|Publication number||USRE38899 E1|
|Application number||US 09/377,724|
|Publication date||Nov 29, 2005|
|Filing date||Aug 19, 1999|
|Priority date||Sep 22, 1994|
|Also published as||US5659617|
|Publication number||09377724, 377724, US RE38899 E1, US RE38899E1, US-E1-RE38899, USRE38899 E1, USRE38899E1|
|Inventors||Addison M. Fischer|
|Original Assignee||Fischer Addison M|
|Export Citation||BiBTeX, EndNote, RefMan|
|Patent Citations (16), Non-Patent Citations (2), Referenced by (11), Classifications (9), Legal Events (1)|
|External Links: USPTO, USPTO Assignment, Espacenet|
The invention relates to methods and apparatus for providing reliable location certificates which are used to prove the geographic location of a particular object or event. More particularly, the invention relates to establishing to a requestor that an object is being used in its restricted area of use, that an object being tracked is in a particular geographical location, or that an event is confined to a particular area.
It is frequently desirable or imperative to reliably know the precise location of an object, and to be able to determine that location on a reoccurring basis. The object may be highly mobile or relegated to use in a confined area or confined areas.
Objects being transported by vehicle are highly mobile. With respect to such objects which are dangerous or controlled, as for example toxic waste and nuclear materials, it is desirable to be able to reliably monitor their location during transport between locations. Such monitoring may be continuous or may be from point-to-point.
Digital signatures represent objects which may be intended to be used only in Highly localized areas. Digital signatures involve the use of cryptographic keys to sign messages. For legal or security reasons it is at times important to prove or establish that these digital signatures are being generated within a particular jurisdiction, a specific complex, building or room. For example, a digital signature of a bank employee that is used in various bank transactions would advantageously be confined to the location of a guarded bank facility. An employee's computer sign-on token may be limited to use at a specified location such as home or the office. For audit and billing purposes the location of requestors for access to sensitive material or databases is needed.
There are other environments in which it is important to reliably know the location of an object. A supplier of electronic broadcasts may need to screen certain locales to black-out reception of certain sports broadcasts, concerts, etc., or other signals such as electronic gambling events. In other instances, satellite decoder boxes limited to use in licensed areas are needed.
The present invention uses unique location certificates to track goods and wares during shipment, establish the location of participants in a network, determine the location at which a digital signature was performed, ascertain the validity of objects which are expected or mandated to be present within certain geographic bounds and control the use of security or sensitive devices by limiting their operation to certain locations.
Determining the location of an object or event involves the employment of a position determination unit. In accordance with an exemplary embodiment of the present invention, the position determination unit operates on the reception of Loran or Global Positioning System (GPS) signals to establish its location. The unit may continuously determine its position or compute its position on request. A secure authorization unit functions to authenticate the location information reported to a requestor. Specifically, the secure authorization unit, through the use of its private digital signature key and a certificate authenticates that the requested position information is provided by a trusted location certification unit.
Three basic systems are set forth as exemplary embodiments of the present invention, one with a basic location certification unit (LCU), a second using a sensor, and a third operating on a two-way communication link between beacons and a sensor in the LCU. In addition, many variations and modifications of these systems are disclosed, and others would be readily apparent to those skilled in this art. In these systems, there is the ever present danger of attempts by unauthorized individuals to breach the security of the system, as for example, by the use of sophisticated spoofing techniques where false radio broadcasts on Loran or GPS frequencies may be employed to cause the position determination unit to compute a position other than its actual position. The systems of the present invention use techniques and procedures to safeguard against such eventualities.
In public key encryption systems, the public keys of a user are the encryption keys published by the user that may be used for privately communicating with the user. Anyone wanting to privately communicate with the user simply encrypts the message employing the users public encryption key. Only that user's secret decryption key can be used to decipher the encrypted message.
In order to ensure that a specified public key is one that has actually been created by the specified individual, certificates are provided. Certificates can be thought of as brief messages which are signed by the trusted authority, and which contain, either explicitly or implicitly, a reference to the public key which is being therein certified, and the identity of the public key's owner. In such an implementation, if “C” has provided a certificate for “A”; then recipient “B” can trust the use of “A's” public key, provided that “B” trusts “C”.
A location certification unit (LCU) as shown if
The PDU 1 includes conventional position determining apparatus for receiving Loran and/or GPS signals and for computing its position. The current location or position may be continuously computed and maintained, or it may be computed only in response to a request.
