The present invention relates to an access control system for a people conveyor control system, and to an access control method for a people conveyor control system.
Nowadays operation of people conveyors like elevators, escalators or moving walkways is typically controlled by an electronic control system comprising at least one microcontroller, but usually several microcontrollers in communication with each other and controlled by a main controller, and the corresponding periphery like RAM/ROM memories, interfaces, I/O devices, bus systems, etc. Maintenance of such people conveyor control systems typically requires to carry out specific procedures, and therefore interaction with, and manipulation of, the conveyor control system. More and more for carrying out maintenance operations, external maintenance tools are used which communicate with the conveyor control system via suitable connectors, and access the people conveyor control system from outside to perform various maintenance routines and manipulate operation parameters stored in the conveyor control system. External maintenance tools often are PC based computer devices, e.g. laptop computers or palms.
It is a strong desire to restrict access to the conveyor control system for maintenance purposes to qualified and authorized personnel only, and moreover for specifically dedicated maintenance routines only. Maintenance usually requires the access to proprietary operational data of the conveyor control system, and the manipulation of such data, with the result that maintenance not only requires read access to the conveyor control system, but both read and write access. Maintenance further often requires to carry out very special operation procedures (e.g test runs of the conveyor at specific speeds and in specific moving patterns for calibrating new devices or testing performance of critical devices like brakes). Clearly such operation procedures are to be kept strictly non-accessible to non-authorized users.
Passwords can be used for restricting grant of access to the conveyor control system, at least with respect to those functions and/or data relevant for maintenance (in the following such data/functions will also be called maintenance data/functions). However, passwords, on the one hand, are inconvenient, since the passwords have to be assigned to the specific conveyor installations, respectively, and the service persons have to remember the passwords to be used for a specific installation. This restricts the number of password that can be used and requires the use of simple, probably non-unique passwords that cannot be changed easily. It will be comparatively easy to find out these passwords, and therefore only poor protection of the proprietary control software can be achieved. Alternatively, more complicated passwords or even encryption keys could be used. For efficiency purposes such passwords/encryption keys would have to be stored in some form in connection with the external tools. Such approach, however, leads to severe data safety problems, because owing to the external tools being PC based devices, it is not too difficult for unauthorized persons to read out such passwords/encryption keys from the external tool's memory. Similar problems apply to any encryption approaches as long as a key is to be stored in a PC based external device.
It is known to grant access to an elevator control system by use of memory cards that are to be inserted into a corresponding slot provided somewhere at the elevator (e.g. at a control panel), see e.g EP 0 615 945 A1. Inserting a memory card storing information on maintenance procedures to be carried out, and relevant parameters, allows to read the relevant data for carrying out a maintenance operation from the memory card into the elevator control system, and therefore a control of maintenance procedures can be effected by simply handing out to a service person the memory card required for providing desired maintenance operations at a specific elevator installation. However, in case the memory card gets lost, the data thereon will enable any person to have access to the elevator control. Moreover, meanwhile efficient procedures exist by which the data structures on such memory cards can be read out by unauthorized persons.
It would be beneficial to have an improved possibility of preventing unauthorized access to the control system of a people conveyor. It would be particularly beneficial if such prevention of unauthorized access would be more secure, but nevertheless not involve significantly more efforts in practical use.
An exemplary embodiment of the invention provides an access control system for a people conveyor control system, comprising an authentication prooving device adapted to communicate—directly or indirectly via at least one further device—with a people conveyor control system, said authentication prooving device having a central processor unit (CPU) and a read protected memory being protected from read and write access by external applications, said authentication prooving device storing in its read protected memory program code to carry out a verification procedure in response to a verification request from said people conveyor control system, and to send a verification signal to said people conveyor control system, said people conveyor control system in response to receipt of said verification signal selectively allowing or denying access to specific sections of said people conveyor control system and/or to specific functions implemented in said people conveyor control system.
