 AUTHENTICATION FOR CONNECTING A BARCODE READER TO A CLIENT COMPUTER DEVICE
专利摘要:
An apparatus and system for authenticating functions for downloading to an image scanning device has a client computing device that generates an image of a symbol encoding authentication data. The client computing device hash a communication parameter from its transceiver, digitally signs the hash value with a private key from the public-private key pair, and encrypts the hash value, digital signature, and unencrypted communication parameter in the symbol. The image scanning device takes an image of the symbol, decrypts the symbol, verifies that the unencrypted communication parameter matches the hash of the communication parameter and that a public key stored in the memory of the barcode reader matches the private key being used to sign the hash value. If the communication parameter matches the hash value and the signature matches the public key, the barcode reader may enable its transceiver to download the function from the client computing device. 公开号:BE1026830B1 申请号:E20195915 申请日:2019-12-17 公开日:2021-02-22 发明作者:Kenneth S Bhella;Mariya Wright 申请人:Zebra Tech Corp; IPC主号:
专利说明:
AUTHENTICATION FOR CONNECTING A BARCODE READER TO A CLIENT COMPUTER DEVICE BACKGROUND Conventional barcode readers can be updated or configured with applications or other functions by scanning a barcode on a client computing device, such as a smartphone, tablet, computer, etc. However, the availability of software development kits (SDK) for host operating systems, virtually anyone develop an application to upload to a barcode scanner, including malicious applications. This problem is especially serious with barcode readers in environments that handle sensitive information, such as hospitals. While other authentication methods are available, such as a security password or private identification number (PIN), many barcode readers have no keyboard or display. In addition, while it is possible for a barcode reader to be provided with the MAC (Media Access Control) address of all client computer devices authorized to deliver applications to the barcode reader, this requires that all barcode scanners, possibly hundreds of barcode scanners, be placed in a system. updated when new client computer devices are introduced or removed, changing the list of MAC addresses. Accordingly, there is a need for an improved authentication method for connecting a barcode reader to a client computing device that satisfies both the need to easily establish the connection and to maintain security. RESUME In accordance with one aspect of the invention, there is provided an image scanning device comprising a housing having a window; an imaging assembly positioned in the housing, the imaging assembly comprising an image sensor and a field of view; FOV) extending through the window, the image sensor being arranged to receive at least one of: light reflected from a symbol and light radiated from the symbol; a first communication transceiver positioned in the housing, the first communication transceiver operable to maintain electronic communication via a communication protocol, a controller operably linked to the imaging assembly, the controller comprising a processor and a memory, the controller configured for decoding of a symbol recorded in an image captured by the image sensor, the symbol comprising encrypted data comprising G) an unencrypted first communication parameter related to a second communication transceiver on a client computing device and (1) a hash of a second communication parameter, where G) the hash of the second communication parameter is signed with a private encryption key, (11) the symbol is displayed on a display of the client computing device, and (ii) the second communication parameter includes identification data that uniquely identifies an authorized communication transceiver, validating whether the first communication parameter matches the hash of the second communication parameter, and whether the signature matches a public key stored in the memory, it enables setting the first communication transceiver to establish an electronic communication with the second communication transceiver via the communication protocol in response to matching the first communication parameter with the hash of the second communication parameter and matching the signature with the public key stored in the memory and downloading an attribute from the client computing device to the memory via the communication protocol in response to enabling the first communication transceiver. In response to matching the first communication parameter to the hash of the second communication parameter and matching the signature to the public key stored in the memory, the controller may instruct the first communication transceiver to transmit, via the communication protocol, a signal comprising (i) identification data uniquely identifying the first transceiver and (ii) a communication link establishment request with the second communication transceiver. The first and second communications transceivers may each include a short range wireless communications transceiver, and wherein the communications protocol may include a short range wireless communications protocol. The symbol may include at least one of: GC) a two-dimensional barcode, and Gi) a three-dimensional barcode. The controller may further be configured to query the memory for the public key, enabling the first communication transceiver to establish electronic communication with the second communication transceiver via the communication protocol in response to not being stored in memory. of the public key, and validating whether the first communication parameter matches the hash of the second communication parameter, and whether the signature matches a public key stored in memory in response to the public