FI120226B - Procedure for identifying a terminal equipment - Google Patents

Description

METHOD FOR IDENTIFICATION OF THE TERMINAL AND FIELD OF THE INVENTION

The present invention relates to telecommunication technology. The present invention relates to a method and apparatus for receiving and / or transmitting alarm, status and / or control information in a public telecommunications network.

BACKGROUND OF THE INVENTION

10 Various objects, such as real estate, can be controlled in many ways, for example, for burglaries and fires. One type of control is the so-called. remote monitoring, where an object, such as a property, has an automated surveillance system that transmits alarm information in the event of a burglary or a fire.

Alarms are transmitted, for example, in a message transmission system (ISJ), which has traditionally been based on a landline (subscriber cable). Other public transport networks, such as the Internet, may also be used as an alarm transmission path.

The Internet network comprises a global network for data transmission and services. It comes with a variety of over-the-top layer (Layer 4) functionality, such as name service, email, 25 network management protocols, VoIP (Voice over IP) and countless applications and protocols. In all of the above cases, the transmission network itself, which routes and connects on L1, L2 and L3 layers, does not comment on the applications to be transported. 30 Applications use a wide range of markup languages and protocols to communicate information.

One problem with the Internet is security. There are a number of ways to access information transmitted at the application level. Generally speaking, there are 35 actors from different backgrounds who wish to gain access to information 2 controlled or transmitted by other parties. One such entity is called "hackers". Their main purpose is to cause havoc and trouble to the target of the hacking. Another example is the 5 spy industrial spies: they try to get the information they want online.

Another component of the security problem is the weaknesses of the operating systems and applications in use. Operating systems and application operations may have security holes that allow third parties to access information that was not originally intended for them.

To improve security, there are security methods that are specific to the transmission network, such as VPN (Virtual Private Network), MPLS (Multiprotocol Label Switching), intranet, tunneling, private access point, and device-related methods such as firewall techniques, access lists, virus protection, etc. What is common to all of the above methods is that malicious activity is generally directed to and above L4, especially if the L4 (Transport Layer) protocol is TCP (Transmission Control Protocol).

25 The recording equipment which monitors various objects and which, in the event of an alarm, transmits information to the control center or receives information is functionally relatively simple. However, the use of equipment should be absolutely safe. In other words, an unauthorized third party may never gain access to control of the device, for example through a data network. Due to the above-mentioned security factor, a large part of the monitors operate over a telephone network. 35 In the telephone network, the sender and the recipient have unique identifiers, which are virtually impossible to falsify.

3

On the other hand, surveillance devices can be made more sophisticated and secure to connect to a public information network (such as the Internet). Such a device typically has an operating system 5 and a plurality of applications that enable a more secure way of transmitting information and receiving control information from a public data network. But as mentioned earlier, operating systems and applications almost invariably have some security issues 10. In addition, operating systems and applications need to be constantly updated in practice to maintain a high level of security.

Another problem with the various operating systems and applications used in the recording devices is that they are too "cumbersome" and bring additional costs and maintenance problems to the recording device, which itself is relatively simple to operate.

PURPOSE OF THE INVENTION

The object of the invention is to eliminate or at least significantly alleviate the above disadvantages. In particular, it is an object of the invention to provide a method, a terminal and a system in which a monitoring terminal can be connected to a public telecommunications network without security problems and wherein the terminal is efficient and simple in operation.

SUMMARY OF THE INVENTION

The present invention relates to a method and a terminal for identifying a terminal (in a public telecommunications network. The terminal is connected to a public telecommunications network, for example the Internet).

35 The method and the terminal are characterized by the IP address assigned to the terminal.

4 The IP address is preferably a global static IP address. Further, at least one identifier identifying at least one other terminal authorized to communicate with the terminal 5 is stored in the memory of the terminal. At least one predetermined application port is opened from the terminal towards the communication network. Anyone can send messages to this port. The application port is preferably a UDP (User Datagram Protocol) port (UDP). However, it may also be, for example, a TCP (Transmission Control Protocol) port. In a preferred embodiment of the invention, only one UDP application port is opened from the terminal towards the communication network. In another embodiment of the invention, one or more UDP and / or TCP ports are open simultaneously. For example, messages do not necessarily need to be filtered by a special firewall. When the first message is received at the application port, the terminal may examine whether the first message is in acceptable form. An acceptable form of "suggestive" refers, for example, to blocking, whether the message has the correct syntax, and / or whether it is encrypted correctly.

The first message received includes a sender identifier, which is a separate identifier from the IP address of the sender 25 of the message. The receiving terminal extracts the sender identifier from the content data of the message and compares the extracted sender identifier with the pre-stored identifiers in the terminal. The identifiers in the memory may also be updated, if necessary, over 30 communication networks, for example from a dedicated monitoring center. The tags may be stored in the memory of the terminal in any suitable data structure. If the retrieved sender identifier corresponds to a pre-stored identifier in the terminal, an acknowledgment message comprising the terminal's own sender identifier is sent in response to the first message to the IP address corresponding to the retrieved sender identifier. In response to the sending of the acknowledgment message, a response message is received. Said first message is rejected if the response message includes a first message rejection-5 request.

In one embodiment of the invention, before the transmission step, a first socket is formed on the sender of the first message and in said transmission step, said acknowledgment message is written to the first socket formed.

If the first message does not have the sender identifier, or if the sender identifier extracted from the first message does not match any identifier previously stored in the terminal, the terminal 15 may reject the received first message.

In one embodiment of the invention, the second predetermined application port receives a second message from the same sender as the first message. From the second message, the sender identifier is retrieved from the second message and the extracted sender identifier is compared with the pre-stored identifiers in the terminal. If the retrieved sender identifier corresponds to a pre-stored identifier in the terminal, a second socket 25 is generated for the sender of the second message and in response to the second message an acknowledgment message comprising the transmitter identifier associated with the terminal is written by writing said acknowledgment message.

The first and second blinds formed in one embodiment of the invention are utilized in a special way. The terminal receives the message from the second terminal via the first socket, but also sends an acknowledgment message via the second socket to the same second terminal. Thus, there are two separate logical channels between the two main 35 telecommunication devices.

6

In one embodiment of the invention, the first message is accepted if the first message acceptance message is received in response to the sending of the acknowledgment message. In another embodiment of the invention, the first message is accepted if no response is received in response to the sending of the acknowledgment message.

In one embodiment of the invention, the terminal is synchronized with one or more other terminals 10 in the same time domain. The synchronization occurs, for example, by transmitting from the terminal to the predetermined reference terminal a synchronization message comprising the transmitter identifier of the terminal. In response to the transmission of the synchronization message, the master 15 receives from the reference terminal a message comprising a time reference. The terminal's own time counter is set according to the time reference.