Another exemplary embodiment provides a method for controlling access to a people conveyor control system, comprising the steps of providing an authentication prooving device having a central processor unit CPU and a read protected memory being protected from read and write access by external applications; storing in said read protected memory of said authentication prooving device program code to carry out a verification procedure in response to a verification request, and to output a verification signal; communicating said authentication prooving device—directly or indirectly via at least one further device—with said people conveyor control system; sending a verification request from said people conveyor control system to said authentication prooving device; in said authentication prooving device, in response to receipt of said verification request, determining a verification signal, and sending said verification signal to said people conveyor control system; and in said people conveyor control system, in response to receipt of said verification signal, selectively allowing or denying access to specific sections of said people conveyor control system and/or to specific functions implemented in said people conveyor control system.
Exemplary embodiments of the invention will be described in greater detail below taking reference to the accompanying drawings.
In all Figs. components of respective embodiments being identical or having corresponding functions are denoted by the same reference numerals. In the following description such components are described only with respect to one of the embodiments comprising such components. It is to be understood that the same description applies in respective following embodiments where the same component is included and denoted by the same reference numeral. Insofar, unless anything is stated to the contrary, it is generally referred to the corresponding description of that component in the respective earlier embodiment.
All
By interconnecting the pass-through dongle 14 in between the external tool 12 and the conveyor control system 10, any older maintenance tools 12 basically not equipped for access to modern conveyor control systems 10 involving management of access to the control system according to a dedicated structure of access rights, can still be used for purpose of providing maintenance. The procedures necessary for granting access to the conveyor control system 10, and interrupting data flow, if necessary, are included in the dongle device 14.
Also the add-on dongle device 16 of
As outlined above, the embodiments described herein allow to prevent unauthorized access to the control system of a people conveyor. Particularly with respect to known approaches such prevention of unauthorized access can be more secure, but nevertheless does not require significantly more efforts in practical use.
An exemplary embodiment of the invention provides an access control system for a people conveyor control system, comprising an authentication prooving device adapted to communicate—directly or indirectly via at least one further device—with of a people conveyor control system (e.g with an an I/O section thereof), the authentication prooving device having a central processor unit (CPU) and a read protected memory being protected from read and write access by external applications, said authentication prooving device storing in its read protected memory program code to carry out a verification procedure in response to a verification request from the people conveyor control system, and to send a verification signal to said people conveyor control system, the people conveyor control system in response to receipt of the verification signal selectively allowing or denying access to specific sections of the people conveyor control system and/or to specific functions implemented in the people conveyor control system.
Access to specific sections of the people conveyor control system may involve to read out data stored in the conveyor control system and/or to write data into the conveyor control system, even replacing existing data. Access to specific functions implemented in the people conveyor control system may involve to call specific control routines, such that these routines are carried out by the conveyor control system.
The authentication prooving device may include a read protected memory in which software code is stored enabling the authentication prooving device to carry out, upon receipt of a verification request, calculation of a verification response. Particularly, this protected memory may be protected against any access by external applications, i.e. against write access as well as against read access. Similarly, also the CPU of the authentication prooving device may be non-accessible by any external applications, thereby forming a protected microcontroller section. Blocking of access may well be achieved by hardware, e.g. by using read and/or write protected memory circuits, and even one-time programmable memory circuits, and by restricting a data bus to communications between the protected memory and the CPU of the authentication prooving device. For receipt of verification requests and output of a verification signal according to a calculated verification response, in an embodiment the authentication prooving device can be provided with one or more specifically dedicated I/O ports, which I/O ports have lock functionalities, i.e. data can be put to the I/O ports from the protected memory/protected microcontroller section and/or from the conveyor control system, and data can be read from the I/O ports by the protected memory/protected microcontroller section and/or by the conveyor control system, but exchange of such data is realized via data links different from the internal data bus of the protected microcontroller section communicating the protected memory with the CPU of the authentication prooving device. A number of various realizations of such concepts are readily available to skilled persons.
In an embodiment the people conveyor control system may comprise at least one microcontroller having a protected section including a CPU and at least one read protected memory (including RAM and ROM sections), and having at least one I/O section, in particular a serial I/O section and/or a wireless communications (e.g. Bluetooth or RFID) I/O section. The protected section of the microcontroller may comprise at least one cryptoprocessor, in particular an asymmetric cryptoprocessor.
In a further embodiment the request for verification may include input data from the people conveyor control system, the input data being specific for the people conveyor control system (e.g. referring to a serial number of the conveyor control system and/or conveyor installation).