key being stored in memory. The memory may include a persistent memory, and the controller may further be configured to download the public key from the client computing device to the persistent memory via the communication protocol in response to the public key not being stored in the persistent memory. The first communication parameter may include a Media Access Control (MAC) address that uniquely identifies the second communication transceiver, and the second communication parameter may include a MAC address that uniquely identifies an authorized communication transceiver. In accordance with another aspect of the invention, there is provided a client computing device comprising a housing, a display positioned in the housing, a first communication transceiver positioned in the housing, the first communication transceiver operable to maintain electronic communication over a communication protocol; a controller operably linked to the first communications transceiver, the controller comprising a processor and a memory, the controller configured to hash a communications parameter related to the first communications transceiver, the communications parameter comprising identification data for uniquely identifying the first communications transceiver; digitally signing the hashed communication parameter using a private encryption key, and generating an image of a symbol on the display, the symbol comprising encrypted data, including (i) the communication parameter without hashing, Gi) the hashed communication parameter, and (iii) the digital signature of the hashed communication parameter, the first communication transceiver actively listening for a signal comprising (1) identification data uniquely identifying the first communication transceiver and (ii) a request to establish a communication link with the first communication transceiver and, in response to receiving the signal by the first communications transceiver, the first communications transceiver and a second communications transceiver establish the communications link, the communications link being through the communications protocol. The controller may further be configured to upload an attribute from the memory to the second communications transceiver via the communications protocol in response to establishing the communications link with the second communications transceiver. The controller may further be configured to upload a public key corresponding to the private key to the second communications transceiver via the communications protocol in response to establishing the communications link with the second communications transceiver. The first and second communications transceivers may each include a short range wireless communications transceiver, and the communications protocol may include a short range wireless communications protocol. The symbol may include at least one of (1) a two-dimensional barcode and (1) a three-dimensional barcode. The communication parameter may include the MAC address of the first communication transceiver. In accordance with another aspect of the invention, there is provided a system comprising a client computing device having a client computing device housing, a display positioned in the client computing device housing, a first communications transceiver positioned in the client computing device housing, the first communications transceiver operable for the maintaining electronic communication via a communication protocol, a first controller operably linked to the first communication transceiver and the display, the first controller configured to hash a Media Access Control (MAC) address that uniquely identifies the first communication transceiver; to digitally sign the hashed MAC address using a private encryption key and to generate an image on the display of a symbol showing the MAC address without hashing, the hashed MAC address and the digital signature of the hashed MAC address. The system further includes a symbol reader with a symbol reader housing; an imaging assembly positioned at least partially within the symbol reader housing, the imaging assembly having a field of view (FOV), the imaging assembly being configured to record image data associated with a symbol code; and a second communications transceiver positioned in the symbol reader housing, the second communications transceiver being operable to maintain electronic communications over the communications protocol; and a second controller communicatively coupled to the second communications transceiver, the second controller comprising a memory and a processor, wherein, in response to recording an image of the symbol by the imaging assembly, the second controller queries the memory for a public key that matches the private key. In response to the public key not being stored in memory, the second controller enables the second communications transceiver to establish electronic communications with the first communications transceiver. In response to establishing electronic communication with the first communications transceiver, the first controller enables the first communications transceiver to transfer the public key corresponding to the private key to the second transceiver. In response to the public key being stored in memory, the second controller validates whether the MAC address without hashing matches the hash of the MAC address, and whether the signature matches the public key stored in memory . In response to matching the MAC address without hashing with the hash of the MAC address and matching the signature with the public key stored in the memory, the second controller instructs the second communication transceiver to transfer, via the communication protocol, of a signal comprising Gi) the MAC address that uniquely identifies the first communications transceiver and (ii) a request to establish a