U.S. patent application number 14/238349 was filed with the patent office on 2014-08-14 for managing device ownership and commissioning in public-key encrypted wireless networks.
This patent application is currently assigned to TRIDONIC GMBH & CO KG. The applicant listed for this patent is TRIDONIC GMBH & CO KG. Invention is credited to Edgar Holleis.
Application Number: 20140229735 14/238349
Document ID: /
Family ID: 46642531
Filed Date: 2014-08-14
United States Patent Application 20140229735
Kind Code: A1
Holleis; Edgar
August 14, 2014
MANAGING DEVICE OWNERSHIP AND COMMISSIONING IN PUBLIC-KEY ENCRYPTED WIRELESS NETWORKS
Abstract
A mobile commissioning device for assisting in the commissioning
of wireless public-key encrypted networks, the device being
provided with: means for reading the public key from a network node
to be integrated in the wireless network, the channel for reading
the public key being physically different to the wireless network
channel for which the node is to be commissioned, means for at
least temporarily storing the read public key in the device, means
for transferring a public key of the commissioning device to the
network node to be commissioned, the channel for transferring the
public key preferably being the wireless channel for which the node
is to be commissioned, and means for transferring the read public
key to a trust center.
Inventors: Holleis; Edgar (Wien, AT)
Applicant: TRIDONIC GMBH & CO KG, Dornbirn, AT
Assignee: TRIDONIC GMBH & CO KG, Dornbirn, AT
Family ID: 46642531
Appl. No.: 14/238349
Filed: August 8, 2012
PCT Filed: August 8, 2012
PCT NO: PCT/EP2012/065497
371 Date: April 22, 2014
Current U.S. Class: 713/171
Current CPC Class: H04L 63/18 20130101; H04W 12/00522 20190101; H04W 12/04 20130101; H04W 12/06 20130101; H04L 63/0442 20130101; H04L 63/06 20130101; H04L 2209/80 20130101
Class at Publication: 713/171
International Class: H04W 12/04 20060101 H04W012/04
Foreign Application Data: Aug 12, 2011, DE, 10 2011 080 876.0
Claims
1. A mobile commissioning device (CD,2) for assisting in the
commissioning of wireless public-key encrypted networks, the device
comprising: means for reading (22) the public key (NWN-PUB-KEY)
from a network node (NWN,1) to be integrated in the wireless
network, the channel for reading the public key (NWN-PUB-KEY) being
physically different to the wireless network channel for which the
node (NWN,1) is to be commissioned, means for at least temporarily
storing the read public key (NWN-PUB-KEY) in the device, means (21)
for transferring a provisional public key (CD-PUB-KEY) of the
commissioning device (CD, 2) to the network node (NWN,1) to be
commissioned, the channel for transferring the provisional public
key (CD-PUB-KEY), and means for transferring the read public key
(NWN-PUB-KEY) to a trust center (TC,3).
2. The mobile commissioning device (CD, 2) of claim 1, wherein at
least one of the means (21) for transferring a CD-PUB-KEY key of
the commissioning device (CD, 2) to the network node (NWN,1) to be
commissioned or the means for transferring the NWN-PUB-KEY to the
trust center (TC, 3) is a communication interface (21) for
communicating on the wireless network.
3. The mobile commissioning device (CD, 2) of claim 1, wherein the
means (22) for reading the NWN-PUB-KEY from a network node (NWN,1)
to be integrated in the wireless network is a sensor (22) for
actively and/or passively obtaining (4) the NWN-PUB-KEY from the
network node (NWN,1).
4. The mobile commissioning device (CD, 2) of claim 1, wherein the
means for at least temporarily storing the NWN-PUB-KEY is a memory
internal and/or external to the mobile commissioning device
and wherein the memory additionally stores at least one
certificate, signed data record and/or nonce (OTR), and wherein the
mobile commissioning device (CD, 2) is configured to transfer the
NWN-PUB-KEY and the at least one certificate, signed data record
and/or nonce (OTR) to the trust center (TC,3).
5. The mobile commissioning device (CD, 2) of claim 4, wherein the
storing means is removable and/or exchangeable and/or the mobile
commissioning device (CD, 2) generates the certificate, signed data
record and/or nonce (OTR).
6. The mobile commissioning device (CD, 2) of claim 4, further
comprising a computing means for generating the certificate, signed
data record and/or nonce (OTR) from the first public key
(NWN-PUB-KEY) obtained by the reading means (22).
7. The mobile commissioning device (CD, 2) of claim 1, further
comprising a computing means for generating, or together with a
network node (NWN,1) agreeing to, a nonce.
8. The mobile commissioning device (CD, 2) of claim 1, wherein the
reading means is at least one of a barcode-reader, an RFID-reader,
NFC-interface, a smartcard-reader or an optical and acoustical
sensor.
9. The mobile commissioning device (CD, 2) of claim 1, wherein the
mobile commissioning device (CD, 2) encrypts the provisional public
key (CD-PUB-KEY) with the read public key (NWN-PUB-KEY) and/or
engages in a key establishment protocol.
10. A network node (NWN,1) for a public-key encrypted wireless
network, the node comprising: a means for providing (12) a public
key (NWN-PUB-KEY) of the network node (NWN,1), the channel over
which the public key (NWN-PUB-KEY) is provided being physically
different to the wireless network channel for which the node
(NWN,1) is to be commissioned, a storing means for storing at least
temporarily a provisional public key (CD-PUB-KEY) transferred (5)
to the network node (NWN,1) to be commissioned, the channel for
transferring the provisional public key (CD-PUB-KEY), and a storing
means for permanently storing a permanent public key (TC-PUB-KEY)
transferred to the network node (NWN,1) from a trust center
(TC,3).
11. The network node (NWN,1) of claim 10, wherein the provisional
public key (CD-PUB-KEY) and/or the permanent public key
(TC-PUB-KEY) are transferred to the network node (NWN,1) via a
communication means (12) comprised in the network node (NWN,1).
12. The network node (NWN,1) of claim 11, wherein the communication
means (12) is a communication interface for communicating on the
wireless network, and wherein the means for providing (12) a public
key (NWN-PUB-KEY) of the network node (NWN,1), is configured to
provide the public key (NWN-PUB-KEY) in such a way that it can be
actively or passively (4) read by a reading means (22) of a mobile
commissioning device (CD, 2).
13. The network node (NWN,1) of claim 10, further comprising a
computing means to check the validity of a certificate, signed data
record and/or nonce (OTR) transferred to the network node
(NWN,1).
14. The network node (NWN,1) of claim 13, wherein the network node
(NWN,1) stores the permanent public key (TC-PUB-KEY) in the storing
means after the network node (NWN,1) verified the certificate,
signed data record and/or nonce (OTR).
15. The network node (NWN,1) of claim 11, wherein the permanent
public key (TC-PUB-KEY) invalidates and/or replaces the preliminary
public key (CD-PUB-KEY).
16. The network node (NWN,1) of claim 11, wherein the providing
means (12) provides, in addition to the public key (NWN-PUB-KEY),
an identifier.
17. The network node (NWN,1) of claim 11, wherein the providing
means (12) is at least one of a barcode, RFID-tag, NFC interface,
smartcard, a LED interface or an acoustic interface.
18. A trust center unit (TC,3) in a network, the trust center
(TC,3) comprising: a communication means (31) for communicating on
a wireless network, wherein the trust center (TC,3) is configured
to receive (6) at least one public key (NWN-PUB-KEY) of at
least one network node (NWN,1) to be integrated in the wireless
network from a mobile commissioning device (CD, 2), and wherein the
trust center (TC,3) is further configured to transfer (7) its
public key (TC-PUB-KEY) to the at least one network node (NWN,1),
wherein the trust center (TC,3) is configured to additionally
receive (6) at least one certificate, signed data record and/or
nonce (OTR) from the mobile commissioning device (CD, 2) to
transfer (7) the at least one certificate, signed data record
and/or nonce (OTR) to the at least one network node (NWN,1) with
the permanent public key (TC-PUB-KEY).
19. The trust center (TC,3) of claim 18, further comprising a
storage means reader for reading a storage means of a mobile
commissioning device (CD, 2).
20. The trust center unit (TC,3) of claim 19, wherein the storage
means reader is a reader for an exchangeable and/or removable
storage means.
21. The trust center unit (TC,3) of claim 18, wherein the trust
center (TC,3) replaces a previously transmitted public key of a
commissioning device (CD-PUB-KEY) by its own TC-PUB-KEY within the
storage means of all network nodes (NWN,1).
22. The trust center unit (TC,3) of claim 18, wherein the trust
center (TC,3) uses the public key (NWN-PUB-KEY) of the at least one
network node (NWN,1) and/or a certificate, signed data record
and/or nonce (OTR) to encrypt and/or securely transfer the trust
center key (TC-PUB-KEY) to the at least one network node
(NWN,1).
23. A method for commissioning wireless public-key encrypted
networks, the method comprising the steps of: obtaining (4) a
public key (NWN-PUB-KEY) of a network node (NWN,1), the channel
over which the public key (NWN-PUB-KEY) is obtained being
physically different to the wireless network channel for which the
node (NWN,1) is to be commissioned, storing the obtained public key
(NWN-PUB-KEY) to a storing means of a mobile commissioning device
(CD, 2), transferring (5) a preliminary public key (CD-PUB-KEY)
from the mobile commissioning device (CD, 2) to the network node
(NWN,1), transferring (6) the public key (NWN-PUB-KEY) of the
network node (NWN,1) from the mobile commissioning device (CD, 2)
to a trust center (TC,3), and transferring (7) a permanent public
key (TC-PUB-KEY) from the trust center to the network node (NWN,
1).
24. The method of claim 23, wherein a certificate, signed data
record and/or nonce (OTR) is additionally transferred from the
mobile commissioning device (CD, 2) to a trust center (TC,3) and
wherein the certificate, signed data record and/or nonce (OTR) is
transferred with the permanent public key (TC-PUB-KEY) to network
node (NWN,1).
25. The method of claim 23, wherein the certificate, signed data
record and/or nonce (OTR) is generated by the mobile commissioning
device (CD, 2).
26. The method of claim 23, wherein the certificate, signed data
record and/or nonce (OTR) is generated by the network node (NWN,1)
and transferred to the mobile commissioning device (CD, 2).
27. The method of claim 23, wherein the certificate, signed data
record and/or nonce (OTR) is jointly negotiated by the network node
(NWN,1) and the mobile commissioning device (CD, 2).
28. The method of claim 23, wherein before the preliminary public
key (CD-PUB-KEY) is transferred to the network node (NWN,1), the
network node (NWN,1) is powered and/or the network node (NWN,1)
scans for available networks.
29. The method of claim 23, wherein the mobile commissioning device
(CD, 2) acts as temporary trust center.
30. The method of claim 23, wherein after the transfer of the
preliminary public key (CD-PUB-KEY) to the network node (NWN,1),
the network node (NWN,1) provides a specified level of
functionality.
31. The method of claim 23, wherein a storing means removable from
the mobile commissioning device (CD, 2) is used to transfer the
public key (CD-PUB-KEY) of the network node (NWN,1) and/or the
certificate (OTR) to the trust center (TC,3).
32. The method of claim 23, wherein after the transfer of the
permanent public key (TC-PUB-KEY) to the network node (NWN,1) it is
determined whether a correct number and/or type of network nodes
(NWN,1) is present in the network and/or devices are detected with
wrong security parameters to exclude from the network.
33. A system comprising: at least one network node (NWN,1)
according to claim 10, at least one mobile commissioning device
(CD, 2) for assisting in the commissioning of wireless public-key
encrypted networks, the device comprising: means for reading (22)
the public key (NWN-PUB-KEY) from a network node (NWN,1) to be
integrated in the wireless network, the channel for reading the
public key (NWN-PUB-KEY) being physically different to the wireless
network channel for which the node (NWN,1) is to be commissioned,
the network node being a participant of a wireless building
automation network, means for at least temporarily storing the read
public key (NWN-PUB-KEY) in the device, means (21) for transferring
a provisional public key (CD-PUB-KEY) of the commissioning device
(CD, 2) to the network node (NWN,1) to be commissioned, the channel
for transferring the provisional public key (CD-PUB-KEY) being the
wireless channel for which the node (NWN,1) is to be commissioned,
and means for transferring the read public key (NWN-PUB-KEY) to a
trust center (TC,3); and a trust center comprising: a communication
means (31) for communicating on a wireless network, wherein the
trust center (TC,3) is configured to receive (6) at least one
public key (NWN-PUB-KEY) of at least one network node (NWN,1)
to be integrated in the wireless network from a mobile
commissioning device (CD, 2), and wherein the trust center (TC,3)
is further configured to transfer (7) its public key (TC-PUB-KEY)
to the at least one network node (NWN,1), wherein the trust center
(TC,3) is configured to additionally receive (6) at least one
certificate, signed data record and/or nonce (OTR) from the mobile
commissioning device (CD, 2) to transfer (7) the at least one
certificate, signed data record and/or nonce (OTR) to the at least
one network node (NWN,1) with the permanent public key
(TC-PUB-KEY).
34. The system of claim 33 using a commissioning method comprising
the steps of: obtaining (4) a public key (NWN-PUB-KEY) of a network
node (NWN,1), the channel over which the public key (NWN-PUB-KEY)
is obtained being physically different to the wireless network
channel for which the node (NWN,1) is to be commissioned, storing
the obtained public key (NWN-PUB-KEY) to a storing means of a
mobile commissioning device (CD, 2), transferring (5) a preliminary
public key (CD-PUB-KEY) from the mobile commissioning device (CD,
2) to the network node (NWN,1), transferring (6) the public key
(NWN-PUB-KEY) of the network node (NWN,1) from the mobile
commissioning device (CD, 2) to a trust center (TC,3), and
transferring (7) a permanent public key (TC-PUB-KEY) from the trust
center to the network node (NWN, 1).
Description
[0001] The invention relates to an encrypted exchange of
information in wireless networks. The invention especially relates
to asymmetric encryption methods (sometimes called
"public-/private-key-cryptography"). In these encryption methods, a
public key has to be exchanged to allow a sender to encrypt
information with a public key of a receiver, where the receiver can
then decrypt information encrypted in that way using its private
key. The invention hence focuses on the problem of public key
exchange in wireless networks and especially in wireless building
automation networks.
[0002] Wireless building automation networks in the sense of the
invention are networks used to connect building technology devices
forming the network nodes, for example lighting means (such as
lamps), sensors (such as light sensors, movement/motion sensors,
acoustic sensors, optical sensors, . . . ) and actuators (e.g. for
controlling window blinds), and/or other controls (equipment such
as switches, interrupters, e.g. for controlling lights).
[0003] While the invention primarily relates to wireless building
automation networks and building technology devices, the principles
of this invention can also be used in other fields.
[0004] Traditionally, networked building technology devices are
connected by and to field busses.
[0005] In these traditional setups, no explicit identity management
is required and no issues arise concerning the ownership of the
connected devices and how they can trust each other. On a field
bus, the common assumption is that any device connected to the bus
can fully be trusted. It is hence assumed that a device connected
to the bus does not lie about its identity and that the ownership
of the device is not a problem as, once it is connected to the bus,
full ownership over the device is assumed.
[0006] In wireless networks, however, there is no wired channel to
which the devices can be connected and hence the common model for
trusting devices, for assuming ownership and for assuring identity
cannot be applied.
[0007] Nevertheless, in wireless networks the ownership of network nodes still needs to be defined, the identity of the devices connected to the network has to be assured and it needs to be determined which devices can be trusted. In particular, the ownership problem, which the invention implicitly addresses, arises when a wireless network overlaps with another wireless network from which it should be kept separate, i.e. it has to be determined whether a specific network node NWN,1 belongs to or is allowed in a specific wireless network.
[0008] For example, it is required to prevent devices not belonging
to the network from listening in ("eavesdropping") and manipulating
network communication.
[0009] If such a malicious device were placed in a company building, an attacker could control building technology devices (lights, doors, . . . ) or could gain access to other secret information.
[0010] The invention also targets the commissioning problem, which relates to securely performing an initial setup of the wireless network and the network nodes. One aim of the invention is to provide commissioning procedures which can easily be integrated in the commissioning process.
[0011] There are well known technologies available, which can be
used to securely communicate in a wireless network. One of these
technologies is public-/private-key encryption.
[0012] Here, the problem of exchanging public keys arises. If the public keys were exchanged over the wireless network, the communication paths could easily be intercepted: a third party could read a public key and replace it with a malicious public key in an effort to perform a man-in-the-middle attack. Therefore, additional security measures are required in wireless networks to perform the exchange of public keys.
[0013] Prior art approaches such as e.g. "ZigBee Smart Energy"
require installation of a private/public key pair with an
additional certificate in the network nodes when the respective
node is produced ("manufacture install certificate"). A certificate
is a public key signed by an independent, trusted third party, a
"certificate authority". In case a customer wishes to add a network
node (e.g. a sensor) to the network later, the customer contacts
the producer or vendor of the network node and goes through an IT
process and cryptographic protocol also involving the certificate
authority. In the end the customer's trust center (network
management node) securely receives and trusts the new network node
and vice versa.
[0014] The invention can establish trust between network nodes and
trust center without relying on third parties (certificate
authority, producer, and vendor).
[0015] The invention provides a solution to the above problems by
providing apparatuses and a method as set forth in the independent
claims.
[0016] In one aspect, the invention provides a mobile commissioning device for assisting in the commissioning of wireless public-key encrypted networks, the device being provided with:
[0017] means for reading the public key from a network node to be integrated in the wireless network, the channel for reading the public key being physically different to the wireless network channel for which the node is to be commissioned, means for at least temporarily storing the read public key in the device,
[0018] means for transferring a provisional public key of the commissioning device to the network node to be commissioned, the channel for transferring the provisional public key preferably being the wireless channel for which the node is to be commissioned, and
[0019] means for transferring the read public key to a trust center.
[0020] The public key is "provisional", in so far that it is not
permanently stored in the network node. E.g. the storage that holds
the provisional public key in the network node first holds the
public key of the commissioning device (provisional public key,
CD-PUB-KEY) and later the public key of the trust center
(TC-PUB-KEY). The keys themselves can be static.
[0021] The means for transferring a provisional public key of the
commissioning device to the network node to be commissioned and/or
the means for transferring the public key to the trust center can
be a communication interface for communicating on the wireless
network.
[0022] The means for reading the public key from the network node
to be integrated in the wireless network can be a sensor for
actively and/or passively obtaining the public key from the network
node.
[0023] The means for at least temporarily storing the read public
key may be an internal memory and/or external memory to the mobile
commissioning device. The storing means can additionally store at
least one of a certificate, a signed data record and a nonce (a
randomly chosen, secret piece of data to be used in a cryptographic
protocol). The mobile commissioning device may be configured to
transfer the read public key and the at least one of a certificate,
signed data record and nonce to the trust center.
[0024] The storing means can be removable and/or exchangeable
and/or the mobile commissioning device generates the certificate,
signed data record and/or nonce, and/or stores the signed data
record or nonce provided by the network node.
[0025] The mobile commissioning device can further provide a
computing means for generating the certificate, signed data record
and/or nonce from the first public key obtained by the reading
means.
[0026] The reading means may be at least one of a barcode-reader,
an RFID-reader, an NFC-interface, a smartcard-reader and an optical
and acoustical sensor.
[0027] The mobile commissioning device can encrypt the provisional
public key with the read public key. The mobile commissioning
device can also use a key establishment protocol like ECMQV (a
variant of which is also used by ZigBee Smart Energy).
[0028] In another aspect, the invention provides a network node for
a public-key encrypted wireless network, especially a wireless
building automation network, and to be integrated in the wireless
network, comprising a means for providing a public key of the
network node, the channel over which the public key is provided
being physically different to the wireless network channel for
which the node is to be commissioned, a storing means for storing
at least temporarily a provisional public key transferred to the
network node to be commissioned, the channel for transferring the
provisional public key preferably being the wireless channel for
which the node is to be commissioned, and a storing means for
permanently storing a permanent public key transferred to the
network node from a trust center.
[0029] The permanent public key is permanent in so far that it is stored by the network node and cannot be replaced until a specific command, e.g. a reset command, is submitted to the network node. Such a command can also be submitted by manipulating the network device, e.g. by pressing a reset button or using a reset switch.
[0030] Preferably, the network node is a participant of a wireless lighting network, such as e.g.:
[0031] a control device, such as e.g. a user interface,
[0032] a sensor, such as e.g. a smoke, occupancy, light, movement and/or temperature sensor, or
[0033] an operating device for lighting means, such as e.g. gas discharge lamps, LEDs or OLEDs, halogen lamps, . . . .
[0034] The provisional public key and/or the permanent public key
can be transferred to the network node via a communication means
comprised in the network node.
[0035] The communication means may be a communication interface for communicating on the wireless network. The means for providing a public key of the network node can be configured to provide the public key in such a way that it can be actively or passively read by a reading means of a mobile commissioning device. In particular, the means for providing a public key of the network node can be at least one of a barcode, RFID-tag, NFC-interface and an optical and/or acoustical signaling unit.
[0036] The network node can further comprise a computing means to check the validity of the certificate, signed data record and/or nonce transferred to the network node. The network node can further provide a computing means for generating the nonce or for generating the signed data record based on its public key.
[0037] The network node may store the certificate, signed data record and/or nonce in the storing means.
[0038] The network node may store the permanent public key in the storing means after it verified the certificate, signed data record and/or nonce.
[0039] The permanent public key can invalidate and/or replace the
preliminary public key.
[0040] The providing means can, in addition to the public key,
provide an identifier, e.g. a MAC address.
[0041] The providing means may be at least one of a barcode, RFID
tag, NFC interface, smartcard and an optical, e.g. a LED, and/or
acoustical signaling unit.
[0042] In a further aspect, the invention provides a trust center
in a network, especially a wireless building automation network,
comprising a communication means for communicating on a wireless
network, wherein the trust center is configured to receive at least
one public key of at least one network node (at least one
NWN-PUB-KEY) to be integrated in the wireless network from a mobile
commissioning device, and wherein the trust center is further
configured to transfer a permanent public key to the at least one
network node.
[0043] The trust center can be configured to additionally receive from the mobile commissioning device at least one certificate, signed data record and/or nonce and to transfer the at least one certificate, signed data record and/or nonce to the at least one network node with the permanent public key.
[0044] The trust center may further comprise a storage means reader
for reading a storage means of a mobile commissioning device.
[0045] The storage means reader can be a reader for an exchangeable
and/or removable storage means.
[0046] The trust center may transmit its permanent public key to all network nodes.
[0047] The trust center can use the public key of the at least one
network node (NWN, 1) to encrypt and/or securely transfer the trust
center key to the at least one network node (NWN, 1).
[0048] In yet another aspect, the invention provides a method for
commissioning wireless public-key encrypted networks, especially
wireless building automation networks such as e.g. lighting
networks, comprising the steps of obtaining a public key of a
network node, the channel over which the public key is obtained
being physically different to the wireless network channel for
which the node is to be commissioned, storing the obtained public
key to a storing means of a mobile commissioning device,
transferring a preliminary public key from the mobile commissioning
device to the network node, transferring the public key of the
network node from the mobile commissioning device to a trust
center, and transferring a permanent public key to the network
node.
[0049] A certificate, signed data record and/or nonce can be additionally transferred from the mobile commissioning device to a trust center. The certificate, signed data record and/or nonce may be transferred with the permanent public key to the network node.
[0050] The certificate, signed data record and/or nonce can be generated by the mobile commissioning device or the network node.
[0051] Before the preliminary public key is transferred to the
network node, the network node may be powered and/or the network
node can scan for available networks.
[0052] The mobile commissioning device can act as temporary trust
center.
[0053] After the transfer of the preliminary public key to the
network node, the network node may provide a specified level of
functionality.
[0054] A storing means removable from the mobile commissioning device may be used to transfer the public key of the network node and/or the certificate, signed data record and/or nonce to the trust center.
[0055] After the transfer of the permanent public key to the
network node it can be determined whether a correct number and/or
type of network nodes is present in the network and/or devices are
detected with wrong security parameters to exclude from the
network.
[0056] The certificate, signed data record and/or nonce (OTR) may
be generated by the mobile commissioning device.
[0057] The certificate, signed data record and/or nonce (OTR) can
be generated by the network node and transferred to the mobile
commissioning device.
[0058] In still a further aspect, the invention provides a system
of at least one network node as described above, at least one
mobile commissioning device as described above and a trust center
as described above. In the system, a commissioning method as
described above may be used.
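The commissioning method of [0048] and the three components it involves (network node, mobile commissioning device, trust center) can be exercised end to end in code. The Go program below is an added example written for this page; it is not code from the patent, from the inventor or from Tridonic. Every name in it (Node, Commission, ReadOutOfBand, Install, RogueAccepted, the record type, the 32-byte OTR, the identifier "lamp-01") is constructed, and the step numbers in its comments refer to the transfer steps (4) to (7) that the claims and FIG. 2 use. Where the page only says that a key is "encrypted with NWN-PUB-KEY", the example uses ephemeral ECDH on P-256 followed by AES-GCM as one concrete choice (the page also allows a key establishment protocol such as ECMQV). The out-of-band read of step 4 is simulated by taking the public key straight from the node object; on real hardware this is the barcode, RFID/NFC or smartcard read.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

const pubLen, otrLen, nonceLen = 65, 32, 12 // uncompressed P-256 point, OTR (nonce), GCM nonce
func genKey() *ecdh.PrivateKey { k, _ := ecdh.P256().GenerateKey(rand.Reader); return k }

// aead turns an ECDH shared secret into an AES-GCM cipher (SHA-256 as KDF: a constructed choice).
func aead(shared []byte) cipher.AEAD {
	key := sha256.Sum256(shared)
	block, _ := aes.NewCipher(key[:])
	g, _ := cipher.NewGCM(block)
	return g
}

// sealTo encrypts msg so that only the holder of the private key behind pub can open it
// (ephemeral ECDH + AES-GCM); it stands in for the page's "encrypt with NWN-PUB-KEY".
func sealTo(pub *ecdh.PublicKey, msg []byte) ([]byte, error) {
	eph := genKey()
	shared, err := eph.ECDH(pub)
	if err != nil { return nil, err }
	nonce := make([]byte, nonceLen)
	rand.Read(nonce)
	return aead(shared).Seal(append(eph.PublicKey().Bytes(), nonce...), nonce, msg, nil), nil
}

// openWith reverses sealTo for the holder of priv.
func openWith(priv *ecdh.PrivateKey, env []byte) ([]byte, error) {
	if len(env) < pubLen+nonceLen { return nil, errors.New("envelope too short") }
	ephPub, err := ecdh.P256().NewPublicKey(env[:pubLen])
	if err != nil { return nil, err }
	shared, err := priv.ECDH(ephPub)
	if err != nil { return nil, err }
	return aead(shared).Open(nil, env[pubLen:pubLen+nonceLen], env[pubLen+nonceLen:], nil)
}

// Node is a network node (NWN). Trusted is the key currently governing it: CD-PUB-KEY after
// step 5 (provisional), TC-PUB-KEY after step 7 (permanent); otr is learned in step 5.
type Node struct {
	ID           string
	priv         *ecdh.PrivateKey
	Trusted, otr []byte
	Permanent    bool
}
func NewNode(id string) *Node { return &Node{ID: id, priv: genKey()} }

// Receive handles a key pushed over the wireless channel (steps 5 and 7): the first key is
// taken as provisional together with the OTR, any later key must carry the same OTR, and once
// the permanent key is in place only a reset (not modelled here) could change it.
func (n *Node) Receive(env []byte) error {
	msg, err := openWith(n.priv, env)
	if err != nil || len(msg) != pubLen+otrLen { return errors.New("cannot open envelope") }
	switch {
	case n.otr == nil:
		n.Trusted, n.otr = msg[:pubLen], msg[pubLen:]
	case !bytes.Equal(msg[pubLen:], n.otr):
		return errors.New("OTR mismatch: key not installed")
	case n.Permanent:
		return errors.New("permanent key installed: reset required")
	default:
		n.Trusted, n.Permanent = msg[:pubLen], true
	}
	return nil
}

// record is one entry on the commissioning device's memory card: a node's NWN-PUB-KEY and OTR.
type record struct{ pub *ecdh.PublicKey; otr []byte }

// ReadOutOfBand is step 4: the CD reads NWN-PUB-KEY from the node's barcode, NFC tag or
// smartcard (here simply taken from the node object) and draws the OTR it later hands to the TC.
func ReadOutOfBand(n *Node) record {
	otr := make([]byte, otrLen)
	rand.Read(otr)
	return record{n.priv.PublicKey(), otr}
}

// Install seals the sender's public key plus the node's OTR under NWN-PUB-KEY for the wireless
// channel: step 5 with the CD's key (CD-PUB-KEY), step 7 with the TC's key (TC-PUB-KEY).
func Install(sender *ecdh.PrivateKey, r record) ([]byte, error) {
	return sealTo(r.pub, append(sender.PublicKey().Bytes(), r.otr...))
}

// Commission runs steps 4 to 7 for one node with the CD's and TC's key pairs and reports
// whether the node ends up trusting TC-PUB-KEY.
func Commission(node *Node, cd, tc *ecdh.PrivateKey) (bool, error) {
	card := map[string]record{node.ID: ReadOutOfBand(node)} // the CD's (removable) memory
	env, err := Install(cd, card[node.ID])
	if err == nil { err = node.Receive(env) }
	if err != nil { return false, err }
	// step 6: the trust center reads the card; step 7: TC-PUB-KEY replaces CD-PUB-KEY
	if env, err = Install(tc, card[node.ID]); err == nil { err = node.Receive(env) }
	return err == nil && bytes.Equal(node.Trusted, tc.PublicKey().Bytes()), err
}

// RogueAccepted models a stranger on the wireless channel who has read NWN-PUB-KEY but does
// not know the OTR and pushes its own key; it reports whether the node accepted that key.
func RogueAccepted(node *Node) bool {
	env, _ := Install(genKey(), record{node.priv.PublicKey(), make([]byte, otrLen)})
	return node.Receive(env) == nil
}

func main() {
	node := NewNode("lamp-01")
	ok, err := Commission(node, genKey(), genKey())
	fmt.Println("trusts TC-PUB-KEY:", ok, err, "| rogue key accepted:", RogueAccepted(node))
}
```

Running it prints that the node trusts TC-PUB-KEY and that the rogue key was refused. Two checks in Receive carry the security argument of the page: the OTR that travels from the commissioning device to the trust center is what ties the permanent key to the node that was physically commissioned, so a device that merely knows NWN-PUB-KEY (it is printed on the node) cannot push its own key; and once Permanent is set no further key is accepted until a reset, matching [0029]. The example also makes visible a limit the page does not spell out: the very first key a node accepts (step 5) is trusted on first use, because encrypting under NWN-PUB-KEY protects confidentiality but does not prove who sent the message; the page's ordering (power the node, then install the provisional key right away while the installer is present) is what limits that window.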
[0059] Additional aspects of the invention are now described in
detail in view of the figures, wherein
[0060] FIG. 1 schematically shows components of the inventive
system, and
[0061] FIG. 2 schematically shows the information exchange between
the components of FIG. 1.
[0062] The invention assumes that each network node, which should participate in the automation network, is able to provide its respective public key without using the communication paths of the wireless network used for the wireless communication, which means "out-of-band", i.e. on a communication path physically separate from the wireless communication paths later used for information transmission on the wireless network.
[0063] Preferably, the network node is a participant of a wireless lighting network, such as e.g.:
[0064] a control device, such as e.g. a user interface,
[0065] a sensor, such as e.g. a smoke, occupancy, light, movement and/or temperature sensor, or
[0066] an operating device for lighting means, such as e.g. gas discharge lamps, LEDs or OLEDs, halogen lamps, . . . .
[0067] This "out-of-band" exchange needs to be performed in a way that can be easily handled by staff typically installing the network nodes in a building and has to provide secure communications, as the public keys of the network nodes (NWN-PUB-KEYs) need to be installed at least in a trust center and the public key of the trust center (TC-PUB-KEY) has to be installed in the network nodes.
[0068] To achieve this, each network node NWN,1 can e.g. provide
its public key (NWN-PUB-KEY) by display of a barcode (such as a
QR-Code), by an RFID tag, NFC communication interface or through a
Smartcard affiliated with the network node.
[0069] The provision of the public key (NWN-PUB-KEY) for each network node NWN,1 allows obtaining the public key out-of-band, as e.g. the barcode can be read by a barcode reader and the key can hence be transferred outside the wireless communication paths.
[0070] As explained above, the network nodes are typically
installed in an incremental fashion and hence the trust center,
which e.g. can be a central control unit of the automation network,
might still not be in place or not working when the network nodes
are installed. Also, the network nodes need to provide at least a
basic functionality even if the trust center is not available, e.g.
the lights need to work.
[0071] The invention solves this problem by providing a device which can be used by installation staff when the network nodes are installed. This tool, called "mobile commissioning device" in the following, is able to obtain the public keys (NWN-PUB-KEYs) from the network nodes.
[0072] To achieve this, the mobile commissioning device CD,2 uses a sensor, e.g. a barcode reader, RFID tag reader, NFC communication interface, a reader for a smartcard, etc., to read the public key (NWN-PUB-KEY) from the network nodes (FIG. 2, 4). As the network nodes can also use other means to "publish" their public keys, e.g. optically (e.g. by using a blinking LED) and/or acoustically, the mobile commissioning device CD,2 just needs a corresponding sensor able to recognize and/or decode the way the public key (NWN-PUB-KEY) is published.
[0073] In one aspect of the invention, the mobile commissioning device CD,2 uses barcodes displayed on the network nodes (switches, sensors, operating devices), e.g. a 2D barcode, which at least display information from which the public key (NWN-PUB-KEY) and, optionally, an identifier, such as a unique address of the network node NWN,1 (e.g. a MAC address), can be derived.
[0074] The mobile commissioning device CD,2 is also able to install
(FIG. 2, 5) a preliminary public key (CD-PUB-KEY) in the network
nodes NWN,1. Additionally, the mobile commissioning device CD,2 is
also capable of transferring the public keys (NWN-PUB-KEYs) of the
network nodes to the trust center at a later stage.
[0075] Commissioning using the mobile commissioning device CD,2
hence requires the execution of the following steps:
[0076] In a first step, the mobile commissioning device CD,2 obtains a public key (NWN-PUB-KEY) from a network node, e.g. by reading a barcode of a network node. The mobile commissioning device CD,2 then saves the obtained public key (NWN-PUB-KEY) to an internal or external memory, such as, for example, a memory card (e.g. an SD card).
[0077] Afterwards, the network node NWN,1 is, e.g., switched on if
not already active.
[0078] The mobile commissioning device CD,2 now acts as a temporary
trust center and the network node NWN,1 can communicate with the
mobile commissioning device CD,2 over a wireless channel.
[0079] Now, the mobile commissioning device CD,2 installs a (preliminary) public key (CD-PUB-KEY) in the network node NWN,1. The mobile commissioning device CD,2 can use the public key (NWN-PUB-KEY) of the network node NWN,1 to engage in a cryptographic key exchange like ECMQV, or simply encrypt its transmitted public key (CD-PUB-KEY) with the public key of the network node (NWN-PUB-KEY). The private and public key of the mobile commissioning device CD,2 can be fixed or changeable, e.g. recomputed at the request of the user of the mobile commissioning device.
[0080] The mobile commissioning device CD,2 also stores additional
information from the network node NWN,1, in particular an
"ownership transfer record" (OTR) and/or the identifier obtained
from the network node NWN,1.
[0081] The OTR is a certificate and/or data record, which allows a
participant of the network using the OTR to transfer a new public
key to the network node NWN,1 once, as the public key that should
be used for authenticating the trust center. The OTR can either be
generated and/or stored by the network node NWN,1 and then
transferred to the mobile commissioning device CD,2 using either
the wireless network or the `out-of-band` communication means, or
the OTR can be generated by the mobile commissioning device CD,2
for the network node, or the OTR can be the result of a
cryptographic protocol between network node NWN,1 and the mobile
commissioning device CD,2.
[0082] This means that the public key which the network node NWN,1 holds for authenticating its trust center, and which is the preliminary public key (CD-PUB-KEY) received from the mobile commissioning device CD,2, can be changed once, namely when the OTR is submitted to the network node NWN,1 together with a new public key.
[0083] Therefore, the public key of the mobile commissioning device CD,2 acting as a preliminary trust center can be replaced by the public key of the "final" trust center in the finally established wireless network.
[0084] The security of the OTR can either be based on digital
signatures, or on a cryptographic nonce agreed to by the network
node and the mobile commissioning device.
[0085] After the transfer (FIG. 2, 5) of the preliminary public key
(CD-PUB-KEY) to the network node NWN,1, the network node NWN,1 in
one aspect of the invention is already capable of some basic
communication functionality so that, for example, when one switch
is activated all lighting means on the network can be activated
through wireless communication.
[0086] In a further step, the information stored in the memory of the mobile commissioning device CD,2 is transferred to the final trust center TC,3. This means that for each network node NWN,1 a public key (NWN-PUB-KEY) and, where available, the respective OTR is transmitted to the final trust center TC,3. Using the OTR, the trust center is able to install its public key (TC-PUB-KEY) in the network nodes NWN,1.
[0087] After this step, the exchange of public keys between the network nodes NWN,1 and the trust center is complete and the public keys have been securely exchanged.
[0088] The trust center can now perform additional steps required in the commissioning procedure, such as auditing whether the correct number of network nodes NWN,1 and the correct types of network nodes NWN,1 are connected to the wireless network, and detecting devices with wrong security parameters.
[0089] Instead of the barcode, RFID tag or NFC communication
interface, also other means can be provided at the network nodes
NWN,1 that allow the network node NWN,1 to display information.
That can for example be a blinking LED, an acoustic coupling or an
otherwise readable code, including but not limited to a human
readable label.
[0090] After the installation of the permanent public key (TC-PUB-KEY), and optionally the auditing step, trust is established in the wireless network and the network nodes NWN,1 are now trusted fully or to a predefined degree.
[0091] In summary, the invention uses known cryptographic techniques (encryption, signatures, certificates) in a wireless network, such as a wireless building automation network, in order to manage identity, ownership and trust. More precisely, it implements an initial, trusted, out-of-band key exchange in a way compatible with established procedures, especially of the lighting and construction industries, and requires only minimal manual intervention. Therefore it does not increase the burden on the staff installing the network nodes.
[0092] The invention is now exemplarily explained in even more
detail.
[0093] At the construction site, equipment belonging to the
wireless network is installed and commissioned at different points
in time. For example, lighting gear (lighting fixtures,
interrupters, controls, circuit breakers) is installed by
electricians. HVAC (Heating, Ventilating and Air Conditioning) gear
(valves, controls, AC units, . . . ) is typically installed by
plumbers, electricians and specialized craftsmen. This installation
normally progresses incrementally, floor by floor, at a time when
other parts of the building may not even be erected while other
parts may already be close to completion. It is important for fast
and efficient progress of the construction that the installed
equipment, especially lighting, can already fulfill its basic
operation at a time before the building automation network has been
properly commissioned and fully parameterized.
[0094] In DALI (Digital Addressable Lighting Interface), for example, all interrupters switch all lights within the DALI loop, as this is the default setting at power-on. At a later stage, the commissioner binds controls to lights and programs groups and scenes. Most of the time a computer is used in the commissioning step, where the commissioning is based on plans provided by the architect. Before completion of the building, the precompiled parameters are programmed into the building automation system. At that stage there is often neither time nor manpower for visiting all nodes of the network in order to install security identifiers. Many network nodes NWN,1 will not even be accessible anymore at that stage, as they are embedded in ceilings or walls.
[0095] The invention therefore considers the following constraints:
[0096] Any steps requiring physical access to network nodes NWN,1 need to be performed during installation, even though neither a network management nor any other central network infrastructure can be assumed to be operational at that time.
[0097] The installation procedures should not be complicated and only the simplest possible manipulations are eligible since, e.g., the staff installing the equipment is limited in its capabilities. It also has to be possible to perform all necessary steps overhead and e.g. with thick working gloves, and without mains power.
[0098] After initial powering of newly installed network nodes NWN,1 or even a network segment, the devices/segment need to be able to provide at least some limited functionality: for example, all lights should work (e.g. all interrupters switch all lights), the network nodes NWN,1 should be able to indicate to the electrician that they were correctly installed, full operation of the security protocols is not required, but vandalism as well as manipulations that may subvert security at a later stage have to be prevented.
[0099] An example of the security protocol according to the invention is now described. While the protocol is described for a number of network nodes NWN,1, the protocol can, of course, also be performed with a single network node NWN,1:
[0100] 1. The network nodes NWN,1 have a MAC level address and a public key (NWN-PUB-KEY) (created at manufacturing time) printed on the casing in computer readable form, e.g. a QR code (or a 2D bar code).
[0101] 2. An electrician uses a mobile commissioning device CD,2 providing a QR code reader, a wireless network interface and a removable storage medium (SD card). The mobile commissioning device CD,2 may additionally provide further interface elements including, e.g., at least one of a "SCAN" button to activate the QR code reader, an "On/Off" switch, and an LED and/or a beeper to, e.g., visually and acoustically indicate successful scanning. Furthermore, the mobile commissioning device CD,2 requires a wireless communication interface to communicate at least with the network nodes NWN,1.
[0102] 3. Whenever the staff installs a network node NWN,1, the barcode is scanned first. The mobile commissioning device CD,2 indicates successful scanning and saves the MAC address and public key (NWN-PUB-KEY) to the storage medium. No communication needs to be performed over the wireless network at scan time, since it is assumed that mains powered devices will not be powered.
[0103] 4. At first power-on of the network nodes NWN,1, they will send a beacon request (IEEE 802.15.4) which is answered by all available networks. The nodes will attempt to join the networks willing to accept new devices. This involves contacting the coordinator and trust center of the respective network (this is a standard procedure as specified e.g. in the ZigBee Home Automation profile). In a specific case, the mobile commissioning device CD,2 acts as temporary network coordinator and trust center, and it will allow joining of the newly powered devices if they were previously scanned and the mobile commissioning device CD,2 therefore finds their MAC addresses on the storage medium.
[0104] 5. After the network nodes NWN,1 have joined, the mobile commissioning device CD,2 will take over ownership of the network nodes NWN,1. This involves the following steps:
[0105] The new network nodes NWN,1 authenticate themselves to the mobile commissioning device CD,2. The network nodes NWN,1 prove that they know the private keys belonging to the public keys (NWN-PUB-KEYs) acquired during scanning of the network nodes;
[0106] The mobile commissioning device CD,2 inscribes itself as owner into the new network nodes NWN,1 by conveying its own public key (CD-PUB-KEY) to them, a procedure the new network nodes NWN,1 will only allow once (unless they are reset to factory defaults);
[0107] The mobile commissioning device CD,2 creates a new OTR for each network node NWN,1, signed by its own private key, and saves the OTR on the storage medium; the OTR can be used at a later stage to transfer ownership of the network nodes NWN,1 from the mobile commissioning device CD,2 to the permanent network coordinator (permanent trust center) TC,3 during final commissioning. Alternatively, the OTR is created and signed by the network node NWN,1 and communicated to the mobile commissioning device CD,2. Alternatively, the security of the OTR is based not on signatures but on a nonce negotiated between network node NWN,1 and mobile commissioning device CD,2.
[0108] The mobile commissioning device CD,2 transfers its public key (CD-PUB-KEY) to the new network nodes, which allows them to function in half-commissioned mode (the lifecycle is advanced from non-commissioned to half-commissioned).
[0109] 6. The new network nodes NWN,1 then enter half-commissioned mode and function in accordance with the requirements. They can also communicate with nodes commissioned by a different mobile commissioning device CD,2, as long as both tools hand out equal network names and network keys (CD-PUB-KEY), or provide other means of establishing trust between different nodes bound to different commissioning devices.
[0110] 7. At any point during or after installation of the network nodes NWN,1, the information stored on the storage medium of the mobile commissioning device CD,2 is transferred to the final trust center TC,3. Then, the first step of commissioning is performed, which is the transfer of the ownership of the devices to the new permanent network coordinator (final trust center TC,3):
[0111] The new permanent network coordinator (final trust center TC,3) first joins the half-commissioned network;
[0112] The permanent network coordinator (final trust center TC,3) then uses the OTRs to transfer its own network key (TC-PUB-KEY), the final public key of the final trust center TC,3, and the network nodes NWN,1 accept the transfer of ownership;
[0113] Finally, the permanent network coordinator (final trust center TC,3) deactivates the network key of the mobile commissioning device CD,2 (CD-PUB-KEY) used for the half-commissioned mode (the lifecycle is advanced from half-commissioned to commissioned);
[0114] This last step implicitly authenticates the new permanent network coordinator to all network nodes NWN,1, because nodes controlled by rogue mobile commissioning devices CD,2 will now forcibly drop off the network, since they are no longer able to participate in key negotiation with the trust center.
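The join and ownership-transfer steps above (steps 3 to 7, and the same flow in [0076] to [0087]), modelled as an added example in Go with ECDSA P-256 signatures from the standard library; this is not code from the patent or from Tridonic. The OTR encoding (the node's MAC signed by the owner that issued it), the challenge-response proof of possession, the MAC value and all type and function names are assumptions made for illustration; the nonce-based OTR variant is not shown.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Node models NWN,1: the MAC and key pair printed on its casing, plus the owner key it trusts
// (nil = non-commissioned, CD-PUB-KEY = half-commissioned, TC-PUB-KEY = commissioned).
type Node struct{ MAC string; Key *ecdsa.PrivateKey; Owner *ecdsa.PublicKey }

// OTR (hypothetical encoding): the node MAC, signed by the owner that issued the record.
type OTR struct{ MAC string; Sig []byte }
func otrDigest(mac string) []byte { h := sha256.Sum256([]byte("OTR|" + mac)); return h[:] }

// Join is the CD side of steps 4-5 at power-on: the node must be on the storage medium (MAC to scanned
// NWN-PUB-KEY) and prove its private key; the CD then inscribes itself as owner (allowed only once) and issues an OTR.
func Join(cdKey *ecdsa.PrivateKey, storage map[string]*ecdsa.PublicKey, n *Node) (OTR, error) {
	pub, ok := storage[n.MAC]
	if !ok || n.Owner != nil {
		return OTR{}, errors.New("join refused: MAC not scanned or owner already inscribed")
	}
	chal := make([]byte, 32) // fresh challenge, used directly as the 32-byte digest to sign
	rand.Read(chal)
	proof, err := ecdsa.SignASN1(rand.Reader, n.Key, chal) // computed on the node side
	if err != nil || !ecdsa.VerifyASN1(pub, chal, proof) {
		return OTR{}, errors.New("node failed to prove possession of its NWN private key")
	}
	n.Owner = &cdKey.PublicKey
	sig, err := ecdsa.SignASN1(rand.Reader, cdKey, otrDigest(n.MAC))
	return OTR{MAC: n.MAC, Sig: sig}, err
}

// TransferOwnership installs a new owner key if the OTR names this node and was signed by the current
// owner ([0112]-[0113]); afterwards the old owner's OTRs no longer verify, so CD-PUB-KEY is deactivated.
func (n *Node) TransferOwnership(otr OTR, newPub *ecdsa.PublicKey) error {
	if n.Owner == nil || otr.MAC != n.MAC || !ecdsa.VerifyASN1(n.Owner, otrDigest(n.MAC), otr.Sig) {
		return errors.New("ownership transfer refused")
	}
	n.Owner = newPub
	return nil
}

// RunScenario takes one node from factory state to the final trust center and reports whether
// TC-PUB-KEY is now its owner and the consumed OTR is refused on replay.
func RunScenario() (bool, error) {
	gen := func() *ecdsa.PrivateKey { k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); return k }
	nodeKey, cdKey, tcKey := gen(), gen(), gen()
	node := &Node{MAC: "00:11:22:33:44:55", Key: nodeKey}                 // constructed MAC
	storage := map[string]*ecdsa.PublicKey{node.MAC: &node.Key.PublicKey} // step 3: QR code scanned
	otr, err := Join(cdKey, storage, node)
	if err == nil {
		err = node.TransferOwnership(otr, &tcKey.PublicKey) // step 7: final trust center takes over
	}
	replay := node.TransferOwnership(otr, &cdKey.PublicKey) // a consumed OTR must be refused
	return err == nil && node.Owner.Equal(&tcKey.PublicKey) && replay != nil, err
}
```

A node whose MAC was never scanned is refused at Join, which is the check that keeps unknown devices out of the half-commissioned network.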
[0115] After step 7, high-grade security is established and the commissioner can continue with commissioning the network. The protocol can be implemented on any IEEE 802.15.4 or similar SoC with adequate resources, or with the help of a crypto coprocessor and secure key storage (a smartcard).
[0116] As mentioned above, the scanning of a barcode can be replaced by comparable technologies such as RFID. RFID allows the mobile commissioning device CD,2 to assume ownership of the nodes at scan time by imprinting its own public key early. The mobile commissioning device CD,2 then does not need to communicate with each device individually at power-on time. The mobile commissioning device CD,2 may also communicate with the device via NFC, which can additionally power the device's microcontroller. Device and mobile commissioning device CD,2 can go through the full protocol at scan time, eliminating the power-on phase completely.
[0117] With infrastructure for ownership management in place, the mobile commissioning device CD,2 can be used to map device identities (addresses) to physical locations. For this purpose the mobile commissioning device CD,2 needs to be aware of the location, which can be achieved in one of the following ways:
[0118] The mobile commissioning device CD,2 features a human interface which allows the electrician to keep track of the room number, and/or
[0119] the building/installation plan features additional information, e.g. barcodes, RFID tags, etc., that encode the location. The staff alternately scans the location from the plan and the device identity from the device to be installed, and/or
[0120] the mobile commissioning device CD,2 supports indoor localization or any other localization technique such as GPS.
[0121] The location-aware mobile commissioning device CD,2 saves the location information together with the OTRs to the removable storage. If the mobile commissioning device CD,2 and the device communicate via RFID or NFC, the mobile commissioning device CD,2 may convey the location information to the device at scan time.
[0122] FIG. 1 exemplarily and schematically shows the components of the inventive system: a network node 1 with a communication interface 11 providing a public key (NWN-PUB-KEY); a mobile commissioning device 2 with a communication interface 21 and a sensor 22 (e.g. a barcode, smartcard, RFID or NFC reader), providing at least a public key (CD-PUB-KEY) but optionally also a (generated) OTR; and a trust center 3 with a communication interface 31, providing a public key (TC-PUB-KEY).
[0123] FIG. 2 shows schematically how the public keys (and also the OTRs) are exchanged in the system with respect to FIG. 1. The dotted arrow 4 shows that a separate communication path is used by the mobile commissioning device CD,2 to obtain (4) the public key (NWN-PUB-KEY) from the network node NWN,1. This communication path differs from the communication path used for the remaining key transmissions 5, 6 and 7.
* * * * *