Classifications

• • H—ELECTRICITY
  • H04—ELECTRIC COMMUNICATION TECHNIQUE
  • H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  • H04L63/00—Network architectures or network communication protocols for network security
  • H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
  • H04L63/0807—Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
• • H—ELECTRICITY
  • H04—ELECTRIC COMMUNICATION TECHNIQUE
  • H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  • H04L12/00—Data switching networks
  • H04L12/02—Details
  • H04L12/12—Arrangements for remote connection or disconnection of substations or of equipment thereof
• • H—ELECTRICITY
  • H04—ELECTRIC COMMUNICATION TECHNIQUE
  • H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  • H04L12/00—Data switching networks
  • H04L12/66—Arrangements for connecting between networks having differing types of switching systems, e.g. gateways
• • H—ELECTRICITY
  • H04—ELECTRIC COMMUNICATION TECHNIQUE
  • H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  • H04L63/00—Network architectures or network communication protocols for network security
  • H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
• • H—ELECTRICITY
  • H04—ELECTRIC COMMUNICATION TECHNIQUE
  • H04W—WIRELESS COMMUNICATION NETWORKS
  • H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
  • H04W12/06—Authentication
• • H—ELECTRICITY
  • H04—ELECTRIC COMMUNICATION TECHNIQUE
  • H04W—WIRELESS COMMUNICATION NETWORKS
  • H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
  • H04W12/08—Access security

