WO2010117310A1 - Attaching a sensor to a wsan - Google Patents

Attaching a sensor to a wsan Download PDF

Info

Publication number
WO2010117310A1
WO2010117310A1 PCT/SE2009/050361 SE2009050361W WO2010117310A1 WO 2010117310 A1 WO2010117310 A1 WO 2010117310A1 SE 2009050361 W SE2009050361 W SE 2009050361W WO 2010117310 A1 WO2010117310 A1 WO 2010117310A1
Authority
WO
WIPO (PCT)
Prior art keywords
wsan
sensor
gateway
additional sensor
manager
Prior art date
Application number
PCT/SE2009/050361
Other languages
French (fr)
Inventor
Vlasios Tsiatsis
Mattias Johansson
Original Assignee
Telefonaktiebolaget L M Ericsson (Publ)
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Telefonaktiebolaget L M Ericsson (Publ) filed Critical Telefonaktiebolaget L M Ericsson (Publ)
Priority to EP09843127.3A priority Critical patent/EP2417827A4/en
Priority to PCT/SE2009/050361 priority patent/WO2010117310A1/en
Priority to US13/260,826 priority patent/US9154476B2/en
Priority to CN200980158336.8A priority patent/CN102365901B/en
Publication of WO2010117310A1 publication Critical patent/WO2010117310A1/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/12Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06Authentication
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/50Secure pairing of devices
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/80Wireless
    • H04L2209/805Lightweight hardware, e.g. radio-frequency identification [RFID] or sensor
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W84/00Network topologies
    • H04W84/18Self-organising networks, e.g. ad-hoc networks or sensor networks
    • YGENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y04INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
    • Y04SSYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
    • Y04S40/00Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them
    • Y04S40/20Information technology specific aspects, e.g. CAD, simulation, modelling, system security

