FR2857537A1 - Communication network access control process for e.g. portable computer, involves communicating network access control local table and unique identifiers of equipments to equipment, and wirelessly communicating table to another equipment - Google Patents

Abstract

The process involves obtaining a mnemonic associated with equipment from a unique identifier. Access authorization of the equipment is updated in a network access control local table corresponding to the mnemonic. The table and unique identifiers of equipments whose mnemonics are stored in the table are communicated to the equipment. The table is wirelessly communicated to another equipment. Independent claims are also included for the following: (a) a device for control of access to a communication network (b) a computer equipment in a communication network (c) an information medium readable by a computer system having computer program instructions to control access to a communication network (d) a computer program stored on an information medium having instructions to control access to a communication network.

Description

2857537 1

  The invention relates to a method for controlling access to a communication network and to equipment implementing such a method.

  More particularly, the method according to the invention allows access control to the network for so-called "hybrid" equipment, that is to say comprising both wired communication means and wireless telecommunications means.

  By wired communication means, will be understood in the remainder of this document, the means of communication through any type of hardware connector, namely for example a cable or a pin, but also the secure wireless communication means on very short distances, for which signal interception is practically impossible, such as capacitive-effect transmissions.

  Thus, and without limitation, the invention can be applied to the access control of laptops to a radio communication network, these computers also having a wired communication interface, for example Ethernet type .

  The invention can also be applied to lighter terminals, such as digital telephones or personal assistants equipped with wireless communication means, of the infrared or radio type, when these terminals furthermore comprise a wired connection, such as the one used, for example and in a known manner, for recording these terminals with a base station.

  SAMSUNG (US 6,163,703) discloses a method for controlling the access of hybrid terminals to a centralized telecommunications network around a base station.

  According to this method, a mobile device receives an identifier from the base station by means of a wired communication, the terminal responding to the base station by sending its identifier by means of a radio communication.

  This method thus makes it possible to prevent the identifier transmitted by the base station to the terminal from being intercepted by another mobile terminal.

  Nevertheless, the method described in the SAMSUNG document has a major disadvantage because it requires any terminal wishing to communicate in the network wireless network to physically connect with the base station. This disadvantage is all the more prejudicial when the base station is installed in an inaccessible place.

  The invention aims to solve the problem mentioned above. To this end, it relates to a method of controlling access to a communication network that can be implemented in a first piece of equipment in the network, the method comprising a wired reception step, originating from a second piece of equipment, a unique identifier of this second equipment.

  The method according to the invention is remarkable in that it further comprises the following steps: obtaining a mnemonic associated with the second device from the unique identifier, and memorizing this mnemonic; -Updated in a first local network access control table, access authorization of the second equipment in correspondence with the mnemonic; wired communication to the second equipment, the first local table and unique identifiers of equipment whose mnemonic is stored in the table; and wirelessly communicating the table to at least one third piece of equipment.

  Thus, according to the access control method according to the invention, the second equipment wishing to communicate in the communication network can transmit its identifier, by means of a wired communication, to any equipment of the network, and not necessarily to a network. dedicated equipment of the base station type.

  The first equipment having received this identifier then obtains a mnemonic of the second equipment and communicates it wirelessly to the other equipment of the network by means of the local table. 30

  On the other hand, the first device receives, wired, the local table of the first device and all the equipment mnemonics of this table, which allows it to establish a correspondence between the identifiers and the symbols of the equipment of the device. network.

  According to the invention, the identifier of a device is never transmitted during a wireless communication and can not be intercepted. The equipment receiving a wireless message uses the above-mentioned correspondence to identify the equipment at the origin of the message.

  Thus, equipment outside the network can not enter the network unless prior to establishing a wired communication with any equipment in the network.

  In a preferred embodiment, the control method according to the invention comprises, on command of a user of the first equipment, a step of replacing, in the first table, the access authorization, by a prohibition of access to the network for the second equipment.

  This feature advantageously allows the user to record the prohibition of access of a device to the communication network by means of this command.

  In a preferred embodiment, the first equipment receives, during the wired reception step, from the second equipment, a second access control table and the unique identifiers of equipment whose mnemonic is stored in this second table.

  This second access control table is maintained by the second device and is similar to the first access control table.

