WO2018162397A1 - Dispositif de commande, appareil destiné à être utilisé dans un luminaire, procédés de fonctionnement et serveur - Google Patents

Dispositif de commande, appareil destiné à être utilisé dans un luminaire, procédés de fonctionnement et serveur Download PDF

Info

Publication number
WO2018162397A1
WO2018162397A1 PCT/EP2018/055318 EP2018055318W WO2018162397A1 WO 2018162397 A1 WO2018162397 A1 WO 2018162397A1 EP 2018055318 W EP2018055318 W EP 2018055318W WO 2018162397 A1 WO2018162397 A1 WO 2018162397A1
Authority
WO
WIPO (PCT)
Prior art keywords
luminaire
time
key
control device
session
Prior art date
Application number
PCT/EP2018/055318
Other languages
English (en)
Inventor
Ulrich Pinsdorf
Marco Haverlag
Natarajan Ganapathy Subramanian
Original Assignee
Philips Lighting Holding B.V.
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Philips Lighting Holding B.V. filed Critical Philips Lighting Holding B.V.
Publication of WO2018162397A1 publication Critical patent/WO2018162397A1/fr

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/06Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/068Network architectures or network communication protocols for network security for supporting key management in a packet data network using time-dependent keys, e.g. periodically changing keys
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/12Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
    • H04L67/125Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks involving control of end-device applications over a network
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0618Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
    • H04L9/0631Substitution permutation network [SPN], i.e. cipher composed of a number of stages or rounds each involving linear and nonlinear transformations, e.g. AES algorithms
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/041Key generation or derivation
    • HELECTRICITY
    • H05ELECTRIC TECHNIQUES NOT OTHERWISE PROVIDED FOR
    • H05BELECTRIC HEATING; ELECTRIC LIGHT SOURCES NOT OTHERWISE PROVIDED FOR; CIRCUIT ARRANGEMENTS FOR ELECTRIC LIGHT SOURCES, IN GENERAL
    • H05B47/00Circuit arrangements for operating light sources in general, i.e. where the type of light source is not relevant
    • H05B47/10Controlling the light source
    • H05B47/175Controlling the light source by remote control
    • H05B47/19Controlling the light source by remote control via wireless transmission
    • HELECTRICITY
    • H05ELECTRIC TECHNIQUES NOT OTHERWISE PROVIDED FOR
    • H05BELECTRIC HEATING; ELECTRIC LIGHT SOURCES NOT OTHERWISE PROVIDED FOR; CIRCUIT ARRANGEMENTS FOR ELECTRIC LIGHT SOURCES, IN GENERAL
    • H05B47/00Circuit arrangements for operating light sources in general, i.e. where the type of light source is not relevant
    • H05B47/10Controlling the light source
    • H05B47/175Controlling the light source by remote control
    • H05B47/196Controlling the light source by remote control characterised by user interface arrangements
    • H05B47/1965Controlling the light source by remote control characterised by user interface arrangements using handheld communication devices
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W4/00Services specially adapted for wireless communication networks; Facilities therefor
    • H04W4/70Services for machine-to-machine communication [M2M] or machine type communication [MTC]