Definitions

  • the present invention relates to a method in a WSAN sensor, in a WSAN Gateway and in a WSAN Manager for attaching an additional sensor to a WSAN (a Wireless/Wired Sensor and Actuator Network) .
  • the invention also relates to a WSAN sensor, a WSAN Gateway and a WSAN Manager, each provided with an arrangement for attaching an additional sensor to a WSAN.
  • a Wireless/Wired Sensor and Actuator Network is a wireless/wired network of sensors and actuators, such as e.g. smoke detectors, water leak detectors, temperature sensors, humidity sensors, pressure sensors, vibration sensors, light sensors and light switches, to be deployed e.g. in a household or a car.
  • the services of the WSAN are available remotely via a WSAN Gateway connected to a WAN (Wide Area Network) , using a standardized communication protocol, e.g. the Ethernet or HTTP/SOAP, and another communication protocol, e.g. ZigBee, is used internally within the WSAN.
  • WAN Wide Area Network
  • FIG. 1 illustrates a typical WSAN system, in which a number of WSAN sensors or actuators are connected via wire or radio in a single star or mesh topology to one or more WSAN Gateways which are connected to a WAN (Wide Area Network) .
  • the figure shows two WSANs, 12a, 12b, each WSAN connected to a WAN 14 via a WSAN Gateway, 15a, 15b, and comprising five sensors or actuators.
  • the WSANs are available to the WAN users 11a, lib via the WSAN Gateways, and the WSANs are operated via a WSAN Manager 16 by a WSAN operator 13.
  • a WSAN Gateway acts as a mediator between the sensor nodes and the users/applications outside the domain of a WSAN.
  • the WSAN Gateway is also capable of offering more sophisticated services than a single sensor node can offer.
  • the WSAN Gateway may provide e.g. the average temperature of the house to an external application, as well as the reading of the separate temperature sensors in the rooms.
  • the WSAN Gateway requires suitable protocols and interfaces for requesting individual temperature readings from each sensor, and for presenting raw or aggregated data, such as the average temperature, in a format that is readable by the requesting application.
  • a WSAN Gateway requires a standardized data representation, as well as standardized interfaces with the various applications in a WAN. Additionally, the specific needs of business enablers have to be fulfilled in order to make commercial WSANs successful.
  • a WSAN Gateway using the Semantic Web Technology accesses individual sensors by using a standardized interface and maintains sensor data tagged with semantic metadata describing the meaning of the sensor data.
  • the WSAN Gateway uses a semantic web representation as an interface to the WSAN users and the WAN applications.
  • the combination of the real sensor data and the semantic metadata forms a sensor data Ontology and sensor data Instantiation.
  • FIG. 2 illustrates an Ontology 21, according to the conventional Semantic Web Technology, the illustrated Ontology 21 representing a sensor node having a temperature sensor providing temperature readings in the Celsius scale, as well as an Instantiation 22 of the Ontology 21.
  • Said Instantiation 22 comprises an identification of the real sensor, TempSensorl345, and well as a sensor measurement, 27.5, produced by the sensor, and the sensor identification and the sensor measurement are both linked to the Ontology 21, as illustrated by the arrows in figure 2.
  • the Instantiation 22 indicates the identity of a specific temperature sensor, as well as the output from the temperature sensor, while the Ontology 21 describes how the constants of the Instantiation 22 are connected.
  • the WSAN Gateway has to be able to interact with each individual sensor attached to the WSAN, and a new sensor, not previously connected to the WSAN Gateway, has to be authenticated after insertion in the WSAN.
  • the WSAN Gateway has to obtain the private identity, ID_S, of a new sensor, the service description, suitable drivers and gateway software, as well as the data representation of a new sensor to be able to interact with the sensor.
  • ID_S the private identity
  • the Ontology 21 and the Instantiation 22 illustrated in figure 2 show a data representation of an actual temperature sensor, but the actual mechanism of obtaining the identity of the sensor (TempSensorl345) and the sensor value (27.5) is not defined by the Ontology.
  • the object of the present invention is to address the problem outlined above, and this object and others are achieved by the method and the arrangement according to the appended independent claims, and by the embodiments according to the dependent claims.
  • the invention provides a method for attaching an additional sensor to a WSAN comprising at least one existing WSAN sensor, an existing WSAN sensor performing the following steps:
  • a beacon comprising an indication of the private identity of the additional sensor, when the additional sensor has been inserted in the WSAN.
  • the above step of determining if the additional sensor is eligible for attachment may further comprise a check that an activation time interval of the additional sensor has not expired, the activation time interval received and stored in connection with the indication of the private identity of the additional sensor.
  • the existing WSAN sensor may receive a listening request from the WSAN Gateway, the listening request indicating a listening status for the detection of a beacon from an additional sensor.
  • An additional sensor may perform the following steps, after insertion in the WSAN:
  • the authentication may comprise an establishment of key shared between the additional sensor and the WSAN Gateway, based on said authentication vector, wherein the authentication may be performed according to the AKA protocol.
  • a private identity, ID_S and a secret sensor key of a sensor may be pre-stored in a sensor database by the manufacturer, in connection with pointers to a software database.
  • the invention provides a method for attaching an additional sensor to a WSAN comprising at least one existing WSAN sensor, the additional sensor transmitting an indication of its private identity to the existing WSAN sensors after insertion in the WSAN.
  • a WSAN Gateway is performing the following steps:
  • the WSAN Gateway may transmit a listening request to the existing WSAN sensors, the listening request indicating a listening status for detecting a beacon from an additional sensor.
  • the WSAN Gateway may receive an activation time interval for an additional sensor from a WSAN manager and forward the activation time interval to the existing WSAN sensors, in connection with the transmission of the indication of the private identity of the additional sensor.
  • the WSAN Gateway may also transmit an authentication request comprising the private identity of the additional sensor to the WSAN Manager, after receiving the notification of the insertion of the additional eligible sensor in the WSAN.
  • the WSAN Gateway may receive a sensor description and sensor related software from the WSAN Manager, together with the authentication information, and perform the steps of:
  • the invention provides a method for attaching an additional sensor to a WSAN comprising at least one existing WSAN sensor.
  • a WSAN Manager is performing the following steps,
  • the WSAN Manager may determine an activation time interval for an additional sensor, and transmit the activation time interval to the WSAN Gateway, together with the indication of the private identity of the additional sensor.
  • the WSAN manager may set up a secure communication channel to the WSAN Gateway, after receiving the private identity of the additional sensor.
  • the WSAN Manager may also retrieve the sensor description and the sensor related software from a software database of the manufacturer, after receiving a request from the WSAN Gateway, and transmit the sensor description and the sensor related software to the WSAN Gateway, together with the authentication vector.
  • the invention provides a WSAN sensor adapted to communicate with a WSAN Gateway.
  • the WSAN sensor comprises an arrangement for attaching an additional sensor to a WSAN, the arrangement comprising: - Means for receiving and storing an indication of the private identity of a potential additional sensor from the WSAN Gateway.
  • Means for receiving a beacon comprising an indication of the private identity of an additional sensor, the beacon emitted by an additional sensor after insertion in the WSAN.
  • the WSAN sensor may further comprise an arrangement for attachment to a WSAN comprising at least one existing WSAN sensor, the arrangement comprising:
  • the invention provides a WSAN Gateway arranged to communicate with a WSAN Manager and WSAN sensors.
  • the WSAN Gateway comprises an arrangement for attaching an additional sensor to a WSAN comprising at least one existing WSAN sensor, the additional sensor transmitting an indication of its private identity to the existing WSAN sensors after insertion in the WSAN.
  • Said WSAN Gateway arrangement comprises:
  • Said authentication may comprise the establishment of a shared security key, KS, with the inserted additional sensor.
  • KS shared security key
  • the invention provides a WSAN Manager for managing a WSAN, and arranged to communicate with a WSAN Gateway.
  • the WSAN Manager comprises an arrangement for attaching an additional sensor to a WSAN comprising at least one existing WSAN sensor, and the arrangement comprises:
  • the arrangement may further be adapted to pre-store the identity of a WSAN Gateway associated with a user subscription.
  • An advantage with embodiments of the present invention is that they accomplish an automatic and network-assisted attachment of an addition sensor in a WSAN, involving authentication and establishment of a secure communication between the sensor and the WSAN Gateway. Another advantage is that an attached additional sensor can be used almost instantly, by means of an automatic updating of the WSAN service description and software in the WSAN Gateway based on the new sensor, as well as based on the composition of the whole WSAN.
  • FIG. 1 illustrates schematically the architecture of an exemplary WSAN-system
  • FIG. 3 illustrates schematically a WAN, a WSAN Gateway and a WSAN comprising one sensor
  • - Figure 4 is a signalling diagram illustrating the addition of a new sensor in a WSAN
  • - Figure 5 is a flow diagram illustrating the steps performed by a WSAN Gateway when a new sensor is attached to a WSAN;
  • FIG. 6a is a flow diagram illustrating the steps performed by a new sensor when it is attached to a WSAN
  • figure 6b is a flow diagram illustrating the steps performed by an existing sensor when a new sensor is attached to the WSAN;
  • FIG. 7 is a flow diagram illustrating the steps performed by a WSAN Manager when a new sensor is attached to a WSAN;
  • FIG. 8 illustrates schematically a WSAN Manager, a WSAN Gateway and a WSAN sensor, according to an exemplary embodiment of this invention
  • - Figure 9 illustrates the grafting of the description of a new sensor
  • - Figure 10 is a block diagram illustrating the storing of the new sensor node description
  • FIG. 11 is a signalling diagram illustrating the attachment of a new sensor to a WSAN.
  • the described functions may be implemented using software functioning in conjunction with a programmed microprocessor or a general purpose computer, and/or using an application-specific integrated circuit.
  • the invention may also be embodied in a computer program product, as well as in a system comprising a computer processor and a memory, wherein the memory is encoded with one or more programs that may perform the described functions.
  • sensor is hereinafter referring to a sensor or an actuator.
  • a user purchases the sensor from a manufacturer, with the purpose of installing the new sensor in his/her WSAN that is managed by a WSAN Operator via a WSAN Manager.
  • the user registers the new sensor with the WSAN Manager, in which the identities of the WSAN Gateways, ID_G, linked to the user, have been previously stored.
  • ID SO the open identifier
  • the WSAN Gateway maintains a description of the hardware, software, and services of the WSAN sensors, e.g. as an Ontology.
  • the WSAN Manager 16 retrieves the private identity, IS_S, and a secret sensor key of a new sensor from the sensor database, after having registered a user of a new sensor, and transmits an indication of the private identity to the WSAN Gateway 15.
  • the WSAN Gateway forwards the indication of the private identity of a potential and eligible new sensor to all the existing sensors in the WSAN 12.
  • the new sensor starts to emit a beacon with an indication of its private identity to the existing sensors in the WSAN, within reach for radio contact with the new sensor, and the beacon may also include identification data derived from the private identity.
  • the existing sensors are expecting to receive a beacon from a new sensor, and according to the preferred embodiment, an existing sensor that receives a beacon will check the eligibility of the new sensor, and forward a notification to the WSAN Gateway when a new eligible sensor is actually inserted in the WSAN.
  • the eligibility check comprises a comparison between an indication of a private identity received in a beacon from a new sensor inserted in the WSAN, and a stored indication, previously received from the WSAN Gateway, of a private identity of a new eligible sensor.
  • the WSAN Gateway Upon reception of a notification from an existing sensor of the insertion of an eligible new sensor in the WSAN, the WSAN Gateway will send an authentication request to the WSAN Manager, and the WSAN Manager will compute an authentication vector, based on the secret sensor key associated with the new sensor, and transmit the vector to the WSAN Gateway for the authentication of the new sensor.
  • the eligibility check of the new sensor is performed by the WSAN Gateway, and an existing sensor that receives a beacon from a new sensor will forward a notification comprising sensor identification information to the WSAN Gateway.
  • the eligibility check is performed by an existing sensor, in order to avoid unnecessary transmission of information to the WSAN Gateway, and save sensor battery capacity.
  • the WSAN Gateway transmits a listening request to the existing sensors, in connection with the transmission of the indication of the private identity, and the listening request activates a certain listening status in the existing sensor for the detection of a beacon from a new sensor.
  • the listening status indicates a continuous listening until a beacon from a new sensor is detected, or listening during certain pre-determined clock intervals, which can save sensor battery capacity.
  • an advantage with the present invention is that if an existing sensor picks up a beacon from a node, without having stored any previous indication of its private identity, a new malicious/non-authenticated node may have been detected, and the user may be alerted through the WSAN Gateway.
  • the eligibility check of an additional sensor further comprises a check that a predetermined activation time interval of the sensor has not expired. This embodiment involves a WSAN Manager determining a relevant activation time interval at the registration of the new sensor, and forwarding the activation time interval to the WSAN Gateway, together with an indication of the private identity of the new sensor.
  • the WSAN Gateway forwards the activation time interval to the existing sensors, together with the indication of the private identity of a potential additional sensor in the WSAN.
  • the existing sensor receives a beacon comprising an indication of the private identity of the additional sensor, the existing sensor is able to include a check that the activation time interval has not expired in the determination of the eligibility of the new additional sensor.
  • the activation time interval is stored in the WSAN Gateway.
  • the eligibility check may comprise a control of other policies, e.g. regarding the geographic location of the sensor within the WSAN.
  • This invention involves the authorization of a new sensor to join an existing WSAN comprising at least one sensor, as well as the initial key management associated with the new sensor.
  • the invention also involves an updating of the service descriptions maintained in the WSAN Gateway of the WSAN, as well as of the software in the WSAN Gateway for using the new sensor
  • a secure connection is established with the WSAN Gateway in order to enable encryption and authentication of the data traffic between the sensor and the WSAN Gateway.
  • the WSAN manager pushes the description of the new sensor, e.g. its capabilities and services, such as driver and service software, down to be installed in the WSAN Gateway.
  • Each sensor is identified and authenticated with a private identity of the sensor, ID_S, and with a secret sensor key, which are initially stored in a sensor database, SDB, by the manufacturer, together with an open identifier, ID_SO, which may e.g. be printed on the sensor.
  • the sensor manufacturer installs ID_S, ID_SO and the secret sensor key in a new sensor, and stores this information in a sensor database,
  • the identity of a particular WSAN Gateway linked to the user is stored in the WSAN Manager, together with the identity of new sensor, to enable the establishment of a secure connection.
  • the WSAN Manager node may be an application server of a third party, and the WSAN Gateway will use a suitable protocol, e.g. the GBA (the Generic Boostrap Architecture) to bootstrap and enroll to the application server of the third party.
  • GBA the Generic Boostrap Architecture
  • FIG. 3 illustrates schematically a WAN (Wide Area Network) 14, including a WSAN Manager 16, a sensor database 35 and a software database 34 of the manufacturer.
  • This figure also illustrates a WSAN 12, including one existing sensor 33, as well as the WSAN Gateway 15 connecting the WSAN to the applications of the WAN.
  • the WSAN Manager When a user has registered a new sensor with the WSAN Manager 16, for attachment to the WSAN 12, the WSAN Manager will retrieve the private identity, IS_S, and a secret sensor key of the new sensor from the sensor database 35, using the open identifier, ID_SO, of the sensor.
  • the WSAN Manager will also retrieve contact information pointers, e.g. URL, to the software database 34 from the sensor database 35.
