JP2005535269A - Communication start method, system, authorization portal, client device and server device - Google Patents

Abstract

Disclosed is a method and system in which an authorized server device can initiate Internet communication between a client device and a server device via an authorization portal. When the server device desires to start Internet communication with a specific client device, the server device sends an Internet message to the authorization portal. The authorization portal relays the message to the client device via a communication protocol other than the Internet, such as SMS. The client device receives the message and establishes Internet communication with the server device. This allows the server device to go through Internet communication regardless of NAT, firewall, or others that are also preventing the server device from starting communication.

Description

  The present invention includes, for example, GSM SMS (Global System for Mobile Communication Short Message Service), ERMES (European Radio Message System) and VPN (Virtual Private) but not VPN The present invention relates to a method and software capable of causing a server device connected to the Internet to start Internet communication with a client device using an asynchronous message communication system, and is particularly affected by undesired network traffic. And the client device is always connected to the Internet. As there is no need, a method and software to start Internet communication to the server apparatus.

  In this specification, the terms “host”, “client”, and “server” are used to indicate a system that communicates using the Internet. The Internet is generally defined as a collection of data communication networks that use the protocol TCP / IP. The Internet is a communication infrastructure (infrastructure) used by applications such as WWW (World Wide Web), electronic mail (e-mail), and file transfer protocol (FTP). A host refers to any system that can communicate using the Internet. Non-limiting examples of hosts can include embedded systems including computers, automotive systems, appliances, measuring instruments, microcontrollers or microprocessors. The server is a host that provides a service accessed by communication on the Internet. Most servers are always connected to the Internet, as described below. The client is a host that accesses a server service through communication on the Internet. Each host can be a client in some services and a server in other services. That is, a host can be a client and a server at the same time.

  A host can be connected to the Internet in two ways. The first is dial-up connection. In this case, the host includes a device such as a modem. The device creates a physical network connection (means for carrying digital signals) with a similar device owned by an Internet provider (hereinafter referred to as ISP). ISPs have other modems that connect to a special type of host called a router. The router is always connected to the Internet backbone network (permanently connected communication network that carries IP packets between ISPS). The host and router execute TCP / IP through a physical network connection. The router forwards the host IP packet to or from the remaining Internet.

  The second is always connected. In this case, the host is always physically connected to the ISP router through the network. The TCP / IP protocol is executed via this physical network.

  Dial-up connection is used due to the following three factors. First, at present, most of the physical network connection between the host and the ISP uses a line switching infrastructure provided by a telephone company. This line-switching infrastructure is wired (telephone line), fiber optic cable, wireless, etc., but it was originally designed for voice telephone technology and for two connected devices. As long as the connection is made, resources must be allocated to the connection.

  As a result, telephone companies usually charge for the connection time, not the amount of data, as in the case of voice calls. Therefore, for cost reasons, the client often maintains a physical network connection with the ISP only when it wants to communicate with a server on the Internet.

  The second reason for performing the dial-up connection is related to the cost in the same manner as the first reason. Even if there are a large number of hosts, the number of hosts included in one communication via the Internet is very small. For this reason, even if the number of telephone lines and modems is the same, the ISP can support more hosts than if the hosts are always connected to the ISP router by using a dial-up connection that is a temporary connection. it can. For this reason, ISP can reduce the cost of service according to dial-up connection.

  Third, in a cellular radio communication system such as GSM, there may be a situation where the capacity of the communication system is insufficient to support a large number of simultaneous connections from hosts in the same cell. . Multiple hosts within a cell are supported only when each host makes a relatively short dial-up connection via a wireless communication system.

  As described above, when a client uses a dial-up connection to communicate with a server, a physical network connection must be established between the client and the ISP. When a client initiates communication, the client needs to establish a physical connection. A connection initiated by a client is common in dial-up connections. For example, when a web browser is activated on a PC (Personal Computer), the PC generates a dial-up connection with the ISP.