  In this preferred embodiment, the first device updates the first local table taking into account the information contained in the second table.

  Preferably, the first device receives wirelessly, from a third device, a third access control table maintained by this third device and similar to the first access control table; and updates the first local table taking into account the information contained in this third table.

  These characteristics make it possible to propagate within the network the access authorizations and prohibitions of the various devices of the network, without compromising security, since no identifier is transmitted by means of a wireless communication.

  In particular, this feature allows the immediate propagation to all network equipment, a prohibition of access to this network for a particular equipment, without the need to reconnect the equipment by their wired communication means.

  According to a preferred embodiment, taking into account is carried out only if the information contained in the second or in the third table is more recent than that of the first table.

  This feature advantageously avoids conflicts between authorizations and access bans of a particular equipment.

  In a preferred embodiment, each wireless communication message includes the mnemonic associated with the equipment transmitting the message, and the first equipment rejects any wireless communication message if the mnemonic included in this message is not memorized and associated. access permission in the first table.

  This feature enhances the security of the communication network, no message can be received from equipment whose mnemonic is not associated with an access authorization in the access control table local to the receiving equipment of this message.

  Correlatively, the invention relates to a device for controlling access to a communication network that can be incorporated into a first equipment of the network, this device comprising wireless communication means and wired communication means. This device is remarkable: in that the wired means are adapted to receive, from a second equipment, a unique identifier of the second equipment; in that it comprises: means for obtaining, from this unique identifier, a mnemonic associated with the second piece of equipment; means for memorizing this mnemonic; and updating means in a first local access control network table, a network access authorization for the second equipment item, this authorization being associated with the mnemonic; in that the wired communication means are adapted to transmit, to the second equipment, the first local table and the unique identifiers of the equipment whose mnemonic is stored in

this table.

  The invention also relates to a computer equipment in a communication network comprising wired communication means and wireless communication means, this equipment comprising means for implementing an access control method or a control device The invention also provides an information medium readable by a computer system, possibly totally or partially removable, in particular a CD-ROM or magnetic medium, such as a hard disk or a floppy disk, or transmissible medium such as an electrical or optical signal, this medium comprising instructions of a computer program for implementing an access control method as briefly described above, when this program is loaded and executed by a computer system.

  The invention also relates to a computer program stored on an information medium, this program including instructions for implementing an access control method as briefly described above, when this program is loaded and executed by a computer system.

  The particular advantages and characteristics of the access control device, the computer equipment, the information carrier and the computer program being the same as those described above concerning the access control method according to the invention. invention, they will not be recalled here.

  Other aspects and advantages of the present invention will emerge more clearly on reading the description of particular embodiments which will follow, this description being given solely by way of nonlimiting example and with reference to the appended drawings in which: FIG. 1 represents a communication network comprising four hybrid computer equipment according to the invention in a particular embodiment; and FIGS. 2 and 3 represent in flowchart form the main steps of a program implementing an access control method according to the present invention, in a preferred embodiment.

  FIG. 1 represents a communication network R comprising four hybrid computer equipment (or terminals) A, B, C and D according to the invention in a particular embodiment.

  Each terminal A, B, C, D comprises an access control device 100 according to the present invention, in a particular embodiment.

  In order to simplify FIG. 1, only the access control device 100 of the terminal A is represented.

  The access control device 100 comprises wireless communication means 101 and wired communication means 102.

  The wireless communication means 101 are, for example, radio modules that comply with the IEEE802.11a standard or the DECT standard of ETSI.

  The wired communication means 102 are, for example, modules compliant with the Ethernet standard, or with the USB standard.

  The solid lines 105, 106, 107 represent three wire links respectively established between the terminals A and D, A and B, and B and C. The dotted lines 108, 109, 110 represent three wireless links respectively established between the terminals A and D, A and B, and A and C. The access control device 100 comprises a CPU processor associated with a random access memory RAM, a ROM and an EEPROM type memory.

  The ROM ROM of the access control device 100 comprises in particular a computer program PROG implementing the access control method according to the present invention, in a preferred embodiment.

  The computer program PROG will be described later with reference to FIG.

  The wired communication means 102 are adapted to receive a unique identifier ID_B (respectively ID_D) coming from a second equipment B (respectively D) of the network R. In the preferred embodiment described here, these unique identifiers ID_B, ID_D are stored in the EEPROM.