  • the sensor database 35 may erase the private identity and the secret sensor key of the new sensor.
  • the contact information pointers to the software database 34 of the sensor manufacturer is used by the WSAN Manager 16 to retrieve the sensor description, such as capabilities and services, as well as the sensor software, such as drivers and service software, from the software database for instalment in the WSAN Gateway 15.
  • the new sensor and the WSAN Gateway 15 may use e.g. the AKA-protocol (Authentication and Key Agreement) to perform the mutual authentication and the key establishment.
  • AKA-protocol Authentication and Key Agreement
  • the WSAN Manager 16 When the WSAN Manager 16 has retrieved the private identity of a new sensor from the sensor database 35, it sets up a secure channel to the WSAN Gateway 15 of the user and transmits the private identity, and the WSAN Gateway will transmit it further to each existing sensor 33 in the WSAN 12.
  • the new sensor When the new sensor is inserted in its final environment in the WSAN 12 and switched on, it immediately starts to search for a WSAN by emitting beacons containing an indication of its private identity, such as e.g. the private sensor identity ID_S, or the tuple (r, f(r, ID_S) ) where r is a random number and f a cryptographically strong one-way function.
  • the receiving existing sensor When a beacon is picked up by an existing sensor 33 in the WSAN, the receiving existing sensor will check that it comes from an eligible new sensor, by comparing the indication of the private identity included in the beacon with the private identity previously received from the WSAN Gateway. If the beacon includes said tuple, the existing sensor 33 is configured to calculate the function f(r, IS_S) in order to verify that the new sensor is eligible. Upon verification of the eligibility of the new sensor, the WSAN Gateway will be notified by an existing sensor 33 of the insertion of the new sensor, and the WSAN Gateway will check that it no beacon has been received previously from that particular sensor.
  • the WSAN Gateway sets up a secure connection to the WSAN Manager and transmits an authentication request to the WSAN Manager containing an indication of the private identity of the new sensor, the indication being e.g. the private identity, ID_S, or the tuple described above.
  • the WSAN Manager When the WSAN Manager receives the authentication request concerning a particular sensor from the WSAN Gateway, the WSAN Manager will check that the private identity, ID_S, of the sensor is linked with the identity of the requesting WSAN Gateway, ID_G, and if so, the WSAN Manager computes an authentication vector.
  • the WSAN Manager uses a sequence number NR, the secret sensor key plus an additional nonce NONCE generated by the WSAN Manager itself to compute the authentication vector.
  • the authentication vector contains a key, KS, an expected response, XRES, and an authentication token, AUTN, which are returned to the WSAN Gateway, together with NONCE.
  • the WSAN Gateway now forwards the NONCE and the AUTN to the new sensor, which uses the NONCE together with its secret sensor key to verify that the AUTN comes from a trusted source and that the message is freshly generated.
  • the communication of the authentication token may use a path over the existing sensor 33 that transmitted the notification of the new sensor to the WSAN Gateway. Possibly, said path may use several existing sensors in order to establish a point-to-point connection between the new sensor and the WSAN Gateway.
  • the new sensor also computes the key, KS, and a response, RES, and RES is then transmitted to the WSAN Gateway to be compared with XRES received previously from the WSAN Manager. If they match, the WSAN gateway proceeds with establishing local keys in the WSAN.
  • the above-described exemplary authentication procedure could e.g. be based on the MILENAGE algorithm.
  • the local keys in the WSAN are often based on different group keys, and specific applications or geographically close sensors could also have different keys. However, these keys are all bootstrapped from the key, KS, shared between the WSAN gateway and the sensor, as described above.
  • Figure 4 is a signalling diagram illustrating the above- described exemplary authentication procedure between a new sensor 39 and the WSAN Gateway 15, after the insertion of the new sensor 39 in the WSAN, the attachment and authentication assisted by at least one existing sensor 33 in the WSAN, the WSAN Manager 16 and the software database 34.
  • step S410 in figure 4 when the new sensor 39 has been switched on after insertion in the WSAN, the new sensor transmits a beacon indicating its private identity, ID_S, e.g. the tuple (r, f(r, ID_S) to the existing sensor/s/ 33 in the WSAN.
  • ID_S the private identity
  • the receiving existing sensor compares the received private identity with the stored private identity of an eligible new sensor previously received from the WSAN Gateway, or alternatively, calculates the function f(r, ID_S) . If there is a match, said receiving existing sensor 33 transmits the private identity of the new sensor, in step S412, in a notification message to the WSAN Gateway.
  • step S413 a secure connection is established between the WSAN Gateway 15 and the WSAN Manager 16, and the WSAN Gateway sends an authentication request to the WSAN Manager in step S414, the request forwarding the private identity, ID_S, of the new sensor.
  • step S415 the WSAN Manager computes the authentication vector, and retrieves the sensor node description and sensor node software from the software database of the sensor node manufacturer, in step S416.
  • step S417 the WSAN Manager transmit KS, XRES, AUTN, NONCE to the WSAN Gateway, and may also push the sensor node description and sensor node software to the WSAN Gateway, as well.
  • step S4108 the WSAN Gateway transmit AUTN, NONCE to the new sensor 39, and the new sensor verifies AUTN and compute KS and RES, in step S419, and transmits RES to the WSAN Gateway, in step S420.
  • step S422 the attachment of the new sensor is continued, using KS as a security bootstrapper, and in step S423, the WSAN Gateway installs the new sensor description and sensor node software in order to handle the new sensor.
  • FIGS. 5 - 7 are flow diagrams illustrating the steps performed by a WSAN Gateway 15, by an additional sensor 39, by an existing sensor 33, and by a WSAN Manager 16, during the attachment of an additional sensor 39 to a WSAN, according to a first exemplary embodiment of this invention.
  • the WSAN Gateway receives an indication of the private identity of a potential additional sensor that eventually will be attached to the WSAN from the WSAN Manager, in step 51.
  • the WSAN Gateway forwards an indication of the private identity of the additional sensor to the existing sensors in the WSAN.
  • the additional sensor When the additional sensor has been inserted in the WSAN, it will emit a beacon comprising an indication of its private identity, e.g. a tuple, and this beacon will be received by at least one of the existing sensors.
  • the receiving existing sensor will check the eligibility by comparing the received private identity with the private identity previously received from the WSAN Gateway in step 52, and if the private identities match, the existing sensor will send a notification of the insertion of the additional sensor to the WSAN Gateway.
  • the existing sensor If a tuple is received, the existing sensor must calculate the tuple and compare it with the one transmitted by the additional sensor. If these two match, the existing sensor will send a notification of the insertion of the additional sensor to the WSAN Gateway.
  • the WSAN Gateway receives the notification, in step 53, it performs an authentication procedure, in step 54, based on an authentication vector received from the WSAN Manager.
  • step 61 when an additional sensor 39 has been inserted in the WSAN, in step 61, the additional sensor emits a beacon, in step 62, comprising an indication of its private identity.
  • This beacon will be received by an existing sensor, which will forward the notification to the WSAN Gateway, if the indication of a private identity received in the beacon matches a stored indication of a private identity previously received from the WSAN Gateway.
  • the WSAN Gateway receives the notification, it performs an authentication procedure with the additional sensor, in step 63, based on an authentication vector from the WSAN Manager.
  • FIG. 6b is a flow diagram illustrating the steps performed by an existing sensor in the WSAN when an additional sensor is attached to the WSAN.
  • the existing sensor receives and stores an indication of the private identity, e.g. the tuple, of a potential additional sensor from the WSAN Manager, via the WSAN Gateway.
  • the existing sensor will receive a beacon from the additional sensor, in step 66, the beacon comprising an indication of private identity of the additional sensor.
  • the existing sensor will determine if the additional sensor is eligible to be attached to the WSAN, by comparing the received private identity with the private identity previously received from the WSAN Gateway, (or the tuples), in step 64, and if the private identities, or the tuples, are equal, the existing sensor will send a notification of the insertion of an eligible additional sensor to the WSAN Gateway, the notification comprising an indication of the private identity of the sensor, in step 68.
  • the WSAN Manager registers a new sensor of a user, in step 71, to be attached to the WSAN.
  • the WSAN Manager retrieves the private identity of the additional sensor, as well as the secret sensor key, from the sensor database, and in step 73, the WSAN Manager forwards the private identity of the additional sensor to the appropriate WSAN
  • FIG. 8 illustrates schematically a WSAN Manager 16, a WSAN Gateway 15 and a WSAN sensor 33, 39, according to exemplary embodiments of the invention, the WSAN Manager and the sensor arranged to communicate with the WSAN Gateway.
  • the WSAN Manager 16 is provided with an arrangement 810 for attaching an additional sensor to a WSAN comprising at least one existing sensor.
  • the arrangement 810 comprises means 811 for retrieving the private identity and the secret sensor key of said additional sensor from a sensor database, after registering a user of the sensor, and forwarding the private identity to the WSAN Gateway.
  • the arrangement also comprises means 812 for computing an authentication vector for authentication of the additional sensor, based on the secret sensor key, after receiving an authentication request from the WSAN Gateway, and forwarding the authentication vector to the WSAN gateway.
  • the arrangement is further provided with means (not illustrated in the figure) for storing the user identity, together with the identity of the WSAN Gateway, and the private identity of the new sensor.
  • FIG 8 may be implemented by physical or logical entities using software functioning in conjunction with a programmed microprocessor or general purpose computer, and/or using an application specific integrated circuit (ASIC) .
  • ASIC application specific integrated circuit
  • the WSAN Gateway 15 is provided with an arrangement 820 for attaching an additional sensor to a WSAN comprising at least one existing sensor, the additional sensor transmitting an indication of its private identity to the existing sensors after insertion in the WSAN.
  • the arrangement comprises means 821 for receiving the private identity of the additional sensor from the WSAN Manager, and forwarding an indication of the private identity to the existing sensors in the WSAN, means 822 for receiving a notification from an existing sensor of the insertion of an eligible additional sensor in the WSAN, and means 823 for authentication of the inserted additional sensor, based on an authentication vector received from the WSAN Manager.
  • the arrangement is further provided with means (not illustrated in the figure) for storing the software of the new sensor.
  • the WSAN sensor 33, 39 is provided with an arrangement 840 for attaching an additional sensor to a WSAN.
  • the arrangement 840 comprises means 841 for receiving and storing an indication of the private identity of a potential additional sensor from the WSAN Gateway, means 842 for receiving a beacon comprising an indication of the private identity of an additional sensor, the beacon emitted by the additional sensor when it is inserted in the WSAN, means 843 for determining the eligibility of the additional sensor by comparing the private identity received in a beacon with a stored private identity previously received from the WSAN Gateway, and means 844 for sending a notification of the insertion of the new eligible sensor to the WSAN Gateway, if the private identities are equal.
  • the WSAN sensor 33, 39 is further provided with an arrangement 830 for attaching to a WSAN comprising at least one existing sensor, the arrangement 830 comprising means 831 for emitting a beacon including an indication of its private identity after insertion into the WSAN, to be received by the existing sensors within radio contact, and means 832 for performing an authentication with the WSAN Gateway, based on an authentication vector from the WSAN Manager and transmitted to the new sensor by the WSAN Gateway.
  • the WSAN sensor 33, 39 is further provided with means (not illustrated in the figure) for storing sensor data installed by the manufacturer, such as its private identity, ID_S, open identifier, IS_S, and secret sensor key.
  • a WSAN sensor is described by an Ontology, according to the Semantic Web Technology, and figure 9 illustrates the "grafting" of an Ontology of a new temperature sensor 92 on a previous WSAN Sensor Ontology 96, only including a humidity sensor 91.
  • a new sensor node includes new hardware and offers new sensor data and services that are not described in the WSAN Ontology of the WSAN Gateway.
  • the WSAN Gateway will receive the sensor node description, as well as drivers and service software associated with the new sensor node from the WSAN Manager, when a new sensor is attached to a WSAN and authenticated.
  • the WSAN Gateway "grafts" the Ontology 95 of a new temperature sensor 92 to the WSAN sensor Ontology 96, the Ontology 95 describing the hardware, software and services of the new temperature sensor, thereby updating the sensor node description.
  • the WSAN Gateway will also ask the WSAN Manager if there exist any software regarding the WSAN as a whole, and not only for the new sensor. If so, the WSAN Gateway will download and store this software, as well. If the WSAN Gateway specifies important details, such as the hardware, the operating system and the software, the WSAN Manager will return the appropriate software to the WSAN Gateway, and the WSAN Gateway will store the software into a software repository.
  • the WSAN Manager can also mediate the grafting between the two descriptions by the WSAN Gateway sending both the existing Ontology and the new sensor Ontology to the WSAN Manager, which can contact a 3 rd party Ontology composition service to assist the grafting.
  • FIG. 10 illustrates a WSAN Gateway 15, a WSAN Ontology database 101 for storing the sensor node descriptions, and a software database repository 102 for storing the drivers and service software associated with the sensors.
  • a description of a new sensor node includes an identification, i.e. SW16894, of the new software drivers and services, and the WSAN gateway 15 stores the binary code of these software components in the repository 102, and the identification and the location of the software in a lookup table 103.
  • the WSAN Gateway also stores in the software database repository the services that are not associated with a specific sensor, but to a group of sensors in the WSAN. The insertion of an additional sensor will normally result in the downloading of software services associated with the new sensor and a few existing sensors.
  • FIG 11 is a signalling diagram illustrating the handling of the software for an additional sensor attached to a WSAN, involving the above-described WSAN Ontology database 101, the SWDB Repository 102, and the lookup table 103.
  • the sensor is authenticated and a secure communication is established between the additional sensor 39 and the WSAN Gateway 15.
  • the WSAN Gateway updates the WSAN
  • the sensor node description and the software has been previously obtained by the WSAN Manager from the software database of the sensor manufacturer, and pushed down to the WSAN Gateway. Since the WSAN Manager knows the composition of the WSAN after the insertion of the additional sensor, it can contact a 3 rd party sensor software service 104, in step S113, which is able to retrieve software services and sell to the WSAN Manager, if it is provided with a description of the WSAN. Thereafter, the WSAN Manager can push these aggregate software services to the WSAN Gateway, as well.
  • the WSAN Gateway When the WSAN Gateway receives a request for sensor data, the appropriate sensor node and software identification, e.g. SW 16894, is retrieved by the WSAN Gateway from the WSAN Ontology in the WSAN Ontology database 101, the appropriate location, e.g. swdb: //16894.code, is retrieved by the WSAN Gateway from the look-up table 103, and the binary code is retrieved from the SWDB Repository 102, in step S114. Thereafter, in step S115, the WSAN Gateway uses the binary code to request the data from the sensor node, and the sensor responds with the appropriate data.
  • the appropriate sensor node and software identification e.g. SW 16894
  • this invention offers an automatic attachment of an addition sensor in a WSAN, involving authentication and establishment of a secure communication between the sensor and the WSAN Gateway.
  • the new sensor could be used almost instantly, by means of an automatic updating of the WSAN service description and software in the WSAN Gateway based on the new sensor, as well as based on the composition of the whole WSAN, according to a further embodiment of this invention. Since this invention enables an automatic and network-assisted attachment of sensors to WSANs, involving different roles, such as the manufacturer of the sensor, the owner of the sensor node, and the WSAN Manager, the mapping of these roles onto different legal entities can be very flexible.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Medical Informatics (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Arrangements For Transmission Of Measured Signals (AREA)