  However, when communication with the client is started from the server side, the situation becomes complicated. In principle, it is possible for the ISP to receive an IP packet from the server to the client and to establish a physical network connection between the ISP and the client. This is not generally done due to billing issues. Obviously, if the client initiates communication and establishes a physical network connection with the ISP, the client side should pay for the connection. If the server wants to communicate with the client, it is difficult to determine who will pay for the connection. If the communication is related to the service that the client wants, it can be said that the ISP is correct to take the connection fee from the client. However, if the server sends unnecessary electronic mail (so-called SPAM) that the client does not want to the client, the client will not want to pay for the connection. If the server can start communication, it is very effective for many applications. For example, a server that monitors traffic conditions desires to send a notification of traffic congestion to clients located in the vehicle.

  There are two additional problems associated with server-initiated Internet communications. These problems occur regardless of whether the client is always connected to the Internet or dial-up. The first problem is related to NAT (Network Address Translation). A host connected to the Internet is identified by an IP address. If two hosts are connected to the Internet for communication, each host must have a unique IP address. An IP address that is unique on the entire Internet is called a global IP address. An IP address is represented by a 32-bit number. The use of bits in an IP address is structured to reflect the network topology and real world organization. Therefore, not all 232 possible IP addresses are used. The global IP address is insufficient and cannot be assigned to all hosts. The ISP solves this problem using NAT.

When a host makes a dial-up connection with an ISP router, the host is assigned a private IP address by the ISP during the connection. This private IP address uniquely identifies the host in the ISP network, but does not need to be able to uniquely identify the host in the entire Internet. (A specific range of IP addresses is reserved for this purpose.)
When a host communicates with a host existing outside the ISP network to which the host belongs, the router that sends the IP packet of the internal host to the Internet backbone network uses the private address in the IP packet as its global IP address. Replace with The router also remembers that the internal host has sent an IP packet to the external host. When an external host responds, the external host sends an IP packet to the ISP router. This is because the IP packet received by the external host includes the global IP address of the router as the source address. The ISP router understands that the IP packet is a response to the internal host, and sends the packet to the internal host.

  A host outside the ISP cannot directly communicate with a host in the ISP's internal network based on the IP address. This is because the host in the internal network does not have a global IP address. Hosts outside the ISP can communicate only with the ISP router. The NAT performs processing only when the internal host (in most cases, the client) of the ISP transmits the first packet for communication (for example, opening a TCP connection). Then, the router can convert between the private IP address of the host and the global IP address of the router (see FIG. 1).

  A second problem associated with server-initiated Internet communications is associated with firewalls. A firewall is a device that restricts IP packets that are allowed to enter or leave an organization's internal TCP / IP network. Typically, firewalls are configured to allow communication between hosts in the network and hosts outside the network when the first IP packet of communication is sent from a host in the organization's internal network . This setting is used to prevent unnecessary IP packets from being sent to hosts inside the organization.

  Even when the hosts are connected to different physical networks, the organization connects the hosts to each other using a technology such as a virtual private network (hereinafter referred to as VPN). A virtual TCP / IP network is formed. In other words, some hosts in the virtual network are connected to the same physical network, while other hosts are connected to the virtual network via channels on the Internet or other means. Hosts in the same virtual network send IP packets to each other without limitation. Hosts outside the virtual network cannot send unsolicited IP packets into the virtual network. This is because VPN is generally connected to the Internet backbone network via NAT or firewall. The specific example of the present invention is applied to communication between a client arranged in such a virtual network and a server arranged outside the virtual network (see FIG. 2).

  IPv6 (RFC2460, Internet Protocol, Version 6: S. Deering, R. Hinden, December 1998), a new TCP / IP protocol, alleviates the shortage of IP addresses.

  Other new network technologies such as GPRS and ADSL allow clients to stay connected to the Internet at all times. Nevertheless, many ISPs and other organizations maintain Internet communications using NAT or firewalls. This is to prevent malicious external hosts from sending unnecessary IP packets that are not required inside the organization. This is particularly important in technologies that require attention to IP packets received by the host, such as GPRS. Therefore, even if a new technology that enables IPv6 or always-on connection is provided, the problems related to Internet communication initiated by the above-described server are not solved.