In the embodiments described, the conveyor control system permits access from external devices or external applications according to an authentication procedure, i.e. the external device or external application has to provide a verification signal in response to a specific verification request. The response signal will typically involve a calculation on the basis of specific input data provided with the verification request by the conveyor control system. In case the authentication prooving device comprises a cryptoprocessor, such calculation can be done in the authentication prooving device, and only the verification request and the verification signal need to be communicated, if desired in encrypted form. The verification procedure may use an asymmetric encryption scheme using private and public keys.
The verification request can be determined according to specific classes of requests for access to the conveyor control system received from external devices or external applications. In this way, it is possible to manage grant of access with respect to various sections of the conveyor control system in response to specific requests for access. E.g. the conveyor control system may be adapted to grant a restricted form of access by external devices or external applications without the need of any verification procedure (such access might be access for ordinary use of the people conveyor, or access to bring the conveyor into a safe position in an emergency situation). Other forms of access, e.g. for carrying out predetermined maintenance procedures or for enabling predetermined additional operational functions of the conveyor, may only be allowed in response to receipt of a valid verification signal.
The embodiments of an access control system and corresponding access control method disclosed herein are applicable to various types of people conveyors like elevators, escalators or moving walkways.
The authentication prooving device may be connectable to an external device, e.g. a portable maintenance tool, this external device being a physically external device adapted to access the conveyor control system and to manipulate data stored in the conveyor control system and/or to call functions implemented in the conveyor control system.
Data as is used in this disclosure may refer to operational parameters of the people conveyor system, among others. Maintenance functions of the conveyor control system, as is used in this disclosure, may basically refer to operational routines for carrying out specific procedures for maintenance and test purposes of the people conveyor, like calibration runs at commissioning, runs for testing braking performance, etc. Further the present disclosure may be applicable to activation and/or deactivation of so-called “add-on functions” of the people conveyor control system which enable/disable operational functionalities of a people conveyor beyond the standard operational functionalities.
The authentication prooving device may be adapted to carry out, if desired with the aid of a cryptoprocessor, an asymmetric encryption/decryption procedure using private keys and public keys. Particularly, in this case the authentication prooving device may store in its read protected memory at least one private key assigned to at least one public key. The public key will be available to the conveyor control system, e.g. stored in a memory of the authentication prooving device that is accessible by the elevator control system for read access, or be stored in a—local or remote—database accessible by the elevator control system. Since in such asymmetric encryption/decryption procedure the private key cannot be inferred from knowledge of the public key, there is no need to protect the public key, and therefore the public key can be exchanged via any data communication path, including public networks. The private key is stored in the read protected memory only and cannot be read out from that memory.
The authentication prooving device may further be adapted to carry out a so-called interactive proof authentication procedure in response to a request for verification from the people conveyor control system. An interactive proof system may be understood in the sense of an abstract machine that models computation as the exchange of messages between two parties, the verifier (in the present case the conveyor control system) and the prover (in the present case the authentication prooving device). In the context of the present disclosure the conveyor control system and the authentication prooving device interact by exchanging verification requests and verification signals, respectively, in order to ascertain whether a given request for access to the conveyor control system is authenticated or not. Verification requests and verification signals are sent between the conveyor control system and the authentication prooving device repeatedly, until the conveyor control system has “convinced” itself that the request for access is authorized. A characteristic of such interactive approach is that for authentication purposes no direct exchange of any pass phrases is required. Rather, such pass phrases are always kept within the read protected memory of the authentication prooving device.
A typical interactive proof authentication procedure may proceed as follows: in a verification request the conveyor control system requests the authentication prooving device to carry out a specific calculation on the basis of input data randomly chosen by the conveyor control system, and to send the result of this calculation, included in a verification signal, back to the conveyor control system. The requested calculation is selected such that the result depends on the input data and on a specific pass phrase stored in the read protected memory of the authentication prooving device. The calculation is carried out within the read protected CPU and memory of the authentication prooving device. Only the result of this calculation is sent back with the verification signal from the authentication prooving device to the conveyor control system. The pass phrase is not given to outside the read protected sections of the authentication prooving device's CPU/memory. The conveyor control system, after receiving the verification signal, is able to verify whether the result of the calculation is correct, but is not able to infer the pass phrase from the verification signal.