Abstract

Methods and arrangements in a WSAN Gateway (15), a WSAN Manager (16) and a WSAN sensor for attaching an additional sensor (39) to a WSAN (12) comprising at least one existing WSAN sensor (33). The additional sensor emits an indication of its private identity after insertion in the WSAN, and the indication is received by the existing sensors in the WSAN and forwarded to the WSAN Gateway, after an eligibility check. Thereafter, the WSAN Gateway sends an authentication request to the WSAN Manager, which computes an authentication vector and transmits to the WSAN Gateway for the authentication of the new sensor.

Description

ATTACHING A SENSOR TO A WSAN
TECHNICAL FIELD
The present invention relates to a method in a WSAN sensor, in a WSAN Gateway and in a WSAN Manager for attaching an additional sensor to a WSAN (a Wireless/Wired Sensor and Actuator Network) . The invention also relates to a WSAN sensor, a WSAN Gateway and a WSAN Manager, each provided with an arrangement for attaching an additional sensor to a WSAN.
BACKGROUND
A Wireless/Wired Sensor and Actuator Network (WSAN) , is a wireless/wired network of sensors and actuators, such as e.g. smoke detectors, water leak detectors, temperature sensors, humidity sensors, pressure sensors, vibration sensors, light sensors and light switches, to be deployed e.g. in a household or a car. The services of the WSAN are available remotely via a WSAN Gateway connected to a WAN (Wide Area Network) , using a standardized communication protocol, e.g. the Ethernet or HTTP/SOAP, and another communication protocol, e.g. ZigBee, is used internally within the WSAN.
Figure 1 illustrates a typical WSAN system, in which a number of WSAN sensors or actuators are connected via wire or radio in a single star or mesh topology to one or more WSAN Gateways which are connected to a WAN (Wide Area Network) . The figure shows two WSANs, 12a, 12b, each WSAN connected to a WAN 14 via a WSAN Gateway, 15a, 15b, and comprising five sensors or actuators. The WSANs are available to the WAN users 11a, lib via the WSAN Gateways, and the WSANs are operated via a WSAN Manager 16 by a WSAN operator 13.
Since a typical sensor is a simple embedded device that cannot be connected directly to a user or to an application in the WAN for security reasons/ a WSAN Gateway acts as a mediator between the sensor nodes and the users/applications outside the domain of a WSAN. The WSAN Gateway is also capable of offering more sophisticated services than a single sensor node can offer. In a WSAN deployed in a house with several rooms, each room provided with a separate temperature sensor of the WSAN, the WSAN Gateway may provide e.g. the average temperature of the house to an external application, as well as the reading of the separate temperature sensors in the rooms. In order to provide this service, the WSAN Gateway requires suitable protocols and interfaces for requesting individual temperature readings from each sensor, and for presenting raw or aggregated data, such as the average temperature, in a format that is readable by the requesting application.
Thus, a WSAN Gateway requires a standardized data representation, as well as standardized interfaces with the various applications in a WAN. Additionally, the specific needs of business enablers have to be fulfilled in order to make commercial WSANs successful. The conventional Semantic Web
Technology provides a standardized data representation, as well as a part of a standardized interface, and a WSAN Gateway using the Semantic Web Technology accesses individual sensors by using a standardized interface and maintains sensor data tagged with semantic metadata describing the meaning of the sensor data.
Further, the WSAN Gateway uses a semantic web representation as an interface to the WSAN users and the WAN applications. The combination of the real sensor data and the semantic metadata forms a sensor data Ontology and sensor data Instantiation.
Figure 2 illustrates an Ontology 21, according to the conventional Semantic Web Technology, the illustrated Ontology 21 representing a sensor node having a temperature sensor providing temperature readings in the Celsius scale, as well as an Instantiation 22 of the Ontology 21. Said Instantiation 22 comprises an identification of the real sensor, TempSensorl345, and well as a sensor measurement, 27.5, produced by the sensor, and the sensor identification and the sensor measurement are both linked to the Ontology 21, as illustrated by the arrows in figure 2. Thus, the Instantiation 22 indicates the identity of a specific temperature sensor, as well as the output from the temperature sensor, while the Ontology 21 describes how the constants of the Instantiation 22 are connected.
The WSAN Gateway has to be able to interact with each individual sensor attached to the WSAN, and a new sensor, not previously connected to the WSAN Gateway, has to be authenticated after insertion in the WSAN. The WSAN Gateway has to obtain the private identity, ID_S, of a new sensor, the service description, suitable drivers and gateway software, as well as the data representation of a new sensor to be able to interact with the sensor. The Ontology 21 and the Instantiation 22 illustrated in figure 2 show a data representation of an actual temperature sensor, but the actual mechanism of obtaining the identity of the sensor (TempSensorl345) and the sensor value (27.5) is not defined by the Ontology.
Currently, no automatic and secure method is available for attaching a new sensor to a WSAN and enabling updating of a WSAN Gateway with the service description, the software and the drivers for the new sensor, since a conventional commercial sensor has no software, or is a part of a closed WSAN system, to which no sensors should be added. Instead, sensor software and hardcoded descriptions of the data and the services offered by the sensor have to be developed specifically for the WSAN Gateway when a new sensor is added to a WSAN. SUMMARY
The object of the present invention is to address the problem outlined above, and this object and others are achieved by the method and the arrangement according to the appended independent claims, and by the embodiments according to the dependent claims.
According to a first aspect, the invention provides a method for attaching an additional sensor to a WSAN comprising at least one existing WSAN sensor, an existing WSAN sensor performing the following steps:
- Receiving and storing an indication of the private identity of a potential additional sensor from a WSAN Gateway.
- Receiving, from an additional sensor, a beacon comprising an indication of the private identity of the additional sensor, when the additional sensor has been inserted in the WSAN.
- Determining if the additional sensor is eligible for attachment to the WSAN by comparing the indication of the private identity received in the beacon with a previously stored indication of the private identity of a potential additional sensor, and
- sending a notification of the insertion of an eligible additional sensor to the WSAN Gateway, the notification comprising an indication of the private identity of the inserted eligible additional sensor.
The above step of determining if the additional sensor is eligible for attachment may further comprise a check that an activation time interval of the additional sensor has not expired, the activation time interval received and stored in connection with the indication of the private identity of the additional sensor. The existing WSAN sensor may receive a listening request from the WSAN Gateway, the listening request indicating a listening status for the detection of a beacon from an additional sensor.
An additional sensor may perform the following steps, after insertion in the WSAN:
- Transmitting an indication of its private identity in a beacon to the existing WSAN sensors.
- Performing authentication with the WSAN Gateway, based on an authentication vector computed by the WSAN Manager.
The authentication may comprise an establishment of key shared between the additional sensor and the WSAN Gateway, based on said authentication vector, wherein the authentication may be performed according to the AKA protocol.
Further, a private identity, ID_S and a secret sensor key of a sensor may be pre-stored in a sensor database by the manufacturer, in connection with pointers to a software database.
According to a second aspect, the invention provides a method for attaching an additional sensor to a WSAN comprising at least one existing WSAN sensor, the additional sensor transmitting an indication of its private identity to the existing WSAN sensors after insertion in the WSAN. According to the method, a WSAN Gateway is performing the following steps:
- Receiving an indication of the private identity of an additional sensor from a WSAN Manager. - Transmitting said received indication of the private identity of an additional sensor to the existing WSAN sensors.
- Receiving a notification from an existing WSAN sensor of the insertion of an eligible additional sensor in the WSAN, the notification comprising an indication of the private identity of the inserted eligible additional sensor.
- Performing authentication of the inserted additional eligible sensor, based on authentication information received from the WSAN Manager.
The WSAN Gateway may transmit a listening request to the existing WSAN sensors, the listening request indicating a listening status for detecting a beacon from an additional sensor.
Further, the WSAN Gateway may receive an activation time interval for an additional sensor from a WSAN manager and forward the activation time interval to the existing WSAN sensors, in connection with the transmission of the indication of the private identity of the additional sensor.
The WSAN Gateway may also transmit an authentication request comprising the private identity of the additional sensor to the WSAN Manager, after receiving the notification of the insertion of the additional eligible sensor in the WSAN.
The WSAN Gateway may receive a sensor description and sensor related software from the WSAN Manager, together with the authentication information, and perform the steps of:
- Updating a WSAN ontology based on the received sensor description, if the sensor node description comprises a WSAN sensor ontology.
- Storing the sensor related software in a local software database repository.
According to a third aspect, the invention provides a method for attaching an additional sensor to a WSAN comprising at least one existing WSAN sensor. According to the method, a WSAN Manager is performing the following steps,
- Registering the additional sensor.
- Retrieving the private identity and the secret sensor key of the additional sensor from a sensor database.
- Transmitting an indication of the private identity of the additional sensor to a WSAN Gateway.
- Computing an authentication vector for authentication of the additional sensor, based on the secret sensor key, after receiving an authentication request, comprising the private identity of the additional sensor, from the WSAN Gateway.
- Transmitting the authentication vector to the WSAN Gateway.
The WSAN Manager may determine an activation time interval for an additional sensor, and transmit the activation time interval to the WSAN Gateway, together with the indication of the private identity of the additional sensor.
Further, the WSAN manager may set up a secure communication channel to the WSAN Gateway, after receiving the private identity of the additional sensor.
The WSAN Manager may also retrieve the sensor description and the sensor related software from a software database of the manufacturer, after receiving a request from the WSAN Gateway, and transmit the sensor description and the sensor related software to the WSAN Gateway, together with the authentication vector.
According to a fourth aspect, the invention provides a WSAN sensor adapted to communicate with a WSAN Gateway. The WSAN sensor comprises an arrangement for attaching an additional sensor to a WSAN, the arrangement comprising: - Means for receiving and storing an indication of the private identity of a potential additional sensor from the WSAN Gateway.
- Means for receiving a beacon comprising an indication of the private identity of an additional sensor, the beacon emitted by an additional sensor after insertion in the WSAN.
- Means for determining if the additional sensor is eligible for attachment to the WSAN, by comparing the indication of the private identity received in the beacon with a stored indication, and - means for sending a notification of the insertion of an eligible additional sensor to the WSAN Gateway, the notification comprising an indication of the private identity of the eligible additional sensor.
The WSAN sensor may further comprise an arrangement for attachment to a WSAN comprising at least one existing WSAN sensor, the arrangement comprising:
- Means for transmitting an indication of the private identity in a beacon to the existing WSAN sensors, after insertion into the WSAN, and
- means for performing an authentication with the WSAN Gateway, based on an authentication vector from the WSAN Manager.
According to a fifth aspect, the invention provides a WSAN Gateway arranged to communicate with a WSAN Manager and WSAN sensors. The WSAN Gateway comprises an arrangement for attaching an additional sensor to a WSAN comprising at least one existing WSAN sensor, the additional sensor transmitting an indication of its private identity to the existing WSAN sensors after insertion in the WSAN. Said WSAN Gateway arrangement comprises:
- Means for receiving an indication of the private identity of the additional sensor from the WSAN Manager, and forwarding the indication to the existing WSAN sensors. - Means for receiving a notification from an existing WSAN sensor of the insertion of an eligible additional sensor in the WSAN, and
- means for authentication of the inserted additional sensor, based on an authentication vector received from the WSAN
Manager.
Said authentication may comprise the establishment of a shared security key, KS, with the inserted additional sensor.
According to a sixth aspect, the invention provides a WSAN Manager for managing a WSAN, and arranged to communicate with a WSAN Gateway. The WSAN Manager comprises an arrangement for attaching an additional sensor to a WSAN comprising at least one existing WSAN sensor, and the arrangement comprises:
- Means for retrieving the private identity and the secret sensor key of the additional sensor from a sensor database, after registering the additional sensor, and forwarding an indication of the private identity of the additional sensor to a WSAN Gateway, and
- means for computing an authentication vector for authentication of the additional sensor, based on the secret sensor key, after receiving an authentication request from the WSAN Gateway, and forwarding the authentication vector to the WSAN gateway.
The arrangement may further be adapted to pre-store the identity of a WSAN Gateway associated with a user subscription.