  Currently, in applications where the server must be able to initiate communication with the client, the client must always be connected to the Internet, and the client must not be under NAT. In this case, the client needs a dedicated physical network connection with the ISP and a dedicated capacity in the ISP, and the client must have a global IP address, which is expensive for the client. Let's go. As described above, it can be said that a true always-on connection is impossible in a cellular radio communication system. Further, in order to prevent the client from receiving an IP packet not requested, a NAT or a firewall is used even when the client is not always connected to the Internet.

  For example, a VoIP (Voice-over-Internet Protocol) system is provided as described in GB2350012, GB2334176, EP1191772, EP0779443 and WO98 / 05145. In the VoPI system, when the first device wants to establish a VoIP connection with the second device, the first device calls the second device via a PSTN (Public Switched Telephony Network) or a wireless network and transmits an identification signal. Then, the second device connects to the Internet and establishes communication with the first device by transmitting an identifier that can be recognized by the first device. These technologies rely on non-Internet forms of signal transmission to cause a VoIP phone that is not normally connected to the Internet to dial into the Internet through an ISP. These VoIP systems do not take into account any problems involved in communication through NAT routers, firewalls, and the like. Certainly, VoIP systems typically use H323 or similar protocols, which can be at least partially inoperative, left open, or extremely complex Requests to be a proxy.

  According to a first aspect of the present invention, a method for starting Internet communication between a client device and a server device is provided. The client device and the server device are separated from each other by a firewall or NAT, and the server device generates a message transmitted to the client device by avoiding the firewall or the NAT router via a communication protocol other than the Internet. Upon receiving the message, the client device initiates the Internet or similar connection to the server device via the firewall or NAT router.

  According to a second aspect of the present invention, there is provided a client device that establishes an Internet connection with a server device upon receiving a message transmission first induced by the server device. The message is received by the client device via a communication protocol other than the Internet. The client device and the server device are separated from each other by a firewall or a NAT router. The client device initiates the Internet or similar connection to the server device via a firewall or the NAT router.

  According to a third aspect of the present invention, there is provided a server device that generates a message to be transmitted to a client device via a communication protocol other than the Internet. The server device and the client device are separated from each other by a firewall or a NAT router. After receiving the message, the client device initiates the Internet or similar connection with the server device via the firewall or NAT router.

  According to a fourth aspect of the present invention, a system including at least a client device and a server device is provided. The client device and the server device are separated from each other by a firewall or NAT. The server device generates a message that is transmitted to the client device by avoiding the firewall or the NAT router via a communication protocol other than the Internet. Upon receiving the message, the client device initiates the Internet or similar connection to the server device via the firewall or NAT router.

  According to a fifth aspect of the present invention, an authorization portal is provided. The authorization portal receives a signal from a predetermined server device and transfers a message to a predetermined client device via a communication protocol other than the Internet. The predetermined client device and the predetermined server device are separated from each other by a firewall or NAT. The client device then receives the message and initiates the Internet or similar connection to the server device via the firewall or NAT router.

  As described above, according to the present invention, when the client device is not always connected to the Internet or when the client device is under NAT, the client device is not required to have an external host inside the organization. Even if you are part of an organization that uses a firewall to prevent sending IP packets, the server device can start Internet communication with the client device.

  In the embodiment of the present invention, for example, GSM SMS (Global System for Mobile communication Short Message Service), ERMES (European Radio Message System), RDS (Radio DataLess) (Radio Frequency), as a communication protocol other than the Internet, the present invention is applied to an asynchronous message communication system that includes (but is not limited to) Traffic Attribute 3 or UDP transmitted on a VPN (Virtual Private Network).

  In this message communication system, Internet communication with a client device that performs dial-up connection and / or a client device under the NAT or firewall is connected to the server device as if it is always connected without being under the NAT or firewall. Can be started. An important feature is that it is the client device that initiates the Internet or similar connection (eg, TCP connection) with the server device. Thereby, a connection through a firewall or a NAT router is generated. If the server device attempts to start communication with the client device, it will not succeed due to the presence of a firewall or NAT router.

  If the client device is not currently connected to the Internet, or if an IP packet cannot be sent to the client device from a host outside the organization to which the client device belongs, a message is transmitted by the authorization portal to notify the client device .