communications link with the first communications transceiver. The first communications transceiver actively listens for the signal comprising (1) the MAC address that uniquely identifies the first communications transceiver and (ii) the request to establish the communications link with the first communications transceiver. In response to receiving the signal by the first communications transceiver, the first communications transceiver and the second communications transceiver establish the communications link, the communications link being through the communications protocol. In response to establishing the communication link, the second communication transceiver downloads an attribute from the client computing device to memory via the communication protocol. The system, wherein the symbol reader includes a first symbol reader, may further include a second symbol reader, the second symbol reader comprising a second symbol reader housing, a second imaging assembly positioned at least partially within the second symbol reader housing, the second imaging assembly having a field of view (Field of View; FOV), the second imaging assembly being configured to record image data associated with a symbol code, has a third communications transceiver positioned in the second symbol reader housing, the third communications transceiver being operable to maintain electronic communications over the communications protocol, and a third controller communicatively coupled to the second communications transceiver, the third controller including a second memory and a second processor. In response to the imaging assembly taking an image of the symbol, the third controller may query the second memory for a public key corresponding to the private key. In response to the public key not being stored in the second memory, the third controller may enable the third communications transceiver to establish electronic communications with the first communications transceiver. In response to establishing electronic communication with the first communications transceiver, the first controller may enable the first communications transceiver to transfer the public key corresponding to the private key to the third transceiver. In response to the public key being stored in the second memory, the third controller can validate whether the MAC address without hashing matches the hash of the MAC address, and whether the signature matches the public key stored in the second memory. In response to matching the MAC address without hashing with the hash of the MAC address and of the signature with the public key stored in the second memory, the third controller can instruct the third communication transceiver to transfer, through the communication protocol, of a signal that (1) the MAC address uniquely identifies the first communications transceiver and (ii) a request to establish a communications link with the first communications transceiver. The first communications transceiver may actively listen for the signal comprising (1) the MAC address uniquely identifying the first communications transceiver and (ii) the request to establish the communications link with the first communications transceiver. In response to receiving the signal by the first communications transceiver, the first communications transceiver and the third communications transceiver may establish the communications link, the communications link being through the communications protocol. In response to establishing the second communications link, the third communications transceiver may download an attribute from the client computing device to the second memory via the communications protocol. The first and second communications transceivers may each include a short range wireless communications transceiver, and wherein the communications protocol includes a short range wireless communications protocol. The symbol may include at least one of GC) a two-dimensional barcode, and (ii) a three-dimensional barcode. The memory may comprise a persistent memory, and the second controller may further be configured to download the public key from the client computing device to the persistent memory via the communication protocol in response to the public key not being stored in the persistent memory. . BRIEF DESCRIPTION OF THE SEVERAL VIEWS OF THE DRAWINGS The accompanying figures, where like reference numerals refer to identical or functionally similar elements in the individual views, together with the detailed description below, are included in and form a part of the specification, and serve to illustrate embodiments of concepts that embody the claimed invention further to illustrate and explain various principles and advantages of those embodiments. FIG. 1 illustrates a system for communication between components according to an embodiment of the present invention. FIG. 2 illustrates a perspective view of a barcode reader of FIG. 1 according to an embodiment of the present invention. FIG. 3 illustrates a block diagram diagram of some of the components of the barcode reader of FIG. 1 according to an embodiment of the present invention. FIG. 4 is a flowchart of an authentication method for updating functions on the barcode reader performed by the smartphone of FIG. 1 in accordance with some embodiments. FIG. 5 is a flowchart of an authentication method for updating functions on the barcode reader as performed by the barcode reader of FIG. 1 in accordance with some embodiments. Those skilled in the art will appreciate that elements in the figures are illustrated for simplicity and clarity and are not necessarily drawn to scale. For example, the dimensions of some elements in the figures may be exaggerated relative to other elements to facilitate understanding of embodiments of the present invention. The device and method components, where applicable, are represented