If the terminal acts as a reference terminal for synchronization, it receives from the second terminal 20 a synchronization message comprising the transmitter identifier of the other terminal. The reference terminal extracts the sender identifier of the second terminal from the synchronization message and compares the extracted sender identifier to the reference terminal with the pre-stored identifiers. If the extracted sender identifier corresponds to the identifier pre-stored in the reference terminal, the reference terminal transmits, in response to receiving the synchronization message, a message comprising the time reference of the re-30 terminal to the IP address corresponding to the identifier.

In the solution according to the invention, the terminals may encrypt the message they send completely or partially. If the received message is encrypted, the terminal generates a decryption key using the value of the time received by the terminal's time counter message and decrypts it using the decryption key.

7

Similarly, the terminal may encrypt the information to be transmitted to the other terminal. In this case, the terminal normally generates a message containing alarm, status and / or control information. At least a portion of the message is encrypted with an encryption key generated using the transmit-time value of the terminal time counter, and said at least partially encrypted message is sent to the recipient.

In one embodiment of the invention, the terminal 10 may receive an acknowledgment message from another terminal comprising a sender identifier associated with the sender of the acknowledgment message. The other terminal, in turn, has sent an acknowledgment message in response to the message it has received. The terminal checks whether the terminal 15 previously sent a message to the other terminal that would have caused the received acknowledgment message to be sent. If, as a result of the check, it is found that the terminal did not previously send a message to the other terminal that would have sent an acknowledgment-20 message to the terminal, the terminal sends a rejection message to the other terminal. The purpose of the rejection message is to inform the second terminal that the original message received by the second terminal did not originate from the terminal, and that the message may be rejected.

The invention also relates to a terminal in a public telecommunications network. The terminal comprises a message interface for connecting the terminal to a communication network, through which the terminal 30 is arranged to open at least one predetermined application port towards the communication network. In addition, the terminal comprises a memory storing at least one identifier that identifies at least one other terminal which is authorized to communicate with the terminal 35. Through the message interface, the terminal is arranged to open at least one predetermined application port towards the communication network. The terminal 8 is further arranged to receive, at said predetermined application port, a first message containing alarm, status and / or control information., A sender identifier is extracted from the first message.

The terminal is further arranged to compare the extracted sender identifier with the pre-stored identifiers in the terminal. If the extracted sender identifier corresponds to a predetermined identifier in the terminal, the terminal is arranged to send, in response to the first message, an acknowledgment message comprising the sender identifier associated with the terminal to the IP address corresponding to the extracted sender identifier. The terminal is further arranged to receive a reply message in response to the receipt of the acknowledgment message 15, and to reject the first message if the response message includes a first message rejection request.

For other functions, the terminal is arranged to operate according to the above method.

The invention also relates to a method for identifying a terminal in a public telecommunications network. In the method, the terminal is connected to the public telecommunications network and at least one predetermined application port is opened from the terminal to the telecommunication network. A first message is generated in the terminal, comprising alarm, status and / or control information, which message comprises the identifier of the first terminal. The method further transmits the en-30 first message to the recipient; receiving, at the terminal, an acknowledgment message from the second terminal, comprising a sender identifier associated with the sender of the acknowledgment message; checking whether the terminal transmits to the second terminal said first message which would have caused the acknowledgment message to be received from the second terminal; and transmitting a rejection message to the 9 IP addresses corresponding to the sender identifier contained in the acknowledgment message if the first message was not previously sent by the terminal to the second terminal.

The invention also relates to a terminal in a public telecommunications network. The terminal comprises a word interface for connecting the terminal to a communication network, through which the terminal is arranged to open at least one predetermined application port towards the communication network; and a memory 10 storing at least one sender identifier identifying at least one other terminal authorized to communicate with the terminal. The terminal is arranged to generate a first message comprising alarm, status and / or control information and a sender identifier of the terminal 15, to send a first message to a recipient, to receive an acknowledgment message from the second terminal comprising a sender identifier associated with the acknowledgment message; checking whether the terminal sent to the second terminal 20 said first message which would have caused the acknowledgment message to be received from the second terminal; and send a reject message to the IP address corresponding to the sender identifier contained in the acknowledgment message, if the terminal has not previously transmitted the first message to the other terminal.

The invention also relates to a method for identifying a terminal in a public telecommunications network. The method comprises connecting the first terminal to the public telecommunication network directly or via a second network so that the first terminal does not have a global static IP address. The first terminal stores at least one identifier identifying at least one second terminal which is authorized to communicate with the first terminal 35. In response to a predetermined event, a first message is generated comprising the identifier of the first terminal. Said first message is sent to a predetermined en-5 first application port stored in the memory of the first terminal based on said predetermined event. The first terminal receives a second message in response to the transmission of the first message and picks up the sender identifier from the second message. The extracted sender identifier is compared to the pre-stored identifiers in the first terminal, and if the extracted sender identifier corresponds to the pre-stored identifier in the first terminal and if the first terminal has previously transmitted a connection setup message to

Said predetermined event is, for example, an alarm signal, an event occurring within the first terminal or, in general, any gateway 20, as a result of which the first terminal establishes a connection to the second terminal. The content of the first message generated and / or the selected first application port may depend on said predetermined event.

The invention also relates to a terminal in a public telecommunications network. The terminal comprises a message interface for connecting the terminal to the communication network so that the terminal does not have a global static IP address. The terminal comprises 30 memories in which at least one identifier is stored which identifies at least one other terminal which is authorized to communicate with the terminal. Further, the terminal is arranged to generate, in response to a predetermined event, a first message 35 comprising a terminal identifier, to send said first message to a predetermined first application port stored in the memory of the terminal 11 on the basis of said event, to receive a first message. extracting the sender identifier from the message, comparing the sender identifier with the po-5 to the preprogrammed identifiers in the terminal, and if the extracted sender identifier corresponds to the preassigned identifier in the terminal and if the terminal has previously transmitted the

Other features of the invention are set forth in the claims.

Thanks to the present invention, the terminal can be made very simple in structure and function and inexpensive. Further, since the terminal automatically rejects messages received from unknown parties and does not contain elements that automatically communicate with the network, no special firewall or virus protection is required at all. In other words, the terminal can be connected to a public telecommunications network (Internet) without fear that the terminal would be vulnerable to attacks against it.

In addition, the terminal device of the invention may also be located behind, for example, a corporate network, a mobile network, or a home network as a device for which no global static IP address is specified.

LIST OF FIGURES

In the following, the invention will be described in detail with the aid of exemplary embodiments, wherein: Figure 1a shows one embodiment of the method according to the invention; Figure 12a shows another embodiment of the method according to the invention; Fig. 4a shows another embodiment of the method according to the invention, Fig. 4b shows another embodiment of the method according to the invention, Fig. 5a shows a system in which the method and terminal according to the present invention can be used and Figure 6 illustrates a system in which the method and terminal of the present invention can be used.

DETAILED DESCRIPTION OF THE INVENTION

Figure 1a shows an embodiment of the method according to the invention.

According to step 100, a terminal according to the invention receives a message from the communication network. Preferably, the telecommunications network is an Internet network.

