(19)
(11)EP 3 476 093 B1

(12)EUROPEAN PATENT SPECIFICATION

(45)Mention of the grant of the patent:
17.06.2020 Bulletin 2020/25

(21)Application number: 17734052.8

(22)Date of filing:  28.06.2017
(51)International Patent Classification (IPC): 
H04L 29/06(2006.01)
H04W 4/70(2018.01)
H04L 9/32(2006.01)
H04W 12/06(2009.01)
H04W 12/00(2009.01)
(86)International application number:
PCT/EP2017/065950
(87)International publication number:
WO 2018/002111 (04.01.2018 Gazette  2018/01)

(54)

SYSTEM AND METHOD FOR DELEGATING TICKET AUTHENTICATION TO A STAR NETWORK IN THE INTERNET OF THINGS AND SERVICES

SYSTEM UND VERFAHREN ZUR DELEGATION EINER TICKETAUTHENTIFIZIERUNG AN EIN STERNNETZWERK IM INTERNET DER DINGE UND DIENSTLEISTUNGEN

PROCÉDÉ ET DISPOSITIF POUR DÉLÉGUER UNE AUTHENTIFICATION DE TICKET À UN RÉSEAU EN ÉTOILE DANS L'INTERNET DES OBJETS ET SERVICES


(84)Designated Contracting States:
AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

(30)Priority: 28.06.2016 US 201662355468 P

(43)Date of publication of application:
01.05.2019 Bulletin 2019/18

(73)Proprietor: Robert Bosch GmbH
70442 Stuttgart (DE)

(72)Inventors:
  • GUAJARDO MERCHAN, Jorge
    Pittsburgh, Pennsylvania 15216 (US)
  • DUPLYS, Paulius
    71706 Markgroeningen (DE)
  • GUILLAUME, Rene
    71032 Boeblingen (DE)
  • DONNE, Jeffrey
    Chicago, Illinois 60657 (US)


(56)References cited: : 
US-A1- 2007 254 630
US-A1- 2015 281 116
US-A1- 2015 097 689
  
      
    Note: Within nine months from the publication of the mention of the grant of the European patent, any person may give notice to the European Patent Office of opposition to the European patent granted. Notice of opposition shall be filed in a written reasoned statement. It shall not be deemed to have been filed until the opposition fee has been paid. (Art. 99(1) European Patent Convention).


    Description

    FIELD



    [0001] This disclosure relates generally to Internet of Things and Services and, more particularly, to system and method for delegating ticket authentication to star networks in the internet of things and services (IOTs).

    BACKGROUND



    [0002] Unless otherwise indicated herein, the materials described in this section are not prior art to the claims in this application and are not admitted to the prior art by inclusion in this section. Document US 2015/0281116 A1 refers to a method for setting sensor node and setting security in sensor network. Further, US 2007/0254630A1 refers to methods, devices and modules for secure remote access to home networks.

    SUMMARY



    [0003] A summary of certain embodiments disclosed herein is set forth below. It should be understood that these aspects are presented merely to provide the reader with a brief summary of these certain embodiments and that these aspects are not intended to limit the scope of this disclosure. Indeed, this disclosure may encompass a variety of aspects that may not be set forth below.

    [0004] Embodiments of the disclosure related to a star topology network comprises a plurality of sensor nodes, each sensor node including an ID, a user device, and an internet-enabled central gateway in public-key cryptography communication with the user device, wherein the user device to generate a ticket by signing a message with a private key and encrypting the message with a public key of the central gateway after the ID is registered. The user device broadcast the ticket to the plurality of sensor nodes. The central gateway and the sensor nodes exchange a secret shared key after the sensor nodes receive the ticket. The sensor nodes generate a random number, encrypt the random number with shared key between the central device and the sensor nodes, and send a concatenation of the ticket and a message authentication code to the central gateway.

    [0005] The invention is defined by the appended independent claim.

    BRIEF DESCRIPTION OF THE DRAWINGS



    [0006] These and other features, aspects, and advantages of this disclosure will become better understood when the following detailed description of certain exemplary embodiments is read with reference to the accompanying drawings in which like characters represent like arts throughout the drawings, wherein:

    FIG. 1 is a flow diagram of a network comprising a user device and an internet-enabled central gateway; and

    FIG. 2 is a flow diagraph of another network comprising a sensor node coupled to the user device and the internet-enabled central gateway.