An advantage with embodiments of the present invention is that they accomplish an automatic and network-assisted attachment of an addition sensor in a WSAN, involving authentication and establishment of a secure communication between the sensor and the WSAN Gateway. Another advantage is that an attached additional sensor can be used almost instantly, by means of an automatic updating of the WSAN service description and software in the WSAN Gateway based on the new sensor, as well as based on the composition of the whole WSAN.
BRIEF DESCRIPTION OF THE DRAWINGS
The present invention will now be described in more detail, and with reference to the accompanying drawings, in which:
- Figure 1 illustrates schematically the architecture of an exemplary WSAN-system;
- Figure 2 illustrates an exemplary ontology and instantiations;
- Figure 3 illustrates schematically a WAN, a WSAN Gateway and a WSAN comprising one sensor;
- Figure 4 is a signalling diagram illustrating the addition of a new sensor in a WSAN; - Figure 5 is a flow diagram illustrating the steps performed by a WSAN Gateway when a new sensor is attached to a WSAN;
- Figure 6a is a flow diagram illustrating the steps performed by a new sensor when it is attached to a WSAN, and figure 6b is a flow diagram illustrating the steps performed by an existing sensor when a new sensor is attached to the WSAN;
- Figure 7 is a flow diagram illustrating the steps performed by a WSAN Manager when a new sensor is attached to a WSAN;
- Figure 8 illustrates schematically a WSAN Manager, a WSAN Gateway and a WSAN sensor, according to an exemplary embodiment of this invention;
- Figure 9 illustrates the grafting of the description of a new sensor; - Figure 10 is a block diagram illustrating the storing of the new sensor node description; and
- Figure 11 is a signalling diagram illustrating the attachment of a new sensor to a WSAN.
DETAILED DESCRIPTION
In the following description, specific details are set forth, such as a particular architecture and sequences of steps in order to provide a thorough understanding of the present invention. However, it is apparent to a person skilled in the art that the present invention may be practised in other embodiments that may depart from these specific details.
Moreover, it is apparent that the described functions may be implemented using software functioning in conjunction with a programmed microprocessor or a general purpose computer, and/or using an application-specific integrated circuit. Where the invention is described in the form of a method, the invention may also be embodied in a computer program product, as well as in a system comprising a computer processor and a memory, wherein the memory is encoded with one or more programs that may perform the described functions.
The term "sensor" is hereinafter referring to a sensor or an actuator.
Normally, before a new sensor is inserted in a WSAN, a user purchases the sensor from a manufacturer, with the purpose of installing the new sensor in his/her WSAN that is managed by a WSAN Operator via a WSAN Manager. After the purchase, the user registers the new sensor with the WSAN Manager, in which the identities of the WSAN Gateways, ID_G, linked to the user, have been previously stored. At the registration, the open identifier, ID SO, of the sensor is stored in the WSAN Manager, together with the identity of the user and the identity of a particular WSAN Gateway, as well as the identity of the sensor database, SDB, in which a private identity, ID_S, and a secret sensor key of the new sensor have been pre-stored by the manufacturer. Further, the WSAN Gateway maintains a description of the hardware, software, and services of the WSAN sensors, e.g. as an Ontology.
According to a preferred embodiment of the invention, the WSAN Manager 16 retrieves the private identity, IS_S, and a secret sensor key of a new sensor from the sensor database, after having registered a user of a new sensor, and transmits an indication of the private identity to the WSAN Gateway 15. The WSAN Gateway, in turn, forwards the indication of the private identity of a potential and eligible new sensor to all the existing sensors in the WSAN 12.
Later, when the new sensor is inserted in the WSAN and switched on, the new sensor starts to emit a beacon with an indication of its private identity to the existing sensors in the WSAN, within reach for radio contact with the new sensor, and the beacon may also include identification data derived from the private identity. The existing sensors are expecting to receive a beacon from a new sensor, and according to the preferred embodiment, an existing sensor that receives a beacon will check the eligibility of the new sensor, and forward a notification to the WSAN Gateway when a new eligible sensor is actually inserted in the WSAN. The eligibility check comprises a comparison between an indication of a private identity received in a beacon from a new sensor inserted in the WSAN, and a stored indication, previously received from the WSAN Gateway, of a private identity of a new eligible sensor. Upon reception of a notification from an existing sensor of the insertion of an eligible new sensor in the WSAN, the WSAN Gateway will send an authentication request to the WSAN Manager, and the WSAN Manager will compute an authentication vector, based on the secret sensor key associated with the new sensor, and transmit the vector to the WSAN Gateway for the authentication of the new sensor.
According to an alternative embodiment, the eligibility check of the new sensor is performed by the WSAN Gateway, and an existing sensor that receives a beacon from a new sensor will forward a notification comprising sensor identification information to the WSAN Gateway. Advantageously, however, the eligibility check is performed by an existing sensor, in order to avoid unnecessary transmission of information to the WSAN Gateway, and save sensor battery capacity.
According to a further embodiment of the invention, the WSAN Gateway transmits a listening request to the existing sensors, in connection with the transmission of the indication of the private identity, and the listening request activates a certain listening status in the existing sensor for the detection of a beacon from a new sensor. According to alternative exemplary embodiments, the listening status indicates a continuous listening until a beacon from a new sensor is detected, or listening during certain pre-determined clock intervals, which can save sensor battery capacity.
An advantage with the present invention is that if an existing sensor picks up a beacon from a node, without having stored any previous indication of its private identity, a new malicious/non-authenticated node may have been detected, and the user may be alerted through the WSAN Gateway. According to a still further exemplary embodiment, the eligibility check of an additional sensor further comprises a check that a predetermined activation time interval of the sensor has not expired. This embodiment involves a WSAN Manager determining a relevant activation time interval at the registration of the new sensor, and forwarding the activation time interval to the WSAN Gateway, together with an indication of the private identity of the new sensor. The WSAN Gateway, in turn, forwards the activation time interval to the existing sensors, together with the indication of the private identity of a potential additional sensor in the WSAN. Thereby, when the existing sensor receives a beacon comprising an indication of the private identity of the additional sensor, the existing sensor is able to include a check that the activation time interval has not expired in the determination of the eligibility of the new additional sensor.
Alternatively, in case the eligibility check is performed by the WSAN Gateway, the activation time interval is stored in the WSAN Gateway.
Further, the eligibility check may comprise a control of other policies, e.g. regarding the geographic location of the sensor within the WSAN.
This invention involves the authorization of a new sensor to join an existing WSAN comprising at least one sensor, as well as the initial key management associated with the new sensor. The invention also involves an updating of the service descriptions maintained in the WSAN Gateway of the WSAN, as well as of the software in the WSAN Gateway for using the new sensor
When a new sensor joins a WSAN, according to the invention, a secure connection is established with the WSAN Gateway in order to enable encryption and authentication of the data traffic between the sensor and the WSAN Gateway. The WSAN manager pushes the description of the new sensor, e.g. its capabilities and services, such as driver and service software, down to be installed in the WSAN Gateway.
Each sensor is identified and authenticated with a private identity of the sensor, ID_S, and with a secret sensor key, which are initially stored in a sensor database, SDB, by the manufacturer, together with an open identifier, ID_SO, which may e.g. be printed on the sensor. The ID_SO may or may not depend on ID_S in such a way so that ID_SO=f (ID_S) where f may be a cryptographically secure one-way function. Thus, the sensor manufacturer installs ID_S, ID_SO and the secret sensor key in a new sensor, and stores this information in a sensor database,
SDB, along with the contact information pointers to its software database.
As described above, the identity of a particular WSAN Gateway linked to the user is stored in the WSAN Manager, together with the identity of new sensor, to enable the establishment of a secure connection. The WSAN Manager node may be an application server of a third party, and the WSAN Gateway will use a suitable protocol, e.g. the GBA (the Generic Boostrap Architecture) to bootstrap and enroll to the application server of the third party.
Figure 3 illustrates schematically a WAN (Wide Area Network) 14, including a WSAN Manager 16, a sensor database 35 and a software database 34 of the manufacturer. This figure also illustrates a WSAN 12, including one existing sensor 33, as well as the WSAN Gateway 15 connecting the WSAN to the applications of the WAN. When a user has registered a new sensor with the WSAN Manager 16, for attachment to the WSAN 12, the WSAN Manager will retrieve the private identity, IS_S, and a secret sensor key of the new sensor from the sensor database 35, using the open identifier, ID_SO, of the sensor. The WSAN Manager will also retrieve contact information pointers, e.g. URL, to the software database 34 from the sensor database 35. At this point in time, the sensor database 35 may erase the private identity and the secret sensor key of the new sensor. The contact information pointers to the software database 34 of the sensor manufacturer is used by the WSAN Manager 16 to retrieve the sensor description, such as capabilities and services, as well as the sensor software, such as drivers and service software, from the software database for instalment in the WSAN Gateway 15. The new sensor and the WSAN Gateway 15 may use e.g. the AKA-protocol (Authentication and Key Agreement) to perform the mutual authentication and the key establishment.
When the WSAN Manager 16 has retrieved the private identity of a new sensor from the sensor database 35, it sets up a secure channel to the WSAN Gateway 15 of the user and transmits the private identity, and the WSAN Gateway will transmit it further to each existing sensor 33 in the WSAN 12. When the new sensor is inserted in its final environment in the WSAN 12 and switched on, it immediately starts to search for a WSAN by emitting beacons containing an indication of its private identity, such as e.g. the private sensor identity ID_S, or the tuple (r, f(r, ID_S) ) where r is a random number and f a cryptographically strong one-way function. When a beacon is picked up by an existing sensor 33 in the WSAN, the receiving existing sensor will check that it comes from an eligible new sensor, by comparing the indication of the private identity included in the beacon with the private identity previously received from the WSAN Gateway. If the beacon includes said tuple, the existing sensor 33 is configured to calculate the function f(r, IS_S) in order to verify that the new sensor is eligible. Upon verification of the eligibility of the new sensor, the WSAN Gateway will be notified by an existing sensor 33 of the insertion of the new sensor, and the WSAN Gateway will check that it no beacon has been received previously from that particular sensor. If so, the WSAN Gateway sets up a secure connection to the WSAN Manager and transmits an authentication request to the WSAN Manager containing an indication of the private identity of the new sensor, the indication being e.g. the private identity, ID_S, or the tuple described above.
When the WSAN Manager receives the authentication request concerning a particular sensor from the WSAN Gateway, the WSAN Manager will check that the private identity, ID_S, of the sensor is linked with the identity of the requesting WSAN Gateway, ID_G, and if so, the WSAN Manager computes an authentication vector. According to an exemplary embodiment of the authentication procedure, the WSAN Manager uses a sequence number NR, the secret sensor key plus an additional nonce NONCE generated by the WSAN Manager itself to compute the authentication vector. The authentication vector contains a key, KS, an expected response, XRES, and an authentication token, AUTN, which are returned to the WSAN Gateway, together with NONCE. The WSAN Gateway now forwards the NONCE and the AUTN to the new sensor, which uses the NONCE together with its secret sensor key to verify that the AUTN comes from a trusted source and that the message is freshly generated.
If the new sensor is out of range of a direct radio communication with the WSAN Gateway, the communication of the authentication token may use a path over the existing sensor 33 that transmitted the notification of the new sensor to the WSAN Gateway. Possibly, said path may use several existing sensors in order to establish a point-to-point connection between the new sensor and the WSAN Gateway. The new sensor also computes the key, KS, and a response, RES, and RES is then transmitted to the WSAN Gateway to be compared with XRES received previously from the WSAN Manager. If they match, the WSAN gateway proceeds with establishing local keys in the WSAN.
The above-described exemplary authentication procedure could e.g. be based on the MILENAGE algorithm. The local keys in the WSAN are often based on different group keys, and specific applications or geographically close sensors could also have different keys. However, these keys are all bootstrapped from the key, KS, shared between the WSAN gateway and the sensor, as described above.
Figure 4 is a signalling diagram illustrating the above- described exemplary authentication procedure between a new sensor 39 and the WSAN Gateway 15, after the insertion of the new sensor 39 in the WSAN, the attachment and authentication assisted by at least one existing sensor 33 in the WSAN, the WSAN Manager 16 and the software database 34.