by conventional symbols in the drawings, showing only those specific details that are relevant to understanding the embodiments of the present invention so as not to obscure the disclosure among details that will be apparent to the present invention. those of skill in the art with the benefit of the description herein. DETAILED DESCRIPTION OF THE INVENTION Referring to the drawings, FIG. 1 various aspects of an example architecture implementing a system 100 for uploading functions to a barcode reader, including, but not limited to, software applications, software functions, configuration settings, firmware updates, etc. More specific examples of the functions include, but are not limited to software for decoding different symbologies (e.g., identification of unique devices), software for optical character recognition, software for parsing information about a driver's license, and software for reading a plurality of barcodes on a single surface. The high-level architecture includes both hardware and software applications, as well as different data communication channels for communicating data between the different hardware and software components. The system 100 for uploading functions to a barcode reader may include various software and hardware components or modules. The system 100 for uploading functions to a barcode reader includes front-end components, including one or more barcode readers 102, 103 and a client computing device 104. The client computing device 104 can be a computer, a smartphone, a tablet computer, a smart watch. , include a head display, a portable computer, or other suitable client computing device. The client computing device 104 includes several components that are operatively coupled together, including a controller, which includes a microcontroller or a processor 106, a program memory 108, a display 110, and an imaging assembly 112, such as a camera, with an image sensor, which are all connected via an address / data bus (not shown). The processor 106 of the client computing device 104 executes the instructions stored in the memory 108 to: 1) generate images on the display 110 and 2) record images via the imaging assembly 112. It will be appreciated that although FIG. 1 shows only one processor 106, the controller may include a plurality of processors 106. Likewise, the controller memory 108 may include a plurality of RAM memories and a plurality of program memories that store one or more corresponding server application modules, according to the particular configuration of the controller. The memory 108 may be implemented in any known form of computer storage media, including but not limited to, for example, semiconductor memories, magnetically readable memories and / or optically readable memories, but does not include volatile media such as carrier waves. It will be understood from Figs. 1 and the accompanying description that a single client computing device 104 can be used to upload functions to a plurality of barcode readers. As such, it will be appreciated that the client computing device 104, although only two barcode readers 102, 103 are shown, can be used to upload functions to any number of barcode readers. It will further be appreciated that, although only one client computing device is shown, a plurality of client computing devices can be used in the system 100 and can communicate with the back-end components, with each client computing device assigned to particular barcode readers or each client computing device is capable of uploading functions to any of the plurality of barcode readers. The client computing device 104 also includes various communication components, including a hardwire communication port 114, such as a Universal Serial Bus (USB), and / or a short range wireless transceiver 116, such as a Bluetooth® transceiver, for communication with other front-end components. such as the barcode readers 102, 103. Furthermore, the client computing device 104 includes a cellular network transceiver 118 and / or a local area network transceiver 120, such as a WiFi transceiver based on IEEE (Institute of Electrical and Electronics Engineers) 802.11- standards, for communicating with back-end components 122 over a public computer network 124. In one embodiment, the processor 106 of the client computing device 104 executes instructions to manage and receive data from the back-end components 122 over the computer network 124 , such as for uploading data for the function itself to the barcode reader 102. The computer network 124 may be a network such as the Internet or some other suitable network (e.g., a Local Area Network (LAN), a Metropolitan Area Network (MAN), a Wide Area Network (WAN), a cellular, wired or wireless network. , etc.). The computer network 124 may also consist of one or more cellular networks such as Code Division Multiple Access (CDMA) network, GSM (Global System for Mobile Communications) network, WiMAX (Worldwide Interoperability for Microwave Access) network, Long Term Evolution (LTE) network, etc. The processor 106 of the client computing device 104 may also run one or more applications to perform the tasks discussed above. The back-end components 122 may include a data server 128 and an account database 131. The back-end components 122 can communicate with each other through a communication network 138 such as a local area network or other type of suitable network (e.g., the Internet, a Metropolitan Area Network (MAN), a Wide Area Network (WAN), a cellular, a wired or wireless network, private network, virtual private network, etc.). The system for uploading functions to a barcode reader 102, 103 in general, and data server 128 in particular, includes computer executable instructions 130. In one embodiment, a processor of data server 128 executes instructions 130 to access an access tool. 132, a fetch tool 