WO2015082607A1 - Measurement sensor, measurement installation comprising such a sensor and a server, method of exchanging data and computer program product associated therewith


Publication number
WO2015082607A1
Authority
WO
WIPO (PCT)
Prior art keywords
sensor
computer server
gateway
communication
server
Prior art date
Application number
PCT/EP2014/076560
Other languages
French (fr)
Inventor
Thierry Chiche
Laurent PLATEL
Original Assignee
Schneider Electric Industries Sas
Priority date
Filing date
Publication date
Application filed by Schneider Electric Industries Sas

Classifications

    • G PHYSICS
    • G01 MEASURING; TESTING
    • G01D MEASURING NOT SPECIALLY ADAPTED FOR A SPECIFIC VARIABLE; ARRANGEMENTS FOR MEASURING TWO OR MORE VARIABLES NOT COVERED IN A SINGLE OTHER SUBCLASS; TARIFF METERING APPARATUS; MEASURING OR TESTING NOT OTHERWISE PROVIDED FOR
    • G01D21/00 Measuring or testing not otherwise provided for
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0272 Virtual private networks
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0884 Network architectures or network communication protocols for network security for authentication of entities by delegation of authentication, e.g. a proxy authenticates an entity to be authenticated on behalf of this entity vis-à-vis an authentication entity
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
    • H04L67/125 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks involving control of end-device applications over a network

Definitions

  • Measurement sensor, measuring installation comprising such a sensor and a server, data exchange method and computer program product
  • the present invention relates to a sensor for measuring a quantity, such as an electrical quantity or a thermodynamic quantity, intended to be connected to a computer server via a communication gateway.
  • the communication gateway is connected to the computer server via a communication network, such as the Internet network.
  • the sensor comprises an information processing unit comprising a memory, radio communication means with the gateway, and data exchange means with the computer server, the data exchange means being connected to the radio communication means.
  • the invention also relates to a measuring installation comprising at least one such measuring sensor and a computer server connected to each measuring sensor.
  • the invention also relates to a method for exchanging data between such a measurement sensor and the computer server, via the communication gateway.
  • the invention also relates to a computer program product comprising software instructions which, when implemented by an information processing unit, implements such a data exchange method.
  • the invention relates to the field of secure data transmission between the measurement sensor, such as an industrial measurement equipment, and the computer server via the communication gateway, the latter being mobile, the communication gateway being for example integrated into a mobile electronic device.
  • a measuring sensor and a measuring installation of the aforementioned type are known.
  • a communication gateway is connected to a computer server via the Internet, and is responsible for securely connecting to the computer server, for example via the implementation of a virtual private network, also called a VPN (Virtual Private Network), between the gateway and the server.
  • the communication gateway is also connected to each measurement sensor. It collects information about the measured variables from each measuring sensor and transmits them securely to the computer server.
  • the communication gateway is considered to be a trusted component, known by the computer server and having the necessary information to establish the secure communication, such as a unique identifier and encryption keys associated with the gateway, ensuring the confidentiality and integrity of the exchanges.
  • the object of the invention is therefore to propose a measurement sensor making it possible to overcome this constraint and to authorize the use of one or more communication gateways without these being known beforehand to the computer server as a trusted component.
  • the subject of the invention is a measurement sensor of the aforementioned type, in which the memory includes secure connection information to the computer server, said connection information comprising an authentication code of the sensor.
  • the measurement sensor comprises one or more of the following characteristics, taken separately or in any technically possible combination:
  • the sensor further comprises means for generating a response to a request from the computer server, the response being developed according to the authentication code;
  • the sensor further comprises data encryption means, the encrypted data being intended to be transmitted to the computer server by the data exchange means;
  • connection information is protected by a password in the memory.
  • the invention also relates to a measuring installation comprising at least one sensor for measuring a quantity, such as an electrical quantity or a thermodynamic quantity, and a computer server connected to each measurement sensor, in which each measurement sensor is as defined above.
  • the measuring installation comprises one or more of the following characteristics, taken separately or in any technically possible combination:
  • the computer server comprises first means for sending an authentication request to each measurement sensor and means for authenticating the response produced by each measurement sensor following the reception of said request;
  • the computer server comprises second means of sending, to each authenticated sensor, an encryption key adapted for the encryption of data exchanged between the computer server and the authenticated sensor;
  • the installation furthermore comprises a communication gateway, the communication gateway being connected to the computer server via a communication network, such as the Internet, and each measuring sensor being connected to the computer server via the communication gateway; and
  • the communication gateway is integrated in a mobile electronic device, such as a mobile phone, a tablet or a laptop.
  • the subject of the invention is also a method for exchanging data between a sensor for measuring a quantity, such as an electrical quantity or a thermodynamic quantity, and a computer server via a communication gateway, the communication gateway being connected to the computer server via a communication network,
  • the method being implemented by the measurement sensor, the sensor comprising radio communication means with the gateway, and an information processing unit comprising a memory,
  • the method comprising the exchange of data with the computer server, via the radio communication means,
  • the method further comprises securely connecting to the computer server using an authentication code of the sensor, said authentication code being stored in the sensor memory.
  • the data exchange method comprises the following characteristic:
  • the step of secure connection to the computer server comprises the development of a response to a request from the computer server, the response being developed according to the authentication code.
  • the invention also relates to a computer program product comprising software instructions, which, when implemented by an information processing unit, implements the data exchange method as defined above.
  • FIG. 1 is a schematic representation of a measuring installation according to the invention, comprising several measurement sensors and a computer server connected to each measurement sensor via a mobile communication gateway, the communication gateway being connected to the server via a communication network, and
  • FIG. 2 is a flowchart of a secure data exchange method, according to the invention, between the measurement sensors and the computer server, via the mobile communication gateway of FIG. 1.
  • a measurement installation 10 comprises a plurality of measuring sensors 12 and a computer server 14 connected to each measurement sensor 12 via a communication gateway 16.
  • the communication gateway 16 is connected to the computer server 14 via a communication network 18.
  • the measuring installation 10 is adapted to perform automatic measurement readings, these measurements being carried out by the measurement sensors 12.
  • Each measuring sensor 12 is adapted to measure a quantity, such as an electrical quantity or a thermodynamic quantity.
  • the electrical quantity is for example the voltage of an electrical conductor, respectively the intensity of an electric current, and the measurement sensor 12 is then called voltage sensor, respectively current sensor.
  • the thermodynamic quantity is, for example, a temperature, respectively a pressure,
  • and the measurement sensor 12 is then called a temperature sensor, or a pressure sensor, respectively.
  • the measurement sensor 12 is adapted to measure an environmental quantity, such as a pH, an oxygen content, a particle density (carbon monoxide, carbon dioxide, dust).
  • Each measurement sensor 12 comprises a first radio transceiver 20 able to communicate with the communication gateway 16 via a first data link 22.
  • Each measurement sensor 12 comprises a first information processing unit 24, formed for example of a first processor 26 and a first memory 28 associated with the first processor 26, as shown in FIG. 1, where a single measurement sensor 12 is shown in detail for the sake of simplification of the drawings.
  • the first information processing unit 24 is connected to the first radio transceiver 20.
  • the computer server 14 comprises a first data transmission member 30 able to communicate with the communication gateway 16 via the communication network 18 forming a second data link 32.
  • the computer server 14 comprises a second information processing unit 34, formed for example of a second processor 36 and a second memory 38 associated with the second processor 36.
  • the second information processing unit 34 is connected to the first transmission member 30.
  • the computer server 14 is able to receive data relating to the different quantities measured by each of the measurement sensors 12. In other words, the computer server 14 makes it possible to centralize the different values measured by the sensors 12 in order to centrally monitor these measured values.
  • the computer server 14 is for example a web server.
  • the references of the computer server 14, such as the name or the IP address of the server, are for example stored in the first memory 28 of the sensor, to be transmitted by the sensor 12 to the gateway 16 when the sensor 12 asks the gateway 16 to establish a communication with the server 14.
  • the communication gateway 16 is connected, on the one hand, to each of the measurement sensors 12 via the first data links 22 respectively, and on the other hand, to the computer server 14 via the second data link 32 formed by the communication network.
  • the communication gateway 16 functionally forms a communication router between a respective measurement sensor 12 and the computer server 14, the data exchanged between the corresponding measurement sensor 12 and the computer server 14 only passing through the communication gateway 16, after establishment of a communication between the communication gateway 16 and the computer server 14.
  • the communication gateway 16 comprises a second radio transceiver 40 able to communicate with each sensor 12 via the corresponding first data link 22, in particular with the first radio transceiver 20 of each measurement sensor.
  • the communication gateway 16 is connected to the measurement sensor 12 via a local communication network formed by the first transceiver 20, the first link 22 and the respective second transceiver 40.
  • the local network is, for example, compliant with the IEEE 802.15.1 standard, also known as the Bluetooth standard, or the IEEE 802.15.4 standard, also known as the ZigBee standard.
  • the communication gateway 16 also includes a second data transmission member 42 able to communicate with the computer server 14, in particular with the first transmission member 30 of the computer server. The communication gateway 16 is then able to communicate remotely with the server 14.
  • the communication gateway 16 comprises means 44 for transferring data between the sensor 12 and the computer server 14.
  • the data transmission between the gateway 16 and the server 14 is preferably carried out on the basis of the IP protocol (Internet Protocol).
  • the data transmission between the gateway 16 and the sensor 12 is preferably carried out on the basis of a local communication protocol, such as the ZigBee or ZigBee Green Power protocols in accordance with the IEEE 802.15.4 standard.
  • the MODBUS protocol, the CAN protocol (Controller Area Network) compliant with the ISO 11898 standard, the BACnet protocol, or the KNX protocol.
  • the gateway 16 only provides the necessary transformation between the protocols used, on the one hand between the sensor 12 and the gateway 16, and on the other hand between the gateway 16 and the server 14, and focuses on transmitting the useful information without modification.
  • the modifications made by the gateway 16 concern only the transition from one protocol to another.
  • the transfer means 44 are also responsible for establishing an initial connection between the gateway 16 and the server 14 at the initiative of the sensor 12, in order to allow the secure connection of the measurement sensor 12 to the computer server 14; the entire chain of communication between the sensor 12 and the server 14 via the gateway 16 is then secure.
  • the communication gateway 16 is, for example, integrated in a mobile electronic device 46, such as a mobile phone, a tablet or a laptop.
  • the transfer means 44 are then preferably in the form of software capable of being stored in a memory 48 of the mobile phone 46.
  • the references of the computer server 14, such as the IP address of the server, are alternatively stored in the memory.
  • the communication network 18 is known per se.
  • the communication network 18 is for example the Internet network.
  • the first data link 22 is a radio link, preferably a short-range radio link, i.e. for distances of the order of a few meters or a few tens of meters.
  • the first data link 22 is, for example, in accordance with the IEEE standard
  • the first data link 22 complies with the IEEE 802.11 standard, also called the Wi-Fi standard, the measurement sensors 12 and the communication gateway 16 forming, for example, an ad hoc network.
  • the first and second radio transceivers 20, 40 are known per se, and conform to the same radio standard as the first data link 22.
  • the first memory 28 is able to store a first software 50 of data exchange with the computer server 14, preferably via the gateway 16, the data exchange software 50 being connected to the first radio transceiver 20.
  • the first memory 28 comprises, according to the invention, secure connection information to the computer server 14, said connection information comprising an authentication code 52 of the sensor.
  • the connection information is preferably protected by an access control member, not shown.
  • the access control member is adapted to be stored in the first memory 28, and is for example able to require the provision of a password to allow access to the connection information.
  • the first memory 28 is able to store software 54 for generating a response to a request from the computer server 14, the response being developed according to the authentication code 52.
  • the first memory 28 is able to store a first cryptographic software 56 capable of encrypting data intended to be transmitted to the computer server 14 by the data exchange software 50 and/or of decrypting encrypted data received from the computer server 14.
  • the first data exchange means 50, the response generation means 54 and the first cryptographic means 56 are implemented in the form of programmable logic components or in the form of dedicated integrated circuits.
  • the first data transmission member 30 is adapted to receive data from each measurement sensor 12 via the communication gateway 16 and the communication network 18, and also to send data to each measurement sensor 12 via said gateway 16 and said network 18.
  • the first data transmission device 30 is adapted to establish a secure connection with the communication gateway 16 on request of the communication gateway 16 and without it being authenticated. Securing the connection between the gateway 16 and the server 14 does not involve information from the sensor 12.
  • the second memory 38 is able to store a first software 60 for sending an authentication request to each measurement sensor 12, and a software 62 for authentication of the response elaborated by each measurement sensor 12 following reception of said request.
  • the second memory 38 is able to store a second software
  • the second memory 38 is capable of storing a second cryptographic software 66 capable of encrypting data intended to be transmitted to a corresponding measurement sensor 12 and / or of decrypting encrypted data received from said measurement sensor 12.
  • the second memory 38 is able to store a second data exchange software 68 with each measurement sensor 12, the second data exchange software 68 being connected to the first transmission element 30.
  • the first sending means 60, the authentication means 62, the second sending means 64, the second cryptographic means 66 and the second data exchange means 68 are made in the form of programmable logic components, or in the form of dedicated integrated circuits.
  • the second memory 38 includes a database 70 containing information relating to each of the measurement sensors 12, including the authentication codes 52 of the different sensors.
  • the second data transmission device 42 is adapted to receive data from the computer server 14 via the communication network 18, and also to send data to the server 14 via the said network 18.
  • the communication gateway 16 is preferably connected to the communication network 18 by radio waves, and the second transmission member 42 is for example in accordance with the IEEE 802.11 standard (Wi-Fi standard), or the UMTS (Universal Mobile Telecommunications System) standard, also referred to as the 3G standard for the third generation mobile telephony standard, or the LTE (Long Term Evolution) standard, also known as the 4G standard for the fourth generation mobile telephony standard.
  • FIG. 2 representing a flowchart of the data exchange method according to the invention, between a corresponding measuring sensor 12 and the computer server 14 via the communication gateway 16.
  • the sensor 12 searches if a gateway 16 is available nearby to be able to send its data.
  • the sensor 12 for example sends a "broadcast" gateway search message to determine the available gateways 16. This message can be sent at regular intervals or randomly.
  • the sensor 12 has for example the ability to store a specific time range on which the sensor 12 has already transmitted data previously and is able to send a search message on this time slot.
  • the measurement sensor 12 starts by requesting from the gateway 16 the establishment of a connection between the sensor 12 and the gateway 16, this connection may not be secure.
  • the communication gateway 16 validates that the communication is well established between the sensor 12 and the gateway 16.
  • the gateway 16 will ask, during a step 96, the establishment of a secure communication with the server 14 with which the sensor 12 wants to exchange data.
  • the name and / or the address of the server 14 are provided by the gateway 16.
  • the server 14 validates the secure connection between it and the gateway 16, and informs the gateway 16 with its second sending software 64.
  • the communication gateway 16 transmits, during step 98 and to the server 14, the authentication code 52 associated with the sensor, the latter having been previously supplied to the gateway 16 by the sensor 12.
  • the server 14 verifies that the sensor 12 is well known and authorized.
  • step 110 a specific request for this sensor 12 using the information contained in its database 70
  • this step 110 corresponds to the preparation of a challenge by the server 14 for the measurement sensor 12 concerned with a view to encrypting the data that will subsequently be exchanged between the sensor 12 and the server 14.
  • the server 14 then sends, using its first sending software 60 and during step 120, the authentication request created in the previous step, via the communication gateway 16 to the measurement sensor 12 having sent its request for connection.
  • This step 120 corresponds in other words to the sending, by the server 14, of the challenge prepared in step 110 to the sensor 12 concerned.
  • After receiving this authentication request from the computer server 14, the measurement sensor 12 then elaborates, by means of its response generation software 54 and in step 130, the response to said request for authentication, this response being developed according to the authentication code 52 associated with the sensor 12.
  • the elaboration of the response consists, for example, in encrypting the authentication request received with said authentication code 52 as an encryption key.
  • this step 130 consists, after reception of the challenge by the sensor 12, in the generation of the response and the encryption thereof by the sensor 12.
  • the measurement sensor 12 then transmits, using its first exchange software 50 and during step 140, the response developed in the previous step, to the computer server 14 and via the communication gateway 16.
  • This step 140 corresponds in other words to the sending by the sensor 12, via the gateway 16 and to the computer server 14, of the encrypted response to the previously received challenge.
  • the server 14 checks, in step 150 and using its authentication software 62, whether the response received is in accordance or not, by comparing the authentication code 52 that made it possible to elaborate the response with the authentication code contained in its database 70 for this sensor 12.
  • step 150 corresponds to the validation by the server 14 of the response to the challenge sent by the sensor 12 and, in the case of a positive validation, to maintaining a secure connection between the gateway 16 and the server 14 on the one hand, and between the gateway 16 and the sensor 12 on the other hand.
  • the verification of the response received consists, for example, in decrypting the response received with the authentication code contained in the base 70 as a decryption key, and then comparing the decrypted response with the authentication request sent. In this case, the check is positive when the decrypted response is identical to the authentication request previously sent.
  • a data exchange session is then opened between the server 14 and the authenticated sensor 12, and the secure connection between the gateway 16 and the server 14 is maintained.
  • the server 14 sends, to the sensor 12 which has just been authenticated, a specific encryption key of said authenticated sensor, using its second sending software 64 and in step 160.
  • the gateway 16 only plays a role of transformation of communication protocols, between the communication protocol used between the sensor 12 and the gateway 16 on the one hand and the communication protocol used between the gateway 16 and the server 14 on the other hand.
  • This encryption key, also called session key, is for example a symmetric key adapted for the encryption / decryption of the data that will be exchanged during the data exchange session.
  • the session key is preferably sent in encrypted form by the server 14, the encryption of the session key being for example carried out using the authentication code 52.
  • the authenticated sensor 12 then stores the encryption key received in its first memory 28, for later use during the sending of encrypted data to the computer server 14.
  • the measurement sensor 12 is connected to the computer server 14, and is then able to transmit regularly to the computer server 14 successive values of the measured quantity, and this in an encrypted manner using the session key.
  • the measurement sensor 12 then sends to the computer server 14, during the step
  • step 210 following receipt of this encrypted message from the authenticated sensor 12, the server 14 begins by decrypting the received message using its second cryptography software 66 and with the session key previously sent to said sensor. The server 14 then records, in its second memory 38, the value or values of the measured quantity contained in the message that has just been decrypted.
  • the server 14 finally sends, during step 220, an acknowledgment message to the corresponding sensor 12.
  • Following receipt of this acknowledgment message, said sensor 12 returns to step 200 to subsequently send at least one other value of the measured quantity.
  • steps 110 and 150 are grouped together, and steps 120 and 160 are also grouped together.
  • the steps of the method are then linked in the following manner starting from step 110.
  • Step 110, grouped with step 150, comprises the verification of the identity of the sensor 12 and the preparation of the challenge, this challenge comprising the encryption key to be used for the subsequent step 200.
  • Step 120, grouped with step 160 comprises sending the challenge containing the encryption key.
  • Step 130 comprises the validation of the challenge by the sensor 12, as well as the recording, by the sensor 12 in its memory 28, of the encryption key contained in the challenge received, and for the purpose of subsequent communications between the sensor 12 and the server 14 from step 200.
  • When the measurement sensor 12 no longer has a measured value to be transmitted to the computer server 14, the sensor 12 closes, during the step 230, the connection with the communication gateway 16 which itself closes its connection with the server 14.
  • the measuring installation 10 according to the invention and the associated data exchange method thus allow a secure exchange of data from the measurement sensor 12 to the computer server 14, and vice versa from the server 14 to the sensor 12, this being due to the fact that the connection information, in particular the authentication code 52, is contained directly in the first memory 28 of the measurement sensor.
  • the measuring installation 10 according to the invention and the associated data exchange method thus make it possible to establish a secure communication from the sensor 12 to the server 14, and not only between the gateway 16 and the server 14. They also make it possible to propose this secure communication between the sensor 12 and the server 14 via the communication gateway 16 which is not a trusted component, and to allow the communication gateway 16 to establish the secure connection with the server 14 by using security parameters associated with the sensor 12, that is to say the connection information comprising the authentication code 52.
  • the communication gateway 16 has an ability to communicate locally with the sensor 12, an ability to communicate remotely with the computer server 14, and an ability to execute an application capable of establishing a secure communication between the sensor 12 and the server 14 following the establishment of one or more secure connections. In the embodiment of Figure 2, two secure connections are established, a first between the sensor 12 and the gateway 16, and a second between the gateway 16 and the server 14 on the basis of the connection information stored in the first memory 28 of the sensor.
  • the mobile communication gateway 16 is not necessarily always the same, a new gateway 16 being able to be used at each new data transmission by the sensor (s) 12.
  • the authentication mechanism, with the development according to the authentication code 52 of the response to the authentication request from the server 14, also makes it easier to implement the security of this data exchange, and in particular it is not necessary to configure a virtual private network between the communication gateway 16 and the computer server 14.
  • the data exchange method according to the invention requires a minimum interaction between the measurement sensor 12 and the communication gateway 16, since it is only necessary for the sensor 12 to open a connection with the communication gateway 16 prior to sending the request for connection to the server 14, then close this connection with the gateway 16 when the data exchange with the server 14 is completed, the data only passing through the communication gateway 16 during this data exchange.
  • the measurement sensor 12 makes it possible to improve the security of the data exchanged with the computer server 14 via the communication gateway 16, while simplifying the implementation of this security of the data exchange.
  • the communication gateway 16 used in the installation 10 is not a trusted component.
  • the gateway 16 is therefore neither known to the sensor 12 nor to the server 14.
  • the communication gateway 16 does not then contain secure connection information to the server 14.
  • the gateway 16 alone does not make it possible to ensure confidentiality and the integrity of the data exchanges between the server 14 and the sensor 12.
  • the choice of the gateway 16 is made by the sensor 12, for example, depending on the proximity of the gateway 16 with respect to the sensor 12.
  • the authentication code 52 includes a private encryption key and an identification code.
  • the private encryption key has the same functionalities and characteristics as the authentication code 52 described in the previous embodiment, with the difference that the private encryption key is stored in the memory 28 of the sensor 12.
  • the encryption private key is not sent to the computer server 14 via the communication gateway 16.
  • the private encryption key makes it possible to encrypt the data coming out of the sensor 12.
  • the private encryption key makes it possible to encrypt the data sent to the server 14 from the sensor 12 via the gateway 16.
  • the identification code makes it possible to identify the sensor 12.
  • the identification code is, for example, the name of the sensor 12, each sensor 12 having a specific name, different from that of the other sensors 12.
  • the identification code is suitable for sending to the server 14 via the communication gateway 16.
  • the sensor 12 sends a request to identify a communication gateway 16 located near the sensor 12. Then, once the gateway 16 is identified, the sensor 12 uses the gateway 16 to communicate with the server 14. The sensor 12 sends in particular its identification code to the server 14 via the gateway 16.
  • the server 14 identifies the sensor 12 by means of the identification code of the sensor 12, and then authorizes data exchanges with the sensor 12.
  • the encryption private key of the sensor 12 then serves to encrypt the data sent from the sensor 12 to the server 14 via the communication gateway 16, the server 14 also knowing a decryption key.
  • the decryption key enables the server 14 to decrypt the encrypted data received from the sensor 12 via the communication gateway 16.

Abstract

This sensor (12) for measuring a quantity, such as an electric quantity or a thermodynamic quantity, is intended to be linked to a computer server (14) via a communication gateway (16), the communication gateway (16) being linked to the computer server (14) via a communication network (18). The sensor (12) comprises an information processing unit (24) comprising a memory (28), radioelectric means (20) of communication with the gateway (16), and means (50) for exchanging data with the computer server (14), the means for exchanging data (50) being linked to the radioelectric means of communication (20). The memory (28) comprises information regarding secure connection to the computer server (14), said information regarding connection comprising a sensor authentication code (52).

Description

Measurement sensor, measurement installation comprising such a sensor and a server, and associated data exchange method and computer program product
The present invention relates to a sensor for measuring a quantity, such as an electrical quantity or a thermodynamic quantity, intended to be connected to a computer server via a communication gateway. The communication gateway is connected to the computer server via a communication network, such as the Internet.
The sensor comprises an information processing unit comprising a memory, radio means for communicating with the gateway, and means for exchanging data with the computer server, the data exchange means being connected to the radio communication means.
The invention also relates to a measurement installation comprising at least one such measurement sensor and a computer server connected to each measurement sensor.
The invention also relates to a method for exchanging data between such a measurement sensor and the computer server, via the communication gateway.
The invention also relates to a computer program product comprising software instructions which, when executed by an information processing unit, implement such a data exchange method.
The invention relates to the field of secure data transmission between the measurement sensor, such as an item of industrial measurement equipment, and the computer server via the communication gateway, the gateway being mobile and being, for example, integrated into a mobile electronic device.
A measurement sensor and a measurement installation of the aforementioned type are known. A communication gateway is connected to a computer server via the Internet and is responsible for connecting securely to the computer server, for example by setting up a virtual private network (VPN) between the gateway and the server.
The communication gateway is also connected to each measurement sensor. It collects, from each measurement sensor, information relating to the measured quantities, then transmits it securely to the computer server.
However, in this type of secure communication, the communication gateway is considered to be a trusted component, known to the computer server and holding the information needed to establish the secure communication, such as a unique identifier and encryption keys associated with the gateway, which ensure the confidentiality and integrity of the exchanges.
The aim of the invention is therefore to propose a measurement sensor that removes this constraint and allows one or more communication gateways to be used without their being known beforehand to the computer server as trusted components.
To this end, the subject of the invention is a measurement sensor of the aforementioned type, in which the memory contains information for secure connection to the computer server, said connection information comprising an authentication code of the sensor.
According to other advantageous aspects of the invention, the measurement sensor comprises one or more of the following features, taken alone or in any technically possible combination:
- the sensor further comprises means for generating a response to a request from the computer server, the response being generated as a function of the authentication code;
- the sensor further comprises data encryption means, the encrypted data being intended to be transmitted to the computer server by the data exchange means; and
- the connection information is protected by a password in the memory.
The subject of the invention is also a measurement installation comprising at least one sensor for measuring a quantity, such as an electrical quantity or a thermodynamic quantity, and a computer server connected to each measurement sensor, in which each measurement sensor is as defined above.
According to other advantageous aspects of the invention, the measurement installation comprises one or more of the following features, taken alone or in any technically possible combination:
- the computer server comprises first means for sending an authentication request to each measurement sensor and means for authenticating the response generated by each measurement sensor following receipt of said request;
- the computer server comprises second means for sending, to each authenticated sensor, an encryption key suitable for encrypting data exchanged between the computer server and the authenticated sensor;
- the installation further comprises a communication gateway, the communication gateway being connected to the computer server via a communication network, such as the Internet, and each measurement sensor being connected to the computer server via the communication gateway; and
- the communication gateway is integrated into a mobile electronic device, such as a mobile phone, a tablet or a laptop computer.
The subject of the invention is also a method for exchanging data between a sensor for measuring a quantity, such as an electrical quantity or a thermodynamic quantity, and a computer server via a communication gateway, the communication gateway being connected to the computer server via a communication network,
the method being implemented by the measurement sensor, the sensor comprising radio means for communicating with the gateway, and an information processing unit comprising a memory,
the method comprising the exchange of data with the computer server, via the radio communication means,
in which the method further comprises the secure connection to the computer server using an authentication code of the sensor, said authentication code being stored in the memory of the sensor.
According to another advantageous aspect of the invention, the data exchange method comprises the following feature:
- the step of secure connection to the computer server comprises generating a response to a request from the computer server, the response being generated as a function of the authentication code.
The subject of the invention is also a computer program product comprising software instructions which, when executed by an information processing unit, implement the data exchange method as defined above.
These features and advantages of the invention will become apparent on reading the description which follows, given solely by way of non-limiting example, and with reference to the appended drawings, in which:
- Figure 1 is a schematic representation of a measurement installation according to the invention, comprising several measurement sensors and a computer server connected to each measurement sensor via a mobile communication gateway, the communication gateway being connected to the server via a communication network, and
- Figure 2 is a flowchart of a method, according to the invention, for the secure exchange of data between the measurement sensors and the computer server, via the mobile communication gateway of Figure 1.
In Figure 1, a measurement installation 10 comprises a plurality of measurement sensors 12 and a computer server 14 connected to each measurement sensor 12 via a communication gateway 16. The communication gateway 16 is connected to the computer server 14 via a communication network 18.
The measurement installation 10 is suitable for taking automatic measurement readings, these measurements being made by the measurement sensors 12.
Each measurement sensor 12 is suitable for measuring a quantity, such as an electrical quantity or a thermodynamic quantity. The electrical quantity is, for example, the voltage of an electrical conductor, or respectively the intensity of an electric current, and the measurement sensor 12 is then called a voltage sensor, or respectively a current sensor.
As a variant, the thermodynamic quantity is, for example, a temperature, or respectively a pressure, and the measurement sensor 12 is then called a temperature sensor, or respectively a pressure sensor.
As a further variant, the measurement sensor 12 is suitable for measuring an environmental quantity, such as a pH, an oxygen level or a particle density (carbon monoxide, carbon dioxide, dust).
Each measurement sensor 12 comprises a first radio transceiver 20 able to communicate with the communication gateway 16 via a first data link 22.
Each measurement sensor 12 comprises a first information processing unit 24, formed for example of a first processor 26 and a first memory 28 associated with the first processor 26, as shown in Figure 1, where only one measurement sensor 12 is shown in detail in order to simplify the drawings. The first information processing unit 24 is connected to the first radio transceiver 20.
The computer server 14 comprises a first data transmission member 30 able to communicate with the communication gateway 16 via the communication network 18, which forms a second data link 32.
The computer server 14 comprises a second information processing unit 34, formed for example of a second processor 36 and a second memory 38 associated with the second processor 36. The second information processing unit 34 is connected to the transmission member 30.
The computer server 14 is able to receive data relating to the various quantities measured by each of the measurement sensors 12. In other words, the computer server 14 centralizes the various values measured by the sensors 12 so that these measured values can be monitored centrally. The computer server 14 is, for example, a web server. The references of the computer server 14, such as the name or the IP address of the server, are for example stored in the first memory 28 of the sensor, to be transmitted by the sensor 12 to the gateway 16 when the sensor 12 asks the gateway 16 to establish a communication with the server 14.
The communication gateway 16 is connected, on the one hand, to each of the measurement sensors 12 via the respective first data links 22 and, on the other hand, to the computer server 14 via the second data link 32 formed by the communication network. The communication gateway 16 functionally forms a communication router between a respective measurement sensor 12 and the computer server 14, the data exchanged between the corresponding measurement sensor 12 and the computer server 14 merely passing through the communication gateway 16, after a communication has been established between the communication gateway 16 and the computer server 14.
The communication gateway 16 comprises a second radio transceiver 40 able to communicate with each sensor 12 via the corresponding first data link 22, in particular with the first radio transceiver 20 of each measurement sensor. In other words, the communication gateway 16 is connected to the measurement sensor 12 via a local communication network formed by the first transceiver 20, the respective first link 22 and the second transceiver 40. The local network complies, for example, with the IEEE 802.15.1 standard, also called the Bluetooth standard, or with the IEEE 802.15.4 standard, also called the ZigBee standard.
The communication gateway 16 also comprises a second data transmission member 42 able to communicate with the computer server 14, in particular with the first transmission member 30 of the computer server. The communication gateway 16 is then able to communicate remotely with the server 14.
The communication gateway 16 comprises means 44 for transferring data between the sensor 12 and the computer server 14. Data transmission between the gateway 16 and the server 14 is preferably based on the Internet Protocol (IP).
Data transmission between the gateway 16 and the sensor 12 is preferably based on a local communication protocol, such as the ZigBee or ZigBee Green Power protocols complying with the IEEE 802.15.4 standard, the MODBUS protocol, the CAN (Controller Area Network) protocol complying with the ISO 11898 standard, the BACnet protocol, or the KNX protocol.
Once communication has been established between the gateway 16 and the server 14, the gateway 16 performs only the conversion needed between the protocols used, on the one hand between the sensor 12 and the gateway 16 and on the other hand between the gateway 16 and the server 14, and transmits the useful information without modification. The modifications made by the gateway 16 concern only the transition from one protocol to the other.
In addition, the transfer means 44 are also responsible for establishing an initial connection between the gateway 16 and the server 14 at the initiative of the sensor 12, in order to allow the secure connection of the measurement sensor 12 to the computer server 14, the entire communication chain between the sensor 12 and the server 14 via the gateway 16 then being secured.
The communication gateway 16 is, for example, integrated into a mobile electronic device 46, such as a mobile phone, a tablet or a laptop computer. The transfer means 44 are then preferably in the form of software suitable for being stored in a memory 48 of the mobile phone 46. As a variant, the references of the computer server 14, such as the IP address of the server, are stored in the memory 48 of the mobile phone.
The communication network 18 is known per se. The communication network 18 is, for example, the Internet.
The first data link 22 is a radio link, preferably a short-range radio link, that is to say for distances of the order of a few meters or a few tens of meters.
The first data link 22 complies, for example, with the IEEE 802.15 standard, also called the Bluetooth® standard. As a variant, the first data link 22 complies with the IEEE 802.11 standard, also called the Wi-Fi standard, the measurement sensors 12 and the communication gateway 16 forming, for example, an ad hoc network. The first and second radio transceivers 20, 40 are known per se, and comply with the same radio standard as the first data link 22.
The first memory 28 is able to store first software 50 for exchanging data with the computer server 14, preferably via the gateway 16, the data exchange software 50 being connected to the first radio transceiver 20.
According to the invention, the first memory 28 contains information for a secure connection to the computer server 14, said connection information including an authentication code 52 of the sensor. The connection information is preferably protected by an access control member, not shown. The access control member can be stored in the first memory 28 and is, for example, able to require a password to be supplied before authorizing access to the connection information.
The first memory 28 is able to store software 54 for generating a response to a request from the computer server 14, the response being generated as a function of the authentication code 52.
In addition, the first memory 28 is able to store first cryptography software 56 able to encrypt data to be transmitted to the computer server 14 by the data exchange software 50 and/or to decrypt encrypted data received from the computer server 14.
In a variant, the first data exchange means 50, the response generation means 54 and the first cryptography means 56 are implemented as programmable logic components, or as dedicated integrated circuits.
The first data transmission member 30 is adapted to receive data from each measurement sensor 12 via the communication gateway 16 and the communication network 18, and also to send data to each measurement sensor 12 via said gateway 16 and said network 18.
The first data transmission member 30 is adapted to establish a secure connection with the communication gateway 16 at the request of the communication gateway 16 and without the gateway being authenticated. Securing the connection between the gateway 16 and the server 14 does not involve any information originating from the sensor 12.
The second memory 38 is able to store first software 60 for sending an authentication request to each measurement sensor 12, and software 62 for authenticating the response generated by each measurement sensor 12 after receiving said request.
In addition, the second memory 38 is able to store second software 64 for sending, to each authenticated sensor 12, an encryption key suitable for the subsequent encryption of data exchanged between the computer server 14 and the authenticated sensor 12. In addition, the second sending software 64 is able to send the encryption key to the gateway 16 from the start of the communication between the sensor 12 and the server 14, for the subsequent encryption of data exchanged between the computer server 14 and the gateway 16. The second memory 38 is able to store second cryptography software 66 able to encrypt data to be transmitted to a corresponding measurement sensor 12 and/or to decrypt encrypted data received from said measurement sensor 12. The second memory 38 is able to store second software 68 for exchanging data with each measurement sensor 12, the second data exchange software 68 being connected to the first transmission member 30.
In a variant, the first sending means 60, the authentication means 62, the second sending means 64, the second cryptography means 66 and the second data exchange means 68 are implemented as programmable logic components, or as dedicated integrated circuits.
The second memory 38 contains a database 70 holding information relating to each of the measurement sensors 12, in particular the authentication codes 52 of the various sensors.
The second data transmission member 42 is adapted to receive data from the computer server 14 via the communication network 18, and also to send data to the server 14 via said network 18. The communication gateway 16 is preferably connected to the communication network 18 by radio waves, and the second transmission member 42 complies, for example, with the IEEE 802.11 standard (Wi-Fi standard), or with the UMTS (Universal Mobile Telecommunications System) standard, also called the 3G standard as it is the third-generation mobile telephony standard, or with the LTE (Long Term Evolution) standard, also called the 4G standard as it is the fourth-generation mobile telephony standard.
The operation of the measuring installation 10 according to the invention will now be described with reference to Figure 2, which shows a flowchart of the data exchange method according to the invention between a corresponding measurement sensor 12 and the computer server 14 via the communication gateway 16.
Initially, the sensor 12 checks whether a gateway 16 is available nearby so that it can send its data. The sensor 12 sends, for example, a "broadcast" gateway search message to determine which gateways 16 are available. This message can be sent at regular intervals or at random. The sensor 12 is, for example, able to memorize a given time slot in which it has previously transmitted data, and is able to send a search message during that time slot.
In a step 90, the measurement sensor 12 begins by requesting from the gateway 16 the establishment of a connection between the sensor 12 and the gateway 16; this connection need not be secure. In the next step 95, the communication gateway 16 confirms that communication has been established between the sensor 12 and the gateway 16.
On a communication request from the sensor 12, which on this occasion transmits the authentication code 52 to it, the gateway 16 requests, in a step 96, the establishment of a secure communication with the server 14 with which the sensor 12 wishes to exchange data. In a variant, the name and/or the address of the server 14 are provided by the gateway 16.
In the next step 97, the server 14 validates the secure connection between itself and the gateway 16, and informs the gateway 16 of this using its second sending software 64.
Following validation of the establishment of the secure connection with the server 14, the communication gateway 16 transmits to the server 14, in step 98, the authentication code 52 associated with the sensor, this code having previously been supplied to the gateway 16 by the sensor 12.
In the next step 99, following receipt of the authentication code 52 associated with the sensor, the server 14 verifies that the sensor 12 is known and authorized.
Following receipt of this initial connection request from the measurement sensor 12, the server 14 prepares, in step 110, a request specific to this sensor 12 using the information contained in its database 70. In other words, step 110 corresponds to the server 14 preparing a challenge for the measurement sensor 12 concerned, with a view to encrypting the data that will subsequently be exchanged between the sensor 12 and the server 14.
The server 14 then sends, using its first sending software 60 and during step 120, the authentication request created in the previous step, via the communication gateway 16, to the measurement sensor 12 that sent the connection request. In other words, step 120 corresponds to the server 14 sending the challenge prepared in step 110 to the sensor 12 concerned.
After receiving this authentication request from the computer server 14, the measurement sensor 12 generates, using its generation software 54 and in step 130, the response to said authentication request, this response being generated as a function of the authentication code 52 associated with this sensor 12. Generating the response consists, for example, in encrypting the received authentication request with said authentication code 52 as the encryption key. In other words, step 130 consists, once the sensor 12 has received the challenge, in the sensor 12 generating the response and encrypting it.

The measurement sensor 12 then transmits, using its first exchange software 50 and during step 140, the response generated in the previous step to the computer server 14 via the communication gateway 16. In other words, step 140 corresponds to the sensor 12 sending, via the gateway 16 and to the computer server 14, the encrypted response to the challenge previously received.
When the server 14 receives this response from the sensor 12 to which the request was sent, the server 14 checks, in step 150 and using its authentication software 62, whether or not the response received is valid, by comparing the authentication code 52 used to generate the response with the authentication code contained in its database 70 for this sensor 12. In other words, step 150 corresponds to the validation by the server 14 of the response to the challenge sent by the sensor 12 and, in the case of a positive validation, to maintaining a secure connection between the gateway 16 and the server 14 on the one hand, and between the gateway 16 and the sensor 12 on the other.
Verification of the response received consists, for example, in decrypting the response received with the authentication code contained in the database 70 as the decryption key, then comparing the decrypted response with the authentication request that was sent. In this case, the verification is positive when the decrypted response is identical to the authentication request previously sent.
If the verification is positive, a data exchange session is opened between the server 14 and the authenticated sensor 12, and the secure connection between the gateway 16 and the server 14 is maintained. In a variant, the server 14 sends to the sensor 12 that has just been authenticated an encryption key specific to said authenticated sensor, using its second sending software 64 and during step 160.
From this step 160 onwards, the gateway 16 acts only as a communication protocol converter, between the communication protocol used between the sensor 12 and the gateway 16 on the one hand and the communication protocol used between the gateway 16 and the server 14 on the other.
This encryption key, also called the session key, is for example a symmetric key suitable for encrypting and decrypting the data that will be exchanged during the data exchange session. The session key is preferably sent in encrypted form by the server 14, the session key being encrypted, for example, using the authentication code 52.
In the next step 170, the authenticated sensor 12 stores the received encryption key in its first memory 28, in order to use it later when sending encrypted data to the computer server 14. The measurement sensor 12 is connected to the computer server 14 and is then able to transmit successive values of the measured quantity to the computer server 14 at regular intervals, in encrypted form using the session key.
The measurement sensor 12 then sends to the computer server 14, during step 200, using its first exchange software 50 and via the communication gateway 16, an encrypted message containing one or more values of the measured quantity, the message having been encrypted by the first cryptography software 56 with the session key previously received.
In step 210, following receipt of this encrypted message from the authenticated sensor 12, the server 14 begins by decrypting the received message using its second cryptography software 66 and the session key previously sent to said sensor. The server 14 then stores, in its second memory 38, the value or values of the measured quantity contained in the message that has just been decrypted.
Finally, in step 220, the server 14 sends an acknowledgment message to the corresponding sensor 12.
Following receipt of this acknowledgment message, said sensor 12 returns to step 200 in order to send, at a later time, at least one other value of the measured quantity.
In a variant, depending on the encryption technologies used, steps 110 and 150 are combined, and steps 120 and 160 are also combined. In this variant, the steps of the method follow one another as follows from step 110. Step 110, combined with step 150, comprises verifying the identity of the sensor 12 and preparing the challenge, this challenge including the encryption key to be used for the later step 200. Step 120, combined with step 160, comprises sending the challenge containing the encryption key. Step 130 comprises validation of the challenge by the sensor 12, and the recording by the sensor 12, in its memory 28, of the encryption key contained in the received challenge, for use in subsequent communications between the sensor 12 and the server 14 from step 200 onwards.
If the measurement sensor 12 has no further measured value to transmit to the computer server 14, the sensor 12 closes, in step 230, the connection with the communication gateway 16, which in turn closes its connection with the server 14.
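Steps 110 to 220 above, as an added Python example that is not taken from the patent: the response is the challenge encrypted under the code 52, the session key is wrapped under the code 52, and the gateway 16 only relays bytes. Assumptions: the database 70 is indexed by a hypothetical `sensor_id` sent in clear, the cipher is a stand-in built from HMAC-SHA256 so that only the standard library is needed, and all class and function names are hypothetical.

```python
import hashlib
import hmac
import secrets

# Stand-in authenticated cipher (assumption, not named in the patent):
# HMAC-SHA256 keystream plus an HMAC tag. Use a vetted AEAD such as
# AES-GCM in real code.
def _sub(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def _xor(key, nonce, data):
    stream = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                      for i in range((len(data) + 31) // 32))
    return bytes(d ^ s for d, s in zip(data, stream))

def seal(key, plaintext):
    nonce = secrets.token_bytes(16)
    body = _xor(_sub(key, b"enc"), nonce, plaintext)
    tag = hmac.new(_sub(key, b"mac"), nonce + body, hashlib.sha256).digest()
    return nonce + body + tag

def unseal(key, blob):
    if len(blob) < 48:
        raise ValueError("message too short")
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(_sub(key, b"mac"), nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("message altered or wrong key")
    return _xor(_sub(key, b"enc"), nonce, body)

class Server:
    def __init__(self, database):
        self.database = database   # database 70: sensor_id -> code 52
        self.pending = {}          # challenges sent and not yet answered
        self.sessions = {}         # sensor_id -> session key
        self.stored = []           # decrypted measured values

    def challenge(self, sensor_id):                      # steps 110 and 120
        if sensor_id not in self.database:
            raise PermissionError("unknown sensor")
        self.pending[sensor_id] = secrets.token_bytes(16)
        return self.pending[sensor_id]

    def verify(self, sensor_id, response):               # steps 150 and 160
        sent = self.pending.pop(sensor_id, None)         # a challenge is single use
        code = self.database.get(sensor_id)
        try:
            echoed = unseal(code, response) if sent and code else None
        except ValueError:
            echoed = None
        if echoed is None or not hmac.compare_digest(echoed, sent):
            raise PermissionError("authentication failed")
        self.sessions[sensor_id] = secrets.token_bytes(32)
        return seal(code, self.sessions[sensor_id])      # wrapped session key

    def receive(self, sensor_id, message):               # steps 210 and 220
        value = unseal(self.sessions[sensor_id], message)
        self.stored.append((sensor_id, value))
        return b"ACK"

class Sensor:
    def __init__(self, sensor_id, code):
        self.sensor_id, self.code, self.session_key = sensor_id, code, None

    def respond(self, challenge):                        # step 130
        return seal(self.code, challenge)

    def store_session_key(self, wrapped):                # step 170
        self.session_key = unseal(self.code, wrapped)

    def measurement(self, value):                        # step 200
        return seal(self.session_key, value)

def run_session(sensor, server, values, tamper=False):
    """Gateway 16 as a relay; returns every byte string it handled."""
    seen = []
    def relay(data):
        seen.append(data)
        return data
    sensor_id = relay(sensor.sensor_id.encode()).decode()
    challenge = relay(server.challenge(sensor_id))
    response = relay(sensor.respond(challenge))          # step 140
    sensor.store_session_key(relay(server.verify(sensor_id, response)))
    for value in values:
        message = relay(sensor.measurement(value))
        if tamper:                                       # gateway flips one bit
            message = message[:-1] + bytes([message[-1] ^ 1])
        relay(server.receive(sensor_id, message))
    return seen

def demo():
    code = bytes(range(32))                              # constructed code 52
    server = Server({"sensor-12": code})                 # constructed database 70
    seen = run_session(Sensor("sensor-12", code), server, [b"21.5 C", b"21.7 C"])
    return server.stored, seen
```

The server compares the decrypted response with the challenge it issued for that session, so a response captured from an earlier session does not authenticate against a fresh challenge.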
The measuring installation 10 according to the invention and the associated data exchange method thus allow data to be exchanged securely from the measurement sensor 12 to the computer server 14, and conversely from the server 14 to the sensor 12, this being because the connection information, in particular the authentication code 52, is contained directly in the first memory 28 of the measurement sensor.
With the prior-art measuring installation, data exchanges are secured only between the communication gateway and the server, and data exchanges between the communication gateway and the measurement sensor are not protected.
The measuring installation 10 according to the invention and the associated data exchange method thus make it possible to establish secure communication from the sensor 12 to the server 14, and not only between the gateway 16 and the server 14. They also make it possible to offer this secure communication between the sensor 12 and the server 14 via the communication gateway 16, which is not a trusted component, and to allow the communication gateway 16 to establish the secure connection with the server 14 using security parameters associated with the sensor 12, that is to say the connection information including the authentication code 52.

The communication gateway 16 is able to communicate locally with the sensor 12, to communicate remotely with the computer server 14, and to run an application capable of establishing secure communication between the sensor 12 and the server 14 following the establishment of one or more secure connections. In the embodiment of Figure 2, two secure connections are established, a first between the sensor 12 and the gateway 16, and a second between the gateway 16 and the server 14, on the basis of the connection information stored in the first memory 28 of the sensor.
Those skilled in the art will also understand that, for a given sensor 12 or a given group of sensors 12, the mobile communication gateway 16 is not necessarily always the same, a new gateway 16 possibly being used each time the sensor or sensors 12 transmit data.
The authentication mechanism, in which the response to the authentication request from the server 14 is generated as a function of the authentication code 52, also makes it easier to secure this data exchange; in particular, it is not necessary to configure a virtual private network between the communication gateway 16 and the computer server 14.
In general, the data exchange method according to the invention requires minimal interaction between the measurement sensor 12 and the communication gateway 16: the sensor 12 only needs to open a connection with the communication gateway 16 before sending the connection request to the server 14, and then close this connection with the gateway 16 when the data exchange with the server 14 is finished, the data merely transiting through the communication gateway 16 during this exchange.
It can thus be seen that the measurement sensor 12 according to the invention improves the security of the data exchanged with the computer server 14 via the communication gateway 16, while simplifying the implementation of this security.
As described above, the communication gateway 16 used in the installation 10 is not a trusted component. The gateway 16 is therefore known neither to the sensor 12 nor to the server 14. The communication gateway 16 thus contains no information for secure connection to the server 14. The gateway 16 alone cannot ensure the confidentiality and integrity of the data exchanges between the server 14 and the sensor 12.
When several gateways 16 are present in the vicinity of the sensor 12, the choice of the gateway 16 is made by the sensor 12, for example according to the proximity of the gateway 16 to the sensor 12.
In a variant, the authentication code 52 comprises a private encryption key and an identification code.
The private encryption key has the same functionalities and characteristics as the authentication code 52 described in the previous embodiment, with the difference that the private encryption key is kept in the memory 28 of the sensor 12. The private encryption key is therefore not sent to the computer server 14 via the communication gateway 16.
The private encryption key makes it possible to encrypt (that is, to encipher) the data leaving the sensor 12. In particular, the private encryption key makes it possible to encrypt the data sent to the server 14 from the sensor 12 via the gateway 16.
The identification code makes it possible to identify the sensor 12. The identification code is, for example, the name of the sensor 12, each sensor 12 having a specific name, different from that of the other sensors 12.
The identification code is suitable for being sent to the server 14 via the communication gateway 16.
In what follows, only the differences in operation of the installation 10 according to this variant with respect to the previous embodiment are described.
Initially, the sensor 12 sends a request to identify a communication gateway 16 located near the sensor 12. Then, once the gateway 16 is identified, the sensor 12 uses the gateway 16 to communicate with the server 14. In particular, the sensor 12 sends its identification code to the server 14 via the gateway 16.
Next, the server 14 identifies the sensor 12 by means of the identification code of the sensor 12, and then authorizes data exchanges with the sensor 12.
The private encryption key of the sensor 12 is then used to encrypt the data sent from the sensor 12 to the server 14 via the communication gateway 16, the server 14 for its part knowing a decryption key.
The decryption key enables the server 14 to decrypt the encrypted data received from the sensor 12 via the communication gateway 16.

Claims

1. - Sensor (12) for measuring a quantity, such as an electrical quantity or a thermodynamic quantity, intended to be connected to a computer server (14) via a communication gateway (16), the communication gateway (16) being connected to the computer server (14) via a communication network (18),
the sensor (12) comprising:
- an information processing unit (24) comprising a memory (28),
- radio means (20) for communication with the gateway (16), and
- means (50) for exchanging data with the computer server (14) via the communication gateway (16), the data exchange means (50) being connected to the radio communication means (20),
characterized in that the memory (28) contains information for secure connection to the computer server (14), said connection information comprising a sensor authentication code (52).
2. - Sensor (12) according to claim 1, wherein the sensor (12) further comprises means (54) for generating a response to a request from the computer server (14), the response being generated as a function of the authentication code (52).
3. - Sensor (12) according to claim 1 or 2, wherein the sensor (12) further comprises data encryption means (56), the encrypted data being intended to be transmitted to the computer server (14) by the data exchange means (50).
4. - Sensor (12) according to any one of the preceding claims, wherein the connection information is protected by an access control member.
5. - Measuring installation (10) comprising at least one sensor (12) for measuring a quantity, such as an electrical quantity or a thermodynamic quantity, and a computer server (14) connected to each measurement sensor (12),
characterized in that each measurement sensor (12) is in accordance with any one of the preceding claims.
6. - Installation (10) according to claim 5, wherein the computer server (14) comprises first means (60) for sending an authentication request to each measurement sensor (12) and means (62) for authenticating the response generated by each measurement sensor (12) following receipt of said request.
7. - Installation (10) according to claim 6, wherein the computer server (14) comprises second means (64) for sending, to each authenticated sensor (12), an encryption key suitable for encrypting data exchanged between the computer server (14) and the authenticated sensor (12).
8. - Installation (10) according to any one of claims 5 to 7, wherein the installation (10) further comprises a communication gateway (16), the communication gateway (16) being connected to the computer server (14) via a communication network (18), such as the Internet, and each measurement sensor (12) being connected to the computer server (14) via the communication gateway (16).
9. - Installation (10) according to claim 8, wherein the communication gateway (16) is integrated in a mobile electronic device (46), such as a mobile phone, a tablet or a laptop.
10. - Method for exchanging data between a sensor (12) for measuring a quantity, such as an electrical quantity or a thermodynamic quantity, and a computer server (14) via a communication gateway (16), the communication gateway (16) being connected to the computer server (14) via a communication network (18),
the method being implemented by the measurement sensor (12), the sensor (12) comprising radio means (20) for communication with the gateway (16), and an information processing unit (24) comprising a memory (28),
the method comprising exchanging (200) data with the computer server (14) via the radio communication means (20),
the method being characterized in that it further comprises the secure connection (130, 140) to the computer server (14) using a sensor authentication code (52), said authentication code (52) being stored in the memory (28) of the sensor.
11. - Method according to claim 10, wherein the step of secure connection to the computer server (130, 140) comprises generating (130) a response to a request from the computer server (14), the response being generated as a function of the authentication code (52).
12. - Computer program product comprising software instructions which, when implemented by an information processing unit (24), implements the data exchange method according to claim 10 or 11.
PCT/EP2014/076560 2013-12-04 2014-12-04 Measurement sensor, measurement installation comprising such a sensor and a server, method of exchanging data and computer program product associated therewith WO2015082607A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
FR1362108 2013-12-04
FR1362108A FR3014188B1 (en) 2013-12-04 2013-12-04 MEASURING SENSOR, MEASURING INSTALLATION COMPRISING SUCH SENSOR AND SERVER, DATA EXCHANGE METHOD, AND COMPUTER PROGRAM PRODUCT THEREOF

Publications (1)

Publication Number Publication Date
WO2015082607A1 true WO2015082607A1 (en) 2015-06-11

Family

ID=50179769

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2014/076560 WO2015082607A1 (en) 2013-12-04 2014-12-04 Measurement sensor, measurement installation comprising such a sensor and a server, method of exchanging data and computer program product associated therewith

Country Status (2)

Country Link
FR (1) FR3014188B1 (en)
WO (1) WO2015082607A1 (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
FR3039308B1 (en) * 2015-07-21 2017-08-18 Sagemcom Energy & Telecom Sas DATA TRANSMISSION FIGURES FROM INTELLIGENT ELECTRIC COUNTERS
DE102017008593A1 (en) * 2017-09-13 2019-03-14 Diehl Metering Systems Gmbh Method for operating a consumption meter system
EP3709671A1 (en) * 2019-03-13 2020-09-16 Sagemcom Energy & Telecom SAS Centralising meter for automated management of metering of a power distribution service

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2506392A1 (en) * 2009-11-26 2012-10-03 Kabushiki Kaisha Toshiba Energy management apparatus and energy management system
GB2482326A (en) * 2010-07-29 2012-02-01 Toshiba Res Europ Ltd Transfer of a utility usage meter reading to a user device associated with the meter and verifying the information received from the device

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10142336B2 (en) 2015-02-02 2018-11-27 Schneider Electric Industries Sas Communication system and method
EP3229399A1 (en) * 2016-04-06 2017-10-11 Sagemcom Energy & Telecom SAS Method for shared-key encryption between a server and a smart meter
FR3050085A1 (en) * 2016-04-06 2017-10-13 Sagemcom Energy & Telecom Sas SHARED KEY ENCRYPTION METHOD BETWEEN A SERVER AND A COMMUNICATOR COUNTER
DE102021002082A1 (en) 2021-04-20 2021-07-08 Daimler Ag System, procedure and motor vehicle

Also Published As

Publication number Publication date
FR3014188B1 (en) 2017-05-26
FR3014188A1 (en) 2015-06-05

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 14809810

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 14809810

Country of ref document: EP

Kind code of ref document: A1