In step S410 in figure 4, when the new sensor 39 has been switched on after insertion in the WSAN, the new sensor transmits a beacon indicating its private identity, ID_S, e.g. the tuple (r, f(r, ID_S) to the existing sensor/s/ 33 in the WSAN. In step S411, the receiving existing sensor compares the received private identity with the stored private identity of an eligible new sensor previously received from the WSAN Gateway, or alternatively, calculates the function f(r, ID_S) . If there is a match, said receiving existing sensor 33 transmits the private identity of the new sensor, in step S412, in a notification message to the WSAN Gateway. In step S413, a secure connection is established between the WSAN Gateway 15 and the WSAN Manager 16, and the WSAN Gateway sends an authentication request to the WSAN Manager in step S414, the request forwarding the private identity, ID_S, of the new sensor. In step S415, the WSAN Manager computes the authentication vector, and retrieves the sensor node description and sensor node software from the software database of the sensor node manufacturer, in step S416. In step S417, the WSAN Manager transmit KS, XRES, AUTN, NONCE to the WSAN Gateway, and may also push the sensor node description and sensor node software to the WSAN Gateway, as well. In step S418, the WSAN Gateway transmit AUTN, NONCE to the new sensor 39, and the new sensor verifies AUTN and compute KS and RES, in step S419, and transmits RES to the WSAN Gateway, in step S420. In step S421, the WSAN Gateway determines if RES=XRES, and if yes, establishes a new key based on KS. If no, it drops the contact, removes the sensor node descriptions and software, and informs the user and the WSAN Manager. In step S422, the attachment of the new sensor is continued, using KS as a security bootstrapper, and in step S423, the WSAN Gateway installs the new sensor description and sensor node software in order to handle the new sensor.
Figure 5 - 7 are flow diagrams illustrating the steps performed by a WSAN Gateway 15, by an additional sensor 39, by an existing sensor 33, and by a WSAN Manager 16, during the attachment of an additional sensor 39 to a WSAN, according to a first exemplary embodiment of this invention.
In figure 5, the WSAN Gateway receives an indication of the private identity of a potential additional sensor that eventually will be attached to the WSAN from the WSAN Manager, in step 51. In step 52, the WSAN Gateway forwards an indication of the private identity of the additional sensor to the existing sensors in the WSAN. When the additional sensor has been inserted in the WSAN, it will emit a beacon comprising an indication of its private identity, e.g. a tuple, and this beacon will be received by at least one of the existing sensors. The receiving existing sensor will check the eligibility by comparing the received private identity with the private identity previously received from the WSAN Gateway in step 52, and if the private identities match, the existing sensor will send a notification of the insertion of the additional sensor to the WSAN Gateway. If a tuple is received, the existing sensor must calculate the tuple and compare it with the one transmitted by the additional sensor. If these two match, the existing sensor will send a notification of the insertion of the additional sensor to the WSAN Gateway. When the WSAN Gateway receives the notification, in step 53, it performs an authentication procedure, in step 54, based on an authentication vector received from the WSAN Manager.
In figure 6a, when an additional sensor 39 has been inserted in the WSAN, in step 61, the additional sensor emits a beacon, in step 62, comprising an indication of its private identity. This beacon will be received by an existing sensor, which will forward the notification to the WSAN Gateway, if the indication of a private identity received in the beacon matches a stored indication of a private identity previously received from the WSAN Gateway. When the WSAN Gateway receives the notification, it performs an authentication procedure with the additional sensor, in step 63, based on an authentication vector from the WSAN Manager.
Figure 6b is a flow diagram illustrating the steps performed by an existing sensor in the WSAN when an additional sensor is attached to the WSAN. In step 64, the existing sensor receives and stores an indication of the private identity, e.g. the tuple, of a potential additional sensor from the WSAN Manager, via the WSAN Gateway. When an additional sensor has been inserted in the WSAN, as illustrated by the determining step 65, the existing sensor will receive a beacon from the additional sensor, in step 66, the beacon comprising an indication of private identity of the additional sensor. In step 67, the existing sensor will determine if the additional sensor is eligible to be attached to the WSAN, by comparing the received private identity with the private identity previously received from the WSAN Gateway, (or the tuples), in step 64, and if the private identities, or the tuples, are equal, the existing sensor will send a notification of the insertion of an eligible additional sensor to the WSAN Gateway, the notification comprising an indication of the private identity of the sensor, in step 68.
In figure 7, the WSAN Manager registers a new sensor of a user, in step 71, to be attached to the WSAN. In step 72, the WSAN Manager retrieves the private identity of the additional sensor, as well as the secret sensor key, from the sensor database, and in step 73, the WSAN Manager forwards the private identity of the additional sensor to the appropriate WSAN
Gateway associated with the user. When the additional sensor has been inserted in the WSAN, it will emit a beacon comprising an indication of its private identity, and this beacon will be received by at least one of the existing sensors. The receiving existing sensor will compare the received indication of the private identity with a stored private identity previously received from the WSAN Gateway, and if the private identities are equal, the existing sensor will send a notification of the insertion of an additional eligible sensor to the WSAN Gateway. When the WSAN Gateway receives this notification of the insertion of an eligible sensor in the WSAN, the WSAN Manager will receive an authentication request from the WSAN Gateway, in step 74, and in response compute an authentication vector and transmit to the WSAN Gateway, in step 75. Further, figure 8 illustrates schematically a WSAN Manager 16, a WSAN Gateway 15 and a WSAN sensor 33, 39, according to exemplary embodiments of the invention, the WSAN Manager and the sensor arranged to communicate with the WSAN Gateway.
The WSAN Manager 16 is provided with an arrangement 810 for attaching an additional sensor to a WSAN comprising at least one existing sensor. The arrangement 810 comprises means 811 for retrieving the private identity and the secret sensor key of said additional sensor from a sensor database, after registering a user of the sensor, and forwarding the private identity to the WSAN Gateway. The arrangement also comprises means 812 for computing an authentication vector for authentication of the additional sensor, based on the secret sensor key, after receiving an authentication request from the WSAN Gateway, and forwarding the authentication vector to the WSAN gateway. The arrangement is further provided with means (not illustrated in the figure) for storing the user identity, together with the identity of the WSAN Gateway, and the private identity of the new sensor.
It should be noted that the means illustrated in figure 8 may be implemented by physical or logical entities using software functioning in conjunction with a programmed microprocessor or general purpose computer, and/or using an application specific integrated circuit (ASIC) .
The WSAN Gateway 15 is provided with an arrangement 820 for attaching an additional sensor to a WSAN comprising at least one existing sensor, the additional sensor transmitting an indication of its private identity to the existing sensors after insertion in the WSAN. The arrangement comprises means 821 for receiving the private identity of the additional sensor from the WSAN Manager, and forwarding an indication of the private identity to the existing sensors in the WSAN, means 822 for receiving a notification from an existing sensor of the insertion of an eligible additional sensor in the WSAN, and means 823 for authentication of the inserted additional sensor, based on an authentication vector received from the WSAN Manager. The arrangement is further provided with means (not illustrated in the figure) for storing the software of the new sensor.
The WSAN sensor 33, 39 is provided with an arrangement 840 for attaching an additional sensor to a WSAN. The arrangement 840 comprises means 841 for receiving and storing an indication of the private identity of a potential additional sensor from the WSAN Gateway, means 842 for receiving a beacon comprising an indication of the private identity of an additional sensor, the beacon emitted by the additional sensor when it is inserted in the WSAN, means 843 for determining the eligibility of the additional sensor by comparing the private identity received in a beacon with a stored private identity previously received from the WSAN Gateway, and means 844 for sending a notification of the insertion of the new eligible sensor to the WSAN Gateway, if the private identities are equal.
The WSAN sensor 33, 39 is further provided with an arrangement 830 for attaching to a WSAN comprising at least one existing sensor, the arrangement 830 comprising means 831 for emitting a beacon including an indication of its private identity after insertion into the WSAN, to be received by the existing sensors within radio contact, and means 832 for performing an authentication with the WSAN Gateway, based on an authentication vector from the WSAN Manager and transmitted to the new sensor by the WSAN Gateway. The WSAN sensor 33, 39 is further provided with means (not illustrated in the figure) for storing sensor data installed by the manufacturer, such as its private identity, ID_S, open identifier, IS_S, and secret sensor key.
According to an exemplary embodiment of this invention, a WSAN sensor is described by an Ontology, according to the Semantic Web Technology, and figure 9 illustrates the "grafting" of an Ontology of a new temperature sensor 92 on a previous WSAN Sensor Ontology 96, only including a humidity sensor 91.
Normally, a new sensor node includes new hardware and offers new sensor data and services that are not described in the WSAN Ontology of the WSAN Gateway. Thus, according to a further exemplary embodiment of this invention, the WSAN Gateway will receive the sensor node description, as well as drivers and service software associated with the new sensor node from the WSAN Manager, when a new sensor is attached to a WSAN and authenticated. The WSAN Gateway "grafts" the Ontology 95 of a new temperature sensor 92 to the WSAN sensor Ontology 96, the Ontology 95 describing the hardware, software and services of the new temperature sensor, thereby updating the sensor node description.
The WSAN Gateway will also ask the WSAN Manager if there exist any software regarding the WSAN as a whole, and not only for the new sensor. If so, the WSAN Gateway will download and store this software, as well. If the WSAN Gateway specifies important details, such as the hardware, the operating system and the software, the WSAN Manager will return the appropriate software to the WSAN Gateway, and the WSAN Gateway will store the software into a software repository. The WSAN Manager can also mediate the grafting between the two descriptions by the WSAN Gateway sending both the existing Ontology and the new sensor Ontology to the WSAN Manager, which can contact a 3rd party Ontology composition service to assist the grafting.
Figure 10 illustrates a WSAN Gateway 15, a WSAN Ontology database 101 for storing the sensor node descriptions, and a software database repository 102 for storing the drivers and service software associated with the sensors. A description of a new sensor node includes an identification, i.e. SW16894, of the new software drivers and services, and the WSAN gateway 15 stores the binary code of these software components in the repository 102, and the identification and the location of the software in a lookup table 103. The WSAN Gateway also stores in the software database repository the services that are not associated with a specific sensor, but to a group of sensors in the WSAN. The insertion of an additional sensor will normally result in the downloading of software services associated with the new sensor and a few existing sensors.
Figure 11 is a signalling diagram illustrating the handling of the software for an additional sensor attached to a WSAN, involving the above-described WSAN Ontology database 101, the SWDB Repository 102, and the lookup table 103. In step SIlO, the sensor is authenticated and a secure communication is established between the additional sensor 39 and the WSAN Gateway 15. In step Sill, the WSAN Gateway updates the WSAN
Ontology database 101, the SWDB Repository 102, and the lookup table 103 with the description of the new sensor node, as well as with the new software drivers and services, in step S112. The sensor node description and the software has been previously obtained by the WSAN Manager from the software database of the sensor manufacturer, and pushed down to the WSAN Gateway. Since the WSAN Manager knows the composition of the WSAN after the insertion of the additional sensor, it can contact a 3rd party sensor software service 104, in step S113, which is able to retrieve software services and sell to the WSAN Manager, if it is provided with a description of the WSAN. Thereafter, the WSAN Manager can push these aggregate software services to the WSAN Gateway, as well.
When the WSAN Gateway receives a request for sensor data, the appropriate sensor node and software identification, e.g. SW 16894, is retrieved by the WSAN Gateway from the WSAN Ontology in the WSAN Ontology database 101, the appropriate location, e.g. swdb: //16894.code, is retrieved by the WSAN Gateway from the look-up table 103, and the binary code is retrieved from the SWDB Repository 102, in step S114. Thereafter, in step S115, the WSAN Gateway uses the binary code to request the data from the sensor node, and the sensor responds with the appropriate data.
Thus, this invention offers an automatic attachment of an addition sensor in a WSAN, involving authentication and establishment of a secure communication between the sensor and the WSAN Gateway. Moreover, the new sensor could be used almost instantly, by means of an automatic updating of the WSAN service description and software in the WSAN Gateway based on the new sensor, as well as based on the composition of the whole WSAN, according to a further embodiment of this invention. Since this invention enables an automatic and network-assisted attachment of sensors to WSANs, involving different roles, such as the manufacturer of the sensor, the owner of the sensor node, and the WSAN Manager, the mapping of these roles onto different legal entities can be very flexible.
While the invention has been described with reference to specific exemplary embodiments, the description is in general only intended to illustrate the inventive concept and should not be taken as limiting the scope of the invention.