Definitions

• TITLE Method for managing a request for access to a local communication network, method for processing a request for access to a local communication network, method for requesting access to a local communication network, devices , management platform, gateway, user terminal, system and related computer programs.
• the field of the invention is that of a local, domestic or professional communication network, managed by a gateway, to which user equipment is connected, the gateway and the equipment being configured to be put on standby when not in use.
• the invention relates to remote access by a user to this local network and the waking up of the gateway and equipment of this network, when the user is authorized to access it.
• Ethernet networks To allow equipment to remain on standby, but to be woken up at any time, whether at the request of a user or automatically, it is also known, on Ethernet networks, to send a wake-up packet to the IP address of the gateway which manages the local communication network, this packet mentioning the MAC address of the equipment to be woken up.
• the invention improves the situation.
• the invention meets this need by proposing a method for managing a request for access to a service operated by a local communication network managed by an access gateway to a remote communication network.
• Said method is implemented by a management platform connected to the remote network and comprises:
• the invention proposes an entirely new and inventive approach to solving the problem of remote access of a user terminal to a local communication network.
• This approach consists in delegating the task of authorizing or prohibiting access to the network requested by the user to a platform managed by the operator of the remote network.
• the latter therefore has the responsibility of verifying upstream that the user requesting access to the local network is indeed authorized to do so, before actually waking up the gateway, when the gateway which manages this network is in a standby state.
• the gateway is active, the wake-up message is simply treated as a request for access to the local network controlled by the management platform.
• the remote network operator controls and secures access to a user's local communication network.
• the user is subscribed to a remote access management service to the local communication network managed by his home gateway. He accesses it via an application installed on his terminal, a web application or even a web page, whose human/machine interface allows him to formulate his access request.
• the invention allows the user to reconcile comfort of use, energy saving and computer security.
• the method comprises the transmission to the user terminal of a request for selection of a local network and the transmission of the wake-up message is triggered, on receipt of a response comprising the identifier of the selected local communication network, intended for the gateway that manages the selected local communication network.
• the man/machine interface available on the user terminal to communicate with the management platform is simple and does not allow the user to choose the local network to which he wishes to access or when the user requests access to a network local for which he does not have access authorization, it is the platform which advantageously offers this choice to the user.
• the access request also includes the identifier of the selected local network and the Verification of user rights authorization consists, at the level of the management platform, in searching for this local network identifier in the access rights associated with the user identifier.
• the method comprises, following the transmission of the wake-up message, the reception of a validation of an authorization to access the service from the gateway and the response is transmitted to the terminal user, following said receipt.
• the filtering carried out upstream is stricter.
• the gateway only receives connection requests from user terminals for which it has validated the authorization granted by the platform.
• the validation of an access authorization received from the gateway comprises an access authorization token and the response transmitted to the user terminal comprises said token.
• the access authorization token because it has been validated by the gateway in response to the platform's validation request, constitutes a correlation link between the access authorization it has granted to the platform management and the request for connection to its network which it then receives from the user terminal.
• One advantage is to facilitate the control of connection requests at the gateway level.
• the gateway which generates this authorization token.
• the authorization token is generated by the platform and transmitted to the gateway in a request for validation of a user's access authorization.
• the gateway reinserts it in the response from validation.
• An advantage of this variant is that the platform on the one hand has a CPU capacity generally greater than that of the gateway and on the other hand that it is legitimate to support this generation because it is the guarantor gateway access security.
• the access authorization token is generated by the user terminal which transmits it to the management platform in its request for access to the local network.
• the invention also relates to a computer program product comprising program code instructions for the implementation of a management method according to the invention, as described previously, when it is executed by a processor.
• the invention also relates to a recording medium readable by a computer on which the computer programs as described above are recorded.
• Such recording medium can be any entity or device capable of storing the program.
• the medium may comprise a storage means, such as a ROM, for example a CD ROM or a microelectronic circuit ROM, or even a magnetic recording means, for example a USB key or a hard disk.
• such a recording medium may be a transmissible medium such as an electrical or optical signal, which may be conveyed via an electrical or optical cable, by radio or by other means, so that the program computer it contains is executable remotely.
• the program according to the invention can in particular be downloaded on a network, for example the Internet network.
• the recording medium may be an integrated circuit in which the program is incorporated, the circuit being adapted to execute or to be used in the execution of the aforementioned management method.
• the invention also relates to a device for managing a request for remote access to a local communication network managed by an access gateway to a remote communication network.
• Said device is configured to implement at the level of a management platform connected to the remote network:
• said device is configured to implement the aforementioned method for managing an access request, according to its different embodiments.
• said device is integrated into a management platform, said platform being connected to the remote communications network.
• the management platform, the management device and the aforementioned corresponding computer program have at least the same advantages as those conferred by the aforementioned management method according to the various embodiments of the present invention.
• the invention also relates to a method for processing a request for remote access to a local communication network managed by a remote network access gateway.
• a method for processing a request for remote access to a local communication network managed by a remote network access gateway is implemented by said gateway and comprises:
• connection of the user terminal On receipt of a connection request from the user terminal, connection of the user terminal to the local network.
• the WAN interface of the gateway which manages the local network only processes the wake-up messages emanating from the management platform put in place by the operator of the remote network. As this platform has already filtered the access requests upstream, it only has to validate the authorizations submitted by the platform.
• said method comprises obtaining a connection authorization token and the access authorization validation response comprises said token.
• the gateway obtains an access authorization token that it transmits to the management platform.
• This token is intended to be inserted by the user terminal in its connection request because it allows the gateway to easily establish a correlation link between the authorization that it has validated at the request of the platform. She obtains this token either by generating it herself, or she receives it from the platform in her validation request.
• the method comprises obtaining wake-up constraints comprising authorized time periods and prohibited time periods and verifying that the wake-up of the gateway is authorized in the current time period.
• the invention also relates to a computer program product comprising program code instructions for implementing a processing method according to the invention, as described previously, when it is executed by a processor.