  The authorization portal is a device that can notify a client device to establish a connection to the Internet, such as a computer or a network router. The authorization portal can notify the client device at any time, for example, by sending a message to the client device using the asynchronous message communication system described above. For example, GSM SMS is used. In this case, the authorization portal sends an SMS message using a GSM modem or SMS service center. The client device receives the SMS message using a GSM modem. A GSM modem is an example of a usable method.

  Preferably, the client device is provided with means for determining that the message sent using the asynchronous message communication system is sent by a trusted authorization portal.

  When an authorization portal sends a signal to a client device, for example, the identifier of the client device, the identifier of the authorization portal, and a non-repeating value (eg, date, time, date and time, a value generated by a hardware counter or clock, random A message of an asynchronous message communication system including a valid numerical value and information (nonce) valid only at that time) may be transmitted to the client device. The authorization portal may add an electronic signature of the message to the message body. When a client device receives a message, the identifier of the client device included in the message is its own identifier, the identifier of the authorization portal included in the message is an authorization portal identifier that it trusts, or a value that does not repeat. Is not a known value, and the digital signature attached to the message is correct. If any confirmation fails, the message is discarded.

  Since the client device trusts the authorization portal and the authorization portal trusts the server device, it can be said that the (client) device is only instructed to connect to the server device that the device trusts. This is an important feature in the embodiment of the present invention and is clearly different from the conventional technology related to the VoIP system.

  The electronic signature is generated by a first party that performs special mathematical processing on the data to be signed. The output of the process becomes an electronic signature. The process is such that by examining the data and its signature, the second party can confirm that the data has not changed since the signature was generated and that the first party has generated the signature. Many different electronic signature processes can be applied, and the present invention does not depend on a specific process. Two examples are illustrated below.

Example 1: A one-way function with secret information shared by some means. Some means is, for example, secure Internet communication, manual setting, or programming. Certain data, referred to as “shared secret information”, is known only to authorized portals whose values are trusted by the client device. The data is stored in a built-in or external memory device of the client device and a built-in or external memory device of the authorization portal. The authorization portal applies a one-way function to the message and shared secret information to generate an electronic signature. For example, if F is a one-way function, S is shared secret information, and M is a message, the electronic signature is F (M, S).

  Upon receiving the message, the client device generates an electronic signature by applying the same one-way function to the message and the shared secret information held by the client device. If the electronic signature generated by the client device does not correspond to the electronic signature added to the received message, the message is discarded.

  A one-way function is a mathematical function that outputs Y when X is input. The one-way function has a feature that the input value X cannot be obtained from the output value Y. Since shared secret information known only by the client device and the authorization portal is included in the input value of the one-way function, only the client device and the authorization portal can generate an electronic signature by a method other than guessing. The one-way function is used to prevent an attacker from guessing the electronic signature generated by the one-way function because the output value can vary. Since the input value of the one-way function cannot be obtained from the output value, even if the attacker can obtain the message and signature, the secret information cannot be estimated. Examples of the one-way function include MD5 (Message Digest 5 algorithm), SHA-1 (US Secure Hash Algorithm 1), HMAC-MD5 (Keyed-Hashing for Message Authentication MD5), and HMAC-HSFH SHA-1) can be exemplified.

  Example 2: Public key cryptosystem. Only a trusted authorization portal knows the value, and data called a private key (private key) is stored in an internal or external memory device of the authorization portal. For example, data having a special relationship with the above private key, which is called a public key, is stored in the client device's internal or external memory by some means such as secure Internet communication, manual setting, or programming. Stored in the device. The authorization portal first performs data compression processing on the message, and then generates an electronic signature by encrypting the compressed message using a public key encryption algorithm using a private key. Upon receiving the message, the client device decrypts the signature by using the public key and the corresponding public key decryption algorithm. Then, the client device performs the same data compression processing on the message copy, and confirms whether the result of the compression processing is the same as the decrypted signature. If the result of the compression process and the decrypted signature are not the same, the message is discarded.