Definitions

  • Control device apparatus for use in a luminaire, methods of operation and server
  • the present disclosure relates to a control device for wirelessly communicating with a luminaire, apparatus for use in a luminaire, methods of operation, and a server.
  • Luminaires are increasingly "connected", that is, the luminaire can be controlled and/or maintained by a separate device, in addition to or instead of the traditional on/off switch, dimmer switch, photo detector switch, etc. It is often important to ensure that communication between the luminaire and the device is secure to avoid for example tampering or hacking by third parties, particularly in the case that the connection between the luminaire and the control device is a wireless connection.
  • known techniques for secure communication are often not suitable for communicating with luminaires.
  • luminaires may be installed or configured or maintained, etc. by third parties and it is important to control the access of the third parties to the luminaires.
  • WO2012/168888 discloses a wireless network used for lighting control between a service center and lighting node through segment controller wherein the messages are authenticated between the service center and the lighting node.
  • the transmission between the service center and the segment controller and between the segment controller and a lighting node are perform only after a local mutual authentication that provide a session key.
  • US 6,292,896 discloses the time derivation of a master key for creating session key.
  • the time is a public information shared by all devices connected to the network and the reliability of the time is warrant by its public use. Nevertheless and anti- replay mechanism is planned in such a way to prevent the reuse of key or of a password.
  • a control device for communicating with a server and for wirelessly communicating with a luminaire, the control device comprising:
  • a processor arranged to identify a luminaire by receiving from the luminaire a unique identifier for the luminaire;
  • the data storage storing a time-bound key previously received from the server for the identified luminaire, the time-bound key having been generated from a device key for the luminaire and a time slot for which the time-bound key may validly be used;
  • the processor being arranged to generate a predetermined message that is encrypted using the time-bound key and to wirelessly transmit the encrypted predetermined message to the luminaire.
  • this allows secure wireless communication between a luminaire and a control device to be achieved without requiring a reliable or accurate real time clock to be running on the luminaire and without requiring that for example the luminaire has a backup power source to cope with power loss or outages or that the luminaire can update the clock using say an internet connection (which may not (always) be available).
  • the control device is arranged to communicate with a server to receive from the server the time-bound key for the identified luminaire to be used in encrypting communications with the identified luminaire.
  • the time-bound key comprises a session key and a session nonce.
  • the session key received from the server is obtained from a hash function carried out on a device key for the luminaire and a time slot for which the session key may validly be used.
  • the session nonce received from the server is obtained from a hash function carried out on a device key for the luminaire and a time slot for which the session nonce may validly be used.
  • the hash function will normally be carried out in the server, or some other remote apparatus, and not in the control device as the control device does not know and does not have access to DK.
  • the time-bound key that is used by the processor to encrypt the predetermined message is a function of the session key received from the server and a session random number received from the luminaire.
  • the session nonce that is used by the processor to encrypt the predetermined message is a function of a session nonce received from the server and a session random number received from the luminaire.
  • the processor is arranged to generate an authentication tag as a function of the predetermined message and the time-bound key and to encrypt the predetermined message and the authentication tag using the time-bound key.
  • control device is arranged to wirelessly transmit a current time to the identified luminaire to enable the luminaire to update a previously stored current time with the current time transmitted by the control device.
  • a control device for wirelessly communicating with a luminaire comprising:
  • time-bound key for the identified luminaire, the time-bound key having been previously generated by a server from a device key for the luminaire and a time slot for which the time-bound key may validly be used;
  • apparatus for use in a luminaire comprising:
  • the data storage storing a device key for the luminaire
  • a secure clock arranged to generate a time which is stored as a current time
  • a processor arranged to generate a time-bound key as a function of the device key and a time slot based on the stored current time
  • a wireless communications interface for wirelessly communicating with a control device
  • the apparatus being arranged to engage in a secure wireless communication with a control device via the wireless communications interface after having received from the control device a predetermined message that is encrypted using the time-bound key and that has been authenticated as having been validly created.
  • the "time slot based on the stored current time” may be for example the "current" time slot (e.g. today), or a previous time slot (e.g. yesterday) or a next time slot (e.g. tomorrow), etc.
  • the time-bound key comprises a session key and a session nonce.
  • the session key is obtained from a hash function carried out on the device key for the luminaire and a time slot based on the stored current time.
  • the session nonce is obtained from a hash function carried out on the device key for the luminaire and a time slot based on the stored current time.
  • the processor is arranged to attempt to decrypt the predetermined message by using a session key that is a function of a session random number generated by the luminaire and a session key obtained from a hash function carried out on the device key for the luminaire and a time slot based on the stored current time.
  • the processor is arranged to attempt to decrypt the predetermined message by using a session nonce that is a function of a session random number generated by the luminaire and a session nonce obtained from a hash function carried out on the device key for the luminaire and a time slot based on the stored current time.
  • the processor is arranged to generate an authentication tag as a function of the predetermined message that has been decrypted by the processor and a time slot based on the stored current time, the authentication tag being used to authenticate the decrypted message.
  • the processor is arranged to generate plural time-bound keys as a function of the device key and respective plural time slots based on the stored current time, to generate plural authentication tags as a function of the predetermined message that has been decrypted by the processor and the plural time slots respectively, and to authenticate the predetermined message if one of the plural authentication tags matches an authentication tag used by a control device to encrypt the predetermined message that was transmitted to the apparatus.
  • the secure clock of the apparatus is capable of receiving a current time from a control device and is arranged to update the stored current time with the current time received from a said control device only if the current time received from a said control device is more recent than the previously stored current time.
  • the apparatus is arranged to check whether the current time received from the control device is more recent than the last stored current time and, if so, update the stored current time with the current time received from the control device, else, if not, then the apparatus ceases communication with the control device.
  • a method of operating a luminaire comprising:
  • the data storage storing a device key for the luminaire
  • a server storing a device key DK and a corresponding unique identifier UID for each of a plurality of luminaires, the server being arranged to generate a time-bound key for a luminaire, the time- bound key being generated from a device key DK for the luminaire and a time slot for which the time-bound key may validly be used, the server being arranged to provide the time-bound key for a luminaire to a control device that has been authenticated with the server and that has provided the unique identifier UID for the luminaire to the server.
  • FIG. 1 shows schematically an example of an overall system according to the present disclosure
  • Fig. 2 shows schematically an example of generation of an authentication tag
  • Fig. 3 shows schematically an example of encryption at a control device
  • Fig. 4 shows schematically an example of decryption at a luminaire 1 ;
  • Fig. 5 shows schematically an example of a method of operating a luminaire
  • Fig. 6 shows schematically an example of a method of operating a control device.
  • a luminaire is a device or structure arranged to emit light suitable for illuminating an environment, providing or substantially contributing to the illumination on a scale adequate for that purpose.