• the invention also relates to a recording medium readable by a computer on which the computer programs as described above are recorded.
• Such recording medium can be any entity or device capable of storing the program.
• the medium may comprise a storage means, such as a ROM, for example a CD ROM or a microelectronic circuit ROM, or even a magnetic recording means, for example a USB key or a hard disk.
• such a recording medium may be a transmissible medium such as an electrical or optical signal, which may be conveyed via an electrical or optical cable, by radio or by other means, so that the program computer it contains is executable remotely.
• the program according to the invention can in particular be downloaded on a network, for example the Internet network.
• the recording medium may be an integrated circuit in which the program is incorporated, the circuit being adapted to execute or to be used in the execution of the aforementioned processing method.
• the invention also relates to a device for processing a request for remote access to a local communication network managed by an access gateway to a remote network.
• Such a device is configured to implement at said gateway:
• a management platform connected to the remote network, said platform being configured to receive a request for access to a service operated by said local communication network from a user terminal connected to the remote network and verifying authorization of said terminal to access said service;
• connection of the user terminal On receipt of a connection request from the user terminal comprising at least the identifier of the gateway, connection of the user terminal to the local network.
• said device is configured to implement the aforementioned method for processing an access request, according to its different embodiments.
• said device is integrated into an access gateway to a remote communication network, configured to manage a local communication network.
• the gateway, the processing device and the aforementioned corresponding computer program have at least the same advantages as those conferred by the aforementioned processing method according to the various embodiments of the present invention.
• the invention also relates to a method for requesting remote access to a local communication network managed by an access gateway to a remote communication network by a user terminal connected to the remote network.
• Said method is implemented by the user terminal and comprises:
• the user terminal only has to know the address of the management platform and have access rights to the local network stored in this platform in order to be able to access the local network.
• the response further comprises a network access authorization token and the connection request comprises said token.
• This token constitutes a correlation link between the access authorization validation requested by the platform and granted by the gateway and the connection request to the gateway sent by the user terminal. It facilitates and secures the control of connection requests received by the gateway.
• This token can be generated by the gateway or by the management platform or even by the terminal. If necessary, it transmits it to the platform via its request for access to the local network.
• the method further comprises a selection of a local network from among a plurality of authorized local networks, upon receipt of a selection request received from the management platform or from the user terminal.
• One advantage is to allow the user to easily choose a local network without having to memorize the identifier of the gateway which manages it. This selection can be offered to him when he does not specify which local network he wishes to access or when his access request includes a local network identifier which he is not authorized to access.
• the man/machine interface available on the terminal is simple and only allows a connection to the management platform.
• it is the platform that asks the user to select a network and/or a device and/or a service among those to which he is authorized.
• the man/machine interface available from the user terminal allows the user to locally select the network to which he wishes to access. For example, a menu is offered to the user.
• the access request sent by the terminal includes the identifier of the requested network.
• the invention also relates to a computer program product comprising program code instructions for the implementation of a method for requesting access to a local area network according to the invention, as described previously, when it is executed by a processor.
• the invention also relates to a recording medium readable by a computer on which the computer programs as described above are recorded.
• Such recording medium can be any entity or device capable of storing the program.
• the medium may comprise a storage means, such as a ROM, for example a CD ROM or a microelectronic circuit ROM, or even a magnetic recording means, for example a USB key or a hard disk.
• such a recording medium may be a transmissible medium such as an electrical or optical signal, which may be conveyed via an electrical or optical cable, by radio or by other means, so that the program computer it contains is executable remotely.
• the program according to the invention can in particular be downloaded on a network, for example the Internet network.
• the recording medium may be an integrated circuit in which the program is incorporated, the circuit being adapted to execute or to be used in the execution of the aforementioned access request method.
• the invention also relates to a device for requesting remote access to a local communication network managed by an access gateway to a remote communication network by a user terminal connected to the remote network.
• Said device is configured to implement at the user terminal level:
• said device is configured to implement the aforementioned access request method, according to its different embodiments.
• said device is integrated in a user terminal connected to the remote network.
• the aforementioned terminal, the access request device and the corresponding computer program have at least the same advantages as those conferred by the aforementioned access request method according to the various embodiments of the present invention.
• the invention finally relates to a system for managing remote access to a local communication network managed by an access gateway to a remote network.
• Said system comprises the aforementioned gateway, management platform and user terminal.
• FIG 1 presents an example of architecture of a system for managing remote access to a local communications network according to the invention
• FIG 2 schematically illustrates examples of the architecture of a management platform integrating a device for managing a request for remote access to a service according to one embodiment of the invention, a gateway access to the remote network configured to manage the local network and a user terminal requesting remote access according to one embodiment of the invention;
• FIG 3 describes in the form of a flowchart the steps of a method for managing a request for remote access to a local communication network, according to an exemplary embodiment of the invention
• FIG 4 describes in the form of a flowchart the steps of a method for processing a request for remote access to a local communication network, according to an exemplary embodiment of the invention
• FIG 5 describes in the form of a flowchart the steps of a method for requesting remote access to a local communication network, according to an exemplary embodiment of the invention
• FIG 6 describes in the form of a flowchart the exchanges between the user terminal, the management platform and the access gateway to the local communication network according to a first embodiment of the invention
• FIG 7 describes in the form of a flowchart the exchanges between the user terminal, the management platform and the access gateway to the local communication network according to a second embodiment of the invention
• FIG 8 describes an example of the hardware structure of a device for managing a request for access to a local communication network according to the invention
• FIG 9 describes an example of the hardware structure of a device for processing a request for access to a local communication network according to the invention
• FIG 10 describes an example of the hardware structure of a device for requesting access to a local communication network according to the invention.
• the general principle of the invention is based on the implementation of a management platform in a remote communication network, which manages all requests for access to the local communication network from a remote network access gateway by coming from a user terminal connected to this remote network. To do this, it receives the request for access to a local communication network, verifies that the user is authorized to access this local network, wakes up the gateway which manages this local network, if necessary, validates this access authorization by the gateway and redirects this validation to the user terminal. With the connection information received from the platform, the user terminal can then connect to the gateway and access the requested network. He can then ask the gateway to access a device/service on the local network.