Claims

1. A method for attaching an additional sensor (39) to a WSAN comprising at least one existing WSAN sensor (33), the method characterized by the following steps, performed by an existing WSAN sensor:
- Receiving and storing (64) an indication of the private identity of a potential additional sensor from a WSAN Gateway;
- Receiving (66), from an additional sensor, a beacon comprising an indication of the private identity of the additional sensor, when the additional sensor has been inserted in the WSAN;
- Determining (67) if the additional sensor is eligible for attachment to the WSAN by comparing the indication of the private identity received in the beacon with a previously stored indication of the private identity of a potential additional sensor;
- Sending (68) a notification of the insertion of an eligible additional sensor to the WSAN Gateway, the notification comprising an indication of the private identity of the inserted eligible additional sensor.
2. A method for attaching an additional sensor, according to claim 1, wherein the step of determining (67) if the additional sensor is eligible for attachment further comprises a check that a activation time interval of the additional sensor has not expired, the activating time interval received and stored in connection with the indication of the private identity of the additional sensor.
3. A method for attaching an additional sensor, according to claim 1 or 2, characterized by an existing WSAN sensor (33) receiving a listening request from the WSAN Gateway, the listening request indicating a listening status for the detection of a beacon from an additional sensor.
4. A method according to any of the preceding claims, the method characterized by an additional sensor (39) performing the following steps, after insertion in the WSAN:
- Transmitting an indication of its private identity in a beacon to the existing WSAN sensors;
- Performing authentication (63) with the WSAN Gateway, based on an authentication vector computed by the WSAN Manager.
5. A method according to claim 4, wherein the authentication comprises the establishment of key shared between the additional sensor and the WSAN Gateway, based on said authentication vector.
6. A method according to claim 4 or 5, wherein the authentication is performed according to the AKA protocol.
7. A method according to any of the claims 1 - 6, wherein a private identity, ID_S and a secret sensor key of a sensor is pre-stored in a sensor database by the manufacturer, in connection with pointers to a software database.
8. A method for attaching an additional sensor (39) to a WSAN (12) comprising at least one existing WSAN sensor (33), the additional sensor transmitting an indication of its private identity to the existing WSAN sensors after insertion in the WSAN, the method characterized by a WSAN Gateway performing the following steps: - Receiving (51) an indication of the private identity of an additional sensor (39) from a WSAN Manager;
- Transmitting (52) said received indication of the private identity of an additional sensor to the existing WSAN sensors; - Receiving (53) a notification from an existing WSAN sensor of the insertion of an eligible additional sensor in the WSAN, the notification comprising an indication of the private identity of the inserted eligible additional sensor; - Performing authentication (54) of the inserted additional eligible sensor, based on authentication information received from the WSAN Manager.
9. A method according to claim 8, characterized by the WSAN Gateway further transmitting a listening request to the existing WSAN sensors, the listening request indicating a listening status for detecting a beacon from an additional sensor.
10. A method according to claim 8 or 9, characterized by the WSAN Gateway further receiving an activation time interval for an additional sensor from a WSAN manager and forwarding the activation time interval to the existing WSAN sensors, in connection with the transmission of the indication of the private identity of the additional sensor.
11. A method according to any of the claims 8 - 10, characterized by the WSAN Gateway further transmitting an authentication request comprising the private identity of the additional sensor (39) to the WSAN Manager, after receiving the notification (53) of the insertion of the additional eligible sensor in the WSAN.
12. A method according to any of the claims 8 - 11, characterized by the WSAN Gateway receiving a sensor description and sensor related software from the WSAN Manager, together with the authentication information.
13. A method according to any of the claims 8 - 12, characterized by the WSAN Gateway performing the further steps of:
- Updating a WSAN ontology based on the received sensor description, if the sensor node description comprises an WSAN sensor ontology (21);
- Storing the sensor related software in a local software database repository (102) .
14. A method for attaching an additional sensor to a WSAN comprising at least one existing WSAN sensor, the method characterized by a WSAN Manager performing the following steps:
- Registering (71) the additional sensor;
- Retrieving (72) the private identity and the secret sensor key of the additional sensor from a sensor database (35);
- Transmitting (73) an indication of the private identity of the additional sensor to a WSAN Gateway;
- Computing (75) an authentication vector for authentication of the additional sensor, based on the secret sensor key, after receiving an authentication request (74), comprising the private identity of the additional sensor, from the WSAN Gateway;
- Transmitting (75) the authentication vector to the WSAN Gateway.
15. A method according to claim 14, wherein the WSAN Manager determines an activation time interval for an additional sensor, and transmits the activation time interval to the WSAN Gateway, together with the indication of the private identity of the additional sensor.
16. A method according to claim 14 or 15 , wherein the WSAN manager sets up a secure communication channel to the WSAN Gateway, after receiving the private identity of the additional sensor.
17. A method according to any of the claims 14 - 16, characterized by the WSAN Manager retrieving the sensor description and the sensor related software from a software database (34) of the manufacturer, after receiving a request from the WSAN Gateway.
18. A method according to claim 17, characterized by the WSAN Manager transmitting the sensor description and the sensor related software to the WSAN Gateway, together with the authentication vector.
19. A WSAN sensor (33,39) adapted to communicate with a WSAN Gateway (15) and characterized by an arrangement (840) for attaching an additional sensor to a WSAN, the arrangement (840) comprising:
- Means (841) for receiving and storing an indication of the private identity of a potential additional sensor from the WSAN Gateway; - Means (842) for receiving a beacon comprising an indication of the private identity of an additional sensor, the beacon emitted by an additional sensor after insertion in the WSAN;
- Means (843) for determining if the additional sensor is eligible for attachment to the WSAN, by comparing the indication of the private identity received in the beacon with a stored indication, and
- Means (844) for sending a notification of the insertion of an eligible additional sensor to the WSAN Gateway, the notification comprising an indication of the private identity of the eligible additional sensor.
20. A WSAN sensor according to claim 19, wherein the means for determining if an additional sensor is eligible is further arranged to check that an activation time interval of the additional sensor has not expired, the activating time interval received and stored in connection with the indication of the private identity of the additional sensor.
21. A WSAN sensor according to claim 19 or 20, further arranged to activate a listening status depending on a listening request received from the WSAN Gateway.
22. A WSAN sensor (33, 39) according to any of the claims 19 - 21, further characterized by an arrangement (830) for attachment to a WSAN comprising at least one existing WSAN sensor, the WSAN sensor arrangement (830) comprising:
- Means (831) for transmitting an indication of the private identity in a beacon to the existing WSAN sensors, after insertion into the WSAN;
- Means (832) for performing an authentication with the WSAN Gateway, based on an authentication vector from the WSAN Manager .
23. A WSAN sensor, according to any of the claims 19 - 22, wherein the means for performing authentication is arranged to establish a shared key with the WSAN Gateway, based on said authentication vector.
24. A WSAN Gateway (15) arranged to communicate with a WSAN Manager (16) and WSAN sensors, and characterized by an arrangement (820) for attaching an additional sensor to a WSAN comprising at least one existing WSAN sensor, the additional sensor transmitting an indication of its private identity to the existing WSAN sensors after insertion in the WSAN, the WSAN Gateway arrangement (820) comprising:
- Means (821) for receiving an indication of the private identity of the additional sensor from the WSAN Manager, and forwarding the indication to the existing WSAN sensors; - Means (822) for receiving a notification from an existing WSAN sensor of the insertion of an eligible additional sensor in the
WSAN ;
- Means (823) for authentication the inserted additional sensor, based on an authentication vector received from the WSAN
Manager.
25. A WSAN Gateway according to claim 24, further arranged to transmit a listening request to the existing WSAN sensors, the listening request indicating a listening status for detecting a beacon from an additional sensor.
26. A WSAN Gateway according to claim 24 or 25, further arranged to receive an activation time interval for an additional sensor from the WSAN Manager and forward to the existing WSAN sensors, in connection with the transmission of the indication of the private identity.
27. A WSAN Gateway (15), according to any of the claims 24 - 26, characterized in that the WSAN Gateway arrangement (920) comprises means for transmitting an authentication request to the WSAN Manager, after receiving the notification of the insertion of an eligible additional sensor in the WSAN.
28. A WSAN Gateway, according to any of the claims 24 - 27, wherein the authentication comprises the establishment of a shared security key, KS, with the inserted additional sensor.
29. A WSAN Gateway, according to any of the claims 24 - 28, characterized in that the WSAN Gateway arrangement comprises means for receiving a sensor description and sensor related software from the WSAN Manager, together with the authentication vector.
30. A WSAN Gateway, according to claim 29, characterized in that the WSAN Gateway arrangement comprises means for:
- updating a WSAN ontology based on the received sensor description, if the sensor node description comprises a WSAN sensor ontology;
- storing the sensor related software in a local software database repository (102) .
31. A WSAN Manager (16) for managing a WSAN and arranged to communicate with a WSAN Gateway (15), the WSAN Manager (16) characterized by an arrangement (810) for attaching an additional sensor to a WSAN comprising at least one existing WSAN sensor, the arrangement comprising:
- Means (811) for retrieving the private identity and the secret sensor key of the additional sensor from a sensor database, after registering the additional sensor, and forwarding an indication of the private identity of the additional sensor to a WSAN Gateway;
- Means (812) for computing an authentication vector for authentication of the additional sensor, based on the secret sensor key, after receiving an authentication request from the
WSAN Gateway, and forwarding the authentication vector to the WSAN gateway.
32. A WSAN Manager, according to claim 31, further arranged to determine an activation time interval for the additional sensor, and to transmit the activation time interval to the WSAN Gateway, together with the indication of the private identity.
33. A WSAN Manager according to claim 31 or 32, the arrangement (810) further adapted to pre-store the identity of a WSAN Gateway associated with a user subscription.
34. A WSAN Manager according to any of the claims 31 - 33, the WSAN Manager arrangement (810) further characterized by means for retrieving the sensor description and the sensor related software from the software database (34) of the manufacturer, after receiving a request from the WSAN Gateway.
35. A WSAN Manager according to claim 34, the WSAN Manager arrangement further characterized by means for transmitting the sensor description and the sensor related software to the WSAN Gateway, together with the authentication vector.
PCT/SE2009/050361 2009-04-07 2009-04-07 Attaching a sensor to a wsan WO2010117310A1 (en)

Priority Applications (4)

Application Number Priority Date Filing Date Title
EP09843127.3A EP2417827A4 (en) 2009-04-07 2009-04-07 Attaching a sensor to a wsan
PCT/SE2009/050361 WO2010117310A1 (en) 2009-04-07 2009-04-07 Attaching a sensor to a wsan
US13/260,826 US9154476B2 (en) 2009-04-07 2009-04-07 Attaching a sensor to a WSAN
CN200980158336.8A CN102365901B (en) 2009-04-07 2009-04-07 Attaching a sensor to a WSAN

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/SE2009/050361 WO2010117310A1 (en) 2009-04-07 2009-04-07 Attaching a sensor to a wsan

Publications (1)

Publication Number Publication Date
WO2010117310A1 true WO2010117310A1 (en) 2010-10-14

Family

ID=42936422

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/SE2009/050361 WO2010117310A1 (en) 2009-04-07 2009-04-07 Attaching a sensor to a wsan

Country Status (4)

Country Link
US (1) US9154476B2 (en)
EP (1) EP2417827A4 (en)
CN (1) CN102365901B (en)
WO (1) WO2010117310A1 (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103118046A (en) * 2011-11-17 2013-05-22 中国移动通信集团公司 Method and system of code matching for sensor
WO2013137787A1 (en) * 2012-03-15 2013-09-19 Telefonaktiebolaget L M Ericsson (Publ) A configuration provision device and corresponding m2m device, system, method, computer program and computer program product
CN103688563A (en) * 2011-05-26 2014-03-26 诺基亚公司 Performing a group authentication and key agreement procedure
EP2736301A4 (en) * 2011-07-20 2015-04-08 Zte Corp Method for communication between gateways in wsn, initiator gateway, and target gateway