  • a luminaire comprises at least one light source or lamp, such as an LED-based lamp, gas-discharge lamp or filament bulb, etc., plus any associated support, casing or other such housing.
  • luminaires are increasingly "connected", that is, the luminaire can be controlled by a separate device, in addition to or instead of the traditional on/off switch, dimmer switch, photo detector switch, etc.
  • a control device can be used when commissioning the luminaire and/or to update the luminaire (for example, especially in the case of street lighting, lighting in public or other large buildings, etc.). It is often important to ensure that communication between the luminaire and the control device is secure to avoid tampering or hacking by third parties, particularly in the case that the connection between the luminaire and the control device is a wireless connection.
  • known techniques for secure communication are often not suitable for communicating with luminaires.
  • each luminaire in a system is allocated a unique PIN (personal identification number) which a user can enter into a control device in order to be able to communicate with the luminaire.
  • PIN personal identification number
  • this is not always practical or convenient, especially when there is a large number of luminaires in the system (as is often the case in street lighting, lighting in public or other large buildings, etc.).
  • this requires for example that the luminaire and the control device have a shared symmetric key for the encryption and decryption of the communications.
  • This means that the control device has to obtain the symmetric key for the particular luminaire somehow.
  • the control device could for example obtain the shared key from some central database, which stores shared keys for all of the luminaires that are possibly to be controlled by the control device, once the control device has identified the particular luminaire to be controlled.
  • this requires that the control device have access to the central database in order to obtain the shared encryption key, and this may not always be possible (for example, in remote or rural areas or in tunnels, etc., where there is no wireless (e.g.
  • the shared encryption keys for plural luminaires may instead be pre-stored on the control device. However, this is risky as the control device itself may be hacked or stolen. An encryption key that can only be used for a specified period of time could be used. However, this in turn means that the luminaire must have an accurate real-time clock which is always powered. This is often not the case, especially in the case of street lighting or other outdoor lighting, where there may be no internal clock or the clock may be low quality and therefore inaccurate, and in any event power outages may occur meaning that the clock does not accurately show the current time. It is also often the case that street lighting or other outdoor lighting is not provided with any connection to a network (including a local or wide area network and the Internet) via which it could in principle obtain the current time accurately.
  • a network including a local or wide area network and the Internet
  • Figure 1 shows schematically an example of an overall system which includes a luminaire 1 and a control device 2.
  • the luminaire 1 and the control device 2 can communicate with each other wirelessly via a wireless link 3.
  • the control device 2 may be used for example to control and configure operational parameters of the luminaire 1 , including for example parameters such as dimming schedule, lumen output, etc.
  • the control device 2 may additionally or alternatively be used for example to obtain diagnostic data such as burning hours, energy consumption, power consumption, surge count, etc. from the luminaire 1.
  • the luminaire 1 comprises at least one light source or lamp 11, such as an LED lamp
  • the luminaire 1 is a street light which has a lamp 11 supported on a light pole 12.
  • the luminaire 1 has a wireless communications interface 13 for wirelessly communicating with the control device 2.
  • the wireless communications interface 13 in this example includes the necessary circuitry 14 to provide for wireless communications and an antenna 15.
  • the luminaire 1 further has a processor or processors, data storage and a clock.
  • the data storage includes at least a persistent (non- volatile) storage, such as a hard disk, non- volatile semiconductor memory, etc.
  • One or more of the wireless communications interface 13 and the processor(s), data storage and clock may be provided as a single connectivity module 16 that can be fitted into the luminaire 1.
  • communications interface 13 are sometime referred to herein collectively as apparatus for the luminaire 1.
  • the wireless communication between the luminaire 1 and the control device 2 is convenient for users, installers, etc., as it means that a physical, wired connection to the luminaire 1 is not necessary. This is useful in many cases, such as when the luminaire 1 is a street light or is otherwise mounted in a relatively inaccessible place (such as in the ceiling of a tall building or tunnel roof, etc.).
  • the wireless communication may use a protocol of any suitable type, including for example BluetoothTM, ZigBeeTM or Wi-FiTM, with the luminaire 1 and the control device 2 having appropriate corresponding circuitry for the protocol that is used.
  • the control device 2 may be a portable device having a processor and data storage (shown schematically by the reference numeral 21), in addition to the wireless circuity for communicating with the luminaire 1.
  • the data storage includes at least a persistent (non- volatile) storage, such as a hard disk, non- volatile semiconductor memory, etc.
  • the control device 2 preferably has a screen 22.
  • the control device 2 in some examples has cellular communications circuity for enabling the control device 2 to communicate via cellular networks (such as for example a GSM (Group Special Mobile or 2G (second generation) network, a 3G network, or a 4G or LTE (Long Term Evolution) network).
  • GSM Group Special Mobile or 2G (second generation) network
  • 3G network a 3G network
  • 4G or LTE Long Term Evolution
  • the control device 2 may be for example a smartphone, a laptop computer, a tablet computer, a personal digital assistant (PDA) or some other mobile computing device.
  • the control device 2 may be part of or incorporated into a "drone", i.e. a self-propelled flying vehicle which is typically unmanned.
  • the luminaire 1 is provided with a device key DK, which is stored in the data storage of the luminaire 1.
  • the device key DK is preferably unique to the particular luminaire (or at least is unique amongst luminaires in the geographical region of the luminaire 1 in question).
  • the device key DK may be for example a number.
  • the device key DK may be for example at least 128 bits. As is well known, the larger the number of bits for a key of this type, the greater the security.
  • the luminaire 1 is provided with an identifier, which is preferably unique to the particular luminaire (or at least is unique amongst luminaires in the
  • UID geographical region of the luminaire 1 in question). This will be referred to herein as a unique identifier UID.
  • a suitable and convenient unique identifier UID is the MAC (media access control) address of the wireless communications interface 13, or at least the UID may be derived from the MAC address of the wireless communications interface 13.
  • the UID may be for example a 64 bit number.
  • the UID is stored in the data storage of the luminaire 1.
  • the device key DK and the unique identifier UID may each be assigned to the luminaire 1 during manufacture of the relevant components at the factory or factories 4 that manufacture the relevant components, as shown schematically at 5 in Figure 1.
  • the device key DK and the unique identifier UID are also stored in a database which is accessible by the control device 2. This is shown schematically by the factory or factories 4 providing the device key DK and the unique identifier UID to a remote database 6 stored in some server operating under control of a service 7 in the "cloud" via a wired and/or wireless connection 8. It will be understood that the server for storing the database 6 and the computer(s) providing the service 7 may be physically located at the factory 4 or at some other physical location.
  • the accessibility of the database 6 to the control device 2 is indicated schematically by the reference numeral 9.
  • the control device 2 can access the database 6 in any suitable way.
  • the control device 2 can access the database 6 via a wireless connection 9.
  • the connection 9 between the control device 2 and the database 6 may be via a cellular network and, typically, also the Internet.
  • the clock of the luminaire 1 acts as a notional time counter NT.
  • the notional time counter NT may be incremented by for example software running on the processor of the connectivity module 16 of the luminaire 1 using ticks from a clock crystal which may be provided internally or externally of the connectivity module 16. The counting is calibrated such that the counter is incremented as accurately as possible relatively quickly, say once per second or so.