• This invention finds numerous applications both in everyday and professional life, for any type of user terminal, such as a smart phone, a tablet, a laptop computer, etc., which is connected to a WAN ("Wide Access Network”, in English) who wishes to remotely access services of a local communication network LAN (“Local Access Network”, in English) of his personal or professional environment.
• WAN Wide Access Network
• LAN Local Access Network
• this invention is particularly advantageous when the gateway which manages it is in a standby state.
• service operated in the local communication network denotes, in the broad sense, one or more functions performed by one or more devices connected to this network. This is, for example, remote access to a photo album stored in a NAS network storage server connected to a user's home network.
• a service can also include a more complex sequence of functions defined by a program or script, and require cooperation between different resources or equipment. This is the case, for example, of a presence simulation service involving several devices of the local network or even of a local video broadcasting service whose implementation is based on the cooperation of storage resources, communication in local network and video broadcasting (decoder/screen).
• FIG. 1 an example of the architecture of a management system 10 of a request for access to a communication network LAN by a user terminal TU connected to a remote communication network WAN d an operator according to an exemplary embodiment of the invention.
• the communication network LAN is managed by a gateway GW for access to the remote network WAN supplied by the operator to a user who has taken out a subscription with this operator.
• the gateway is connected to the remote WAN network by an ADSL or fiber link. Of course, it can also connect to the operator's cellular network via a 2G to 5G type link.
• the LAN network is a home network, to which several devices are connected such as a CAM camera, a network storage server or NAS (Network Attached Storage), an STB (Set Top Box”, in English) or even a PLG connected socket, an LGT connected lamp and a PC personal computer. These devices are connected to the gateway GW.
• the NAS storage server, the LGT connected lamp and the PLG connected socket are connected to the GW gateway by a wired link, for example of the Ethernet, USB or CPL type on electrical wiring
• the STB decoder and the CAM camera are connected by a radio wireless link, for example Wi-Fi and the personal computer PC is connected via the LTG connected lamp by an optical wireless link of the LiFi type.
• other types of wireless link can be used such as Bluetooth, Bluetooth Low Energy, z-wave, zigbee, DECT-ULE etc.
• terminals such as the smart telephone (smartphone) TU or the portable computer (laptop) LTP of at least one user U to be connected to the local area network LAN but which are, in the example in Figure 1, away from home and connected to the remote WAN network.
• terminals such as the smart telephone (smartphone) TU or the portable computer (laptop) LTP of at least one user U to be connected to the local area network LAN but which are, in the example in Figure 1, away from home and connected to the remote WAN network.
• the user has left his home and has gone to a resort for several days.
• the administrative user of the gateway and of the local area network LAN of the house which may or may not be the user U, has placed at least part of the equipment of this network in the standby state.
• he activated the "Prolonged absence" usage situation on a service administration portal for his home gateway GW offered by his operator.
• this portal is accessible from a mobile application installed on his TU telephone or a web application accessible from a web browser on his LTP laptop.
• the explicit passage in this situation of use induces for example:
• standby commands (ad hoc Ethernet packet) to equipment likely to be woken up during this period, whether on demand or by fixed or semi- random (simulation of presence), such as for example STBs, televisions, connected lamps,
• gateway stopping non-essential and energy-intensive interfaces on the gateway, such as, where applicable, Wi-Fi or 4G/5G, and maintaining others, such as BLE and Ethernet,
• BLE Bluetooth Low Energy
• the gateway GW which manages it is in a standby state. For example, he wishes to access the LAN network to view on his terminal TU a photo album stored in the storage server NAS.
• the system 10 comprises a management platform PTF managed by the operator of the remote network WAN and connected to this network.
• This platform is configured to receive and manage a request for remote access to a LAN network service sent by the user terminal.
• the system 10 also comprises the gateway GW configured to manage the local network LAN and to route the communications of the user terminals connected to the network LAN to the remote network WAN.
• the system 10 finally comprises the user terminal TU.
• FIG. 2 represents an example of architecture of the PTF management platform, according to one embodiment of the invention.
• the platform PTF comprises a device 100 for managing a request for remote access to the local area network LAN according to the invention, configured to receive this request for remote access from the user terminal TU, verifying that it is authorized to access the requested local area network LAN using access rights previously stored in memory, if necessary waking up the home gateway GW, obtaining an access authorization validation and redirect it to the user terminal.
• the access rights are for example recorded in a table TA1 in association with an identifier of the user IDU or of his terminal in a local or remote memory MEM, for example organized as a database, to which the platform PTF can to access.
• the device 100 can be independent of the management platform PTF, but connected to it by any link, wired or not.
• the management device 100 comprises a reception module REC. RA of a request for access to a local network originating from the user terminal TU, the request comprising at least one identifier of the user IDU, a verification module VER. DA of a user's authorization to access the requested network, a wake-up module WOW GW of the gateway, configured to be implemented when the user is authorized to access the network, a module for obtaining OBT. IA of an authorization validation by the gateway, and a TRNS transmission module. IA to user terminal TU gateway connection information.
• the verification can relate to the terminal, the user, or both:
• the user's identifier is that of the terminal or of the instance of the application in charge of the usage session
• the device 100 also comprises an AUTH module for authentication of the management platform with the gateway GW. It may also comprise a module for requesting the selection of a local network RSEL to the user terminal from among a plurality of authorized local networks and a module for obtaining SEL of the local network selected by the user terminal from the transmitted plurality. It may also include a module for obtaining OBT. JA of a gateway access authorization token, said token being intended to be transmitted to the user terminal in the gateway connection authorization information.
• the device 100 finally comprises a TX/RX module for receiving and transmitting information via the remote LAN network. Alternatively, it uses the transmission/reception module of the PTF platform in which it is integrated.
• the non-volatile memory MEM1 advantageously comprises a table TA1 associating access rights to one or more local communication networks LAN and to equipment/services of this network with an identifier of the user.
• the device 100 thus implements the method for managing a request for remote access to a local communication network according to the invention which will be detailed below in relation to FIG. 3.
• FIG. 2 also presents an example of architecture of a gateway GW according to one embodiment of the invention.
• the gateway GW comprises a device 200 for processing a remote access request sent by a user terminal to a local area network LAN according to the invention, configured to receive a message from wake up from the PTF platform, if necessary wake up, validate a service access authorization request from the platform and send it a validation response including gateway connection information and, upon receipt of a connection request from the user terminal, treat his request favorably when it includes said connection information.
• the device 200 can be independent of the gateway GW, but connected to the latter by any wired or non-wired link.
• the processing device 200 comprises a reception module REC. WOW of a wake-up message from the PTF management platform, a VAL validation module.
• IA of a request for authorization to access the service from the management platform PTF and the transmission to said management platform of a validation response TRNS.