When carrying out this procedure only once, depending on the difficulty of the calculation, there is a possibility that an authentication prooving device not knowing the correct pass phrase nevertheless is able to produce, by accident, a correct result, and hence a verification signal that is considered true (in this case a false authorization would result). In case a difficult calculation is requested, the chance of such accidentally correct result can be close to zero, but in case of a simpler calculation this chance can be much higher. By repeating the interactive proof sequence, as described before, a plurality of times, each time using different input parameters chosen randomly, the probability of an accidentally successful authorization will decrease with increasing number of times the calculation is repeated. Therefore the number of suitable types of calculations becomes larger in case the interactive proof sequence is repeated a sufficient number of times.
In a particular embodiment the authentication prooving device may be adapted to carry out a so-called zero knowledge interactive proof (ZKIP) authentication procedure in response to a request for verification from the people conveyor control system. Such zero-knowledge proof or zero-knowledge protocol may be implemented by an interactive procedure in which the authentication prooving device calculates a (usually mathematical) statement, and sends the statement to the conveyor control system which proves whether this statement is true. No further information is sent to the conveyor control system than the trueness or falseness of the statement. There are several ways to implement zero knowledge interactive proof verification procedures, e.g. the ones disclosed in U.S. Pat. No. 4,748,668 (published in 1988) and U.S. Pat. No. 4,926,479 (published in 1990), the disclosure of which is incorporated herein by reference.
A particular characteristic of zero knowledge interactive proof verification procedures as described above is that no knowledge about a private sequence or private encryption key stored in the read protected memory of the authentication prooving device can be inferred from the messages communicated between the conveyor control system and the authentication prooving device, in particular from the verification signal, and any program code stored in the memory of the conveyor control system.
As an alternative or additional measure any other asymmetric encryption scheme, e.g. encryption and decryption of a password sequence by public and private keys, may be considered.
In an embodiment the authentication prooving device may comprise a dongle device and/or a smartcard.
A dongle device as used herein may describe a physical security device (a piece of hardware) that connects in some way to the people conveyor control system and is able to carry or create any physical electronic key or transferable ID required for a specific section of the people conveyor control system to function. A dongle device according to this disclosure may connect to the people conveyor control system via a wired connection, e.g. a serial connector, or via a wireless connection, e.g. using Bluetooth or RFID techniques. It is even conceivable that such dongle devices connect to the people conveyor control system remotely via a wired or wireless network. Such network may be a public network, like the internet, or a proprietary network.
In recent time smartcards including an own central processing unit and memory have become popular to provide functions that formerly had been provided by “classical” dongles, and therefore may be regarded as dongle devices in the sense of the present disclosure. Particularly with smartcards wireless connection techniques like Bluetooth or RFID may be realized. A particular advantage of smartcards is the possibility of cost efficient manufacturing of such smartcards in large numbers, each smartcard including the required circuitry for a read/write protected microcontroller including the corresponding read/write protected memories, at prices of only few cents per smartcard. Further, the format of smartcards is ideal for being distributed among service persons.
There are conceivable some alternatives or additional components to the provision of dongle devices: E.g. in a possible embodiment a central server may be provided as an external device which builds up connection to the people conveyor control system via a wired network (public network like the internet, or proprietary network) or via a mobile communications network, once a maintenance procedure is to be carried out. The authentication prooving device may be integrated in the central server or may be a device external to the server and adapted to communicate with the server and/or with the conveyor control system.
The access control system as described above allows to define a set of different access levels and/or different classes of access to the conveyor control system (e.g. routine maintenance, upgrades, overhaulings, etc.) which can each be assigned to different classes of service persons. Specific parameters of a particular installation are accessible only for the specific class of service persons that need to have access to do specific maintenance work. This can be achieved very simply by merely distributing respective dongles devices to service persons according to their different access levels and in accordance with maintenance procedures scheduled for an installation.
In an embodiment the authentication prooving device may be adapted to store the information and/or data in the read protected memory in a temporally limited way. This provides for even better protection, as access rights to the conveyor control system granted once will expire after lapse of a predetermined time. This further allows to regularly update access rights with respect to service persons and installations under service.
A dongle, a smartcard or other alternatives as mentioned above, provide an easy to handle and transparent hardware solution to the complex structures of access rights. Further, dongles and particularly smart cards are efficient to produce and therefore cost effective.