SAU 2 contains its own private digital signature key stored in a secure probe-resistant memory 3. This private key has a public aspect which is digitally signed by the manufacturer, using its well guarded private key, thus providing a certificate indicating to the requestor that the public key used to communicate with the SAU belongs to a trusted LCU. This certificate may be presented to the requestor R as a part of the location certificate. The SAU includes a processor 4 for processing data and control of internal functions, and a send/receive unit 5 for communicating with the requestor R.
While the invention is not limited to any particular digital signature key technique, one technique which can be used is the RSA technique of using a private digital signature key to sign a message which the requestor or receiving party can validate using the originator's public key, as described in U.S. Pat. No. 4,405,829 issued to Rivest et al. In brief, an intended receiver's public key is made available to the sender, i.e., requestor, and is used for sending an encrypted message. Only the private decryption key at the LCU's receiver can decipher the message. The decryption key is then used to digitally sign a message which is sent to the original sender or requestor. The recipient or requestor can verify the signature by encrypting it with the LCU's public key. While anyone having the LCU's public key can read the signature, only the LCU signing the message could have created it.
The certification is provided by the manufacturer's digital signature which may be stored in memory at the SAU and sent to the requestor. That is, the manufacture provides a digital signature indicating that the public key, used by the requestor, belongs to a trusted LCU, as described, for example, in U.S. Pat. No. 5,214,702 issued to the inventor (which is hereby incorporated by reference). This certificate presented to the requestor serves as a part of the authenticated location certificate.
In operation, the LCU (
Verification of the digitally signed message is effected by use of the trusted manufacturer's public key. The manufacturer's public key is used by the requestor to determine that a unit's public key is, in fact, in a certification hierarchy and is associated with a trusted LCU. This validation of the unit's public key is then used to verify the digital signature. Any alteration of the digital signature is immediately detected. Where multiple levels of certification are used, as in inventor's U.S. Pat. No. 5,005,002 (which is hereby incorporated by reference), the trusted key is used to chain through the certification hierarchy to ultimately determine that the unit's public key is, in fact, associated with a trusted LCU.
Installing LCUs in objects, e.g., digital signing devices, computer log-on cards, controls for broadcast receivers, or smart cards for use with broadcast receivers, in combination with means for disabling the use of such objects, provides for control over the location at which the objects can be used. Incorporating a LCU in a computer log-on card designed to be limited to use at either the office or home, means that the defeat of the LCU would require sophisticated techniques such as generating false Loran or GPS signals to cause the PDU of the LCU to compute a false position. Moreover, the presence of other conventional safe-guards such as personal identification number (PIN) or password requirements to activate the card would provide significant layers of protection against the ordinary thief successfully using the card.
A second embodiment of a LCU is particularly useful for monitoring the location of a moving object. Illustrated in F1G. 2, the LCU is incorporated in a system having features which make the location certificate spoof resistant, i.e., resistant to being deceived into computing a false position. The use of a highly accurate clock 6 in the sensor 7 of the LCU synchronized with a clock 12 of the beacon 10 serves to defeat spoofing of the system. In this embodiment, each beacon 10 is equipped with a private key or a shared private key that is common among the beacons. Where beacons share a common key, then each beacon is provided with its own unique identification. The keys or identifications are maintained in a memory associated with processor 11. The LCU has one or more sensors 7 that have access to the beacons' public keys. A beacon's transmission includes digital authentication of the broadcast time and an indicator of the beacon's identity.
Under the foregoing conditions, and without the synchronized highly accurate clocks, a would-be spoofer, cannot substitute or cause a sensor to confuse one beacon's signal with that of another, nor accelerate or formulate signals. One can, however, copy a beacon's transmission and rebroadcast it at some delayed interval or intervals. The system then has need of means to prevent the reception or action on signals that are too distant or at wrong angular locations. This is the function of the synchronized clocks.
When beacons are in orbiting satellites as in the GPS or are in Loran stations, position is determined using two, three or more beacons. A delayed rebroadcast of a true satellite beacon's message from a false beacon would mean that the false beacon is located further out in space or on the other side of the Earth. In the latter case, sensing a different beacon lying in a direction away from the apparent position of the first observed beacons suffices to determine whether the computed position is true or false. In the former case, the aforementioned synchronized clocks are used to inhibit the reception and use of the false beacon.