• IA including gateway connection information.
• the device 200 also comprises a module for connecting the user terminal to the service upon receipt of a connection request comprising the connection information to said gateway.
• the device 200 also comprises an authentication module AUTH PTF of the management platform PTF and a transmission module RSEL EQ to the user terminal of a request for selection of an equipment/service from among a plurality of equipment/services which the user is authorized to access. It may include a module JA for obtaining an access authorization token, said token then being inserted into the validation response to the platform among the connection information. This token can be generated by the gateway itself or received from the platform.
• the device 200 finally comprises a TX/RX module for receiving and transmitting information via an interface with the remote network LAN and another interface with the local communication network LAN. Alternatively, it uses the transmission/reception module of the GW gateway in which it is integrated.
• the non-volatile memory MEM2 advantageously comprises a table TA2 associating access rights to the local communication network LAN and to equipment/services of this network with an identifier of the user.
• the device 200 thus implements the method for processing a request for remote access to a local area network according to the invention which will be detailed below in relation to FIG.
• FIG. 2 finally presents an example of architecture of a user terminal TU according to an embodiment of the invention.
• the user terminal TU comprises a device 300 for requesting remote access to a local area network LAN, configured to send a request for access to such a network to the platform PTF, receive connection information to the gateway from the platform PTF and send a connection request to the gateway GW comprising the connection information.
• the device 300 can be independent of the user terminal TU, but connected to the latter by any link, wired or not.
• the access request device 300 comprises a module TRNS RA for sending a request for access to a local communication network LAN intended for the platform PTF, a module REC. IA for receiving connection information to the gateway GW and a connection request module CNX destined for the IP address of the gateway, the connection request comprising the connection information received.
• this information includes a gateway access authorization token.
• device 300 also includes a module SEL. LAN of a local network among a plurality of local networks authorized by the platform for the user terminal and a module SEL.
• S selection of equipment/service from among a plurality of equipment/services authorized by the gateway for the user terminal may also include a module for generating the gateway access authorization token, said token being transmitted in its request for access to the local network transmitted to the PTF platform.
• the device 300 finally comprises a TX/RX module for receiving and transmitting information via an interface with the remote network LAN and another interface with the local communication network LAN.
• a TX/RX module for receiving and transmitting information via an interface with the remote network LAN and another interface with the local communication network LAN.
• it uses the transmission/reception module of the user terminal TU in which it is integrated.
• the device 300 thus implements the method for requesting remote access to a service according to the invention which will be detailed below in relation to FIG. 5.
• FIG. 3 in the form of a flowchart, a first example of implementation of a method for managing a request for access to a local communication network LAN managed by the gateway GW d access to the remote network WAN, from the user terminal TU, when the gateway GW is in a standby state, according to one embodiment of the invention.
• the management platform PTF connected to the remote network WAN, receives the request RA for access to a local network LAN from the user terminal TU.
• This request RA includes at least one identifier of the identifier IDU of the user of the terminal TU.
• it also includes an identifier of the local network IDLAN which operates the service and/or an identifier of the gateway IDGW which manages the local network LAN and/or an identifier of an equipment or of an IDS service to which the user wishes access remotely.
• the user has subscribed to a service for managing remote access to the local communication network managed by his home gateway, offered by the operator of the remote network.
• this access request RA depends in particular on a level of intelligence of the man/machine interface and on the information relating to the access rights of the user which it has. At a minimum, it has the unique identifier of the PTF management platform in the remote WAN network to which to send the RA access request, but if its interface is more advanced, it can offer the user the choice of a network local among a plurality of local networks for which he has an access authorization, or even the services operated by these networks.
• the term service designates here in the broad sense any functionality made available to a user by one or more resources of a local communication network. This is for example the Wi-Fi interface of the gateway or a presence simulation service which involves several resources of the local network (camera, NAS storage server, Wi-Fi interface, etc.). Examples of embodiments will be detailed below in relation to FIGS. 6 and 7.
• the device 100 obtains information DA relating to the access rights of the user, for example associated in a memory MEM1 with the identifier IDU of the user contained in his request RA. For example, it queries a TLAN database based on the IDU identifier and obtains in return one or more identifiers, also called labels, of gateways or networks premises to which the user is authorized to connect. It is understood that a user can be authorized to access several local networks, for example the domestic network of his home, managed by his domestic gateway and one or more professional local networks. It is also possible to envisage that several labels of local networks be stored in association with an IDS site label, a site corresponding to a professional or domestic place which groups together several local networks.
• the device 100 transmits a request for selection of a local network to the user terminal, comprising the identifiers of the authorized local networks.
• the access request does not include a local network or gateway identifier, for example a MAC address or a unique identifier, or else when the user has requested access to a local network which it is not authorized while at least one identifier of authorized local networks is associated with the identifier of the user IDU in the table.
• the term “unique identifier” denotes a future identifier envisaged to supplant the MAC addresses at the level of the link layer. Today, equipment with Wi-Fi interfaces on different frequency bands has a different MAC address for each of them. It might be useless with such a unique ID.
• the device 100 Upon receipt of a response, comprising the identifier of a local area network IDLAN, the device 100 checks at 33 that the user is authorized to access the local area network LAN received at 30 or at 33 on the basis of the access rights obtained.
• the device 100 has previously obtained an IP address of the gateway, for example in a second routing table T@ in association with the MAC address of this gateway.
• This IP address is maintained in the platform using a static association IP address/MAC address of the gateway stored in a routing table.
• the IP address of a gateway can be fixed, preferential or dynamic. It is assumed that the user as a client of the remote access service to his local network benefits for his gateway from a fixed or preferential address. In the event that this address is changed after a certain number of days of inactivity, the platform would only need to periodically wake up the gateway and then send it a standby application message to maintain its address table. .
• the wake-up message is a “Wake on Wan” type message, known to those skilled in the art, encapsulated in an IP packet.
• This wake-up packet is transmitted, for example according to the UDP protocol (for “User Datagram Protocol”, in English), to the GW gateway via the WAN network, whatever the technology, ADSL or fiber for example, used and transits by a DSLAM (Digital Subscriber Line Access Multiplexer”, in English) for the first or ONT (“Optical Network Termination”, in English) for the second.
• UDP protocol for “User Datagram Protocol”, in English
• ADSL or fiber for example
• ONT Optical Network Termination
• device 100 receives an authentication request from gateway GW. It responds to this by implementing an encrypted exchange of mutual authentication of the gateway and of the platform, according to a procedure known to those skilled in the art.
