WO2015006815A1 - System and method for efficient credentialing - Google Patents
- Publication number
- WO2015006815A1 (PCT/AU2014/000735)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- credential
- access
- profile
- credential profile
- controlled
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/31—User authentication
- G06F21/33—User authentication using certificates
- G06F21/335—User authentication using certificates for accessing specific resources, e.g. using Kerberos tickets
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/083—Network architectures or network communication protocols for network security for authentication of entities using passwords
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W4/00—Services specially adapted for wireless communication networks; Facilities therefor
- H04W4/02—Services making use of location information
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2141—Access rights, e.g. capability lists, access control lists, access tables, access matrices
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W4/00—Services specially adapted for wireless communication networks; Facilities therefor
- H04W4/02—Services making use of location information
- H04W4/029—Location-based management or tracking services
Definitions
- credentials are widely used to control access by individuals to information or other resources.
- IT computing
- a user name and a secret password is a widely-used means of evidencing an individual's credentials to access an IT account.
- Other access-controlled environments might evidence an individual's credentials using any of a large number of techniques such as fingerprints, voice recognition, retinal scans, X.509 public key infrastructure, and so on.
- Preferred embodiments provide for controlled dissemination of credential profiles, by issuing licenses with each credential profile including distribution control information, lease expiry times, and version information to permit credential profile version control.
- the present invention provides a computer program product comprising computer program code means to make a computer execute a procedure for providing an individual with a credential profile for accessing an access-controlled environment, the computer program product comprising computer program code means for carrying out the method of the first aspect.
- the present invention provides a system for providing an individual with a credential profile for accessing an access-controlled environment; the system comprising:
- At least one administrator device configured to issue, change and/or revoke credential profiles of individuals in relation to the access-controlled environment, and the first device carrying a credential profile defining a desired credential set of an individual
- first device and second device are configured to establish a secure communications connection between the first device and a second device and to transfer the credential profile from the first device to the second device in a secure manner whereby the second device and the credential profile it carries can be used to effect access to access-controlled resources in the access-controlled environment in a manner defined by the credential profile.
- the present specification is directed to acts which a person is permitted to perform, such as the person obtaining access to a restricted site or the person being given control over a restricted-access control system and the like.
- Figure 1 illustrates a first embodiment of the present invention implemented in an access controlled environment
- Figure 2 generally illustrates an intelligent remote control device suitable for implementation of the present invention
- Figures 3a, 3b and 3c illustrate the motion, velocity profiles and acceleration profiles, respectively, consistent with a nudge performed to effect transfer of a credential profile
- Figure 4 is a flowchart illustrating the method for dissemination of a credential profile in accordance with an embodiment of the present invention.
- smartphones and/or tablets 202, 204 are used to undertake monitoring and control of the smart environment 250 controlled by the system.
- the overall master control functionality of this system is in an on-site smart meter controller 210 such as, by way of non-limiting example, in the manner set out in WO 2010/091450 by the present applicant, the contents of which are incorporated herein by reference.
- the server 210 may instead be in the cloud running on a server, for example.
- the smart box 210 holds information regarding the reticulation network for utilities at the site (schematics) as well as the control and monitoring style and rules.
- the smart box 210 is responsible for synchronizing any changes to the credential profile of a newly credentialed IRD 204 and these changes are one directional from smart box 210 to IRD 204.
- the smartphones 202, 204 are used as they are suitable for use as intelligent remote control devices with displays, referred to herein as IRD.
- Smartphones 202, 204 are used to visualize key information and to invoke command and control of the site 250.
- An advantage of using an IRD instead of a purpose-built control device is that smartphones and other IRDs have the ability to reconfigure the user interface displayed by the device, for example to incorporate changes in the manner in which monitoring and control can be undertaken.
- the IRDs 202, 204 can be configured to allow an individual to perform tasks such as switching lights 252 on or off, adjusting settings of an air conditioner 254 or heater whether temporarily or to reprogram the ongoing operation thereof, gaining read only (playback) or full edit access to a media store 256 holding photos or videos, and access secure areas within the building such as a utilities basement or server room 258.
- These access-controlled environments 252, 254, 256, 258 are simply by way of example and a considerably larger number of such devices and areas may be selectively controlled in accordance with the present invention.
- the credential profile may enable access to statistics and data for the site 250, or be used to provide access to the control of specific devices like air conditioning or general area lighting programs.
- the present embodiment recognises that with increasingly smart buildings and/or increasing requirements for finely gradated access control to sites, there are many challenges for access controlled sites in providing for command and control of the site, and granting access to the site.
- to give control and access credentials by conventional means is complex, and typically unique to the site and devices in question.
- Authentication and permissions for the user of the IRD need to be set up, including how long these permissions would apply.
- To repeat this process if a second device is to be credentialed for control and access is laborious. This is particularly problematic when considering day visitors to work sites, short term contractors, or guests at a domestic site, who often must be given use of the smart infrastructure at the site and/or access credentials to access-controlled areas at considerable effort but only for a very short period of time.
- the present embodiment provides for the configuration, sharing and controlled distribution of credential profiles for IRDs.
- a credential profile is created by or otherwise loaded into an administrator device at 402.
- suitable application software running in the administrator device and secondary device such as an app
- a primary-to-secondary transfer is effected as illustrated in Figure 3a. Both devices are placed on a flat table or surface, and the user of the secondary device leaves their device on the surface without holding or touching it.
- primary device 202 is moved by its user, with velocity vector 304, while secondary device 204 remains stationary.
- primary device 202 is moving more quickly, with velocity vector 314, approaching stationary secondary device 204.
- primary device 202 is caused to collide with secondary device 204.
- Velocity profile 352 of device 202 increases slowly, at a rate defined by normal human motion. However, the velocity decreases rapidly at the time of the collision with the secondary device. At the same time, the velocity 354 of the secondary device increases suddenly from zero, then reduces gradually under friction. Correspondingly, the acceleration 362 of device 202 is initially small and positive. At the moment of the collision, device 202 undergoes a sudden negative acceleration. At the same time, secondary device 204 suddenly accelerates 364 before gradually decelerating after the collision. These acceleration and/or velocity profiles allow a typical nudge characteristic to be detected, and used by the app in each device to confirm the intention of the users to update the credential profile of device 204.
- the nudge between the devices 202, 204 is monitored by the respective accelerometer of the device (Figure 2), and is recorded then dispatched to a server.
- the server can validate that the transfer between the devices 202, 204 is authorized. Then the transfer of the credential profile is commenced between the two devices 202, 204 indirectly via the server.
- the user of the primary device 202 is prompted by the app to separately confirm whether the required credential profile update is a clone (resulting in two credentialed devices) or a transfer (in which the originating device is de-credentialed), the lease timeframe, whether the receiver is permitted to further distribute the credential profile, the security level the receiver can have, whether the nudge is limited in number (e.g. 1) or unlimited nudges are permitted, and in the case of a transfer the lease stipulates whether the IRD configuration reverts or lapses.
- the smart box 210 revokes the lease certificate for the originator IRD 202 and the parties involved in the nudge are advised that the IRD was transferred.
- the administrator device 202 being associated with the person who already has monitoring/control authority over the site, may store and/or disseminate one or more
- the device 202 may further provide such credential profiles for more than one access-controlled site or environment, including for example the person's home and work.
- the device 202 may be a primary administrator device in one environment, such as that user's home, while simultaneously being a secondary device for another environment, such as the user's workplace, or a gym or club.
- the credential profile which configures the secondary device 204 to be an IRD for environment 250 has a lease certificate that specifies whether the credential profile can be further distributed by the secondary device 204 to another device.
- the lease certificate also specifies a location within which further distribution can occur, such as within the physical area of the site 250.
- the lease certificate further specifies a time-window for which the credential profile is current, after which the app deactivates the credential profile in the secondary device 204.
- Updates to the credential profile of device 204 may be made as required from time to time.
- the credential profile can be changed, and tailored in terms of functionality, for example so that the display visualization of the remote control dashboard can be altered, as well as the manner in which devices 252 etc are controlled.
- This adaptation is also monitored by the administrator device 202 by way of suitable status reports issued by the app of device 204 and/or smart box 210.
- the provision of versioning information with the credential profile enables the recipient 204 to later receive another version of a credential profile and undertake version control.
- the initial cloned or transferred credential profile will be deactivated or revoked and the new version will become the active credential profile.
- Persistent policies associated with the first credential profile may be maintained and applied in respect of second and subsequent credential profiles. In this way the originating (ancestor) party of generations of updated descendant credential profiles is able to observe which credential profile is the dominant current version.
- the present embodiment of the invention therefore allows authorized users to easily and with minimal effort transfer a credential profile to IRD 204 of a third party, using a natural gesture of pushing one IRD into another. This automated data transfer, version control and so on, minimizes errors of setting up the configuration for an IRD.
- the present embodiment allows visitors to sites to obtain credentials and also to obtain the ability to monitor and control a site. This can be done efficiently even for only temporary site visitors, so that after a period of time or when the visitor leaves the site the credential profile is revoked.
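The server-side authorization of a nudge and the lease and version rules described above can be sketched as follows. This is an added example, not code from the patent or its applicant: the `Lease` fields, the `authorize_nudge` and `supersede` functions, the circular site boundary, and the rules that a child lease cannot outlive its parent and that stale versions are refused are all assumptions made for illustration.

```python
from dataclasses import dataclass, replace
from math import hypot
from typing import Optional, Tuple

@dataclass(frozen=True)
class Lease:
    """Hypothetical lease certificate; every field name here is an assumption."""
    holder: str                       # device id, e.g. "IRD-202"
    profile_version: int              # versioning information sent with the profile
    expires_at: int                   # end of the validity window, epoch seconds
    may_redistribute: bool            # may the holder pass the profile on?
    nudges_left: Optional[int]        # None means unlimited nudges
    site_centre: Tuple[float, float]  # metres on a local site grid
    site_radius_m: float              # area within which distribution is allowed
    revoked: bool = False

class Denied(Exception):
    """Raised with the reason a request was refused."""

def authorize_nudge(parent, receiver, mode, now, where, lease_secs, allow_further=False):
    """Server-side check before a profile is relayed; returns (parent, child) leases."""
    if mode not in ("clone", "transfer"):
        raise Denied("unknown mode")
    if parent.revoked:
        raise Denied("lease revoked")
    if now >= parent.expires_at:
        raise Denied("lease expired")
    if not parent.may_redistribute:
        raise Denied("redistribution not permitted")
    if parent.nudges_left is not None and parent.nudges_left <= 0:
        raise Denied("nudge limit reached")
    dx, dy = where[0] - parent.site_centre[0], where[1] - parent.site_centre[1]
    if hypot(dx, dy) > parent.site_radius_m:
        raise Denied("outside distribution area")
    child = replace(
        parent, holder=receiver, revoked=False,
        # Assumption: a child lease never outlives the lease it came from.
        expires_at=min(parent.expires_at, now + lease_secs),
        may_redistribute=allow_further,
        nudges_left=1 if allow_further else 0,  # constructed policy
    )
    spent = None if parent.nudges_left is None else parent.nudges_left - 1
    # A transfer de-credentials the originating device; a clone leaves it active.
    parent = replace(parent, nudges_left=spent, revoked=(mode == "transfer"))
    return parent, child

def supersede(active, incoming):
    """Version control: the newer profile becomes active, the old one is revoked."""
    if incoming.holder != active.holder:
        raise Denied("lease issued to another device")
    # Assumption: equal or older versions are refused so a replayed profile cannot roll back.
    if incoming.profile_version <= active.profile_version:
        raise Denied("stale version")
    return replace(active, revoked=True), incoming

if __name__ == "__main__":
    # Constructed sample: admin device 202 clones its profile to visitor device 204.
    admin = Lease("IRD-202", 3, 1_000_000, True, 1, (0.0, 0.0), 50.0)
    print(authorize_nudge(admin, "IRD-204", "clone", 999_000, (10.0, 5.0), 3600))
```

Every refusal carries its reason, so the server can log why a nudge was rejected and advise both parties.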
Priority Applications (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
AU2014292812A AU2014292812A1 (en) | 2013-07-19 | 2014-07-18 | System and method for efficient credentialing |
AU2018267586A AU2018267586A1 (en) | 2013-07-19 | 2018-11-20 | System and method for efficient credentialing |
AU2021206802A AU2021206802A1 (en) | 2013-07-19 | 2021-07-19 | System and method for efficient credentialing |
AU2023222866A AU2023222866A1 (en) | 2013-07-19 | 2023-08-29 | System and method for efficient credentialing |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
AU2013902685A AU2013902685A0 (en) | 2013-07-19 | System and method for efficient credentialing | |
AU2013902685 | 2013-07-19 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2015006815A1 (en) | 2015-01-22 |
Family
ID=52345617
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/AU2014/000735 WO2015006815A1 (en) | 2013-07-19 | 2014-07-18 | System and method for efficient credentialing |
Country Status (2)
Country | Link |
---|---|
AU (4) | AU2014292812A1 (en) |
WO (1) | WO2015006815A1 (en) |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20030005333A1 (en) * | 2001-06-26 | 2003-01-02 | Tetsuya Noguchi | System and method for access control |
US20060149970A1 (en) * | 2000-12-28 | 2006-07-06 | Morgan Stanley | Authentication method and device |
-
2014
- 2014-07-18 WO PCT/AU2014/000735 patent/WO2015006815A1/en active Application Filing
- 2014-07-18 AU AU2014292812A patent/AU2014292812A1/en not_active Abandoned
-
2018
- 2018-11-20 AU AU2018267586A patent/AU2018267586A1/en not_active Abandoned
-
2021
- 2021-07-19 AU AU2021206802A patent/AU2021206802A1/en not_active Abandoned
-
2023
- 2023-08-29 AU AU2023222866A patent/AU2023222866A1/en active Pending
Patent Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20060149970A1 (en) * | 2000-12-28 | 2006-07-06 | Morgan Stanley | Authentication method and device |
US20030005333A1 (en) * | 2001-06-26 | 2003-01-02 | Tetsuya Noguchi | System and method for access control |
Also Published As
Publication number | Publication date |
---|---|
AU2018267586A1 (en) | 2018-12-06 |
AU2021206802A1 (en) | 2021-08-05 |
AU2014292812A1 (en) | 2016-03-10 |
AU2023222866A1 (en) | 2023-09-14 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN107111697B (en) | Role-based access control for connected consumer devices | |
CN106411857B (en) | A kind of private clound GIS service access control method based on virtual isolation mech isolation test | |
US10616207B2 (en) | Context and device state driven authorization for devices | |
CN106537871B (en) | System, method and apparatus for providing registration of devices in a network | |
EP3738029B1 (en) | Method and system for managing sub-tenants in a cloud computing environment | |
RU2483476C2 (en) | Network node and method of installing distributed network security architecture | |
Agarwal et al. | Buildingdepot: an extensible and distributed architecture for building data storage, access and sharing | |
KR102168392B1 (en) | Registry apparatus, agent device, application providing apparatus and corresponding methods | |
US20190372981A1 (en) | Methods and resources for creating permissions | |
WO2014068632A1 (en) | Facility management device, facility management system and program | |
EP2820584B1 (en) | System and method for access decision evaluation for building automation and control systems | |
JP2016106495A (en) | Remote control and remote control system | |
CN105225072B (en) | Access management method and system for multiple application systems | |
KR20160082937A (en) | Unlocking method of managing permissions and authentication devices | |
US10587622B2 (en) | System of third party control of network connected devices | |
CN108322432A (en) | A kind of mechanism application rights management method and service system based on tree-like tissue model | |
EP3539274B1 (en) | Structure-based access control | |
US20160309304A1 (en) | Determining and navigating to a target location | |
Fantacci et al. | Short paper: Overcoming IoT fragmentation through standard gateway architecture | |
JP2013171388A (en) | Management system and system management method | |
AU2023222866A1 (en) | System and method for efficient credentialing | |
CN116325844A (en) | Techniques for managing smart home configuration | |
CN111183400A (en) | User preference utilization in remote applications | |
US10069823B1 (en) | Indirect access control | |
KR20100070763A (en) | Access control method and device of usn middleware |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 14826334; Country of ref document: EP; Kind code of ref document: A1 |
 | NENP | Non-entry into the national phase | Ref country code: DE |
 | ENP | Entry into the national phase | Ref document number: 2014292812; Country of ref document: AU; Date of ref document: 20140718; Kind code of ref document: A |
 | 122 | Ep: pct application non-entry in european phase | Ref document number: 14826334; Country of ref document: EP; Kind code of ref document: A1 |