  • the notional time counter NT is stored at regular intervals (for example every 2 hours say) to the persistent storage in the connectivity module 16. The stored value may be used to initialize the counter after a power cycle of the connectivity module 16, such as following a loss of power to the luminaire 1 or if the connectivity module 16 is rebooted for some reason.
  • the "time” that is generated by the clock typically includes or corresponds to the date (e.g. 1 January 2017) and time of day (such as 3pm, etc.).
  • a user of the control device 2 who may for example be installing or maintaining or updating the luminaire 1 , sets up login credentials to obtain access to the database 6 by following a registration process. This may be accessible via for example a Web-based portal.
  • the user can then download and install a configuration "app" (software application) using an appropriate distribution method (for example, directly from the factory 4 or via for example Google Play or the like).
  • the functionality of the configuration app only becomes exposed and available to the user after providing valid login credentials.
  • the user then causes the configuration app on the control device 2 to perform a wireless scan to identify luminaires 1 that are within range.
  • the control device 2 carries out a Bluetooth scan.
  • the scan enables the control device 2 to obtain the unique identifiers UID of the luminaires 1 within range.
  • the unique identifier UID is the MAC address of the wireless communications interface 13 of the luminaires 1.
  • the configuration app on the control device 2 provides that only white listed devices (i.e. the known wireless communications interfaces 13 of the luminaires 1 in the database in the example described above) are displayed on the screen 22 of the control device 2 by the configuration app.
  • the user selects from the list of displayed devices the particular luminaire
  • the configuration app on the control device 2 then communicates with the database 6 using the unique identifier UID of the selected luminaire 1 and retrieves a time-bound session key SK and, in this example, a session nonce SN for the selected luminaire 1.
  • the user 1 may have previously downloaded or otherwise obtained session keys SK and session nonces SN for a set of luminaires 1 maintained by the user onto the control device 2.
  • the session SK and session nonce SN for the selected luminaire 1 is looked up from the previously downloaded list.
  • a nonce is typically an arbitrary number which is (typically) used only once in a cryptographic communication (or a series of related communications) to improve security.
  • a nonce may be for example a random or
  • the cloud service 7 associated with the database 6 (or at least some software having access to the details stored in the database 6) generates a session key SK and a session nonce SN for a specific luminaire 1 (identified by its unique identifier UID, which as mentioned may be the MAC address of the wireless communications interface 13 of the luminaire 1).
  • the session key SK is time-bound, i.e. is in effect only valid for a predetermined period of time.
  • a time-bound session key SK may be generated by for example combining the corresponding device key DK of the luminaire 1 and a time slot T access. The time slot T access ensures that the session key SK is time-bound as its value is related to the time slot T access.
  • the time slot T access in an example identifies the instant in time when the session key SK was generated by the software associated with the database 6.
  • the time resolution of the time slot can be chosen based on for example the resolution of the time for which the session key SK is to be bound (e.g. one hour or a few hours, a day or a few days, a week of a few weeks, etc.). In practical terms, this determines for how long the session key SK is useable by the control device 1. A shorter time is more secure, but a longer time is more convenient for the user wanting to access the luminaire 1.
  • a possible way to generate the time slot T access is to use the Unix time UT at the moment of generating session credentials expressed in day resolution, e.g.
  • T access to take into account the GMT (Greenwich Meant Time) offset and daylight savings offset based on the location information of the user.
  • GMT Greenwich Meant Time
  • Unix time is a system for describing instants in time defined as the number of seconds that have elapsed since 00:00:00 Coordinated Universal Time (UTC), Thursday, 1 January 1970, not counting leap seconds.
  • control device 2 retrieves only the time-bound session key SK and the session nonce SN for the luminaires 1 from the database 6 and does not obtain and is not provided with the device key DK for the luminaires 1.
  • the retrieved session key SK is valid only for a stipulated duration, e.g., for 1 hour or 3 or 6 hours, 1 day, 3 days, etc., etc.). This ensures that a stolen or otherwise compromised control device 2 with locally stored sets of session keys SK and session nonces SN is unusable after this time is passed.
  • the luminaires 1 are arranged to advertise their presence, using for example Bluetooth or some other wireless protocol.
  • each luminaire 1 (or, more precisely, the connectivity module 16 of the luminaire 1 in the present example) advertises a random number SRN as part of the payload of the advertisement messages (or offers a characteristic from which the random number SRN can be read in a "challenge- response" authentication).
  • the random number SRN is refreshed by the connectivity module 16 as soon as a new (unsecured) connection is established with control device 2 to avoid the same random number SRN being given out repeatedly and therefore to improve security.
  • the random number SRN should be a large number to improve security and may be for example a 16-byte number.
  • the configuration app on the control device 2 initially reads out the random number SRN from the advertisement message or from the read-only characteristic as the case may be.
  • the configuration app on the control device 2 also sends the current time CT (for example, the UTC expressed as Unix time as discussed above) to the connectivity module 16 of the selected luminaire 1.
  • the current date and time CT as sent by the configuration app on the control device 2 may be encrypted, using for example a pre-shared fixed key FK that is shared by all of the connectivity modules 16 of the luminaires 1 and the control device(s) 2 that are intended to communicate with the connectivity modules 16 of the luminaires 1.
  • the connectivity module 16 of the selected luminaire 1 authenticates the incoming current time CT by checking if it is larger than (i.e. more recent than) the current time CT that is currently internally stored in the data storage of the connectivity module 16 (which, as noted above, may be regarded as only being a notional time NT given inaccuracies in the clock of the luminaire 1 and the possibility of power to the luminaire 1 having been lost). If the authentication fails (i.e. the incoming current time CT is not later than the current time CT that is already stored in the data storage of the connectivity module 16 of the luminaire 1), then the connection with the control device 2 is severed by connectivity module 16 of the selected luminaire 1. If the authentication succeeds then the incoming current time CT is stored in the data storage of the connectivity module 16 to replace the previously stored current time CT so as to update the stored current time CT.
  • the configuration app on the control device 2 combines the session key SK and the session nonce SN for the selected luminaire 1 (which have already been retrieved from the database 6 or pre-loaded onto the control device 2 as discussed above) and the random number SRN (obtained from the advertisement message from the selected luminaire 1 as discussed above) to encrypt a pre-defined bootstrap message (i.e. a session "hello" message).
  • the encrypted bootstrap message is then sent by the control device 2 to the connectivity module 16 of the luminaire 1.
  • the control device 2 could just use the session key SK and the session nonce SN as received from the cloud service 7 directly. However, using these in combination with the random number SRN obtained from the advertisement message from the selected luminaire 1 provides additional security.
  • the connectivity module 16 of the luminaire 1 uses the stored current time CT (which may be the originally stored current time CT or the updated current time CT) to generate a time slot T access. Mirroring what took place in the cloud service 7, the connectivity module 16 then generates at least a session key SK using a time slot T access based on the current time CT.
  • the time resolution of the time slot can be chosen based on for example the resolution of the time for which the session key SK is to be bound (e.g.
  • the session key SK and corresponding session nonce SN are generated using the same process or algorithm that is used by the software associated with the database 6 when generating the time-bound session key SK and session nonce SN for a specific luminaire 1 and that are provided to the control device 2 as discussed above.
  • the connectivity module 16 of the luminaire 1 attempts to decrypt the bootstrap message received from the control device 2. If decryption succeeds then the session key SK and corresponding session nonce SN are used for encrypting further communications with the control device 2. Additionally, the notional time NT may be initialized with the current time CT. This allows for the fact that the clock in the luminaire 1 may still be inaccurate and for example losing time. If decryption fails then the connection with the control device 2 is severed by the connectivity module 16 of the luminaire 1.