    DETAILED DESCRIPTION



    [0007] The following description is presented to enable any person skilled in the art to make and use the described embodiments, and is provided in the context of a particular application and its requirements. Various modifications to the described embodiments will be readily apparent to those skilled in the art, and the general principles defined herein may be applied to other embodiments and applications. Thus, the described embodiments are not limited to the embodiments shown, but are to be accorded the widest scope consistent with the principles and features disclosed herein.

    [0008] Various operations may be described as multiple discrete actions or operations in turn, in a manner that is most helpful in understanding the claimed subject matter. However, the order of description should not be construed as to imply that these operations are necessarily order dependent. In particular, these operations may not be performed in the order of presentation. Operations described may be performed in a different order than the described embodiment. Various additional operations may be performed and/or described operations may be omitted in additional embodiments.

    [0009] FIG. 1 is a flow diagram illustrating a network 100 comprises a user device D and a central gateway C communicating with the user device D. During an initialization phase 100, both the user device D and the central gateway C generate an unique public-private key pairs. The user device D may be a thin client, a thick client, a mobile phone, a tablet, a phablet, a laptop, a personal digital assistant (PDA), a personal computer (PC), or any suitable electronic devices. The central gateway C is an internet-enabled central gateway. The user device D issues a Certificate Signing Request (CSR) and sends the CSR to the central gateway C. The CSR includes a public key of the user device D. The central gateway C upon receiving the request generates a certificate. The communication between the user device D and the central gateway C is secured either based on public-key cryptography, symmetric-key cryptography, or by the use of a secure channel such as a wired communication.

    [0010] FIG. 2 is a flow diagram illustrating a network 200 comprises a user device D, a central gateway C, and at least one new sensor node S1 added to the existing network 200. Although one sensor node S1 is illustrated, more than one sensor node may be added to the network 200. For instance, in a home automation, more than 10 sensor nodes are connected to the network 200 for a relatively long period of time between several months and several years. The sensor node S1 may be actuators, sensing elements, or any suitable components that can connected to a star topology network. The initialization phase set up between the user device D and the central gateway C in FIG. 2 is similar to the initialization phase as illustrated in FIG. 1. In one embodiment, the user device D may be function as a ticket machine for emitting certified tickets which are personalized to individual sensor nodes. After the initialization phase is completed, the user device D sends a request for receiving a nonce n1 to the central gateway C. In some embodiments, the user device D may send a request for receiving a timestamps instead of random nonces n. Upon receiving the request, the central device C checks if the request was issued by a legitimate device, e.g. the user device D. If the request is valid or authenticated, the central gateway C replies to the user device D with nonce n1. Although one nonce n1 is generated, the central gateway C may generate a set of nonce n and then set the set of nonce n to the user device D once a secure communication link becomes available. Afterwards, a secure communication between the user device D and the central gateway C is no longer required. Consequently, the user device D holds a set of already certified tickets for adding new nodes n to the network 200 at any time. After some individual amount of time, but below a chosen expiration of n1, the user device D reads an ID of the node S1 to be added to the network 200. In one embodiment, the ID can be read directly from the node S1 via a secure communication interface. In some embodiments, the IDS can be read from the node S1 by scanning a barcode or a Quick Response (QR) code located either on the node S1 or on the node S1 accessory such as owner's manual, packages, any materials accompanying with the node S1 and so forth. In another embodiment, the user may receive the ID of the node S1 over an internet when the node S1 is purchased via an online store. In yet another embodiment, the sensor node with a specific ID can be added to an existing network wherein the ID is read off of a smart tag such as a RFID tag. In further yet another embodiment, the ID can be read from a Physically Unclonable Function (PUF) located on the sensor node. Once the ID of the node S1 is registered, the user device D generates a ticket y by signing a message (n1, ID(S1) with its private key PrKD and encrypting it with C's public key PKc. Thereafter, the user device D broadcasts the ticket y or sends the ticket y to S1. After receiving y, the central gateway C and the node S1 start the key agreement procedure to exchange a secret shared key Kcs = (KCS1 || KCS2). The key agreement can be done either by a public-key cryptography such as Diffie-Hellman key exchange protocol or any suitable physical layer security.