134 and an analysis tool 136. The access tool 132 receives data from the client computing device 104 and stores the data in one or more databases, such as the account database 131. The fetch tool 134 retrieves data from the account database 131 or uses an account identification code to access client account information from the account database 131 regarding licenses for barcode readers owned or rented by the customer, and licensed functions for each of the barcode readers. The account database 131 may be a data storage device such as random access memory (RAM), hard disk drive (HDD), flash memory, flash memory such as a solid state drive (SSD), etc. The analysis tool 136 may perform one or more analyzes of the customer account data and / or or requests from the client computing device 104 before providing activation data to activate a function on the barcode reader 102. FIG. 2 illustrates an example of a barcode reader 102 having a housing 202 having a handle portion 204, also called a handle 204, and a head portion 206, also called a scan head 206. The head portion 206 includes a window 208, and is configured to be positioned on the top of the handle portion 204. The handle portion 204 is configured to be gripped by a user of the reader (not shown) and includes a trigger 210 for activation by the user. In the embodiment also includes a base 212 attached to the handle portion 204 opposite the head portion 206. The base 212 is configured to stand on a surface and support the housing 202 in a generally upright position. The barcode reader 102 can be used in a hands-free mode as a stationary workstation when placed on the worktop. The barcode reader 102 can also be used in a handheld mode when picked up from the worktop and held in the hand of an operator. In hands-free mode, products can be pushed past, swiped or presented on the window. In the handheld mode, the barcode reader 102 can be moved to a barcode on a product and the trigger 210 can be manually depressed to initiate imaging of the barcode. In some implementations, the base 212 may be omitted and the housing 202 may be in other handheld forms. Other implementations may provide only handheld or only hands-free configurations. FIG. 3 illustrates a block diagram diagram of a portion of a barcode reader 102 in accordance with some embodiments. It will be understood that FIG. 3 is not drawn to scale. Referring to Fig. 3; an image forming assembly includes a light detection sensor or image sensor 211 operably coupled to or mounted on a printed circuit board (PCB) 216 in reader 102. In one embodiment, image sensor 211 is a solid state device, for example, a CCD or a CMOS device. imager, having a one-dimensional array of addressable image sensors or pixels arranged in a single row, or a two-dimensional array of addressable image sensors or pixels arranged in mutually orthogonal rows and columns, and operable to detect return light captured by an imaging lens assembly 215 over a field of view (Field of View; FOV) along an imaging axis 217 through the window 208. The return light is scattered and / or reflected by a symbol, here the target 213, across the field of view (FOV). The imaging lens assembly 215 is operable to focus the return light on the array of image sensors to allow the target 213 to be read. The target 213 can be anywhere in a working range of distances between a close working distance ("Working Distance", WD1) and a far working distance (WD2). In a preferred embodiment, WD1 is approximately one-half inch from the window 208 and WD2 is approximately thirty inches from the window 208. An illumination light assembly is also mounted in the imaging reader 102. The illumination light assembly includes an illumination light source, such as at least one light emitting diode (LED) 219 and at least one illumination lens 221, and preferably a plurality of illumination LEDs and illumination lenses, configured to provide an generate a substantially uniformly distributed illumination pattern of illumination light on and along the target 213 to be read by image recording. At least a portion of the scattered and / or reflected return light is derived from the illumination pattern of light on and along the target 213. A directional light assembly is also mounted in the imaging reader 102 and preferably includes a directional light source 223 (e.g., one or more directional light sources). LEDs) and a target lens 225 for generating and directing a visible target light beam away from the reader 102 onto the symbol, such as the target 213. The target light beam has a cross-section with a pattern, for example a generally circular spot or reticle for placement in the center of the symbol 213, or a line for placement over the symbol 213, or a series of box lines to delimit the field of view (FOV), to assist an operator in visually locating the symbol 213 in the field of view (FOV) before recording the image. The client computing device 104 also includes various communication components, including a short range wireless transceiver 230, such as a Bluetooth® transceiver, and / or a hardwire communications port 231, such as a Universal Serial Bus (USB), for communicating with the client computing device 104. As also shown in Figs. 3, the image sensor 211, illumination LED 219, aiming LED 223, short range transceiver 230 and communication port 231 are operably connected to a controller or programmed microprocessor 227 operable to control the operation of these components. A memory 229 is connected to and accessible to the controller 227. Preferably, the microprocessor 227 is the same as the one used to process the recorded return light from the illuminated target 213 to obtain data related to the target 213. Preferably, the microprocessor 227 is the same as the one used to communicate with the client computing device 104, including processing recorded return or emitted light from an illuminated target. 