  The wired communication means 102 are also adapted to receive, in particular from the second equipment B, the table local to this equipment and the unique identifiers of the equipment whose mnemonic is stored in this table.

  Thus, the equipment A receives by its wired communication means 102, the local table of the equipment B, this table having the mnemonic MN_C of the equipment C, and the unique identifier ID_C of this equipment.

  The computer program PROG includes an OBT_MN routine for obtaining a mnemonic, from a unique identifier.

  In the preferred embodiment described here, the OBT routine MN randomly generates a mnemonic from a unique identifier.

  Anyway, the routine OBT_MN memorizes the mnemonic obtained in the EEPROM memory.

  Thus, the EEPROM memory of FIG. 1 comprises two registers MN_B and MN_D each memorizing a mnemonic of the same name MN_B, MN_D obtained from the unique identifiers ID_B and ID_D of the terminals B and D. The computer program PROG also comprises a function update of updating, in an access control local table T, access permissions to the network R for the various equipment A, B, C and D of this network R. In the embodiment described here, this local table access control T is stored in the EEPROM.

  The local table T described here comprises a certain number of lines, each of these lines being divided into three columns: a first column comprising the mnemonic of an equipment; a second column comprising either a two-state value representative of the authorization (+) or the prohibition (-) of access to the network for the equipment associated with this mnemonic, or the value 0 when the mnemonic of the first column is that of the terminal comprising the local table T; and a third column storing the date of the change of said two-state value.

  Thus, the local table T of the control device 100 of FIG. 1 comprises: a first line signifying that the table T is local to the terminal whose mnemonic is MN A, the value 0 being memorized in the second column; a second line signifying that the terminal whose mnemonic is MN_B is authorized to access the network R, this authorization 30 having been recorded on the date t1; 2857537 9 - a third line signifying that the access to the network R for the terminal whose mnemonic is MN_C must be prohibited, this prohibition having been recorded on the date t2; and a fourth line signifying that the terminal whose mnemonic is MN_D is authorized to access the network R, this authorization having been recorded on the date t3.

  As described later, the wireless communication means 101 and the wired communication means 102 are adapted to transmit the local table T to another hybrid equipment B, C, D of the network R. On the other hand, only the wired communication means 102 are adapted to transmit the unique identifiers stored in the EEPROM memory.

  The computer program PROG furthermore comprises a function MNG_KEYB for receiving a command from a user, this command comprising an mnemonic MN of a device of the network R. In the preferred embodiment of FIG. 1, this command is entered using a KEYB keyboard.

  On receipt of this command, the function MNG_KEYB obtains the line of the local access control table T having the mnemonic MN 20 in the first column, and stores: in the second column of this line, the value "-" representative of the prohibition of access to the network for the equipment associated with mnemonic MN, and - in the third column of this line, the current date and time t.

  According to the invention, any message received by the wireless communication means 101 includes the mnemonic associated with the network equipment R transmitting this message.

  In the preferred embodiment described here, the wireless communication means 101 comprise a filter F adapted to reject any message whose mnemonic is not memorized and associated with the value "+" in the local access control table. The wired communication means 102 and the wireless communication means 101 are further adapted to receive an access control table respectively T2, T3 from an equipment of the network R. These tables are similar to the access control table T described above.

  In the preferred embodiment described here, these access control tables T2 and T3 are stored in the random access memory RAM.

  Upon receipt of an access control table T2, T3, the update update function updates the local access control table T with the information contained in the table T2, T3 if they are more The updating of the local access control table T will now be explained with reference to FIGS. 2 and 3 which represent in a flowchart the main steps of a PROGR program. implementing an access control method according to the present invention, in a preferred embodiment.

  In the remainder of the description, we will consider that the computer program PROGR is implemented in the terminal A. This program PROGR consists of four main functions, namely: the function RX_Filaire implemented when the terminal A receives data by its wired communication means 102; the function RX Sans_Fil implemented when the terminal A receives data by its wireless communication means 101; the function MNG_KEYB implemented to prohibit access to the network R by a given terminal; and the MNG_CONNECT function for managing the connection mode (wired or wireless) implemented at a given moment.