  In the public key cryptosystem, an encryption algorithm, a decryption algorithm, and a pair of keys called a public key and a secret key are used. Data encrypted with the private key can only be decrypted with the corresponding public key. Similarly, data encrypted with the public key can only be decrypted with the corresponding private key. Therefore, if the authorization portal holds the secret key secretly (securely) and the client device knows the authorization portal's public key, the client device that has successfully decrypted some data using the public key You can be confident that the data was encrypted by the authorization portal. The public key encryption scheme includes, for example, RSA (Rivest-Shamir-Adleman).

  The data compression process is a mathematical process in which X is input and Y is output. The data compression process is characterized in that the output value Y has a smaller number of bytes than the input value X. Also, it is very difficult to predict Y from X without performing data compression processing on X. Examples of data compression processing include MD5 and SHA-1.

  According to an embodiment of the present invention, a client device is guaranteed that an asynchronous messaging system message is sent to the client device by an authorization portal trusted by the client device, and that the message has not been modified since it was sent. The Also, since there are non-repeating values, the client device can detect and discard old messages received previously. Such a message may have been retransmitted by mistake by the authorization portal, or it may have been deliberately retransmitted by an attacker. Examples of non-repeating values include date, time, date and time, a value generated by a hardware counter or clock, a random numerical value, and information (nonce) valid only at that time.

  According to an embodiment of the present invention, a means for first establishing a dial-up connection to the Internet if necessary and notifying the client device that TCP / IP communication with a specific server device should be established is trusted. Provided to the authorization portal. The term TCP / IP communication is used to describe any communication mechanism that uses the TCP / IP protocol set. This includes, for example, the exchange of TCP packets and UDP packets. The authorization portal may cause the client device to establish TCP / IP communication with a specific server device. The asynchronous message used to send the notification explicitly or implicitly includes a specific server device identifier. Upon receipt of the message, the client device verifies whether the message was sent from a trusted authorization portal. If the message was sent from a trusted authorization portal, the client device responds as follows:

1. If the client device is not yet connected to the Internet, a dial-up connection with the ISP is established.

2. The client device establishes TCP / IP communication with the server device identified explicitly or implicitly by the message. Since TCP / IP communication is established by the client device, the first IP packet is transmitted by the client device. TCP / IP communication operates normally when the ISP to which the client device belongs uses NAT or when the organization including the client device uses a firewall. (TCP / IP communication is initiated by means including, for example, opening a TCP connection or sending a UDP packet.) According to an embodiment of the present invention, in such a way that the authorization portal can confirm the identity of the server device. A means for sending a request to the trusted authorization portal is provided to the trusted server device.

  In order to realize this, the server device may use a secure Internet communication protocol such as SSL (Secure Sockets Layer), TLS (Transport Layer Security), or the like for communication with the authorization portal. Such a secure Internet protocol uses, for example, an electronic certificate to prove the identity of the authorization portal to the server device. Examples of electronic certificates include X. 509 and the like.

  The server device may use, for example, its own electronic signature or password to prove its identity to the authorization portal. Once the server device and the authorization portal confirm each other's identities, the authorization portal accepts a request from the server device transmitted via a secure internet communication protocol.

  According to embodiments of the present invention, the client device owner (eg, an entity authorized to manage the activities of a human or client device) may be identified as described above by any means including, for example, manual configuration. Can be notified to the authorization portal trusted by the client device that the server device is authorized to send a signal to the client device.

  The asynchronous message transmitted from the authorization portal to the client device preferably includes control information. The control information includes, for example, the priority order of messages that the client device should respond to, and the reason why the server device wants to communicate with the client device (see FIG. 3). The control information may alternatively or additionally include one or more instructions in addition to a simple instruction to establish an internet connection. For example, the control information may include an instruction for causing the client device to establish an Internet connection with the server device and automatically transfer predetermined data such as a status report and a data log.

Embodiments of the present invention include the following features and advantages.
1. If the client device is not always connected to the Internet, or if the client device is under a NAT, a firewall is installed to prevent the client device from sending unnecessary IP packets that are not required by the external host inside the organization. Even if it is a part of the organization in use, the server device can start Internet communication with the client device.

