METHOD OF OPERATING A COMPUTER-CONTROLLED DEVICE FOR ESTABLISHING A SECURE DATA COMMUNICATION IN A DISTRIBUTED CONTROL SYSTEM OF A PASSENGER TRANSPORTATION ARRANGEMENT
20230062888 · 2023-03-02
Inventors
CPC classification
H04L9/006
ELECTRICITY
B66B1/3415
PERFORMING OPERATIONS; TRANSPORTING
International classification
H04L9/32
ELECTRICITY
H04L9/00
ELECTRICITY
Abstract
A method of operating a computer-controlled first device for establishing a secure data communication with a computer-controlled second device in a passenger transportation arrangement distributed control system includes: generating an encryption key including a public and private key pair; creating credentials (e.g. X.509 certificate) based on the generated encryption key; preparing a certificate signing request CSR and dispatching the CSR via a secured data communication path to a certificate authority CA that is based on a public key infrastructure PKI operated by the passenger transportation arrangement operator; receiving the certificate from the CA with a signature using a private key held secret by the operator; establishing the secure data communication with the second device by transmitting the credentials to the second device, wherein the second device accepts establishing the secure data communication upon verification of the signature of the credentials executed using a public key of the operator.
Claims
1-13. (canceled)
14. A method of operating a computer-controlled first device for establishing a secure data communication between the first device and a computer-controlled second device in a distributed control system of a passenger transportation arrangement, the method comprising the steps of: generating an encryption key; creating credentials in certificate form based on the generated encryption key; preparing a certificate signing request and dispatching the certificate signing request to a certificate authority via a secured data communication path, wherein the certificate authority is based on a public key infrastructure operated by an operator of the passenger transportation arrangement; receiving a signed certificate from the certificate authority, wherein the signed certificate is signed by the certificate authority with a signature using a private key being a secret held by the operator of the passenger transportation arrangement; establishing the secure data communication with the second device by transmitting the credentials including the signed certificate to the second device, wherein the second device accepts establishing the secure data communication upon verification of the signature of the credentials, and wherein the verification of the signature of the credentials is executed using a public key of the operator of the passenger transportation arrangement.
15. The method according to claim 14 wherein the encryption key comprises a key pair including a public key and a private key.
16. The method according to claim 15 including creating the credentials in a form of an X.509 certificate by using the key pair.
17. The method according to claim 14 wherein the secured data communication path at least temporarily connects the first device with the certificate authority.
18. The method according to claim 17 including establishing the secured data communication path via the internet.
19. The method according to claim 17 including establishing the secured data communication path via a virtual private network configured on an internet gateway.
20. The method according to claim 14 wherein, after receiving the signed certificate from the certificate authority, storing the signed certificate in a secured memory of the first device.
21. The method according to claim 14 wherein the first device includes a copy of the public key of the operator of the passenger transportation arrangement stored internally in the first device.
22. The method according to claim 14 including limiting a validity of the signed certificate to a predetermined maximum duration and wherein, after expiry of the validity, repeating the preparing, receiving and establishing steps.
23. A passenger transportation arrangement comprising: a distributed control system with a computer-controlled first device and a computer-controlled second device; and wherein the passenger transportation arrangement is adapted to one of execute and control the method according to claim 14.
24. The passenger transportation arrangement according to claim 23 being an elevator and wherein the second device is an elevator controller controlling the elevator.
25. The passenger transportation arrangement according to claim 23 wherein the first device is configured to be retrofitted into the passenger transportation arrangement and to then communicate with the second device.
26. The passenger transportation arrangement according to claim 23 wherein at least one of the first device and the second device at least temporarily has internet access and is adapted to establish the secured data communication path for establishing secure data communication with the certificate authority.
Description
DESCRIPTION OF THE DRAWINGS
[0044]
[0045] The FIGURE is only schematic and not to scale. Same reference signs refer to same or similar features.
DETAILED DESCRIPTION
[0046]
[0047] The elevator controller 9, the car operation panel 11, the landing operation panels 13 and possibly other components may be implemented using computer-controlled devices which may form nodes in a distributed control system 27 of the elevator 3. Particularly, the elevator controller 9 may for example form a computer-controlled second device 17 with which other first devices 15 such as the car operation panel 11 or the landing operation panels 13 may have to communicate in a secure manner.
[0048] In order to establish such a secure data communication 23 (as indicated in the FIGURE by dotted lines) between the computer-controlled first devices 15 and the computer-controlled second device 17, a respective first device 15 initially generates its own encryption key, for example a key pair consisting of a private key and a public key. Using this key pair, the first device 15 may then create its own credentials in the form of, e.g., an X.509 certificate; the private key stays on the first device 15 and is never transmitted.
[0049] The approach proposed herein then benefits from the fact that, in modern elevators, the computer-controlled first and second devices 15, 17 generally have at least temporary access to a network such as the Internet, via which they may create a secured data communication path 25 (as indicated in the FIGURE by dotted lines), for example to an external server 29. The secured data communication path 25 may, for example, use a virtual private network connecting the first and second devices 15, 17 with the external server 29. The external server 29 may be operated by an operator of the passenger transportation arrangement 1, such as the manufacturer of the elevator 3. The server 29 may establish a public key infrastructure (PKI) 19 on which a certification authority (CA) 21 may be based.
[0050] The computer-controlled first device 15 may then prepare a certificate signing request (CSR), which carries its public key and identity and is signed with its own private key, and transmit this CSR via the secured data communication path 25 to the certification authority 21. The certification authority 21 assumes that every device which is capable of communicating via the secured data communication path 25 may be trusted; in other words, reachability over that path is the authentication of the enrolling device in this scheme, so the path itself (e.g. the VPN configured on the Internet gateway and its credentials) has to be protected accordingly. The certification authority 21 then issues a certificate for the public key and identity contained in the CSR, signs it with the operator's private key and sends the signed certificate back to the computer-controlled first device 15.
[0051] Upon having received the signed certificate back from the certificate authority 21, the computer-controlled first device 15 may store the final credentials, for example in a secured memory, and may simultaneously or later transmit the credentials including the signed certificate to the computer-controlled second device 17. The second device 17 may then verify the signature included in these credentials by using a public key of the operator of the passenger transportation arrangement stored, for example, in the firmware of the second device; where the validity of the certificate is limited as in claim 22, the second device 17 also has to check that the certificate has not expired. Upon successful verification of the signature, the secure data communication 23 between the first and second devices 15, 17 may be established in a fully automated manner.
[0052] Finally, it should be noted that the term “comprising” does not exclude other elements or steps and the “a” or “an” does not exclude a plurality. Also elements described in association with different embodiments may be combined.
[0053] In accordance with the provisions of the patent statutes, the present invention has been described in what is considered to represent its preferred embodiment. However, it should be noted that the invention can be practiced otherwise than as specifically illustrated and described without departing from its spirit or scope.
LIST OF REFERENCE SIGNS
[0054] 1 passenger transportation arrangement
[0055] 3 elevator
[0056] 5 elevator car
[0057] 7 drive engine
[0058] 9 elevator controller
[0059] 11 car operation panel
[0060] 13 landing operation panels
[0061] 15 computer-controlled first device
[0062] 17 computer-controlled second device
[0063] 19 public key infrastructure
[0064] 21 certification authority
[0065] 23 secure data communication
[0066] 25 secured data communication path
[0067] 27 distributed control system
[0068] 29 external server