WO2001072012A2 - System and method for inexpensively providing security and authentication over a communications channel - Google Patents


Info

Publication number
WO2001072012A2
Authority
WO
WIPO (PCT)
Prior art keywords
authentication value
authentication
storage device
arrangement
input
Application number
PCT/US2001/009296
Other languages
French (fr)
Other versions
WO2001072012A3 (en)
Inventor
Stephen R. Hanna
Erik A. Guttman
Radia L. Perlman
Joseph E. Provino
Original Assignee
Sun Microsystems, Inc.
Application filed by Sun Microsystems, Inc.
Priority to AU2001249374A
Publication of WO2001072012A2
Publication of WO2001072012A3

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0442 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0853 Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Definitions

  • the invention relates generally to the field of digital communications, and more specifically to systems and methods for inexpensively facilitating security and authentication in connection with communications among devices in a network.
  • a remote control system has been developed primarily for household use, including switching devices and remote control devices which can facilitate turning electrical devices such as lamps and appliances on and off remotely.
  • a switching device is plugged into an electrical outlet and the lamp or appliance to be controlled is plugged into the switching device.
  • a device controller is also plugged into a wall outlet and may be manipulated by an operator, enabled by an internal clock at selected times, or the like, to transmit a message through the wiring to the switching device to enable the switch to open or close.
  • the lamp's or appliance's own switch is normally maintained in a continually closed condition, in which case the system's switching device controls the on or off condition of the lamp or appliance.
  • multiple switching devices can be controlled from a single remote control device by providing each switching device with a device address, and messages provided by the remote control device would include the device address of the switching device whose switch was to open or close.
  • the system also accommodates use in multiple households by providing for a "household address" which is also transmitted with each message; if the household addresses differ as among proximate households, a plurality of households can use the system concurrently.
  • Remote control systems such as those described above generally provide a simple and effective arrangement for controlling simple devices, such as the simple on/off switching devices as described above.
  • communications are generally relatively insecure. While that may not be a significant problem in connection with, for example, control of lamps (although it may be desirable to prevent unauthorized remote control of even lamps for a number of reasons), it is preferable to provide a degree of security in connection with remote control of a number of types of devices, such as, for example, household security systems.
  • secure communications is very desirable in connection with communications facilitating remote control of devices in office or industrial environments.
  • a problem is privacy, so that, if information to be transferred from a source device to a destination device over the communication channel is intercepted by a third device, the intercepting device cannot determine what the actual information is.
  • a second problem is tamper detection, so that, if information transferred from the source device to the destination device has been intercepted and tampered with by a third device, the tampering can be detected.
  • a final problem is to ensure that information received by the destination device is "authentic," that is, that, if the information indicates that it has been transmitted by the source device, it (that is, the information) has actually been transmitted by the source device and not by a third device.
  • the invention provides a new and improved system and method for inexpensively facilitating security and authentication in connection with communications among devices in a network.
  • the invention provides an inexpensive arrangement for providing an authentication value, which is associated with a controllable device, to a device controller which can control the device over a communication link using a selected communication methodology that facilitates authentication of messages transmitted therebetween. Message authentication is facilitated by the authentication value associated with the device.
  • the arrangement includes an authentication value storage device and, in connection with the device controller, an authentication value input.
  • the authentication value storage device is configured to store the authentication value separate and apart from the device.
  • the authentication value input is configured to receive the authentication value and facilitate use by the device controller in connection with communications with the device.
  • a number of illustrative authentication value storage devices and corresponding authentication value inputs are described herein including tamper evident forms on which the authentication value is printed in alphanumeric, bar code or other appropriate forms and in those cases the authentication value input is in the form of a keypad which an operator can use to input the authentication value, a bar code reader for reading the bar code, or the like.
  • Other illustrative authentication value storage devices include, for example, smart or other cards in which the authentication value is stored in electronic, magnetic or other form, and the authentication value input is in the form of a smart card reader, magnetic strip reader or the like for retrieving the authentication value from the storage device.
  • Authentication values can also be stored in, for example, an external database and retrieved over a network.
  • FIG. 1 schematically depicts a system 10 for inexpensively facilitating security and authentication in connection with communications among devices in a network, constructed in accordance with the invention.
  • FIG. 2 is a flow chart depicting operations performed by the system 10 in connection with the invention.
  • FIG. 1 schematically depicts an illustrative system 10 for inexpensively facilitating security and authentication in connection with communications among devices in a network, constructed in accordance with the invention.
  • the system 10 includes a plurality of devices 11(1) through 11(N) (generally identified by reference numeral 11(n)) and a device controller 12, all interconnected by a communications arrangement 13.
  • the devices 11(n) are all of a type which are controllable by information provided by the device controller 12.
  • System 10 may be used in a variety of environments, including household environments, office environments, industrial environments and the like to facilitate control of a variety of apparatus normally found in the respective environments.
  • devices 11(n) may control, for example, lamps, appliances, entertainment systems, heating and cooling systems, security systems, communication systems, transport systems, or any other device, apparatus, or system, however configured, that may be controlled directly or indirectly, with each apparatus controlled by a respective device 11(n) being identified by reference numeral 14(n).
  • the devices 11(n) may, under control of the device controller 12, control the on or off condition of the lamps and their illumination levels.
  • the devices 11(n) may, under control of the device controller 12, control the on or off condition of the respective system components, the programming to be played or recorded, the display brightness and sound volume during play, or other controllable functions.
  • the devices 11(n) may, under control of the device controller 12, adjust the amount of heating or cooling provided in relation to interior and exterior temperature, the level of insolation of the household, the time of day, the presence of household members in particular rooms and the like.
  • some heating and cooling systems also include humidification control apparatus, and for such systems, the devices can provide for adjustment of the humidity level in the household, typically providing for an increase in the humidity level while heating and a reduction in the humidity level during cooling.
  • Ones of devices 11(n) may also connect to sensors (also not separately shown) for sensing the interior and exterior temperature, humidity level, insolation levels, and other information used by the device controller 12 in determining how to control the devices 11(n) to provide desired levels of heating, cooling and humidity, and, on request from the device controller 12, transmit the information to the device controller 12.
  • the devices 11(n) may, under control of the device controller, control the interior temperature of refrigeration and freezing compartments of refrigerators (not separately shown), turn a cooking oven (also not shown) on and off at particular times, and control the interior temperature to provide for unattended cooking, and the like.
  • Ones of devices 11(n) may also connect to sensors (also not separately shown) for sensing the interior temperature of the refrigerator compartments, oven and the like, and other information used by the device controller 12 in determining how to control the devices 11(n) to provide desired levels of heating and cooling and, on request from the device controller 12, transmit the information to the device controller 12.
  • the devices 11(n) may, for example, lock and unlock and open and close doors and windows, arm or disarm the system at particular times, control sensors and security cameras, actuate alarms, initiate calls to the police or a central monitoring office, and the like.
  • devices 11(n) under control of the device controller 12 can, in connection with outgoing calls, operate to dial a telephone, adjust the handset or speaker volume, control playback of previously-recorded messages, and the like, and, in connection with incoming calls, answer the call, record a message for later retrieval and the like.
  • devices 11(n), under control of the device controller 12, can control movement of the wheelchairs, elevators and the like.
  • An office or industrial environment may include many types of controllable systems similar to those described above in connection with a household environment.
  • such environments can include, for example, robotic systems, automatic loading and unloading systems such as fork lifts, conveyor systems, industrial process systems and the like, all of which can be controlled by devices 11(n) remotely under control of a device controller 12.
  • the communication arrangement 13 may be any type of arrangement or collection of arrangements for efficiently transferring information between the device controller 12, on the one hand, and the devices 11(n), on the other hand.
  • Illustrative arrangements include, for example, household wiring, local area network arrangements such as an Ethernet, electromagnetic links such as radio transmission, infrared links or the like.
  • the devices 11(n) and device controller 12 communicate by means of messages transmitted over the communication arrangement 13.
  • the device controller 12 can transmit control messages to the devices 11(n) to enable them to actuate and otherwise control the household, office or industrial systems to be controlled by system 10.
  • the device controller 12 can transmit messages to those devices 11(n) to enable them to transmit the information to the device controller 12; those devices 11(n), in turn, transmit information to the device controller 12 in messages over the communication arrangement 13.
  • the invention provides an inexpensive arrangement by which the devices 11(n) and device controller 12 can at least authenticate messages transmitted therebetween.
  • the invention provides a number of mechanisms by which the device controller 12 and each device 11(n) can inexpensively establish a shared secret, in the form of an authentication value, between them, which can be used in authentication of messages transmitted therebetween, while reducing the likelihood that a third party will intercept the authentication value or, if a third party does intercept the authentication value, increasing the likelihood that such interception will be evident to an entity which maintains one or both of the device controller 12 and device 11(n).
  • an authentication value is stored on the device 11(n) which the device 11(n) can use in generating messages which the device 11(n) transmits to the device controller 12.
  • the invention provides several arrangements whereby the device controller 12 is notified of the authentication value, which the device controller 12 can use in authenticating messages received from the device 11(n), and which the device controller 12 can further use in generating messages which the device controller 12 transmits to the device 11(n).
  • the device 11(n), after it receives a message from the device controller 12, can also use the authentication value in authenticating the received message.
  • the device 11(n) can use a hash function as described above to generate a hash value from the information to be transmitted and the authentication value, and include that hash value in the message.
  • the device 11(n) can use the same hash function on the information in the received message and the authentication value to generate a hash value, which it compares to the hash value in the message. If the generated hash value corresponds to the hash value in the message, the device 11(n) can determine that the message is authentic and that it is unlikely to have been tampered with.
  • the device controller 12 can perform similar operations in connection with messages to be transmitted to the device 11(n) and in connection with authenticating messages received from the device 11(n).
  • the authentication value need not be a globally unique value, but it is preferably one of a large enough number of globally unique values that it is unlikely that someone will be able to guess the value within a reasonable amount of time. Since the authentication values are used to authenticate messages transmitted between the device controller 12 and respective devices 11(n), but not as addresses for the devices 11(n), it is not necessary to have different authentication values for different devices 11(n) in the system 10.
  • the invention provides mechanisms by which the device controller 12 and each device 11(n) can inexpensively establish the authentication value between them, while reducing the likelihood that a third party will intercept the authentication value or, if a third party does intercept the authentication value, increasing the likelihood that such interception will be evident to an entity which maintains one or both of the device controller 12 and device 11(n). Since, as noted above, the authentication value is generally stored on the respective device 11(n) during the manufacturing process, it will be necessary to notify the device controller 12 of the authentication value for the respective device.
  • the authentication value is also provided to, for example, the purchaser of the device 11(n) when the device is purchased, in a manner such that the authentication value will not be revealed to another or, if it is, the fact that it has been revealed to another will be evident.
  • the authentication value can be provided on or in a carrier device 15 that has been sealed in tamper-evident packaging 16, that is, packaging for which, if the packaging 16 is opened or otherwise tampered with, the tampering will be apparent.
  • the authentication value carrier device 15 may comprise a printed form, and in that case the device controller 12 is provided with a keypad which the purchaser can use to input the authentication value after unsealing the form.
  • the authentication value can be printed in barcode form, also on a tamper-evident sealed form, and in that case the device controller 12 can be provided with a barcode reader to read the barcode after the operator unseals the form.
  • the authentication value can be stored in electronic, magnetic or optical form on an authentication value carrier device 15 in the form of a storage or memory card, smart card or similar device, and in that case the device controller 12 can be provided with or communicatively coupled to a storage card reader to read the storage card or a smart card reader to read the smart card.
  • the storage or smart card will be packaged in tamper-evident packaging. If a smart card is used, instead of or in addition to use of tamper-evident packaging, the smart card can also be programmed to provide the authentication value only once; in that case, a previous retrieval of the authentication value will be evident and any subsequent attempts to obtain the authentication value will be refused.
  • the storage or smart card may also be used as the authentication value store for the device 11(n), and can be plugged into an appropriate receptacle on the device 11(n) for use by the device 11(n) after the authentication value has been provided to the device controller 12.
  • the device 11(n) can transmit the authentication value over a dedicated wire or an infrared link, which may also be used as part of the communication arrangement 13. If an infrared link is used, the purchaser can hold an infrared transmitter on the device 11(n) proximate an infrared receiver on the device controller 12 while the device 11(n) communicates the authentication value to the device controller 12; during that operation, the space between the transmitter and receiver can be shielded from prying by third parties.
  • the operation of providing the device controller 12 with the authentication value for a device 11(n) as described above can occur during, for example, a set-up procedure during which information such as the fact that a new device 11(n) is being added to the system 10 is provided to the device controller 12; information as to the nature and capabilities of device 11(n) can also be provided to the device controller 12 during that procedure.
  • communication protocol information useful in identifying the communication protocol which is used by the device 11(n) can also be provided to the device controller 12.
  • the device controller 12 can be provided with an address in the system 10 that will be used in addressing messages transmitted to the device 11(n), and if necessary the device 11(n) is notified of an address of device controller 12 which the device 11(n) can use in addressing messages transmitted to the device controller 12.
  • the information may be provided during the set-up procedure directly by the device 11(n), or it can be determined by device controller 12 from an internal database which it maintains. Alternatively, the information can be determined by the device controller from an external database over, for example, an external communication link which may include, for example, a public network such as the Internet, the public switched telephony network (PSTN), a cable connection, a private network, or any other data communication arrangement which will enable the device controller 12 to download information from the external database. If the device controller 12 is so connected to an external communication link, the authentication value can also be retrieved by the device controller 12.
  • PSTN: public switched telephony network
  • the authentication value can be provided in encrypted form, using a public encryption key maintained for the device controller 12; after the device controller 12 receives the encrypted authentication value, it can decrypt it using a private decryption key associated with its public encryption key.
  • the device controller 12 can use, as an identifier for the device 11(n) whose authentication value is to be retrieved, a unique identifier such as a combination of information such as a manufacturer identifier, model number, a serial number, date of manufacture, and the like, and a secret pass code that allows the device controller to retrieve the authentication value.
  • the external database can be configured to provide the authentication value only once; in that case, a previous retrieval of the authentication value will be evident and any subsequent attempts to obtain the authentication value will be refused.
  • the device controller 12 and devices 11(n) will be described in more detail in connection with FIG. 1.
  • the device controller 12 includes an authentication value database 20, a control program store 21, a device control information database 22, a communication interface 23, an authentication value input interface 24, and an operator terminal 25, all under control of a control module 26.
  • the device controller 12 is also provided with an external communications link connection, identified by reference numeral 27, which may be a connection to the external communication link as described above.
  • the communication interface 23 connects to the communication arrangement 13 and transmits messages to devices 11(n) thereover to facilitate control of the respective devices.
  • the communication interface 23, over communication arrangement 13, also receives messages from devices 11(n) containing, for example, status information relating to the operation of the devices 11(n) or the respective device controlled thereby.
  • the operator terminal 25 provides an interface, such as a keypad, through which an operator, such as a purchaser, owner, or other authorized individual or entity, can input information to the device controller 12 to facilitate control of the system 10. For example, an operator can use the operator terminal 25 to turn the device controller 12 on and off, and to notify the device controller 12 when a device 11(n) is added to the system 10 or removed from the system 10. In addition, the operator can use the operator terminal 25 to input and modify operational parameters which the device controller 12 can use in controlling the devices 11(n).
  • the external communications link connection 27 enables the device controller to communicate over an external communication link 30 to upload information to an external information user 31 and/or to download information from an external database 32.
  • Uploaded information may, if the device controller 12 is illustratively used in connection with a security system, include information as to the status of the security system, such as its maintenance status, alarm status, and the like, which may, for example, be used in scheduling system maintenance, reporting that an alarm has been triggered, and so forth.
  • Downloaded information may include, for example, device characteristics of a device 11(n), the authentication value for the device 11(n), and any other information that the external database 32 may contain for the device 11(n) and which the device controller 12 requests to be downloaded.
  • the authentication value input interface 24 provides an interface through which authentication values for the respective devices can be provided to the device controller 12.
  • illustrative authentication value input interfaces 24 include, for example, barcode readers, smart card readers, dedicated wires, infrared ports and the like which can, in the case of barcode or smart card readers, read bar codes or smart cards, and, in the case of infrared ports, receive information transmitted over infrared beams, thereby to accommodate provision of authentication values to the device controller using barcodes, smart cards, dedicated wires, and infrared transmission.
  • if an operator is to enter an authentication value for a device 11(n) manually, which may be the case if, for example, the authentication value is provided in textual form on a sealed paper, he or she may enter the authentication value using the operator interface 25.
  • the authentication database 20 stores authentication values that have been provided to the device controller 12, either through the authentication value input interface 24, operator interface 25, or the external communications link connection 27.
  • the authentication database 20 can store the authentication values in either plaintext form or encrypted form.
  • the control module 26 controls the device controller 12 and generates messages for transmission to the devices 11(n) under control of a control program stored in the control program store 21 and information in the device control information database 22.
  • the device control information database 22 stores information for each device 11(n) connected in the system 10, which may include, for example, device characteristic information identifying the type of device 11(n), characteristics of the apparatus controlled by the device 11(n), communication parameters and protocol information, and other information that the device controller 12 may find useful in communicating with and otherwise controlling the device 11(n).
  • the device control information stored in database 22 includes apparatus control information that indicates, for example, when to enable the device 11(n) that controls the respective apparatus to turn the apparatus on or off, settings to be used when the apparatus is on, and so forth.
  • the device characteristic information stored in the device control information database 22 may be provided when the device controller 12 is manufactured. Alternatively or in addition, device characteristic information stored in the device control information database 22 may be provided by the operator or device 11(n) during the set-up procedure, or it may be retrieved from the external database 32 during the set-up procedure or on a periodic basis.
  • portions of the control program stored in the control program store 21 that are specific to a particular type of device 11(n), or device controlled by device 11(n), may be similarly provided or retrieved during the set-up procedure or periodically thereafter.
  • Initial apparatus control information may be stored in the device control information database 22 during the set-up procedure, and may be updated by the operator as appropriate thereafter when the operator wishes to change when the system turns the apparatus on or off, settings to be used when the apparatus is on, and so forth.
  • Each device 11(n) includes an authentication value store 30, a communication interface 31, an apparatus interface 32 and a control module 33.
  • the communication interface 31 connects to the communication arrangement 13 and receives messages transmitted thereto by device controller 12 to facilitate control of the device 11(n).
  • the communication interface 31, over communication arrangement 13, also transmits messages to device controller 12 containing, for example, status information relating to the operation of the device 11(n) or the respective apparatus controlled thereby.
  • the authentication value store 30 stores the authentication value that is associated with the device 11(n).
  • the authentication value store 30 may be any of a number of types of components, including any component for storing digital data in a non-volatile manner, including a built-in read-only memory, flash memory, or electrically-erasable programmable read-only memory.
  • the authentication value store 30 may comprise a smart card removably mounted in a socket; in that case, the smart card 30 may be removed from the device 11(n) and used during the set-up procedure to provide the authentication value to the device controller 12 and thereafter re-inserted in the socket.
  • the control module 33 controls the device 11(n). In that operation, the control module 33, in response to authenticated messages from the device controller 12, can enable the apparatus interface to generate control signals for controlling the operation of the apparatus and/or to determine the status condition of apparatus and generate status messages for transmission through the communication interface 31 and over the communication arrangement 13 to the device controller 12.
  • in generating messages for transmission to a device 11(n), the device controller 12, and in particular its control module 26, generates a hash value for the information to be transmitted in the message and the authentication value for the device 11(n) as stored in authentication value database 20.
  • the device 11(n), and in particular its control module 33, after the message is received, can generate a hash value also using the information and the authentication value which it has stored in its authentication value store 30 and compare the hash value in the message to the hash value which it has generated, thereby to authenticate the message. If the control module 33 determines that the hash value in the message corresponds to the generated hash value, then the control module 33 will utilize the message in its operations.
  • if control module 33 determines that the hash value in the message does not correspond to the generated hash value, then the control module 33 will ignore the message. In addition, the control module 33 may notify the device controller 12 that it has received a message which contained a hash value which did not correspond to the generated hash value.
  • in generating messages for transmission to device controller 12, the device 11(n), and in particular its control module 33, generates a hash value for the information to be transmitted in the message and the authentication value for the device 11(n) as stored in its authentication value store 30.
  • the device controller 12, and in particular its control module 26, after the message is received, can generate a hash value also using the information and the authentication value for the device 11(n) as stored in the authentication value database 20, and compare the hash value in the message to the generated hash value, thereby to authenticate the message. If the control module 26 determines that the hash value in the message corresponds to the generated hash value, then the control module 26 will utilize the message in its operations.
  • if control module 26 determines that the hash value in the message does not correspond to the generated hash value, then the control module 26 will ignore the message. In addition, the control module 26 may log the fact that it has received a message which contained a hash value which did not correspond to the generated hash value.
  • Portions of the messages transmitted by both the device l l(n) and device controller 12, including the hash value, may be in encrypted form to provide a degree of privacy.
  • the control module 33 or 26 of the device 11 (n) or device controller 12 which generates the message will encrypt the portions to be encrypted using either the symmetric key or the public encryption key of the device 1 l(n) or device controller 12 that is to receive the message.
  • the control module 26 or 33 of the device controller 12 or device 1 l(n) which receives the message can use its symmetric key or private decryption key to decrypt the encrypted portions of the message for use in the comparison.
  • the symmetric keys or public encryption keys may be provided by the device l l(n) and device controller 12 to each other during the set-up procedure and, if symmetric key encryption is to be used, some or all of the authentication value itself may comprise the symmetric key.
  • the operator may perform selected operations in connection with the device 1 l(n), including, for example, refusing to purchase the device l l(n) associated therewith if it has not been purchased, or returning it, discarding it, or other operations.
  • he or she may utilize the device 1 l(n) in the system 10 with knowledge that the packaging has been tampered with. Similar operations may be performed if, for example, the authentication value is retrieved from an external database 52.
  • FIG. 2 is a flow chart depicting operations performed by the system 10 in connection with the invention, in particular, in connection with an embodiment in which the authentication value carrier device 15 is a printed form and the operator is to enter the authentication value using an operator terminal in the form of a keyboard. Operations performed in which another form of authentication value carrier device 15 is used will be evident to those skilled in the art. The operations depicted on FIG. 2 will be apparent to those skilled in the art from the above description and so FIG. 2 will not be further describe ⁇ herein.
  • the invention provides a number of advantages.
  • the invention provides an inexpensive mechanism by which one device, such as a device controller 12, can be provided with a secret authentication value associated with another device, such as a device 1 l(n) to be controlled by the device controller, for use in authenticating communications therebetween.
  • the operator terminal 25 has been described as including a mechanism, such as a keypad, which an operator may use to input information to the device controller 12, it will be appreciated that other types of mechanisms may be used.
  • the operator terminal 25 can also include a display for displaying information to the operator.
  • the displayed information may include the information input by the operator to the device interface 12, thereby to provide visual feedback to the operator of the information that the operator is inputting.
  • the information may also include status information indicating the status condition of the device controller 12, the various devices 1 l(n), the apparatus controlled by the devices 1 l(n), and the like.
  • the device controller 12 can periodically update the authentication value to ensure against tampering. In that case, the device controller 12 can transmit an authentication value update message to the device l l(n) including an updated authentication value. It will be appreciated that the updated authentication value in the message is preferably in encrypted form to protect against interception by third parties.
  • the operator terminal 25 is depicted as forming part of the device controller 12, it will be appreciated that, instead or in addition, an operator terminal (not shown) may be remote from the device controller 12 and communicate with the device controller over a communication link (not shown).
  • a remote operator terminal may comprise, for example, a personal computer (not shown) which can communicate with the device controller 12 to facilitate operations such as those described above in connection with operator terminal 25.
  • the device controller 12 and remote operator terminal can use conventional authentication mechanisms such as passwords to provide authentication for messages transmitted during a session.
  • communications between the device controller 12 and the remote operator terminal may be encrypted using any encryption methodology.
  • the authentication value input interface 24 may form part of the device controller 12, or it may be remote therefrom and in communication therewith to facilitate providing the authentication value thereto.
  • a system in accordance with the invention can be constructed in whole or in part from special purpose hardware or a general purpose computer system, or any combination thereof, any portion of which may be controlled by a suitable program.
  • Any program may in whole or in part comprise part of or be stored on the system in a conventional manner, or it may in whole or in part be provided in to the system over a network or other mechamsm for transferring information in a conventional manner.
  • the system may be operated and/or otherwise controlled by means of information provided by an operator using operator input elements (not shown) which may be connected directly to the system or which may transfer the information to the system over a network or other mechanism for transferring information in a conventional manner.
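The authentication value update message listed above (the device controller 12 periodically sends an updated value, preferably in encrypted form), as an added Go example that is not part of the patent or of any Sun Microsystems code. The updated value is encrypted with AES-GCM under a key derived from the current authentication value (hashing the value down to a 32-byte key and the AES-GCM choice are assumptions; the patent only says some or all of the authentication value may serve as the symmetric key), the message carries an HMAC-SHA256 hash value generated with the current value (the keyed-hash construction assumed throughout), and the device installs the new value only after the hash corresponds and decryption succeeds. All authentication values are constructed samples.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// UpdateMessage carries the updated authentication value in encrypted form,
// plus a hash value generated with the current authentication value so the
// device 11(n) can authenticate the update before installing it.
type UpdateMessage struct {
	Nonce      []byte
	Ciphertext []byte
	Hash       []byte
}

// keyedHash is the assumed keyed-hash construction (HMAC-SHA256) over the
// message contents and the current authentication value.
func keyedHash(authValue, nonce, ciphertext []byte) []byte {
	m := hmac.New(sha256.New, authValue)
	m.Write(nonce)
	m.Write(ciphertext)
	return m.Sum(nil)
}

// newGCM derives the symmetric key from the authentication value (hashing it
// to a 32-byte AES key is an assumption; the patent lets some or all of the
// value itself serve as the symmetric key) and returns an AES-GCM instance.
func newGCM(authValue []byte) (cipher.AEAD, error) {
	key := sha256.Sum256(authValue)
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// BuildUpdate is run by the device controller 12: it encrypts the updated
// value under the current value and authenticates the result.
func BuildUpdate(current, updated []byte) (UpdateMessage, error) {
	gcm, err := newGCM(current)
	if err != nil {
		return UpdateMessage{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return UpdateMessage{}, err
	}
	ct := gcm.Seal(nil, nonce, updated, nil)
	return UpdateMessage{Nonce: nonce, Ciphertext: ct, Hash: keyedHash(current, nonce, ct)}, nil
}

var ErrNotAuthenticated = errors.New("update ignored: hash value does not correspond")

// ApplyUpdate is run by the device 11(n): it authenticates the message with the
// value in its authentication value store, decrypts the updated value and
// returns it as the new store contents; on any failure the store is unchanged.
func ApplyUpdate(store []byte, m UpdateMessage) ([]byte, error) {
	if !hmac.Equal(keyedHash(store, m.Nonce, m.Ciphertext), m.Hash) {
		return store, ErrNotAuthenticated
	}
	gcm, err := newGCM(store)
	if err != nil {
		return store, err
	}
	updated, err := gcm.Open(nil, m.Nonce, m.Ciphertext, nil)
	if err != nil {
		return store, err
	}
	return updated, nil
}

// Demo rotates a constructed sample value once, then shows that an update built
// under a value the device no longer holds is ignored.
func Demo() (rotated, staleIgnored bool, err error) {
	old, next := []byte("sample-auth-value-0001"), []byte("sample-auth-value-0002")
	msg, err := BuildUpdate(old, next)
	if err != nil {
		return false, false, err
	}
	store, err := ApplyUpdate(old, msg)
	if err != nil {
		return false, false, err
	}
	rotated = bytes.Equal(store, next)

	stale, err := BuildUpdate(old, []byte("sample-auth-value-0003"))
	if err != nil {
		return rotated, false, err
	}
	_, err = ApplyUpdate(store, stale)
	return rotated, errors.Is(err, ErrNotAuthenticated), nil
}

func main() {
	rotated, staleIgnored, err := Demo()
	fmt.Println("rotated:", rotated, "stale update ignored:", staleIgnored, "error:", err)
}
```

The hash is checked before any decryption is attempted, so a message that was altered in transit or generated under a value the device does not hold is dropped without touching the store; the GCM tag then gives a second, independent check on the ciphertext itself.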

Abstract

An inexpensive arrangement is described for providing an authentication value, which is associated with a controllable device, to a device controller which can control the device over a communication link using a selected communication methodology that facilitates authentication and/or encryption of messages transmitted therebetween. Message authentication and/or encryption is facilitated by the authentication value associated with the device. The arrangement includes an authentication value storage device and, in connection with the device controller, an authentication value input. The authentication value storage device is configured to store the authentication value separate and apart from the device. The authentication value input is configured to receive the authentication value and is used by the device controller in connection with communications with the device. A number of illustrative authentication value storage devices and corresponding authentication value inputs are described, including tamper evident forms on which the authentication value is printed in alphanumeric, bar code or other appropriate forms and in those cases the authentication value input is in the form of a keypad which an operator can use to input the authentication value, a bar code reader for reading the bar code, or the like. Other illustrative authentication value storage devices include, for example, smart or other cards in which the authentication value is stored in electronic, magnetic or other form, and the authentication value input is in the form of a smart card reader, magnetic strip reader or the like for retrieving the authentication value from the storage device. Authentication values can also be stored in, for example, an external database and retrieved over a network.

Description

SYSTEM AND METHOD FOR INEXPENSIVELY PROVIDING SECURITY AND AUTHENTICATION OVER A COMMUNICATIONS CHANNEL
FIELD OF THE INVENTION
The invention relates generally to the field of digital communications, and more specifically to systems and methods for inexpensively facilitating security and authentication in connection with communications among devices in a network.
BACKGROUND OF THE INVENTION
A variety of types of systems have been developed for facilitating remote control in a number of types of environments. For example, a remote control system has been developed primarily for household use, including switching devices and remote control devices which can facilitate turning electrical devices such as lamps and appliances on and off remotely. In such a system, a switching device is plugged into an electrical outlet and the lamp or appliance to be controlled is plugged into the switching device. A device controller is also plugged into a wall outlet and may be manipulated by an operator, enabled by an internal clock at selected times, or the like, to transmit a message through the wiring to the switching device to enable the switch to open or close. The lamp's or appliance's own switch is normally maintained in a continually closed condition, in which case the system's switching device controls the on or off condition of the lamp or appliance. In the system, multiple switching devices can be controlled from a single remote control device by providing each switching device with a device address, and messages provided by the remote control device would include the device address of the switching device whose switch was to open or close. The system also accommodates use in multiple households by providing for a "household address" which is also transmitted with each message; if the household addresses differ as among proximate households, a plurality of households can use the system concurrently.
Remote control systems such as those described above generally provide a simple and effective arrangement for controlling simple devices, such as the simple on/off switching devices as described above. However, one problem that arises in connection with such systems is that communications are generally relatively insecure. While that may not be a significant problem in connection with, for example, control of lamps (although it may be desirable to prevent unauthorized remote control of even lamps for a number of reasons), it is preferable to provide a degree of security in connection with remote control of a number of types of devices, such as, for example, household security systems. In addition, secure communications is very desirable in connection with communications facilitating remote control of devices in office or industrial environments.
Several problems have arisen in connection with communication of information between devices over a communication channel. One problem is privacy, so that, if information to be transferred from a source device to a destination device over the communication channel is intercepted by a third device, the intercepting device cannot determine what the actual information is. A second problem is tamper detection, so that, if information transferred from the source device to the destination device has been intercepted and tampered with by a third device, the tampering can be detected. A final problem is to ensure that information received by the destination device is "authentic," that is, that, if the information indicates that it has been transmitted by the source device, it (that is, the information) has actually been transmitted by the source device and not by a third device. These problems are addressed by a number of communication methodologies including, for example, a keyed hash methodology, such as is described in C. Kaufman, et al., Network Security: Private Communication In A Public World (Prentice Hall: 1995) (hereinafter "Kaufman, et al."), section 4.2.2, p. 107, et seq., symmetric key encryption, such as is described in section 3.7.3, p. 91, et seq., of Kaufman, et al., and use of digital signatures, such as is described in section 5.5, p. 152, et seq., of Kaufman, et al.
SUMMARY OF THE INVENTION
The invention provides a new and improved system and method for inexpensively facilitating security and authentication in connection with communications among devices in a network. In brief summary, the invention provides an inexpensive arrangement for providing an authentication value, which is associated with a controllable device, to a device controller which can control the device over a communication link using a selected communication methodology that facilitates authentication of messages transmitted therebetween. Message authentication is facilitated by the authentication value associated with the device. The arrangement includes an authentication value storage device and, in connection with the device controller, an authentication value input. The authentication value storage device is configured to store the authentication value separate and apart from the device. The authentication value input is configured to receive the authentication value and facilitate use by the device controller in connection with communications with the device.
A number of illustrative authentication value storage devices and corresponding authentication value inputs are described herein including tamper evident forms on which the authentication value is printed in alphanumeric, bar code or other appropriate forms and in those cases the authentication value input is in the form of a keypad which an operator can use to input the authentication value, a bar code reader for reading the bar code, or the like. Other illustrative authentication value storage devices include, for example, smart or other cards in which the authentication value is stored in electronic, magnetic or other form, and the authentication value input is in the form of a smart card reader, magnetic strip reader or the like for retrieving the authentication value from the storage device. Authentication values can also be stored in, for example, an external database and retrieved over a network.
BRIEF DESCRIPTION OF THE DRAWINGS
This invention is pointed out with particularity in the appended claims. The above and further advantages of this invention may be better understood by referring to the following description taken in conjunction with the accompanying drawings, in which: FIG. 1 schematically depicts a system 10 for inexpensively facilitating security and authentication in connection with communications among devices in a network, constructed in accordance with the invention; and
FIG. 2 is a flow chart depicting operations performed by the system 10 in connection with the invention.
DETAILED DESCRIPTION OF AN ILLUSTRATIVE EMBODIMENT
FIG. 1 schematically depicts an illustrative system 10 for inexpensively facilitating security and authentication in connection with communications among devices in a network, constructed in accordance with the invention. With reference to FIG. 1, the system 10 includes a plurality of devices 11(1) through 11(N) (generally identified by reference numeral 11(n)) and a device controller 12, all interconnected by a communications arrangement 13. The devices 11(n) are all of a type which are controllable by information provided by the device controller 12. System 10 may be used in a variety of environments, including household environments, office environments, industrial environments and the like to facilitate control of a variety of apparatus normally found in the respective environments.
In a household environment, devices 11(n) may control, for example, lamps, appliances, entertainment systems, heating and cooling systems, security systems, communication systems, transport systems, or any other device, apparatus, or system, however configured, that may be controlled directly or indirectly, with each apparatus controlled by a respective device 11(n) being identified by reference numeral 14(n). For example, in controlling lamps, the devices 11(n) may, under control of the device controller 12, control the on or off condition of the lamps and their illumination levels. In controlling entertainment systems, such as television or radio receivers, prerecorded music or video playback systems, video cassette recorders, and the like, the devices 11(n) may, under control of the device controller 12, control the on or off condition of the respective system components, the programming to be played or recorded, the display brightness and sound volume during play, or other controllable functions.
In controlling heating and cooling systems, the devices 11(n) may, under control of the device controller 12, adjust the amount of heating or cooling provided in relation to interior and exterior temperature, the level of insolation of the household, the time of day, the presence of household members in particular rooms and the like. In addition, some heating and cooling systems also include humidification control apparatus, and for such systems, the devices can provide for adjustment of the humidity level in the household, typically providing for an increase in the humidity level while heating and a reduction in the humidity level during cooling. Ones of devices 11(n) may also connect to sensors (also not separately shown) for sensing the interior and exterior temperature, humidity level, insolation levels, and other information used by the device controller 12 in determining how to control the devices 11(n) to provide desired levels of heating, cooling and humidity, and, on request from the device controller 12, transmit the information to the device controller 12.
In controlling household appliances, the devices 11(n) may, under control of the device controller, control the interior temperature of refrigeration and freezing compartments of refrigerators (not separately shown), turn a cooking oven (also not shown) on and off at particular times, and control the interior temperature to provide for unattended cooking, and the like. Ones of devices 11(n) may also connect to sensors (also not separately shown) for sensing the interior temperature of the refrigerator compartments, oven and the like, and other information used by the device controller 12 in determining how to control the devices 11(n) to provide desired levels of heating and cooling and, on request from the device controller 12, transmit the information to the device controller 12.
In controlling components of a security system, the devices 11(n) may, for example, lock and unlock and open and close doors and windows, arm or disarm the system at particular times, control sensors and security cameras, actuate alarms, initiate calls to the police or a central monitoring office, and the like.
In controlling communication systems, such as telephones and the like, devices 11(n), under control of the device controller 12, can, in connection with outgoing calls, operate to dial a telephone, adjust the handset or speaker volume, control playback of previously-recorded messages, and the like, and, in connection with incoming calls, answer the call, record a message for later retrieval and the like. In controlling transport systems, such as wheelchairs, elevators and the like, devices 11(n), under control of the device controller 12, can control movement of the wheelchairs, elevators and the like.
An office or industrial environment may include many types of controllable systems similar to those described above in connection with a household environment. In addition, such environments can include, for example, robotic systems, automatic loading and unloading systems such as fork lifts, conveyor systems, industrial process systems and the like, all of which can be controlled by devices 11(n) remotely under control of a device controller 12.
The communication arrangement 13 may be any type of arrangement or collection of arrangements for efficiently transferring information between the device controller 12, on the one hand, and the devices 11(n), on the other hand. Illustrative arrangements include, for example, household wiring, local area network arrangements such as an Ethernet, electromagnetic links such as radio transmission, infrared links or the like. In the system 10, the devices 11(n) and device controller 12 communicate by means of messages transmitted over the communication arrangement 13. In particular, the device controller 12 can transmit control messages to the devices 11(n) to enable them to actuate and otherwise control the household, office or industrial systems to be controlled by system 10. In addition, for devices 11(n) connected to sensors which are to provide information used by the device controller 12, the device controller 12 can transmit messages to those devices 11(n) to enable them to transmit the information to the device controller 12; those devices 11(n), in turn, transmit information to the device controller 12 in messages over the communication arrangement 13.
The invention provides an inexpensive arrangement by which the devices 11(n) and device controller 12 can at least authenticate messages transmitted therebetween. In particular, the invention provides a number of mechanisms by which the device controller 12 and each device 11(n) can inexpensively establish a shared secret, in the form of an authentication value, between them, which can be used in authentication of messages transmitted therebetween, while reducing the likelihood that a third party will intercept the authentication value or, if a third party does intercept the authentication value, increasing the likelihood that such interception will be evident to an entity which maintains one or both of the device controller 12 and device 11(n). Generally, when a device 11(n) is being manufactured, an authentication value is stored on the device 11(n) which the device 11(n) can use in generating messages which the device 11(n) transmits to the device controller 12. The invention provides several arrangements whereby the device controller 12 is notified of the authentication value, which the device controller 12 can use in authenticating messages received from the device 11(n), and which the device controller 12 can further use in generating messages which the device controller 12 transmits to the device 11(n). The device 11(n), after it receives a message from the device controller 12, can also use the authentication value in authenticating the received message.
In generating messages for transmission to the device controller 12, the device 11(n) can use a hash function as described above to generate a hash value from the information to be transmitted and the authentication value, and that hash value can be included in the message. In addition, in authenticating messages from the device controller 12, the device 11(n) can use the same hash function with the information in the received message and the authentication value to generate a hash value, which it compares to the hash value in the message. If the generated hash value corresponds to the hash value in the message, the device 11(n) can determine that the message is authentic and that it is unlikely to have been tampered with. The device controller 12 can perform similar operations in connection with messages to be transmitted to the device 11(n) and in connection with authenticating messages received from the device 11(n). The authentication value need not be a globally unique value, but it is preferably one of a large enough number of globally unique values that it is unlikely that someone will be able to guess the value within a reasonable amount of time. Since the authentication values are used to authenticate messages transmitted between the device controller 12 and respective devices 11(n), but not as addresses for the devices 11(n), it is not necessary to have different authentication values for different devices 11(n) in the system 10.
As noted above, the invention provides mechanisms by which the device controller 12 and each device 11(n) can inexpensively establish the authentication value between them, while reducing the likelihood that a third party will intercept the authentication value or, if a third party does intercept the authentication value, increasing the likelihood that such interception will be evident to an entity which maintains one or both of the device controller 12 and device 11(n). Since, as noted above, the authentication value is generally stored on the respective device 11(n) during the manufacturing process, it will be necessary to notify the device controller 12 of the authentication value for the respective device. In one embodiment, the authentication value is also provided to, for example, the purchaser of the device 11(n) when the device is purchased, in a manner such that the authentication value will not be revealed to another or, if it is, the fact that it has been revealed to another will be evident. After the purchaser has been provided with the authentication value and determined that it has not been revealed to another, he or she can load it into the device controller. For example, the authentication value can be provided on or in a carrier device 15 that has been sealed in tamper-evident packaging 16, that is, packaging for which, if the packaging 16 is opened or otherwise tampered with, the tampering will be apparent. For example, the authentication value carrier device 15 may comprise a printed form, and in that case the device controller 12 is provided with a keypad which the purchaser can use to input the authentication value after unsealing the form. Alternatively, the authentication value can be printed in barcode form, also on a tamper-evident sealed form, and in that case the device controller 12 can be provided with a barcode reader to read the barcode after the operator unseals the form.
As a further alternative, the authentication value can be stored in electronic, magnetic or optical form on an authentication value carrier device 15 in the form of a storage or memory card, smart card or similar device, and in that case the device controller 12 can be provided with or communicatively coupled to a storage card reader to read the storage card or a smart card reader to read the smart card. Preferably the storage or smart card will be packaged in tamper-evident packaging. If a smart card is used, instead of or in addition to use of tamper-evident packaging, the smart card can also be programmed to provide the authentication value only once; in that case, a previous retrieval of the authentication value will be evident and any subsequent attempts to obtain the authentication value will be refused. The storage or smart card may also be used as the authentication value store for the device 11(n), and can be plugged into an appropriate receptacle on the device 11(n) for use by the device 11(n) after the authentication value has been provided to the device controller 12.
As yet a further alternative, the device 11(n) can transmit the authentication value over a dedicated wire or an infrared link, which may also be used as part of the communication arrangement 13. If an infrared link is used, the purchaser can hold an infrared transmitter on the device 11(n) proximate an infrared receiver on the device controller 12 while the device 11(n) communicates the authentication value to the device controller 12; during that operation, the space between the transmitter and receiver can be shielded from prying by third parties.
The operation of providing the device controller 12 with the authentication value for a device 11(n) as described above can occur during, for example, a set-up procedure during which information such as the fact that a new device 11(n) is being added to the system 10 is provided to the device controller 12; information as to the nature and capabilities of the device 11(n) can also be provided to the device controller 12 at that time. In addition, communication protocol information useful in identifying the communication protocol which is used by the device 11(n) can also be provided to the device controller 12. Further, the device controller 12 can be provided with an address in the system 10 that will be used in addressing messages transmitted to the device 11(n), and if necessary the device 11(n) is notified of an address of device controller 12 which the device 11(n) can use in addressing messages transmitted to the device controller 12.
The information may be provided during the set-up procedure directly by the device 11(n), or it can be determined by device controller 12 from an internal database which it maintains. Alternatively, the information can be determined by the device controller from an external database over, for example, an external communication link which may include, for example, a public network such as the Internet, the public switched telephony network (PSTN), a cable connection, a private network, or any other data communication arrangement which will enable the device controller 12 to download information from the external database. If the device controller 12 is so connected to an external communication link, the authentication value can also be retrieved by the device controller 12. In that case, preferably the authentication value can be provided in encrypted form, using a public encryption key maintained for the device controller 12; after the device controller 12 receives the encrypted authentication value, it can decrypt it using a private decryption key associated with its public encryption key. The device controller 12 can use, as an identifier for the device 11(n) whose authentication value is to be retrieved, a unique identifier such as a combination of information such as a manufacturer identifier, model number, a serial number, date of manufacture, and the like, and a secret pass code that allows the device controller to retrieve the authentication value. It will be appreciated that, although preferably the authentication value will be provided in encrypted form, other communications between the device controller 12 and external database may, but need not, be in encrypted form. As an alternative to encryption, the external database can be configured to provide the authentication value only once; in that case, a previous retrieval of the authentication value will be evident and any subsequent attempts to obtain the authentication value will be refused.
With this background, the device controller 12 and devices 11(n) will be described in more detail in connection with FIG. 1. Generally, the device controller 12 includes an authentication value database 20, a control program store 21, a device control information database 22, a communication interface 23, an authentication value input interface 24, and an operator terminal 25, all under control of a control module 26. In the following, it will be assumed that the device controller 12 is also provided with an external communications link connection, identified by reference numeral 27, which may be a connection to the external communication link as described above. The communication interface 23 connects to the communication arrangement 13 and transmits messages to devices 11(n) thereover to facilitate control of the respective devices. The communication interface 23, over communication arrangement 13, also receives messages from devices 11(n) containing, for example, status information relating to the operation of the devices 11(n) or the respective device controlled thereby.
The operator terminal 25 provides an interface, such as a keypad, through which an operator, such as a purchaser, owner, or other authorized individual or entity, can input information to the device controller 12 to facilitate control of the system 10. For example, an operator can use the operator terminal 25 to turn the device controller 12 on and off, and to notify the device controller 12 when a device 11(n) is added to the system 10 or removed from the system 10. In addition, the operator can use the operator terminal 25 to input and modify operational parameters which the device controller 12 can use in controlling the devices 11(n).
The external communications link connection 27 enables the device controller to communicate over an external communication link 30 to upload information to an external information user 31 and/or to download information from an external database 32. Uploaded information may, if the device controller 12 is illustratively used in connection with a security system, include information as to the status of the security system, such as its maintenance status, alarm status, and the like, which may, for example, be used in scheduling system maintenance, reporting that an alarm has been triggered, and so forth. Downloaded information may include, for example, device characteristics of a device 11(n), the authentication value for the device 11(n), and any other information that the external database 32 may contain for the device 11(n) and which the device controller 12 requests to be downloaded.
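The keyed-hash exchange described in this paragraph, and itemized earlier for control modules 26 and 33, as an added Go example that is not part of the patent or of any Sun Microsystems code. Both endpoints generate the hash value over the information and the shared authentication value (HMAC-SHA256 is the keyed-hash construction assumed here; the patent only requires a hash over both inputs), the receiver regenerates it and compares in constant time, and a message whose hash does not correspond is ignored and counted so the device can report it to the controller. The authentication values and payloads are constructed samples.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
	"log"
)

// Message is what crosses the communication arrangement 13: the information
// (a control or status payload) and the hash value generated over that
// information with the shared authentication value.
type Message struct {
	Info []byte
	Hash []byte
}

// keyedHash generates the hash value over the information and the
// authentication value. HMAC-SHA256 is the keyed-hash construction assumed
// here; the patent only requires a hash over both inputs.
func keyedHash(authValue, info []byte) []byte {
	m := hmac.New(sha256.New, authValue)
	m.Write(info)
	return m.Sum(nil)
}

// Endpoint models either the device controller 12 (control module 26 with the
// authentication value database 20) or a device 11(n) (control module 33 with
// the authentication value store 30); both sides run the same logic.
type Endpoint struct {
	Name      string
	AuthValue []byte
	Rejected  int // messages ignored because their hash value did not correspond
}

// Send builds a message carrying the information and its hash value.
func (e *Endpoint) Send(info []byte) Message {
	return Message{Info: info, Hash: keyedHash(e.AuthValue, info)}
}

// Receive regenerates the hash over the received information and compares it,
// in constant time, with the hash in the message. A message whose hash does not
// correspond is ignored and counted, so the device can notify the controller
// (or the controller can log the fact) as the description says.
func (e *Endpoint) Receive(m Message) ([]byte, bool) {
	if !hmac.Equal(keyedHash(e.AuthValue, m.Info), m.Hash) {
		e.Rejected++
		log.Printf("%s: ignoring message whose hash value does not correspond", e.Name)
		return nil, false
	}
	return m.Info, true
}

// Demo runs one exchange in each direction, then the two failure modes the
// scheme is meant to catch: information altered in transit, and a message
// generated by a third device that does not hold the authentication value.
// Every value here is a constructed sample.
func Demo() (controlOK, statusOK, tamperedOK, thirdPartyOK bool, deviceRejected int) {
	shared := []byte("sample-auth-value-0001")
	controller := &Endpoint{Name: "device controller 12", AuthValue: shared}
	device := &Endpoint{Name: "device 11(1)", AuthValue: shared}
	third := &Endpoint{Name: "third device", AuthValue: []byte("some-other-value")}

	// Controller -> device control message; device -> controller status message.
	_, controlOK = device.Receive(controller.Send([]byte("LAMP ON")))
	_, statusOK = controller.Receive(device.Send([]byte("STATUS lamp=on")))

	// Information changed after the hash was generated: the hash no longer corresponds.
	m := controller.Send([]byte("LAMP ON"))
	m.Info = []byte("LAMP OFF")
	_, tamperedOK = device.Receive(m)

	// Message from a party that does not hold the authentication value.
	_, thirdPartyOK = device.Receive(third.Send([]byte("LAMP OFF")))

	// The device reports the rejections to the controller in an authenticated message.
	controller.Receive(device.Send([]byte(fmt.Sprintf("REJECTED %d", device.Rejected))))
	return controlOK, statusOK, tamperedOK, thirdPartyOK, device.Rejected
}

func main() {
	c, s, t, p, n := Demo()
	fmt.Printf("control=%v status=%v tampered=%v third-party=%v device rejected=%d\n", c, s, t, p, n)
}
```

The hash binds the information to the authentication value, which is what gives the tamper detection and authenticity the description asks for; it does not by itself bind a message to a point in time, so a deployment that must also reject a previously captured valid message would include a counter or nonce in the hashed information.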
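Retrieval of the authentication value from the external database described in this paragraph, as an added Go example that is not part of the patent or of any Sun Microsystems code. The controller presents the unique identifier (manufacturer, model, serial number, date of manufacture) and the secret pass code; the database returns the value encrypted with the controller's public encryption key (RSA-OAEP with SHA-256 is the assumed public-key scheme, and the OAEP label is an assumption) and is configured to release it only once, the same one-time behaviour the previous paragraph gives the smart card; the controller decrypts with its private key and stores the value in its authentication value database 20. The identifier, pass code and authentication value are constructed samples.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// DeviceID is the unique identifier the controller presents for the device
// whose authentication value is to be retrieved (manufacturer identifier,
// model number, serial number, date of manufacture, as the description lists).
type DeviceID struct {
	Manufacturer, Model, Serial, Date string
}

// dbRecord is one entry of the external database: the secret pass code that
// allows retrieval, the authentication value, and whether it was already
// released (the database is configured to provide the value only once).
type dbRecord struct {
	passCode  []byte
	authValue []byte
	released  bool
}

// ExternalDB models the external database 32 reached over the external link.
type ExternalDB map[DeviceID]*dbRecord

var ErrRefused = errors.New("authentication value retrieval refused")

const oaepLabel = "authentication-value" // assumed OAEP label, not from the patent

// Retrieve checks the identifier and pass code, enforces one-time release, and
// returns the value encrypted with the controller's public encryption key
// (RSA-OAEP with SHA-256 is the public-key scheme assumed here).
func (db ExternalDB) Retrieve(id DeviceID, passCode []byte, pub *rsa.PublicKey) ([]byte, error) {
	rec, ok := db[id]
	if !ok || subtle.ConstantTimeCompare(rec.passCode, passCode) != 1 {
		return nil, ErrRefused // unknown device and wrong pass code are refused alike
	}
	if rec.released {
		return nil, ErrRefused // a previous retrieval is evident; refuse again
	}
	rec.released = true
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, rec.authValue, []byte(oaepLabel))
}

// Controller holds the device controller's key pair and its authentication
// value database 20.
type Controller struct {
	priv   *rsa.PrivateKey
	AuthDB map[DeviceID][]byte
}

// FetchAuthValue downloads the encrypted value, decrypts it with the private
// decryption key and stores it in the authentication value database.
func (c *Controller) FetchAuthValue(db ExternalDB, id DeviceID, passCode []byte) error {
	ct, err := db.Retrieve(id, passCode, &c.priv.PublicKey)
	if err != nil {
		return err
	}
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, c.priv, ct, []byte(oaepLabel))
	if err != nil {
		return err
	}
	c.AuthDB[id] = pt
	return nil
}

// Demo runs the set-up against one constructed database entry: a wrong pass
// code is refused, the first correct retrieval succeeds and stores the value,
// and a second retrieval is refused because the value was already released.
func Demo() (firstOK, wrongCodeRefused, secondRefused bool, err error) {
	id := DeviceID{"ExampleCo", "SW-100", "SN-000123", "2001-03-01"} // constructed sample
	value := []byte("sample-auth-value-0001")                       // constructed sample
	db := ExternalDB{id: {passCode: []byte("sample-pass-code"), authValue: value}}
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, false, err
	}
	ctrl := &Controller{priv: priv, AuthDB: map[DeviceID][]byte{}}
	wrongCodeRefused = errors.Is(ctrl.FetchAuthValue(db, id, []byte("wrong-code")), ErrRefused)
	if err = ctrl.FetchAuthValue(db, id, []byte("sample-pass-code")); err != nil {
		return false, wrongCodeRefused, false, err
	}
	firstOK = bytes.Equal(ctrl.AuthDB[id], value)
	secondRefused = errors.Is(ctrl.FetchAuthValue(db, id, []byte("sample-pass-code")), ErrRefused)
	return firstOK, wrongCodeRefused, secondRefused, nil
}

func main() {
	f, w, s, err := Demo()
	fmt.Println("first:", f, "wrong code refused:", w, "second refused:", s, "error:", err)
}
```

The pass code is checked before the one-time flag is consulted, so a failed attempt with a wrong code does not consume the single release, while an unknown identifier and a wrong code produce the same refusal; the `released` flag is the record that makes a prior retrieval evident, which is the property the description relies on when encryption is not used.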
The authentication value input interface 24 provides an interface through which authentication values for the respective devices can be provided to the device controller 12. As noted above, illustrative authentication value input interfaces 24 include, for example, barcode readers, smart card readers, dedicated wires, infrared ports and the like which can, in the case of barcode or smart card readers, read bar codes or smart cards, in the case of infrared ports, receive information transmitted infrared beams, thereby to accommodate provision of authentication values to the device controller using barcodes, smart cards, dedicated wires, and infrared transmission. It will be appreciated that, if an operator is to enter an authentication value for a device 11 (n) manually, which may be the case if, for example, the authentication value is provided in textual form on a sealed paper, he or she may enter the authentication value using the operator interface 25.
The authentication database 20 stores authentication values that have been provided to the device controller 12, either through the authentication value input interface 24, operator interface 25, or the external communications link connection 27. The authentication database 20 can store the authentication values in either plaintext form or encrypted form.
The control module 26 controls the device controller 12 and generates messages for transmission to the devices 11(n) under control of a control program stored in the control program store 21 and information in the device control information database 22. The device control information database 22 stores information for each device 11(n) connected in the system 10, which may include, for example, device characteristic information identifying the type of device 11(n), characteristics of the apparatus controlled by the device 11(n), communication parameters and protocol information, and other information that the device controller 12 may find useful in communicating with and otherwise controlling the device 11(n). In addition, the device control information stored in database 22 includes apparatus control information that indicates, for example, when to enable the device 11(n) that controls the respective apparatus to turn the apparatus on or off, settings to be used when the apparatus is on, and so forth. The device characteristic information stored in the device control information database 22 may be provided when the device controller 12 is manufactured. Alternatively or in addition, device characteristic information stored in the device control information database 22 may be provided by the operator or device 11(n) during the set-up procedure, or it may be retrieved from the external database 32 during the set-up procedure or on a periodic basis. Similarly, portions of the control program stored in the control program store 21 that are specific to a particular type of device 11(n), or to the apparatus controlled by device 11(n), may be provided or retrieved during the set-up procedure or periodically thereafter.
Initial apparatus control information may be stored in the device control information database 22 during the set-up procedure, and may be updated by the operator as appropriate thereafter when the operator wishes to change when the system turns the apparatus on or off, settings to be used when the apparatus is on, and so forth.
Each device 11(n) includes an authentication value store 30, a communication interface 31, an apparatus interface 32 and a control module 33. The communication interface 31 connects to the communication arrangement 13 and receives messages transmitted thereto by device controller 12 to facilitate control of the device 11(n). The communication interface 31, over communication arrangement 13, also transmits messages to device controller 12 containing, for example, status information relating to the operation of the device 11(n) or the respective apparatus controlled thereby.
The authentication value store 30 stores the authentication value that is associated with the device 11(n). The authentication value store 30 may be any of a number of types of components, including any component for storing digital data in a non-volatile manner, such as a built-in read-only memory, flash memory, or electrically-erasable programmable read-only memory. Alternatively, the authentication value store 30 may comprise a smart card removably mounted in a socket; in that case, the smart card 30 may be removed from the device 11 and used during the set-up procedure to provide the authentication value to the device controller 12 and thereafter re-inserted in the socket.
The control module 33 controls the device 11(n). In that operation, the control module 33, in response to authenticated messages from the device controller 12, can enable the apparatus interface to generate control signals for controlling the operation of the apparatus and/or to determine the status condition of the apparatus and generate status messages for transmission through the communication interface 31 and over the communication arrangement 13 to the device controller 12.
In generating messages for transmission to a device 11(n), the device controller 12, and, in particular, its control module 26, generates a hash value for the information to be transmitted in the message and the authentication value for the device 11(n) as stored in authentication value database 20. The device 11(n), and, in particular, its control module 33, after the message is received, can generate a hash value also using the information and the authentication value which it has stored in its authentication value store 30 and compare the hash value in the message to the hash value which it has generated, thereby to authenticate the message. If the control module 33 determines that the hash value in the message corresponds to the generated hash value, then the control module 33 will utilize the message in its operations. On the other hand, if control module 33 determines that the hash value in the message does not correspond to the generated hash value, then the control module 33 will ignore the message. In addition, the control module 33 may notify the device controller 12 that it has received a message which contained a hash value which did not correspond to the generated hash value.
Similarly, in generating messages for transmission to device controller 12, the device 11(n) and, in particular, its control module 33, generates a hash value for the information to be transmitted in the message and the authentication value for the device 11(n) as stored in its authentication value store 30. The device controller 12, and, in particular, its control module 26, after the message is received, can generate a hash value also using the information and the authentication value for the device 11(n) as stored in the authentication value database 20, and compare the hash value in the message to the generated hash value, thereby to authenticate the message. If the control module 26 determines that the hash value in the message corresponds to the generated hash value, then the control module 26 will utilize the message in its operations. On the other hand, if control module 26 determines that the hash value in the message does not correspond to the generated hash value, then the control module 26 will ignore the message. In addition, the control module 26 may log the fact that it has received a message which contained a hash value which did not correspond to the generated hash value.
Portions of the messages transmitted by both the device 11(n) and device controller 12, including the hash value, may be in encrypted form to provide a degree of privacy. In that case, the control module 33 or 26 of the device 11(n) or device controller 12 which generates the message will encrypt the portions to be encrypted using either the symmetric key or the public encryption key of the device 11(n) or device controller 12 that is to receive the message. The control module 26 or 33 of the device controller 12 or device 11(n) which receives the message can use its symmetric key or private decryption key to decrypt the encrypted portions of the message for use in the comparison. The symmetric keys or public encryption keys may be provided by the device 11(n) and device controller 12 to each other during the set-up procedure and, if symmetric key encryption is to be used, some or all of the authentication value itself may comprise the symmetric key.
If the operator determines that the packaging 16 has been tampered with, he or she may perform selected operations in connection with the device 11(n), including, for example, refusing to purchase the device 11(n) associated therewith if it has not been purchased, or returning it, discarding it, or other operations. Alternatively, he or she may utilize the device 11(n) in the system 10 with knowledge that the packaging has been tampered with. Similar operations may be performed if, for example, the authentication value is retrieved from an external database 52.
FIG. 2 is a flow chart depicting operations performed by the system 10 in connection with the invention, in particular, in connection with an embodiment in which the authentication value carrier device 15 is a printed form and the operator is to enter the authentication value using an operator terminal in the form of a keyboard. Operations performed in which another form of authentication value carrier device 15 is used will be evident to those skilled in the art. The operations depicted on FIG. 2 will be apparent to those skilled in the art from the above description and so FIG. 2 will not be further described herein.
The invention provides a number of advantages. In particular, the invention provides an inexpensive mechanism by which one device, such as a device controller 12, can be provided with a secret authentication value associated with another device, such as a device 11(n) to be controlled by the device controller, for use in authenticating communications therebetween.
It will be appreciated that a number of modifications may be made to the system as described herein. For example, although the operator terminal 25 has been described as including a mechanism, such as a keypad, which an operator may use to input information to the device controller 12, it will be appreciated that other types of mechanisms may be used. In addition, the operator terminal 25 can also include a display for displaying information to the operator. The displayed information may include the information input by the operator to the device interface 12, thereby to provide visual feedback to the operator of the information that the operator is inputting. The information may also include status information indicating the status condition of the device controller 12, the various devices 11(n), the apparatus controlled by the devices 11(n), and the like.
In addition, it will be appreciated that, after the device controller 12 has been provided with a device's authentication value during the set-up procedure, it can periodically update the authentication value to ensure against tampering. In that case, the device controller 12 can transmit an authentication value update message to the device 11(n) including an updated authentication value. It will be appreciated that the updated authentication value in the message is preferably in encrypted form to protect against interception by third parties. Although the operator terminal 25 is depicted as forming part of the device controller 12, it will be appreciated that, instead or in addition, an operator terminal (not shown) may be remote from the device controller 12 and communicate with the device controller over a communication link (not shown). A remote operator terminal may comprise, for example, a personal computer (not shown) which can communicate with the device controller 12 to facilitate operations such as those described above in connection with operator terminal 25. In that case, the device controller 12 and remote operator terminal can use conventional authentication mechanisms such as passwords to provide authentication for messages transmitted during a session. In addition, communications between the device controller 12 and the remote operator terminal may be encrypted using any encryption methodology. Similarly, the authentication value input interface 24 may form part of the device controller 12, or it may be remote therefrom and in communication therewith to facilitate providing the authentication value thereto.
In addition, although certain communications mechanisms described herein have been described as making use of wires and/or infrared links, it will be appreciated that any convenient medium can be used, including, in the case of wires, for example, metal wires and optical fibers, and, in the case of infrared links, links for carrying electro-magnetic signals of any convenient frequency. It will be appreciated that, since it is desirable to maintain the signals comprising the authentication value transferred over such wires or links in such a manner that the likelihood that a third party will be able to intercept the signals will be reduced or minimized, if, for example, a wireless link is used, preferably the signal power will be relatively low and the signal spread will be minimized.
It will be appreciated that a system in accordance with the invention can be constructed in whole or in part from special purpose hardware or a general purpose computer system, or any combination thereof, any portion of which may be controlled by a suitable program. Any program may in whole or in part comprise part of or be stored on the system in a conventional manner, or it may in whole or in part be provided to the system over a network or other mechanism for transferring information in a conventional manner. In addition, it will be appreciated that the system may be operated and/or otherwise controlled by means of information provided by an operator using operator input elements (not shown) which may be connected directly to the system or which may transfer the information to the system over a network or other mechanism for transferring information in a conventional manner.
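The two preceding paragraphs describe the same keyed-hash check in both directions: the sender hashes the message information together with the shared authentication value, and the receiver recomputes the hash from its own copy, ignores the message on mismatch, and records the event. The Go program below is an added example written for this page, not code from the patent or from Sun Microsystems; HMAC-SHA256 as the keyed hash, the `Controller`/`Device` types and the sample device identifier and authentication value are all constructed assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Message is what travels over the communication arrangement: the device
// identifier, the information to be acted on, and the keyed hash over both.
type Message struct {
	DeviceID string
	Info     []byte
	Hash     []byte
}

// keyedHash binds the device identifier and the message information to the
// authentication value. The identifier's length is encoded first so that
// shifting bytes between the two fields cannot produce the same hash.
func keyedHash(authValue []byte, deviceID string, info []byte) []byte {
	mac := hmac.New(sha256.New, authValue)
	var lenBuf [4]byte
	binary.BigEndian.PutUint32(lenBuf[:], uint32(len(deviceID)))
	mac.Write(lenBuf[:])
	mac.Write([]byte(deviceID))
	mac.Write(info)
	return mac.Sum(nil)
}

// Seal builds an authenticated message using the sender's copy of the
// authentication value (the controller's database entry or the device's store).
func Seal(authValue []byte, deviceID string, info []byte) Message {
	return Message{DeviceID: deviceID, Info: info, Hash: keyedHash(authValue, deviceID, info)}
}

// Verify recomputes the hash with the receiver's copy and compares in constant
// time, so response timing does not reveal how many bytes of the hash matched.
func Verify(authValue []byte, m Message) bool {
	return hmac.Equal(m.Hash, keyedHash(authValue, m.DeviceID, m.Info))
}

// Controller holds the authentication value database and a log of rejected messages.
type Controller struct {
	AuthValues map[string][]byte
	Rejected   []string
}

// Device holds its own authentication value store and counts the messages it
// ignored, which it may later report to the controller.
type Device struct {
	ID        string
	AuthValue []byte
	Ignored   int
}

// Receive is the device-side check: act on the message only when the hash matches.
func (d *Device) Receive(m Message) bool {
	if m.DeviceID != d.ID || !Verify(d.AuthValue, m) {
		d.Ignored++
		return false
	}
	return true
}

// Receive is the controller-side check: look up the device's authentication
// value and verify; unknown devices and bad hashes are logged and ignored.
func (c *Controller) Receive(m Message) bool {
	av, ok := c.AuthValues[m.DeviceID]
	if !ok || !Verify(av, m) {
		c.Rejected = append(c.Rejected, fmt.Sprintf("device %s: unknown device or hash mismatch", m.DeviceID))
		return false
	}
	return true
}

func main() {
	// Constructed sample: an authentication value provisioned during set-up.
	authValue := []byte("example-auth-value-0")
	ctrl := &Controller{AuthValues: map[string][]byte{"11(1)": authValue}}
	dev := &Device{ID: "11(1)", AuthValue: authValue}

	cmd := Seal(ctrl.AuthValues[dev.ID], dev.ID, []byte("apparatus=on"))
	fmt.Println("device accepts command:", dev.Receive(cmd))

	cmd.Info = []byte("apparatus=off") // altered in transit: the hash no longer matches
	fmt.Println("device accepts altered command:", dev.Receive(cmd))

	status := Seal(dev.AuthValue, dev.ID, []byte("status=armed"))
	fmt.Println("controller accepts status:", ctrl.Receive(status))
	fmt.Println("messages ignored by device:", dev.Ignored)
}
```

Note that the keyed hash on its own establishes origin and integrity, not freshness: a captured genuine message would still verify if resent, so a deployment also needs a sequence number or timestamp inside the hashed information before replays can be rejected.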
The foregoing description has been limited to a specific embodiment of this invention. It will be apparent, however, that various variations and modifications may be made to the invention, with the attainment of some or all of the advantages of the invention. It is the object of the appended claims to cover these and such other variations and modifications as come within the true spirit and scope of the invention.
What is claimed as new and desired to be secured by Letters Patent of the United States is:

Claims

1. For use in connection with a communication system comprising a controllable device and a device controller which communicate over a communication link using a selected communication methodology facilitating authentication of messages transmitted therebetween, authentication being facilitated by an authentication value associated with the device, an arrangement for providing the authentication value to said device controller, the arrangement comprising:
A. an authentication value storage device configured to store the authentication value, and
B. in connection with the device controller, an authentication value input configured to receive the authentication value for use by the device controller in connection with communications with the device.
2. An arrangement as defined in claim 1 in which the device includes an authentication value store configured to store said authentication value.
3. An arrangement as defined in claim 2 in which the authentication value is stored in the authentication value store when the device is manufactured.
4. An arrangement as defined in claim 2 in which the authentication value store stores the authentication value in encrypted form.
5. An arrangement as defined in claim 2 in which the authentication value store comprises the authentication value storage device.
6. An arrangement as defined in claim 5 in which the authentication value input is configured to retrieve the authentication value from the authentication value storage device.
7. An arrangement as defined in claim 1 in which the authentication value input is configured to retrieve the authentication value from the authentication value storage device.
8. An arrangement as defined in claim 7 in which the authentication value storage device is configured to store the authentication value separate and apart from the device.
9. An arrangement as defined in claim 1 in which the device controller includes an authentication value database, the authentication value being stored in the authentication value database when the authentication value is received through the authentication value input.
10. An arrangement as defined in claim 9 in which the authentication value database stores the authentication value in encrypted form.
11. An arrangement as defined in claim 1 in which the authentication value storage device comprises a sealed form on which the authentication value is printed.
12. An arrangement as defined in claim 11 in which the form is sealed in a tamper-evident manner.
13. An arrangement as defined in claim 11 in which the authentication value is printed on the authentication value storage device in alphanumeric form, the authentication value input comprising a keypad by which an operator can input the authentication value from the authentication value storage device.
14. An arrangement as defined in claim 11 in which the authentication value is printed on the authentication value storage device in machine readable form, the authentication value input comprising a reader for reading the authentication value from the authentication value storage device.
15. An arrangement as defined in claim 14 in which the authentication value is printed in bar code form.
16. An arrangement as defined in claim 1 in which the authentication value is stored on the authentication value storage device in machine readable form, the authentication value input comprising a reader for reading the authentication value from the authentication value storage device.
17. An arrangement as defined in claim 16 in which the authentication value storage device is in the form of a smart card which stores the authentication value in electronic form, the authentication value input comprising a smart card reader for reading the authentication value from the smart card.
18. An arrangement as defined in claim 17 in which the smart card is packaged in tamper-evident packaging.
19. An arrangement as defined in claim 17 in which the smart card is configured to provide the authentication value at most once.
20. An arrangement as defined in claim 16 in which the authentication value storage device is in the form of a storage card which stores the authentication value in a predetermined machine-readable form, the authentication value input comprising a storage card reader for reading the authentication value from the storage card.
21. An arrangement as defined in claim 20 in which the storage card stores the authentication value in magnetic form, the authentication value input comprising a magnetic strip reader for reading the authentication value from the magnetic strip.
22. An arrangement as defined in claim 20 in which the storage card is packaged in tamper-evident packaging.
23. An arrangement as defined in claim 1 in which the authentication value storage device comprises an external database and the authentication value input includes a retrieval arrangement configured to retrieve the authentication value from said external database.
24. An arrangement as defined in claim 23 in which the authentication value input is configured to retrieve the authentication value from said external database over a public network.
25. An arrangement as defined in claim 24 in which said public network comprises the Internet.
26. An arrangement as defined in claim 24 in which said public network comprises the public switched telephony network.
27. An arrangement as defined in claim 23 in which the external database is configured to provide the authentication value in encrypted form, the authentication value input being configured to decrypt the encrypted authentication value.
28. An arrangement as defined in claim 23 in which the external database is configured to provide the authentication value at most once.
29. An arrangement as defined in claim 23 in which the authentication value input is configured to retrieve the authentication value over a private network.
30. An arrangement as defined in claim 29 in which the private network includes an infrared link.
31. An arrangement as defined in claim 29 in which the private network includes a wire.
32. An arrangement as defined in claim 1 in which the selected communication methodology includes encryption of at least a portion of communications between the device and the device controller.
33. An arrangement as defined in claim 1 in which authentication is performed in connection with an authentication methodology that includes a keyed hash methodology.
34. A method of providing an authentication value to a device controller for use in facilitating authentication of messages transmitted between a controllable device and a device controller which communicate over a communication link using a selected communication methodology therebetween, authentication being facilitated by an authentication value associated with the device, the method comprising the steps of
A. storing the authentication value in an authentication value storage device and
B. enabling the device controller to receive the authentication value for use by the device controller in connection with communications with the device.
35. A method as defined in claim 34 in which the device includes an authentication value store configured to store said authentication value.
36. A method as defined in claim 35 further comprising the step of storing the authentication value in the authentication value store when the device is manufactured.
37. A method as defined in claim 35 further comprising the step of encrypting the authentication value prior to storage in the authentication value store.
38. A method as defined in claim 35 in which the authentication value store comprises the authentication value storage device.
39. A method as defined in claim 38 in which the authentication value reception enabling step includes the step of enabling the retrieval of the authentication value from the authentication value storage device.
40. A method as defined in claim 34 in which the authentication value reception enabling step includes the step of enabling the retrieval of the authentication value from the authentication value storage device.
41. A method as defined in claim 40 in which the authentication value storage device is configured to store the authentication value separate and apart from the device.
42. A method as defined in claim 34 in which the device controller includes an authentication value database, the method further including the step of storing the received authentication value in the authentication value database.
43. A method as defined in claim 42 further including the step of encrypting the authentication value in the authentication value database in encrypted form.
44. A method as defined in claim 34 in which the authentication value storage device comprises a sealed form on which the authentication value is printed, the method further including the steps of printing the authentication value on the form and sealing the form.
45. A method as defined in claim 44 in which the sealing step includes the step of sealing the form in a tamper-evident manner.
46. A method as defined in claim 44 in which the authentication value is printed on the authentication value storage device in alphanumeric form and the device controller is provided with an authentication value input comprising a keypad, the authentication value reception enabling step including the step of enabling an operator to input the authentication value from the authentication value storage device using the keypad.
47. A method as defined in claim 44 in which the authentication value is printed on the authentication value storage device in machine readable form, the authentication value reception enabling step including the step of using a authentication value input in the form of a reader for reading the authentication value from the authentication value storage device.
48. A method as defined in claim 47 in which the authentication value is printed in bar code form and the reader comprises a bar code reader.
49. A method as defined in claim 34 in which the authentication value is stored on the authentication value storage device in machine readable form, the authentication value reception enabling step including the step of using an authentication value input comprising a reader for reading the authentication value from the authentication value storage device.
50. A method as defined in claim 49 in which the authentication value storage device is in the form of a smart card which stores the authentication value in electronic form, the authentication value reception enabling step including the step of using an authentication value input comprising a smart card reader for reading the authentication value from the smart card.
51. A method as defined in claim 50 further comprising the step of packaging the smart card in tamper-evident packaging.
52. A method as defined in claim 50 in which the smart card is configured to provide the authentication value at most once.
53. A method as defined in claim 49 in which the authentication value storage device is in the form of a storage card which stores the authentication value in a predetermined machine-readable form, the authentication value reception enabling step including the step of using an authentication value input comprising a storage card reader for reading the authentication value from the storage card.
54. A method as defined in claim 53 in which the storage card stores the authentication value in magnetic form, the authentication value reception enabling step including the step of using an authentication value input comprising a magnetic strip reader for reading the authentication value from the magnetic strip.
55. A method as defined in claim 53 further comprising the step of packaging the storage card in tamper-evident packaging.
56. A method as defined in claim 34 in which the authentication value storage device comprises an external database, the authentication value reception enabling step including the step of enabling the retrieval of the authentication value from said external database.
57. A method as defined in claim 56 in which the authentication value reception enabling step includes the step of enabling the retrieval of the authentication value from said external database over a public network.
58. A method as defined in claim 57 in which said public network comprises the Internet.
59. A method as defined in claim 57 in which said public network comprises the public switched telephony network.
60. A method as defined in claim 56 in which the external database is configured to provide the authentication value in encrypted form, the method further including the step of decrypting the encrypted authentication value.
61. A method as defined in claim 56 in which the external database is configured to provide the authentication value at most once.
62. A method as defined in claim 56 in which the authentication value reception enabling step includes the step of enabling the retrieval of the authentication value over a private network.
63. A method as defined in claim 62 in which the private network includes an infrared link.
64. A method as defined in claim 62 in which the private network includes a wire.
65. A method as defined in claim 34 in which the selected communication methodology includes encryption of at least a portion of communications between the device and the device controller.
66. A method as defined in claim 34 in which authentication is performed in connection with an authentication methodology that includes a keyed hash methodology.
PCT/US2001/009296 2000-03-23 2001-03-22 System and method for inexpensively providing security and authentication over a communications channel WO2001072012A2 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
AU2001249374A AU2001249374A1 (en) 2000-03-23 2001-03-22 System and method for inexpensively providing security and authentication over acommunications channel

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US53441800A 2000-03-23 2000-03-23
US09/534,418 2000-03-23

Publications (2)

Publication Number Publication Date
WO2001072012A2 true WO2001072012A2 (en) 2001-09-27
WO2001072012A3 WO2001072012A3 (en) 2002-04-18

Family

ID=24129937

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2001/009296 WO2001072012A2 (en) 2000-03-23 2001-03-22 System and method for inexpensively providing security and authentication over a communications channel

Country Status (2)

Country Link
AU (1) AU2001249374A1 (en)
WO (1) WO2001072012A2 (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4728949A (en) * 1983-03-23 1988-03-01 Telefunken Fernseh Und Rundfunk Gmbh Remote control device for controlling various functions of one or more appliances
US5519878A (en) * 1992-03-18 1996-05-21 Echelon Corporation System for installing and configuring (grouping and node address assignment) household devices in an automated environment
US5909183A (en) * 1996-12-26 1999-06-01 Motorola, Inc. Interactive appliance remote controller, system and method

Cited By (17)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1647497B (en) * 2002-04-05 2010-12-01 Abb研究有限公司 Method for remotely controlling and/or regulating a system
WO2003085945A1 (en) * 2002-04-05 2003-10-16 Abb Research Ltd Method for remotely controlling and/or regulating a system
EP1351480A1 (en) * 2002-04-05 2003-10-08 Abb Research Ltd. Method for remote controlling of a system
US8032749B2 (en) 2002-04-05 2011-10-04 Abb Research Ltd Method for remotely controlling and/or regulating a system
WO2004057553A2 (en) * 2002-12-19 2004-07-08 Koninklijke Philips Electronics N.V. Remote control system and authentication method
WO2004057553A3 (en) * 2002-12-19 2004-10-21 Koninkl Philips Electronics Nv Remote control system and authentication method
WO2006073768A1 (en) * 2004-12-30 2006-07-13 Honeywell International, Inc. System and method for initializing secure communications with lightweight devices
US8051296B2 (en) 2004-12-30 2011-11-01 Honeywell International Inc. System and method for initializing secure communications with lightweight devices
WO2006136969A1 (en) * 2005-06-20 2006-12-28 Koninklijke Philips Electronics N.V. System comprising a first device and a second device
US9137212B2 (en) 2006-12-04 2015-09-15 Oracle America, Inc. Communication method and apparatus using changing destination and return destination ID's
US10142119B2 (en) 2006-12-04 2018-11-27 Sun Microsystems, Inc. Communication method and apparatus using changing destination and return destination ID's
EP2009524A3 (en) * 2007-01-26 2015-09-02 Rockwell Automation Technologies, Inc. Authentication for licensing in an embedded system
WO2009004540A3 (en) * 2007-07-04 2009-04-30 Philips Intellectual Property Network and method for initializing a trust center link key
WO2009004540A2 (en) * 2007-07-04 2009-01-08 Philips Intellectual Property & Standards Gmbh Network and method for initializing a trust center link key
RU2474073C2 (en) * 2007-07-04 2013-01-27 Конинклейке Филипс Электроникс Н.В. Network and method for initialising trust centre link key
US10678950B2 (en) 2018-01-26 2020-06-09 Rockwell Automation Technologies, Inc. Authenticated backplane access
CN111367184A (en) * 2018-12-26 2020-07-03 博西华电器(江苏)有限公司 Household appliance control system, household appliance and control method

Also Published As

Publication number Publication date
AU2001249374A1 (en) 2001-10-03
WO2001072012A3 (en) 2002-04-18

Similar Documents

Publication Publication Date Title
US11044608B2 (en) System and method for access control via mobile device
US20220076513A1 (en) Access management and reporting technology
US8583910B2 (en) Method and apparatus for device detection and multi-mode security in a control network
US11451409B2 (en) Security network integrating security system and network devices
US10979389B2 (en) Premises management configuration and control
CN105981352B (en) Controller, the annex and communication means controlled by controller
US11698846B2 (en) Accessory communication control
US8620268B2 (en) Secure system for programming electronically controlled locking devices by means of encrypted acoustic accreditations
US10091014B2 (en) Integrated security network with security alarm signaling system
US20180083831A1 (en) Forming A Security Network Including Integrated Security System Components
EP1388126B1 (en) Remotely granting access to a smart environment
US8473619B2 (en) Security network integrated with premise security system
US10313303B2 (en) Forming a security network including integrated security system components and network devices
KR102537363B1 (en) Systems and methods for secure Internet of Things (IoT) device provisioning
CN101375289A (en) Safe with controllable data transfer capability
CN1937494A (en) Electronic device control apparatus
US20050024228A1 (en) Method for matching transmitters and receiver
WO2001072012A2 (en) System and method for inexpensively providing security and authentication over a communications channel
Chatzigiannakis Apps for smart buildings: A case study on building security
US11096111B2 (en) System and method to assist in adding new nodes to wireless RF networks
KR20150006099A (en) Methods and apparatuses of controlling interphone
KR20060032854A (en) Home automation system
JPH02189678A (en) Remote controller for room control device
JP2004032235A (en) Remote control system or adapter device

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A2

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT TZ UA UG UZ VN YU ZA ZW

AL Designated countries for regional patents

Kind code of ref document: A2

Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE TR BF BJ CF CG CI CM GA GN GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
DFPE Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101)
AK Designated states

Kind code of ref document: A3

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT TZ UA UG UZ VN YU ZA ZW

AL Designated countries for regional patents

Kind code of ref document: A3

Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE TR BF BJ CF CG CI CM GA GN GW ML MR NE SN TD TG

122 Ep: pct application non-entry in european phase
NENP Non-entry into the national phase in:

Ref country code: JP