  2. Only the authorization portal trusted by the client device uses the electronically signed asynchronous message communication system message to notify the client device to establish TCP / IP communication with the server device. be able to. Then, only the server device permitted by the owner of the client device causes the client device to notify the authorization portal trusted by the client device to establish a TCP / IP session with the server device. Can do. In this way, the owner of the client device can control which server device is allowed to allow the client device to establish TCP / IP communication with the server device.

  3. Implementation of the present invention on a client device under NAT or on a client device that is part of an organization that uses a firewall to prevent external hosts from sending unwanted IP packets that are not required inside the organization When the form is applied, only the server device permitted by the owner of the client device can start Internet communication with the client device. Other hosts outside the NAT or firewall cannot send IP packets to the client device. This eliminates the need for the client device to receive unwanted IP packets. In particular, in an environment where the client device side must pay for receiving an IP packet, the client device only has to pay for the packet approved by the owner.

  4). Since the server device can start Internet communication even if NAT is present, according to the embodiment of the present invention, the server device can start Internet communication even if the client device does not have a global IP address.

  5). As described above, since the server device can start Internet communication even if the client device does not have a global IP address, according to the embodiment of the present invention, IPv6 is used to solve the IPv4 address shortage. Even without this, the server device can start Internet communication.

  For a further understanding of the present invention and to illustrate how the present invention provides advantages, reference is made to the accompanying drawings. FIG. 1 shows a conventional client-server configuration for dial-up Internet connection. FIG. 2 shows a configuration of a conventional client-server in which a firewall is implemented. FIG. 3 shows a client-server configuration according to an embodiment of the present invention. FIG. 4 illustrates a trust relationship between an end user, an embedded device, a server device, and an authorization portal according to an embodiment of the present invention.

  FIG. 1 shows a conventional configuration including two client devices 1 and 2 (for example, each client device may be an embedded device). The two client devices 1 and 2 can be connected to the ISP 3 through dial-up connections 4 and 4 '. ISP3 uses NAT. In other words, the client devices 1 and 2 are known only to the ISP 3 and have a dedicated private IP address used only by the ISP 3. The ISP 3 has a global IP address, and the ISP 3 can directly communicate with another server device 6 via the global Internet backbone network 5 using the global IP address. According to the example shown in the figure, the communication is performed via the continuous connections 7 and 8. In this case, for example, when the client device 2 needs to communicate with the remote server device 6, the client device 2 must first establish a dial-up connection with the ISP 3. The client device 2 transmits at least one packet including its own private IP address and the global IP address of the server device 6, and the IP packet is first transmitted to the ISP 3. The ISP 3 remembers the private IP address of the client apparatus 2 that is the source of the IP packet, replaces the private IP address in the IP packet with its own global IP address using NAT, and then converts the IP packet to the Internet backbone network. 5 to the server device 6. The response from the server device 6 is transmitted to the client device 2 via the Internet backbone network 5 by a response IP packet destined for the global IP address of the ISP 3. The ISP 3 can determine that the IP packet is for the client device 2 from the data included in the response IP packet using the NAT. Then, the ISP replaces the global IP address in the response IP packet with the private IP address of the client device 2 and sends it to the client device via the dial-up connection 4. According to this conventional configuration, since the private IP addresses of the client apparatuses 1 and 2 are not known to the server apparatus 6, the server apparatus 6 cannot start communication with the specific client apparatuses 1 and 2.

  FIG. 2 shows a conventional configuration including client devices 10, 11, 12, and 13. The client devices 10, 11, 12, and 13 are connected to each other within a private TCP / IP network 14 (for example, a LAN or WAN operated by a company or organization). The private TCP / IP network 14 includes a firewall device 15 that communicates with the outside via the Internet backbone network 5. As shown in FIG. 2, the firewall device 15 may be configured as an ISP, or may be connected to the Internet backbone network via an independent ISP 3 as shown in FIG. Similarly to FIG. 1, a server device 6 connected by a constant connection 8 is also provided. The firewall device 15 permits communication between the client device 10 and the server device 6 only when the first IP packet is transmitted from the client device 10 in the private TCP / IP network 14. This prevents an unsolicited IP packet from being transmitted from the outside to the client device 10 in the private TCP / IP network.

