WO2011064608A1 - Method for operating a data communication system, and data communication system - Google Patents


Info

Publication number: WO2011064608A1
Authority: WO (WIPO (PCT))
Prior art keywords: client, server, data, data communication, communication system
Application number: PCT/HU2010/000129
Other languages: French (fr)
Inventors: Tamás OSZKÓ, Gábor VARGA, Tamás MEGYERI, István FAZEKAS
Original Assignee: Ceudata Kft.
Application filed by: Ceudata Kft.
Publication: WO2011064608A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/045 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply hybrid encryption, i.e. combination of symmetric and asymmetric encryption
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Definitions

  • the invention relates to an operating method for a data communication system as well as to a data communication system.
  • the data communication system comprises at least one server, preferably adapted for controlling by means of control commands and for carrying out administrative tasks, and at least one mobile client suitable for data communication with the server.
  • the data communication system preferably further comprises storage space belonging to the client, a communication channel connecting the client and the server, modules managing the control commands that enable control of the communication parameters of the client by means of the server, among them a module on the client suitable for authenticating the control commands, as well as software means enabling operation of the data communication system.
  • a significant and yet mainly unsatisfied demand presents itself for security applications of mobile apparatuses, due to the fact that, for example, the mobile communication of corporate employees - unlike communication via landline phones - cannot appropriately be recorded. This problem is especially significant in the financial servicing sector. Furthermore, the problem may reduce the value of already existing landline phone and internet monitoring systems to a significant degree.
  • the monitoring of mobile phone communication may be a highly efficient legal risk management means in detecting and preventing misuse of business and misuse of information as well as market manipulation, furthermore potentially increasing reliability and efficiency by urging appropriate business behavior. Although it is impossible to eliminate all conceivable risk factors, the monitoring of mobile phone communication means an important step in establishing an increased security, which enables the company to face both external as well as internal security threats well-prepared.
  • Audio recordings recorded by mobile phones can be linked to speech-to-text converter applications or other speech recognition and analyzing applications, thereby enabling more efficient data transfer.
  • by gathering audio material into a database its content may be converted into written text, which becomes directly utilizable in its converted format.
  • it is an object of the invention to provide a data communication system operating method as well as to create a data communication system, which operating method and data communication system are exempt from the disadvantages of the prior art solutions. It is a further object of the invention to ensure efficient control command authentication and programmed management of the available storage. A further object of the invention is also to provide a solution wherein data recording, client-side data encryption, transfer of encrypted media files as well as safe server-side decryption of them are realized with high security and are exempt from the prior art disadvantages.
  • Fig. 1 is a scheme showing the sequence and direction of the steps of the initial configuration constituting a part of a method according to the present invention
  • Fig. 2 is a scheme depicting the remote control process implementable according to the present invention
  • Figs. 3 and 4 are flow charts showing the reserve allocation and reserve utilization operating modes of reserve memory accumulating algorithm
  • Fig. 5 is a diagram showing the reserve allocation operating mode
  • Fig. 6 is a diagram showing the reserve utilization operating mode.
  • Data storage on the client is temporary: as soon as the data are uploaded to the database of the server, the client deletes them.
  • the data stored by client may be pictures, videos made by means of the mobile phone client, short text messages, data about client location, data about the events of the client, as well as audio recordings, preferably audio recordings of conversations via the mobile client.
  • data interesting from the point of view of security are stored in an encrypted form by the client. Accordingly, the invention deals with various security aspects of the data communication system. These security aspects are presented below.
  • the client is authenticated at the server, in the course of which a trusted relationship is established between the server and the client.
  • the server and the client are mutually identified to each other, and a shared secret is determined for server and client, i.e. preferably information identifying the server is sent from the server to the client, and it is checked and approved on the client.
  • the shared secret known and preferably uniquely generated by the server is stored on the client, as well as a public key is stored for the encryption of client-to-server data communication.
  • the control of communication parameters of the authenticated client by the server via control commands is enabled, and data communication from the authenticated client to the server is controlled from the server through setting of the communication parameters.
  • the control command is preferably sent from the server to the client in the form of a short text message or the client can be controlled by the server via an internet connection, preferably via a secure internet connection, as well.
  • the data communication system according to the invention extends to data gathering, communication and management in order to ensure, on the one hand, that data gathered by the system do not get lost while, on the other hand, no unfitting data may get into the system from outside.
  • the data communication system further extends to ensure also that no party outside the system may take over the control of the data communication system, i.e. no unauthorized server may take the place of the server - or servers - that are part of the data communication system and have controlling and administrative functionalities.
  • the data communication system according to the invention additionally extends to ensure that the data of the data communication system may not be available to unauthorized parties.
  • the data communication system according to the invention further ensures also that it is able to collect, transfer as well as manage data notwithstanding the circumstances.
  • the security system by way of example ensures that a memory of appropriate quantity is always available for data gathering.
  • the operating method of the data communication system according to the invention further extends to ensure that the data corresponding to each individual client event are symmetrically encrypted by means of a session key uniquely generated for each event, which session key is uploaded asymmetrically encrypted onto the server and is stored on the client in a safe place.
  • the security system ensures security aspects as follows. It enables safe installation and initialization of the data communication system, i.e. the installation method of the data communication system ensures that the data communication system is installed onto the telephone without any error, that all security settings are appropriate, as well as that the system is ready for operation. It protects against improper or unauthorized installation in such a way that the data communication system is installable on a given client only if approved by both the data communication system operator and the client user. It also gives protection against undetected removal of the data communication system from the client as well as against undetected pull-out of the client from the system, by way of example by replacing the SIM card.
  • the data communication system further protects against unauthorized control.
  • the data communication system is remotely controllable by means of short text messages (SMS) or via internet protocol (HTTP) based commands, but the data communication system receives intact commands arrived from pre-adjusted senders only.
  • the data communication system ensures safe data storage on the server and the client, safe client-to-server data upload, further guarantees full life-cycle data security, i. e. by recording or temporary storing data in internal memory or the memory card of the phone, by uploading onto server, by storing and managing on server as well as data access on the user interface.
  • the data communication system further ensures data access to appropriately authorized users only.
  • Data protection extends to unauthorized possession of (i.e. stolen or lost) clients as well as to databases stored on a server, in such a way that the data generated by the data communication system (e.g. audio recordings of client phone calls) is stored both on client and server in an encrypted manner, while the data of which the data communication system only made copies (e.g. SMSs) are not encrypted. Encrypted data cannot be decrypted even possessing the full knowledge of the system.
  • Data protection yet further extends to data integrity, namely to ensure that recorded data cannot be modified.
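The per-event hybrid encryption described above (a unique session key for each client event, symmetric encryption of the event data, asymmetric encryption of the session key for the server) together with the integrity requirement, shown as an added Go example. This is not code from the patent or from Ceudata: the concrete algorithms (AES-256-GCM for the data, RSA-OAEP for wrapping the session key), the record layout and all function names are assumptions, and the sample event data and label are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// EncryptedEvent is the record the client keeps and later uploads. The layout
// is an assumption; the description only states that each event's data are
// symmetrically encrypted with a unique session key that is itself
// asymmetrically encrypted for the server.
type EncryptedEvent struct {
	WrappedKey []byte // session key encrypted with the server's public key (RSA-OAEP)
	Nonce      []byte // AES-GCM nonce, fresh for every event
	Ciphertext []byte // event data under the session key, authentication tag appended
	Label      []byte // metadata bound into the tag, e.g. client id and time stamp
}

var ErrIntegrity = errors.New("event rejected: data or label modified, or wrong key")

// NewServerKeyPair generates the asymmetric key pair; only the public half is
// ever handed to the client.
func NewServerKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// ClientEncrypt draws a fresh session key for one event, encrypts the event
// data with it and wraps the key with the server's public key. Holding only
// the public key, the client (or whoever takes the handset) cannot decrypt.
func ClientEncrypt(pub *rsa.PublicKey, label, data []byte) (*EncryptedEvent, error) {
	sessionKey := make([]byte, 32) // AES-256 key, unique per event
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sessionKey, nil)
	if err != nil {
		return nil, err
	}
	return &EncryptedEvent{
		WrappedKey: wrapped,
		Nonce:      nonce,
		Ciphertext: gcm.Seal(nil, nonce, data, label),
		Label:      label,
	}, nil
}

// ServerDecrypt unwraps the session key with the private key and opens the
// event. GCM's tag makes any change to ciphertext or label detectable, which
// covers the integrity requirement as well as confidentiality.
func ServerDecrypt(priv *rsa.PrivateKey, ev *EncryptedEvent) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ev.WrappedKey, nil)
	if err != nil {
		return nil, ErrIntegrity
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	plain, err := gcm.Open(nil, ev.Nonce, ev.Ciphertext, ev.Label)
	if err != nil {
		return nil, ErrIntegrity
	}
	return plain, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	priv, err := NewServerKeyPair()
	if err != nil {
		panic(err)
	}
	label := []byte("client-10|1700000000") // constructed client id and time stamp
	ev, err := ClientEncrypt(&priv.PublicKey, label, []byte("constructed audio bytes"))
	if err != nil {
		panic(err)
	}
	plain, err := ServerDecrypt(priv, ev)
	fmt.Println(string(plain), err)
}
```

Binding the client identifier and time stamp into the associated data ties each recording to its metadata, so a record cannot be silently re-labelled or swapped between clients; the client never needs the private key, which is what makes a lost or stolen handset useless for reading the stored recordings.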
  • the above described security requirements are realized by the following software modules of the data communication system, which will be detailed later.
  • the module responsible for establishing the initial client-server connection, the module responsible for remote control, the module responsible for data recording on the client, the module managing the storage part maintained for the data communication system, the encryption module responsible for encrypting data stored on the client, the module responsible for upload, the module responsible for server-side data storage and access, as well as the decryption module on the server for the decryption of data transferred from the client.
  • Certain security elements of the data communication system are optional and can be turned on or off dependent on user preference.
  • the client in the data communication system is typically a mobile phone and the task of the data communication system is generally the monitoring of mobile phones, therein especially the recording of conversations made by means of the mobile phone clients and uploading them onto a server.
  • the parties of the conversation are advisably notified of the monitoring of the given client, and of the conversation being recorded by means of a perceptible audio signal and/or by a notification message.
  • Use of the data communication system can be suspended by the client user or the data communication system operators, therefore it is possible that from certain conversations or in certain time periods no record is made.
  • the data communication system records the data related to the event into the file system of the telephone, which extends to the internal memory or the memory card of the client.
  • the recorded data contain a location as well as a time stamp.
  • the data communication system transfers the data to the server of the data communication system. While being stored and transferred, the data are encrypted.
  • the transmitted data are stored in a database on the server, which is accessible for the operator of data communication system via a browser-based user interface from any computer being on intra- or internet.
  • the user interface enables access to data stored in the database of the server, structural analysis of data, as well as data processing.
  • the user interface furthermore enables remote control of the applications running on the clients. Remote control happens through secure channels, in this way eliminating any possible intervention of unauthorized persons, any takeover of the control of the data communication system, and unauthorized access to the data of the data communication system.
  • Data stored in the server database can be accessed or retrieved according to various aspects.
  • the data communication system according to the invention can be integrated with other telecommunication monitoring, internal security solutions, which are possibly in use already.
  • the various users can be provided with various user authentications, the users can be organized into groups in the database, preferably along the actual corporate group structure.
  • the data of the group can be managed, retrieved and analyzed jointly.
  • the users can be organized into levels of hierarchy and among the groups overlapping can be realized, namely one user may belong to more groups, and the interrelationship of the groups can be managed on the level of the users.
  • the data communication system provides an effective mapping of the hierarchical, vertical and horizontal structure of any corporate organization. Accordingly, the data communication system provides monitoring of the data of the data communication system best fitting the company needs.
  • Exemplary advantageous functions of the data communication system connected to data arrangement, data and user management are as follows:
  • reporting function i.e. making reports, by way of example on the traffic of the client, search function in the database made up of data uploaded onto the server,
  • event logging i.e. logging of each event of the client and storing of data connected to such events
  • adaptive access point selection algorithm, i.e. selection among secure WiFi (wireless internet) networks, open WiFi networks, and home and roaming network connections
  • the function of management of forms can be used in the following way: application forms comprising questions and fields (with a filling mode of free text, constrained text or choosing from a list) to be filled in as answers can be created on the server. Having sent the forms to the client, the user of the client can fill them in, and after filling the forms are returned to the server. The status of the forms can be tracked on the server, i.e. whether they have been opened, filled in, closed, returned, etc. The data in the forms returned to the server can be utilized in various systematizations.
  • a field of use of the forms can be as follows: in the case of insurance damage settling, the form contains questions arising in the course of damage assessment, and it has to be filled in by the damage inspector in the case of every event.
  • the function of joint management of matters can be used as follows.
  • in a so-called workflow module of the data communication system, matters can be created, which are basically files grouping all events connected to one specific matter.
  • the matters can be created on the server, from where they are downloaded onto an appropriate client; by opening a matter on the client, the user on the one hand gets the basic data of the matter, while on the other hand the user may directly record events, by way of example call records, audio memos, photos, forms and notes, to the particular event.
  • After closing a particular matter all data recorded to that matter are uploaded to the server, where they are managed jointly, i.e. they can be viewed on the server by selecting the particular matter.
  • One possible field of use for joint management of matters is by way of example insurance damage settlement, where all photos, conversations, agreements and any other data may be viewed jointly assigned to a particular damage event.
  • the data communication system has the following main components:
  • the application of the data communication system running on the client operates on the monitored mobile device, which is preferably a mobile phone.
  • the client records and forwards to the server all data generated in the course of the communication using the mobile phone, such as phone calls, SMSs, mobile network cell information, contact lists, audio recordings and photos made by the phone, etc.
  • the server application of the data communication system operates on a central server or on proportioned servers.
  • the user interface of the server is accessible by means of a web browser through intranet or internet.
  • the server functions as the end point of the monitoring, which receives, processes and stores the data received from the corresponding mobile clients, and provides it in a structured format to the authorized user enabling the access, viewing, searching and filtering of them.
  • Another task of the server is to control the monitoring application running on the mobile clients, which includes the configuration thereof, the start-up or stopping of services on demand, furthermore the software update of applications running on the client.
  • the data gathered onto the server by the data communication system can be accessed according to various levels of authorization: basic users can view data collected from their own phones upon signing onto the server. Operators have access to data collected from the phones of their own employees and may retrieve various management purpose reports. Administrators are responsible for operating the data communication system, have access to administrative functions, and have no access to any other data such as business information. Those holding supervisor authorization have access to data uploaded by the clients and control the activity of the administrators.
  • Server-client connection: The monitored devices (clients) and the monitoring end point (server) are connected to each other through two channels: through a mobile network channel and an internet-based data connection channel, which separately or jointly are hereinafter referred to as communication channel.
  • the server sends control commands to client through the mobile network channel in SMS.
  • SMSs are reliable, and offer the only reliable method for server to reach client.
  • the client is also able to send SMSs to the server, the client typically sends alerts to server in such SMSs when it is unable to connect thereto via internet-based data connection.
  • the client forwards the gathered and recorded information to the server as well as downloads the configuration settings comprising changed communication parameters arriving from the server through an internet-based data connection.
  • the communication parameters may, by way of example, be (types of) data expected by the server from the client, period of validity of the time stamp, the maximum size of allocable reserve of storage available for data recording, the minimum size of free memory to be maintained, the size of the memory gap (see below) or the checking frequency of free storage size.
  • the exemplary initial configuration making up a part of the method according to the present invention has steps as illustrated in Fig. 1.
  • the direction of the steps between administrator 12, mobile client 10 and server 11 as indicated in the figure are depicted by arrows.
  • the initial configuration has to be executed for the proper operation of the application running on the client 10.
  • the initial configuration is in all cases implemented by the administrator 12, both on the server 11 and on the client 10. It is prerequisite thereto, that administrator 12 has access to the initial configuration interface of the server 11, to the service and to the client 10 to be configured all at once.
  • administrator 12 registers client 10 and its user on the server 11. During the registration the client 10 receives an identifier which will be used later. Then administrator 12 installs the application running on the client 10 onto the client 10.
  • installation is feasible by means of a data cable or via sending an internet reference link to client 10 in an SMS-based control command as depicted in Fig. 1.
  • the client 10 authenticates the control command, then requests permission from administrator 12 for opening the link received from the server 11.
  • Administrator 12 grants the permission, whereupon the client 10 downloads the installation files of the application running on the clients through a secure connection.
  • After successful installation of the application running on the client 10 onto the client 10, it starts in a so-called standby or unregistered mode.
  • in this operational mode of the client 10 most functions of the application running on the client 10 are not yet in operation; the only option when running the application is the launching of the initial configuration procedure of the application running on the client 10 from the server.
  • the application running on the client 10 is able to receive SMS-based control commands arriving from server 11, however, as no initial trusted relationship has yet been established between client 10 and server 11, the application running on the client 10 solely receives the initial configuration SMS-based control command, and the authorization of the administrator 12 is required for the processing thereof.
  • Launching of the initial configuration procedure of the application running on the client 10 can be initiated by the administrator 12 from the server 11 by sending a special SMS-based control command, which comprises:
  • Character sequence identifying the SMS-based control command: Any arbitrary number of characters, which differentiates the SMS-based control command from any regular SMS, by which we refer to all such SMSs that are not control command SMSs. These are preferably character sequences that are very rare in regular SMSs. This character sequence is known by client 10, based on which it will interpret the incoming SMS as an SMS-based control command.
  • Time stamp: At the moment of issuing the control command, the server 11 creates a time stamp which is sent in the SMS carrying the control command.
  • the time stamp is by way of example the number of seconds elapsed since 1st January 1970, 0 hours 0 minutes 0 seconds, a representation widely used in informatics.
  • While processing the SMS-based control command, the client 10 compares this time stamp with the actual time. If the time stamp included in the SMS carrying the SMS-based control command is older than the period of validity determined in a communication parameter in the client 10, which is practically a few minutes, it will then neglect the control command. In this way, duplicated SMS-based control commands as well as those caught from outside of the data communication system and replayed at a later time can be filtered out.
  • Control command separating character: Any arbitrarily selected character, which is never included in the command text, such as the semi-colon ';'.
  • Initial configuration control command and URL (Uniform Resource Locator- internet reference link): A predefined control command coding the initial configuration procedure of the application running on the client 10, as well as a URL used in the course of the initial configuration procedure, which specifies the availability of the initial configuration data located on the server 11. For the first time the client 10 connects onto this link in order to download the configuration parameters customized according to the exact configuration of the client 10.
  • the trusted relationship is established, after which both the server 11 and the client 10 can be sure that they are communicating with the appropriate remote partner.
  • the initial trusted relationship is established in two steps: the server 11 first identifies itself to the client 10,
  • after the server 11 has successfully identified itself, the client 10 also identifies itself to the server 11.
  • when the SMS containing the initial configuration control command arrives at client 10, it is detected by the application running on the client 10, which, as the SMS starts with the already known character sequence identifying the SMS-based control command, begins to process it. If, however, the identification character sequence is inappropriate, the client 10 will reject the control command. First, the time stamp is checked in the above-described manner. If the time stamp is inappropriate, the client 10 neglects the SMS-based control command; if, however, the time stamp is appropriate, it continues with the processing. In the course of the processing, it interprets the initial configuration control command and the URL. In unregistered operating mode the application running on the client 10 receives solely the initial configuration command out of the commands arriving from the server 11.
  • the phone number from which the SMS-based control command arrived, the configuration URL (as well as the most essential parts thereof, such as the name of the server) or optionally any other such information appears on the display of the client 10 mobile phone, by means of which the administrator 12 can make sure that the SMS-based control command that arrived at the client 10 is exactly the one he or she sent from the server 11. If the displayed data are correct, the administrator 12 proceeds with the initial configuration procedure of the application running on the client 10; in the opposite case, the procedure is discontinued and the application running on the client 10 returns to an unregistered state. If the initial configuration can be continued, following an approval by administrator 12, the application running on the client 10 presumes that the server 11 with which it will communicate is effectively the server 11 within the data communication system and not an unauthorized server outside the data communication system.
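Client-side handling of an SMS-based control command in unregistered mode, as described in the preceding items (sender restriction, identifying character sequence, time stamp validity period, separating character, and acceptance of the initial configuration command only), shown as an added Go example that is not the patent's or Ceudata's code. The wire format, the identifying sequence `#CTRL#`, the command name `INIT`, the five-minute validity period and the server's sender number are all assumptions. The duplicate filter inside the validity window is an addition: the time stamp alone cannot tell an exact duplicate from the original while both are still inside the window.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Assumed wire format (not the patent's exact one): fields joined by the
// separating character ';' in this order:
//   <identifying character sequence> ; <time stamp> ; <command> [ ; <argument> ]
// e.g. "#CTRL#;1700000000;INIT;https://server.example/cfg"
const (
	cmdIdentifier   = "#CTRL#"      // sequence rare in regular SMSs (assumed value)
	separator       = ";"           // never appears in command text
	validitySeconds = 300           // period of validity parameter (assumed: 5 minutes)
	initCommand     = "INIT"        // initial configuration command (assumed name)
	serverMSISDN    = "+3612345678" // constructed number of the server's SMS module
)

type ControlCommand struct {
	Timestamp int64 // seconds since 1970-01-01 00:00:00, as the description uses
	Command   string
	Argument  string // e.g. the configuration URL of the initial configuration command
}

var (
	ErrUntrustedSender   = errors.New("sender is not the pre-adjusted server number")
	ErrNotControlCommand = errors.New("regular SMS, not a control command")
	ErrMalformed         = errors.New("malformed control command")
	ErrExpired           = errors.New("time stamp outside validity period (stale or replayed)")
	ErrDuplicate         = errors.New("identical command already processed inside the validity period")
	ErrNotAllowed        = errors.New("only the initial configuration command is accepted in unregistered mode")
)

// ParseControlCommand applies the checks in the order the description gives:
// sender, identifying character sequence, time stamp, then the command text.
// nowUnix is the client's current time in seconds.
func ParseControlCommand(sender, sms string, nowUnix int64) (*ControlCommand, error) {
	if sender != serverMSISDN {
		return nil, ErrUntrustedSender
	}
	if !strings.HasPrefix(sms, cmdIdentifier+separator) {
		return nil, ErrNotControlCommand
	}
	parts := strings.Split(sms, separator)
	if len(parts) < 3 || parts[2] == "" {
		return nil, ErrMalformed
	}
	ts, err := strconv.ParseInt(parts[1], 10, 64)
	if err != nil {
		return nil, ErrMalformed
	}
	// A time stamp older than the validity period is neglected; one too far in
	// the future cannot be genuine either, so it is neglected as well.
	if age := nowUnix - ts; age > validitySeconds || age < -validitySeconds {
		return nil, ErrExpired
	}
	cc := &ControlCommand{Timestamp: ts, Command: parts[2]}
	if len(parts) > 3 {
		cc.Argument = parts[3]
	}
	return cc, nil
}

// ReplayFilter remembers commands accepted inside the validity window so that
// an exact duplicate arriving while the original is still valid is dropped too.
type ReplayFilter struct {
	seen map[string]int64 // SMS text -> time of acceptance
}

func NewReplayFilter() *ReplayFilter { return &ReplayFilter{seen: map[string]int64{}} }

// Accept runs ParseControlCommand and then the duplicate check.
func (f *ReplayFilter) Accept(sender, sms string, nowUnix int64) (*ControlCommand, error) {
	cc, err := ParseControlCommand(sender, sms, nowUnix)
	if err != nil {
		return nil, err
	}
	for text, at := range f.seen { // forget entries that aged out of the window
		if nowUnix-at > validitySeconds {
			delete(f.seen, text)
		}
	}
	if _, dup := f.seen[sms]; dup {
		return nil, ErrDuplicate
	}
	f.seen[sms] = nowUnix
	return cc, nil
}

// AcceptInUnregisteredMode models the standby state: everything but the
// initial configuration command is refused, and even that one still needs the
// administrator's approval on the handset before it is acted upon.
func AcceptInUnregisteredMode(cc *ControlCommand) error {
	if cc.Command != initCommand {
		return ErrNotAllowed
	}
	return nil
}

func main() {
	f := NewReplayFilter()
	sms := "#CTRL#;1700000000;INIT;https://server.example/cfg" // constructed
	cc, err := f.Accept(serverMSISDN, sms, 1700000100)
	fmt.Println(cc, err) // parsed command, <nil>
	_, err = f.Accept(serverMSISDN, sms, 1700000110)
	fmt.Println(err) // duplicate inside the window
}
```

The sender check corresponds to accepting commands from pre-adjusted senders only; on its own it is a filter rather than an authenticator, which is why the description later adds a per-client shared secret for signing the control commands once the trusted relationship exists.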
  • the next step involves the identification of the client 10 to server 11.
  • the administrator 12 marks on the server 11 that the SMS-based control command has successfully arrived at client 10, which is indicated by the appearance of the aforementioned security question on the display of the client 10 mobile phone.
  • the server 11 generates a unique random character sequence, which is visible to administrator 12 on the user interface of server 11.
  • the application running on the client 10 displays another dialog window, to be filled in by administrator 12 with the aforementioned unique random character sequence generated by the server 11. This unique random character sequence is exclusively known by the administrator 12.
  • the client 10 connects to the server 11 via a secure HTTPS (HyperText Transfer Protocol Secure - secure data transfer protocol on the internet) connection to the URL sent in the SMS-based control command, to which the typed-in unique random character sequence is appended.
  • the server 11 checks whether the sent unique random character sequence is identical with the unique random character sequence generated on the server 11. If the unique random character sequence is appropriate, the server 11 presumes also that the client 10 it is communicating with is really the appropriate client 10.
  • the server 11 generates a configuration to be applied by the given client 10, a part of which is the shared secret, to be later used for identification of the SMS-based control commands by client 10 as well as functioning as a symmetric key for signing the control commands.
  • server 11 sends the configuration applicable on client 10 to client 10.
  • a configuration is downloaded from the server 11 to client 10 preferably for customizing the application running on the client 10, applicable by client 10.
  • the shared secret included in the configuration is unique for each individual client 10, and it is securely stored by server 11.
  • the shared secret is a random character sequence to be used as key in cryptographic processes.
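The client identification step (server-generated unique random character sequence typed in by the administrator and checked by the server), the issuing of the per-client shared secret in the configuration, and the later use of that secret as a symmetric key for signing control commands, as an added Go example that is not the patent's or Ceudata's code. The HTTPS transport is simulated by a direct function call, HMAC-SHA256 is assumed as the signing primitive, and all names and the message layout are assumptions; consuming the random character sequence on first use, whether or not it matched, is an addition.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Server holds, per client identifier, the one-time random character sequence
// shown to the administrator and the shared secret issued afterwards.
type Server struct {
	pending map[string]string
	secrets map[string]string
}

func NewServer() *Server {
	return &Server{pending: map[string]string{}, secrets: map[string]string{}}
}

func randomHex(nBytes int) string {
	b := make([]byte, nBytes)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

// IssueChallenge generates the unique random character sequence that the
// administrator reads from the server user interface and types into the client.
func (s *Server) IssueChallenge(clientID string) string {
	seq := randomHex(8)
	s.pending[clientID] = seq
	return seq
}

// Configuration is what the client downloads over HTTPS once identified.
type Configuration struct {
	SharedSecret string // unique per client; symmetric key for signing control commands
}

var (
	ErrIdentificationFailed = errors.New("client identification failed")
	ErrBadSignature         = errors.New("control command signature does not verify")
)

// Configure models the HTTPS request carrying the typed-in sequence. The
// comparison is constant-time and the sequence is consumed on first use, so a
// mistyped attempt forces the administrator to issue a fresh sequence.
func (s *Server) Configure(clientID, typed string) (*Configuration, error) {
	expected, ok := s.pending[clientID]
	if !ok {
		return nil, ErrIdentificationFailed
	}
	delete(s.pending, clientID)
	if subtle.ConstantTimeCompare([]byte(expected), []byte(typed)) != 1 {
		return nil, ErrIdentificationFailed
	}
	cfg := &Configuration{SharedSecret: randomHex(32)}
	s.secrets[clientID] = cfg.SharedSecret
	return cfg, nil
}

// tag computes HMAC-SHA256 over the command body, keyed with the shared secret.
func tag(secret, body string) string {
	m := hmac.New(sha256.New, []byte(secret))
	m.Write([]byte(body))
	return hex.EncodeToString(m.Sum(nil))
}

// SignCommand appends the tag to a control command body (identifier, time
// stamp and command text, as in the SMS layout) for one specific client.
func (s *Server) SignCommand(clientID, body string) (string, error) {
	secret, ok := s.secrets[clientID]
	if !ok {
		return "", errors.New("client has not completed the initial configuration")
	}
	return body + ";" + tag(secret, body), nil
}

// VerifyCommand is the client-side check: split off the tag and recompute it
// with the stored shared secret. hmac.Equal compares in constant time.
func VerifyCommand(cfg *Configuration, signed string) (string, error) {
	i := strings.LastIndex(signed, ";")
	if i < 0 {
		return "", ErrBadSignature
	}
	body, got := signed[:i], signed[i+1:]
	if !hmac.Equal([]byte(got), []byte(tag(cfg.SharedSecret, body))) {
		return "", ErrBadSignature
	}
	return body, nil
}

func main() {
	srv := NewServer()
	seq := srv.IssueChallenge("client-10")     // administrator reads this from the UI
	cfg, err := srv.Configure("client-10", seq) // administrator types it into the client
	fmt.Println(err)
	signed, _ := srv.SignCommand("client-10", "#CTRL#;1700000000;STOP")
	body, err := VerifyCommand(cfg, signed)
	fmt.Println(body, err)
}
```

Because the secret is unique per client, a command signed for one handset does not verify on another, and a command whose text was altered in transit fails the check; the time stamp inside the signed body keeps the earlier replay filtering in force.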
  • After the configuration is downloaded by the client 10, it is stored in the storage space made available for data communication system data, which cannot be accessed by any of the other applications running on the client 10 mobile phone. This service can be ensured by most of the mobile phone platforms.
  • the thus stored configuration comprises all such settings that are necessary for enabling the application running on the client 10 to operate without any human intervention as well as to enable that it is suitable to receive and process SMS-based control commands sent from server 11.
  • client 10 downloads from server 11 the public keys of the asymmetrical encrypting key-pairs. These can be downloaded from the security service on the server, which sends the public keys according to the configuration applicable on the given client 10. After successful download of the public keys by the client 10, it stores them in a storage allocated for storing the data of data communication system.
  • the client 10 launches all application components necessary for normal operation and for the purposes of security testing it uploads a status file onto the server 11, namely a status report of completed authentication is sent from the client 10 to the server 11. This file is then uploaded in accordance with the configuration settings received from the server 11.
  • the application running on the client 10 starts normal operation.
  • the administrator 12 registers on the server 11 that the initial configuration is completed on the concerned client 10 and that the application running on the client 10 is operable. From a security point of view, therefore, the following configuration parameters are required for the operation of the application running on the client 10:
  • the URLs of the remote services located on the server 11, by way of example the URL of data upload, where the client 10 can upload all data gathered thereby, the URL of the security module service, from where the client 10 can download security services such as the public keys, and the URL of the HTTP remote management service in connection with control tasks,
  • the MSISDN (Mobile Station International Subscriber Directory Number, the unique subscriber identification number on the actual mobile network, i.e. the mobile phone number) of the SMS message sending module of the server 11,
  • a significant key element of data communication system is the remote control of applications running on the client 10 from server 11, including also the remote configuration of communication parameters of the system, and the secure operation thereof is provided by the data communication system.
  • the above-described initial configuration is a prerequisite for the secure operation of the remote control, during which the server 11 and the client 10 mutually identify each other, the client 10 receives from the server 11 the configuration to be applied on the client 10 and required for its operation, and the client 10 receives on the server 11 the status of an operable and controllable device.
  • HTTP: HyperText Transfer Protocol
  • Two widely applied solutions offer themselves for controlling the client 10 mobile phones from the server 11: Internet communication protocol-based control, e.g. HTTP (HyperText Transfer Protocol), as well as control by means of specially formulated SMS-based control commands.
  • HTTPS: HyperText Transfer Protocol Secure
  • HTTPS protocol requires the server 11 to identify itself to client 10, and if it is unsuccessful, the connection for control will not be established.
  • the shared secret can be easily used, on which the client 10 and the server 11 agreed in the course of initial configuration.
  • the client 10 does not directly send the shared secret but a cryptographic hash thereof, which by way of example can be generated by means of SHA-1 (Secure Hash Algorithm, i.e. a cryptographic hash algorithm).
  • the server 11 is able to check this, as the shared secret is also available on the server 11, and the server 11 compares the hash calculated therefrom with the hash sent by the client 10. It is a significant disadvantage of HTTP protocol-based remote control that the server 11 is unable to reach the client 10 via this protocol; only the client 10 can initiate a connection with the server 11. In other words, so-called push-based management cannot be achieved.
  • In the case of SMS-based control, however, the network operator does not provide security solutions for checking that the SMS is genuine and intact. Any person skilled in the art is able to generate an SMS-based control command that syntactically satisfies the format of an SMS-based control command expected by the application running on the client 10, is able to fake the sender of the SMS carrying the control command, and is able to make the client 10 believe that the SMS-based control command had been sent by the server 11. Moreover, any person skilled in the art is able to catch SMS-based control commands arriving from the server 11 and, by changing their contents, instruct the application running on the client 10 to behave undesirably.
  • SMS-based control has additional limitations also.
  • the size of one SMS, depending on the coding of the SMS, may range from 120 to 160 alphanumeric characters. Since, in the case of outgoing SMSs, invoicing is based on the number of SMSs, sending a high volume of SMSs may incur significant costs; therefore it is a basic requirement that one control command fits into one SMS.
  • a further significant limitation of the solution is posed by the fact that most mobile services allow solely alphanumeric characters to be included in SMSs, thus arbitrary binary data cannot be sent in this case.
  • a time stamp, as described above, is attached to each SMS-based control command by the server 11.
  • the client 10 compares this time stamp with the actual time. If the difference of the time stamp and the actual time falls outside of the validity period stored in the configuration settings of the client 10, the SMS-based control command is bypassed by client 10.
  • This solution may eliminate any re-sent, old, or expired control commands.
  • the client 10 may store the time stamps of all successfully received control commands as long as they fall into the validity period, and thus, using this stored list, one time stamp is accepted once only. If, therefore, any command has previously been received with the same time stamp, the client 10 rejects the control command.
  • This solution can eliminate any SMS-based control command caught and re-sent by a party outside of the data communication system.
  • the client 10 checks in the case of each control command whether the MSISDN of the SMS sender agrees with the number included in its configuration.
  • the server 11 authenticates each individual SMS carrying a control command by attaching a MAC (Message Authentication Code: short information generated from a message, authenticating the message), i.e. an authentication code, to the SMS, which is then checked by the client 10.
  • the authentication code may be generated by means of the HMAC generating process known from cryptography (Hash-based Message Authentication Code: a specially generated MAC for which a cryptographic hash algorithm and a secret key are used). It is an advantage of this solution that it solves two security issues at the same time. On one hand it identifies the server 11 to the client 10, as the key used for the HMAC process is the shared secret of both the client 10 and the server 11, which had been agreed in the course of the initial configuration.
  • the HMAC does not consist only of alphanumeric characters, therefore the HMAC is to be converted into an alphanumeric format so as to be reliably usable in an SMS.
  • SHA-1 cryptographic hash function can be used by the data communication system for HMAC generation.
  • the secure SMS-based control commands are generated by the server 11 in the following steps; the messages therefore contain the identification character sequence, the time stamp as well as the control command in an encrypted manner:
  • the time stamp of the SMS-based control command, i.e. the number of seconds elapsed since 0 hours, 0 minutes, 0 seconds on the 1st of January 1970, in an alphanumeric form, the format of which is by way of example 't1229904000', where the character 't' is the identifier of the time stamp and in turn '1229904000' is the number of seconds.
  • the HMAC is calculated for the thus generated control command character sequence by using the SHA-1 cryptographic hash algorithm, and the key used for the HMAC is the shared secret of the client 10 and the server 11, on which they agreed in the course of the initial configuration.
  • the thus generated identification code is binary data of a length of 20 bytes, arbitrarily containing bytes between 0x00 and 0xFF, where the '0x' prefix indicates that the hexadecimal numeral system is used, and the range represented by one byte is confined between the hexadecimal numbers 00 and FF.
  • the identification code obtained in the previous step is to be converted into an alphanumeric format so as to enable its delivery in an SMS.
  • the server 11 simply uses the alphanumeric representation of the hexadecimal codes of the bytes. As every byte may be represented by 2 hexadecimal characters, the identification code having a length of 20 bytes can be represented by 40 alphanumeric characters, by way of example in the form '2F81A5A2424E56AEA8B69F6CD8AA506CBFFC2A79'.
  • the server 11 generates the SMS-based control command from the character sequences generated according to points 3 and 5, which is according to the above example
  • the SMS-based control command generated as described hereabove comprises solely alphanumeric characters and is tagged with a time stamp, which enables the client 10 side inspection to filter out duplicated or expired commands.
  • the application running on the client 10 is thus assured that the message has arrived from the server 11 of the data communication system and that its contents have not been changed.
  • the client 10 executes the following steps in connection with the inspection of the SMS-based control command:
  • it checks the time stamp of the SMS-based control command, calculates the difference between this time stamp and the one stored according to point 5, checks whether it fits into the validity period defined in the configuration, and moreover checks whether any command had been received from the server 11 with the time stamp stored according to point 5. If the validity period of the time stamp has expired, or an SMS-based control command has already been received from the server 11 with the same time stamp, then the processing of the SMS is aborted.
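The server-side generation steps and the client-side checks above, as an added worked example (not code from the patent): the time stamp is rendered as 't' plus epoch seconds, the HMAC-SHA1 keyed with the shared secret is hex-encoded to 40 characters, and the client verifies the sender MSISDN, the HMAC, the validity window and the list of already-accepted time stamps. The fixed-width layout of the SMS (the page's own example of the assembled message is truncated), the shared secret and the MSISDN are constructed assumptions.

```python
import hashlib
import hmac

TS_DIGITS = 10     # epoch seconds as a fixed-width decimal field (assumed layout)
TAG_HEX_LEN = 40   # SHA-1 digest: 20 bytes -> 40 hex characters (page, step 5)


def _mac(shared_secret: bytes, body: str) -> str:
    """HMAC-SHA1 over the time-stamped command, keyed with the shared secret,
    rendered as 40 upper-case hex characters (the page's alphanumeric form)."""
    return hmac.new(shared_secret, body.encode("ascii"), hashlib.sha1).hexdigest().upper()


def build_control_sms(command: str, shared_secret: bytes, now: int) -> str:
    """Server side. Assumed layout, fixed width so the SMS stays alphanumeric:
    't' + 10-digit epoch seconds + command + 40-hex HMAC."""
    if not command.isalnum():
        raise ValueError("command must be alphanumeric to fit an SMS")
    body = f"t{now:0{TS_DIGITS}d}{command}"
    sms = body + _mac(shared_secret, body)
    if len(sms) > 160:
        raise ValueError("control command must fit into one SMS")
    return sms


class ControlCommandVerifier:
    """Client side: sender MSISDN, HMAC, validity window and replay list."""

    def __init__(self, shared_secret: bytes, server_msisdn: str, validity_seconds: int):
        self._secret = shared_secret
        self._server_msisdn = server_msisdn
        self._validity = validity_seconds
        self._seen = {}   # accepted time stamp -> time of acceptance

    def _prune(self, now: int) -> None:
        # Stored time stamps are only needed while they could still be valid.
        self._seen = {ts: t for ts, t in self._seen.items() if abs(now - ts) <= self._validity}

    def check(self, sender_msisdn: str, sms: str, now: int):
        """Return (accepted, reason, command); the reason is for the client's log."""
        if sender_msisdn != self._server_msisdn:
            return False, "sender MSISDN mismatch", None
        if len(sms) < 1 + TS_DIGITS + TAG_HEX_LEN + 1 or sms[0] != "t":
            return False, "malformed", None
        body, tag = sms[:-TAG_HEX_LEN], sms[-TAG_HEX_LEN:]
        ts_field, command = body[1:1 + TS_DIGITS], body[1 + TS_DIGITS:]
        if not ts_field.isdigit():
            return False, "malformed", None
        # Authenticity and integrity first: a forged or altered SMS never
        # reaches the time-stamp logic. Constant-time comparison of the tags.
        if not hmac.compare_digest(_mac(self._secret, body), tag):
            return False, "HMAC mismatch", None
        ts = int(ts_field)
        self._prune(now)
        if abs(now - ts) > self._validity:
            return False, "outside validity period", None
        if ts in self._seen:
            return False, "duplicate time stamp (replay)", None
        self._seen[ts] = now
        return True, "ok", command
```

The verifier checks the MAC before it looks at the time stamp, so the replay list only ever holds time stamps of messages that were proven to come from the server; an attacker without the shared secret cannot fill it. The list is pruned to the validity window, which is exactly as long as the page's "one time stamp is accepted once only" rule needs it.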
  • the block diagram of the remote control is depicted in Fig. 2.
  • the mobile phone communicates with the server 11 by means of SMSs through the mobile network.
  • a so-called Core module operates the remote control.
  • This module is connected to a database 13, wherein the data of the mobile phone clients 10 are located, by way of example user, phone number, etc., and where, by way of example, the actual state of the initial configuration is also stored in the course of the above-described initial configuration.
  • Sending of the SMS-based control commands required for remote control is initiated by the Core module by using the SMS Daemon module.
  • This module moves the SMS-based control commands to be sent into the SMS Outbox folder in a file format appropriate for the SMS Modem.
  • the SMS Modem attends to this folder and once a file in appropriate file format is created in the SMS Outbox folder, it is then processed and sent to the specified mobile phone through the mobile network.
  • the system illustrated in Fig. 2 is suitable for receiving and processing SMSs arriving from a mobile phone, by way of example when the mobile phone sends out an alert in an SMS to the server 11.
  • the incoming SMSs are received by the SMS Modem and are stored in its own memory. At regular intervals, the SMS Daemon reads the SMSs stored in the memory of the SMS Modem, and saves them in appropriate file formats into the SMS Inbox folder.
  • the SMS Processing component reads the files from this folder, stores them in the database 13 and sends a report of SMS receipt to the server 11; following successful storage, the file is deleted from the folder. From the aspect of recording, there may be two types of data managed by the data communication system:
  • Data generated by the data communication system: data which would not be recorded or stored in the memory of the client 10 without the use of the data communication system.
  • audio recordings of phone calls belong to this category.
  • the processing of data which are recorded in the course of using the data communication system, such as the aforementioned audio recordings, is of essential importance, as the presence of these data means an increased risk factor for the mobile phone user as compared to the state where the data communication system is not used; by way of example, in the case of losing the mobile phone, these data would also be accessible. Therefore, the data communication system comprises cryptographic processes corresponding to the data generated in this way.
  • the application of the data communication system running on client 10 saves the recorded data into the internal memory of the mobile phone. If necessary, by way of example when the available internal memory is not enough, the data can also be saved to an external memory of the mobile phone by the application running on client 10.
  • the storage belonging to the client 10 therefore is the internal memory of the client 10 or if necessary its external memory.
  • the data are placed in a part of the storage reserved for the data communication system, which cannot be accessed by any of the other applications running on the client 10 or by the user of the client 10. Unauthorized possession of the mobile phone and unauthorized access to the stored files cannot be fully excluded, presuming above-average technical conditions, professional knowledge and an arbitrary amount of expended time. Therefore, and for the reasons detailed above, the data are stored in an encrypted form.
  • the cryptographic process used by the data communication system satisfies requirements as follows:
  • Data integrity: protects against unauthorized modification of the stored data.
  • Data loss exemption: notwithstanding encryption, the data are continuously and promptly recorded. If data recording unexpectedly aborts, by way of example if the energy source of the client 10 drains, the recorded portion of the recording in progress will not be lost and the recorded files can be uploaded after trouble-shooting.
  • Error-tolerance: no unexpected error, by way of example draining of the energy source of the client 10, will cause unencrypted storage of data.
  • One of the most significant fields of application of the data communication system is taking audio recordings of the mobile phone client 10 calls.
  • the encryption of audio recordings is done by means of so-called on-the-fly encryption.
  • Incoming audio stream is put into a temporary RAM location, where it is encrypted, then the encrypted data is stored in the internal memory or the external memory of the mobile phone client 10.
  • the size of the temporary memory location depends on implementation optimization, and typically contains audio recording data of a few tenths of a second or less.
  • the security system of the data communication system uses a hybrid encryption process for data encryption, by the combined use of symmetric and asymmetric encryption:
  • the session key is encrypted in an asymmetric way by means of the public keys, and solely the encrypted session key is then stored on the client 10. As the session key is stored in an encrypted form of this manner, it can only be decrypted in possession of the appropriate private key belonging to the public keys.
  • the specific session key is uploaded onto the server 11 in such an encrypted way.
  • the file comprising the data belonging to the individual events is encrypted by means of the session key and is uploaded to the server 11 in an encrypted format.
  • the public asymmetric keys used for session key encryption are downloaded by the client of the data communication system from the server 11 in the course of the initial configuration.
  • the session key used for file encryption is preferably a cryptographic random number, the SHA-1 hash value of the first 512 bytes of the file to be encrypted. If the size of the file to be encrypted is less than 512 bytes, then the hash is calculated from the entire file. As 512 bytes equal less than one second of an audio recording, this happens very rarely.
  • as the session key is generated in a known manner, by means of a public process, without the use of random numbers, the risk of any attack taking advantage of a random-number-generator error can be eliminated.
  • the 'master key' function hidden in the session key generation may further be excluded.
  • the 'master key' function means that by inputting any kind of supplemental information during encryption, developers or any unauthorized user may decrypt the audio recording. This is impossible with the applied encryption, as by means of public key encryption, the decryption of the hash generation enables checking whether the hash of the beginning of the audio recording has really been used as the session key. By applying the above solutions, it is ensured that if any confidential information should leak out, the responsibility of the data communication system and that of the developers can be excluded through inspection of the program code. Data integrity is provided for by generating the cryptographic checksum of the original data during recording, by way of example by using the SHA-1 cryptographic algorithm. At the end of the recording, the checksum is asymmetrically encrypted by means of the public key.
  • the integrity of the uploaded data is checked by the server 11.
  • the server 11 decrypts the uploaded data file, and generates a checksum in an identical manner as the client 10. Then the uploaded checksum is decrypted. If the checksum calculated on the server 11 and the uploaded checksum mismatch, the uploaded data are either damaged or modified.
  • the recorded files are stored in the internal memory or the external memory of the mobile phone client 10.
  • the original time stamp of the files is stored in the internal memory of the phone even if the audio recording is stored in the external memory.
  • the time stamp stored in the internal memory is compared to the time stamp stored together with the audio recording. If the two time stamps mismatch, it may indicate an attempted or accomplished data modification, namely the external memory has been manipulated, therefore an alert is sent by the client 10 of the data communication system to the server 11. Nevertheless, the client 10 executes the upload, as the integrity-check of the encrypted file is only possible on the server 11.
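The session-key derivation, on-the-fly encryption and server-side integrity check described above, as an added example that is not the patent's code: the session key is the SHA-1 of the first 512 bytes of the recording (the whole recording if shorter), a running SHA-1 of the original data serves as the checksum, and the server decrypts, recomputes the checksum and also confirms that the session key really is the hash of the recording's beginning, which is the 'master key' exclusion check. The page does not name the symmetric cipher, so an HMAC-SHA256 keystream in counter mode stands in for it; the chunk size is an assumption, and the asymmetric wrapping of session key and checksum with the server's public key is taken as done elsewhere.

```python
import hashlib
import hmac
import struct

KEY_PREFIX = 512   # session key = SHA-1 of the first 512 bytes (page)
CHUNK = 512        # bytes encrypted per on-the-fly step (assumption: a few tenths of a second of audio)


def derive_session_key(data: bytes) -> bytes:
    """SHA-1 of the first 512 bytes of the recording, or of the whole recording if shorter."""
    return hashlib.sha1(data[:KEY_PREFIX]).digest()


def _keystream(session_key: bytes, block_index: int, length: int) -> bytes:
    """Stand-in stream cipher: HMAC-SHA256(session_key, block || counter) in counter mode."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(session_key, struct.pack(">QQ", block_index, counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Recorder:
    """Client side. Audio arrives in small pieces; the first 512 bytes must sit
    in RAM until the key exists, after that every full chunk is encrypted and
    written out at once (data loss exemption, error tolerance)."""

    def __init__(self):
        self._buf = b""
        self._key = None
        self._blocks = []                 # encrypted chunks already on storage
        self._checksum = hashlib.sha1()   # integrity checksum of the original data

    def feed(self, audio: bytes) -> None:
        self._checksum.update(audio)
        self._buf += audio
        if self._key is None:
            if len(self._buf) < KEY_PREFIX:
                return                    # key not derivable yet
            self._key = derive_session_key(self._buf)
        while len(self._buf) >= CHUNK:
            self._emit(self._buf[:CHUNK])
            self._buf = self._buf[CHUNK:]

    def _emit(self, plain: bytes) -> None:
        index = len(self._blocks)
        self._blocks.append(_xor(plain, _keystream(self._key, index, len(plain))))

    def blocks_so_far(self):
        """What survives on storage if power fails before finish()."""
        return list(self._blocks)

    def finish(self):
        """Flush the tail. Returns (blocks, session_key, checksum); the caller
        wraps session key and checksum with the server's public key."""
        if self._key is None:             # recording shorter than 512 bytes
            self._key = derive_session_key(self._buf)
        if self._buf:
            self._emit(self._buf)
            self._buf = b""
        return list(self._blocks), self._key, self._checksum.digest()


def server_verify(blocks, session_key: bytes, uploaded_checksum: bytes):
    """Server side, after unwrapping key and checksum with the private key:
    decrypt, recompute the SHA-1 checksum and compare it with the uploaded one,
    and confirm the session key is the hash of the recording's beginning.
    Returns (plaintext, checksum_ok, key_ok)."""
    plain = b"".join(_xor(c, _keystream(session_key, i, len(c))) for i, c in enumerate(blocks))
    checksum_ok = hmac.compare_digest(hashlib.sha1(plain).digest(), uploaded_checksum)
    key_ok = hmac.compare_digest(derive_session_key(plain), session_key)
    return plain, checksum_ok, key_ok
```

Two consequences of the page's design show up directly: the first 512 bytes cannot be encrypted before the key exists, so that much of a recording is the most that power loss can cost, and a recording cut short still decrypts up to its last complete chunk, with the checksum then flagging it as incomplete rather than silently accepting it.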
  • Data gathered and stored on the client 10 are uploaded by the client 10 of the data communication system via a secure internet connection, the HTTPS protocol, to the server 11; namely, the communication channel ensuring data transfer from the client 10 to the server 11 is an internet connection, preferably a secure internet connection.
  • the HTTPS protocol automatically provides the client 10 with the identification of the server 11, for which it is only required to install a certificate issued by a trusted organization onto the server 11.
  • the identification of the client 10 to the server 11 is simply solved by the data communication system by means of sending an individual identifier.
  • the configuration received from the server 11 to be applied on the client 10 comprises an individual identifier unequivocally identifying the given client 10 on the server 11.
  • the individual identifier is the 'client_2F81A5A242' parameter.
  • data stored on the client 10 in an encrypted manner are stored, once uploaded, on the server 11 in an encrypted manner as well.
  • the private keys of the asymmetric key pairs required for decryption are stored neither on the server 11 nor on the client 10 in the data communication system.
  • a given file by way of example an audio recording is decrypted solely while being played or opened on the computer used by user - from where the user accesses the web platform of the server 11 - in such a manner that the decrypted data is exclusively stored in the RAM of the computer, which is extraordinarily advantageous in terms of security.
  • each user having authentication to re-play the audio recording has a username-password combination, where the password is never stored in the data communication system.
  • This username-password pair is a pair applicable for the deciphering of encrypted files solely; therefore it has to differ from every other username-password pair used by the security system of the data communication system for user identification.
  • An asymmetric key pair can be calculated from this pair in a deterministic manner by means of known cryptographic process, which comprises a public as well as a private key.
  • the public key of the key pair is stored by the server 11 and is transferred to the appropriate clients 10, while the private key is stored solely in the computer RAM. This public key is used by the client 10 for file encryption in a way as described hereabove.
  • When a user connects to the server 11 via an internet connection and desires to play an encrypted audio file, he/she is required to enter his/her username and password, from which the player calculates the private key; the audio file is decrypted in real time while being played, and the decrypted audio samples are destroyed once played.
  • the audio player requires certain cryptographic algorithms on the computer of the user, therefore it can be created either as a so-called 'thick client', i.e. by applying software especially developed for this purpose, or via Java Applet (an application which is able to run in a web browser, written in the Java programming language) or ActiveX (a non-language-specific framework defining reusable software components) technologies in the case of a web-based so-called 'thin client'.
  • the intelligent storage method contributes to satisfying a requirement of great significance namely that a storage space of appropriate size should be always available for data recording, as any possible shortage of storage space would cause immediate data loss.
  • the application of the data communication system running on client 10 records the data into internal memory or external memory of the mobile phone.
  • a reserve is allocated by the client 10.
  • a portion of the client 10 storage is maintained which is determined by a communication parameter controlled by the server 11, and in order to ensure sufficient storage space available for the data recording, a reserve is created in the maintained portion.
  • the reserve is created in such a way that filling files are written onto the maintained portion so as to bar access to the maintained portion by any client applications other than the data communication system application running on client 10.
  • the basis of the intelligent storage technology is the reserve memory allocation algorithm, providing always for sufficient storage availability for the storage of data recorded by the software, i.e. allocating data record reserve.
  • the client 10 utilizes the reserve as per demand, while in the liberated storage portion it re-allocates the reserve as soon as possible.
  • the aim is to maintain free memory space at a low level in order to bar use of the memory by other applications; by way of example, if taking photos falls outside the functions of the data communication system, then there should not be enough memory for taking pictures, while at the same time memory should be ensured for the purposes of data recording by the data communication system.
  • Figs. 3 and 4 are connected to each other in points (1) and (2).
  • the client 10 mobile phone memory may be divided into three categories from the aspect of usability of data communication system, which are the following:
  • the memory reserve allocation algorithm operates with the following parameters:
  • Maximum allocable reserve: a communication parameter, the maximum value of the reserve. Its value is preferably set as a function of the expected data volume, by way of example to a 3-hour audio call record, 15 large-size photos, etc.
  • Minimum maintainable free memory space: a communication parameter, the target value of free memory in case of low memory. Its value is preferably set to a level where basic phone functions (phone call, SMS, contact list, etc.) operate undisturbed, but high memory usage applications, by way of example camera or video camera, if these do not belong to the data communication system functions, cannot be used for reasons of memory shortage.
  • basic phone functions: phone call, SMS, contact list, etc.
  • Gap: a communication parameter, the target value of the free memory in the reserve-utilization operating mode, in case of low memory. Its value is preferably set to a level where undisturbed recording of the data communication system data is ensured, but high memory usage applications, by way of example camera or video camera, if these do not belong to the data communication system functions, cannot be used for reasons of memory shortage.
  • Checking frequency: a communication parameter, the frequency of free memory checking in the reserve-utilization operating mode.
  • the communication parameters of the reserve allocation operating mode can be freely configured or remotely controlled. In this way it is ensured that all mobile phone types and uses operate with optimum parameters.
  • Fig. 3 shows a flow diagram of the reserve allocation operating mode of the reserve memory allocation algorithm.
  • the algorithm is entered at the point indicated with 'Start' mark.
  • it is inspected whether the existing reserve is less than the maximum allocable reserve. If so, and the available free memory space is lower than the minimum maintainable free memory space, the system goes into standby mode, and data recording may begin at any moment. If the free memory exceeds the minimum maintainable free space, the system creates filling files, by the use of which reserve is allocated as long as the maximum allocable reserve is reached, or the free memory becomes less than the minimum free value, and then the system goes into standby mode as described above. If meanwhile or already at the beginning of the process, the reserve exceeds the maximum allocable reserve, then the system will start to delete filling files until the reserve reaches the level of maximum allocable reserve, when the system goes into a standby mode as well.
  • data recording may commence at any moment, concurrently with the reserve utilization operating mode illustrated in Fig. 4. Then reserve allocation operating mode automatically switches to reserve utilization operating mode. By the completion of data recording, the reserve memory allocation algorithm of the data communication system automatically returns to reserve allocation operating mode.
  • the security system first inspects whether the free memory space is lower than a pre-set gap. If so, the security system deletes a filling file so as to ensure sufficient available memory for data recording, then it inspects whether the data recording is yet in progress. If not, the security system returns to reserve allocation operating mode, if so, it again inspects whether the free memory is lower than the gap.
  • the security system waits until the pre-set period of the checking frequency expires, then checks whether the data recording is still in progress, and proceeds accordingly as described above. If the free memory exceeds the gap, it is inspected whether the reserve is less than the maximum allocable reserve. If so, the reserve memory allocation algorithm creates a filling file and steps to inspect the data recording process; if not, it steps directly to inspect the data recording process. The reserve utilization operating mode, therefore, is in progress during the data recording process, and upon completion of data recording, the system returns to the reserve allocation operating mode.
  • the reserve memory allocation algorithm has three operating modes, which manage the partitioned reserve memory as a function of the actual data recording operation of the client 10:
  • the reserve allocation operating mode presented in Fig. 5 is active, if no data recording is in progress, and the reserve is lower than the target value of the reserve, i.e. the maximum allocable reserve.
  • the reserve memory allocation algorithm of the security system starts in the reserve allocation operating mode.
  • In the reserve allocation operating mode, the reserve is set to the maximum allocable reserve prescribed for this mode of operation, if sufficient space is available. If less free memory is available, as much reserve is allocated as possible, up to the set minimum free memory value, leaving an appropriate amount of free memory. On reaching the target value, the system goes into standby mode. Prior to the start of any possible recording, the client 10 aborts the reserve allocation operating mode and moves to the reserve utilization operating mode.
  • the target value of the reserve is indicated by a thick line as a function of the occupied memory ("X"), in the reserve allocation operating mode.
  • the target value of the reserve depends on how much of the memory is used, namely the size of the storage space used up by the files recorded by the data recording system as well as by other applications of the client 10.
  • the target value of the occupied memory therefore constitutes a trapezoid-shaped function. If the sum of the maximum allocable reserve plus the minimum maintainable free memory space deducted from the total storage space results in a value higher than that of the occupied storage space, then the target value of the memory will be found on the descending side of the trapezoid, and not enough reserve can be allocated corresponding to the maximum allocable reserve.
  • Reserve utilization operating mode: the reserve utilization operating mode depicted in Fig. 6 is active during data recording. On entering the reserve utilization operating mode, the system promptly sets the size of the reserve so that at least the prescribed free space, the so-called gap, is available.
  • Fig. 6 illustrates the reserve volume with a thick line as a function of the occupied memory ("X"), in the reserve utilization operating mode. It is apparent that in this mode of operation, the function of the minimum maintainable free memory parameter is taken over by the gap parameter in order to ensure continuous data recording.
  • the descending side of the trapezoid starts at a lower X-value, as in this case the total memory size is given by the sum of the occupied area plus the gap plus the target value, as opposed to the reserve allocation operating mode, where the total memory size is given by the sum of the occupied space plus the minimum maintainable free space plus the reserve target value.
  • Standby mode: the standby mode illustrated in Fig. 3 is active if no data recording is in progress and the reserve volume has reached the target value. In the case of data recording, the reserve utilization operating mode is entered directly prior to data recording.
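The reserve memory allocation algorithm described for Figs. 3 to 6, as an added simulation that is not the patent's code: the reserve allocation mode fills the reserve with filling files until the maximum allocable reserve is reached or free memory would drop below the minimum maintainable free space, the reserve utilization mode recovers the gap by deleting filling files while recording, and the trapezoid target of Figs. 5 and 6 is computed from the same parameters. Sizes are in bytes and constructed; the filling-file size and the write/record interface are assumptions.

```python
class ReserveAllocator:
    """Simulation of the reserve memory allocation algorithm (added example)."""

    def __init__(self, total, max_reserve, min_free, gap, fill_size):
        self.total = total
        self.max_reserve = max_reserve   # communication parameter: maximum allocable reserve
        self.min_free = min_free         # communication parameter: minimum maintainable free memory
        self.gap = gap                   # communication parameter: free memory target while recording
        self.fill_size = fill_size       # size of one filling file (assumption)
        self.filling = []                # sizes of the filling files on storage
        self.occupied = 0                # recordings plus other applications' files
        self.mode = "allocation"

    @property
    def reserve(self):
        return sum(self.filling)

    @property
    def free(self):
        return self.total - self.occupied - self.reserve

    def target_reserve(self, occupied, floor=None):
        """Trapezoid target of Figs. 5 and 6: the maximum allocable reserve while it
        fits, descending once total - occupied - floor drops below it."""
        floor = self.min_free if floor is None else floor
        return max(0, min(self.max_reserve, self.total - occupied - floor))

    def _create_filling_file(self, floor):
        """Write one filling file without pushing free memory below `floor`."""
        size = min(self.fill_size, self.free - floor, self.max_reserve - self.reserve)
        if size <= 0:
            return False
        self.filling.append(size)
        return True

    def allocation_step(self):
        """One pass of the reserve allocation mode (Fig. 3)."""
        if self.reserve > self.max_reserve:          # parameter lowered remotely
            self.filling.pop()
            return "deleted"
        if self.reserve < self.max_reserve and self.free > self.min_free:
            if self._create_filling_file(self.min_free):
                return "created"
        self.mode = "standby"
        return "standby"

    def run_allocation(self):
        """Run allocation passes until the algorithm goes into standby."""
        self.mode = "allocation"
        while self.allocation_step() != "standby":
            pass
        return self.reserve

    def utilization_step(self, recording):
        """One pass of the reserve utilization mode (Fig. 4): free memory below the
        gap is recovered by deleting a filling file; otherwise the reserve is topped
        up with the gap, not the minimum free space, as the floor."""
        if self.free < self.gap and self.filling:
            self.filling.pop()
            action = "deleted"
        elif (self.free >= self.gap and self.reserve < self.max_reserve
              and self._create_filling_file(self.gap)):
            action = "created"
        else:
            action = "idle"
        if not recording:
            self.mode = "allocation"
        return action

    def other_application_writes(self, nbytes):
        """Another application (e.g. the camera) can only use unreserved free memory."""
        if nbytes > self.free:
            return False
        self.occupied += nbytes
        return True

    def record(self, nbytes):
        """Write a recording chunk: enter utilization mode and recover the gap first."""
        self.mode = "utilization"
        while self.utilization_step(recording=True) == "deleted":
            pass
        if nbytes > self.free:
            raise MemoryError("reserve exhausted: recorded data would be lost")
        self.occupied += nbytes
        return self.free
```

The simulation makes the sizing rule for the gap parameter visible: because the utilization mode tops the reserve up again whenever free memory is above the gap, the gap must be at least as large as the amount of data written between two checks, or recording can fail even though reserve is still available. Filling files in the reserve are what keep the camera out of the space the recorder will need, while the minimum free space keeps calls and SMS working.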
  • Table 1 below lists the general preferred use potentials of the data communication system (columns: Type of application, Usage, User, Advantages).
  • Type of application: Telecommunication cost cutting. Usage: telephone usage analysis reports; redeeming landline phones. Advantages: more transparent communication activity, costs.
  • Table 2 shows the use potentials of the data communication system and its security system for the financial sector (columns: Problem, Solution, Favorably influenced indices and indicators).
  • Problem: Asset financing: significant risk is posed in asset financing (inventory, leasing, real estate mortgage) by unrealistic consideration of the quality. Solution: automatic (with no data processing demand) real-time recording of inventory, real estate, motor vehicle status with authentic time and location determination into central. Favorably influenced indices: possible concealment of assets; degree of (financing) damages arising from decisions based on incorrect asset evaluation; asset monitoring cost.
  • Problem: Liability insurance, energy industry: significant amounts of indemnifications may become necessary for. Solution: continuous, authentic real-time documentation of meeting the required level of service during operation, maintenance, troubleshooting (time, duration. Favorably influenced indices: uncertainties and costs of ascertaining liability (and determining rate of rightful claim for indemnification).
  • Problem: Insurance agents: documenting of sales and marketing activity for preventing non-compliance. Solution: recording of customer acquisition and consultancy transactions through mobile phones into central database. Favorably influenced indices: possibility of unlawful events, or events causing any potential legal disputes or penalties; agent efficiency.
  • Table 3 below shows the additional potential uses of the data communication system and its security system (same columns as Table 2).
  • Problem: Service quality verification: verification of (compliance of) service quality is often a. Solution: customizable user platform; customer may look into database, on user decision. Favorably influenced indices: time of disputes, and legal disputes - occupying time of management,

Abstract

The invention is a method for operating a data communication system, the system comprising a server (11) and a mobile client (10) suitable for data communication with the server (11), comprising the step of authenticating the client (10) at the server (11), wherein communication parameters of the authenticated client (10) are enabled to be controlled by the server (11) by means of control commands. In the course of the authentication, a trusted relationship is established between the server (11) and the client (10), in the course of which the server (11) and the client (10) are identified to each other, and a shared secret is determined for both the server (11) and the client (10), and a public key is stored on the client (10) for encrypting the data communication transferred from the client (10) to the server (11), and the data communication from the authenticated client (10) to the server (11) is controlled from the server (11) through setting the communication parameters. The invention also relates to a data communication system utilizing the inventive method.

Description

METHOD FOR OPERATING A DATA COMMUNICATION SYSTEM, AND DATA
COMMUNICATION SYSTEM
TECHNICAL FIELD
The invention relates to an operating method for a data communication system as well as to a data communication system. The data communication system comprises at least one server, preferably adapted for controlling by means of control commands and for carrying out administrative tasks, and at least one mobile client suitable for data communication with the server. The data communication system preferably further comprises storage space belonging to the client, a communication channel connecting the client and the server, modules managing the control commands that enable control of the communication parameters of the client by the server, among them a module on the client suitable for authenticating the control commands, as well as software means enabling operation of the data communication system.
BACKGROUND ART
The role of mobile communication is increasing dramatically worldwide; half of the global population is in possession of a mobile phone. The convergence of the information technology, telecommunication and media industries means that an ever-growing amount of (corporate, governmental as well as private) information is sent via mobile phones. This is especially true of smartphones, which are mobile phones providing computer-like functionality.
Demand has appeared in more and more fields of life for appropriate control of communication within a given organization. On the one hand, this demand is generated by external factors (by way of example financial supervisory organizations, national security, consumer protection, the risk of legal procedures against inappropriate business conduct), while on the other hand it is generated by internal processes and objectives (e.g. quality assurance, human resources efficacy) as well.
A significant and yet mainly unsatisfied demand presents itself for security applications on mobile apparatuses, due to the fact, for example, that the mobile communication of corporate employees - unlike communication via landline phones - cannot be appropriately recorded. This problem is especially significant in the financial services sector. Furthermore, the problem may reduce the value of already existing landline phone and internet monitoring systems to a significant degree. The monitoring of mobile phone communication may be a highly efficient legal risk management means for detecting and preventing business misuse and misuse of information as well as market manipulation, and may furthermore increase reliability and efficiency by urging appropriate business behavior. Although it is impossible to eliminate all conceivable risk factors, the monitoring of mobile phone communication is an important step in establishing increased security, which enables the company to face both external and internal security threats well prepared.
Furthermore, it is important to note that there are several options for the management of all kinds of information forwarded via mobile phones. Audio recordings made by mobile phones can be linked to speech-to-text converter applications or other speech recognition and analyzing applications, thereby enabling more efficient data transfer. By way of example, by gathering audio material into a database, its content may be converted into written text, which becomes directly utilizable in its converted format.
In light of the above-described demand, there are several known systems suitable for monitoring mobile phone communication, which will be outlined below with special attention given to the extent to which the monitoring-related security issues are addressed by each.
Document US 7,110,753 B2 discloses a system wherein wireless devices are controlled remotely via a wireless connection. In the course of the operation of the system, the wireless device receives control commands, which it processes appropriately. In transmitting the control commands, authentication steps are applied which prevent any intervention via unauthorized control commands.
Document US 2009/0110156 A1 discloses a mobile phone-based system which is established at companies and corporations, wherein all mobile phone use is automatically tracked and stored at a collector station. The system principally processes the so-called detailed report of the mobile telephone data transfer, which may comprise by way of example the duration of a call, the telephone numbers of the two parties of the call, the network used, or in the case of other data traffic (short text message (SMS), multimedia message (MMS), pictures, videos or other files) the type of data traffic, or the quantity of sent or received data. The connection between the collector station and the mobile telephones can be any wireless connection, by way of example WiFi, infrared or Bluetooth™. Documents US 6,301,484 B1, US 2005/0090239 A1, US 7,389,123 B1 and US 7,450,936 B2 disclose control or configuration by means of commands sent to the wireless device via SMS or in any other form.
Documents US 5,839,067, US 6,597,772 B1, US 2005/0044165 A1, US 6,970,698 B2, US 2006/0183469 A1 and US 7,116,996 B2 disclose systems made up of a wireless device and a center, where the center has a controlling, data synchronizing or data storing role.
Documents US 2007/0211876 A1, US 2009/0110156 A1 and WO 2005/009017 A1 disclose systems made up of a telephone and a center wherein the audio material of the calls may be recorded by means of the center. The above-described solutions - except document US 7,110,753 B2, which describes protection against unauthorized control - do not lay emphasis on the security of monitoring systems, the safe installation and initialization of administrative, controlling or monitoring systems, or the safe data transfer within the systems. In light of the known solutions, therefore, the demand arose for developing a data communication method and system in which security extends to all elements and which ensures safe data transfer, especially between the end-points of the data communication system, by way of example between mobile client and server.
DESCRIPTION OF THE INVENTION
It is, therefore, an object of the invention to provide a data communication system operating method as well as to create a data communication system, which operating method and data communication system are free of the disadvantages of the prior art solutions. It is a further object of the invention to ensure efficient control command authentication and programmed management of the available storage. A further object of the invention is to provide a solution wherein data recording, client-side data encryption, transfer of encrypted media files as well as safe server-side decryption thereof are realized with high security and free of the prior art disadvantages.
The objects of the invention are achieved by the operating method according to claim 1 as well as by the data communication system according to claim 21. Preferred embodiments of the invention are defined in the dependent claims.
BRIEF DESCRIPTION OF THE DRAWINGS
Exemplary preferred embodiments of the invention will be described hereunder with reference to drawings, where
Fig. 1 is a scheme showing the sequence and direction of the steps of the initial configuration constituting a part of a method according to the present invention,
Fig. 2 is a scheme depicting the remote control process implementable according to the present invention,
Figs. 3 and 4 are flow charts showing the reserve allocation and reserve utilization operating modes of reserve memory accumulating algorithm,
Fig. 5 is a diagram showing the reserve allocation operating mode, and
Fig. 6 is a diagram showing the reserve utilization operating mode.
MODES OF CARRYING OUT THE INVENTION
It is the object of the data communication system according to the invention to record data and information relating to communication via the mobile phone fleets of companies, other organizations as well as private individuals, namely to store data originating from communication events of client mobile phone devices on the client mobile phones, to collect them and to make them available to the company in a central data storage, while putting the greatest emphasis on safety in data gathering, communication and management. Data storage on the client is temporary: as soon as the data are uploaded to the database of the server, the client deletes them. By way of example, the data stored by the client may be pictures and videos made by means of the mobile phone client, short text messages, data about client location, data about the events of the client, as well as audio recordings, preferably audio recordings of conversations via the mobile client. In favour of security, data of interest from a security point of view are stored in encrypted form by the client. Accordingly, the invention deals with various security aspects of the data communication system. These security aspects are presented below.
In the course of the operating method of the data communication system according to the invention, the client is authenticated at the server, in the course of which a trusted relationship is established between the server and the client. In the course of establishing the trusted relationship the server and the client are mutually identified to each other, and a shared secret is determined for server and client, i.e. preferably information identifying the server is sent from the server to the client and is checked and approved on the client. Then the shared secret, known to and preferably uniquely generated by the server, is stored on the client, and a public key is stored as well for the encryption of client-to-server data communication. Control of the communication parameters of the authenticated client by the server via control commands is enabled, and data communication from the authenticated client to the server is controlled from the server through setting of the communication parameters. The control command is preferably sent from the server to the client in the form of a short text message, or the client can be controlled by the server via an internet connection, preferably via a secure internet connection, as well. The data communication system according to the invention extends to data gathering, communication and management in order to ensure that data gathered by the system do not get lost on the one hand, while on the other hand no unfitting data may get into the system from outside the system.
The data communication system according to the invention further extends to ensure also that no party out of the system may take over the control of the data communication system, i. e. no unauthorized server may take the place of the server - or servers - being part of the data communication system and having controlling and administrative functionalities.
The data communication system according to the invention additionally extends to ensure that the data of the data communication system may not be available to unauthorized parties. The data communication system according to the invention further ensures also that it is able to collect, transfer as well as manage data notwithstanding the circumstances. The security system by way of example ensures that a memory of appropriate quantity is always available for data gathering.
The operating method of the data communication system according to the invention further extends to ensure that the data corresponding to each individual client event are symmetrically encrypted by means of a session key uniquely generated for each event, which session key is uploaded asymmetrically encrypted onto the server and is stored on the client in a safe place.
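The per-event hybrid scheme of this paragraph, which is also what lets the data stay encrypted on both client and server with only the server able to open them, as an added Go example that is not code from the patent or from Ceudata Kft.: the client draws a fresh session key for each event, encrypts the event data symmetrically and wraps the session key with the server's public key, so that only the server's private key can recover it. The description names no algorithms; AES-256-GCM and RSA-OAEP are this example's assumptions, as are all function and field names. The client's own safe copy of the session key, mentioned in the paragraph, is outside the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// oaepLabel ties the wrapped key to its purpose; an assumed constant of this example.
var oaepLabel = []byte("event-session-key")

// EncryptedEvent is what the client keeps for one event and later uploads:
// the symmetrically encrypted event data plus the session key encrypted with
// the server's public key. Field names are assumptions of this example.
type EncryptedEvent struct {
	EventID    string // e.g. a call identifier; bound to the ciphertext as additional data
	WrappedKey []byte // session key, RSA-OAEP encrypted with the server public key
	Nonce      []byte // AES-GCM nonce, fresh for every encryption
	Ciphertext []byte // event data under the session key, GCM tag appended
}

// NewServerKey generates the server's key pair; only the public half is installed on the client.
func NewServerKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// SealEvent runs on the client, which holds only the server's public key. A session key
// is generated uniquely for this event, the data are encrypted with AES-256-GCM under it,
// and the key itself is wrapped for the server.
func SealEvent(serverPub *rsa.PublicKey, eventID string, data []byte) (*EncryptedEvent, error) {
	sessionKey := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, sessionKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// GCM authenticates the ciphertext, which covers the integrity aim of the description;
	// binding the event identifier stops a ciphertext being quietly re-attached to another event.
	ciphertext := gcm.Seal(nil, nonce, data, []byte(eventID))
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, serverPub, sessionKey, oaepLabel)
	if err != nil {
		return nil, err
	}
	return &EncryptedEvent{EventID: eventID, WrappedKey: wrapped, Nonce: nonce, Ciphertext: ciphertext}, nil
}

// UnwrapSessionKey recovers the per-event key; possible only with the server's private key.
func UnwrapSessionKey(serverPriv *rsa.PrivateKey, ev *EncryptedEvent) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, serverPriv, ev.WrappedKey, oaepLabel)
}

// OpenEvent runs on the server: unwrap the session key, then decrypt and verify the data.
// It fails on any modification of nonce, ciphertext, tag or event identifier.
func OpenEvent(serverPriv *rsa.PrivateKey, ev *EncryptedEvent) ([]byte, error) {
	sessionKey, err := UnwrapSessionKey(serverPriv, ev)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	if len(ev.Nonce) != gcm.NonceSize() {
		return nil, errors.New("bad nonce length")
	}
	return gcm.Open(nil, ev.Nonce, ev.Ciphertext, []byte(ev.EventID))
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	serverPriv, err := NewServerKey()
	if err != nil {
		panic(err)
	}
	audio := []byte("constructed stand-in for a recorded call") // sample event data
	ev, err := SealEvent(&serverPriv.PublicKey, "call-0001", audio)
	if err != nil {
		panic(err)
	}
	plain, err := OpenEvent(serverPriv, ev)
	fmt.Printf("server recovered %d bytes, err=%v\n", len(plain), err)
	ev.Ciphertext[0] ^= 0x01 // one flipped bit in storage or transit
	_, err = OpenEvent(serverPriv, ev)
	fmt.Println("tampered event rejected:", err != nil)
}
```

A stolen or lost client therefore yields only ciphertexts and wrapped keys that its public key cannot open, and an upload that was altered in transit is refused by the server rather than stored.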
Along the above governing principles, the security system according to the invention ensures the following security aspects. It enables safe installation and initialization of the data communication system, i.e. the installation method of the data communication system ensures that the data communication system is installed onto the telephone without any error, that all security settings are appropriate, and that the system is ready for operation. It protects against improper or unauthorized installation in such a way that the data communication system is installable on a given client only if approved by both the data communication system operator and the client user. It also gives protection against undetected removal of the data communication system from the client as well as against undetected pull-out of the client from the system, by way of example by replacing the SIM card.
The data communication system further protects against unauthorized control. The data communication system is remotely controllable by means of short text messages (SMS) or via internet protocol (HTTP) based commands, but the data communication system accepts only intact commands that arrive from pre-adjusted senders.
The data communication system ensures safe data storage on the server and the client and safe client-to-server data upload, and further guarantees full life-cycle data security, i.e. during recording or temporary storage of data in the internal memory or the memory card of the phone, during upload onto the server, during storage and management on the server as well as during data access on the user interface.
The data communication system further ensures data access to appropriately authorized users only. Data protection extends to clients in unauthorized possession (i.e. stolen or lost) as well as to databases stored on a server, in such a way that the data generated by the data communication system (e.g. audio recordings of client phone calls) are stored both on the client and on the server in encrypted form, while the data of which the data communication system only made copies (e.g. SMSs) are not encrypted. Encrypted data cannot be decrypted even with full knowledge of the system. Data protection yet further extends to data integrity, namely to ensuring that recorded data cannot be modified.
The above-described security requirements are realized by the following software modules of the data communication system, which will be detailed later: the module responsible for establishing the initial client-server connection, the module responsible for remote control, the module responsible for data recording on the client, the module managing the storage part maintained for the data communication system, the encryption module responsible for encrypting data stored on the client, the module responsible for upload, the module responsible for server-side data storage and access, as well as the decryption module on the server for the decryption of data transferred from the client. Certain security elements of the data communication system are optional and can be turned on or off depending on user preference.
The client in the data communication system according to the invention is typically a mobile phone and the task of the data communication system is generally the monitoring of mobile phones, therein especially the recording of conversations made by means of the mobile phone clients and uploading them onto a server. The parties of the conversation are advisably notified of the monitoring of the given client, and of the conversation being recorded by means of a perceptible audio signal and/or by a notification message. Use of the data communication system can be suspended by the client user or the data communication system operators, therefore it is possible that from certain conversations or in certain time periods no record is made.
In case of a given mobile phone event (e.g. phone conversation, text message, audio recording, photo) the data communication system records the data related to the event into the file system of the telephone, which extends to the internal memory or the memory card of the client. The recorded data contain a location as well as a time stamp.
When a data network becomes available to the mobile client, the data communication system transfers the data to the server of the data communication system. While being stored and transferred, the data are encrypted. The transmitted data are stored in a database on the server, which is accessible to the operator of the data communication system via a browser-based user interface from any computer on the intranet or internet. The user interface enables access to data stored in the database of the server, structural analysis of the data, as well as data processing. The user interface furthermore enables remote control of the applications running on the clients. Remote control happens through secure channels, in this way eliminating any possible intervention by unauthorized persons, any takeover of the control of the data communication system, and unauthorized access to the data of the data communication system.
Data stored in the server database can be accessed or retrieved according to various aspects. The data communication system according to the invention can be integrated with other telecommunication monitoring, internal security solutions, which are possibly in use already.
With regard to the operation and use of the data communication system, the various users can be provided with various user authentications, the users can be organized into groups in the database, preferably along the actual corporate group structure. The data of the group can be managed, retrieved and analyzed jointly. The users can be organized into levels of hierarchy and among the groups overlapping can be realized, namely one user may belong to more groups, and the interrelationship of the groups can be managed on the level of the users. In this way the data communication system provides an effective mapping of the hierarchical, vertical and horizontal structure of any corporate organization. Accordingly, the data communication system provides monitoring of the data of the data communication system best fitting the company needs.
There are several functions offered by the data communication system, which will be listed herebelow, some of which will be later described in detail. Exemplary advantageous functions of the data communication system in connection with data gathering are as follows:
- recording of incoming, outgoing and conference calls, notification of participants of the call about the recording,
- recording of incoming and outgoing SMSs,
- recording of discussions and audio memos by using the mobile phone as a dictaphone,
- recording of pictures taken by the camera of the mobile phone,
- management of forms,
- recording of contact list shots,
- recording of event calendar shots,
- recording of event location based on mobile network cell information,
- recording of SIM-card replacement detection,
- recording of roaming network (foreign mobile network compatible with the mobile device) detection, and recording any connection thereto.
Exemplary advantageous functions of the data communication system connected to data arrangement, data and user management are as follows:
- structural displaying of information connected to mobile phone actions and events,
- joint management of matters,
- grouping of users, and user access management, data and function access authorization management,
- management of the common contact list of the company and synchronization of contact lists, management of exemptions (white and black lists), by way of example blocking access to a specific contact in the contact list or favoring and granting preference to preferred contacts,
- management of private data, appropriate separation thereof from company data,
- location detection based on network cell information and client tracking by using the cell information,
- reporting function, i.e. making reports, by way of example on the traffic of the client,
- search function in the database made up of data uploaded onto the server,
- event logging, i.e. logging of each event of the client and storing of data connected to such events,
- data archiving.
Exemplary advantageous functions of the data communication system connected to control, data communication and encryption:
- remote activation and control of client applications,
- authentication of remote control,
- providing automatic prompt, delayed or intended data transmission,
- separate transmission procedures for secure wireless internet network (WiFi), open WiFi, home and roaming network connections, i.e. providing an adaptive access point selection algorithm,
- providing intelligent secure storage, onto pre-allocated disc space,
- providing audio file encryption,
- providing time synchronization with the server,
- providing automatic start-up of the application of the data communication system running on the client, upon mobile phone power-on,
- sending alerts in connection with anomalous operation of the data communication system running on the client,
- detection of removal of any client software,
- self-checking and self-restart of the application of the data communication system running on the client,
- ensuring time-to-time login of the client to the server to check whether new control commands have been issued,
- version tracking and remote update of the applications of the data communication system running on the client,
- ensuring optional security modes and levels.
The function of management of forms can be used in the following way: application forms comprising questions and fields (with a filling mode of free text, constrained text or choosing from a list) to be filled in as answers can be created on the server. Having sent the forms to the client, the user of the client can fill them in, then after filling the forms are returned to the server. The status of the forms can be tracked on the server, i.e. whether they have been opened, filled in, closed, returned, etc. The data in the forms returned to the server can be utilized in various systematization. By way of example a field of use of the forms can be as follows: in the case of insurance damage settling, the form contains questions arising in the course of damage assessment, and it has to be filled in by the damage inspector in the case of every event.
The function of joint management of matters can be used as follows. By means of a so-called workflow module of the data communication system, matters can be created, which are basically files grouping all events connected to one specific matter. The matters are created on the server, from where they are downloaded onto an appropriate client; by opening a matter on the client, the user on the one hand gets the basic data of the matter, while on the other hand the user may directly record events, by way of example call records, audio memos, photos, forms or notes, to the particular matter. After closing a particular matter, all data recorded to that matter are uploaded to the server, where they are managed jointly, i.e. they can be viewed on the server by selecting the particular matter. One possible field of use for joint management of matters is by way of example insurance damage settlement, where all photos, conversations, agreements and any other data may be viewed jointly, assigned to a particular damage event.
The data communication system has the following main components:
Client: The application of the data communication system running on the client operates on the monitored mobile device, which is preferably a mobile phone. The client records and forwards to the server all data generated in the course of the communication using the mobile phone, such as phone calls, SMSs, mobile network cell information, contact lists, audio recordings and photos made by the phone, etc.
Server: The server application of the data communication system operates on a central server or on proportioned servers. The user interface of the server is accessible by means of a web browser through intranet or internet. The server functions as the end point of the monitoring, which receives, processes and stores the data received from the corresponding mobile clients, and provides it in a structured format to the authorized user enabling the access, viewing, searching and filtering of them.
Another task of the server is to control the monitoring application running on the mobile clients, which includes the configuration thereof, the start-up or stopping of services on demand, furthermore the software update of applications running on the client.
The data gathered onto the server by the data communication system can be accessed according to various levels of authorization: basic users can view data collected from their own phones upon signing onto the server. Operators have access to data collected from the phones of their own employees and may retrieve various management purpose reports. Administrators are responsible for operating the data communication system, and have access to administrative functions, and have no access to any other such as business information. Those holding supervisor authorization have access to data uploaded by the clients and control the activity of the administrators.
Server-client connection: The monitored devices (clients) and the monitoring end point (server) are connected to each other through two channels: through a mobile network channel and an internet-based data connection channel, which separately or jointly are hereinafter referred to as communication channel.
The server sends control commands to client through the mobile network channel in SMS. Although more costly as compared to internet-based data connection, SMSs are reliable, and offer the only reliable method for server to reach client. The client is also able to send SMSs to the server, the client typically sends alerts to server in such SMSs when it is unable to connect thereto via internet-based data connection.
In the normal case, the client forwards the gathered and recorded information to the server and downloads the configuration settings comprising changed communication parameters arriving from the server through an internet-based data connection. The communication parameters may, by way of example, be the (types of) data expected by the server from the client, the period of validity of the time stamp, the maximum size of the allocable reserve of storage available for data recording, the minimum size of free memory to be maintained, the size of the memory gap (see below) or the checking frequency of the free storage size. When required - e.g. when the data connection channel is unavailable or is not promptly available - it is possible to control the clients more directly by means of SMS messages.
The exemplary initial configuration making up a part of the method according to the present invention has the steps illustrated in Fig. 1. The direction of the steps between administrator 12, mobile client 10 and server 11 is indicated in the figure by arrows. The initial configuration has to be executed for the proper operation of the application running on the client 10. The initial configuration is in all cases implemented by the administrator 12, both on the server 11 and on the client 10. It is a prerequisite thereto that administrator 12 has access to the initial configuration interface of the server 11, to the service and to the client 10 to be configured, all at once.
In the course of the initial configuration, administrator 12 registers client 10 and its user on the server 11. During the registration the client 10 receives an identifier which will be used later. Then administrator 12 installs the application running on the client 10 onto the client 10. There are various exemplary options for the installation: installation is feasible by means of a data cable or via sending an internet reference link to client 10 in an SMS-based control command, as depicted in Figure 1. In this latter case, the client 10 authenticates the control command, then requests permission from administrator 12 for opening the link received from the server 11. Administrator 12 grants the permission, whereupon the client 10 downloads the installation files of the application running on the client through a secure connection.
After successful installation of the application running on the client 10 onto the client 10, it starts in a so-called standby or unregistered mode. In this operating mode of the client 10, most functions of the application running on the client 10 are not yet in operation; the only option when running the application is the launching of its initial configuration procedure from the server. Even in this operating mode, the application running on the client 10 is able to receive SMS-based control commands arriving from server 11; however, as no initial trusted relationship has yet been established between client 10 and server 11, the application running on the client 10 solely accepts the initial configuration SMS-based control command, and the authorization of the administrator 12 is required for the processing thereof.
Launching of the initial configuration procedure of the application running on the client 10 can be initiated by the administrator 12 from the server 11 by sending a special SMS-based control command, which comprises:
1. A character sequence identifying the SMS-based control command: Any arbitrary number of characters which differentiates the SMS-based control command from any regular SMS, by which we refer to all SMSs that are not control command SMSs. These are preferably character sequences that are very rare in regular SMSs. This character sequence is known by client 10, based on which it will interpret the incoming SMS as an SMS-based control command.
2. Time stamp: At the moment of issuing the control command, the server 11 creates a time stamp which is sent in the SMS carrying the control command. The time stamp is by way of example the number of seconds elapsed since 1 January 1970 00:00:00, a representation widely used in informatics. While processing the SMS-based control command, the client 10 compares this time stamp with the actual time. If the time stamp included in the SMS carrying the SMS-based control command is older than the period of validity determined in a communication parameter in the client 10, which is practically a few minutes, it will then neglect the control command. In this way, duplicated SMS-based control commands as well as those caught from outside of the data communication system and replayed at a later time can be filtered out.
3. Control command separating character: Any arbitrarily selected character, which is never included in the command text, such as semi-colon ';'.
4. Initial configuration control command and URL (Uniform Resource Locator- internet reference link): A predefined control command coding the initial configuration procedure of the application running on the client 10, as well as a URL used in the course of the initial configuration procedure, which specifies the availability of the initial configuration data located on the server 11. For the first time the client 10 connects onto this link in order to download the configuration parameters customized according to the exact configuration of the client 10.
At this point the trusted relationship is established, after which both the server 11 and the client 10 can be sure that they are communicating with the appropriate remote partner. The initial trusted relationship is established in two steps: first the server 11 identifies itself to the client 10, and after the server 11 has successfully identified itself, the client 10 also identifies itself to the server 11. This procedure is described in detail below.
After the SMS containing the initial configuration control command has arrived at the client 10, it is detected by the application running on the client 10, which begins to process it because it starts with the already known character sequence identifying SMS-based control commands. If the identifying character sequence is inappropriate, the client 10 rejects the control command. First, the time stamp is checked in the manner described above. If the time stamp is inappropriate, the client 10 ignores the SMS-based control command; if the time stamp is appropriate, processing continues and the initial configuration control command and the URL are interpreted. In unregistered operating mode the application running on the client 10 accepts solely the initial configuration command out of the commands arriving from the server 11. As an effect of this control command a security question appears on the display of the client 10 mobile phone, together with the phone number from which the SMS-based control command arrived, the configuration URL (or its most essential parts, such as the name of the server) and optionally any other such information, by means of which the administrator 12 can verify that the SMS-based control command that arrived at the client 10 is exactly the one he or she sent from the server 11. If the displayed data are correct, the administrator 12 proceeds with the initial configuration procedure of the application running on the client 10; otherwise the procedure is discontinued and the application running on the client 10 returns to the unregistered state.
If the initial configuration can be continued following approval by the administrator 12, the application running on the client 10 presumes that the server 11 with which it will communicate is indeed the server 11 of the data communication system and not an unauthorized server outside the data communication system.
The next step is the identification of the client 10 to the server 11. The administrator 12 marks on the server 11 that the SMS-based control command has successfully arrived at the client 10, which is indicated by the appearance of the aforementioned security question on the display of the client 10 mobile phone. The server 11 then generates a unique random character sequence, which is visible to the administrator 12 on the user interface of the server 11. At the same time, once the administrator 12 has accepted the security question, which functions as a security confirmation dialog, on the client 10, the application running on the client 10 displays another dialog window, to be filled in by the administrator 12 with the unique random character sequence generated by the server 11. This unique random character sequence is known exclusively to the administrator 12. After the administrator 12 has entered the unique random character sequence, the client 10 connects via a secure HTTPS (HyperText Transfer Protocol Secure) connection to the URL sent in the SMS-based control command, with the entered unique random character sequence appended to it. On the incoming connection, the server 11 checks whether the received unique random character sequence is identical to the one generated on the server 11. If it is, the server 11 presumes that the client 10 it is communicating with is really the appropriate client 10. Following these steps, the server 11 generates the configuration to be applied by the given client 10, part of which is the shared secret, later used by the client 10 for authenticating the SMS-based control commands, and which functions as the symmetric key for signing the control commands. In reply, the server 11 sends the configuration applicable on the client 10 to the client 10.
In this way a configuration applicable by the client 10, preferably customizing the application running on the client 10, is downloaded from the server 11 to the client 10. The shared secret included in the configuration is unique for each individual client 10 and is securely stored by the server 11. The shared secret is a random character sequence used as a key in cryptographic processes.
After the client 10 has downloaded the configuration, it stores it in the storage space made available for the data of the data communication system, which cannot be accessed by any other application running on the client 10 mobile phone. This service is provided by most mobile phone platforms. The configuration thus stored comprises all settings necessary for the application running on the client 10 to operate without any human intervention and to receive and process SMS-based control commands sent from the server 11.
In the next step the client 10 downloads from the server 11 the public keys of the asymmetric encryption key pairs. These can be downloaded from the security service on the server 11, which sends the public keys according to the configuration applicable on the given client 10. After successfully downloading the public keys, the client 10 stores them in the storage allocated for the data of the data communication system.
Lastly, after completion of the authentication, the client 10 launches all application components necessary for normal operation and, for the purpose of a security test, uploads a status file onto the server 11, namely a status report of completed authentication is sent from the client 10 to the server 11. This file is uploaded in accordance with the configuration settings received from the server 11. After the status file has been uploaded successfully, the application running on the client 10 starts normal operation. The administrator 12 registers on the server 11 that the initial configuration is completed on the concerned client 10 and that the application running on the client 10 is operable. From a security point of view, therefore, the following configuration parameters are required for the operation of the application running on the client 10:
- URLs of the remote services located on the server 11, by way of example the URL of the data upload service, where the client 10 can upload all data gathered by it, the URL of the security module service, from where the client 10 can download security data such as the public keys, and the URL of the HTTP remote management service used for control tasks,
- phone number of the SMS message sending module of the server 11, i.e. its MSISDN (Mobile Station International Subscriber Directory Number, the unique subscriber identifier on the mobile network, i.e. the mobile phone number),
- validity period of the time stamp of SMS-based control commands,
- public keys of the asymmetric key pairs used for data encryption.
A key element of the data communication system is the remote control of the applications running on the clients 10 from the server 11, including the remote configuration of the communication parameters of the system; the data communication system provides for the secure operation thereof. The initial configuration described above is a prerequisite for the secure operation of the remote control: in its course the server 11 and the client 10 mutually identify each other, the client 10 receives from the server 11 the configuration required for its operation, and the client 10 is registered on the server 11 as an operable and controllable device.
Two widely applied solutions offer themselves for controlling the client 10 mobile phones from the server 11: control based on an internet communication protocol, e.g. HTTP (HyperText Transfer Protocol), and control by means of specially formulated SMS-based control commands. From a security aspect the first solution poses few open tasks: control is simply maintained through a secure internet connection using the HTTPS protocol, which is nowadays supported by most mobile phones. With HTTPS the server 11 is required to identify itself to the client 10, and if this fails, the connection used for control is not established. For the identification of the client 10 to the server 11 the shared secret agreed on by the client 10 and the server 11 in the course of the initial configuration can easily be used. For the sake of security the client 10 does not send the shared secret itself but a cryptographic hash of it, generated by way of example with SHA-1 (Secure Hash Algorithm, a cryptographic hash algorithm). The server 11 is able to check this, as the shared secret is also available on the server 11: the server 11 compares the hash calculated from it with the hash sent by the client 10. A significant disadvantage of HTTP-based remote control is that the server 11 is unable to reach the client 10 via this protocol; only the client 10 can initiate a connection with the server 11. In other words, so-called push-based management cannot be achieved. The obvious workaround is for the client 10 to log in to the server 11 at given time intervals so that the server 11 can send control commands when necessary. A further disadvantage of this solution is that the availability of the internet-based packet-switched service underlying the HTTP protocol is not guaranteed under all circumstances.
For the above reasons, HTTP-based control cannot in itself guarantee that the server 11 can control the client 10 with high security.
Therefore the data communication system combines this option with control via SMS-based control commands. An advantage of this solution is that the operators of most mobile networks guarantee the SMS service, so its availability is significantly higher than that of internet access.
In the case of SMS-based control, however, the network operator provides no security mechanism for checking that an SMS is genuine and intact. Any person skilled in the art is able to generate an SMS-based control command that syntactically satisfies the format expected by the application running on the client 10, to spoof the sender of the SMS carrying the control command, and thereby to make the client 10 believe that the SMS-based control command was sent by the server 11. Moreover, any person skilled in the art is able to intercept SMS-based control commands arriving from the server 11 and, by changing their contents, instruct the application running on the client 10 to behave undesirably. Clearly this poses an extraordinarily high risk for the data communication system; by way of example, a person from outside the data communication system could, by means of a forged SMS-based control command, induce the client 10 to upload the data it recorded to a server outside the data communication system instead of the server 11 belonging to it. SMS-based control has additional limitations as well. On the one hand, the size of one SMS, depending on its encoding, ranges from 120 to 160 alphanumeric characters, and since outgoing SMSs are invoiced per message, sending a high volume of SMSs may incur significant costs; it is therefore a basic requirement that one control command fits into one SMS. A further significant limitation is that most mobile services allow only alphanumeric characters in SMSs, so arbitrary binary data cannot be sent.
The listed requirements which are of extraordinary importance from security aspects of the data communication system are satisfied by the data communication system as described herebelow.
Similarly to the special SMS required by the initial configuration, a time stamp as described above is attached by the server 11 to each SMS-based control command. Upon arrival of the SMS, the client 10 compares this time stamp with the current time. If the difference between the time stamp and the current time falls outside the validity period stored in the configuration settings of the client 10, the SMS-based control command is ignored by the client 10. This eliminates re-sent, old or expired control commands. For further increased security, the client 10 may store the time stamps of all successfully received control commands for as long as they fall within the validity period, so that using this stored list each time stamp is accepted once only. If a command has previously been received with the same time stamp, the client 10 rejects the control command. This eliminates SMS-based control commands intercepted and re-injected by a party outside the data communication system. Furthermore, for each control command the client 10 checks whether the MSISDN of the SMS sender agrees with the number included in its configuration.
The server 11 authenticates each individual SMS carrying a control command by attaching a MAC (Message Authentication Code, a short value generated from a message that authenticates the message) to the SMS, which is then checked by the client 10. The authentication code may be generated by means of the HMAC process known in cryptography (Hash-based Message Authentication Code, a MAC computed with a cryptographic hash algorithm and a secret key). An advantage of this solution is that it solves two security issues at the same time. On the one hand it identifies the server 11 to the client 10, as the key used in the HMAC process is the shared secret of the client 10 and the server 11 agreed on in the course of the initial configuration. On the other hand it guarantees that the SMS is intact, namely the client 10 can be sure that the received SMS agrees exactly with the one sent by the server 11. A further advantage is that the generated HMAC is relatively short, thus meeting the requirement that one control command fits into one SMS. Nevertheless, an HMAC does not consist of alphanumeric characters only, so it has to be converted into an alphanumeric format to be reliably usable in an SMS. By way of example, the SHA-1 cryptographic hash function can be used by the data communication system for HMAC generation.
The secure SMS-based control commands are generated by the server 11 in the following steps; the resulting messages contain the identification character sequence, the time stamp and the control command in authenticated form (the command itself is not encrypted, only protected by the HMAC):
1. Generates the code of the control command to be sent, e.g. 'cmd1'.
2. Generates the time stamp of the SMS-based control command, i.e. the number of seconds elapsed since 0 hours 0 minutes 0 seconds, 1 January 1970, in alphanumeric form, for example 't1229904000', where the character 't' is the identifier of the time stamp and '1229904000' is the number of seconds.
3. Joins the time stamp and the control command code into a syntactically correct control command; with the above example 't1229904000;cmd1;' is created, where the semicolon ';' is the control command separator character.
4. Calculates the HMAC of the control command character sequence so generated by using the SHA-1 cryptographic hash algorithm, the key used for the HMAC being the shared secret of the client 10 and the server 11 agreed on in the course of the initial configuration. The authentication code thus generated is binary data of 20 bytes, each byte taking any value between 0x00 and 0xFF, where the '0x' prefix indicates hexadecimal notation and the range representable by one byte is 00 to FF hexadecimal.
5. Converts the authentication code obtained in the previous step into alphanumeric format so that it can be delivered in an SMS. For this purpose the server 11 simply uses the hexadecimal representation of the bytes. As every byte can be represented by 2 hexadecimal characters, the 20-byte authentication code is represented by 40 alphanumeric characters, by way of example '2F81A5A2424E56AEA8B69F6CD8AA506CBFFC2A79'.
6. Finally, the server 11 assembles the SMS-based control command from the character sequences generated in points 3 and 5, which in the above example is "<*cmd*>2F81A5A2424E56AEA8B69F6CD8AA506CBFFC2A79t1229904000;cmd1;". Here the prefix "<*cmd*>" indicates to the client 10 that the received SMS contains a control command.
The SMS-based control command generated as described above consists solely of alphanumeric characters and carries a time stamp, which enables the client 10 side inspection to filter out duplicated or expired commands. The application running on the client 10 can be certain that the message has arrived from the server 11 of the data communication system and that its contents have not been changed.
On receipt of the SMS carrying the control command, the client 10 executes the following steps in inspecting the SMS-based control command:
1. Removes the control command prefix from the beginning of the SMS, i.e. the '<*cmd*>' character sequence in the above example.
2. Checks whether the MSISDN of the sender of the SMS is identical to the MSISDN stored in the configuration settings of the client 10; if the two numbers differ, processing of the SMS is aborted.
3. Identifies and stores the character sequence corresponding to the HMAC, which is in all cases the first 40 characters, i.e. '2F81A5A2424E56AEA8B69F6CD8AA506CBFFC2A79' in the above example.
4. Identifies and stores the character sequence authenticated by the server 11, namely the time stamp and the text of the command, i.e. 't1229904000;cmd1;' in the above example.
5. From the character sequence obtained in point 4, identifies and stores the time stamp attached to the control command by the server 11, i.e. 't1229904000' in the above example.
6. Identifies and stores the command from the character sequence obtained in point 4, i.e. 'cmd1' in the above example.
7. Checks the time stamp of the SMS-based control command: calculates the difference between the current time and the time stamp stored according to point 5 and checks whether it falls within the validity period defined in the configuration; moreover it checks whether any command has already been received from the server 11 with the time stamp stored according to point 5. If the validity period of the time stamp has expired, or an SMS-based control command has already been received from the server 11 with the same time stamp, processing of the SMS is aborted.
8. Using the shared secret agreed on in the course of the initial configuration, calculates the HMAC of the character sequence stored according to point 4. The calculated HMAC is then compared with the HMAC sent by the server 11 and stored according to point 3. If the two codes are not identical, processing of the SMS is aborted.
9. Forwards the control command identified and stored according to point 6 to the control command processing component of the application running on the client 10.
The block diagram of the remote control is depicted in Fig. 2. The mobile phone communicates with the server 11 by means of SMSs through the mobile network. In the application running on the server 11, a so-called Core module operates the remote control. This module is connected to a database 13, in which the data of the mobile phone clients 10 are located, by way of example user, phone number, etc., and in which by way of example the current state of the initial configuration is also stored in the course of the initial configuration described above. Sending of the SMS-based control commands required for remote control is initiated by the Core module by using the SMS Daemon module. This module moves the SMS-based control commands to be sent into the SMS Outbox folder in a file format appropriate for the SMS Modem. The SMS Modem watches this folder, and once a file in the appropriate format is created in the SMS Outbox folder, it is processed and sent to the specified mobile phone through the mobile network. If necessary, the system illustrated in Fig. 2 is also suitable for receiving and processing SMSs arriving from a mobile phone, by way of example when the mobile phone sends an alert to the server 11 in an SMS. Incoming SMSs are received by the SMS Modem and stored in its own memory. At regular intervals the SMS Daemon reads the SMSs stored in the memory of the SMS Modem and saves them in the appropriate file format into the SMS Inbox folder. The SMS Processing component reads the files from this folder, stores them in the database 13 and sends a report of SMS receipt to the server 11; following successful storage, the file is deleted from the folder.
From the aspect of recording, the data managed by the data communication system may be of two types:
- Data generated by the data communication system: data which would not be recorded or stored in the memory of the client 10 without the use of the data communication system. By way of example, audio recordings of phone calls belong to this category.
- Data copied by the data communication system: data which would be stored in the memory of the client 10 even without the use of the data communication system. By way of example SMSs, photos, etc. belong to this category.
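The following Python block is an added worked example, not code from the patent or from Ceudata Kft., of the six generation steps and the nine inspection steps of the SMS-based control command described above, together with the hashed shared secret used for client identification over HTTPS. The shared secret, the server MSISDN and the validity period are constructed values; the 't' plus Unix time format, the ';' separator, the "<*cmd*>" prefix and the 40-character upper-case hexadecimal HMAC-SHA1 follow the example in the text.

```python
"""Secure SMS-based control commands: generation (server 11) and the nine-step
inspection (client 10).  Added example, not the patent's code; the shared
secret, MSISDN and validity period below are constructed values."""
import hashlib
import hmac

PREFIX = "<*cmd*>"   # identifies the SMS as a control command (step 6)
SEP = ";"            # control command separator character (step 3)
TAG_LEN = 40         # 20-byte HMAC-SHA1 as hexadecimal characters (step 5)
SMS_MAX = 160        # one control command must fit into one SMS


def _tag(shared_secret: bytes, body: str) -> str:
    """Steps 4-5: HMAC-SHA1 over 'time stamp;command;', upper-case hex."""
    return hmac.new(shared_secret, body.encode("ascii"), hashlib.sha1).hexdigest().upper()


def build_control_sms(shared_secret: bytes, command: str, now: int) -> str:
    """Server 11 side, generation steps 1-6."""
    if SEP in command:
        raise ValueError("separator must never occur in the command text")
    body = f"t{now}{SEP}{command}{SEP}"              # step 3: 't1229904000;cmd1;'
    sms = PREFIX + _tag(shared_secret, body) + body  # step 6
    if len(sms) > SMS_MAX:
        raise ValueError("control command does not fit into one SMS")
    return sms


class ControlReceiver:
    """Client 10 side, inspection steps 1-9, with the stored time stamp list."""

    def __init__(self, shared_secret: bytes, server_msisdn: str, validity: int):
        self._secret = shared_secret
        self._server_msisdn = server_msisdn   # MSISDN from the configuration
        self._validity = validity             # validity period in seconds
        self._seen = set()                    # time stamps already accepted

    def inspect(self, sender_msisdn: str, sms: str, now: int):
        """Return (command, 'ok') or (None, reason why processing was aborted)."""
        if not sms.startswith(PREFIX):                           # step 1
            return None, "not a control command"
        rest = sms[len(PREFIX):]
        if sender_msisdn != self._server_msisdn:                 # step 2
            return None, "sender MSISDN mismatch"
        tag, body = rest[:TAG_LEN], rest[TAG_LEN:]               # steps 3-4
        parts = body.split(SEP)                                  # steps 5-6
        if (len(parts) != 3 or parts[2] != "" or not parts[0].startswith("t")
                or not parts[0][1:].isdigit()):
            return None, "malformed command body"
        stamp, command = int(parts[0][1:]), parts[1]
        if abs(now - stamp) > self._validity:                    # step 7
            return None, "time stamp expired"
        self._seen = {t for t in self._seen if abs(now - t) <= self._validity}
        if stamp in self._seen:
            return None, "replayed time stamp"
        expected = _tag(self._secret, body).encode()             # step 8
        if not hmac.compare_digest(expected, tag.upper().encode("ascii", "replace")):
            return None, "HMAC mismatch"
        # Only an authenticated command occupies its time stamp, so a forgery
        # cannot block the genuine command carrying the same stamp.
        self._seen.add(stamp)
        return command, "ok"                                     # step 9


def client_http_token(shared_secret: bytes) -> str:
    """Client identification over HTTPS: the SHA-1 of the shared secret, never the secret."""
    return hashlib.sha1(shared_secret).hexdigest()


def server_accepts_token(shared_secret: bytes, token: str) -> bool:
    return hmac.compare_digest(client_http_token(shared_secret), token)


if __name__ == "__main__":
    secret = b"constructed-shared-secret-for-client-10"   # constructed value
    sms = build_control_sms(secret, "cmd1", 1229904000)
    rx = ControlReceiver(secret, "+36201234567", 300)
    print(sms)
    print(rx.inspect("+36201234567", sms, 1229904060))   # ('cmd1', 'ok')
    print(rx.inspect("+36201234567", sms, 1229904061))   # replayed time stamp
```

Two points worth noting in the design. The receiver records a time stamp in its list only after the HMAC has verified, even though the text checks the stamp (step 7) before the HMAC (step 8); marking it earlier would let an unauthenticated forgery reserve a stamp and block the genuine command. The HTTPS token is a static value derived from the shared secret, so it is a bearer credential: it keeps the secret itself off the wire, but anyone who obtains the token can present it, which is why it is only sent inside the HTTPS connection.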
From the security standpoint, the handling of data that are recorded in the course of using the data communication system, such as the aforementioned audio recordings, is of essential importance, as the presence of these data means an increased risk for the mobile phone user compared with the state in which the data communication system is not used: by way of example, if the mobile phone is lost, these data would also be accessible. Therefore the data communication system comprises cryptographic processes for the data generated in this way.
The application of the data communication system running on the client 10 saves the recorded data into the internal memory of the mobile phone. If necessary, by way of example when the available internal memory is insufficient, the application running on the client 10 can also save the data to an external memory of the mobile phone. The storage belonging to the client 10 is therefore preferably the internal memory of the client 10 or, if necessary, its external memory. The data are placed in a part of the storage reserved for the data communication system, which cannot be accessed by any other application running on the client 10 or by the user of the client 10. Unauthorized possession of the mobile phone and unauthorized access to the stored files cannot be fully excluded, given above-average technical means, professional knowledge and an arbitrary amount of time. For this and the reasons detailed above, the data are stored in encrypted form.
The cryptographic process used by the data communication system satisfies the following requirements:
- Data security: the cryptographic key is the only secret in the system. The stored data cannot be decrypted without knowledge of the key, even with knowledge of every other piece of information and full knowledge of the system.
- Data integrity: protection against unauthorized modification of the stored data.
- No data loss: notwithstanding encryption, the data are recorded continuously and promptly. If data recording aborts unexpectedly, by way of example because the energy source of the client 10 drains, the already recorded portion of the recording in progress is not lost, and the recorded files can be uploaded after troubleshooting.
- Error tolerance: no unexpected error, by way of example the draining of the energy source of the client 10, causes data to be stored unencrypted.
- Use of algorithms not exceeding the computing capacity of the mobile phone: the use of encryption neither interferes with the normal operation of the mobile phone nor decreases its standby time.
- Consideration of the particularities of mobile communication: encryption does not generate disproportionate excess traffic.
The cryptographic processes used in the data communication system are described below.
One of the most significant fields of application of the data communication system is making audio recordings of the calls of the mobile phone client 10. Audio recordings are encrypted by means of so-called on-the-fly encryption: the incoming audio stream is put into a temporary RAM location, where it is encrypted, and the encrypted data is then stored in the internal or the external memory of the mobile phone client 10. The size of the temporary memory location depends on implementation optimization and typically holds a few tenths of a second of audio data or less.
Due to the limited computing capacity of the mobile phone client 10, the security system of the data communication system uses a hybrid encryption process for data encryption, combining symmetric and asymmetric encryption:
- For each file to be encrypted, which preferably comprises the data of an individual communication event of the client 10, a unique key, the so-called session key, is generated. In this way a separate session key is generated for each event of the client 10. The session key is not stored; it exists only in the RAM (Random Access Memory, volatile memory) of the client 10 during the period of encryption.
- The session key is encrypted asymmetrically by means of the public keys, and solely the encrypted session key is stored on the client 10. As the session key is stored in this encrypted form, it can only be decrypted in possession of the private key belonging to the public key. The session keys are uploaded onto the server 11 in this encrypted form.
- The file comprising the data of the individual event is encrypted by means of the session key and is uploaded to the server 11 in encrypted form.
The public asymmetric keys used for session key encryption are downloaded by the client 10 of the data communication system from the server 11 in the course of the initial configuration. The session key used for file encryption is preferably not a random number but the SHA-1 hash value of the first 512 bytes of the file to be encrypted. If the size of the file to be encrypted is less than 512 bytes, the hash is calculated from the entire file; as 512 bytes correspond to less than one second of an audio recording, this happens very rarely. As the session key is generated in a known manner, by means of a public process and without the use of random numbers, the risk of an attack exploiting a random number generator flaw is eliminated. A hidden 'master key' function in the session key generation is also excluded. Here 'master key' function means that, by feeding in some supplemental information during encryption, the developers or an unauthorized user could decrypt the audio recording. This is impossible with the applied encryption, since, after the session key has been decrypted with the private key, it can be checked whether the hash of the beginning of the audio recording has really been used as the session key. By applying the above solutions, it is ensured that if any confidential information should leak, the responsibility of the data communication system and of its developers can be excluded by inspection of the program code. Data integrity is provided for by generating a cryptographic checksum of the original data during recording, by way of example using the SHA-1 cryptographic algorithm. At the end of the recording, the checksum is encrypted asymmetrically by means of the public key. The integrity of the uploaded data is checked by the server 11: the server 11 decrypts the uploaded data file and generates the checksum in the same manner as the client 10; then the uploaded checksum is decrypted. If the checksum calculated on the server 11 and the uploaded checksum do not match, the uploaded data are either damaged or modified.
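The following Python block is an added worked example, not code from the patent or from Ceudata Kft., of the session key derivation, the on-the-fly encryption and the server-side integrity and session key checks described in the preceding paragraphs. Two simplifications are assumptions of this example: the symmetric cipher is a counter-mode keystream built from HMAC-SHA1, chosen only so that the block needs nothing beyond the Python standard library (a deployment would use a standard block cipher such as AES), and the asymmetric wrapping of the session key and of the checksum with the public key is left out, so the server side below receives both as if they had already been unwrapped with the private key. The chunk size and the sample audio are constructed values.

```python
"""Hybrid encryption of a recording on the client 10 and the checks on the
server 11.  Added example, not the patent's code.  Assumed: HMAC-SHA1
counter-mode keystream instead of AES; public-key wrapping of the session key
and checksum omitted (server receives them as if already unwrapped)."""
import hashlib
import hmac
import struct

KEY_PREFIX = 512   # bytes of plaintext hashed into the session key
BLOCK = 20         # keystream block size, one SHA-1 digest
CHUNK = 320        # assumed RAM buffer: 20 ms of 8 kHz 16-bit mono audio


def session_key_for(plaintext: bytes) -> bytes:
    """Session key = SHA-1 of the first 512 bytes (the whole file if shorter)."""
    return hashlib.sha1(plaintext[:KEY_PREFIX]).digest()


def xor_stream(key: bytes, data: bytes, offset: int = 0) -> bytes:
    """Assumed symmetric cipher: byte i of the stream is XORed with byte i % 20
    of HMAC-SHA1(key, i // 20).  Encryption and decryption are the same operation."""
    out = bytearray(len(data))
    block, index = b"", -1
    for i, byte in enumerate(data):
        pos = offset + i
        if pos // BLOCK != index:
            index = pos // BLOCK
            block = hmac.new(key, struct.pack(">Q", index), hashlib.sha1).digest()
        out[i] = byte ^ block[pos % BLOCK]
    return bytes(out)


class Recorder:
    """Client 10 side: on-the-fly encryption of an incoming audio stream."""

    def __init__(self):
        self._pending = bytearray()       # plaintext held in RAM until the key exists
        self._key = None                  # session key: RAM only, never stored
        self._written = 0                 # plaintext bytes already encrypted
        self._checksum = hashlib.sha1()   # running checksum of the original data
        self.stored = bytearray()         # what is written to phone storage

    def feed(self, chunk: bytes) -> None:
        self._checksum.update(chunk)
        if self._key is None:
            self._pending += chunk
            if len(self._pending) < KEY_PREFIX:
                return                    # still collecting the key-deriving prefix
            self._key = session_key_for(bytes(self._pending))
            chunk, self._pending = bytes(self._pending), bytearray()
        # Encrypted immediately: if power fails now, nothing unencrypted is in
        # storage and everything already written remains decryptable.
        self.stored += xor_stream(self._key, chunk, self._written)
        self._written += len(chunk)

    def finish(self):
        """End of recording; returns (ciphertext, session key, checksum)."""
        if self._key is None:             # recording shorter than 512 bytes
            self._key = session_key_for(bytes(self._pending))
            self.stored += xor_stream(self._key, bytes(self._pending), 0)
            self._pending = bytearray()
        return bytes(self.stored), self._key, self._checksum.digest()


def record(audio: bytes, chunk: int = CHUNK):
    rec = Recorder()
    for i in range(0, len(audio), chunk):
        rec.feed(audio[i:i + chunk])
    return rec.finish()


def server_verify(ciphertext: bytes, session_key: bytes, checksum: bytes):
    """Server 11 side: decrypt, recompute the checksum, then confirm the session
    key really is the hash of the recording prefix (no hidden 'master key')."""
    plaintext = xor_stream(session_key, ciphertext, 0)
    if not hmac.compare_digest(hashlib.sha1(plaintext).digest(), checksum):
        return None, "checksum mismatch: data damaged or modified"
    if not hmac.compare_digest(session_key_for(plaintext), session_key):
        return None, "session key is not the hash of the recording prefix"
    return plaintext, "ok"


if __name__ == "__main__":
    audio = bytes(i % 251 for i in range(1000))   # constructed sample "audio"
    ct, key, chk = record(audio)
    print(server_verify(ct, key, chk)[1])          # ok
```

One consequence of deriving the session key from the recording itself is worth keeping in mind: two files whose first 512 bytes are identical, for instance because of a fixed file header, receive the same session key, so the format of the recorded data should put varying content, not a constant header, at the start of the file.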
Until upload, the recorded files are stored in the internal or the external memory of the mobile phone client 10. The original time stamp of the files is stored in the internal memory of the phone even if the audio recording is stored in the external memory. At the beginning of the upload, the time stamp stored in the internal memory is compared with the time stamp stored together with the audio recording. If the two time stamps do not match, this may indicate an attempted or accomplished data modification, namely that the external memory has been manipulated, so the client 10 of the data communication system sends an alert to the server 11. Nevertheless, the client 10 executes the upload, as the integrity check of the encrypted file is only possible on the server 11. The data gathered and stored on the client 10 are uploaded by the client 10 of the data communication system to the server 11 via a secure internet connection using the HTTPS protocol, namely the communication channel carrying the data from the client 10 to the server 11 is an internet connection, preferably a secure one. The HTTPS protocol automatically provides the client 10 with the identification of the server 11, for which it is only necessary to install on the server 11 a certificate issued by a trusted authority. In the opposite direction, the identification of the client 10 to the server 11 is simply solved by the data communication system by sending a unique identifier. The configuration received from the server 11 in the course of the initial configuration, to be applied on the client 10, comprises a unique identifier that unequivocally identifies the given client 10 on the server 11.
This unique identifier is appended by the client 10 to the URL of each upload as a URL query parameter, by way of example: server.com/upload?filename=file1234.dat&uniqueId=client_2F81A5A242, where the query parameters are the portion of the reference link following the question mark, the individual parameters being separated by the '&' character. In the example, the unique identifier is 'client_2F81A5A242'.
After data received from the client 10 are uploaded onto the server 11, and processed and stored by the server 11, it is of extraordinary importance to ensure data integrity, security and regulated data access, namely that the given data may be accessed only by those persons holding appropriate authorization. Most server operating systems currently in use satisfy these requirements, thus it is sufficient to apply already known options on the server 11, by way of example authorization settings, file system level encryption, etc.
In order for the data communication system to provide security between the end points, data stored on the client 10 in an encrypted manner are, once uploaded, stored on the server 11 in an encrypted manner as well. The private keys of the asymmetric key pairs required for decryption are stored neither on the server 11 nor on the client 10 in the data communication system. A given file, by way of example an audio recording, is decrypted solely while being played or opened on the computer used by the user, from where the user accesses the web platform of the server 11, in such a manner that the decrypted data is stored exclusively in the RAM of the computer, which is extraordinarily advantageous in terms of security.
This is achieved by the data communication system as follows: each user authorized to replay the audio recording has a username-password combination, where the password is never stored in the data communication system. This username-password pair is applicable solely to the deciphering of encrypted files; therefore it has to differ from every other username-password pair used by the security system of the data communication system for user identification. An asymmetric key pair, comprising a public as well as a private key, can be calculated from this pair in a deterministic manner by means of a known cryptographic process. The public key of the key pair is stored by the server 11 and is transferred to the appropriate clients 10, while the private key is stored solely in the computer RAM. This public key is used by the client 10 for file encryption in the way described above. When a user connects to the server 11 via internet connection and desires to play an encrypted audio file, he/she is required to enter his/her username and password, from which the player calculates the private key; the audio file is decrypted in real time while being played, and the decrypted audio samples are destroyed once played. As such an audio player requires certain cryptographic algorithms on the computer of the user, it can be created either as a so-called 'thick client', i.e. by applying software especially developed for this purpose, or, in the case of a web-based so-called 'thin client', via Java Applet (an application written in the Java programming language which is able to run in a web browser) or ActiveX (a non-language-specific framework defining reusable software components) technologies.
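As an added example (not code from the patent or from Ceudata), the scheme just described in Go: the user's key pair derived deterministically from username and password, a fresh session key per communication event encrypting the data, that session key encrypted for the user's public key (as in claims 10 to 12), and playback-side decryption from the recomputed private key. PBKDF2-HMAC-SHA256 as the "known cryptographic process", X25519 with AES-256-GCM, the salt and label strings and the sample values are assumptions; the patent names no specific algorithms.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// pbkdf2SHA256 is a minimal PBKDF2-HMAC-SHA256 (RFC 8018) for one 32-byte block.
// The page says only "a known cryptographic process", so this KDF, its iteration
// count and the salt layout are assumptions of this example.
func pbkdf2SHA256(password, salt []byte, iter int) []byte {
	mac := hmac.New(sha256.New, password)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // block index 1
	u := mac.Sum(nil)
	out := append([]byte(nil), u...)
	for i := 1; i < iter; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range out {
			out[j] ^= u[j]
		}
	}
	return out
}

// DeriveKeyPair recomputes the user's X25519 key pair from the username-password
// pair: equal inputs give equal keys, so the private key can live in RAM only and
// the server keeps nothing but the public key.
func DeriveKeyPair(username, password string) (*ecdh.PrivateKey, error) {
	seed := pbkdf2SHA256([]byte(password), []byte("replay-key:"+username), 50000)
	return ecdh.X25519().NewPrivateKey(seed)
}

// EncryptedEvent is what the client stores and later uploads (claims 10 to 12).
type EncryptedEvent struct {
	EphemeralPub []byte // client's one-time X25519 public key used to wrap the session key
	WrappedKey   []byte // session key, AES-256-GCM under the X25519-derived wrap key
	Ciphertext   []byte // event data, AES-256-GCM under the session key
}

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// gcmSeal prefixes a random nonce to the ciphertext; gcmOpen expects that layout.
func gcmSeal(key, plaintext, aad []byte) ([]byte, error) {
	g, err := gcm(key)
	if err != nil { return nil, err }
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return g.Seal(nonce, nonce, plaintext, aad), nil
}

func gcmOpen(key, sealed, aad []byte) ([]byte, error) {
	g, err := gcm(key)
	if err != nil { return nil, err }
	if len(sealed) < g.NonceSize() { return nil, errors.New("ciphertext too short") }
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], aad)
}

// wrapKey derives the key protecting the session key from an X25519 agreement.
func wrapKey(priv *ecdh.PrivateKey, peer *ecdh.PublicKey) ([]byte, error) {
	shared, err := priv.ECDH(peer)
	if err != nil { return nil, err }
	sum := sha256.Sum256(append(shared, "session-key-wrap"...)) // label is an assumption
	return sum[:], nil
}

// EncryptEvent is the client side: a fresh session key per communication event,
// data encrypted symmetrically, session key encrypted for the user's public key.
// No private key is ever present on the client.
func EncryptEvent(userPub *ecdh.PublicKey, data []byte) (*EncryptedEvent, error) {
	sessionKey := make([]byte, 32)
	if _, err := rand.Read(sessionKey); err != nil { return nil, err }
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil { return nil, err }
	wk, err := wrapKey(eph, userPub)
	if err != nil { return nil, err }
	ephPub := eph.PublicKey().Bytes()
	wrapped, err := gcmSeal(wk, sessionKey, ephPub) // ephPub bound as associated data
	if err != nil { return nil, err }
	ct, err := gcmSeal(sessionKey, data, nil)
	if err != nil { return nil, err }
	return &EncryptedEvent{EphemeralPub: ephPub, WrappedKey: wrapped, Ciphertext: ct}, nil
}

// DecryptEvent is the player side: the private key recomputed from username and
// password unwraps the session key, which decrypts the data in memory only.
func DecryptEvent(username, password string, ev *EncryptedEvent) ([]byte, error) {
	priv, err := DeriveKeyPair(username, password)
	if err != nil { return nil, err }
	ephPub, err := ecdh.X25519().NewPublicKey(ev.EphemeralPub)
	if err != nil { return nil, err }
	wk, err := wrapKey(priv, ephPub)
	if err != nil { return nil, err }
	sessionKey, err := gcmOpen(wk, ev.WrappedKey, ev.EphemeralPub)
	if err != nil { return nil, errors.New("wrong username/password or tampered upload") }
	return gcmOpen(sessionKey, ev.Ciphertext, nil)
}
```

A wrong password yields a different private key, so unwrapping the session key fails authentication and nothing of the recording is exposed; the same happens if the uploaded ciphertext was altered.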
For the secure storage of files, a so-called intelligent storage method is further required in the data communication system. The intelligent storage method contributes to satisfying a requirement of great significance, namely that storage space of appropriate size should always be available for data recording, as any shortage of storage space would cause immediate data loss. The application of the data communication system running on the client 10 records the data into the internal memory or external memory of the mobile phone. In order that the storage required for the recording should always be available, a reserve is allocated by the client 10. For the data communication system, therefore, a portion of the client 10 storage is maintained which is determined by a communication parameter controlled by the server 11, and in order to ensure that sufficient storage space is available for data recording, a reserve is created in the maintained portion. The reserve is created in such a way that filling files are written onto the maintained portion so as to bar access to the maintained portion by any client applications other than the data communication system application running on the client 10.
The basis of the intelligent storage technology is the reserve memory allocation algorithm, which always provides sufficient storage availability for the data recorded by the software, i.e. it allocates a data recording reserve. While recording data, the client 10 utilizes the reserve as needed, and re-allocates the reserve in the liberated storage portion as soon as possible. In both reserve allocation and reserve utilization, the aim is to keep free memory space at a low level in order to bar use of the memory by other applications; by way of example, if taking photos falls outside the functions of the data communication system, then there should not be enough memory for taking pictures, while at the same time memory should be ensured for data recording by the data communication system.
The operation of the reserve memory allocation algorithm is detailed in Figs. 3 and 4, which are connected to each other at points (1) and (2). Prior to giving an in-depth description of the drawings, we shall first outline that the client 10 mobile phone memory may be divided into three categories from the aspect of usability by the data communication system, which are the following:
- Occupied: such portion of the memory which is occupied by files stored by the data communication system as well as by other applications.
- Free: such portion of the memory which is available for storing new files.
- Reserve: portion of the memory occupied by filling files generated by the reserve memory allocating algorithm in order to ensure a sufficient amount of memory for the data communication system.
The memory reserve allocation algorithm operates with the following parameters:
- Maximum allocable reserve: a communication parameter, the maximum value of the reserve. Its value is preferably set as a function of the expected data volume, by way of example to a 3-hour audio call recording, 15 large-size photos, etc.
- Minimum maintainable free memory space: a communication parameter, the target value of free memory in case of low memory. Its value is preferably set to a level where basic phone functions (phone call, SMS, contact list, etc.) operate undisturbed, but high memory usage applications, by way of example camera or video camera, if these do not belong to the data communication system functions, cannot be used for reasons of memory shortage.
- Gap: a communication parameter, the target value of the free memory in the course of the reserve utilization operating mode, in case of low memory. Its value is preferably set to a level where undisturbed recording of the data communication system data is ensured, but high memory usage applications, by way of example camera or video camera, if these do not belong to the data communication system functions, cannot be used for reasons of memory shortage.
- Checking frequency: a communication parameter, the frequency of free memory checking in the reserve utilization operating mode.
The communication parameters of the reserve allocation operating mode can be freely configured or remotely controlled. In this way it is ensured that all mobile phone types and uses can operate with optimum parameters.
Fig. 3 shows a flow diagram of the reserve allocation operating mode of the reserve memory allocation algorithm. The algorithm is entered at the point marked 'Start'. At the first branch, it is inspected whether the existing reserve is less than the maximum allocable reserve. If so, and the available free memory space is lower than the minimum maintainable free memory space, the system goes into standby mode, and data recording may begin at any moment. If the free memory exceeds the minimum maintainable free space, the system creates filling files, by which the reserve is allocated until the maximum allocable reserve is reached or the free memory becomes less than the minimum free value, and then the system goes into standby mode as described above. If meanwhile, or already at the beginning of the process, the reserve exceeds the maximum allocable reserve, then the system starts to delete filling files until the reserve reaches the level of the maximum allocable reserve, whereupon the system likewise goes into standby mode.
In the standby mode of the data communication system, data recording may commence at any moment, concurrently with the reserve utilization operating mode illustrated in Fig. 4. The reserve allocation operating mode then automatically switches to the reserve utilization operating mode. On completion of data recording, the reserve memory allocation algorithm of the data communication system automatically returns to the reserve allocation operating mode. In the course of data recording, the security system first inspects whether the free memory space is lower than the pre-set gap. If so, the security system deletes a filling file so as to ensure sufficient available memory for data recording, then inspects whether the data recording is still in progress. If not, the security system returns to the reserve allocation operating mode; if so, it again inspects whether the free memory is lower than the gap. If so, the previous step is repeated until the free memory reaches or exceeds the size of the gap. If the free memory equals the size of the gap, the security system waits until the pre-set checking frequency period expires, then checks whether the data recording is still in progress, and proceeds as described above. If the free memory exceeds the gap, it is inspected whether the reserve is less than the maximum allocable reserve. If so, the reserve memory allocation algorithm creates a filling file and steps on to inspect the data recording process; if not, it steps directly to inspect the data recording process. The reserve utilization operating mode, therefore, is in progress for the duration of the data recording process, and upon completion of data recording the system returns to the reserve allocation operating mode.
The reserve memory allocation algorithm, according to the above, has three operating modes, which manage the partitioned reserve memory as a function of the actual data recording operation of the client 10:
- Reserve allocation operating mode: the reserve allocation operating mode presented in Fig. 5 is active if no data recording is in progress and the reserve is lower than the target value of the reserve, i.e. the maximum allocable reserve. The reserve memory allocation algorithm of the security system starts in the reserve allocation operating mode. In this mode, the reserve is set to the maximum allocable reserve prescribed for this mode of operation, if sufficient space is available. If less free memory is available, as much reserve is allocated as possible, up to the set minimum free memory value, leaving an appropriate amount of free memory. On reaching the target value, the system goes into standby mode. Prior to the start of any recording, the client 10 aborts the reserve allocation operating mode and moves to the reserve utilization operating mode. In Fig. 5, the target value of the reserve in the reserve allocation operating mode is indicated by a thick line as a function of the occupied memory ("X"). The target value of the reserve depends on how much of the memory is used, namely the size of the storage space used up by the files recorded by the data recording system as well as by other applications of the client 10. The target value as a function of the occupied memory therefore constitutes a trapezoid-shaped function. If the occupied storage space exceeds the total storage space less the sum of the maximum allocable reserve and the minimum maintainable free memory space, then the target value lies on the descending side of the trapezoid, and a reserve corresponding to the maximum allocable reserve cannot be allocated. If the occupied memory exceeds a critical level, no reserve at all can be allocated; this range consists of the X values above the point where the descending side of the trapezoid reaches the X axis. The maximum allocable reserve can be attained at X values corresponding to the horizontal side of the trapezoid, as the memory usage is suitably low. The minimum maintainable free storage space is by all means intended to be maintained, since if this portion is also filled, the phone is unable to perform its basic functions.
- Reserve utilization operating mode: the reserve utilization operating mode depicted in Fig. 6 is active during data recording. On entering the reserve utilization operating mode, the system promptly sets the size of the reserve so that at least the prescribed free space, the so-called gap, is available. Inspection of the gap as well as setting of the reserve in this mode of operation is done continuously, repeated according to the preset checking frequency. After completion of the data recording, the reserve allocation operating mode is entered. Fig. 6 illustrates the reserve volume with a thick line as a function of the occupied memory ("X") in the reserve utilization operating mode. It is apparent that in this mode of operation, the role of the minimum maintainable free memory parameter is taken over by the gap parameter in order to ensure continuous data recording. In order to maintain a gap of appropriate size, the descending side of the trapezoid starts at a lower X value, as in this case the total memory size is given by the sum of the occupied area plus the gap plus the target value, as opposed to the reserve allocation operating mode, where the total memory size is given by the sum of the occupied space plus the minimum maintainable free space plus the reserve target value.
- Standby mode: the standby mode illustrated in Fig. 3 is active if no data recording is in progress and the reserve volume has reached the target value. In the case of data recording, the reserve utilization operating mode is entered directly prior to data recording.
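As an added example (not code from the patent or from Ceudata), the reserve memory allocation algorithm of Figs. 3 to 6 above as a small Go simulation: the trapezoid target function of Figs. 5 and 6, the reserve allocation mode of Fig. 3 and one checking interval of the reserve utilization mode of Fig. 4, driven by the communication parameters listed above. Storage units, the filling file size and the sample numbers are assumptions; the condition that writing a filling file in utilization mode must not push free memory back below the gap is an addition not stated on the page.

```go
package main

import "fmt"

// Params are the communication parameters of the reserve memory allocation
// algorithm, in arbitrary storage units. FillSize is the size of one filling
// file; the page does not fix it, so it is an assumption here.
type Params struct {
	MaxReserve int // maximum allocable reserve
	MinFree    int // minimum maintainable free memory space (allocation mode)
	Gap        int // target free memory while recording (utilization mode)
	FillSize   int // size of one filling file
}

// Storage models the three memory categories: occupied, reserve (filling files)
// and free (the remainder).
type Storage struct {
	Total    int
	Occupied int // files of the data communication system and of other applications
	Reserve  int // sum of filling files currently written
}

func (s Storage) Free() int { return s.Total - s.Occupied - s.Reserve }

// TargetReserve is the trapezoid of Fig. 5 (keepFree = MinFree) and Fig. 6
// (keepFree = Gap): flat at maxReserve while usage is low, descending once
// total - keepFree - occupied drops below maxReserve, zero above the critical level.
func TargetReserve(total, occupied, maxReserve, keepFree int) int {
	t := total - keepFree - occupied
	if t < 0 {
		t = 0
	}
	if t > maxReserve {
		t = maxReserve
	}
	return t
}

// AllocationMode is Fig. 3: delete filling files while the reserve exceeds the
// maximum, otherwise write filling files until the maximum is reached or the free
// memory would drop below MinFree. Returns files written (positive) or deleted
// (negative); afterwards the system is in standby mode.
func AllocationMode(s *Storage, p Params) int {
	n := 0
	for s.Reserve > p.MaxReserve && s.Reserve >= p.FillSize {
		s.Reserve -= p.FillSize
		n--
	}
	for s.Reserve+p.FillSize <= p.MaxReserve && s.Free()-p.FillSize >= p.MinFree {
		s.Reserve += p.FillSize
		n++
	}
	return n
}

// UtilizationStep is one checking interval of Fig. 4 while recording is in
// progress: `recorded` units were just written; filling files are then deleted
// until the gap is restored, or one is written if the free memory exceeds the
// gap and the reserve is below the maximum. The extra condition that writing a
// filling file must not push free memory below the gap avoids oscillation.
func UtilizationStep(s *Storage, p Params, recorded int) (created, deleted int) {
	s.Occupied += recorded
	for s.Free() < p.Gap && s.Reserve >= p.FillSize {
		s.Reserve -= p.FillSize // hand a filling file's space to the recording
		deleted++
	}
	if deleted == 0 && s.Free() > p.Gap && s.Reserve+p.FillSize <= p.MaxReserve &&
		s.Free()-p.FillSize >= p.Gap {
		s.Reserve += p.FillSize
		created++
	}
	return created, deleted
}

// Starved reports the failure mode the reserve exists to prevent: free memory
// below the gap with no filling file left to delete.
func (s Storage) Starved(p Params) bool { return s.Free() < p.Gap && s.Reserve < p.FillSize }

func main() {
	p := Params{MaxReserve: 30, MinFree: 10, Gap: 5, FillSize: 5}
	s := Storage{Total: 100, Occupied: 20} // constructed sample phone memory
	fmt.Println("allocation wrote", AllocationMode(&s, p), "filling files; free =", s.Free())
	c, d := UtilizationStep(&s, p, 48) // a recording fills 48 units
	fmt.Println("utilization: created", c, "deleted", d, "free =", s.Free(), "reserve =", s.Reserve)
	fmt.Println("target after recording:", TargetReserve(s.Total, s.Occupied, p.MaxReserve, p.MinFree))
}
```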
Table 1 below lists the general preferred use potentials of the data communication system (columns: type of application, usage, user advantages).

Type of application: Audio recording in accordance with legal provisions as well as mitigating risk
Usage:
• Financial mediation (agents, brokers, private bankers, fund managers, etc.)
• Decentralized call centers
• Oral business transactions
User advantages:
• Ensures compliance with legal provisions
• Legal, reputational risk mitigation
• More comfortable performance of work
• Higher level of availability
• Opportunity for part-time, work-at-home employment

Type of application: Recording and storage (as well as communication to clients 10) of complex mobile content (picture, audio, text) for work process optimization (one-step authentic database establishment, with information regarding 'on-site' data and agreements)
Usage:
• Real estate and motor vehicle insurance damage settlement
• Investigation and documentation of financial institution margin status
• Public utilities meter reading
• Maintenance (road, machinery, building, etc.) documentation
• Construction project documentation
• Merchant activity documentation
• Promotional campaign documentation
• Status report for security companies
• Central availability of salesman mobile phone contact list database (CRM integration)
User advantages:
• Lower cost customer management and data processing procedure
• Quality management
• Legal dispute risk mitigation
• Quicker billing, better cash-flow
• Possibility of objective, authentic performance assessment (contracted maintenance service level, satisfying payment terms for construction and maintenance works, checking fulfillment of promotion, etc.)
• Increased data security
• Client loss risk reduction
• Ecological footprint reduction

Type of application: Data saving, data traffic recording, remote data destruction, for the purposes of reducing the risk of data leakage
Usage:
• Organizations handling confidential information (financial organizations, pharmaceutical companies, development companies, governmental organizations, etc.)
User advantages:
• Extended protection of confidential data protected in other ways for mobile phones (endpoint protection with special data traffic surveillance, as well as protection of data stored on mobile phones that got into unauthorized possession)

Type of application: Telecommunication cost cutting
Usage:
• Telephone usage analysis reports
• Redeeming landline phones
• Lower cost call center, on-site activity
User advantages:
• More transparent communication activity, costs

Type of application: Establishment of professional systems, new services
Usage:
• Remote diagnostics (e.g. in case of skin cancer)
User advantages:
• Wider availability of specialized knowledge, reducing health-related costs

Table 1
Table 2 below shows the use potentials of the data communication system and its security system for the financial sector (columns: problem, solution, favorably influenced indices and indicators).

Problem: Data protection: unauthorized access to bank secrets, private data when camera or dictaphone is used, or in case of unauthorized possession of the mobile phone
Solution:
• outgoing photos, videos, dictaphone audio records from financial institutions automatically sent to central database (as well), preset alert option
• saving data from mobile phones getting into unauthorized possession to central database, deleting data from phone, finding out phone location
Favorably influenced indices, indicators:
• possibility of unauthorized possession of confidential data
• possibility of bank secret infringement detection and authentic proving thereof from database
• probability of losing significant data

Problem: Continuous course of business: hampered service quality if, in case of error, the competent experts cannot be promptly contacted, or if the operation and maintenance quality of the critical devices fails the planned level
Solution:
• location and accessibility of competent troubleshooting experts can be promptly determined
• continuous and authentic tracking of predefined "service quality" fulfillment, without unnecessary administration; objective and authentic data is available for any possible dispute
Favorably influenced indices, indicators:
• required time of troubleshooting
• possible compliance with quality
• simplicity of proving any violation of contract

Problem: Financial transactions: significant risk is posed if, in the course of financial mediations or advisory services (private bankers, brokers, fund managers, etc.), phone communication is not recorded
Solution:
• authentic (encrypted) recording of all desired events of mobile phone conversation, SMS sending in the central database, later usable if necessary
• private or business call classification can be defined in full harmony with the legal provisions
Favorably influenced indices, indicators:
• possibility of legal disputes, harmful media news negatively influencing corporate identity, supervisory penalties
• inflexible work of customer service representatives
• customer satisfaction (accessibility of contact person)

Problem: Asset financing: significant risk is posed in asset financing (inventory, leasing, real estate mortgage) by unrealistic consideration of the quality or quantity or state of assets (deposit); monitoring incurs significant costs
Solution:
• automatic (with no data processing demand) real-time recording of inventory, real estate, motor vehicle status with authentic time and location determination into central database (together with photo, audio and written comments)
Favorably influenced indices, indicators:
• possible concealment of assets
• degree of (financing) damages arising from decisions based on incorrect asset evaluation
• asset monitoring cost

Problem: Motor vehicle and real estate insurance frauds: motor vehicle insurance fraud attempts are significant in terms of value, while real estate insurance fraud attempts are significant in terms of frequency
Solution:
• providing authentic, practically real-time recording of photos and other documents comprising time and location data, saved into central database at the time of contract signing and damage filing
Favorably influenced indices, indicators:
• time required for procedure (customer satisfaction)
• degree of undetected fraud
• processing fee of documents
• proportion of time spent on basic functions by customer service representatives

Problem: Liability insurance (energy industry): significant amounts of indemnification may become necessary for damages arising from inappropriate operation and/or maintenance
Solution:
• continuous, authentic real-time documentation of meeting the required level of service during operation, maintenance, troubleshooting (time, duration of activity, statuses) into the central database (audio recording, photos, SMSs, with time and location)
Favorably influenced indices, indicators:
• uncertainties and costs of ascertaining liability (and determining the rate of rightful claim for indemnification)

Problem: Motor vehicle and real estate damage settlement: motor vehicle and real estate damage settlement is a complex activity of insurance companies, a process involving significant costs and high risk
Solution:
• route planning, travel expense control, one-step authentic real-time damage information recording into central database for insurance assessors (agents), authentic documentation and central recording of oral compensation settlements concluded with customers
Favorably influenced indices, indicators:
• rate of reimbursable travel expenditure
• documentation processing fee
• risk of central data accessibility
• time required for procedure (customer satisfaction)

Problem: Insurance agents: documenting of sales and marketing activity for preventing non-compliance with provisions or legal disputes
Solution:
• recording of customer acquisition and consultancy transactions through mobile phones into central database (recordable communications may be set), agent activity analysis from database
Favorably influenced indices, indicators:
• possibility of unlawful events, or events causing any potential legal disputes or penalties
• agent efficiency

Problem: Establishment management: maintenance and public utilities' costs of used buildings may essentially influence operating expenses as well as the corporate identity
Solution:
• transparent and analyzable documentation of maintenance activity and energy consumption
Favorably influenced indices, indicators:
• specific energy consumption of buildings
• transparent maintenance activity
• quality of information for decision-making
• controllability of decision implementation

Table 2
Table 3 below shows the additional potential uses of the data communication system and its security system (columns: problem, solution, favorably influenced indices and indicators).

Solution (in all cases):
• direct, almost real-time transmission of text, audio, visual information comprising authentic time and location data to central database
• data connected to a particular person, location, task, institution can be searched and displayed from database
• audio recordings, pictures, date and location cannot be manipulated or processed by user
• independent from mobile provider, operates internationally
• modular installation of elements
• customizable user platform
• customer may look into database, on user decision
• no significant energy consumption
• no limitation on phone operation
• database easily integrated with existing technologies
• easy to integrate with complementary devices (e.g. audio recording to digital text, written text to digital text converting solutions, or e.g. headlamp for night photography)

Problem: Documentation of construction work phases: this function is of key importance in terms of quality management, billing, performance certificates, legal dispute prevention, performance analysis and licensing; "conventional" solutions (in reference to all those concerned) incur significant risks, costs and damages
Favorably influenced indices, indicators:
• construction quality of completed establishments
• performance certificates, licensing risks
• legal disputes, no-payment risks
• transparent worker efficiency
• proportion of high added-value activity on the part of experts' time (expert opinion, consultation)
• transparent activity, and coupled costs
• required time of activities and processes

Problem: Documentation of maintenance tasks: the absence of unequivocal documentation of issued maintenance tasks in many cases provides a chance of malversation or overcharging
Favorably influenced indices, indicators:
• transparent maintenance activity, costs, risks (in the case of machinery, equipment, roads, public utilities networks, buildings)

Problem: Service quality verification: verification of (compliance of) service quality is often a cause for dispute between the parties
Favorably influenced indices, indicators:
• time of disputes and legal disputes, occupying the time of management
• costs of legal disputes
• measurable performance, quality of performance management

Problem: Tracking of energy consumption: "conventional" metering solutions contribute to the efficient use of energy in buildings to a minimum degree only
Favorably influenced indices, indicators:
• degree and cost of specific energy consumption
• checking the execution of determined (e.g. overhours) energy saving steps
• quality of information available to energy management decisions

Problem: Documentation of the state of real estate: documentation of the status of buildings, public utility networks and roads is an important but costly task
Favorably influenced indices, indicators:
• quality of information available on valuable possessions, manufacturing costs, time demand

Table 3
The invention, of course, is not limited to the above detailed preferred embodiments, but further variations, modifications and further developments are possible within the scope defined by the claims.

Claims

1. A method for operating a data communication system, the system comprising a server (11) and a mobile client (10) suitable for data communication with the server (11), the method comprising the step of authenticating the client (10) at the server (11), wherein communication parameters of the authenticated client (10) are enabled to be controlled by the server (11) by means of control commands,
c h a r a c t e r i z e d in that the authentication comprises the following steps:
establishing a trusted relationship between the server (11) and the client (10), in the course of which the server (11) and the client (10) are identified to each other, and a shared secret is determined for both the server (11) and the client (10), and
storing a public key on the client (10) for encrypting data communication transferred from the client (10) to the server (11), wherein
the data communication from the authenticated client (10) to the server (11) is controlled from the server (11) through setting the communication parameters.
2. The method according to claim 1, characterized in that the step of establishing the trusted relationship between the server (11) and the client (10) comprises the steps of sending information identifying the server (11) from the server (11) to the client (10), checking and accepting it on the client (10), and storing on the client (10) a shared secret uniquely generated by the server (11).
3. The method according to claim 1 or claim 2, characterized in that the shared secret is a symmetric key, and the control command signed by the symmetric key is sent in a short text message from the server (11) to the client (10), which message comprises
- an identification character sequence,
- a time stamp, and
- the control command.
4. The method according to claim 3, characterized by rejecting the control command by the client (10), if the identification character sequence of the message is inappropriate.
5. The method according to claim 3 or claim 4, characterized by rejecting the control command by the client (10), if the time stamp is older than a validity period determined in a communication parameter, or a control command had already been received with the same time stamp.
6. The method according to claim 1, characterized in that the client (10) is controlled by the server (11) through an internet connection.
7. The method according to any of claims 1 to 6, characterized in that data derived from the client's (10) communication events are stored on the client (10).
8. The method according to claim 7, characterized in that the stored data are pictures, videos made by means of the mobile client (10), short text messages, location data of the client (10), data of events of the client (10), or audio recordings, preferably audio recordings of conversations made through the client (10).
9. The method according to claim 7 or claim 8, characterized in that the data are stored in an encrypted format.
10. The method according to any of claims 7 to 9, characterized in that for each communication event of the client (10), a session key is generated by the client (10) for a symmetric encryption of data derived from the communication event.
11. The method according to claim 10, characterized in that the session key is stored on the client (10) and uploaded onto the server (11) asymmetrically encrypted by the public key.
12. The method according to claim 10 or claim 11, characterized in that the data are uploaded onto the server (11) in a form encrypted by means of the session key.
13. The method according to any of claims 7 to 12, characterized in that a portion of the storage space of the client (10) determined by a communication parameter is reserved for the data communication system.
19. The method according to any of claims 1 to 18, characterized in that after completion of the authentication, a report is sent from the client (10) to the server (11) about the completion of authentication.
15. The method according to claim 14, characterized in that filling files are written onto the reserved portion in order to bar access to the reserved portion by applications running on the client (10) other than the application of the data communication system.
16. The method according to any of claims 13 to 15, characterized in that the storage space belonging to the client (10) is an internal memory or an external memory of the client (10).
17. The method according to any of claims 1 to 16, characterized in that data transfer from the client (10) to the server (11) is carried out through a secure internet connection.
18. The method according to any of claims 1 to 17, characterized in that a configuration applicable to the client (10) is downloaded from the server (11) onto the client (10), preferably for customizing the application running on the client (10).
19. The method according to any of claims 1 to 18, characterized in that after completion of the authentication, a report is sent from the client (10) to the server (1 1) about the completion of authentication.
20. The method according to any of claims 13 to 16, characterized in that the communication parameters are the data expected by the server (11) from the client (10), the validity period of the time stamp, the maximum size of allocable reserve of the storage available for data recording, the minimum size of the free memory to be maintained, the size of the memory gap, the checking frequency of the size of free memory, reference links of remote services on the server (11), phone number of a messaging module of the server (11) and/or the public key.
21. A data communication system comprising
- a server (11),
- a mobile client (10), preferably a mobile phone, suitable for data communication with the server (11),
- a storage assigned to the client (10),
- a communication channel connecting the client (10) and the server (11),
- control command managing modules enabling control of communication parameters of the client (10) by the server (11), including a module suitable for authenticating the control commands on the client (10), c h a r a c t e r i z e d by comprising
- software means enabling operation according to any of claims 1 to 20.
22. The data communication system according to claim 21, characterized by comprising an encryption module for encrypting data stored on the client (10) and a decryption module on the server (11) for decrypting data transferred from the client (10).
23. The data communication system according to claim 21 or claim 22, characterized by comprising a module managing a portion of the memory reserved for the data communication system.
24. The data communication system according to any of claims 21 to 23, characterized by comprising a database (13) enabling structured analysis of the data.
25. The data communication system according to any of claims 21 to 24, characterized in that the communication channel is an internet connection, preferably a secure internet connection.
26. The data communication system according to any of claims 21 to 25, characterized in that the data stored by the mobile client (10) are pictures, videos taken by the client (10), short text messages, location data of the client, data of the events of the client (10), or audio recordings, preferably audio records of conversations made through the client (10).
PCT/HU2010/000129 2009-11-24 2010-11-24 Method for operating a data communication system, and data communication system WO2011064608A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
HU0900729A HU0900729D0 (en) 2009-11-24 2009-11-24 Communication systems
HUP0900729 2009-11-24

Publications (1)

Publication Number Publication Date
WO2011064608A1 true WO2011064608A1 (en) 2011-06-03

Family

ID=89989389

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/HU2010/000129 WO2011064608A1 (en) 2009-11-24 2010-11-24 Method for operating a data communication system, and data communication system

Country Status (2)

Country Link
HU (1) HU0900729D0 (en)
WO (1) WO2011064608A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113015170A (en) * 2021-03-05 2021-06-22 中国工商银行股份有限公司 Short message verification method, device, electronic equipment and medium

Citations (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5839067A (en) 1995-01-10 1998-11-17 Telefonaktiebolaget Lm Ericsson Corporate communication system
US6301484B1 (en) 1999-08-31 2001-10-09 Qualcomm Incorporated Method and apparatus for remote activation of wireless device features using short message services (SMS)
US6597772B1 (en) 1998-12-21 2003-07-22 Micron Technology, Inc. Method of programming telephone numbers and identifiers in multiple databases
WO2005009017A1 (en) 2003-07-21 2005-01-27 C.R. Cellular Recorder Ltd. System and method for recording audible and/or visual information on a server
US20050044165A1 (en) 2003-01-23 2005-02-24 O'farrell Robert System and method for mobile data update
US20050090239A1 (en) 2003-10-22 2005-04-28 Chang-Hung Lee Text message based mobile phone configuration system
US6970698B2 (en) 2002-07-23 2005-11-29 Sbc Technology Resources, Inc. System and method for updating data in remote devices
US20060183469A1 (en) 2005-02-16 2006-08-17 Gadson Gregory P Mobile communication device backup, disaster recovery, and migration scheme
US7110753B2 (en) 2002-09-26 2006-09-19 Siemens Communications, Inc. Remotely controllable wireless device
US7116996B2 (en) 2002-10-17 2006-10-03 Cingular Wireless Ii, Llc Providing contact data in a wireless telecommunication system
US20070211876A1 (en) 2004-10-20 2007-09-13 Core Mobility Systems and Methods for Consent-based Recording of Voice Data
US7389123B2 (en) 2003-04-29 2008-06-17 Sony Ericsson Mobile Communications Ab Mobile apparatus with remote lock and control function
US7450936B2 (en) 2001-01-20 2008-11-11 Samsung Electronics Co., Ltd System and method for remotely controlling a mobile terminal
WO2009008781A1 (en) * 2007-07-10 2009-01-15 Telefonaktiebolaget Lm Ericsson (Publ) Drm scheme extension
US20090110156A1 (en) 2007-10-27 2009-04-30 Joseph Hosteny Method and apparatus for the storage of recorded audio and retrieval from an associated URL

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
HASSINEN M: "Java based Public Key Infrastructure for SMS Messaging", INTERNET CITATION, 28 April 2006 (2006-04-28), pages 88 - 93, XP002532212, ISBN: 978-0-7803-9521-3, Retrieved from the Internet <URL:http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=1684350&isnumber=35470> [retrieved on 20090615] *

Also Published As

Publication number Publication date
HU0900729D0 (en) 2010-01-28

Similar Documents

Publication Publication Date Title
US20210201320A1 (en) System and method for secure transactions using images
US9324074B2 (en) Mobile communication device monitoring systems and methods
KR102119449B1 (en) Aggregation open api platform system, method for prividing financial services using the same and computer program for the same
CN104376266B (en) The determination method and device of application software level of security
US20060116912A1 (en) Managing account-holder information using policies
CN109672645A (en) A kind of identity identifying method, user terminal and authentication management server
CN105391724A (en) Authorization management method and authorization management device used for information system
WO2015059389A1 (en) Method for executing a transaction between a first terminal and a second terminal
CN114329290B (en) Capability open platform and authorized access method thereof
CN104704521A (en) Multi-factor profile and security fingerprint analysis
US20100094756A1 (en) System and method for rapid financial transactions through an open financial exchange or wire transfer
CN110955906A (en) Method and system for managing personal data authorization
WO2011064608A1 (en) Method for operating a data communication system, and data communication system
CN103873435B (en) A kind of network trading platform account control method, device and server
Afanu et al. Mobile Money Security: A Holistic Approach
US11783328B2 (en) Systems and methods for wallet, token, and transaction management using distributed ledgers
CN114418769A (en) Block chain transaction charging method and device and readable storage medium
Parsons The governance of telecommunications surveillance: How opaque and unaccountable practices and policies threaten Canadians
Balco et al. Intelligent Solutions for Secure Communication and Collaboration Based on Cloud Technologies
EP2317691B1 (en) System and method for contextually and dynamically securing data exchange through a network
EP1510904B1 (en) Method and system for evaluating the level of security of an electronic equipment and for providing conditional access to resources
FR3025677A1 (en) GATEWAY FOR PREPARING ENERGY DISTRIBUTION
KR101553065B1 (en) Stand alone NFC device using personal information service delete and restore and certification system of mobile terminal and method of the same
WO2023001846A1 (en) Method for transaction between an organisation and an establishment on a blockchain
CN117132269A (en) Chargeable key service charging method and system

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 10810828; Country of ref document: EP; Kind code of ref document: A1)
DPE1 Request for preliminary examination filed after expiration of 19th month from priority date (pct application filed from 20040101)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 10810828; Country of ref document: EP; Kind code of ref document: A1)