With the synchronized clock system, each beacon pre-computes the digital signature and its time duration that is due to be transmitted at some precise time in the future. At the prescribed moment, the first bit of the precomputed digital signature is transmitted. The balance of the message, including an authenticated time stamp, is of predictable duration and is transmitted with each bit coming at a precisely timed interval. The sensor or receiver at the LCU determines, based on its internal clock, the exact moment the transmission was received, and that each bit after the first bit arrived on schedule. This need not be done in real time but the message may be stored and processed after it has been fully received. The authenticated time stamps are verified using the public key associated with each beacon and compared with the sensor clocked time of receipt of the message. An additional time check can be made by considering the differentials between beacons. The position of the LCU is determined by using the time differentials between each of the beacons, and the result is checked for consistency. The position computed by the differentials must agree with the time difference between the sensor's internal clock and that time broadcast by each of the beacons. The position of each beacon is known, from authenticated broadcasts or tables stored in the sensor, the speed of the transmitted radio signal is known, then the purported distance/time to each beacon can be calculated. The calculated times and the measured time differentials are compared to see that they are the same.
The degree of accuracy of the clocks sets the degree of accuracy to which true or false signals can be detected. Therefore, the clocks must have accurate time intervals and must not drift over long periods of time. Drift problems can be minimized by resetting the clocks periodically, recalibrating the sensor clocks from master clocks at the beacons, using temperature controlled clock environments, and using very high quality accurate clocks or a multiple clock system. Where the clocks are subject to strong gravitational fields or acceleration and run slower, the fact that the clock runs slower can be taken into consideration. Since the speed of light is one foot per nanosecond, the degree to which spoofing can be controlled is one mile per 5 microseconds of drift.
In a third embodiment, illustrated in
The sensor generates a random challenge number and transmits it to the beacon. The beacon constructs a response, including its digital signature, the sensor's random challenge number and the beacon's position. The beacon's clock value and other beacon operating characteristics may also be included in the response.
As illustrated in
Given these variables, the timing, illustrated in
In the above example of this embodiment, the response includes the beacon's certificate in its transmission. However, the beacon's public key may be embedded in the sensor, or may be ascertained in other manners. Other authenticated digital information may include, the beacon's identity, expected response time, means by which the location information has been determined, the expected accuracy of the positional information, the authority responsible for determining the beacon's position, the level of security ascribed to the device, the time associated with the response mark signal, and the authority responsible for determining the beacon's clock.
In this embodiment, the precise position of the beacon is a limiting factor on the correctness of determined position of the PDU. The position of the beacon can be determined by Loran, GPS or other radio based techniques, and it can be confirmed by a trusted calibrating authority. To insure that the beacon remains stationary once its position is established, movement sensors may be provided to generate an alert signal upon the sensing of movement or tampering. Where such a stationary beacon is moved for any reason, deliberately or by an earthquake, then the position must be redetermined and reconfirmed.
Where the beacon's position is confirmed by a calibrating authority, then the authority is responsible for certifying the accuracy of the position information. If the beacon determines it own position from radio signals, then the calibrating authority can only be viewed as a confirming entity that the beacon is a trusted beacon, and not one that may have been spoofed. Hence, certificates by calibrating authorities are constructed and appraised in accordance with the function of the calibrating authority, which may be indicated in the certificate. Moreover, identification of the calibrating authority in the certificate serve to inform the user of same the degree to which position information may be trustworthy.
A stationary beacon may advantageously be used as a source to set a highly accurate clock in mobile LCUs. As in the example above, where the beacon includes its clock value B4 as part of its response, then the mobile LCU can set its clock to a trusted accuracy with known error. With reject respect to high acceleration of the LCUs, an acceleration fuse would provide a part of the tamper resistant construction.
While the digital signature has been described using the RSA algorithm, other algorithms such as DSA, symmetric, or the protocols developed by Goldwasser and Micali or by Chaum may be employed. Moreover, the algorithms and/or protocols may be used in combination.