• the device 100 transmits to the gateway a request for DVA validation of the access authorization that it has granted to the user to the requested local area network, for validation.
• This request includes the access rights (“credentials”) obtained in memory for this local network in association with the identifier IDU of the user. These are, for example, login/password connection information, possibly an encryption key.
• credentials obtained in memory for this local network in association with the identifier IDU of the user.
• these are, for example, login/password connection information, possibly an encryption key.
• the response further comprises an access authorization token JA generated by the gateway.
• it is the DVA validation request transmitted by the device 100 to the gateway GW which includes a temporary authorization token JAT which is sent back as a validated authorization token JA by the gateway to the platform.
• the temporary token was received from the user terminal in its access request DA and inserted into the connection information of the validation request sent by the platform PTF to the gateway GW.
• the device 100 redirects the connection information received in the validation response from the gateway to the user terminal TU.
• FIG. 4 in the form of a flowchart, an example of implementation of a method for processing a request for access to a local communication network LAN managed by the gateway GW of access to the remote network WAN from the user terminal TU, according to one embodiment of the invention.
• this method is implemented by the device 200.
• gateway GW is in a standby state.
• the device 200 receives a WOW wake-up message from the management platform PTF, on its interface with the remote WAN network.
• the device 200 optionally checks that the wake-up of the gateway GW is authorized.
• the device 200 obtains information relating to wake-up constraints stored in memory. These are, for example, time constraints which are recorded in a table of the calendar type, which associates an authorization or a prohibition on waking up with a particular period. In this case, the period can be expressed in hours or in days.
• verification consists of check that the current day/date/time belongs to an authorized period.
• the device 200 to do this commands a driver of the WAN interface of the gateway to trigger an appointment management program.
• the device 200 transmits a negative response to the platform.
• the device 200 commands at 42 the execution of a gateway wake-up.
• the device 200 transmits an authentication request to the platform and implements, upon receipt of a response from the platform, a mutual authentication procedure, involving encrypted exchanges. Since this procedure is known to those skilled in the art, it is not detailed.
• the device 200 verifies the access authorization granted by the platform, received in a DVA validation request from the platform and from access rights stored in memory in association with an IDU user identifier.
• this authorization If it validates this authorization, it transmits at 45 to the management platform PTF a validation message VA comprising connection information IA.
• a validation message VA comprising connection information IA.
• he obtains an access authorization token JA which has for example been generated by the gateway or by a dedicated module of the local network. It stores this JA token in memory in association with the user's identifier.
• this authorization token was not generated by the gateway, but corresponds to a temporary authorization token JIT received from the management platform PTF in its DVA validation request.
• the gateway verifies that this connection information corresponds to that which it has validated in the request received from the platform.
• this information includes the access authorization token JA and it checks that the access authorization token received corresponds to that which it issued in response to the platform's DVA validation request. If necessary, it establishes a connection with the user terminal TU.
• the gateway offers him at 47 a choice of equipment and/or services rendered by this equipment to which this user has authorization to access, such as for example the gateway itself the NAS storage server, the camera, the laptop, a home automation base, etc. Depending on the choice received from the user, it wakes up at 48 the selected equipment item. As this equipment is not integrated into the gateway, it recovers in a non-volatile memory the connection information with this equipment and its different communication interfaces in the LAN network, then sends it a wake-up packet on a communication interface that has remained active.
• the equipment For example, if the equipment is connected by Ethernet, it sends it a wake-up packet of the “Wake on LAN” type, in a manner known to those skilled in the art. Finally, it transmits its IP address @EQ to the user terminal TU so that it can connect to the requested equipment.
• the gateway treats it as a signal to warn it that it will receive a validation request from an access authorization for a user terminal to its local area network LAN from the PTF platform.
• FIG. 5 in the form of a flowchart, an example of implementation of a method for requesting access from a user terminal to a local communication network managed by an access gateway to a remote network, according to one embodiment of the invention.
• the method is implemented by the device 300.
• this device 300 is integrated into the user terminal TU.
• the device 300 transmits a request RA for access to a local communication network, for example the local network LAN managed by the gateway GW of FIG. 1.
• This request RA comprises at least one identifier IDU of the user of the terminal TU.
• the user formulates his request for access to the local area network LAN via a man/machine interface of his terminal, for example an application implemented by the terminal or a web application.
• This application can have information relating to the local networks to which the user has already accessed or is authorized to access and propose to him to easily select the network which interests him. For example, it accesses a table TA3 associating access rights with the identifier of the user IDU.
• This application may also have a quantity of information limited to the IP address of the PTF management platform to contact.
• the RA request is a simple connection request to the PTF platform.
• the device 300 receives a request to select a LAN network from the platform, the request comprising at least two LAN network identifiers which the user is authorized to access. He selects at 53 the identifier of the LAN network which interests him and transmits it to the platform.
• connection information from the platform.
• They include at least the identifier of the gateway GW and for example a connection identifier and a password of the user.
• They can also comprise an access authorization token JA.
• this token was generated by the gateway and transmitted to the platform which redirected it to the terminal. According to an alternative, it was generated by the platform which transmitted it to the gateway in its access authorization validation request.
• the gateway GW sends a connection request to the gateway GW comprising the connection information and advantageously the authorization token JA received.
• he receives at 56 from the gateway GW a request to select a device from a plurality of devices to which he is authorized to access. He responds at 57 and receives at 58 equipment connection information comprising at least an IP address or a unique identifier of this equipment.
• the user has subscribed to a remote access service to his local network(s) with his operator and that he accesses it via the web or a mobile application that he has installed on his terminal TU or yet another web application.
• he has an identifier and a password to connect to an interface or portal of this PTF platform.
• he sends a CNX connection request with this interface, identifies himself and authenticates himself with the platform using his identifier and his password.
• His request for access to a local network is therefore limited to a connection request to the platform's remote access service and does not specify the desired LAN communication network.
• the platform receives and processes the connection request at 30.
• the user terminal Once the user terminal has been authenticated, it obtains at 31 the access rights associated with the identifier IDU of the user. For example, it obtains the identifiers of the local communication networks to which it is authorized to access.
• At 32 it sends him a request to select a local network from a list of local networks to which he is authorized to access. If he is not authorized to access any local network, she informs him and terminates the connection.
• the selection request is received by the user terminal TU which makes its choice then sends it at 53 to the platform.
• the platform sends at 35 to the IP address of the gateway GW which manages the selected LAN communication network, a wake-up message WOW, for example a wake-up packet of the “Wake On Wan” type. It is transmitted by the remote WAN network to the gateway which receives it at 40 on its WAN interface.