  FIG. 3 shows a configuration according to an embodiment of the present invention. As described above, the client device 20 that communicates with the remote server device 6 via the Internet router 5 via the NAT router and / or the firewall 21 is shown. The client device 20 has a dial-up or constant connection 22 to the NAT router and / or firewall 21, and the NAT router and / or firewall 21 has a dial-up or constant connection 23 to the Internet backbone network 5. The server device 6 is always connected 8 to the Internet backbone network 5. Furthermore, an authorization portal 24 that is always connected to the Internet backbone network 5 is provided. When the remote server device 6 desires communication with the client device 20, the server device 6 transmits a communication start signal to the authorization portal 24 via the Internet backbone network 5. The communication start signal includes identification information that identifies the client device 20 that should establish communication with the server device 6.

  The client device 20 has several unique identifier forms, and the authorization portal 24 has a database mapping various client device 20 identifiers. In the database, the addresses required for the appropriate asynchronous message communication protocol 26 are mapped. The identifier type of the client device 20 may be the most suitable for the application. For example, if the client device 20 is a device incorporated in a vehicle and the asynchronous message communication protocol 26 is GMS SMS, the appropriate client identifier can be the registration number or vehicle identification number (VIN) of each vehicle. The address of the message communication may be a telephone number of a GMS modem provided in the automobile related to the client device 20 incorporated therein.

  The server device 6 transmits a message “I want to communicate with a client device incorporated in a car having a registration number X123 ABC” to the authorization portal 24 via the Internet backbone network 5. The authorization portal 24 searches the database for the registration number “X123 ABC”, and obtains the telephone number (for example, “07777 123 456”) of the GMS modem associated with the client device 20 incorporated in the inquiring car. The authorization portal 24 then transmits the SMS message to the GSM modem having the number “07777 123 456” associated with the client device 20 by the asynchronous message communication protocol 26. The client device 20 receives a message from the authorization portal 24, and whether the message is from a predetermined server device 6 trusted by the client device 20 (and optionally the message is also the client device). 20 and / or the remote server device 6 trusted by the authorization portal 24). The client device 20 responds to the message by, for example, establishing TCP / IP communication with the remote server device 6 via the NAT router / firewall 21 and the Internet backbone network 5. Importantly, in this example, it is not necessary for the server apparatus 6 to know the message communication address or private IP address of the client apparatus 20, and it is effective that the server apparatus 6 knows the private IP address of the client apparatus 20 by NAT. It is preventing.

  FIG. 4 illustrates the various trust relationships required by the embodiments of the present invention. The end user 30 owns the client device 20 and implicitly trusts the client device 20. Similarly, the end user 30 trusts an application running on the server device 6 at a predetermined remote location. The client device 20 trusts the predetermined authorization portal 24, and the server device 6 also trusts the authorization portal 24.

  When the server device 6 wishes to communicate with the client device 20, the server device 6 first authenticates with the authorization portal 24 by transmitting the client device “activation request” to the authorization portal 24 (via the Internet backbone network 5). Must. Then, the authorization portal 24 transmits an asynchronous notification message to the client device 20. The notification message includes an encrypted digital signature and the like, so that the client device can authenticate the authorization portal 24 and / or the server device 6. The client device 20 can establish communication with the server device 6 via the Internet backbone network 5. The features of the invention are applicable to all aspects of the invention and can be used in conjunction.

  Throughout this specification and claims, the terms “comprising”, “including”, etc. mean “including but not limited to” other elements, integers, one or more, additions or steps. Is not excluded.

1 shows a conventional client-server configuration for dial-up Internet connection. 1 shows a conventional client-server configuration with a firewall implemented. 2 shows a client-server configuration according to an embodiment of the present invention. FIG. 4 illustrates a trust relationship between an end user, an embedded device, a server device, and an authorization portal according to an embodiment of the present invention.