  We will first describe the RX_Filaire function assuming that the terminal A receives data by its wired communication means 102 from the terminal B. The RX_Filaire function comprises a first step E200 during which the terminal A receives the unique identifier ID_B of the equipment B and stores this unique identifier ID_B in the EEPROM memory.

  During this same reception step E200, the terminal A receives the local table to the equipment B and the unique identifiers of the equipment whose mnemonic is recorded in this table.

  The equipment B being connected by its wired communication means to the equipment C, the local table of the equipment B comprises in particular a line with: the mnemonic MN_C of the equipment C in the first column; - the value "+" in the second column representative of the authorization of access to the network R for the equipment C; and - in the third column, the date t3 at which this authorization was stored.

  On reception, this line is stored in the local table T of the equipment A. Similarly, the unique identifier ID_C of the equipment C is received by the equipment A and stored in its EEPROM memory.

  This reception step is followed by a step E205 for obtaining the mnemonic MN_B from the unique identifier ID_B received in the previous step.

  This obtaining is carried out by implementation of OBT_MN routine for obtaining a mnemonic.

  During this same step E205, the mnemonic MN_B is stored in the EEPROM memory, in association with the unique identifier ID_B.

  The step E205 for obtaining a mnemonic is followed by an update step E210 in the access control table T local to the terminal A of a network access authorization for the equipment B. step uses the updating function update and stores in the row of the table T having in first column the mnemonic MN_B: the sign "+" in the second column; and 2857537 12 -the current date and time t in the third column.

  If the table T does not contain a line containing the mnemonic MN_B in the first column, this line is created during this same step.

  The step E210 for updating the table T is followed by an E215 test in which it is checked whether a T2 access control table from the equipment B has been received by the terminal A. If such is In this case, the result of the E215 acceptance test is positive. This test is then followed by a step E220 updating the local table T using the content of the table T2 received from the equipment B. This update step is also performed by the update function. day update.

  More precisely, in the embodiment described here, the received table T2 is traversed line by line, and for each line: For each current line of the received table T2, the mnemonic MN_x is read in first column. If this mnemonic MN_x is different from the mnemonic MN_A of the equipment A, one seeks if the local table T comprises a line whose first column stores this mnemonic MN_x; If this search is unsuccessful, we create a line in the local table T in which we copy the contents of the current line of the

received table T2.

  On the other hand, if the local table T comprises a line whose first column stores this mnemonic MN_x, it is checked whether the date stored in the third column of this line is earlier than the date stored in the third column of the current row of the table. received T2.

  If this is the case, the information in this row of the local table t is replaced by the information of the current row of the received table T2.

  The step E220 for updating the local table T is followed by a step E225, during which the terminal A transmits to all the terminals with which it is connected by its wired communication means 102, on the one hand the local table T, and secondly the unique identifiers ID_x 2857537 13 associated, in the EEPROM, each mnemonic MN_x stored in the first column of said local table T. The wired transmission step E225 is followed by a step E230 wireless transmission of the local table T, this transmission being effected using the wireless communication means 101.

  The local table T of the terminal A is thus received by all the equipment of the network R having established a wireless communication channel with the terminal A. If the terminal A has not received a table T2 from the equipment B, the result of the E215 test is negative. This test is then followed by the wireless transmission steps E225 and E230 previously described.

  The wireless transmission step E230 terminates the RX_Wire reception function.

  We will now describe the RX_Sans_Fil function assuming that the terminal A receives data by its wireless communication means 101 from the terminal B. In the preferred embodiment described here, each wireless communication message has the associated MN_x mnemonic to the equipment 20 transmitting this message.

  In the example described here, the first step E235 of the RX_Sans_Fil function is a step of receiving a wireless communication message, this message comprising the mnemonic MN_B of the terminal B. This step E235 of receiving a message is followed by an E240 test during which it is checked whether the local table T of the equipment A comprises a line storing in first column the mnemonic MN_B of the received message and the value "+" in the second column.

  If this is not the case, the equipment A rejects this wireless communication message, the E240 test then terminating the RX_Sans_Fil function of receiving a wireless communication message.

  On the other hand, if the local access control table T includes a line storing the mnemonic "MN_B" in the first column and the value "+" in the second column, the result of the test E240 is positive.

