| CPC H04L 9/3271 (2013.01) [H04L 9/3213 (2013.01); H04L 9/3247 (2013.01)] | 14 Claims |
|
1. A method for controlling a plurality of devices via a server connected with a database, each device being equipped with a processing unit, a communication unit, and a hardware trusted execution environment (TEE) having a memory and securely connected to the communication unit via a dedicated secure hardware pathway, and being controlled by a corresponding controller, the communication units being adapted to securely communicate with each other via a wireless or wired point to point communication link for offline communication, and the server being adapted to securely communicate with each device communication unit via a wired or wireless communication network for online communication, the server and the communication units being adapted to transfer data using encrypted protocols, the server and the TEE of each device being adapted to respond to a validation challenge via a zero-knowledge proof (ZKP) protocol, and to generate and validate a single use ownership digital signature and its corresponding ownership signature validation challenge,
wherein:
the database managed by the server stores digital tokens, each token delivered by the server comprising a token unique identifier, corresponding token data assigned by the server and including a server signature, and a token ownership challenge corresponding to a unique controller owning said token attributed by the server;
in case of offline transfer of a token owned by a controller A of a device to another controller B of another device, the controller A first sends an offline transfer request containing the token unique identifier and a TEE single use offline signature of the trusted execution environment of the device of controller A via online communication to the server by means of the communication unit of the device, upon reception of said offline transfer request the server checks that the token unique identifier is stored in the database with corresponding token ownership challenge and then, sends said token ownership challenge to the controller A, upon reception and verification of the token ownership challenge response from controller A the server verifies that the TEE single use offline signature is valid, in case said TEE single use offline signature is valid the server replaces the token ownership challenge corresponding to the token unique identifier with a TEE ownership challenge corresponding to the TEE single use offline signature and sends back a confirmation message indicating a successful replacement of token ownership challenge together with data necessary for the TEE of the device of controller A to start executing the token, in case said single use offline signature is not valid the server sends back a corresponding failure message corresponding to an invalid single use offline signature to controller A;
in case the controller A receives the confirmation message the TEE of the device of controller A starts executing the token and the communication unit of the device of controller A exposes the running token to the communication unit of the device of controller B which then continuously observes the running token, synchronizes with it in its trusted execution environment and checks that:
(i) the token is signed by the server,
(ii) the token owner is controller A, and
(iii) the token is running in the trusted execution environment of the device of controller A;
then the device of controller A changes the token ownership challenge of the running token in favor of controller B and the controller B continuously observes a copy of the token with the changed token ownership challenge in the trusted execution environment of its device, and
the TEE of the device of controller B stops running the token and generates a proof of stop, and the controller B then pushes online a transfer request containing the token unique identifier, the proof of stop and the changed token ownership challenge to the server, and upon reception of said transfer request the server checks that the request is valid and in case the request is valid it performs a corresponding change of token ownership challenge for this token in the database.
|