Claims (26)

A method for initiating Internet communication between a client device and a server device comprising:
The client device and the server device are separated from each other by a firewall or NAT;
The server device generates a message transmitted to the client device by bypassing the firewall or the NAT router via a communication protocol other than the Internet;
The client device receives the message and starts the Internet or similar connection to the server device via the firewall or the NAT router. The server device first transmits the message to an authorization portal via the Internet or a similar communication network, and the authorization portal relays the message to the client device via a communication protocol other than the Internet. The communication start method according to claim 1, wherein 3. The authorization portal relays the message to the client device by adding at least one data selected from the group consisting of a client identifier, an authorization portal identifier, and a non-repeating value. The communication start method described in 1. The communication initiation method according to claim 1, wherein the authorization portal adds an electronic signature to the message and relays the message to the client device. 5. The communication protocol other than the Internet is selected from the group consisting of GSM SMS, ERMES, RDS, LW radio, other RF signals, and UDP communicated over VPN. The communication start method according to any one of claims. A client device that establishes an Internet connection with the server device after receiving a message transmitted from the server device:
Receiving the message via a communication protocol other than the Internet;
Separated from the server device by a firewall or NAT router;
A client device characterized by initiating an Internet or similar connection to the server device via the firewall or the NAT router. Receiving means for receiving a message from the authorization portal via a communication protocol other than the Internet;
The client device according to claim 6, wherein the message is first transmitted from the server device to the authorization portal via the Internet or a similar communication network. 8. The client device according to claim 6, further comprising a modem for establishing an internet connection with the server device after receiving the message. A server device that generates a message that is transmitted to a client device via a communication protocol other than the Internet:
Separated from the client device by a firewall or NAT router;
The server device, wherein after the message is received by the client device, the Internet or similar connection is started via the firewall or the NAT router. Send a message to the authorization portal via the Internet or similar communication network;
The server apparatus according to claim 9, wherein the message is relayed to the client apparatus by the authorization portal via a communication protocol other than the Internet. In a system comprising at least a client device and a server device:
The client device and the server device are separated from each other by a firewall or NAT;
The server device generates a message transmitted to the client device by bypassing the firewall or the NAT router via a communication protocol other than the Internet;
The client device receives the message and initiates the Internet or similar connection to the server device via the firewall or the NAT router. It further comprises an authorization portal that receives a message transmitted by the server device via the Internet or a similar communication network, and relays the message to the client device via a communication protocol other than the Internet. The system according to claim 11. When the message is relayed to the client device, the authorization portal adds at least one data selected from the group consisting of a client identifier, an authorization portal identifier, and a non-repeating value to the message. The system according to claim 12. The system according to claim 12 or 13, wherein the authorization portal adds an electronic signature to the message when the message is relayed to the client device. 15. The communication protocol other than the Internet is selected from the group consisting of GSM SMS, ERMES, RDS, LW radio, other RF signals, and UDP communicated over VPN. The system according to any one of the above. Receiving a signal from a predetermined server device and transferring a message to a predetermined client device via a communication protocol other than the Internet;
The client device and the server device are separated from each other by a firewall or NAT;
An authorization portal, wherein the client device receives the message and initiates an Internet or similar connection to the server device via the firewall or the NAT router. 17. The signal according to claim 16, wherein the signal is received from the server device via the Internet or a similar communication network, and the message is transmitted to the client device via a communication protocol other than the Internet. Authorization portal. 17. When transmitting the message to the client device, at least one data selected from the group consisting of a client identifier, an authorization portal identifier, and a non-repeating value is added to the message. Authorization portal according to 17. The authorization portal according to any one of claims 16 to 18, wherein an electronic signature is added to the message when the message is transmitted to the client device. 20. The communication protocol other than the Internet is selected from the group consisting of GSM SMS, ERMES, RDS, LW radio, other RF signals, and UDP communicated over VPN. The authorization portal according to any one of the items. 21. The authorization portal according to any one of claims 12 to 20, wherein a database mapping client identifiers and message transmission addresses is accessed using a communication protocol other than the Internet. A method for initiating Internet communication between a client device and a server device, which will be described below with reference to FIGS. A client device substantially as described below with reference to the attached FIGS. A server device substantially described below with reference to FIGS. 3 and 4 attached. A system comprising at least a client device and a server device, substantially as described below with reference to the accompanying FIGS. An authorization portal substantially as described below with reference to the attached FIGS.

Images