EP3360293A1 - Means for managing access to data - Google Patents
- Publication number
- EP3360293A1 (EP16793941.2A)
- Authority
- EP
- European Patent Office
- Prior art keywords
- module
- data
- communication network
- access
- communication
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Withdrawn
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/50—Network services
- H04L67/56—Provisioning of proxy services
- H04L67/568—Storing data temporarily at an intermediate stage, e.g. caching
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L12/00—Data switching networks
- H04L12/28—Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
- H04L12/2854—Wide area networks, e.g. public data networks
- H04L12/2856—Access arrangements, e.g. Internet access
Definitions
- The present invention relates to data management means that can be used by users, particularly in a mobility situation. More particularly, the invention relates to a method and a system capable of enabling automated data backup from a plurality of devices, duplication of data saved on various devices coupled to one or more networks, secure sharing of data with a plurality of users, and remote access to the data of each user, including when said user is in a mobility situation.
- It is then necessary for the mobile device to be able to exchange requests and data with the data management system, via the Internet, in the uplink direction (that is, from the mobile device to the data management system) and in the downlink direction (that is, from the data management system to the mobile device).
- the network termination equipment generally has a public address - for example an address designated by the acronym "IP” for "Internet Protocol", representing an entry point accessible via the Internet, to the network.
- Network termination equipment is typically coupled to a firewall device that handles inbound and outbound connections to terminals connected to the local network.
- the firewall device is configured to allow outgoing connections using the hypertext transfer protocol, more generally referred to by the acronym "HTTP" for "HyperText Transfer Protocol", or outgoing connections using the secure hypertext transfer protocol, more generally referred to by the acronym "HTTPS" for "HyperText Transfer Protocol Secure".
- the data management system can transmit requests and data to the mobile device connected to the Internet, using usual means, for example using the HTTP or HTTPS protocol.
- the firewall device is generally configured to block incoming connections using the HTTP or HTTPS protocol to the terminals connected to the local network. The transmission of requests and data from the mobile device connected to the Internet to the data management system, therefore requires the implementation of specific solutions.
- a first solution is to manually modify the rules implemented by the firewall device to allow incoming connections to the data management system from the mobile device.
- this solution is impractical and difficult to implement because it requires an additional configuration step of the network termination equipment from the user, which can be difficult for an inexperienced user, and complex and tedious if many terminals must be allowed.
- a second solution is to use an automatic configuration protocol, compatible with the terminating equipment.
- Among automatic configuration protocols, mention may be made of the UPnP IGD protocol (acronym for "Universal Plug and Play Internet Gateway Device"), the PCP protocol (acronym for "Port Control Protocol") or the NAT Port Mapping Protocol (for "Network Address Translation Port Mapping Protocol").
- the network termination equipment is not necessarily compatible with the automatic configuration protocols mentioned, or these may be available only after a configuration and activation phase. Also, to deal with the situation where the network termination equipment only manages certain automatic configuration protocols, it is necessary to test the protocols one after the other to determine those compatible with the network termination equipment to which the data management system is connected.
- each data management system must have a URL (acronym for "Uniform Resource Locator") of its own. This URL must therefore be configured to point to the public IP address of the network termination equipment, which poses various security problems by exposing the local network to different types of attacks such as denial of service attacks, or deviation (more commonly referred to as "pharming"), etc.
- the use of an automatic configuration protocol may cause conflicts with other terminals coupled to the local network that may use the same configuration options as the data management system.
- a data management system coupled to a local area network provided with a network termination equipment itself coupled to an external network, the data management system being accessible by a terminal connected indifferently to the local network or the external network, without requiring a prior configuration step by a user of the network termination equipment.
- An object of the invention is to provide efficient data management means, coupled to a local area network provided with a network termination equipment itself coupled to an external network, the data management system being accessible through a terminal connected indifferently to the local network or to the external network, without requiring a prior configuration step by a user of the network termination equipment.
- Another object of the invention is to provide efficient means of data management, ensuring a high level of security, in particular by guaranteeing access to the data to authorized users only.
- Another object of the invention is to allow the use of reliable, inexpensive and widely used means, without requiring the use of infrequent protocols or specific or dedicated technical infrastructure.
- Another object of the invention is to allow access to data by a user, when the latter is in a mobility situation.
- the invention relates to a method for transmitting, a first set of data accessible by a management module on a first communication network, to an access module coupled to a second communication network.
- the first communication network and the second communication network are coupled via a third communication network.
- a communication module is coupled to the third communication network and configured to enable the establishment of a bidirectional communication channel between the management module and the access module.
- the method comprises:
- the management module can transmit the first set of data to a storage module coupled to the third communication network.
- the location on the third network described by the first address can then be determined by the storage module, the first set of data then being stored by the storage module at the location on the third network described by the first address, the first address then being transmitted by the storage module to the management module.
- the management module transmits the first set of data to the storage module in an encrypted form capable of guaranteeing access to the data of the first set only to the entities having knowledge of at least one first security element, the first data set in its encrypted form then being stored by the storage module at the location on the third network described by the first address.
- the security element is for example a password, a certificate or any cryptographic element adapted to allow encrypting the first set of data.
- the management module can transmit the first set of data to the storage module, via a secure communication channel, for example using the HTTPS secure hypertext transfer protocol.
- the storage module can erase the first set of data at the location on the third network described by the first address, after a predetermined lapse of time after storing the first set of data at the location described by the first address.
- the third step is implemented only if a user at the origin of the transmission of the first request has been previously authenticated and / or has rights necessary and sufficient to access the first set of data.
- An authentication method using authentication tokens more generally designated by the Anglo-Saxon term "token”, can be used for this purpose.
- the invention relates to a management module, and optionally a storage module, adapted to implement the method according to the first aspect.
- the invention relates to a method for receiving, on an access module coupled to a second communication network, a first set of data accessible by a module of management on a first communication network.
- the first communication network and the second communication network are coupled via a third communication network.
- a communication module is coupled to the third communication network and configured to enable the establishment of a bidirectional communication channel between the management module and the access module.
- the method comprises:
- the access module can obtain the first set of data by transmitting a request to download the first set of data to a storage module coupled to the third communication network, the download request comprising the first address, the location on the third network described by the first address then being used by the storage module to access the first set of data, the first set of data then being transmitted by the storage module to the access module.
- the invention also relates to an access module and optionally a storage module, adapted to implement the method according to the second aspect.
- the invention relates to an interconnection method, by a communication module coupled to a third communication network, capable of allowing reception, on an access module coupled to a second communication network, a first set of data accessible by a management module on a first communication network.
- the first communication network and the second communication network are coupled via the third communication network.
- the communication module is configured to allow the establishment of a bidirectional communication channel between the management module and the access module.
- the method comprises:
- the invention also relates to a communication module adapted to implement the method according to the third aspect.
- the invention relates to a method for receiving a second set of data accessible by an access module on a second communication network, on a management module coupled to a first communication network.
- the first communication network and the second communication network are coupled via a third communication network.
- a communication module is coupled to the third communication network and configured to enable the establishment of a bidirectional communication channel between the management module and the access module. The method comprises:
- the management module can obtain the second set of data by transmitting a request to download the second set of data to a storage module coupled to the third communication network, the download request comprising the second address, the location on the third network described by the second address being then used by the storage module for accessing the second set of data, the second set of data then being transmitted by the storage module to the access module.
- the invention also relates to a management module, and optionally a storage module, adapted to implement the method according to the fourth aspect.
- the invention relates to a method for transmitting a second set of data accessible by an access module on a second communication network, to a management module coupled to a first communication network.
- the first communication network and the second communication network are coupled via a third communication network.
- a communication module is coupled to the third communication network and configured to enable the establishment of a bidirectional communication channel between the management module and the access module.
- the method comprises:
- the access module can transmit the second set of data to a storage module coupled to the third communication network.
- the location on the third network described by the second address can then be determined by the storage module, the second set of data then being stored by the storage module at the location on the third network described by the second address, the second address is then transmitted by the storage module to the access module.
- the access module transmits the second set of data to the storage module in an encrypted form capable of guaranteeing access to the data of the second set only to the entities having knowledge of the second set of data.
- the second set of data in its encrypted form then being stored by the storage module at the location on the third network described by the second address.
- the security element is for example a password, a certificate or any cryptographic element adapted to allow encrypting the first set of data.
- the access module can transmit the second set of data to the storage module, via a secure communication channel, for example using the HTTPS secure hypertext transfer protocol.
- the storage module can erase the second set of data at the location on the third network described by the second address, after a predetermined period of time after storing the second set of data at the location described by the second address.
- the second step is implemented only if a user at the origin of the transmission of the second request has been previously authenticated and/or has rights necessary and sufficient to request the transfer of the second set of data to the management module.
- An authentication method using authentication tokens more generally designated by the Anglo-Saxon term “token”, can be used for this purpose.
- the invention also relates to an access module, and optionally a storage module, adapted to implement the method according to the fifth aspect.
- the invention relates to an interconnection method, by a communication module coupled to a third communication network, able to allow the reception, on a management module coupled to a first communication network, of a second set of data accessible by an access module on a second communication network.
- the first communication network and the second communication network are coupled via the third communication network, the communication module being configured to enable the establishment of a bidirectional communication channel between the management module and the access module.
- the method comprises: A first step of transmitting, to the management module, a second request, sent by the access module destined for the management module, the second request comprising the second address and information indicating that the access module wishes to transmit the second set of data to the management module.
- the invention also relates to a communication module adapted to implement the method according to the sixth aspect.
- the invention relates to a computer program comprising instructions for carrying out the steps of the method according to the first aspect, according to the second aspect, according to the third aspect, according to the fourth aspect, according to the fifth aspect, or according to the sixth aspect, when said program is executed by a processor.
- Each of these programs can use any programming language, and be in the form of source code, object code, or intermediate code between source code and object code, such as in a partially compiled form, or in any other desirable form.
- scripting languages such as in particular Tcl, JavaScript, Python, Perl that allow "on demand" code generation and do not require significant overhead for their generation or modification.
- the invention relates to a computer-readable recording medium on which is recorded a computer program comprising instructions for executing the steps of the method according to the first aspect, according to the second aspect, according to the third aspect, according to the fourth aspect, according to the fifth aspect, or according to the sixth aspect.
- the information carrier may be any entity or any device capable of storing the program.
- the medium may comprise storage means, such as a ROM, for example a CD-ROM or a microelectronic circuit ROM, or a magnetic recording means, for example a diskette or a hard disk.
- the information medium may be a transmissible medium such as an electrical or optical signal, which may be conveyed by an electrical or optical cable, by radio or by other means.
- the program according to the invention can be downloaded in particular on an Internet or Intranet network.
- the information carrier may be an integrated circuit in which the program is incorporated, the circuit being adapted to execute or to be used in the execution of the method in question.
- the invention also relates to a system comprising:
- At least one management module according to the first and / or fourth aspect, coupled to a first communication network;
- At least one access module according to the second and / or fifth aspect, coupled to a second communication network;
- At least one communication module according to the third and / or sixth aspect, coupled to a third communication network;
- At least one storage module coupled to the third communication network.
- FIG. 1 is an architecture diagram of a system for remote access to data, according to one embodiment of the invention
- FIG. 2 is a diagram of a management module according to one embodiment of the invention.
- FIG. 3 is a diagram of an access module according to one embodiment of the invention.
- FIG. 4 is a block diagram of the steps of a method of access to data by an access module, according to one embodiment
- Figure 5 is a block diagram of the steps of a data backup method, accessible from the computer access module, according to one embodiment
- FIG. 6a is a block diagram of the steps of a method of authenticating a user with the management module, according to one embodiment
- FIG. 6b is a block diagram of the steps of a service request method, formulated by an authenticated user, with the management module, according to one embodiment.
- Detailed description
- FIG. 1 is an architecture diagram of a remote access system to data, according to one embodiment of the invention.
- the system comprises a management module 12, a communication module 14, a storage module 16, and at least one access module 18, 20, 22.
- the management module 12 comprises a processing device 32 equipped with a central computing unit (more generally designated by the acronym “CPU” for “Central Processing Unit”) and memories.
- the management module 12 is adapted to execute a set of instructions forming a software, in order to implement the steps of the method to be executed by the management module 12 and described hereinafter with reference to FIGS. 4, 5, 6a and 6b.
- the management module 12 further comprises a communication interface 34, coupled to the processing device 32, adapted to allow access to a local area network Rd of communication.
- the local network Rd is interconnected to a network 10 so as to allow the management module 12 to exchange data with the devices coupled to the local network Rd or the communication network 10.
- the local network Rd is a home network, interconnected via network termination equipment (not shown in the figures), to the Internet.
- the management module 12 also includes storage means 36, for example a hard disk and / or an electronic disk (more generally designated by the acronym "SSD” for "solid-state drive”).
- the storage means 36 make it possible to store data and to authorize the access module to read and / or write said data.
- the management module 12 can be implemented on a standalone device. Alternatively, the management module 12 can be implemented on a device having other functionalities, for example a home application server, a network termination equipment or a computer.
- Said at least one access module can be a mobile device access module 18, a computer access module 20, or a web browser access module 22.
- the system can comprise several modules, each access module can be one of the three types presented above. As illustrated in FIG.
- the access module comprises a processing device 42 equipped with a central computing unit (more generally designated by the acronym "CPU" for "Central Processing Unit") and random-access memories (more generally referred to by the acronym "RAM" for "Random-Access Memory").
- the access module is adapted for executing a set of instructions forming a software, in order to implement the steps of the method to be performed by the access module and described below with reference to Figures 4, 5, 6a and 6b.
- the access module includes storage means 44, for example a hard disk and / or an electronic disk (more generally designated by the acronym “SSD” for "solid-state drive”).
- the storage means 44 can store data and allow the access module to read and / or write said data.
- the access module also comprises a communication interface 46, coupled to the processing device 42, adapted to allow access to an external REXT communication network.
- the external REXT network is interconnected to the network 10 so as to allow the access module to exchange data with the devices coupled to the local network Rd or the communication network 10.
- the external REXT network may be a network accessible to a user in a mobility situation, typically via wireless access, and interconnected to the Internet.
- the access module also comprises a user interface 48, provided for example with input and display means.
- the communication interface 46 may also be adapted to allow access to the local network Rd, so that the access module can be used in a mobility situation but also in a local situation.
- the mobile device access module 18 can be implemented on a device of the mobile phone or tablet type, provided with an application adapted to implement the steps of the method to be executed by the access module and described hereinafter with reference to Figures 4, 5, 6a and 6b.
- the computer access module 20 can be implemented on a device of the desktop or laptop type, provided with an application adapted to implement the steps of the method to be executed by the access module and described hereinafter with reference to FIGS. 4, 5, 6a and 6b.
- the web browser access module 22 can be implemented on any device adapted to execute a Web browser, and provided with a Web application adapted to implement the steps of the method to be executed by the access module and described below with reference to Figures 4, 5, 6a and 6b.
- the storage module 16 is coupled to the communication network 10.
- the storage module 16 is configured to receive data from terminals connected to the network 10, for storing said data and for transmitting to the terminals connected to the network 10 said data.
- the storage module 16 is for example a file server coupled to the Internet.
- the storage module 16 is accessible by the mobile device access module 18, by the computer access module 20, and by the web browser access module 22, when the access module is coupled to the local network Rd or to the external network REXT.
- the communication module 14 is coupled to the communication network 10.
- the communication module 14 is configured to allow bidirectional exchange, via the communication network 10, of requests and/or data between the management module 12, the storage module 16, and the access module(s) 18, 20, 22.
- the communication module 14 is configured to establish bidirectional communication channels (or "full-duplex" in English) in connected mode using the transmission control protocol - more generally designated by the acronym "TCP” for "Transmission Control Protocol", suitable for browsers and Web servers.
- the communication module 14 is configured to enable the implementation of the Web standard protocol WebSocket designating an application layer network protocol and a programming interface of the World Wide Web.
- the WebSocket protocol is described in particular in the document Request For Comments 6455 (http://tools.ietf.org/html/rfc6455).
- the use of the communication module implementing the WebSocket protocol makes it possible, in particular, to exchange messages between the entities of the access system according to the invention in a bidirectional manner, without the need for a prior request to have been issued by one of the system entities so that another system entity has the right to send a message to it: thus all entities in the system can send a request directly to the other entities.
- the communication channels used to exchange information between, on the one hand, the management module 12, the storage module 16, and the access module(s) 18, 20, 22 and, on the other hand, the communication module 14 can be secured, for example by using the HTTPS protocol.
- the messages exchanged between the management module 12, the storage module 16, the access module(s) 18, 20, 22 and the communication module 14 may be in a structured data format, for example the JSON format ("JavaScript Object Notation"), described in particular in the document Request For Comments 7159.
- Each access module 18, 20, 22 is configured to access the communication module 14 and, through the latter, to exchange messages with the management module 12, the storage module 16, and optionally with the other access modules 18, 20, 22.
- the communication module 14 can be configured to use an active waiting method, more generally referred to by the English term "polling": the communication module 14 can send to each entity of the system according to the invention, at regular intervals, an HTTP request and immediately receive a response. The latter is subsequently used by the communication module 14 to transfer a message, as soon as said entity sends to the communication module 14 a request.
- the communication module 14 can be configured to use a broadcasting method, more generally referred to by the Anglo-Saxon term "streaming": Each access module 18, 20, 22 sends a complete request to the module 14. The latter returns and maintains an open response, updated continuously. The communication module 14 can then respond to said access module 18, 20, 22 with a message, without closing the response, so that the connection between the communication module 14 and the access module remains open, for future exchanges.
- the steps of the method described below with reference to FIGS. 4, 5, 6a and 6b can be implemented in software by the execution of a set of instructions or a program by a programmable processing device, such as a personal computer, a signal processing processor and/or a microcontroller; or alternatively in hardware by a machine or a dedicated component, such as a programmable logic circuit, for example of the type commonly designated by the acronym "FPGA" for "Field Programmable Gate Array", or an integrated circuit specific to an application, more commonly referred to by the acronym "ASIC" for "Application-Specific Integrated Circuit".
- With reference to FIG. 6a, a method of authenticating a user to the management module 12, according to one embodiment, will now be described.
- the following example describes the case where a user wishes to authenticate with the management module 12, using the web browser access module 22.
- the authentication method could be implemented by the user using the mobile device access module 18 or the computer access module 20.
- AUTH authentication information able to enable the authentication of the user by the management module 12 is received by the access module for web browser 22.
- AUTH authentication information is for example an identifier and a password.
- the web browser access module 22 then transmits, to the communication module 14, a RAUTH request to the management module 12 to authenticate the user.
- the request R1 comprises for example the following elements:
- An identification element making it possible to determine the sender of the request, in this case the web browser access module 22;
- In a second step 320, after receiving the RAUTH request, the communication module 14 transmits the RAUTH request to the management module 12.
- In a third step 330, after receiving the RAUTH request transmitted by the communication module 14, the management module 12 checks the validity of the authentication information AUTH. For example, the management module 12 may ensure that the AUTH authentication information received corresponds to that of one of the users of a list of users authorized to access the management module 12.
- During the third step 330, if the AUTH authentication information is considered valid by the management module 12, the latter generates a TOK authentication token, specific to the user, more generally designated by the Anglo-Saxon term "token". The security token is used to prove an identity electronically (such as a customer trying to access his bank account).
- the management module 12 then transmits, to the communication module 14, a RPAUTH response to the web browser access module 22.
- the response RPAUTH comprises for example the following elements:
- in a fourth step 340, after receiving the RPAUTH response, the communication module 14 transmits the RPAUTH response to the web browser access module 22.
- in a fifth step 350, after receiving the RPAUTH response transmitted by the communication module 14, the web browser access module 22 records, for later use, the TOK authentication token included in the response RP2, and can display and/or record the information that the authentication succeeded, or display, if necessary, an error message indicating that the authentication has failed.
- a method for a service request made by an authenticated user to the management module 12, according to one embodiment, will now be described.
- the following example describes the case where a user has previously been authenticated, for example following the implementation of the method illustrated in FIG. 6a.
- the service request method could be implemented by the user using the mobile device access module 18 or the computer access module 20.
- the web browser access module 22 transmits, to the communication module 14, a request R3 addressed to the management module 12 to request a service.
- the service corresponds to a request to obtain a list of images accessible via the management module 12.
- the request R3 comprises for example the following elements:
- An identification element making it possible to determine the sender of the request, in this case the web browser access module 22;
- in a second step 370, after receiving the request R3, the communication module 14 transmits the request R3 to the management module 12.
- in a third step 380, after receiving the request R3 transmitted by the communication module 14, the management module 12 verifies the validity of the TOK authentication token. For example, the management module 12 can ensure that the authentication token TOK corresponds to a token it has previously generated, and/or that the TOK authentication token is still valid.
- the management module 12 executes the actions requested in the request R3, in this example determining a list of accessible images.
- the management module 12 transmits, to the communication module 14, a response RP3 addressed to the web browser access module 22.
- the response RP3 includes the list of accessible images.
- the management module 12 transmits, to the communication module 14, a response RP3 to the module
- the response RP3 includes information that the requested actions cannot be performed because the user has not been authenticated.
- in a fourth step 390, after receiving the response RP3, the communication module 14 transmits the response RP3 to the web browser access module 22.
- in a fifth step 350, after receiving the response RP3 transmitted by the communication module 14, the web browser access module 22 can display and/or save the list of accessible images or display, where appropriate, the message indicating that the requested actions cannot be performed because the user has not been authenticated.
- the data can be of various kinds, for example images, documents, videos, etc.
- the data can be accessed by the management module 12.
- the data may for example be stored on storage means, coupled to the local network Rd, to which the management module 12 can access.
- the following example describes the case where a user wishes to access an F1 file, accessible by the management module 12, using the mobile device access module 18.
- the method could equally be applied using the computer access module 20 or the web browser access module 22.
- the mobile device access module 18 transmits, to the communication module 14, a request R1 addressed to the management module 12 to obtain the file F1.
- the request R1 comprises for example the following elements:
- An identification element making it possible to determine the sender of the request, in this case the mobile device access module 18;
- the communication module 14 transmits the request R1 to the management module 12.
- the management module 12 receives the request R1 and transfers the file F1 to the storage module 16.
- the management module 12 can encrypt the file F1 before transmitting it to the storage module 16.
- the F1 file arrives on the storage module in encrypted form and is stored as such.
- the management module 12 can also use a secure communication channel to the storage module 16, for example by transferring the file F1 using the HTTPS protocol.
- in a fourth step 140, after receiving the file F1, the storage module 16 determines an address A1, for example a URL address, by means of which the terminals connected to the communication network 10 can reach the location on the storage module 16 where the F1 file is stored. The storage module 16 then transmits said address A1 to the management module 12.
- in a fifth step 150, after the end of the transmission of the file F1 to the storage module 16, the management module 12 transmits, to the communication module 14, a response RP1 addressed to the mobile device access module 18.
- the response RP1 for example includes the following elements:
- Security elements making it possible to decrypt the file F1, if the file F1 has been transmitted by the management module 12 in encrypted form to the storage module 16.
- the management module 12 receives the response RP1, then transmits the response RP1 to the mobile device access module 18.
- the mobile device access module 18 receives the response RP1. After extracting the address A1 from the response RP1, the mobile device access module 18 downloads the file F1 from the address A1, on the storage module 16. For this, the management module 12 can send, to the storage module 16, a request to download the F1 file with the address A1. Once downloaded, if the file F1 is in encrypted form, the mobile device access module 18 can decrypt the file F1 using the security elements received in the response RP1. The F1 file can then be saved or displayed.
- the storage module 16 can store the file F1 for a predetermined period, typically a few minutes, during which the file F1 could be downloaded again, after which it is automatically deleted.
- the storage module erases the F1 file at the address F1 once a predetermined lapse of time, typically a few minutes, has passed after the completion of the fourth step 140.
- the data access method described in FIG. 4 requires the prior authentication of the user of the mobile device access module 18 to download the file F1.
- the method of authenticating a user with the management module 12, described in Figure 6a, can be used, after which the user has a TOK authentication token.
- the service request method, illustrated in FIG. 6b, can then be implemented, the service then corresponding to the access to the file F1.
- the request R1 will still include the authentication token TOK, and the third step 130, fourth step 140, and fifth step 150 are executed only if the management module considers the TOK authentication token received in the request R1 as valid.
- the data access method may also require that the user of the access module has the rights necessary and sufficient to download the file F1.
- the data can be of various kinds, for example images, documents, videos, etc.
- the data can be accessed by the computer access module 20.
- the data can be for example stored on the storage means 44 of the computer access module 20.
- the following example describes the case where a user wishes to save an F2 file, using the computer access module 20.
- the method could equally be applied using the mobile device access module 20 or the web browser access module 22.
- the computer access module 20 transmits the file F2 to the storage module 16.
- the access module 12 can encrypt the file F2 before transmitting it to the storage module 16.
- the file F2 arrives on the storage module in encrypted form and is stored as such.
- the computer access module 20 can also use a secure communication channel to the storage module 16, for example by transferring the file F2 using the HTTPS protocol.
- in a second step 220, after receiving the file F2, the storage module 16 determines an address A2, for example an address
- the storage module 16 then transmits said address A2 to the computer access module 20.
- the request R2 comprises for example the following elements:
- An identification element making it possible to determine the sender of the request, in this case the computer access module 20;
- in a fourth step 240, after receiving the request R2, the communication module 14 transmits the request R2 to the management module 12.
- the management module 12 receives the request R2. After extracting the address A2 from the request R2, the management module 12 downloads the file F2 from the address A2, on the storage module 16. For this, the management module 12 can send, to the storage module 16, a request to download the file F2 with the address A2. Once downloaded, the file F2 can then be saved by the management module 12, for example by using backup and/or storage means connected to the local network RD. If the file F2 has been encrypted, the management module 12 can save the file F2 in an encrypted form. If the file F2 has not been previously encrypted, the management module 12 can save the file F2 in an encrypted form.
- the storage module 16 can store the file F2 for a predetermined period, typically a few minutes, during which the file F2 could be downloaded again, after which it is automatically deleted.
- the management module 12 transmits, to the communication module 14, a response RP2 addressed to the computer access module 20.
- the response RP2 comprises for example a confirmation that the F2 file has been successfully saved or, where applicable, an error message if the backup operation failed.
- the communication module 14 receives the response RP2, then transmits the response RP2 to the computer access module 20.
- the computer access module 20 receives the response RP2, and can display and/or record the information that the backup of the file F2 succeeded or display, where appropriate, the error message.
- the data backup method requires the prior authentication of the user of the computer access module 20 to save the file F2.
- the method of authenticating a user with the management module 12, described in Figure 6a, can be used, after which the user has a TOK authentication token.
- the service request method, illustrated in FIG. 6b, can then be implemented, the service then corresponding to the backup of the file F2.
- the request R2 will still include the TOK authentication token, and the third step 230, fourth step 240, and fifth step 250 are executed only if the management module considers the TOK authentication token received in the request R2 as valid.
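The token check of FIG. 6a and 6b and the short-lived address A1 of the data access method fit together as shown in the Python below. This is an added example, not code from the patent: the class and method names, the `storage.example` address, the 300 s and 900 s lifetimes, PBKDF2 password hashing, digest-only token storage and the per-file allow-list are assumptions, and the optional encryption of F1 is left out. Callers pass the current time as `now` (for instance `time.time()`).

```python
import hashlib, hmac, secrets

def _pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _digest(tok):
    return hashlib.sha256(tok.encode()).hexdigest()

class StorageModule:
    """Stand-in for storage module 16: keeps a file briefly at an unguessable address."""
    def __init__(self, keep_seconds=300):            # "a few minutes"; 300 s is assumed
        self.keep, self.blobs = keep_seconds, {}

    def put(self, data, now):
        address = "https://storage.example/" + secrets.token_urlsafe(32)
        self.blobs[address] = (data, now + self.keep)
        return address                                # plays the role of A1

    def get(self, address, now):
        data, deadline = self.blobs.get(address, (None, 0))
        if now >= deadline:                           # unknown or expired: erase and refuse
            self.blobs.pop(address, None)
            return None
        return data

class ManagementModule:
    """Stand-in for management module 12: checks AUTH, issues and validates TOK."""
    def __init__(self, storage, files, token_ttl=900):
        # files maps name -> (bytes, set of users allowed to download it)
        self.storage, self.files, self.ttl = storage, files, token_ttl
        self.users, self.tokens = {}, {}

    def add_user(self, ident, password):
        salt = secrets.token_bytes(16)
        self.users[ident] = (salt, _pw_hash(password, salt))

    def authenticate(self, ident, password, now):     # RAUTH -> RPAUTH
        salt, stored = self.users.get(ident, (b"\0" * 16, b""))
        if not hmac.compare_digest(_pw_hash(password, salt), stored):
            return None                               # same work for unknown users
        tok = secrets.token_urlsafe(32)
        # Store only a digest so a leaked token table holds no usable tokens.
        self.tokens[_digest(tok)] = (ident, now + self.ttl)
        return tok

    def _user_for(self, tok, now):
        ident, deadline = self.tokens.get(_digest(tok or ""), (None, 0))
        return ident if now < deadline else None

    def request_file(self, tok, name, now):           # R1 -> RP1
        user = self._user_for(tok, now)
        if user is None:
            return {"ok": False, "error": "not authenticated"}
        data, allowed = self.files.get(name, (None, ()))
        if user not in allowed:                       # missing and forbidden look alike
            return {"ok": False, "error": "not permitted"}
        return {"ok": True, "address": self.storage.put(data, now)}
```

Authentication and authorization fail with different messages, but a file that does not exist and a file the user may not read are indistinguishable to the caller.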
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer And Data Communications (AREA)
- Mobile Radio Communication Systems (AREA)
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
FR1559605A FR3042362B1 (fr) | 2015-10-09 | 2015-10-09 | Means for managing access to data |
PCT/FR2016/052563 WO2017060624A1 (fr) | 2015-10-09 | 2016-10-05 | Means for managing access to data |
Publications (1)
Publication Number | Publication Date |
---|---|
EP3360293A1 (de) | 2018-08-15 |
Family
ID=55361614
Family Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
EP16793941.2A Withdrawn EP3360293A1 (de) | 2015-10-09 | 2016-10-05 | Means for managing access to data |
Country Status (3)
Country | Link |
---|---|
EP (1) | EP3360293A1 (de) |
FR (1) | FR3042362B1 (de) |
WO (1) | WO2017060624A1 (de) |
Family Cites Families (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP2273761A1 (de) * | 2009-06-26 | 2011-01-12 | France Telecom | Access to content of a distributed data storage system |
FR2969444A1 (fr) * | 2010-12-20 | 2012-06-22 | France Telecom | Selective distribution of a multicast stream |
2015
- 2015-10-09 FR FR1559605A patent/FR3042362B1/fr not_active Expired - Fee Related
2016
- 2016-10-05 WO PCT/FR2016/052563 patent/WO2017060624A1/fr active Application Filing
- 2016-10-05 EP EP16793941.2A patent/EP3360293A1/de not_active Withdrawn
Also Published As
Publication number | Publication date |
---|---|
WO2017060624A1 (fr) | 2017-04-13 |
FR3042362B1 (fr) | 2017-12-01 |
FR3042362A1 (fr) | 2017-04-14 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PUAI | Public reference made under article 153(3) epc to a published international application that has entered the european phase | Free format text: ORIGINAL CODE: 0009012 |
| 17P | Request for examination filed | Effective date: 20180509 |
| AK | Designated contracting states | Kind code of ref document: A1 Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR |
| AX | Request for extension of the european patent | Extension state: BA ME |
| STAA | Information on the status of an ep patent application or granted ep patent | Free format text: STATUS: THE APPLICATION HAS BEEN WITHDRAWN |
| 18W | Application withdrawn | Effective date: 20181004 |