  • the session key SK is time-bound (in an example, being formed as a function of the device key DK and a time slot relating to the stored current time CT).
  • the luminaire 1 and the database 6 may not have a shared, accurate "current time”.
  • the database 6 may generate plural time-bound session keys SKs, each time-bound to a different, optionally successive, time slot covering a time period when the control device 2 may wish to communicate with the luminaire 1.
  • the various time slots may for example start one minute apart.
  • the plural time-bound session keys SKs are provided to the control device 2, which can then use the plural time-bound session keys SKs in turn to attempt to communicate with the luminaire 1.
  • the session nonce SN may also be time- bound, in addition to the session key SK being time-bound.
  • a time-bound session nonce SN may be formed as a function of the device key DK and a time slot relating to the stored current time CT. This may be similar to the generation of a time-bound session key SK discussed above.
  • the database 6 may generate plural time-bound session nonces SNs, each time-bound to a different, optionally successive, time slot covering a time period when the control device 2 may wish to communicate with the luminaire 1.
  • the various time slots may for example start one minute apart but in any event are preferably the same as the time slots used for generating plural time-bound session keys SKs.
  • the plural time-bound session nonces SNs are provided to the control device 2, which can then use the plural time-bound session keys SKs and the plural time-bound session nonces SNs in turn to attempt to communicate with the luminaire 1.
  • a session key SK is generated as a function of the device key DK and a time slot for which the session key SK may validly be used
  • a session nonce SN is generated as a function of the device key DK (and in some examples also as a function of a time slot for which the session nonce SN may validly be used).
  • a number of techniques for generating the key or the like are possible.
  • Particularly suitable examples include the use of hashing functions, which are well known per se, including as a particular example SHA (Secure Hash Algorithm) 256.
  • the random number SRN which the luminaire 1 has made available to the control device 2 may also be used in the encryption and decryption of subsequent messages between the luminaire 1 and the control device 2, i.e. messages sent and received after the initial, successful bootstrap or "hello" message.
  • the session key SK and session nonce SN that are initially generated in the luminaire 2 and that are initially provided to the control device 2 from the database 6 respectively are XOR'd with the random number SRN in order to generate the session key SK' and session nonce SN' that are actually used as part of the encryption and/or decryption of subsequent messages between the luminaire 1 and the control device 2.
  • SRN) and SN' hash(SN
  • the connectivity module 16 of the luminaire 1 may generate a set of session keys SK*, with each session key being a function of the device key DK and a respective time slot of a succession of time slots TS, TS-1, TS-2, TS+1,. TS+2, etc.
  • the connectivity module 16 may generate a set of corresponding session nonces SN*, with each session nonce being a function of the device key DK and a respective time slot of the succession of time slots TS, TS-1, TS-2, TS+1,. TS+2, etc.
  • the session keys SK* and session nonces SN* are again generated using the same process or algorithm that is used by the software associated with the database 6 when generating the time-bound session key SK and session nonce SN for a specific luminaire 1 and that are provided to the control device 2 as discussed above.
  • the number of time slots as well as the resolution of the time slots used by the connectivity module 16 of the luminaire 1 for generating the set of session keys SK* and corresponding session nonces SN* determines the time-bound upper limit during which the respective session keys SK and session nonces SN can be used. That is, in practice, this use of a succession of time slots for T access enables secure communication between the control device 2 and the luminaire 1 for periods of time that are judged to be close enough to the time stored by the luminaire 1.
  • the connectivity module 16 of the luminaire 1 attempts to decrypt the bootstrap message received from the control device 2. If decryption succeeds for one of the
  • notional time NT may be initialized with CT, again to allow for the fact that the clock in the luminaire 1 may still be inaccurate and for example losing time. If decryption fails for all combinations session keys SK and session nonces SN then the connection with the control device 2 is severed by the connectivity module 16 of the luminaire 1. Accordingly, in some examples, secure wireless communication between a luminaire 1 and a control device 2 can be achieved without requiring a reliable or accurate real time clock to be running on the luminaire 1 and without requiring that for example the luminaire 1 has a back-up power source to cope with power loss or outages.
  • a time-bound encryption key (for example, the session key SK) that can be retrieved "on-the-fly" or obtained previously "offline" from a remote database 6 is used to encrypt communications between the luminaire 1 and the control device 2.
  • the session key SK is time-bound, this minimizes the risk of the luminaire 1 being hacked in the case that the control device 2 is lost or stolen or hacked after having obtained the session key SK.
  • the current time CT that is stored by the luminaire 1 can be updated if necessary, for example in the case that the clock of the luminaire 1 has drifted or lost power.
  • a session nonce SN may also be used. The session nonce SN may also be time-bound for yet further security.
  • a random number (for example, the session random number SRN) may be used only once in the series of related communications between the control device 2 and the luminaire 1; this avoids or at least minimizes the risk of hacking using so-called replay attacks in which a hacker can otherwise capture the previously transmitted session key SK and session nonce SN for use in encrypting communications in subsequent attacks on the luminaire 1.
  • the session nonce SN is time-bound as it is generated as a function of the time slot for which the session nonce SN may be used. However, this is not always necessary. Instead, a "simple" nonce being just a random number, generated at both the luminaire 1 and obtained by the control device 2 from the database 6, may be used, without being time-bound. Nevertheless, a time-bound session nonce SN is preferred for added security.
  • a unique device key DK gets programmed or stored into the luminaire 1 (i.e. in an example, in the data storage of the connectivity module 16 of the luminaire 1).
  • the device key DK is also recorded in the database 6 operated by the cloud service 7 together with a unique identifier UID (for example, a serial number, such as the MAC address of the wireless communications interface 13) of the luminaire 1 2.
  • UID for example, a serial number, such as the MAC address of the wireless communications interface 13
  • a given luminaire 1 in the street knows a) its unique identifier UID, b) its own unique device key DK, and c) the current notional time (which, as mentioned, can diverge from the real time).
  • the installer or maintenance person has a mobile control device 2 which contains software (an "app") for adjusting for example the luminaire's light levels, driver configuration, wattage, etc.
  • the installer is not trusted, not least because the control device 2 may be lost or stolen for example. Accordingly, it is desired to establish a trusted and secure communication between the installer's control device 2 and the luminaire 1 without ever disclosing the device key DK, not even to the control device 2. That is, preferably, the device key DK shall stay in the central database 6 and in the luminaire 1 only. Moreover, the installer is only granted access to the luminaire 1 only for a defined amount of time, for example 4 hours or 1 day say.
  • the installer uses the mobile app on the control device 2 to select a single luminaire 1 he/she wants to do maintenance on. It may be noted that only a single luminaire 1 is discussed here for simplicity. In practice, the installer would likely select a larger number of luminaires 1, e.g. of an entire street or village, etc.
  • the control device 2 communicates with the remote database 6 to download security credentials which are necessary for a secure connection to the selected luminaire 1
  • Inputs from the control device 2 to the cloud service 7 are the luminaire's unique identifier UID and a time-range (e.g. "tomorrow").
  • the time period for which the credentials are valid are referred to as T access.
  • the cloud service 7 reads the secret device key DK from the database 6 for the specific luminaire 1.
  • the cloud service 7 computes a time-bound credential, that is, some credential that is a function of both the device key DK and the time period T access for which the credentials are valid.
  • the time-bound credential may be formed as a hash function of a concatenation of the device key DK and the time period T access.