While the invention has been described in connection with what is presently considered to be the most practical and preferred embodiment, it is to be understood that the invention is not to be limited to the disclosed embodiment, but on the contrary, is intended to cover various modifications and equivalent arrangements included within the spirit and scope of the appended claims.
|Cited Patent||Filing date||Publication date||Applicant||Title|
|US3774215 *||Nov 23, 1970||Nov 20, 1973||Gen Systems Dev Corp||Position locating system|
|US4077005 *||Jun 18, 1971||Feb 28, 1978||The United States Of America As Represented By The Secretary Of The Navy||Secure position identity and time reporting system|
|US4707699 *||Feb 14, 1985||Nov 17, 1987||Halliburton Company||Method and apparatus for positioning a satellite antenna from a remote well logging location|
|US4819053 *||Apr 17, 1987||Apr 4, 1989||Halavais Richard A||Single-point locating system|
|US4860352 *||May 20, 1985||Aug 22, 1989||Satellite Financial Systems Corporation||Satellite communication system and method with message authentication suitable for use in financial institutions|
|US4972431 *||Sep 25, 1989||Nov 20, 1990||Magnavox Government And Industrial Electronics Company||P-code-aided global positioning system receiver|
|US4993067 *||Dec 27, 1988||Feb 12, 1991||Motorola, Inc.||Secure satellite over-the-air rekeying method and system|
|US5101208 *||Feb 24, 1967||Mar 31, 1992||Parker Carlyle V||IFF authentication system|
|US5155490 *||Oct 15, 1990||Oct 13, 1992||Gps Technology Corp.||Geodetic surveying system using multiple GPS base stations|
|US5221925 *||Jul 25, 1991||Jun 22, 1993||Cross Anthony D||Position identification system|
|US5243652 *||Sep 30, 1992||Sep 7, 1993||Gte Laboratories Incorporated||Location-sensitive remote database access control|
|US5434789 *||Oct 6, 1993||Jul 18, 1995||Fraker; William F.||GPS golf diagnostic system|
|US5459473 *||Sep 12, 1991||Oct 17, 1995||Sigtec Navigation Pty Ltd.||GPS receiver|
|US5499294 *||May 24, 1995||Mar 12, 1996||The United States Of America As Represented By The Administrator Of The National Aeronautics And Space Administration||Digital camera with apparatus for authentication of images produced from an image file|
|US5568119 *||Dec 21, 1993||Oct 22, 1996||Trimble Navigation Limited||Arrestee monitoring with variable site boundaries|
|US5577122 *||Dec 29, 1994||Nov 19, 1996||Trimble Navigation Limited||Secure communication of information|
|1||*||Simmons, Contemporary Cryptography, IEEE Press, pp. 221-222, 1992.|
|2||*||Simmons, Contemporary Cryptology, the Science of information integrity, IEEE Press1992, p. 182, 185-187, 193-194, 197-199.|
|Citing Patent||Filing date||Publication date||Applicant||Title|
|US7739741 *||Mar 25, 2003||Jun 15, 2010||British Telecommunications Public Limited Company||Method and apparatus for network security|
|US8531334 *||Nov 6, 2009||Sep 10, 2013||Microsoft Corporation||Location proofs|
|US8997243 *||Dec 5, 2012||Mar 31, 2015||Koninklijke Philips N.V.||Temporal proximity to verify physical proximity|
|US20020023010 *||Mar 20, 2001||Feb 21, 2002||Rittmaster Ted R.||System and process for distribution of information on a communication network|
|US20030145214 *||Jan 28, 2003||Jul 31, 2003||Kabushiki Kaisha Toshiba||Communication device and communication control device with limited copyright protection range|
|US20030217267 *||May 16, 2002||Nov 20, 2003||Kindberg Timothy P.J.G.||Authenticating a web hyperlink associated with a physical object|
|US20040059914 *||Dec 9, 2002||Mar 25, 2004||Broadcom Corporation||Using signal-generated location information to identify and authenticate available devices|
|US20050132166 *||Mar 25, 2003||Jun 16, 2005||Saffre Fabrice T.P.||Method and apparatus for network security|
|US20050160274 *||May 17, 2004||Jul 21, 2005||Takanori Yukimatsu||Content transmission apparatus and content reception apparatus|
|US20110109508 *||May 12, 2011||Microsoft Corporation||Location proofs|
|US20130103947 *||Apr 25, 2013||Koninklijke Philips Electronics N.V.||Temporal proximity to verify physical proximity|
|U.S. Classification||380/258, 713/156, 380/270|
|Cooperative Classification||H04L9/3297, H04L9/3263, H04L2209/805, H04L9/3271|