 202a, 202b.
13. The system of any of claims 11-12, wherein the remote entity 206 is configured to relate said reference code with individual devices and/or entities, optionally in relation to a physical environment 204 or device or entity location.
14. The system of any of claims 11-13, wherein the remote entity 206 is configured to execute responsive process control and/or adjust the operation of the devices and/or entities according to the trust state comprised in the reference code.
15. The system of any of claims 11-14, wherein the remote entity 206 is configured to control the operation of the electronic devices 100, 202a, 202b.
16. The system of any of claims 11-15, wherein the remote entity 206 comprises a database wherein comparison data and/or decision logic are stored, and optionally the means to create and/or update the decision logic and/or comparison data, and/or allocate the decision logic and/or comparison data to the electronic devices 100, 202a, 202b.
17. The system of any of claims 11-16, wherein the system comprises a decoder to at least partially decode or decipher the reference code.
18. The system of any of claims 11-17, configured to forward said received information or control access to or operation of a digital service, optionally cloud computing service, based thereon.
19. A method for carrying out authentication utilizing an electronic device, comprising:
-scanning and detecting ID values 304, 404 of devices and/or entities in a physical environment,
-obtaining ID information 306, 406 from said devices and/or entities,
-determining a trust state 308, 408 by comparing the collected ID information to predetermined comparison data according to predetermined decision logic,
-creating a reference code of the determined trust state 310, 410, and
-sending said code to an external device or entity 312, 412.
20. The method according to claim 19, wherein the determined trust information is written into pseudorandom code.
21. The method according to claims 19-20, comprising further on the aspect of relating the determined trust state information with a specific physical environment.
22. A computer program product embodied in a non-transitory computer readable medium, comprising computer code for causing the computer to execute the method items of claim 19.
23. The computer program product of claim 22, further comprising a decoder to decipher or decode the reference code.
Applications Claiming Priority (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| FI20145878 | 2014-10-07 | ||
Publications (1)
| Publication Number | Publication Date |
|---|---|
| WO2016055697A1 (en) | 2016-04-14 |
Family
ID=54478050
Family Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| PCT/FI2015/050665 Ceased WO2016055697A1 (en) | 2014-10-07 | 2015-10-06 | Local trust creation and verification device |
Country Status (1)
| Country | Link |
|---|---|
| WO (1) | WO2016055697A1 (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| EP3273379A1 (en) * | 2016-07-18 | 2018-01-24 | DinBox Sverige AB | Identification authentication method and system |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US6038666A (en) * | 1997-12-22 | 2000-03-14 | Trw Inc. | Remote identity verification technique using a personal identification device |
| US20030208386A1 (en) * | 2000-02-25 | 2003-11-06 | Rayner Brondrup | Wireless reservation, check-in, access control, check-out and payment |
| US20090282258A1 (en) * | 2006-09-12 | 2009-11-12 | Microlatch Pty Ltd. | Password generator |
| US20100253470A1 (en) * | 2007-10-22 | 2010-10-07 | Microlatch Pty Ltd | Transmitter For Transmitting A Secure Access Signal |
| US20120311343A1 (en) * | 2003-08-13 | 2012-12-06 | Securicom (NSW) Pty Ltd. | Remote entry system |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 15791324; Country of ref document: EP; Kind code of ref document: A1 |
| | NENP | Non-entry into the national phase | Ref country code: DE |
| | 122 | Ep: pct application non-entry in european phase | Ref document number: 15791324; Country of ref document: EP; Kind code of ref document: A1 |