  • a 32-byte number is formed, in which the first 16 bytes are the device DK and the second 16 bytes are the time period T access (with additional zeros as necessary).
  • a hash function is then applied to the 32-byte number.
  • the hash function may in principle be any hash function, including for example SHA-256.
  • time-bound credential X is just a sequence of bits which can be interpreted in an arbitrary way.
  • this bit sequence is split into two parts. A first part is used as a session key SK and the second part is used as a session nonce SN:
  • both the session key SK and the session nonce SN are each also time-bound in this example:
  • the cloud service 7 sends the session key SK and the session nonce SN to the app on the control device 2.
  • control device 2 may for example obtain the session key SK and the session nonce SN as described above in advance, i.e. before setting out on a field trip to the location of the luminaire 1 or may for example obtain these contemporaneously whilst at the location of the luminaire 1.
  • the app on the control device 2 stores the session key SK and the session nonce SN for this particular luminaire 1 (as identified by its unique identifier UID) and the requested time T access.
  • the luminaire 1 publicly advertises (e.g. via Bluetooth) its own identifier UID and a random number SRN.
  • SRN gets updated by the luminaire 1 from time to time, e.g. after each successful or unsuccessful connection attempt, so that each new communication operates using a different random number SRN.
  • the installer uses app on the control device 2 to read the advertisement which is broadcast by the luminaire 1.
  • the app shows that it has the time-bound credentials for this particular luminaire 1 available, because the luminaire's identifier UID is stored in the app together with the corresponding session SK and session SN.
  • the app sends the current time CT to the luminaire 1.
  • the luminaire 1 receives the current time CT and compares it to its current notional time NT stored in the data striated of the luminaire 1. If CT > NT then the luminaire 1 takes the current time CT received from the control device 2 and stores it as the stored current time CT in the data storage of the luminaire 1. It may be noted that other ways of validation for the current time CT received from the control device 2 are possible. For example, the current time CT received from the control device 2 may be judged to be valid if for example it is not too far ahead in time of the notional current time currently stored in the luminaire 1. As another example, the communication of the current time CT from the control device 2 can be encrypted with a fixed pre-shared key FK that is available to the factory, the app on the control device 2 and the luminaire 1.
  • FK fixed pre-shared key
  • the app on the control device 2 then starts the encrypted communication with the luminaire 1.
  • the app on the control device 2 has four data items available: the session key SK, the session nonce SN, the random number SRN publicly advertised by the luminaire 1 and a predetermined message M to be sent.
  • the message M may be for example an adjustment command for the luminaire 1 or part of some
  • CBC cipher block chaining mode
  • CTR counter mode
  • the encryption algorithm AES is the same in each mode.
  • the different modes define the way in which the algorithm it uses inputs and outputs.
  • Both CBC and CTR modes split the input message M into several blocks (MO, Ml, M2, ...), in for example blocks of 16 bytes, and encrypt each block independently, where the mode defines how to combine message blocks, keys, and outputs. 2.
  • the app on the control device 2 could use the session key SK and the session nonce SN directly.
  • the session key SK and the session nonce SN are modified by the app on the control device 2 using the advertised random number SRN, to provide a modified session key SK' and modified session nonce SN'.
  • an XOR function is used:
  • the AES CBC mode is used to compute a validation token or authentication tag T.
  • the authentication tag T may be interpreted as a digital signature.
  • the authentication tag T is arbitrarily defined to be 4 bytes in length (32 bits), with the rest of the encryption result being discarded.
  • the process to compute the authentication tag T in this example is shown schematically in Figure 2, with the message M being split into two blocks MO and Ml in this example.
  • the input for AES in CBC mode here are the (modified) session key SK', the (modified) session nonce SN' and the message M.
  • a concatenation M' of the message M and the authentication tag T is encrypted, this time using AES in CTR mode.
  • AES in CTR mode.
  • the input for the AES are the (modified) session key SK', the (modified) session nonce SN' and the message M plus the authentication tag T obtained above.
  • the output is a cipher C.
  • the receiving luminaire 1 is later able to revert that computation and validate T, as discussed below.
  • the cipher blocks CO', CI ' ... are respectively concatenated with the 2-byte counter e to form the cipher messages that are sent to the luminaire 1 by the control device 2.
  • the control device 2 sends the cipher messages to the luminaire 1. It may be noted that the control device 2 does not send the authentication tag T to the luminaire 1 because the luminaire 1 has to repeat the computation of the authentication tag T itself, as discussed further below.
  • the luminaire 1 receives the cipher messages.
  • the luminaire 1 has three data items available: the current time CT, the secret device key DK and the publicly advertised random number SR it had previously broadcast.
  • the luminaire 1 has the cipher messages C.
  • the luminaire 1 computes the "time period" of CT. For example, the current time can be rounded to the start of the day (e.g. midnight or 00:00).
  • the luminaire 1 decrypts the encrypted message C using AES in CTR mode, with SK' and SN' as keys. The result is interpreted as a concatenation of the message M and the authentication tag T, namely (M
  • the luminaire 1 knows the message, yet needs to validate if the operation was correct.
  • the current time CT was part of the computation and the luminaire 1 cannot or does not want to rely on its own real-time clock as that may be inaccurate.
  • the radio transmission may have been corrupted or the sender used an incorrect session nonce SN and/or session key SK.
  • the luminaire 1 computes T in the same way as the app on the control device 2 did in step C. 9.3 above.
  • the luminaire 1 assumes M is correct and uses SK' and SN' in CBC mode. The last 4 bytes of the result are taken as T*.
  • control device 2 and the luminaire 1 have established a secure communication channel with SK' and SN' as the session key and session nonce respectively.
  • the control device 2 and the luminaire 1 can now exchange messages in both directions using the same method as above.
  • the luminaire 1 may retry steps C. 11.1 to
  • the luminaire 1 After the communication with this mobile app ends, the luminaire 1 advertises a fresh SRN and waits for the next connection.
  • the luminaire 1 stores a device key for the luminaire 1.
  • the luminaire 1 generates a time which is stored as a current time in data storage of the luminaire.
  • the luminaire 1 generates a time-bound key as a function of a device key DK stored in the data storage and a time slot based on the stored current time.
  • the luminaire 1 engages in a secure wireless communication with a control device after having received from the control device a predetermined message that is encrypted using the time-bound key and that has been authenticated as having been validly created by a control device.
  • the control device 2 identifies a luminaire 1 by receiving from the luminaire 1 a unique identifier UID for the luminaire 1.
  • the control device 2 stores a time-bound key for the identified luminaire, the time- bound key having been generated from a device key for the luminaire and a time slot for which the time-bound key may validly be used.
  • the control device 2 generates a predetermined message that is encrypted using the time-bound key.
  • the control device 2 wirelessly transmits the encrypted predetermined message to the luminaire.
  • the data storage storing a device key DK for the luminaire
  • a clock arranged to generate a time which is stored as a current time
  • a processor arranged to generate a session key SK as a function of the device key DK and a time slot for which the session key SK may validly be used;
  • a wireless communications interface for wirelessly communicating with a control device; the apparatus being arranged to engage in a secure wireless communication with a control device via the wireless communications interface after having received from the control device a predetermined message that is encrypted as a function of the session key SK;
  • the apparatus is capable of receiving a current time from a control device and is arranged to update the stored current time with the current time received from a said control device in the case that the current time received from a said control device is more recent than the previously stored current time.
  • this allows secure wireless communication between a luminaire and a control device to be achieved without requiring a reliable or accurate real time clock to be running on the luminaire and without requiring that for example the luminaire has a backup power source to cope with power loss or outages or that the luminaire can update the clock using say an internet connection (which may not (always) be available).