The terminal has a static IP address that anyone can send messages to. It is advantageous for the invention that the most common operating systems (e.g., Windows, Linux, Macintosh, etc.) are not installed on the terminal. Therefore, the terminal device preferably does not contain elements (for example, numerous open operating system ports) that could respond to messages coming from the network. Since, in this example, the terminal uses the Transport Protocol-35 yellow UDP (User Data Gram Protocol) and a fixed application port number, there is only one possible public open application port through which the terminal receives information from the communication network. In the example of Figure 1, the terminal comprises only one UDP application port facing the communication network. In other embodiments of the invention, there may be more than one UDP port in use. In other words, anyone can send information to the device. However, the device is passive in nature and responds only to the messages it interprets as correct.

10 In step 102, the terminal examines whether the message is acceptable. The term "acceptable" refers, for example, to the terminal examining the syntax of a received message and possibly whether the message is encrypted correctly. The functionality related to encryption is explained in more detail in connection with Figure 4. If the message is not accepted, the terminal rejects the message (step 118). In another embodiment, there is no separate step 102 for examining the message format. If the terminal is unable to retrieve the sender identifier from the 20 messages, the message can be automatically rejected.

If the message format was acceptable, the sender identifier is retrieved from the message (step 104). The sender identifier refers to the identifier in the terminal's predefined IP address. In other words, the identifier is preferably a pointer to the IP addresses pre-stored in the terminal's memory. The identifiers and their corresponding IP addresses may be stored in the memory of the terminal in any suitable data structure. The IP address in the message (in the UDP frame) is not used because the message may have actually come from the person who has changed the address of the message to the desired address.

The sender identifier contained in the message ver-35 is traced (step 106) to the pre-stored identifiers of the terminal, and if a corresponding identifier is found in the terminal (step 108), the terminal picks up the IP address corresponding to the identifier. If no identifier is found, the received UDP message is automatically rejected (step 116).

In step 110, the terminal transmits an acknowledgment message based on the extracted sender identifier 5 comprising the sender identifier associated with the terminal. The sender identifier can identify the IP address from a pre-stored table in the terminal, and as a result, an acknowledgment message is sent to this IP address.

In another embodiment of the invention, the retrieved sender identifier does not directly identify the IP address. If, for example, the second terminal transmitting messages to the terminal is behind a firewall on the local area network, no global IP address is specified for the terminal. For this reason, for example, the actual sender of the message based on the IP address is a firewall. The firewall forms a reflex port 20 for the local device. When a firewall receives a message to this port, the firewall is able to route the message to the local device based on the device's MAC address and its local IP address.

For this reason, in this second embodiment of the invention, before transmitting the acknowledgment message to the sender of the first message, a first socket is formed in the second terminal, and in said transmission step, said acknowledgment message is written to the first socket formed. Also in this embodiment, the acknowledgment message includes the sender identifier of the first terminal.

The purpose of sending an acknowledgment message is to verify the origin of a previously received message. Since the sender of the original message can be virtually anyone, 35, the identification of the sender is accomplished by a separate transaction. The acknowledgment message also comprises a sender identifier associated with the terminal. In this way, the recipient of the acknowledgment message 15 can use the sender identifier in the message in the same manner as described above. If an acknowledgment message was sent to a recipient who did not send the original message, the terminal receives the message from the recipient (step 118), which results in the original message being rejected (step 116). If the terminal does not receive a response to the acknowledgment message, the terminal interprets the situation so that the recipient 10 of the acknowledgment message was also the sender of the original message, and thus the terminal can finally accept the message it initially received (step 114).

In another embodiment, the terminal in any case receives a reply message to its acknowledgment message. The reply message may expressly indicate whether or not the recipient of the acknowledgment message has sent the original message.

Because the UDP protocol leaves no "trace" on routing and does not create open (reflek-20 winged) ports between devices, each message is routed according to the IP address being transmitted. Since the received message contains a reference to the sender's IP address, the acknowledgment message is sent according to the number in the memory. If the sender was incorrect, the "correct" terminal receives an acknowledgment message, and thus the "correct" terminal transmits a rejection message in response to receiving the acknowledgment message.

In a further embodiment of the image la, the first terminal receives a second message from the same sender as the first message to the predetermined second application port 30. The terminal extracts the sender identifier from the second second message and compares it to the first terminal with the pre-stored identifiers. If the extracted sender-35 identifier corresponds to a predetermined identifier in the first terminal, a second socket is formed for the sender of the second message. In response to the second message 16, the first terminal generates an acknowledgment message comprising the first terminal's own transmitter identifier. The generated acknowledgment message is then written to the second blind formed.

In one embodiment of the invention, the sockets formed (first and second sockets) can be used for a common purpose. For example, the first terminal may receive an alarm from the second terminal via the first blind. However, the first terminal 10 is arranged to operate so that an acknowledgment message is sent to the second blind. As stated above, both the first and the second sockets were formed at the earlier stage for the same second terminal. In this way, when the alarm arrives, the sender verification is performed through a second contact.

Figure Ib shows another embodiment of the method according to the invention. In the method shown in Figure Ib, no static IP address is defined for the terminal as described in connection with Figure 1a. Here, for example, a terminal is, for example, a terminal behind a GPRS connection or a terminal behind a firewall in a local area network.

As in the example of Fig. 1a, at least one identifier is stored in the memory of the first terminal which identifies at least one second terminal which is authorized to communicate with the first terminal. The identifier can be a static IP address or any other device identifier. In response to a predetermined event 30, the first terminal generates a first message comprising an identifier of the first terminal (step 140). A predetermined event is, for example, activating a device for alarm and monitoring use, an alarm condition, or any other event that results in a desire to establish a connection from the first terminal to the second terminal. In one embodiment, the first terminal 17 may retrieve the time reference from the second terminal before establishing the connection described in step 140. Finding the time reference is explained in more detail in connection with Figure 2.

5 The first terminal transmits the first message to a specific second terminal's IP address stored in the terminal's memory at the first application port (step 142). For different purposes, the connection establishment can be made to different terminals. For example, the connection established for transmitting the alarm information may be established to the terminal 1 and the other for transmitting the information to the terminal 2. The said first application port may have been predefined for the first terminal.

The first terminal receives a message in response to the transmission of the first message from the second terminal (step 144). The sender identifier (step 146) is retrieved from the message and the extracted sender identifier is compared with the identifiers previously stored in the first terminal (step 148). If the extracted sender identifier corresponds to a pre-stored identifier on the first terminal and if the first terminal has previously transmitted a connection setup message to the identifier 25, the first connection established between the first and the second terminal is accepted (steps 150 and 152). If the retrieved sender identifier does not match the pre-stored identifier in the first terminal, or if the first terminal did not send 30 previously established connection messages to the terminal identified by the sender identifier, the received message is rejected 154.