    [0011] After the shared key Kcs has been exchanged between the node S1 and the central gateway C, the node S1 generates a random number rsi. Subsequently, the node S1 encrypts rS1 with KCS1 and sends a concatenation of y, EKCS1(rS1) and a message authentication code (MAC) to the central gateway C. Since the central gateway C can decrypt y, the central gateway C checks the validity of nonce n1 and if the ticket has been signed by the trusted device D. If the central gateway C is a legitimate gateway, the central gateway C receives acknowledgement of ID(S1). Using the established key KCS1, the central gateway C decrypts y2 thereby obtaining the random number rsi. Then, the central gateway C concatenates rS1 and the ID of the node S1 to be added to the existing network 200, i.e. ID(S1), and computes a hash h(rS1, ID(S1)) of the concatenated value. The central gateway C then generates a random number rc, concatenates the random number rc with a hash value and sends the message y3=EKCS1(rC,h(rS1,ID(S1)))||MACKCS2 (y3) to the node S1. Upon receiving the message y3, node S1 decrypts the message y3, thereby obtaining the random number rC and the hash value h(rS1,ID(S1)). Since node S1 knows the random number rS1, node S1 can compute the hash value and compare it to the received has value. If the values are identical, the response of the central gateway C to the challenge rS1 is valid.

    [0012] Next, the node S1 takes the random number rc generated by the central gateway C and computes the hash h(rc,ID(S1)). The node S1 concatenates the hash value with the random number rS1 and sends the message y3=Ek(rC,h(rc,ID(S1)), rS1)||MACKCS2 (y4) to the central gateway C. Upon receiving the message, the central gateway C decrypts the message and verifies that the hash value h(rc,ID(S1) returned by the node S1 for the challenge rc is equal to the hash value locally computed by the central gateway C. Finally, if the received and the computed hash values are identical, the central gateway C sends a message to the user device D indicating that the new node S1 is successfully added to the network 200. In one embodiment, the time between the request to add a new sensor node S1 to an existing network 200 and the start of the key agreement can be limited by an upper bound tmax such that the new node S1 can only be added within a small period of time.

    [0013] In some embodiments, the hash function h can be replaced by some function ƒ that takes a random number and the Id of the node S1 as an input. For instance, ƒ can be a function that takes an n-bit random number and the first half of an 2n-bit ID(S) and returns an XOR of these.

    [0014] According to another aspect of the disclosure, if the communication between the user device D and the central gateway C is a symmetric-key cryptography, instead of signing the message with its private key, the user device D can calculate a MAC on the nonce n using a shared key between the user device D and the central gateway C, i.e. KDC.

    [0015] The embodiments described above have been shown by way of example, and it should be understood that these embodiments may be susceptible to various modifications and alternative forms.

    [0016] Embodiments within the scope of the disclosure may also include non-transitory computer-readable storage media or machine-readable medium for carrying or having computer-executable instructions or data structures stored thereon. Such non-transitory computer-readable storage media or machine-readable medium may be any available media that can be accessed by a general purpose or special purpose computer. By way of example, and not limitation, such non-transitory computer-readable storage media or machine-readable medium can comprise RAM, ROM, EEPROM, CD-ROM or other optical disk storage, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to carry or store desired program code means in the form of computer-executable instructions or data structures. Combinations of the above should also be included within the scope of the non-transitory computer-readable storage media or machine-readable medium.

    [0017] Embodiments may also be practiced in distributed computing environments where tasks are performed by local and remote processing devices that are linked (either by hardwired links, wireless links, or by a combination thereof) through a communications network.

    [0018] Computer-executable instructions include, for example, instructions and data which cause a general purpose computer, special purpose computer, or special purpose processing device to perform a certain function or group of functions. Computer-executable instructions also include program modules that are executed by computers in stand-alone or network environments. Generally, program modules include routines, programs, objects, components, and data structures, etc. that perform particular tasks or implement particular abstract data types. Computer-executable instructions, associated data structures, and program modules represent examples of the program code means for executing steps of the methods disclosed herein. The particular sequence of such executable instructions or associated data structures represents examples of corresponding acts for implementing the functions described in such steps.

    [0019] While the patent has been described with reference to various embodiments, it will be understood that these embodiments are illustrative and that the scope of the disclosure is not limited to them. Many variations, modifications, additions, and improvements are possible. More generally, embodiments in accordance with the patent have been described in the context or particular embodiments. Functionality may be separated or combined in blocks differently in various embodiments of the disclosure or described with different terminology. These and other variations, modifications, additions, and improvements may fall within the scope of the disclosure as defined in the claims that follow.