• gateway GW is in a standby state.
• the WAN interface of the gateway GW activates a program for managing wake-up constraints. For example, it is an appointment calendar and it obtains information relating to time constraints for waking up the gateway for different times of the day or days of the week and it verifies that the waking up of the gateway and the local network is authorized for the current time period. If this is indeed the case, it wakes up in 42 at least one interface for managing remote access requests to its local area network LAN and a communication interface in the local area network, such as for example its Wifi interface. Optionally, it triggers at 43 a mutual authentication with the PTF platform. Exchanges between the gateway and the platform are encrypted. If, on the contrary, the wake-up call is not authorized, it rejects the wake-up request and notifies the platform of the rejection of its wake-up request.
• a program for managing wake-up constraints For example, it is an appointment calendar and it obtains information relating to time constraints for waking up the gateway for different times of the day or days of the week and it verifies that the waking up of the
• the platform PTF transfers to the gateway at 37 a request for validation of an authorization to access the local communication network LAN for the user terminal TU.
• This request may include connection information making it possible to certify that the access request from the terminal TU to the gateway GW has been validated by the platform PTF.
• This data can be for example a simple indicator (for “flag”), or else an identifier/password pair of the terminal TU or of its user.
• This DVA request can also include a temporary access authorization token JAT generated by the platform PTF or else received from the user terminal TU in its access request DA to the LAN network.
• the GW gateway following authentication, activated a program for validating user access rights.
• This response includes the validated IA connection information and in particular the JA access authorization token, which may be identical to the temporary JAT token that it received from the platform.
• the PTF platform receives the response from the gateway at 38, extracts the connection information and redirects it at 39 to the user terminal.
• the user terminal receives at 54 this connection authorization information from the PTF platform. At 55, it sends a connection request to the IP address of the gateway, comprising the connection information and advantageously the authorization token JA. Upon receipt at 46, the gateway verifies this information and in particular the authorization token JA of the user connection. If they correspond to the information recorded for this user and in particular to the authorization previously validated with the PTF platform, the gateway GW establishes the connection.
• the gateway itself, an alarm panel, a personal computer, a stand-alone camera, a NAS network storage server, etc.
• the user receives it at 56 and responds at 57 by selecting an equipment/service from among those offered by the gateway.
• the gateway wakes up one of its communication interfaces with the NAS server and sends it a wake-up message. For example, it activates its Wifi interface and sends it a "Wake On Lan" type wake-up packet. As soon as it wakes up, the NAS server activates a wake-up program.
• the gateway which redirects the IP address of the NAS server to the user terminal at 48.
• the user terminal Upon receipt at 58, the user terminal sends at 59 a connection request to the IP address of the NAS server . Once connected, he accesses his reception program and the services offered.
• the GW gateway puts its local network and its own functions back on standby.
• site refers to the geographical location of the buildings of a company or an individual, comprising one or more local communication networks.
• this interface accesses in a memory an association between the user's IDU identifier and a site identifier, one or more identifiers of local networks of this site authorized for this user and for each local network identifier at a or more equipment/service identifiers.
• Step 50 it proposes at 50 to the user to choose at least the local area network or even the equipment which interests him in a menu, but he can also choose an equipment of this local area network.
• this choice triggers the transmission at 51 by the terminal of a request for access RA to the chosen local network intended for the platform PTF.
• Steps 30-32 of receiving the request and verifying access rights are implemented similarly to the example in FIG. 6.
• the platform specifically verifies that the user terminal has the right to 'access the local network that the user has explicitly requested.
• the platform When the user is authorized, the platform sends at 35 a WOW wake-up message to the gateway which manages the requested access network, as previously described. Steps 35 to 38 implemented by the platform are unchanged, as are steps 40-45 implemented by the gateway.
• the user terminal TU receives the connection information to the gateway which manages the requested access network, as previously described, comprising at least the IP address of the gateway or a unique identifier of this gateway, a connection identifier and a password and optionally the JA access authorization token.
• the application interface on the user terminal side sends a CNX connection request to the gateway, which includes not only the ICNX connection information, but also the identifier of the EQ equipment to which the user wishes to access.
• the gateway verifies that the authorization token is correct and that the user is authorized to access the equipment/service requested. If so, it wakes up the relevant EQ equipment at 48, as previously described.
• the gateway GW then sends an application message to the user terminal comprising equipment connection information.
• the user terminal TU sends a connection request to the equipment EQ comprising the connection information received. Once connected, he accesses the services offered by this equipment.
• the GW gateway puts its local network and its own functions back on standby.
• FIG. 8 another example of the hardware structure of a device 100 for managing a request for remote access to a local communication network according to the invention, comprising, as illustrated by the first example of Figure 2, at least one receiving module REC.
• RA of a request for access to a local network from the terminal user TU, the request comprising at least one identifier of the user IDU, a module for obtaining OBT DA access rights associated with the identifier of the user, a verification module VER.
• AR of a user's authorization to access the requested network a WOW wake-up module of the gateway, configured to be implemented when the user is authorized to access the network, an OBT obtaining module.
• JA of an authorization validation by the gateway comprising an access authorization token and a TRNS transmission module. JA of the authorization token to the user terminal TU.
• the device 100 also comprises an AUTH module for authentication of the management platform with the gateway GW. It may also comprise a module for requesting the selection of a local network RSEL(LAN) to the user terminal from among a plurality of authorized local networks and a module for obtaining SEL(LAN) of the local network selected by the user terminal from the plurality transmitted.
• an AUTH module for authentication of the management platform with the gateway GW. It may also comprise a module for requesting the selection of a local network RSEL(LAN) to the user terminal from among a plurality of authorized local networks and a module for obtaining SEL(LAN) of the local network selected by the user terminal from the plurality transmitted.
• module can correspond both to a software component and to a hardware component or a set of hardware and software components, a software component itself corresponding to one or more computer programs or sub-programs or in a more general to any element of a program capable of implementing a function or a set of functions.
• such a device 100 comprises a random access memory 103 (for example a RAM memory), a processing unit 102 equipped for example with a processor, and controlled by a computer program Pgl, representative of the reception modules, verification , validation and transmission of connection information, stored in a read only memory 101 (for example a ROM memory or a hard disk).
• a computer program Pgl representative of the reception modules, verification , validation and transmission of connection information
• a read only memory 101 for example a ROM memory or a hard disk.
• the code instructions of the computer program are for example loaded into the random access memory 103 before being executed by the processor of the processing unit 102.
• the random access memory 103 can also contain a table comprising a entry associating access rights to local networks with the identifier of the user.