  This test is then followed by an E245 test in which it is checked whether the terminal A has received an access control table T3 from the equipment B. This test is similar to the test E215 described above.

  If such a table T3 has been received, during the step E250, the local access control table T is updated with the information contained in this received table T3.

  This step E250 of updating from the table T3 is similar to the step E220 of updating from the table T2 described above.

  The step E250 of updating the local table T from the contents of the table T3 is followed by the wireless transmission steps E225 and E230 previously described.

  Similarly, if the terminal A has not received a table T3 from the equipment B, the result of the test E245 is negative. This test is then followed by the E225 wireless transmission and E230 wireless transmission steps.

  The wireless transmission step E230 terminates the RX_Sans_Fil function of receiving a wireless communication message.

  When a user wishes to prohibit access to the network R by a terminal B, this user enters the mnemonic MN_B of this terminal using the keyboard KEYB.

  This action generates a command with this mnemonic MN_B. Upon receipt of this command the program PROGR implements the function MNG KEYB.

  This function MNG_KEYB comprises a first test E255 in which it is checked whether a command to prohibit access to the network R 30 by a terminal has actually been received.

  If this is not the case, the result of the test E255 is negative and the function MNG KEYB ends.

  On the other hand, if a network access prohibition command has been received, this command having a mnemonic MN_B, the result of the test E255 is positive.

  This test is then followed by an update step E260 in the access control table T local to the terminal A of a network access prohibition for the equipment B. This step uses the updating function MAJ and memorizes in the row of the table T having in first column the mnemonic MN_B: -the sign "-" in the second column; and - the current date and time t in the third column.

  If the table T does not contain a line containing the mnemonic MN_B in the first column, this line is created during this same step. The step E260 of updating the local table T is followed by the steps

  Wired transmission E225 and wireless transmission E230 previously described.

  The wireless transmission step E230 terminates the MNG KEYB function.

  FIG. 3 shows the main steps E300 to E350 of the MNG_CONNECT function for managing the connection mode of the terminal A in a preferred embodiment.

  This function is implemented as soon as the terminal A is powered up. It comprises a first step E300 for obtaining the mnemonic MN_A of the equipment A from its unique identifier ID_A. This obtaining step is similar to the step E205 described above with reference to FIG.

  It is followed by an access control table update step E310. This updating step E310 here consists in creating a first line in the table T, this line comprising the mnemonic MN_A obtained at the step previous in first column, and 0 in second column.

  The updating step E310 is followed by a first E320 loop during which it is tested whether the terminal A is connected by its wired communication means 102 to another terminal.

  When this is the case, this first loop ends and is followed by a step E330 during which the wired terminal is transmitted to the terminal A: - the unique identifier ID_A; and

- the local table T.

  The transmission step E330 is followed by a second loop E340 during which it is tested whether the terminal A is in wireless communication mode.

  In the preferred embodiment described here, it is considered that the terminal A is in wireless communication mode when its wired communication means 102 are disconnected and its wireless communication means 101 are active.

  When these two conditions are met, the second E340 loop ends.

  It is followed by a wireless transmission step E350 of a message comprising the mnemonic MN_A of terminal A. The wireless transmission step E350 is followed by the first E320 loop already described.

Claims (4)