  • the apparatus is arranged to check whether the current time received from the control device is more recent than the last stored current time and, if so, update the stored current time with the current time received from the control device, else, if not, then the apparatus ceases communication with the control device.
  • the processor is arranged to generate a session nonce SN as a function of the device key DK, the apparatus being arranged to engage in a secure wireless communication with a control device via the wireless communications interface after having received from the control device a predetermined message that is encrypted as a function of the session key SK and the session nonce SN.
  • a nonce is used to increase security.
  • a nonce may be for example an arbitrary number which is
  • the processor is arranged to generate the session nonce SN as a function of the device key DK and a time slot for which the session key SK may validly be used.
  • a nonce is in effect time-bound.
  • the processor is arranged to generate plural session keys SK as a function of the device key DK and respective plural time slots, the processor being arranged to attempt to decrypt the predetermined message received from the control device using the session keys SK in turn and, in the case that the processor is able to decrypt the
  • the wireless communications interface being arranged to engage in a secure wireless communication with the control device using the particular session key SK.
  • the processor may be arranged to generate plural session keys SK and plural corresponding session nonces SN as a function of the device key DK and respective plural time slots, the processor being arranged to attempt to decrypt the predetermined message received from the control device using the session keys SK and corresponding session nonces SN in turn and, in the case that the processor is able to decrypt the predetermined message using a particular session key SK and corresponding session nonce SN, then the wireless communications interface being arranged to engage in a secure wireless communication with the control device using the particular session key SK and corresponding session nonce SN.
  • the data storage is arranged to store a unique identifier UID for the luminaire and the apparatus is arranged to wirelessly broadcast the unique identifier to enable a control device to identify the luminaire.
  • the processor is arranged to generate a random number SRN which may be received by a control device to enable the control device to generate the predetermined message which is encrypted as a function of the session key SK and the random number SRN.
  • a new random number SRN may be generated when/if a new
  • the control device may generate the predetermined message which is encrypted as a function of the session key SK, the session nonce SN and the random number SRN.
  • the processor is arranged to decrypt subsequent messages that are received from and that have been encrypted by a control device as a function of the session key SK and the random number SRN (and also the session nonce in the case that a session nonce is used).
  • a method of operating a luminaire comprising:
  • a session key SK as a function of a device key DK which is stored in the luminaire and a time slot for which the session key SK may validly be used;
  • the luminaire is capable of receiving a current time from a control device and updates the stored current time with the current time received from the control device in the case that the current time received from a said control device is more recent than the previously stored current time.
  • the method comprises, prior to engaging in a secure wireless communication with the control device:
  • the method comprises:
  • the session nonce SN may be generated as a function of the device key DK and a time slot for which the session key SK may validly be used.
  • the method comprises:
  • the predetermined message can be decrypted using a particular session key SK, engaging in a secure wireless communication with the control device using the particular session key SK.
  • the method may comprise:
  • the method comprises:
  • a control device for wirelessly communicating with a luminaire comprising:
  • a processor arranged to identify a luminaire by receiving from the luminaire a unique identifier UID for the luminaire;
  • the data storage storing a session key SK for the identified luminaire
  • the processor being arranged to generate a predetermined message that is encrypted as a function of the session key SK and to wirelessly transmit the predetermined message to the luminaire;
  • control device being arranged to wirelessly transmit a current time to the identified luminaire to enable the luminaire to update a previously stored current time with the current time transmitted by the control device.
  • the data storage stores a session nonce SN for the identified luminaire; the processor being arranged such that the generated predetermined message is encrypted as a function of the session key SK and the session nonce SN.
  • control device is arranged to communicate with a server to receive from the server the session key SK for the identified luminaire to be used in encrypting communication with the identified luminaire.
  • control device is arranged to communicate with a server to receive from the server the session nonce SN for the identified luminaire to be used in encrypting communication with the identified luminaire.
  • the session key SK and, if used, the session nonce SN for the identified luminaire may for example be obtained "on-the-fly", for example from some non-local server, once the luminaire has been identified by the control device.
  • the control device may have already had session keys SK and, if used, session nonces SN for a number of luminaires already pre-stored. In that case, the control device uses the specific session key SK and, if used, the specific session nonce SN for the particular luminaire once the luminaire has been identified.
  • the session key SK and, if used, the session nonce SN for the identified luminaire may be time-bound, that is, valid only for a specific time slot.
  • control device is arranged to receive a random number SRN from the identified luminaire, and the control device being arranged such that the predetermined message that is generated is encrypted as a function of the session key SK and the random number SRN.
  • the predetermined message that is generated is encrypted as a function of the session key SK, the session nonce SN and the random number SRN.
  • a control device to wirelessly communicate with a luminaire, the method comprising:
  • the session key SK and, if used, the session nonce SN for the identified luminaire may be obtained on-the-fly once the luminaire has been identified by the control device.
  • the control device may have already had session keys SK and, if used, session nonces SN for a number of luminaires already pre-stored. In that case, the control device uses the specific session key SK and, if used, session nonce SN for the particular luminaire once the luminaire has been identified.
  • the method comprises:
  • the generating a predetermined message comprises generating a predetermined message that is encrypted as a function of the session key SK, the session nonce SN (if used) and the random number SRN.
  • a server storing a device key DK and a corresponding unique identifier UID for each of a plurality of luminaires, the server being arranged to generate a time-bound session key SK for a luminaire as a function of the device key DK for the luminaire, the server being arranged to provide the time-bound session key SK for a luminaire to a control device that has been authenticated with the server and that has provided the unique identifier UID for the luminaire to the server.
  • the server may be arranged to generate a time-bound session nonce SN for a luminaire as a function of the device key DK for the luminaire.
  • processor or processing system or circuitry referred to herein may in practice be provided by a single chip or integrated circuit or plural chips or integrated circuits, optionally provided as a chipset, an application-specific integrated circuit (ASIC), field-programmable gate array (FPGA), digital signal processor (DSP), graphics processing units (GPUs), etc.
  • the chip or chips may comprise circuitry (as well as possibly firmware) for embodying at least one or more of a data processor or processors, a digital signal processor or processors, baseband circuitry and radio frequency circuitry, which are configurable so as to operate in accordance with the exemplary embodiments.
  • the exemplary embodiments may be implemented at least in part by computer software stored in (non-transitory) memory and executable by the processor, or by hardware, or by a combination of tangibly stored software and hardware (and tangibly stored firmware).
  • a computer program may be stored/distributed on a suitable medium, such as an optical storage medium or a solid-state medium supplied together with or as part of other hardware, but may also be distributed in other forms, such as via the Internet or other wired or wireless telecommunication systems. Any reference signs in the claims should not be construed as limiting the scope.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Medical Informatics (AREA)
  • Circuit Arrangement For Electric Light Sources In General (AREA)