The dongle device may have a first terminal connectable to a terminal of the people conveyor control system. The dongle device can simply be plugged in on-site, e.g. via USB-connection, other suitable serial connection or parallel connection, or via a smart card reading device. Alternative, the dongle device may communicate with a wireless port of the conveyor control system, e.g. a Bluetooth connection.
Further the dongle device may have a second terminal connectable to a terminal of an external device, e.g. a PC based maintenance tool.
Particularly, the external device may a portable maintenance tool, e.g. a maintenance tool based on standard PC components (typically in the form of a laptop computer or a similar portable device including a microprocessor and peripheral components). The second terminal may be connectable to a serial I/O port of the external device.
In an embodiment the first and second terminals of the dongle device may be connected in series. In this way a so called “pass through dongle device” is realized. The particular advantage of such “pass-through dongle device” is that external devices not equipped for carrying out a verification procedure and providing a verification signal in response to a conveyor control system's verification request, in particular older maintenance tools, can still be used for servicing, in case a dongle device is connected in the line connecting the maintenance tool with the conveyor control system. For purposes of the authentication procedure, the pass-through dongle device then simulates the maintenance tool, such that for the conveyor control system the situation is identical as in the case it was connected to a maintenance tool including an authentication processor. A pass-through dongle device may be constructed such that all other data communication between the external device and the conveyor control system will not be obstructed or modified, but rather pass through the dongle device.
A pass-through dongle device can further have the first terminal being of a different type than the second terminal, and thereby accommodate for different terminals of the external device and the people conveyor control system.
Alternatively, it is conceivable that the dongle device has only a first terminal, or that the dongle device has first and second terminals being connected in parallel. In this way a so-called “add-on dongle device” can be realized. Also such add-on dongle device may be useful for connecting to external devices not equipped for carrying out an authentication procedure, like older maintenance tools. In this case the external device will be connected to the conveyor control system directly, and the dongle device will be connected to a suitable terminal of the external device. The direct connection between the external device and the elevator control can be realized by way of suitable connectors (e.g. via USB, other serial connectors, parallel connectors) or wirelessly (e.g. via Bluetooth, RFID), but also in a remote form by use of any suitable networks, being wired or wireless. Such networks may be public networks, like the internet, or proprietary networks. A direct link of the dongle device to the conveyor control system is not necessary, as the external device will redirect a verification request from the conveyor control system to the dongle device, and the dongle device will send the verification signal to the external device from which it is redirected to the conveyor control system.
A principal advantage of an access control system according to the embodiments described above is the possibility of controlling, by way of handing out specific authentication prooving devices to different users (e.g. service persons), a variety of different access rights to access different sections and/or levels of the conveyor control system. This can be implemented for a variety of different purposes and to a variety of very differently skilled users, e.g. service persons.
In a further particular embodiment providing the same advantages and possibilities as outlined above, a method for controlling access to a people conveyor control system is provided, comprising the steps of providing an authentication prooving device having a central processor unit (CPU) and a read protected memory being protected from read and write access by external applications; storing in the read protected memory of the authentication prooving device program code to carry out a verification procedure in response to a verification request, and to output a verification signal; communicating the authentication prooving device—directly or indirectly via at least one further device—with the people conveyor control system; sending a verification request from the people conveyor control system to the authentication prooving device; in the authentication prooving device, in response to receipt of the verification request, determining a verification signal, and sending the verification signal to the people conveyor control system; and in the people conveyor control system, in response to receipt of the verification signal, selectively allowing or denying access to specific sections of the people conveyor control system and/or to specific functions implemented in the people conveyor control system.
While the invention has been described with reference to exemplary embodiments, it will be understood by those skilled in the art that various changes may be made and equivalents may be substituted for elements thereof without departing from the scope of the invention. In addition, many modifications may be made to adapt the particular situation or material to the teachings of the invention without departing from the essential scope thereof. Therefore it is intended that the invention not be limited to the particular embodiments disclosed, but that the invention will include all embodiments falling within the scope of the appended claims.
Filing Document | Filing Date | Country | Kind | 371c Date |
---|---|---|---|---|
PCT/EP2008/010846 | 12/18/2008 | WO | 00 | 6/17/2011 |