    Claims

    1. A star topology network (100) comprising:

    a plurality of sensor nodes, each sensor node including an ID;

    a user device (D);

    an internet-enabled central gateway (C) in public-key cryptography communication with the user device (D);

    wherein the user device (D) is configured to generate a ticket by signing a message with a private key and encrypting the message with a public key of the central gateway (C) after an ID of a sensor node is read,

    wherein the user device (D) is further configured to broadcast the ticket to the plurality of sensor nodes,

    wherein the central gateway (C) and the sensor nodes are configured to exchange a secret shared key after the sensor nodes receive the ticket,

    wherein the sensor nodes are configured to generate a random number, encrypt the random number with the shared key, and send a concatenation of the ticket, the encrypted random number and a message authentication code to the central gateway (C), and

    wherein the central gateway (C) is configured to decrypt the ticket and thereafter validate a nonce comprised in the ticket, wherein the nonce has previously been transmitted from the central gateway to the user device, and check if the ticket has been signed by the user device.


     


    Ansprüche

    1. Sterntopologie-Netzwerk (100), das Folgendes umfasst:

    mehrere Sensorknoten, wobei jeder Sensorknoten eine ID beinhaltet;

    eine Benutzereinrichtung (D);

    ein internetfähiges Zentral-Gateway (C) in kryptographischer Kommunikation unter Verwendung eines öffentlichen Schlüssels mit der Benutzereinrichtung (D);

    wobei die Benutzereinrichtung (D) dazu ausgelegt ist, ein Ticket durch Signieren einer Nachricht mit einem privaten Schlüssel und Verschlüsseln der Nachricht mit einem öffentlichen Schlüssel des Zentral-Gateways (C) zu erzeugen, nachdem eine ID eines Sensorknotens gelesen wird,

    wobei die Benutzereinrichtung (D) ferner dazu ausgelegt ist, das Ticket zu den mehreren Sensorknoten zu broadcasten,

    wobei das Zentral-Gateway (C) und die Sensorknoten dazu ausgelegt sind, einen geheimen gemeinsam genutzten Schlüssel auszutauschen, nachdem die Sensorknoten das Ticket empfangen,

    wobei die Sensorknoten dazu ausgelegt sind, eine Zufallszahl zu erzeugen, die Zufallszahl mit dem gemeinsam genutzten Schlüssel zu verschlüsseln und

    eine Konkatenation des Tickets, der verschlüsselten Zufallszahl und eines Nachrichtenauthentifizierungscodes zu dem Zentral-Gateway (C) zu senden, und

    wobei das Zentral-Gateway (C) dazu ausgelegt ist, das Ticket zu entschlüsseln und danach eine in dem Ticket enthaltene Nonce zu validieren, wobei die Nonce zuvor von dem Zentral-Gateway zu der Benutzereinrichtung übertragen wurde, und zu prüfen, ob das Ticket durch die Benutzereinrichtung signiert wurde.


     


    Revendications

    1. Réseau à topologie en étoile (100) comprenant :

    une pluralité de nœuds de capteurs, chaque nœud de capteur comprenant un ID ;

    un dispositif utilisateur (D) ;

    une passerelle centrale accessible par Internet (C), en communication cryptographique à clé publique avec le dispositif utilisateur (D) ;

    où le dispositif utilisateur (D) est configuré pour générer un ticket en signant un message avec une clé privée et en cryptant le message avec une clé publique de la passerelle centrale (C) après la lecture de l'ID d'un nœud de capteur, où le dispositif utilisateur (D) est en outre configuré pour diffuser le ticket à la pluralité de nœuds de capteurs,

    où la passerelle centrale (C) et les nœuds de capteurs sont configurés pour échanger une clé secrète partagée après que les nœuds de capteurs ont reçu le ticket,

    où les nœuds de capteurs sont configurés pour générer un nombre aléatoire, crypter le nombre aléatoire avec la clé partagée et envoyer une concaténation du ticket, le nombre aléatoire crypté et un code d'authentification de message à la passerelle centrale (C), et

    où la passerelle centrale (C) est configurée pour décrypter le ticket puis valider un nombre aléatoire compris dans le ticket, où le nombre aléatoire a été préalablement transmis de la passerelle centrale au dispositif utilisateur, et pour vérifier si le ticket a été signé par le dispositif utilisateur.


     




    Drawing











    Cited references

    REFERENCES CITED IN THE DESCRIPTION



    This list of references cited by the applicant is for the reader's convenience only. It does not form part of the European patent document. Even though great care has been taken in compiling the references, errors or omissions cannot be excluded and the EPO disclaims all liability in this regard.

    Patent documents cited in the description