Families Citing this family (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20130114582A1 (en) * 2011-11-03 2013-05-09 Digi International Inc. Wireless mesh network device protocol translation
TW201328401A (en) * 2011-12-28 2013-07-01 Univ Nat Central Wireless sensing braking network and operating method thereof
US9392446B1 (en) * 2013-08-05 2016-07-12 Sprint Communications Company L.P. Authenticating environmental sensor systems based on security keys in communication systems
US9516141B2 (en) * 2013-08-29 2016-12-06 Verizon Patent And Licensing Inc. Method and system for processing machine-to-machine sensor data
US20170076300A1 (en) * 2014-03-12 2017-03-16 Philips Lighting Holding B.V. City data marektplace
WO2016017995A1 (en) * 2014-07-31 2016-02-04 Samsung Electronics Co., Ltd. System and method of controlling data transmission of external apparatus connected to gateway
CN105490930A (en) * 2014-09-17 2016-04-13 中兴通讯股份有限公司 Sensor code matching processing method and device, network platform device, and gateway of internet of things
JP6586909B2 (en) * 2016-03-09 2019-10-09 富士通株式会社 Data management method and data management system
CN105933397B (en) * 2016-04-15 2019-04-12 河海大学常州校区 The improvement distribution auction Ik-SAAP method that task is distributed in WSAN
US10972259B2 (en) 2016-09-05 2021-04-06 Lg Electronics Inc. Lightweight and escrow-less authenticated key agreement for the internet of things
US10129760B2 (en) * 2016-09-26 2018-11-13 King Fahd University Of Petroleum And Minerals Restoring connectivity in partitioned wireless sensor and actor networks
EP3617663A1 (en) * 2018-08-29 2020-03-04 Siemens Aktiengesellschaft Method for verifying sensors in a network of sensors and sensor network
CN109996204B (en) * 2019-03-26 2021-07-13 东北大学 WSAN-based optimized deployment method for complex pipe network information controller

Family Cites Families (34)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7797367B1 (en) * 1999-10-06 2010-09-14 Gelvin David C Apparatus for compact internetworked wireless integrated network sensors (WINS)
US7176808B1 (en) * 2000-09-29 2007-02-13 Crossbow Technology, Inc. System and method for updating a network of remote sensors
US20030151513A1 (en) * 2002-01-10 2003-08-14 Falk Herrmann Self-organizing hierarchical wireless network for surveillance and control
US20050152305A1 (en) * 2002-11-25 2005-07-14 Fujitsu Limited Apparatus, method, and medium for self-organizing multi-hop wireless access networks
US20050028001A1 (en) * 2003-07-29 2005-02-03 Jian Huang Secured software patching and upgrade method for densely deployed networks having spanning-tree topology
US7530113B2 (en) * 2004-07-29 2009-05-05 Rockwell Automation Technologies, Inc. Security system and method for an industrial automation system
US7304976B2 (en) * 2004-10-13 2007-12-04 Virginia Tech Intellectual Properties, Inc. Method and apparatus for control and routing of wireless sensor networks
JP4808409B2 (en) * 2005-01-14 2011-11-02 株式会社日立製作所 Sensor network system, sensor data search method and program
US8051489B1 (en) * 2005-03-18 2011-11-01 Oracle America, Inc. Secure configuration of a wireless sensor network
US7760109B2 (en) * 2005-03-30 2010-07-20 Memsic, Inc. Interactive surveillance network and method
US7814322B2 (en) * 2005-05-03 2010-10-12 Sri International Discovery and authentication scheme for wireless mesh networks
US7602918B2 (en) * 2005-06-30 2009-10-13 Alcatel-Lucent Usa Inc. Method for distributing security keys during hand-off in a wireless communication system
US7312703B2 (en) * 2005-10-20 2007-12-25 Hoogenboom Christopher L Initialization of a sensor for monitoring the structural integrity of a building
US20090222541A1 (en) * 2005-11-08 2009-09-03 Nortel Networks Limited Dynamic sensor network registry
US20100287623A1 (en) * 2005-11-23 2010-11-11 Thomas Banik Method for distributing a computer data structure to nodes of a network
US20070150565A1 (en) * 2005-12-22 2007-06-28 Arun Ayyagari Surveillance network system
JP4719034B2 (en) * 2006-03-07 2011-07-06 株式会社日立製作所 Sensor network system, base station, and sensing data relay method
US7877596B2 (en) * 2006-05-19 2011-01-25 Honeywell International Inc. Method and computer product to increase accuracy of time-based software verification for sensor networks
US8107397B1 (en) * 2006-06-05 2012-01-31 Purdue Research Foundation Protocol for secure and energy-efficient reprogramming of wireless multi-hop sensor networks
WO2008011376A2 (en) * 2006-07-21 2008-01-24 General Electric Company System and method for providing network device authentication
US8305935B2 (en) * 2006-07-27 2012-11-06 Mobitrum Corporation Method and system for dynamic information exchange on location aware mesh network devices
US7801058B2 (en) * 2006-07-27 2010-09-21 Mobitrum Corporation Method and system for dynamic information exchange on mesh network devices
US8116243B2 (en) * 2006-10-05 2012-02-14 Electronics And Telecommunications Research Institute Wireless sensor network and adaptive method for monitoring the security thereof
EP2095579B1 (en) * 2006-12-13 2018-11-07 Telecom Italia S.p.A. Sensor network
EP2023528B1 (en) * 2007-08-08 2009-09-30 Sag Ag Method and system for performing an untraceable secret matching
US8280057B2 (en) * 2007-09-04 2012-10-02 Honeywell International Inc. Method and apparatus for providing security in wireless communication networks
GB2453383A (en) * 2007-10-05 2009-04-08 Iti Scotland Ltd Authentication method using a third party
KR100947286B1 (en) * 2007-10-31 2010-03-16 한국전자통신연구원 Apparatus and method for managing wireless sensor metwork
US20090147714A1 (en) * 2007-12-05 2009-06-11 Praval Jain Method and system for reducing power consumption in wireless sensor networks
AU2009251887A1 (en) * 2008-05-28 2009-12-03 Agency For Science, Technology And Research Authentication and key establishment in wireless sensor networks
US8576746B2 (en) * 2008-06-04 2013-11-05 Electronics And Telecommunications Research Institute Sensor node identification method for hierarchical sensor network, and component therefor
US8862872B2 (en) * 2008-09-12 2014-10-14 Qualcomm Incorporated Ticket-based spectrum authorization and access control
WO2010102259A2 (en) * 2009-03-06 2010-09-10 Interdigital Patent Holdings, Inc. Platform validation and management of wireless devices
US20110231535A1 (en) * 2010-03-18 2011-09-22 Ian Charles Starnes Wireless Sensor Network

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
"Testbeds and Research Infrastructure for the Development of Networks and Communities, 2007. TridentCom 2007. 3rd International Conference on Publication Date: 21-23 May 2007", article GRUENWALD, C. ET AL.: "SWARMS: A Sensornet Wide Area Remote Management System", pages: 1 - 10, XP031211382 *
CHIN-LING CHEN ET AL.: "Dynamic Session-Key Generation for Wireless Sensor Networks", EURASIP JOURNAL ON WIRELESS COMMUNICATIONS AND NETWORKING, vol. 2008, 2008, XP003026723 *
See also references of EP2417827A4 *
SEYIT A. CAMTEPE ET AL.: "Key Distribution Mechanisms for Wireless Sensor Networks: a Survey (2005)ss: Rensselaer Polytechnic Institute", COMPUTER SCIENCE DEPARTMENT, 23 March 2005 (2005-03-23), XP002412961, Retrieved from the Internet <URL:http://www.cs.rpi.edu/research/pdf/05-07.pdf> *

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103688563A (en) * 2011-05-26 2014-03-26 诺基亚公司 Performing a group authentication and key agreement procedure
EP2716093A1 (en) * 2011-05-26 2014-04-09 Nokia Corp. Performing a group authentication and key agreement procedure
EP2716093A4 (en) * 2011-05-26 2015-04-08 Nokia Corp Performing a group authentication and key agreement procedure
US9270672B2 (en) 2011-05-26 2016-02-23 Nokia Technologies Oy Performing a group authentication and key agreement procedure
EP2736301A4 (en) * 2011-07-20 2015-04-08 Zte Corp Method for communication between gateways in wsn, initiator gateway, and target gateway
CN103118046A (en) * 2011-11-17 2013-05-22 中国移动通信集团公司 Method and system of code matching for sensor
CN103118046B (en) * 2011-11-17 2016-03-30 中国移动通信集团公司 Transducer is to the method and system of code
WO2013137787A1 (en) * 2012-03-15 2013-09-19 Telefonaktiebolaget L M Ericsson (Publ) A configuration provision device and corresponding m2m device, system, method, computer program and computer program product

Also Published As

Publication number Publication date
EP2417827A1 (en) 2012-02-15
CN102365901A (en) 2012-02-29
EP2417827A4 (en) 2014-03-05
US20120023564A1 (en) 2012-01-26
CN102365901B (en) 2014-10-29
US9154476B2 (en) 2015-10-06

Similar Documents

Publication Publication Date Title
US9154476B2 (en) Attaching a sensor to a WSAN
US11770459B2 (en) Framework for IoT protocol identification and management
RU2735238C1 (en) Efficient communication for home network devices
CN111819875B (en) Device, system and method for connecting and authenticating a local device to a public gateway device
WO2018001128A1 (en) Data transmission system, method and device
US11461455B2 (en) Method and system of secure configuration of at least one electronic device
CN102577284B (en) The method of operating equipment management gateway in the communication system comprising equipment control gateway, device management server and equipment
US8706083B2 (en) Bluetooth authentication system and method
CN110506413B (en) System and method for network device security and trust score determination
CN109074251A (en) The local over-the-air updating of embedded system
JP2016510566A (en) Presence detection using Bluetooth and hybrid mode transmitters
KR20170017011A (en) Uniform communication protocols for communication between controllers and accessories
JP2012524502A (en) Multiple domain systems and domain ownership
US7561694B1 (en) Session mobility for wireless devices
KR20150048657A (en) A method and apparatus for registering a device based on an application supporting a home networking by multi users
CN108667601A (en) A kind of method, apparatus and equipment of transmission data
US20150271669A1 (en) Method for configuring wireless connection settings, wireless communications apparatus, and display method
CN109996229B (en) Data transmission method and device based on DHT network, electronic equipment and storage medium
CN107948339A (en) A kind of network addressing method, equipment and device
WO2016026282A1 (en) Application registration method and apparatus
WO2016023348A1 (en) User equipment registration method, entity and system and computer storage medium
CN106779881A (en) Member&#39;s sharing method and device
CN107667518B (en) Automatic discovery and online of electronic devices
US7370087B1 (en) Method and apparatus for providing access to a peripheral device management interface
KR20120065516A (en) Method and system of providing remote access information for device within home network

Legal Events

Date Code Title Description
WWE Wipo information: entry into national phase

Ref document number: 200980158336.8

Country of ref document: CN

121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 09843127

Country of ref document: EP

Kind code of ref document: A1

WWE Wipo information: entry into national phase

Ref document number: 1499/MUMNP/2011

Country of ref document: IN

WWE Wipo information: entry into national phase

Ref document number: 13260826

Country of ref document: US

WWE Wipo information: entry into national phase

Ref document number: 2009843127

Country of ref document: EP

NENP Non-entry into the national phase

Ref country code: DE