In a further embodiment of Figure Ib, a third message 35 is formed in response to a predetermined event, comprising the identifier of the first terminal. Said third message is based on the aforesaid event on a predetermined second application port stored in a specific IP address of the second terminal stored in the first terminal. In this case, the second terminal is the same as the second terminal shown in step 142. The first terminal 5 receives the message in response to the transmission of the third message and retrieves the sender identifier from the message. The extracted sender identifier is compared to the pre-stored identifiers in the first terminal, and if the extracted sender identifier matches the pre-stored identifier in the first terminal, and if the first terminal has previously transmitted a connection setup message to the

Above, two different logical connections were established between the first and the second terminal. The established connections can be used for a common purpose. For example, the first terminal may send an alarm to the second terminal via a first logical connection, and accordingly receive an acknowledgment of an alarm it has transmitted via a second logical connection.

Since the first and / or second logical connections are preferably TCP connections, the first terminal may periodically send a refresh message to keep the connection established.

Figure 2 illustrates a preferred example of the operation of the method of the present invention for determining a time reference. Reference is also made to Figure 5a to clear the example. Figure 5a shows a simplified example of a system in which a terminal according to the present invention can be used. Figure 5a comprises three terminals 35,500, 502, 504, each of which is assigned a static IP address, all of which are accessible through a public IP network (e.g., the Internet). In fact, some of the terminals of Figure 5a may be, for example, a terminal in or under the control of a control center or other operator, which in practice receives alarm and / or status information from "monitoring" terminals and respectively transmits control information to the monitoring terminals.

In the example of Figure 5a, the terminal 502 runs some time reference which increments at regular intervals. The time reference can be maintained, for example, by a UCT-10 clock, a DCF77 receiver, a GPS receiver (GPS, Global

Positioning System) or any other suitable arrangement. The counting interval is, for example, 0.1 s or any other suitable time interval. The absolute value of time does not matter in this case.

When the terminal 500 turns on and initializes itself, it transmits a UDP message to the terminal 502 (step 200). The message net data contains a time request and a reference (sender identifier) to the recipient's IP address table. The reference is defined because the re-20 ferry terminal (terminal 502 in this example) responds only to those terminals specified in the table. If the terminal 502 receives an unrecognized message, the message may be automatically rejected. Similarly, if someone "pretends" to be the sender, 25 he or she will not receive an answer to the message they are sending.

In response to receiving the time reference request, the terminal 502 transmits its current time reference value to the terminal 500 requesting the time reference. If, for example, the message transmission to the terminal 30 500 takes 20 ms, the clock of the terminal 500 is thus 20 ms behind the clock of the terminal 502. Such a small time difference is not essential to the operation of the method. Similarly, the terminal 504 may perform a corresponding synchronization. After synchronization, the terminals 35 are synchronized.

When the terminal 500 receives the time reference message from the terminal 502, the terminal 500 sets its time counter 20 in accordance with the time reference in the message. The time reference message may further include a sender identifier which allows the terminal 500 to finally verify that the time reference 5 message actually came from the terminal 502. If the terminal 500 receives the time reference message for some reason even if it has not requested the time reference, the received message may be automatically rejected. Messages related to obtaining the time reference can be encrypted, but encryption is not necessary.

The terminal 500 may store in a memory a predetermined order of terminals to which a time reference request can be sent. If the time reference request sent to the upstream terminal in priority-15 order does not produce a response, the time reference may be requested from the next terminal in the order of priority.

Figure 3 shows a preferred example 20 of the operation of the method of the present invention for determining time reference. Fig. 3 differs from Fig. 2 in that Fig. 3 illustrates the operation of the terminal in the sense that the terminal acts as a provider of time reference.

In step 300, the terminal receives from the second terminal a synchronization message requesting a time reference. The received message contains the identifier of the sending terminal (the second terminal). The terminal extracts the sender identifier 30 from the synchronization message (step 302) and compares it with the pre-stored identifiers (step 304). If a corresponding identifier is found in the pre-stored identifiers in the terminal's memory, the terminal checks its time counter value from its internal clock and sends a message containing the time reference to the IP address corresponding to the identifier 35 (steps 306 and 308). The terminal preferably includes its own sender identifier in the message.

Similarly, based on this identifier, the second terminal may verify that the time reference message came from the same terminal to which the second terminal had originally sent the time reference request. If the sender identifier in the sync-5 climbing message is not found in the terminal memory, it rejects the received message (step 310).

Fig. 4a shows an advantageous example of the way in which a terminal encrypts a message it sends to another terminal 10.

In step 400, the terminal generates the message it is transmitting to the other terminal. If it is not necessary to encrypt the message, the transmission is carried out in the normal manner (steps 402 and 408).

In this example, it is assumed that both terminals (sender, receiver) are at substantially the same time. In other words, they have previously synchronized their clock, for example, as shown in Figures 2 and 3. The sa-20 expression key used in this example is generated by a time counter and possibly by a common algorithm. There is no need to send pointers or identifiers between the terminals to identify their use, since the sender uses its own clock to generate the encryption key, and the receiver uses its own clock to generate the decryption key, respectively.

In step 404, the terminal generates an encryption key. Any algorithm that utilizes the current clock value can be used to generate the encryption key. It is essential that both the transmitting and receiving terminals use the same algorithm. One exemplary method of selecting an encryption key is to pre-store a plurality of encryption keys in the terminal 35. The clock time of the transmitting terminal can thus be used as a pointer to the encryption key table. In this example, it is assumed that n of the encryption keys are stored in the transmitting terminal. For example, the pointer formation is done by dividing the time (in this example, the time by an integer) by the number of encryption keys, 5, and the remaining partitioner indicates the encryption key used. Obviously, this is only one example for generating or selecting a cryptographic key, and any other suitable method may be used. In another embodiment, the decoder keys are not pre-stored in the terminal 10, but the encryption key is generated by a suitable algorithm which uses the current time of the terminal as input.

Once the encryption key has been generated, the terminal 15 encrypts at least a portion of the message by means of an encryption key and a suitable algorithm (step 406). Finally, said at least partially encrypted message is sent to the recipient (step 408).

Figure 4b illustrates a preferred example ta-20, whereby a terminal decrypts a message it receives from another terminal.

According to step 410, the terminal receives a message from the second terminal. If the message is not encrypted, the terminal interprets the message content according to its 25 normal operating procedures (steps 412 and 418). In step 414, a decryption key is generated. Any algorithm that utilizes the current clock value can be used to generate the decryption key. It is essential that both the transmitting device 30 and the receiving terminal use the same algorithm. One exemplary way of selecting a decryption key is to pre-store a set of encryption keys in the terminal. The same encryption keys must also have been previously stored in the memory of the transmitting terminal 35. The time of the receiving terminal can thus be used as a pointer to the encryption key table size. In this example, it is assumed that n pieces of encryption keys are stored in the terminal 23. For example, the pointer formation is done by dividing the time (in this example, the time by an integer) by the number of encryption keys and the remaining 5 remaining partitions indicating the decryption key to be used. Obviously, this is only one example of how to generate or select a decryption key, and any other suitable method can be used. In another embodiment, the decryption keys are not pre-stored in the terminal, but the decryption key is generated by a suitable algorithm that uses the current time of the terminal as input. In addition, it is assumed here, for example, that the terminal uses a 15 symmetric encryption algorithm, that is, the message is encrypted and decrypted with the same encryption key. It is obvious that an asymmetric algorithm can also be used as the encryption algorithm, that is, encryption is done with one key and decryption with another.