Abstract

Un dispositif de commande (2) destiné à communiquer sans fil avec un luminaire (1) est conçu pour identifier un luminaire (1) au moyen de la réception d'un identifiant unique du luminaire (1) en provenance du luminaire (1). Une clé temporaire destinée au luminaire identifié (1) est stockée. La clé temporaire est générée à partir d'une clé de dispositif destinée au luminaire (1) et d'un intervalle de temps durant lequel la clé temporaire peut être utilisée de manière valide. Le dispositif de commande (2) est conçu pour générer un message prédéterminé qui est chiffré à l'aide de la clé temporaire et pour transmettre sans fil le message prédéterminé chiffré au luminaire (1).
PCT/EP2018/055318 2017-03-08 2018-03-05 Dispositif de commande, appareil destiné à être utilisé dans un luminaire, procédés de fonctionnement et serveur WO2018162397A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
EP17159882 2017-03-08
EP17159882.4 2017-03-08

Publications (1)

Publication Number Publication Date
WO2018162397A1 true WO2018162397A1 (fr) 2018-09-13

Family

ID=58314105

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2018/055318 WO2018162397A1 (fr) 2017-03-08 2018-03-05 Dispositif de commande, appareil destiné à être utilisé dans un luminaire, procédés de fonctionnement et serveur

Country Status (1)

Country Link
WO (1) WO2018162397A1 (fr)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11147145B2 (en) 2018-06-05 2021-10-12 Signify Holding B.V. System, method and devices for implementing a factory reset of a luminaire
EP4142325A1 (fr) * 2021-08-23 2023-03-01 Siteco GmbH Accès sécurisé à une commande d'un luminaire

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6292896B1 (en) 1997-01-22 2001-09-18 International Business Machines Corporation Method and apparatus for entity authentication and session key generation
EP2117200A1 (fr) * 2008-05-08 2009-11-11 NTT DoCoMo, Inc. Procédé et appareil pour l'authentification de la diffusion
WO2012090122A1 (fr) * 2010-12-30 2012-07-05 Koninklijke Philips Electronics N.V. Système d'éclairage, source de lumière, dispositif et procédé d'autorisation du dispositif par la source de lumière
WO2012168888A1 (fr) 2011-06-10 2012-12-13 Koninklijke Philips Electronics N.V. Transmission de données sécurisée à des nœuds de réseau dans un réseau

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6292896B1 (en) 1997-01-22 2001-09-18 International Business Machines Corporation Method and apparatus for entity authentication and session key generation
EP2117200A1 (fr) * 2008-05-08 2009-11-11 NTT DoCoMo, Inc. Procédé et appareil pour l'authentification de la diffusion
WO2012090122A1 (fr) * 2010-12-30 2012-07-05 Koninklijke Philips Electronics N.V. Système d'éclairage, source de lumière, dispositif et procédé d'autorisation du dispositif par la source de lumière
WO2012168888A1 (fr) 2011-06-10 2012-12-13 Koninklijke Philips Electronics N.V. Transmission de données sécurisée à des nœuds de réseau dans un réseau

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11147145B2 (en) 2018-06-05 2021-10-12 Signify Holding B.V. System, method and devices for implementing a factory reset of a luminaire
EP4142325A1 (fr) * 2021-08-23 2023-03-01 Siteco GmbH Accès sécurisé à une commande d'un luminaire

Similar Documents

Publication Publication Date Title
US11626974B2 (en) System and method for securely configuring a new device with network credentials
US10721208B2 (en) System and method for automatic wireless network authentication in an internet of things (IOT) system
US10177911B2 (en) Secure PKI communications for “machine-to-machine” modules, including key derivation by modules and authenticating public keys
US10178579B2 (en) Internet of things (IoT) system and method for selecting a secondary communication channel
US20220239474A1 (en) ECDHE Key Exchange for Mutual Authentication Using a Key Server
US10498530B2 (en) Secure PKI communications for “machine-to-machine” modules, including key derivation by modules and authenticating public keys
US10419930B2 (en) System and method for establishing secure communication channels with internet of things (IoT) devices
US8738907B2 (en) Wireless device authentication and security key management
ES2877358T3 (es) Transmisión de un mensaje de baliza
JP6072782B2 (ja) ネットワークにおける安全なプロトコルの実行
US10779296B2 (en) System and method for intelligent communication channel selection for an internet of things (IoT) device
WO2019246206A1 (fr) Échange de clés ecdhe pour authentification de serveur, et serveur de clés
US11522840B2 (en) Automatic client device registration
US10009760B2 (en) Providing network credentials
US20160323100A1 (en) Key generation device, terminal device, and data signature and encryption method
EP3794852B1 (fr) Procédés et systèmes sécurisés permettant d'identifier des dispositifs connectés bluetooth avec application installée
EP3811583B1 (fr) Systèmes et procédés sécurisés de résolution d'identité de dispositif audio à l'aide d'une application à distance
ES2816379T3 (es) Transmisión de datos
US10805344B2 (en) Apparatus and method for obscuring wireless communication patterns
US11804972B2 (en) Fluid meter communicating with an electromechanical valve
WO2018162397A1 (fr) Dispositif de commande, appareil destiné à être utilisé dans un luminaire, procédés de fonctionnement et serveur
JP6426581B2 (ja) 無線システム、基地局装置、端末装置および識別情報報知方法
US11962575B2 (en) Data transmission method, communication processing method, device, and communication processing program

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 18707388

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 18707388

Country of ref document: EP

Kind code of ref document: A1