17 CLAIMS   1. A method of controlling access to a communication network (R) that can be implemented in a first device (A) of said network, the method comprising a wired reception step (E200), originating from a second equipment (B), a unique identifier (ID_B) of this second equipment (B), the method being characterized in that it further comprises the steps of: -obtaining (E205) an associated mnemonic (MN_B) the second equipment (B) from said unique identifier (ID_B), and memorizing this mnemonic; update (E210) in a first local access control table (T) to said network (R), access authorization (+) of the second device (B) corresponding to said mnemonic (MN_B) ; wired communication (E225) to the second equipment (B), to said first local table (T) and to unique identifiers (ID_x) of equipment whose mnemonic (MN_x) is stored in said table (T); and -communication without (E230) wire of said table (T) to at least a third equipment.   2. Control method according to claim 1, characterized in that it comprises, on command of a user of said first equipment (A), a replacement step (E260) in said first table (T), said authorization access (+), by a prohibition of access (-) to the network for said second equipment (B).   3. Control method according to claim 1 or 2, characterized in that during said wired reception step (E200), the first equipment (A): 2857537 18 -receives, from the second equipment, a second table access control (T2) maintained by the second device (B) and unique identifiers (ID_x) of the equipment whose mnemonic (MN_x) is stored in said access control table (T2), this table of access control (T2) being similar to the first local access control table (T); and in that it updates (E220) the first local table (T) taking into account the information contained in the second table (T2).   4. Control method according to any one of claims 1 to 3, characterized in that the first equipment: -receives wireless (E235) from a third equipment (B), a third control table d ' access (T3) maintained by the third device (B) and similar to the first local access control table (T); and in that it updates (E250) the first local table (T) taking into account the information contained in the third table (T3).   5. Control method according to any one of claims 3 or 4, characterized in that said taking into account (E220, E250) is performed only if the information contained in said second table or in said third table are more recent than those of said first table.   6. Control method according to any one of claims 1 to 5, characterized in that each wireless communication message comprises the mnemonic (MN_B) associated with the transmitting equipment (B) of said message, and in that said first equipment (A) rejects (E240) any wireless communication message if the mnemonic included in this message is not stored and associated with an access permission (+) in said first table (T).   7. A device for controlling access to a communication network (R) that may be incorporated in a first device (A) of said network, said device (100) comprising wireless communication means (101) means wired communication device (102), and being characterized in: - said wired means (102) are adapted to receive, from a second equipment (B), a unique identifier (ID_B) of the second equipment; in that it comprises: means for obtaining (OBT MN), from said unique identifier (ID_B), a mnemonic (MN_B) associated with the second equipment item (B); means for memorizing said mnemonic (MN_B); and update means (MAJ) in a first local access control (R) access local table (T), a network access access authorization (R) for said second equipment ( B), said authorization (+) being associated with said mnemonic (MN_B); in that said wired communication means (102) are adapted to transmit to the second equipment (B) the first local table (T) and the unique identifiers (ID_x) of the equipment whose mnemonic (MN_x) is stored in said table ( T); and in that said wireless communication means (101) are adapted to transmit said table (T) to at least one third piece of equipment.   8. Control device according to claim 7, characterized in that it comprises: - receiving means (KEYB, MNG_KEYB) a control of a user of said first equipment (A); and replacement means (MAJ), in said first table (T), of said access authorization (+), by a prohibition of access (-) to the network (R) for said second equipment (B) upon receipt of said order. 15   9. A control device according to claim 7 or 8, characterized in that the update means (MAJ) of the first local table (T) take into account information contained in a second access control table. (T2) maintained by the second device (B) and similar to the first local access control table (T), said second table (T2) being received by said wired communication means (102) from the second equipment (B).   10. Control device according to any one of claims 7 to 9, characterized in that said wireless communication means (101) are adapted to receive, from a third equipment (B), a third control table access control (T3) maintained by the third equipment (B) and similar to the first local access control table (T), and in that the updating means (MAJ) of the first local table (T) take into account the information contained in said third table (T3).   11. Control device according to claim 9 or 10, characterized in that the updating means (MAJ) only take into account said information contained in the second table (T2) or in said third table (T3) if they are more recent than those of the first table (T).   12. Control device according to any one of claims 7 to 11, characterized in that each wireless communication message comprising the mnemonic (MN_B) associated with the transmitting equipment (B) of said message, said device comprises means for filtering (F) adapted to reject any wireless communication message if the mnemonic (MN_B) included in the message is not stored and associated with access authorization (+) in said first table (T).   13. Computer equipment in a communication network comprising wired communication means (102) and wireless communication means (101), characterized in that it comprises means (PROGR) for implementing a method. access control system according to one of claims 1 to 6, or an access control device (100)   according to any one of claims 7 to 12.   14. Information carrier readable by a computer system, possibly completely or partially removable, including CD-ROM or magnetic medium, such as a hard disk or a floppy disk, or transmittable medium such as an electrical or optical signal, characterized in that it comprises instructions of a computer program (PROGR) allowing the implementation of an access control method according to any one of claims 1 to 6, when the program is loaded and executed by a computer system.   15. Computer program stored on an information carrier, said program (PROGR) comprising instructions for implementing an access control method according to any one of claims 1 to 6, when this program is loaded and executed by a computer system.