If the decryption key (step 416) fails with the selected decryption key, this may be because the terminal is using an "expired" decryption key. The obsolescence is due, for example, to the fact that the message transmission delay has been longer than the nor-25 target. In this case, the terminal may try to decrypt it with one or more of the previous keys (the key selected based on the previous time).

Fig. 5b illustrates an example of a terminal 500 according to the invention. The terminal 500 is used, for example, to securely transmit and / or receive alarm, status and / or control information over a telecommunications network. The terminal 500 is basically quite simple and does not use the most common operating systems in this preferred embodiment.

The terminal includes a processor 510 which controls the operation of the terminal 500 under the control of one or more applications 518 stored in the memory 512. For example, one of the applications refers to an operating system controlling the operation of the terminal 500. The memory 512 itself may refer to one or more separate 5 memories. In addition, one of the memories may also be internal memory of the processor 510. The memory type may be any suitable volatile or non-volatile memory type.

The terminal 500 comprises a message interface 514 10 for receiving messages from a communication network. Through the message interface interface 514, the terminal 500 maintains at least one application port towards the communication network. In various embodiments of the invention, one or more UDP and / or TCP ports may be open. Anyone can send messages to these one or 15 more ports. However, in the terminal 500 according to the invention, it is not necessary to maintain, for example, a firewall or virus protection at all, since the terminal 500 is practically "immune" to attacks. The terminal 500 further 20 may comprise a monitoring interface 516 through which the terminal 500 receives, for example, alarm, status, or control information from the object being monitored. The property to be monitored is, for example, a home property, a business property, or any other similar object of control. If the terminal device 500 functions, for example, as an alarm receiving terminal, the control interface 516 may not be provided at all in the device.

The terminal memory 512 may store the global static IP address 30 defined for the terminal. In another embodiment, the terminal does not have a global static IP address, but a dynamic or local IP address. Further, the terminal 500 is arranged to send and receive messages formed using a predetermined 35 syntax (message format). The syntax refers, for example, to the message format used in the actual data portion of the UDP message. Both the sender and the 25 recipients of the message must know the syntax to use to successfully exchange messages between terminals. In addition, several other data and / or applications may be stored in the memory 512, for example software and / or the operating system implementing the invention to-5, which enable the terminal 500 to operate as described in the invention. For example, memory 512 stores credentials associated with other terminals. With the help of the identification information, the terminal 500 can verify the authenticity of the origin of the messages it has received. The message received by the terminal 500 typically has a sender identifier. However, the sender identifier does not refer to the sender's IP address to be transmitted in the UDP message. The terminal 500 compares the received-15 sender identifiers received with the stored identifiers 520 stored in the memory 512. In addition, a global static IP address may be associated with each identifier stored in the memory. If the received message requires an acknowledgment message to be sent, the acknowledgment message 20 is sent to the IP address corresponding to the received identifier.

In another embodiment of Figure 5b, the terminal 500 may store the device identifier associated with another terminal instead of the IP address. The functionality associated with this is described in more detail in connection with Figure 6.

If data encryption is used between two terminals, the encryption and decryption algorithm 30 used for encryption and decryption may have been stored in memory 512 for this purpose. Further, in this case, one or more encryption keys and decryption keys may be stored in memory 512. Further, for encryption, the terminal 500 maintains in its memory 512 running time references (e.g., a clock). In one embodiment of the invention, messages transmitted by the terminal 500 are encrypted by utilizing the current time of the clock. With the current time and 26 possibly additional algorithms, it is possible to select the encryption key to be used from memory 512 or alternatively to generate the encryption key to be used. In the memory 512 of the terminal 500, it is still possible to store 5 priority order of the terminals from which time reference can be requested.

The above examples of the invention are mainly illustrated using one UDP port as an example. As an open application port, you can also use the TCP port instead of the UDP port. While the UDP protocol is by nature offline, the TCP protocol establishes an acknowledgment connection between the sender and the recipient.

Figure 6 shows an example system 15 in which the method and terminal of the present invention can be used. Fig. 6 comprises five terminals 600, 602, 604, 612 and 614. A static IP address is defined for the terminals 600, 602 and 604 and these terminals are accessible through a public IP network (e.g., the Internet) 606. One of the terminals 600, 602 or 604 may be, for example, a terminal in the premises or controlled by a control center or other operator, which in practice receives the alarm and / or status information from the "controlling" terminals and respectively transmitting control information to the supervising terminals.

In this example, two other networks are also connected to Internet 606, namely a corporate network 608 and a mobile network 610. The terminal 612 connected to the corporate network 608 does not have a global static IP address, but only has an internal IP address within the corporate network. The terminal 612 can also communicate via the Internet 606, but then the dedicated server 358 provided in the corporate network 608 acts as the actual sender of the data packets. Similarly, the server receives data packets from the Internet 606 and forwards them to the terminal 612.

27 Such operations are often described by the term Network Address Translation (NAT). Mobile station 614 is connected to the Internet via mobile network 610. Mobile station 614 may be assigned 5 dynamic IP addresses. Such an IP address is not static by name, but typically changes between each use.

Previous examples of the invention mainly described terminals for which 10 global static IP addresses were defined. The example in Figure 6 illustrates that it is also possible to connect to the system devices having a dynamic IP address (for example, over a GPRS connection) or an unclassified corporate network address. In such a situation, the receiving terminal 15 having a global static IP address defined maintains one or more blinds to the transmitting terminal. Whereas in the example of Fig. 5a all the terminals had a static IP address and the static IP addresses of the other terminals were pre-stored in the terminals, the example of Fig. 6 uses a predetermined device identifier (arbitrary) which is predefined in the memory of other terminals.

25 Unlike static IP addresses, in this case, the message to be sent is written to the sending terminal's blind, whereby it is routed to the addressed recipient. Neither procedure uses the sender's IP-30 address as the sender's identifier, but the sender's identifier is a separate reference in the actual data field of the message being sent, either to the sending IP or to said device identifier.

The functionality with respect to the 35 sockets themselves (creation, maintenance, etc.) is not described further here, as one skilled in the art is aware of this functionality.

28

In one embodiment of Fig. 6, the terminal 612 requests a time reference from the terminal 602. The terminal 612 transmits a clear language message to the terminal 602. The message includes a static IP address reference in place of the terminal device 612 itself, which is known in advance to the terminal 602. The terminal 602 forms the socket of the terminal 612, by typing in which the response message is directed to the terminal 612. The corresponding functionality described above also applies to the terminal 1014.