• FIG. 8 only illustrates one particular way, among several possible, of making the device 100 so that it performs the steps of the method for managing a request for access to a local communication network as detailed above, in relationship with Figures 3, 6 and 7 in its various embodiments. Indeed, these steps can be carried out either on a reprogrammable calculation machine (a PC computer, a DSP processor or a microcontroller) executing a program comprising a sequence of instructions, or on a dedicated calculation machine (for example a set of logic gates like an FPGA or an ASIC, or any other hardware module).
• a reprogrammable calculation machine a PC computer, a DSP processor or a microcontroller
• a program comprising a sequence of instructions
• a dedicated calculation machine for example a set of logic gates like an FPGA or an ASIC, or any other hardware module.
• the corresponding program (that is to say the sequence of instructions) could be stored in a removable storage medium (such as for example an SD card , a USB key, a CD-ROM or a DVD-ROM) or not, this storage medium being partially or totally readable by a computer or a processor.
• a removable storage medium such as for example an SD card , a USB key, a CD-ROM or a DVD-ROM
• a second example of hardware structure of a device 200 for processing a request for access to a local communication network comprising, as illustrated by the example of Figure 2, at least one receiving module REC. WOW of a wake-up message from the PTF management platform, a wake-up authorization module based on predetermined constraints, a module for validating a service access authorization request from the platform management PTF and the transmission to said management platform of an access authorization token.
• the device 200 also comprises a module for connecting the user terminal to the service upon receipt of a connection request comprising the access authorization token.
• the device 200 also comprises an authentication module AUTH PTF of the management platform PTF and a transmission module TRNS DS of a request to select a service from among a plurality of services to which the user is authorized to access. .
• module can correspond both to a software component and to a hardware component or a set of hardware and software components, a software component itself corresponding to one or more computer programs or sub-programs or in a more general to any element of a program capable of implementing a function or a set of functions.
• such a device 200 comprises a random access memory 203 (for example a RAM memory), a processing unit 202 equipped for example with a processor, and controlled by a computer program Pg2, representative of the reception modules, of validation of an authorization and of connection, stored in a read only memory 201 (for example a ROM memory or a hard disk).
• a read only memory 201 for example a ROM memory or a hard disk.
• the code instructions of the computer program are for example loaded into the random access memory 203 before being executed by the processor of the processing unit 202.
• the random access memory 203 can also contain a table comprising a input associating to the identifier of the user IDU a right of access to the local area network LAN managed by the gateway and to the equipment of this network.
• FIG. 9 only illustrates one particular way, among several possible, of making the device 200 so that it performs the steps of the processing method as detailed above, in relation to FIGS. 4, 6 and 7 in its different modes of achievement. Indeed, these steps can be carried out either on a reprogrammable calculation machine (a PC computer, a DSP processor or a microcontroller) executing a program comprising a sequence of instructions, or on a dedicated calculation machine (for example a set of logic gates like an FPGA or an ASIC, or any other hardware module).
• a reprogrammable calculation machine a PC computer, a DSP processor or a microcontroller
• a dedicated calculation machine for example a set of logic gates like an FPGA or an ASIC, or any other hardware module.
• the corresponding program (that is to say the sequence of instructions) can be stored in a removable storage medium (such as for example an SD card , a USB key, a CD-ROM or a DVD-ROM) or not, this storage medium being partially or totally readable by a computer or a processor.
• a removable storage medium such as for example an SD card , a USB key, a CD-ROM or a DVD-ROM
• an example of the hardware structure of a device 300 for requesting access to a local communication network comprising, as illustrated by the example of FIG. 2, at least one transmission module TRNS RA of a request for access to a local communication network LAN intended for the management platform PTF, a module REC. @ I P, JA receiving connection information to the GW gateway including an IP address of the gateway and an access authorization token and a CNX connection request module to the gateway IP address, the connection request including the network access authorization token.
• device 300 also includes a module SEL. S selection of a local network from among a plurality of local networks authorized by the platform for the user terminal.
• module can correspond both to a software component and to a hardware component or a set of hardware and software components, a software component itself corresponding to one or more computer programs or sub-programs or in a more general to any element of a program capable of implementing a function or a set of functions.
• such a device 300 comprises a random access memory 303 (for example a RAM memory), a processing unit 302 equipped for example with a processor, and controlled by a computer program Pg3, representative of the reception modules, of validation of an authorization and connection, stored in a ROM 301 (for example a ROM memory or a hard disk).
• ROM 301 for example a ROM memory or a hard disk.
• the code instructions of the computer program are for example loaded into the random access memory 303 before being executed by the processor of the processing unit.
• RAM 303 can also contain a table comprising an entry associating with the identifier of the user IDU a right of access to the local area network LAN managed by the gateway and to equipment of this network.
• FIG. 10 only illustrates one particular way, among several possible, of making the device 300 so that it performs the steps of the access request method as detailed above, in relation to FIGS. 5, 6 and 7 in its various embodiments. Indeed, these steps can be carried out either on a reprogrammable calculation machine (a PC computer, a DSP processor or a microcontroller) executing a program comprising a sequence of instructions, or on a dedicated calculation machine (for example a set of logic gates like an FPGA or an ASIC, or any other hardware module).
• a reprogrammable calculation machine a PC computer, a DSP processor or a microcontroller
• a dedicated calculation machine for example a set of logic gates like an FPGA or an ASIC, or any other hardware module.
• the corresponding program (that is to say the sequence of instructions) can be stored in a removable storage medium (such as for example an SD card , USB key, CD-ROM or DVD-ROM) or not, this storage medium being partially or totally readable by a computer or a processor.
• a removable storage medium such as for example an SD card , USB key, CD-ROM or DVD-ROM
• the invention which has just been described in its various embodiments has numerous advantages.
• it facilitates the task of a user who wishes to remotely access a local communication network placed in a standby state, while guaranteeing the security of the equipment of this network.
• the user always addresses the same platform regardless of the communication network he wishes to access.
• This platform stores this user's access rights to one or more sites and/or local networks.
• the platform secures upstream access to the gateway and its local network by allowing only duly identified and authorized requests to pass. It is therefore much more difficult for hackers to access a user's local network when he is in a sleep state.
• the invention therefore encourages users to put their equipment on standby when they are absent, and therefore contributes to saving energy resources.

Landscapes

• Engineering & Computer Science (AREA)
• Computer Networks & Wireless Communication (AREA)
• Signal Processing (AREA)
• Computer Security & Cryptography (AREA)
• Computer Hardware Design (AREA)
• Computing Systems (AREA)
• General Engineering & Computer Science (AREA)
• Data Exchanges In Wide-Area Networks (AREA)

Applications Claiming Priority (2)

Publications (1)

Family

ID=74554031

Family Applications (1)

Country Status (4)

Families Citing this family (1)

Family Cites Families (5)

• 2020
  • 2020-12-04 FR FR2012733A patent/FR3117295A1/fr active Pending
• 2021
  • 2021-12-02 WO PCT/FR2021/052193 patent/WO2022117972A1/fr active Application Filing
  • 2021-12-02 EP EP21848167.9A patent/EP4256830A1/de active Pending
  • 2021-12-02 US US18/255,841 patent/US20240015039A1/en active Pending
  • 2021-12-06 WO PCT/FR2021/052214 patent/WO2022117976A1/fr active Application Filing

Also Published As

Similar Documents

Legal Events