METHOD AND APPARATUS FOR AUTHENTICATING A USER OF A COMPARTMENT INSTALLATION

20210216619 · 2021-07-15

Abstract

A method comprising performing a process for authenticating a user of a compartment installation vis-à-vis a backend system managing the compartment installation. A necessary condition for performing the process for authenticating the user is that a proximity check has revealed that a mobile device of the user is situated at the location of the compartment installation, and/or that an occupancy check has revealed that the compartment installation contains at least one shipment assigned to the user. A corresponding apparatus, a corresponding system and a corresponding computer program are furthermore disclosed.

Claims

1. An apparatus comprising at least one processor and at least one memory that includes program code, wherein the memory and the program code are configured to cause an apparatus with the at least one processor to implement and/or to control at least: performing a process for authenticating a user of a compartment installation vis-à-vis a backend system managing the compartment installation, wherein a necessary condition for performing the process for authenticating the user is that a proximity check has revealed that a mobile device of the user is situated at the location of the compartment installation, and/or that an occupancy check has revealed that the compartment installation contains at least one shipment assigned to the user.

2. The apparatus according to claim 1, wherein under the condition that a close-range data communication connection between the compartment installation and the mobile device is establishable or has been established, the proximity check reveals that the mobile device is situated at the location of the compartment installation.

3. The apparatus according to claim 1, wherein under the condition that the backend system may decrypt a message encrypted by the compartment installation and/or that the backend system has ascertained the integrity and authenticity of a message provided with a signature by the compartment installation, the proximity check reveals that the mobile device is situated at the location of the compartment installation.

4. The apparatus according to claim 1, wherein the result of the proximity check is determined not solely by means of a position determination performable independently by the mobile device, preferably without independent position determination by the mobile device.

5. The apparatus according to claim 1, wherein the result of the proximity check and the result of the occupancy check are taken into account in a cascaded manner as the necessary condition for performing the process for authenticating the user.

6. The apparatus according to claim 1, wherein the result of the occupancy check is only determined and/or taken into account as the necessary condition for performing the process for authenticating the user if the proximity check has revealed or reveals that the mobile device is situated at the location of the compartment installation.

7. The apparatus according to claim 1, wherein the result of the occupancy check is defined by the backend system on the basis of one or more pieces of access request information provided by the mobile device.

8. The apparatus according to claim 1, wherein a data communication connection between the backend system and the compartment installation is operated, preferably only, by means of relaying through the mobile device.

9. The apparatus according to claim 8, wherein the data communication connection between the backend system and the compartment installation is established and operated only under the necessary condition that the proximity check has revealed that the mobile device is situated at the location of the compartment installation, and/or that the occupancy check has revealed that the compartment installation contains at least one shipment assigned to the user.

10. The apparatus according to claim 8, wherein the data communication connection between the backend system and the compartment installation is established and operated only under the necessary condition that the user was successfully authenticated.

11. The apparatus according to claim 1, wherein the memory and the program code are further configured to cause the apparatus with the at least one processor to implement and/or to control: generating a temporary session key; encrypting the temporary session key generated, preferably by means of asymmetric encryption; and transmitting the encrypted session key to the backend system.

12. The apparatus according to claim 1, wherein the memory and the program code are further configured to cause the apparatus with the at least one processor to implement and/or to control: receiving an encrypted session key, preferably encrypted by means of asymmetric encryption, from the compartment installation; decrypting the encrypted session key; and end-to-end encrypting, using the decrypted session key, of a data communication between the backend system and the compartment installation, preferably by means of symmetric encryption.

13. The apparatus according to claim 1, wherein the memory and the program code are further configured to cause the apparatus with the at least one processor to implement and/or to control: generating, upon successful authentication of a user, token information assigned to the user and outputting it to the mobile device for storage for a future process for authenticating the user.

14. The apparatus according to claim 1, wherein the memory and the program code are further configured to cause the apparatus with the at least one processor to implement and/or to control: receiving token information assigned to a previous successful authentication of the user from the mobile device; checking the received token information for validity; and relaxing or cancelling a limitation, for the user specified by the valid token information, of a maximum number of processes for authenticating the user that are performable with a negative authentication result.

15. The apparatus according to claim 1, wherein an additional necessary condition for performing the process for authenticating the user is that an authentication enquiry that is intended to initiate the process for authenticating the user has not been classified as suspicious on the basis of a counter.

16. The apparatus according to claim 1, wherein the apparatus comprising the at least one processor and the at least one memory is an apparatus of the backend system.

17. A method, comprising: performing a process for authenticating a user of a compartment installation vis-à-vis a backend system managing the compartment installation, wherein a necessary condition for performing the process for authenticating the user is that a proximity check has revealed that a mobile device of the user is situated at the location of the compartment installation, and/or that an occupancy check has revealed that the compartment installation contains at least one shipment assigned to the user.

18. The method according to claim 17, wherein under the condition that a close-range data communication connection between the compartment installation and the mobile device is establishable or has been established, the proximity check reveals that the mobile device is situated at the location of the compartment installation.

19. The method according to claim 17, wherein under the condition that the backend system may decrypt a message encrypted by the compartment installation and/or that the backend system has ascertained the integrity and authenticity of a message provided with a signature by the compartment installation, the proximity check reveals that the mobile device is situated at the location of the compartment installation.

20. A computer program, comprising program instructions that cause a processor to perform and/or control the following when the computer program runs on the processor: performing a process for authenticating a user of a compartment installation vis-à-vis a backend system managing the compartment installation, wherein a necessary condition for performing the process for authenticating the user is that a proximity check has revealed that a mobile device of the user is situated at the location of the compartment installation, and/or that an occupancy check has revealed that the compartment installation contains at least one shipment assigned to the user.

Description

[0056] In the figures:

[0057] FIG. 1 shows a schematic illustration of an exemplary embodiment of a system according to the present invention;

[0058] FIG. 2 shows a flow diagram of an exemplary embodiment of a method according to the present invention;

[0059] FIG. 3 shows a flow diagram of an exemplary embodiment of a method according to the present invention;

[0060] FIG. 4 shows a flow diagram of an exemplary embodiment of a method according to the present invention;

[0061] FIG. 5 shows a flow diagram of an exemplary embodiment of a method according to the present invention;

[0062] FIG. 6 shows a flow diagram of an exemplary embodiment of a method according to the present invention; and

[0063] FIG. 7 shows a flow diagram of an exemplary embodiment of a method according to the present invention.

DETAILED DESCRIPTION OF SOME EXEMPLARY EMBODIMENTS OF THE INVENTION

[0064] FIG. 1 schematically shows a system 1 in accordance with an exemplary embodiment of the present invention.

[0065] The system 1 comprises a compartment installation 3 having a plurality of compartments, one compartment of which is provided with reference sign 30 in FIG. 1. Each of the compartments 30 of the compartment installation 3 is provided for receiving a shipment for an individual user. A plurality of compartments may also be assigned to an individual user. Each compartment is locked or closed in the basic state and may be electrically unlocked or opened in an instruction-controlled manner and individually by, for example, a lock control unit provided in the compartment installation 3. One example of such a compartment installation is a compartment installation in accordance with the applicant's known package station concept.

[0066] The compartment installation 3 is equipped with one or more communication interface(s) 9 comprising for example an interface for wireless communication with the mobile device 4, for example by means of optical transmission and/or by means of communication based on electrical, magnetic or electromagnetic signals or fields, in particular close-range communication e.g. based on Bluetooth, WLAN, ZigBee, NFC and/or RFID. The compartment installation 3 is not configured for direct communication with the backend system 2, for example, that is to say does not have for example a communication interface that enables access to the internet or to some other network to which the backend system 2 is connected. The compartment installation is not configured for long-range communication, in particular, that is to say does not have in particular an interface to a cellular mobile radio system, a DSL interface or a local area network (LAN) interface.

[0067] The current occupancy of the compartments 30 of the compartment installation 3 with the user/compartment assignment is managed centrally by a backend system 2, for example. Alternatively or optionally, the current compartment occupancy with the user/compartment assignment may be stored in the compartment installation 3. The backend system 2 provides central management in respect of which user should be granted access to which compartment 30 of the compartment installation 3, said compartment being locked in the basic state. Users may be understood to mean for example persons who use the compartment installation for receiving and/or sending shipments (e.g. parcels, letters, meals, food, etc.), and deliverers who deliver such shipments into the compartment installation or collect them from the compartment installation. A user may be a human being or a machine, e.g. a vehicle, a robot or a drone, to name just a few examples.

[0068] For the user 5 to identify himself/herself vis-à-vis the backend system 2 as a user who has access authorization for a compartment 30, said user, by using a mobile device 4 (which may be for example a mobile phone, in particular a smartphone, or a handheld scanner of a deliverer), must provide pieces of access request information which are to be checked for their validity and which are transmitted to the backend system 2. On the mobile device 4, for example a smartphone, an app, that is to say a complex program, is implemented, for example, which the user installed and started on the mobile device 4 at an earlier point in time, for example upon his/her registration to use the system 1. The mobile device 4 is configured to establish a close-range data communication connection 6, for example Bluetooth, ZigBee, NFC, RFID or WLAN, to the compartment installation 3 or the communication interface 9 thereof and to establish a long-range data communication connection 7, for example via a data communication connection of a cellular mobile radio system, to the backend system 2 or the communication interface 10 thereof, as illustrated by respective arrows in FIG. 1. By way of example, the communication between the mobile device 4 and the backend system 2 is based on the Internet Protocol (IP), wherein the backend system 2 is reachable via the internet, and the mobile device 4 accesses the internet via a wireless radio connection (e.g. a cellular mobile radio connection). The communication between the mobile device 4 and the backend system 2 may be effected in partly or fully encrypted fashion. An app or a program that controls communication with the compartment installation 3, the user 5 and also with the backend system 2 may be installed on the mobile device 4. As a result, the user 5 may use a commercially available smartphone as mobile device 4, for example, on which such an app then merely has to be installed and activated, for example by means of registration in the backend system 2.

[0069] The backend system 2 is formed by at least one server apparatus (having at least one processor) 21 and at least one storage apparatus 22, which are coupled to one another for data exchange. Pieces of access authorization information which are assigned to registered users of the system 1 and which are at least in part static or variable over time are stored in the storage apparatus 22. By way of example, a user identifier is static, while a collection code (e.g. an mTAN) is allocated anew for each shipment. The server apparatus 21 performs a process for authenticating the user 5 by comparing the pieces of access request information provided by the user 5 with pieces of access authorization information stored for this user 5 in the storage apparatus 22. Under the necessary condition of correspondence between the pieces of access request information provided and the pieces of access authorization information stored for the user 5 seeking access, the user 5 is authenticated by the backend system 2 and authorized for access to one or more compartments 30 of the compartment installation 3. Otherwise, the backend system 2 denies the user 5 access to compartment(s). The authorization is effected by the backend system 2 instructing the compartment installation 3 to electrically unlock or open the compartment or compartments 30 assigned (in particular temporarily) to the user 5. In the embodiment illustrated in FIG. 1, the instruction from the backend system 2 to the compartment installation 3 is transmitted firstly via the long-range data communication connection 7 to the mobile device 4 and then from the mobile device 4 to the compartment installation 3 via the close-range data communication connection 6. In accordance with the embodiment illustrated in FIG. 1, there is no direct data communication connection between the backend system 2 and the compartment installation 3, rather they may communicate with one another only by way of data relaying via the mobile device 4.

[0070] FIG. 2 to FIG. 5 are in each case flow diagrams for illustrating exemplary embodiments of the method according to the present invention.

[0071] In the exemplary method illustrated in FIG. 2, firstly a step 200 involves checking whether the result of the proximity check is that the mobile device of the user is situated at the location of the compartment installation. If this is not the case, then the method is ended. Otherwise, if the result of the proximity check is positive, that is to say that the mobile device is situated at the location of the compartment installation, step 200 is followed by step 250, in which the process for authenticating the user is performed.

[0072] In the exemplary method illustrated in FIG. 3, in comparison with the method illustrated in FIG. 2, the result of the occupancy check replaces the result of the proximity check. Step 310 involves checking whether the result of the occupancy check is that the compartment installation contains at least one shipment assigned to the user. If the compartment installation does not contain a shipment assigned to the user, the method is ended. Otherwise, if the result of the occupancy check is positive, that is to say that the compartment installation contains at least one shipment assigned to the user, step 310 is followed by step 350, in which the process for authenticating the user is performed.

[0073] In the exemplary methods illustrated in FIG. 4 and FIG. 5, the result of the proximity check in step 400 and 500, respectively, and the result of the occupancy check in step 410 and 510, respectively, are evaluated in a cascaded manner. If the result of the check taken into account first, that is to say the proximity check in step 400 in FIG. 4 and respectively the occupancy check in step 510 in FIG. 5, is negative, then the method is ended without taking account of the result of the second check, that is to say the occupancy check in step 410 in FIG. 4 and respectively the proximity check in step 500 in FIG. 5. It is only if the result of the proximity check and the result of the occupancy check are both positive that the method is not terminated, and the process for authenticating the user is performed in step 450 and 550, respectively.
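As an added illustration of the cascaded evaluation in FIG. 4 and FIG. 5 (this program is not part of the patent; the Gate type, its callback checks and the trace it records are assumptions made for the example), the following Go code runs the proximity check and the occupancy check in either order and records which of them were actually evaluated:

```go
package main

import "fmt"

// CheckOrder selects which check is evaluated first: FIG. 4 evaluates the
// proximity check (step 400) before the occupancy check (step 410), FIG. 5 the
// occupancy check (step 510) before the proximity check (step 500).
type CheckOrder int

const (
	ProximityFirst CheckOrder = iota
	OccupancyFirst
)

// Gate wires the two checks in as callbacks so a caller can observe which of
// them were actually evaluated; Trace lists them in evaluation order.
type Gate struct {
	Proximity func() bool // true when the mobile device is at the installation
	Occupancy func() bool // true when a shipment for the user is present
	Trace     []string
}

func (g *Gate) eval(name string, check func() bool) bool {
	g.Trace = append(g.Trace, name)
	return check()
}

// MayAuthenticate returns true only if both checks are positive. Because the
// checks cascade, a negative first result ends the method before the second
// check runs: a device that is not at the installation never causes an
// occupancy lookup and never reaches the authentication process (step 450/550).
func (g *Gate) MayAuthenticate(order CheckOrder) bool {
	g.Trace = nil
	first, second := g.Proximity, g.Occupancy
	names := [2]string{"proximity", "occupancy"}
	if order == OccupancyFirst {
		first, second = second, first
		names = [2]string{"occupancy", "proximity"}
	}
	if !g.eval(names[0], first) {
		return false
	}
	return g.eval(names[1], second)
}

func main() {
	// Constructed scenario: the device is remote but a shipment is waiting.
	g := &Gate{
		Proximity: func() bool { return false },
		Occupancy: func() bool { return true },
	}
	fmt.Println(g.MayAuthenticate(ProximityFirst), g.Trace) // false [proximity]
	fmt.Println(g.MayAuthenticate(OccupancyFirst), g.Trace) // false [occupancy proximity]
}
```

The trace makes the practical difference between the two orders visible: with the proximity check first, a device that is not at the installation triggers no occupancy lookup at all, so the backend or installation never discloses whether a shipment is waiting for a given user identifier to a party that is not physically present.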

[0074] FIG. 6 is a flow diagram of an exemplary embodiment of a method according to the present invention with a detailed illustration of individual steps and of the data exchange respectively associated therewith between the mobile device, the compartment installation and the backend system.

[0075] In step 601, the user 5 operates the app implemented on the mobile device 4 to initiate an access request ZA for the compartment installation 3. Afterward, in step 602, the mobile device 4 or the app asks the user 5 to input pieces of access request information ZAI, specifically in the form of a user identifier BK and a collection code AC, which the user 5 inputs into the mobile device 4 or provides for the latter in the subsequent step 603.

[0076] After the pieces of access request information have been provided by the user, the proximity check NP follows, beginning with step 610. Specifically, in step 610 the mobile device 4 directs a request to the compartment installation 3 to establish a close-range data communication connection, such as Bluetooth, ZigBee, NFC, RFID or WLAN, for example, as illustrated by the connection line provided with reference sign 6 in FIG. 1. Alternatively, the request to establish the close-range data communication connection may also originate from the compartment installation 3. If the requested close-range data communication connection cannot be established (for example because the distance between the mobile device 4 and the compartment installation 3 is too great), the mobile device 4 terminates the method sequence and notifies the user 5 of the termination of his/her access request in step 611.

[0077] Otherwise, that is to say in the case where the close-range data communication connection between the mobile device 4 and the compartment installation 3 is established or arises successfully, the compartment installation 3 generates a random temporary session key S in step 612. Afterward, in step 614, the temporary session key S is subjected to asymmetric encryption, for example using RSA with a 2048-bit key, by the compartment installation. The public key required for this purpose has been stored in the compartment installation 3, for example during the manufacture or start-up thereof, or during installation of the firmware or during the last firmware update. In step 616, the mobile device 4 ascertains successful establishment of the close-range data communication connection as the result of the proximity check E(NP). In addition, in step 616, the encrypted session key A_S is transmitted from the compartment installation to the mobile device 4 via the close-range data communication connection established. In another embodiment, the encrypted session key A_S is transmitted from the compartment installation 3 to the mobile device 4 separately, for example only after a positive occupancy check, that is to say not in association with the proximity check.

[0078] Since the proximity check has revealed that the mobile device 4 is situated at the location of the compartment installation 3, the close-range data communication connection between the compartment installation 3 and the mobile device 4 having been established, the mobile device 4 or the app next initiates the determination of the result of the occupancy check BP by transmitting the user identifier BK provided as access request information by the user 5 (or the user identifier extracted from the token information) to either the compartment installation 3 (in which case, as already explained, either the interface already used for the proximity check or some other close-range data communication interface is used) or the backend system 2. If the current occupancy of the compartments 30 of the compartment installation 3 with the user/compartment assignment is also stored in the compartment installation 3 with which the mobile device 4 has already established the close-range data communication connection, in step 620A the mobile device 4 transmits an occupancy check enquiry together with the user identifier BK to the compartment installation 3. For an alternative embodiment in which the current occupancy of the compartments 30 of the compartment installation 3 with the user/compartment assignment is managed and stored exclusively centrally in the backend system 2, in step 620B the mobile device 4 establishes a long-range data communication connection, for example via a cellular mobile radio system, as illustrated by the connection line provided with reference sign 7 in FIG. 1, to the backend system 2 and transmits an occupancy check enquiry together with the user identifier BK to the backend system 2 via the long-range data communication connection established. This transmission may advantageously be encrypted, for example on the basis of cryptographic keys which were agreed between the mobile device 4 or the app and the backend system 2, for example during the installation of the app. Afterward, in step 622, the recipient of the occupancy check enquiry, that is to say either the compartment installation 3 or the backend system 2, checks on the basis of the received user identifier BK whether at least one shipment for the user 5 specified thereby is present in the compartment installation 3. The result of the occupancy check E(BP) is transmitted from the compartment installation 3 or the backend system 2 to the mobile device 4 in step 624A or 624B, respectively. If the result of the occupancy check E(BP) indicates that the compartment installation does not contain a shipment assigned to the user 5, the mobile device 4 terminates the method sequence and notifies the user 5 of the termination of his/her access request ZA in step 626.

[0079] By contrast, if the result of the occupancy check E(BP) indicates that the compartment installation contains at least one shipment assigned to the user 5, the process for authenticating the user is initiated in accordance with the method presented. For this purpose, in step 630, the mobile device 4 transmits an access request ZA(BK, AC) specifying the user identifier and the collection code together with the encrypted session key A_S to the backend system 2 via the long-range data communication connection already established in step 620B or now to be established in step 630. The backend system 2 subsequently performs the process for authenticating the user beginning with step 640. For this purpose, step 642 involves checking whether the pieces of access request information BK and AC received from the mobile device 4 correspond to the pieces of access authorization information ZBI(B) stored for the user B in the backend system 2. Alternatively, the collection code AC may also already have been transmitted to the backend system 2 in step 620B (in encrypted fashion, for example, as mentioned), in which case, however, the pieces of access request information BK and AC are not yet evaluated, rather this takes place only after a successful occupancy check E(BP).

[0080] If, in the course of performing the process for authenticating the user, the backend system 2 ascertains that the pieces of access request information BK and AC do not correspond to the pieces of access authorization information ZBI(B) (see FIG. 6: 642->no), then the user is not authenticated by the backend system 2, rather the backend system 2 notifies the mobile device 4 in step 668 that the user B has not been authenticated, whereupon the mobile device 4 outputs an error message to the user 5 in step 670. The content of said error message depends on a current value of a user-identifier-specific blocking counter SP(BK), which, each time the process for authenticating the user is performed without resultant successful authentication of the user specified by the user identifier BK, is incremented by one in step 666 and, upon successful authentication of the user 5, is set to zero again, see step 665. If the current value of the blocking counter SP(BK) exceeds a value of 2, the backend system 2 blocks the user identifier BK for further authentication attempts, for example until unblocking by the operator of the backend system, and the mobile device 4 notifies the user 5 of this blocking in step 670.

[0081] On the other hand, if, in the course of performing the process for authenticating the user, the backend system 2 ascertains that the pieces of access request information BK and AC correspond to the pieces of access authorization information ZBI(B) (see FIG. 6: 642->yes), then the user is authenticated by the backend system 2. In order to establish secure data exchange with symmetric end-to-end encryption with the session key S (for example using AES with a 256-bit key) between the backend system 2 and the compartment installation 3 during the current session or the current authentication, the backend system 2 firstly decrypts the asymmetrically encrypted session key A_S received from the mobile device 4 with the aid of the private key of the backend system 2 in order to obtain the session key S. Afterward, in steps 650 and 651, the backend system 2 transmits a command S_unlocking encrypted with the session key S and/or signed with said session key to the compartment installation 3 for the purpose of unlocking one compartment or a plurality of compartments 30 assigned to the currently authenticated user B and specifically identified for example in the command S_unlocking (for example on the basis of one or more compartment identifiers). Firstly in step 650, the encrypted and/or signed command S_unlocking is transmitted from the backend system 2 to the mobile device 4 via the long-range data communication connection and then, in step 651, the mobile device 4 transmits the encrypted and/or signed command S_unlocking to the compartment installation 3. For embodiments in which there is a direct data communication connection between the backend system 2 and the compartment installation 3, the encrypted and signed command S_unlocking can also be transmitted directly via this data communication connection without relaying through the mobile device 4. Once the compartment installation 3 has obtained the encrypted and/or signed command S_unlocking, the compartment installation 3 decrypts it with the session key S to form the command unlocking and/or checks the authenticity/integrity of the command S_unlocking and (for example only in the case of a check of the authenticity and integrity with a positive result) unlocks the specified compartment(s), such that the user 5 obtains access to the compartment or compartments assigned to said user. Afterward, the compartment installation 3 generates feedback for the backend system 2, encrypts and/or signs said feedback with the session key S to form S_feedback and transmits the encrypted and/or signed feedback from the compartment installation 3 to the backend system 2 via the mobile device 4 in steps 654 and 655. The backend system 2 receives the message S_feedback, decrypts it with the session key S and/or checks the authenticity/integrity of the command S_feedback, and updates the stored current occupancy of the compartments 30 of the compartment installation 3 with the user/compartment assignment taking account of the current change in compartment occupancy.
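An added, self-contained Go example (not code from the patent or its applicant) of the session-key handling in steps 612 to 655: the installation draws S and encrypts it with RSA-OAEP under the backend's public key, the backend recovers S with its private key and seals the unlock command under S with AES-256-GCM, the installation opens the compartment only if that command verifies, and it answers with S_feedback sealed under the same key. Assumptions made here: RSA-OAEP with SHA-256 and AES-GCM stand in for the RSA and AES modes the description leaves open, the unlock command carries just the compartment identifier as plaintext, and the mobile relay is modelled by handing the byte slices from one side to the other.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// NewBackendKey creates the backend's RSA-2048 key pair; installations get the public half.
func NewBackendKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts and authenticates msg under S with a random nonce prepended (the AEAD tag is the "signature").
func Seal(key, msg []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, gcm.Seal(nil, nonce, msg, nil)...), nil
}

// Open reverses Seal and fails on any modification of the message in transit.
func Open(key, sealed []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("message too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// InstallationNewSession runs on the installation, which holds only the backend's public
// key: draw the random session key S (step 612) and return it with A_S, its RSA-OAEP encryption (step 614).
func InstallationNewSession(backendPub *rsa.PublicKey) (s, aS []byte, err error) {
	s = make([]byte, 32) // 256-bit key for AES-256
	if _, err = rand.Read(s); err != nil {
		return nil, nil, err
	}
	aS, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, backendPub, s, nil)
	return s, aS, err
}

// BackendUnlock runs on the backend once the user is authenticated: recover S from A_S and seal the command.
func BackendUnlock(priv *rsa.PrivateKey, aS []byte, compartment string) (s, sUnlocking []byte, err error) {
	if s, err = rsa.DecryptOAEP(sha256.New(), nil, priv, aS, nil); err != nil {
		return nil, nil, err
	}
	sUnlocking, err = Seal(s, []byte(compartment))
	return s, sUnlocking, err
}

// InstallationHandleUnlock (steps 651 to 655): open the compartment only if S_unlocking verifies, then answer with S_feedback.
func InstallationHandleUnlock(s, sUnlocking []byte) (compartment string, sFeedback []byte, err error) {
	id, err := Open(s, sUnlocking)
	if err != nil {
		return "", nil, fmt.Errorf("unlock command rejected, nothing opened: %w", err)
	}
	sFeedback, err = Seal(s, append([]byte("opened "), id...))
	return string(id), sFeedback, err
}

// RunSession plays the whole exchange; everything between the two parties passes through the mobile device as ciphertext.
func RunSession(priv *rsa.PrivateKey, compartment string) (string, error) {
	s, aS, err := InstallationNewSession(&priv.PublicKey) // step 616: A_S relayed to the backend
	if err != nil {
		return "", err
	}
	sB, sUnlocking, err := BackendUnlock(priv, aS, compartment) // steps 650/651
	if err != nil {
		return "", err
	}
	opened, sFeedback, err := InstallationHandleUnlock(s, sUnlocking) // steps 654/655
	if err == nil {
		_, err = Open(sB, sFeedback) // the backend verifies S_feedback before updating occupancy
	}
	return opened, err
}

func main() {
	priv, _ := NewBackendKey()
	fmt.Println(RunSession(priv, "30"))
}
```

Two properties of the described arrangement show up directly in this code: the relaying mobile device never holds S, so it can neither read nor forge an unlock command, and because the installation only ever stores the backend's public key, extracting that key from one installation gives no ability to decrypt any A_S or to issue commands to any installation.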

[0082] To conclude the process for authenticating the user, upon the successful authentication of the user 5, the backend system may optionally generate token information TI(BK), which contains the user identifier BK of the user and security data coupled to the mobile device 4 storing the token information, to the time of installation and/or the version of the app implemented on the mobile device 4, and/or to the time of generation of the token information. The security data included in the token information TI(BK) generated are additionally stored in a user-identifier-specific manner in the backend system 2 in order that token information communicated by a mobile device during a later authentication may be checked for its validity (and also its integrity, for example). In step 658, the token information TI(BK) generated is transmitted from the backend system 2 to the mobile device 4 and stored on the mobile device 4 in a retrievable fashion for the app.

[0083] To conclude the successful authentication, in step 659, the mobile device 4 explicitly informs the user of the successful authentication.

[0084] FIG. 7 is a flow diagram of an exemplary embodiment of a method according to the present invention with a detailed illustration of individual steps, which substantially correspond to the steps illustrated in FIG. 6, wherein in the transition from FIG. 6 to FIG. 7, for identical or mutually corresponding steps, the leading digit of the step numbering was changed from 6 to 7. The exemplary embodiment of the method illustrated in FIG. 7 will be explained below principally on the basis of the differences with respect to the embodiment illustrated by way of example in FIG. 6.

[0085] In contrast to the exemplary embodiment of the method illustrated in FIG. 6, in the exemplary embodiment of the method for authenticating the user as illustrated in FIG. 7, token information TI(BK) stored in the mobile device and containing the user identifier BK is read out. In contrast to steps 602, 603, the mobile device 4 only asks the user 5 to input the collection code AC in step 702 and accepts the collection code AC that has been input in step 703. In the method in FIG. 7, the mobile device 4 reads out the user identifier BK from the token information TI(BK) stored on the mobile device 4.

[0086] Unlike in step 630 of the method illustrated in FIG. 6, in step 730 of the method illustrated in FIG. 7, the token information TI(BK) read out from the mobile device 4 and the collection code AC are transmitted as pieces of access request information to the backend system 2. In the process for authenticating the user in accordance with the method in FIG. 7, therefore, step 742 involves checking whether the received token information TI(BK) and the collection code AC correspond to the pieces of access authorization information ZIB(B). In contrast to the method illustrated in FIG. 6, the user-specific pieces of access authorization information ZIB(B) also represent or contain the token information TI(BK) whose data were included in the pieces of access authorization information ZIB(B) during the last performed authentication of the user with the user identifier. In the case where the backend system 2 does not ascertain correspondence in step 742, the user is not authenticated, as in step 642 in FIG. 6. Unlike in step 666 in FIG. 6, however, in step 766 of the embodiment illustrated in FIG. 7, the blocking of the user with the user identifier BK is performed less restrictively. If it was ascertained in step 742 that the token information TI(BK) and the collection code AC are invalid, then as in step 666, in step 766 as well the user with the user identifier BK is blocked if the blocking counter SP(BK) is greater than 2, for example. However, if it was ascertained in step 742 that the token information TI(BK) is valid and only the collection code AC is invalid, then the user with the user identifier BK is blocked only when the blocking counter SP(BK) has exceeded a significantly higher value than the comparison basis mentioned previously with regard to step 666, for example only when the blocking counter SP(BK) is greater than 10. This reflects the fact that a user 5 who has already been successfully authenticated once is shown greater trust than an unknown user.

[0087] In the exemplary methods in FIGS. 6 and 7, the proximity check takes place before the occupancy check. This order may also be interchanged in alternative embodiments of the method according to the invention. An occupancy check with a negative result then leads to the termination of the respective method, such that a proximity check is no longer performed, while an occupancy check with a positive result has the consequence that the proximity check is performed. Depending on the outcome of the proximity check, the rest of the respective method is then performed (positive result of the proximity check) or is not performed (negative result of the proximity check).

[0088] Furthermore, an additional check may optionally be provided in the exemplary methods in FIGS. 6 and 7. This involves checking whether or not an authentication enquiry that is intended to initiate the process for authenticating the user is classified as suspicious on account of a counter. The authentication enquiry may be for example the enquiry directed to the backend system 2 in step 620B and 720B, respectively, or the enquiry directed to the backend system 2 in step 630 and 730, respectively. The counter is controlled in a user-identifier-specific manner by the backend system 2, for example, and detects, for example, how often within a predefined time interval, or time interval adapted dynamically according to a predefined rule, the authentication enquiry was made to the backend system 2. If the counter exceeds a predefined threshold value, or threshold value adapted dynamically according to a predefined rule, a decision is taken, for example, that the authentication enquiry should be classified as suspicious since it has taken place too frequently within the time interval. This has the consequence that the process for authenticating the user is not performed, that is to say that the method in FIGS. 6 and 7 then terminates, and the user 5 is notified accordingly by the mobile device 4. This additional check is preferably performed before the occupancy check, such that if the result of the check is negative, the occupancy check (and also the downstream steps of the method in FIGS. 6 and 7) need no longer be performed.
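The backend-side decision cascade described in [0086] to [0088] (proximity check, enquiry counter, occupancy check, then the token-aware blocking counter SP(BK)), as an added illustration that is not code from the application. The window and threshold values for the enquiry counter, the `proximity_ok` flag standing in for the backend's decryption of the compartment installation's message, and all user records are assumptions constructed for the example.

```python
import secrets
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Assumed parameters; the application states no concrete values for the
# enquiry counter, only the SP(BK) comparison bases 2 and 10 from [0086].
ENQUIRY_WINDOW_S = 60.0   # time interval of the suspicion counter, [0088]
ENQUIRY_THRESHOLD = 5     # enquiries per window before "suspicious", [0088]
BLOCK_LIMIT_UNKNOWN = 2   # SP(BK) > 2 blocks a user without valid TI(BK)
BLOCK_LIMIT_TRUSTED = 10  # SP(BK) > 10 when TI(BK) is valid and only AC is wrong


@dataclass
class AccessAuthorization:
    """User-specific pieces of access authorization information ZIB(B)."""
    collection_code: str                 # collection code AC
    token: Optional[str] = None          # TI(BK) data stored at last success
    shipments: int = 0                   # shipments assigned to the user
    block_counter: int = 0               # blocking counter SP(BK)
    blocked: bool = False
    enquiries: list = field(default_factory=list)   # enquiry timestamps


class Backend:
    def __init__(self, users: dict):
        self.users = users               # user identifier BK -> ZIB(B)

    def _suspicious(self, rec: AccessAuthorization, now: float) -> bool:
        # Per-user sliding-window counter of authentication enquiries ([0088]).
        rec.enquiries = [t for t in rec.enquiries if now - t < ENQUIRY_WINDOW_S]
        rec.enquiries.append(now)
        return len(rec.enquiries) > ENQUIRY_THRESHOLD

    def authenticate(self, bk: str, ac: str, token: Optional[str],
                     proximity_ok: bool, now: float) -> Tuple[str, Optional[str]]:
        """Returns (status, newly issued TI(BK) or None)."""
        rec = self.users.get(bk)
        if rec is None:
            return "unknown_user", None
        if not proximity_ok:                 # proximity check first ([0087])
            return "not_at_installation", None
        if self._suspicious(rec, now):       # before the occupancy check ([0088])
            return "suspicious", None
        if rec.shipments == 0:               # occupancy check (620B / 720B)
            return "no_shipment", None
        if rec.blocked:
            return "blocked", None
        token_ok = (token is not None and rec.token is not None
                    and secrets.compare_digest(token, rec.token))
        ac_ok = secrets.compare_digest(ac, rec.collection_code)
        # FIG. 6 path: BK and AC; FIG. 7 path: a presented TI(BK) must be valid.
        if ac_ok and (token is None or token_ok):
            rec.block_counter = 0
            rec.token = secrets.token_hex(16)   # fresh TI(BK), data kept in ZIB(B)
            return "authenticated", rec.token   # transmitted to the device (658/758)
        rec.block_counter += 1
        limit = BLOCK_LIMIT_TRUSTED if token_ok else BLOCK_LIMIT_UNKNOWN
        if rec.block_counter > limit:        # step 666 / 766
            rec.blocked = True
            return "blocked", None
        return "rejected", None
```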

[0089] The components of the system 1 that are presented in this application should also be understood to be disclosed in each case in their own right. This applies specifically to the backend system 2, the compartment installation 3 and the mobile device 4 and also the methods performed by them:

[0090] In accordance with one aspect, the present invention comprises a backend system (in particular as explained by way of example above), for example having at least one server apparatus and at least one storage apparatus coupled thereto for data exchange, which backend system is configured in particular for one or more of the following steps:

[0091] managing and granting (optionally also blocking) in particular compartment-specific and/or user-specific access to compartments of one or more compartment installations described above, said compartments being individually unlockable by means of an instruction by the backend system,

[0092] storing and managing user-specific pieces of access authorization information,

[0093] receiving pieces of access request information provided by a user,

[0094] data exchange with the managed compartment installation(s),

[0095] data exchange with at least one mobile device of a user,

[0096] performing a process for authenticating a user on the basis of the pieces of access request information provided by the user and the pieces of access authorization information stored in the backend system, wherein a necessary condition for performing the process for authenticating the user is that a proximity check has revealed that a mobile device of the user is situated at the location of the compartment installation, and/or that an occupancy check has revealed that the compartment installation contains at least one shipment assigned to the user.

[0097] Developments of a backend system in accordance with this aspect are configured to perform method steps from the group of claims 2 to 10 and 12 to 15.

[0098] In accordance with a further aspect, the present invention encompasses a compartment installation (in particular as described above) having a plurality of compartments that are individually unlockable in particular by a lock control apparatus of the compartment installation, wherein the compartment installation is configured in particular to perform one or more of the following steps:

[0099] establishing a close-range data communication connection to a mobile device of a user of the compartment installation,

[0100] generating a temporary session key,

[0101] encrypting the temporary session key generated, preferably by means of asymmetric encryption,

[0102] outputting the encrypted session key for use by a backend system that manages the compartment installation and is configured as described above,

[0103] performing data communication with the backend system with end-to-end encryption and/or signing of messages using the temporary session key for the purpose of controlling the compartment installation by means of the backend system.

[0104] In accordance with a further aspect, the present invention encompasses a mobile device (in particular as described above) configured to perform one or more of the following steps:

[0105] receiving pieces of access request information from a user,

[0106] establishing data communication with a compartment installation via a close-range data communication connection between the mobile device and the compartment installation,

[0107] establishing data communication with a backend system via a long-range data communication connection between the mobile device and the backend system,

[0108] transmitting the pieces of access request information received to the backend system,

[0109] establishing data communication between the compartment installation and the backend system by means of data relaying through the mobile device for the purpose of controlling the compartment installation by means of the backend system.

[0110] The following exemplary embodiments of the invention shall also be understood to be disclosed (therein, the reference signs given in brackets are exemplary and shall not be considered limiting in any way):

Embodiment 1

[0111] Method, comprising:

[0112] performing a process for authenticating a user (250, 350, 450, 550) of a compartment installation (3) vis-à-vis a backend system (2) managing the compartment installation, wherein a necessary condition for performing the process for authenticating the user (250, 350, 450, 550) is that a proximity check (200, 400, 500) has revealed that a mobile device (4) of the user (5) is situated at the location of the compartment installation (3), and/or that an occupancy check (310, 410, 510) has revealed that the compartment installation (3) contains at least one shipment assigned to the user (5).

Embodiment 2

[0113] Method according to Embodiment 1, wherein under the condition that a close-range data communication connection (6, 610, 616, 710, 716) between the compartment installation (3) and the mobile device (4) is establishable or has been established, the proximity check (200, 400, 500) reveals that the mobile device is situated at the location of the compartment installation.

Embodiment 3

[0114] Method according to Embodiment 1 or 2, wherein under the condition that the backend system (2) may decrypt a message (A_S) encrypted by the compartment installation (3) and/or that the backend system (2) has ascertained the integrity and authenticity of a message provided with a signature by the compartment installation, the proximity check (200, 400, 500) reveals that the mobile device is situated at the location of the compartment installation.

Embodiment 4

[0115] Method according to any of Embodiments 1 to 3, wherein the result of the proximity check (200, 400, 500) is determined not solely by means of a position determination performable independently by the mobile device (4), preferably without independent position determination by the mobile device (4).

Embodiment 5

[0116] Method according to any of Embodiments 1 to 4, wherein the result of the proximity check (400, 500) and the result of the occupancy check (410, 510) are taken into account in a cascaded manner as the necessary condition for performing the process for authenticating the user (250, 350, 450, 550).

Embodiment 6

[0117] Method according to any of Embodiments 1 to 5, wherein the result of the occupancy check (410) is only determined and/or taken into account as the necessary condition for performing the process for authenticating the user (250, 350, 450, 550) if the proximity check (400) has revealed or reveals that the mobile device is situated at the location of the compartment installation.

Embodiment 7

[0118] Method according to any of Embodiments 1 to 6, wherein the result of the occupancy check (310, 410, 510) is defined (620B) by the backend system on the basis of one or more pieces of access request information (BK) provided by the mobile device (4).

Embodiment 8

[0119] Method according to any of Embodiments 1 to 7, wherein a data communication connection (6, 7) between the backend system (2) and the compartment installation (3) is operated, preferably only, by means of relaying through the mobile device (4).

Embodiment 9

[0120] Method according to Embodiment 8, wherein the data communication connection (6, 7) between the backend system (2) and the compartment installation (3) is established and operated only under the necessary condition that the proximity check (200, 400, 500) has revealed that the mobile device is situated at the location of the compartment installation, and/or that the occupancy check (310, 410, 510) has revealed that the compartment installation contains at least one shipment assigned to the user.

Embodiment 10

[0121] Method according to Embodiment 8 or 9, wherein the data communication connection (6, 7) between the backend system (2) and the compartment installation (3) is established and operated (650-655, 750-755) only under the necessary condition that the user (5) was successfully authenticated (642, 742).

Embodiment 11

[0122] Method according to any of Embodiments 1 to 10, furthermore comprising:

[0123] generating (612, 712) a temporary session key (S);

[0124] encrypting (614, 714) the temporary session key (S) generated, preferably by means of asymmetric encryption; and

[0125] transmitting (616, 716) the encrypted session key (A_S) to the backend system (2).

Embodiment 12

[0126] Method according to any of Embodiments 1 to 11, furthermore comprising:

[0127] receiving (616, 630, 716, 730) an encrypted session key (A_S), preferably encrypted by means of asymmetric encryption, from the compartment installation (3);

[0128] decrypting the encrypted session key (A_S); and

[0129] end-to-end encrypting, using the decrypted session key (S), of a data communication (S_unlocking, S_feedback) between the backend system (2) and the compartment installation (3), preferably by means of symmetric encryption.

Embodiment 13

[0130] Method according to any of Embodiments 1 to 12, furthermore comprising:

[0131] generating, upon successful authentication of a user, token information (TI(BK)) assigned to the user and outputting (658, 758) it to the mobile device (4) for storage for a future process for authenticating the user.

Embodiment 14

[0132] Method according to any of Embodiments 1 to 13, furthermore comprising:

[0133] receiving (730) token information (TI(BK)) assigned to a previous successful authentication of the user from the mobile device (4);

[0134] checking the received token information for validity (742); and

[0135] relaxing or cancelling a limitation, for the user specified by the valid token information, of a maximum number of processes for authenticating the user that are performable with a negative authentication result (766).

Embodiment 15

[0136] Method according to any of Embodiments 1 to 14, wherein an additional necessary condition for performing the process for authenticating the user is that an authentication enquiry that is intended to initiate the process for authenticating the user has not been classified as suspicious on the basis of a counter.

Embodiment 16

[0137] Apparatus (2, 3, 4) or system (1) comprising at least two apparatuses, configured for performing and/or controlling the method according to any of Embodiments 1 to 15 or comprising respective means for performing and/or controlling the steps of the method according to any of Embodiments 1 to 15.

Embodiment 17

[0138] An apparatus comprising at least one processor and at least one memory that includes program code, wherein the memory and the program code are configured to cause an apparatus, in particular an authentication apparatus, with the at least one processor to implement and/or to control at least the method of any of Embodiments 1 to 15. The apparatus comprising the at least one processor and the at least one memory may for instance be or comprise the authentication apparatus, or be different therefrom.

Embodiment 18

[0139] Computer program, comprising program instructions that cause a processor to perform and/or control the method according to any of Embodiments 1 to 15 when the computer program runs on the processor.

[0140] The embodiments/exemplary embodiments of the present invention that are described in this specification should also be understood to be disclosed in all combinations with one another. In particular, the description of a feature that an embodiment comprises should also not, unless explicitly explained to the contrary, be understood in the present case to mean that the feature is indispensable or essential for the function of the exemplary embodiment. The sequence of the method steps outlined in this specification in the individual flow diagrams is not mandatory; alternative sequences of the method steps are conceivable. The method steps may be implemented in various ways, and so implementation using software (through program instructions), hardware or a combination of the two is conceivable for implementing the method steps. Terms used in the patent claims such as "comprise", "have", "include", "contain" and the like do not exclude further elements or steps. The wording "at least partly" encompasses both the case "partly" and the case "completely". The wording "and/or" should be understood to the effect that both the alternative and the combination are intended to be disclosed, that is to say that "A and/or B" means (A) or (B) or (A and B). In the context of this specification, "a plurality of" units, persons or the like means two or more units, persons or the like. The use of the indefinite article does not exclude a plurality. A single device may perform the functions of a plurality of units or devices mentioned in the patent claims. Reference signs indicated in the patent claims should not be regarded as limitations for the means and steps used.

[0141] All references, including publications, patent applications, and patents cited herein are hereby incorporated by reference to the same extent as if each reference were individually and specifically indicated to be incorporated by reference and were set forth in its entirety herein.

[0142] The use of the terms "a" and "an" and "the" and similar referents in the context of describing the invention (especially in the context of the following claims) is to be construed to cover both the singular and the plural, unless otherwise indicated herein or clearly contradicted by context. The terms "comprising", "having", "including", and "containing" are to be construed as open-ended terms (i.e., meaning "including, but not limited to") unless otherwise noted. Recitation of ranges of values herein is merely intended to serve as a shorthand method of referring individually to each separate value falling within the range, unless otherwise indicated herein, and each separate value is incorporated into the specification as if it were individually recited herein. All methods described herein can be performed in any suitable order unless otherwise indicated herein or otherwise clearly contradicted by context. The use of any and all examples, or exemplary language (e.g., "such as") provided herein, is intended merely to better illuminate the invention and does not pose a limitation on the scope of the invention unless otherwise claimed. No language in the specification should be construed as indicating any non-claimed element as essential to the practice of the invention.

[0143] Preferred embodiments of this invention are described herein, including the best mode known to the inventors for carrying out the invention. Variations of those preferred embodiments may become apparent to those of ordinary skill in the art upon reading the foregoing description. The inventors expect skilled artisans to employ such variations as appropriate, and the inventors intend for the invention to be practiced otherwise than as specifically described herein. Accordingly, this invention includes all modifications and equivalents of the subject matter recited in the claims appended hereto as permitted by applicable law. Moreover, any combination of the above-described elements in all possible variations thereof is encompassed by the invention unless otherwise indicated herein or otherwise clearly contradicted by context.