The operation of the invention is not limited to utilizing only one UDP or TCP port and opening it in the terminal. In one embodiment of the invention, two or more application ports are simultaneously opened in the terminal. Open ports can be UDP ports, TCP ports, or both. In one embodiment of the invention, it is essential that the application portlets to be opened are not port 20 which are generally open in operating systems but predefined and port-specific application ports.

In one embodiment of the invention, the opened application ports can be used for different purposes. One of the 25 application ports can be used to receive, for example, status information, the other application port can be used to receive, for example, alarm information, etc. Such operation requires the message sender to know which application ports on a particular receiving terminal are intended for what purpose. In addition, different terminals may have different number ports. Therefore, in one embodiment of the invention, information is stored in the terminal, associated with each receiving terminal, about which ports the receiving terminal uses and for what purpose each port is used.

29

In summary, the preferred terminal device according to the invention does not have any unnecessary operating system or application ports that respond to messages sent to them. In its si-5, only a limited number of application ports are opened in the terminal.

The invention is not limited only to the above exemplary embodiments, but many modifications are possible within the scope of the inventive idea defined by the claims.

Claims (56)

A method for identifying a terminal equipment in a public communication network 5 (606), the method comprising the steps of: a terminal equipment (500) being joined to the public communication network (606); in the memory (512) of the terminal equipment (500), at least one transmitter identifier is stored which specifies at least one other terminal equipment which is capable of communicating with the terminal equipment; from the terminal equipment (500) to the communication network (606), at least one predetermined application port is opened; characterized in that the method further comprises the stages: in said predetermined application port, a first message is received containing alarm, condition and / or control information; from the first message's content data P1, the transmitter identifier is also extracted; the picked transmitter identifier is compared with the transmitter identifiers stored previously in the terminal equipment, and if the selected transmitter identifier corresponds to a identification stored in the terminal equipment in advance; in response to the first message for securing its origin, a receipt message is sent to an IP address corresponding to the picked transmitter identifier, which includes the terminal transmitter's own transmitter identifier; in response to the sending of the acknowledgment message, a response message is received; and the first message is rejected if the reply message contains a request for rejection of the message. 2. A method according to claim 1, characterized in that, before the transmission stage, a first socket is formed for the transmitter of the first message and at that transmission stage said acknowledgment message is written in the formed first socket. Method according to claim 1 or 2, characterized in that the method further comprises the steps: a second message is received in a second predetermined application port originating from the same transmitter as the first message; from the second message, the transmitter identifier is picked out; the picked transmitter identifier is compared with the identifiers stored in the terminal equipment in advance, and if the selected transmitter identifier corresponds to a pre-identified identifier stored in the terminal equipment; a second socket is formed for the transmitter of the second message 20; and in response to the second message, a receipt message, which includes the transmitter identification associated with the terminal equipment (500), is sent by writing said acknowledgment message 25 in the formed second socket. Method according to claim 2 or 3, characterized in that the method further comprises the steps: with the terminal equipment (500) a third message is received via the first socket; from the third message, the transmitter identifier is picked out; the picked transmitter identifier is compared to the pre-identified identifiers stored in the terminal equipment, and if the selected transmitter identifier corresponds to a pre-stored identifier in the terminal equipment; In response to the third message, a receipt message is sent, which comprises the transmitter identifier associated with the terminal equipment (500), by writing said acknowledgment message in the formed second socket. Method according to any of claims 1 4, characterized in that the method further comprises the stage: the received message is rejected, if the transmitter identifier in the message does not exist or if the transmitter identifier extracted from the message does not correspond to any identifier stored in the terminal equipment in advance. Method according to any of claims 1 to 5, characterized in that the method further comprises the stage: in the terminal equipment it is checked whether the message in its form is acceptable. A method according to claim 6, characterized in that the message in its form is acceptable if the message's syntax is correct and / or the message is correctly encrypted. Method according to any of claims 177, characterized in that the method further comprises the stage: the first message is approved if the first message's approval message is received in response to the sending of the acknowledgment message. Method according to any of claims 1 to 7, characterized in that the method further comprises the stage: the first message is accepted if no response is received at all in response to the sending of the acknowledgment message. Method according to any of claims 1 9, characterized in that the method further comprises the stages: from the terminal equipment (500) a synchronization message is sent to a predetermined reference terminal equipment, which comprises the transmitter identifier of the terminal equipment; In response to the transmission of the synchronization message, a message is received from the reference terminal equipment which comprises a time reference / and terminal equipment (500) time counter installed according to the received time reference. 10 Method according to any of claims 1 9, characterized in that the method further comprises the steps: from the second terminal equipment a synchronization message is received, which comprises the transmitter identifier of the second terminal equipment; and from the synchronization message, the transmitter identifier of the other terminal equipment is picked out; the picked transmitter identifier is compared with the pre-identified identifiers stored in the terminal equipment, and if the selected transmitter identifier corresponds to a pre-stored identifier in the terminal equipment; in response to receiving the synchronization message, a message is sent to the IP address corresponding to the identifier, which includes the terminal equipment's (500) time reference. Method according to claim 10 or 11, characterized in that if the received message is encrypted, the method further comprises the stage: an encryption opening key is formed by utilizing the value of the receiving time of the message by the terminal equipment's timer; and the encryption is decrypted by means of a decryption key. Method according to any one of claims 1 to 12, characterized in that said at least one predetermined application port comprises a UDP port and / or a TCP port. A method for identifying a terminal equipment in a public communication network 5 (606), the method comprising the steps of: the terminal equipment (500) being combined with the public communication network (606); from the terminal equipment (500) to the communication network (606), at least one predetermined application port is opened; in the terminal equipment (500) a first message is formed, which comprises alarm, condition, and / or control information, which message comprises the identifier of the first terminal equipment (500); A first message is sent to a recipient; with the terminal equipment (500), a second acknowledgment message is received from a second terminal equipment, which comprises a transmitter identifier belonging to the transmitter of the acknowledgment message; checked if the terminal equipment (500) of the second terminal equipment sent said first message, which would have received a receipt of a receipt message from the second terminal equipment; to the IP address corresponding to the transmitter identifier containing the acknowledgment message, a rejection message is sent, if the terminal equipment (500) has not previously sent to the second terminal equipment a first message. 15. A method according to claim 14, characterized in that said at least one predetermined application port comprises a UDP port and / or a TCP port. 35 Method according to claim 14 or 15, characterized in that the method further comprises the stage: at least a part of the message is encrypted with an encryption key, which is formed by utilizing the value of the terminal equipment's time of transmission. 5 17. A method according to any of claims 14 to 16, characterized in that the method further comprises the stage: an approval message is sent to the second terminal equipment, if the terminal equipment (500) previously sent a first message to the second terminal equipment. 18. A method according to any of claims 14 to 16, characterized in that the method further comprises the stage: a separate approval message is sent unsent to the second terminal equipment, if the terminal equipment (500) previously sent a first message to the second terminal equipment. 19. A terminal equipment in a public communication network, which terminal equipment (500) comprises: a message interface (514) for connecting the terminal equipment (500) with the communication network (506), via which message interface (514) the terminal equipment (500) is arranged to open at least one predetermined application port / memory (512) against the communication network (506), in which is stored at least one transmitter identifier, which specifies at least a second terminal equipment which is capable of communicating with the terminal equipment (500); characterized in that: the terminal equipment (500) is arranged to receive in said predetermined application port a first message, which contains alarm, condition and / or control information, extract the transmitter identifier from the contents of the first message , comparing the picked transmitter identifier with the identifiers stored in the terminal equipment (500) in advance, and if the selected transmitter identifier corresponds to a pre-stored identifier in the terminal equipment, in response to the first message for securing its origin, sending a receipt message to a IP address corresponding to the picked transmitter identifier, which includes a transmitter identifier belonging to the terminal equipment (500), in response to the transmission of the acknowledgment message receiving a response message; and reject the first message, if the reply message contains a request for rejection of the first message. Terminal equipment according to Claim 19, 15, characterized in that before the transmission stage, the terminal equipment (500) is arranged to form a first socket for the transmitter of the first message and at the said transmission stage the terminal equipment (500) is arranged to write said acknowledgment message. 20 in said first socket. Terminal equipment according to claim 19 or 20, characterized in that the message interface (514) is further arranged to receive in the second predetermined application port a second message, which originates from the same transmitter as the first message, and that the terminal equipment (500) is arranged to pick out the transmitter identifier from the second message, compare the picked transmitter identifier with the identifiers stored in the terminal equipment, and if the selected transmitter identifier corresponds to a identifier in the terminal equipment, the second transmitter the message a second socket and in response to the second message sending a receipt message, which comprises the transmitter identifier belonging to the terminal equipment, by writing said acknowledgment message in the formed second socket. Terminal equipment according to claim 19 or 20, characterized in that the message interface (514) is arranged to receive a third message via the first socket and that the terminal equipment (500) is arranged to receive from the third message. picking out the transmitter identifier, comparing the picked transmitter identifier with the pre-stored identifiers in the terminal equipment, and if the selected transmitter identifier corresponds to a pre-stored identifier in the terminal equipment, in response to the third message, sending a receipt message, which includes transmitter identifier which belongs to the terminal equipment, by writing said acknowledgment message in the formed second socket. Terminal equipment according to any of claims 19 to 22, characterized in that the terminal equipment (500) is arranged to reject a received message, if the message does not contain a transmitter identifier or if the transmitter identifier removed from the first message does not correspond to any one. 25 identifiers are stored in the terminal equipment in advance. Terminal equipment according to any of claims 19-23, characterized in that the terminal equipment (500) is further arranged to check if the received message in its form is acceptable. Terminal equipment according to claim 24, characterized in that the message in its form is acceptable if the message syntax is correct and / or the message is correctly encrypted. Terminal equipment according to any of claims 19-25, characterized in that the terminal equipment (500) is arranged to transmit to a predetermined reference terminal equipment a synchronization message, comprising the transmitter identifier of the terminal equipment (500), in response to the transmission of the transmission signal by the transmitter. receiving from the reference terminal equipment a message which comprises a time reference and setting the time equipment counter (500) according to the received time reference. Terminal equipment according to any of claims 19 to 26, characterized in that the terminal equipment (500) is arranged to receive from another terminal equipment a synchronization message, which comprises the transmitter identifier of the other terminal equipment, to pick up from the synchronization message. out the transmitter identifier of the other terminal equipment, compare the picked transmitter identifier with the identifiers stored in the terminal equipment in advance, and in response to receiving the synchronization message send to the corresponding IP address an identifiable message which includes the terminal equipment's (500) time. 28. Terminal equipment according to claim 26 or 27, characterized in that the terminal equipment (500) is arranged to form a decryption key for the encryption by utilizing the time of reception of the terminal equipment (500), if the message is encrypted and decrypted. using the decryption key. Terminal equipment according to any of claims 19 to 28, characterized in that said at least one predetermined application port comprises a UDP port and / or a TCP port. 30. Terminal equipment in a public communication network, which terminal equipment (500) comprises: a message interface (514) for connecting the terminal equipment (500) with a communication network (506), via which message interface (514) the terminal equipment (500) is arranged to open at least one predetermined application port against the communication network (506); a memory (512) in which at least one transmitter identifier is stored which specifies at least a second terminal equipment which is capable of communicating with the terminal equipment (500); characterized in that: the terminal equipment (500) is arranged to form a first message, which comprises alarm, condition and / or control information and the transmitter identifier of the terminal equipment, send a first message to the receiver, from the second terminal equipment to receive a receipt message , which comprises a transmitter identifier associated with the acknowledgment message transmitter; checking whether the terminal equipment (500) of the second terminal equipment sent the first message, which would have received receipt of the acknowledgment message from the second terminal equipment; and sending a rejection message to the IP address corresponding to the transmitter identifier containing the acknowledgment message, if the terminal equipment (500) has not previously sent the first message to the second terminal equipment. 31. Terminal equipment according to claim 30, 30, characterized in that the terminal equipment is arranged to encrypt at least part of the message with an encryption key, which is formed by utilizing the value of the transmission equipment's time counter transmit time. Terminal equipment according to claim 30 or 31, characterized in that the terminal equipment is further arranged to send an approval message to the second terminal equipment, if the terminal equipment (500) previously sent a first message to the second terminal equipment. 33. Terminal equipment according to claim 30 or 31, characterized in that the terminal equipment is further arranged not to send a separate approval message to the second terminal equipment, if the terminal equipment (500) previously sent a first message to the second terminal equipment. 34. Terminal equipment according to any one of claims 30 to 33, characterized in that said at least one predetermined application port comprises a UDP port and / or TCP port. A method for identifying a terminal equipment in a public communications network (606), the method comprising the steps of: a first terminal equipment (500) being connected to the public communication network (606) directly or via another network, such that the first terminal equipment (500) ) does not have a global static IP address; in the memory (512) of the first terminal equipment (500), at least one identifier is stored which specifies at least one second terminal equipment which is capable of communicating with the first terminal equipment; characterized in that the method further comprises the stages: in response to an alarm, condition and / or control event, a first message is formed, which comprises the identifier of the first terminal equipment (500); said first message is sent to a certain second terminal equipment IP address stored in the memory (512) of the first terminal equipment (512) to a predetermined first application port; in response to the first message, a second message is received; the transmitter identifier is extracted from the second message's content data; The selected transmitter identifier is compared with the pre-identified identifiers stored in the first terminal equipment, and if the selected transmitter identifier corresponds to an identifier stored in the first terminal equipment (500) and the first terminal equipment (500) previously sent a connection message. to the terminal equipment identified by the transmitter identifier, the first connection established between the first (500) and the second terminal equipment is approved. 36. A method according to claim 35, characterized in that said first message constitutes the synchronization request message of the time reference and the method further comprises the stage: the timer of the first terminal equipment (500) is set according to the time reference which the second message received contains. 37. A method according to claim 35 or 36, characterized in that the method further comprises the stages: in response to an alarm, condition and / or control event, a third message is formed, which comprises the identifier of the first terminal equipment; Said third message is sent to a certain second terminal equipment IP address stored in the memory (512) of the first terminal equipment (512) to a predetermined second application port; in response to the third message, a message is received; from the message content data, the transmitter identifier is picked out; the picked transmitter identifier is compared with the identifiers stored in the first terminal equipment in advance, and if the selected transmitter identifier corresponds to an identifier stored in the first terminal equipment (500) and the first terminal equipment (500) previously sent a If a connection message to the terminal equipment identified by the transmitter identifier, the second connection formed between the first (500) and the second terminal equipment is approved. 38. A method according to any of claims 35 to 37, characterized in that the method further comprises the stage: the received message is rejected, if there is no transmitter identifier in the first message or if the transmitter identifier removed from the first message does not correspond to any one. Identifier stored in advance in the terminal equipment (500). 20 39. A method according to any of claims 35 - 38, characterized in that the method further comprises the stage: in the first terminal equipment (500), the received message to its form 25 is verified. A method according to claim 39, characterized in that the received message is acceptable in its form, if the message's syntax is correct and / or the message is correctly encrypted. 41. A method according to any of claims 35 to 40, characterized in that the method further comprises the stages: a fourth message is formed in the first terminal equipment (500), comprising alarm, condition and / or control information; and the message is sent to the recipient via the first or second connection. 42. The method of claim 41, characterized in that the method further comprises the stage: at least a portion of the message is encrypted with an encryption key, which is formed by utilizing the value of the terminal equipment's time of transmission. 10 43. A method according to any one of claims 35 to 42, characterized in that the method further comprises the stage: with the first terminal equipment (500) a fifth message is received via the first or second connection; the transmitter identifier is extracted from the contents of the fifth message; the picked transmitter identifier is compared with the identifiers stored in the first terminal equipment in advance, and if the selected transmitter identifier corresponds to an identifier stored in the first terminal equipment, transmitted via the first connection or the second connection on the basis of the transmitter identifier 25 the fifth message a receipt message, which includes the identifier belonging to the first terminal equipment (500). 44. The method of claim 43, characterized in that it further comprises the stages: with the first terminal equipment (500) receiving from the second terminal equipment via the first connection or the second connection a acknowledgment message comprising the transmitter identifier belonging to the terminal. other terminal equipment; it is checked if the first terminal equipment (500) previously sent to the second terminal equipment a message which would have sent the received acknowledgment message / and to the second terminal equipment a rejection message is sent, if the first terminal equipment (500) was not previously sent sent to the second terminal equipment a message, which would have been sent sending the acknowledgment message to the first terminal equipment (500). 10 The method according to any of claims 35 - 44, characterized in that said first and / or second application port is a TCP port. 46. Terminal equipment in a public communications network, which includes terminal equipment (500): a message interface (514) for connecting a terminal equipment (500) to a communication network (506), so that the terminal equipment (500) does not have 20 a global static IP address; a memory (512) in which at least one identifier is stored, which specifies at least a second terminal equipment which is capable of communicating with the terminal equipment (500); Characterized in that: the terminal equipment (500) is arranged in response to an alarm, condition and / or control event to form a first message, comprising the identifier of the first terminal equipment, to transmit said first message to a the first terminal equipment memory stored certain second terminal equipment IP address to a predetermined first application port; in response to sending the first message, receiving a second message, picking out the transmitter identifier from the second message's content data, comparing the picked transmitter identifier with the identifiers stored in the first terminal equipment, and if the selected the transmitter identifier corresponds to a pre-identified identifier stored in the first terminal equipment and if the first terminal equipment previously sent a connection message to the terminal equipment identified by the transmitter identifier, approve the first formed connection between the first and second terminal equipment. 47. Terminal equipment according to claim 46, 10, characterized in that said first message is a time reference synchronization request message and that terminal equipment (500) is further arranged to set the time counter in accordance with the time reference contained in the received second message 15. 48. Terminal equipment according to claim 46 or 47, characterized in that the terminal equipment (500) is further arranged as a response to an alarm, condition and / or control event 20 to form a third message, comprising the identifier of the first terminal equipment, that sending said third message to a certain second terminal equipment IP address stored in the memory of the first terminal equipment to a predetermined second application port; and that the message interface (514) is arranged to receive a message in response to the transmission of the third message, and that the terminal equipment (500) is arranged to extract from the message contents data of the message, to compare the selected transmitter identifier the identifiers stored in the first terminal equipment in advance and if the selected transmitter identifier corresponds to an identifier stored in the first terminal equipment and if the first terminal equipment previously sent a connection message to the terminal equipment identified by the transmitter identifier between the first and second terminal equipment. 49. Terminal equipment according to any of patent claims 46 - 48, characterized in that the terminal equipment is further arranged to discard the received message, if there is no transmitter identification in the message or if the transmitter identifier extracted from the message does not correspond somewhat. of the identifications stored in advance in the terminal equipment. 50. Terminal equipment according to any of patent claims 46 - 49, characterized in that the terminal equipment is further arranged to check if the received message in its form is acceptable. 51. Terminal equipment according to claim 50, characterized in that the received message in its form is acceptable, if the message's syntax is correct and / or the message is correctly encrypted. 52. Terminal equipment according to any of patent claims 46 - 51, characterized in that the terminal equipment (500) is further arranged to form a fourth message, which comprises alarm, condition and / or control information and sends the message to the receiver via the first or the other connection. 53. Terminal equipment according to claim 52, characterized in that the terminal equipment is further arranged to encrypt at least part of the message with an encryption key, which is formed by utilizing the value of the terminal equipment's time of transmission. 54. Terminal equipment according to any of claims 46 to 53, characterized in that the terminal equipment (500) is further arranged to receive a fifth message via the first or second connection, to extract the transmitter identifier from the fifth message's data. comparing the picked transmitter identifier with the identifiers stored in the first terminal equipment in advance, and if the selected transmitter identifier corresponds to an identifier stored in the first terminal equipment via the first or second connection on the base of the transmitter identifier in response to the fifth message, a receipt message, which comprises the identifier belonging to the first terminal equipment. 55. Terminal equipment according to claim 54, characterized in that the terminal equipment (500) is further arranged to receive from the second terminal equipment via the first or second connection a receipt message, comprising a transmitter identification belonging to the second terminal equipment, the first terminal equipment transmitted to the second terminal equipment a message which would have sent the transmission of the received acknowledgment message, and send to the second terminal equipment a rejection message, if the first terminal equipment had not previously sent to the second terminal equipment a message. message, which would have been sent sending the acknowledgment message to the first terminal equipment. 56. Terminal equipment according to any of claims 46 to 55, characterized in that said first and / or second application ports comprise a TCP port.