213 is displayed on the display of the client computing device to obtain data related to the target 213, as well as communicating with one or more corresponding transceivers of the client computing device 104 through the short range transceiver 230 and / or the communication port 231. The disclosure of the barcode reader 102 in Figs. 2 and 3 are equally applicable to the barcode reader 103 of Figs. 1, and on any other barcode reader within the System 100. FIG. 4 is a flowchart of the control of the client computing device 104 for authentication prior to establishing a communication link with the barcode reader 102, 103 and uploading functions to the barcode reader 102, 103 in the embodiments described herein. The following description refers only to the barcode reader 102, although it will be understood that such disclosure applies equally well to the barcode reader 103 or any other barcode reader in the system 100. In general, the client computer device 104 generates a link barcode that is read. by the barcode reader 102 to verify that the client computing device 104 is an authorized device to download functions such as applications, updates, etc. Once the link barcode has been validated and the client computing device 104 has been validated as an authorized device, the barcode reader 102 and the client computing device 104 establish a communication link via a communication protocol suitable for downloading the function from the client computing device 104, such as communication protocols associated with the short range transceivers 116, 230 or the communication ports 114, 231 (and corresponding transceivers). Now looking at the flowchart of Fig. 4; When a function is to be uploaded to the barcode reader 102, a client computing device 104 authorized to upload functions to the barcode reader 102 generates a link barcode, an image of which is generated on the display 110 for scanning by the barcode reader 102. Starting at block 302, when an application or other function is ready to be uploaded to the barcode reader 102, the client computing device 104 uses a hash function to create a hash value of a communication parameter unique to the transceiver that will be used to function. For example, if the function is to be uploaded using short range communication such as Bluetooth®, the client computing device 104 uses the hash function to create a hash value based on the Media Access Control (MAC) address that uniquely identifies the Nearfield transceiver 116.When the barcode is generated on the display 110, the barcode will encode the hash value and the unencrypted communication parameter (e.g., plaintext MAC address) that is unique to the transceiver of the client computing device 104 displaying the barcode. Thus, a barcode reader 102 will be able to read the unencrypted communication parameter from the barcode and determine whether or not it has been tampered with by comparing its hash value with the hash value encoded in the barcode. Even if a small part of the communication parameter is different from the one used to create the hash value, the communication parameter is considered invalid. For example, the barcode reader 102 can only accept uploads from authorized client computing devices, each of which is identified by their MAC address. As an unauthorized client computing device, a MAC address of an authorized client computer computer device, the hash value of the MAC address of an authorized client computing device (known by the barcode reader 102) does not match the hash value of the spoofed MAC address. As another example, the barcode reader 102 compares the plaintext MAC address encoded in the barcode with the hash value encoded in the barcode to verify that the MAC address has not been tampered with. In addition to creating the hash value of the communication parameter unique to the transceiver of the client computing device, the client computing device uses a signature algorithm to digitally sign the hash value at block 304. In particular, an authorized client uses computing device asymmetric encryption using private-public key pairs, wherein an authorized client computing device distributes the public key to the barcode readers and maintains the associated private key. Thus, a barcode reader is able to accept or reject the authenticity of the barcode displayed on client computing device using the associated public key. In one embodiment, the private key is used to digitally sign not only the hash value, but also the unencrypted communication parameter (e.g. plaintext MAC address). At block 306, the client computing device encodes the digitally signed hash value and the unencrypted communication parameter (digitally signed or unsigned) into a barcode symbol. In one embodiment, the barcode symbol is a two-dimensional or three-dimensional barcode symbol, whereby more information can be encoded than a one-dimensional barcode allows. Since a digital signature tends to be quite large, it is preferred that a two- or three-dimensional barcode symbol is used. A graphical representation or image of the barcode symbol is then generated by the client computing device on the display 110 at block 308 for scanning by the barcode reader 102. In one embodiment, the image of the barcode symbol can be generated only upon a prompt by a user of the client computing device when the client computing device is ready to upload the function to the barcode reader 102. Thereafter, the client computing device and, more specifically, the short range communication transceiver for uploading the function (e.g., the communication port transceiver 114 or the short range transceiver 116) actively listens for a signal from a barcode reader that contains the barcode symbol. generated on the display 110 of the client computing device 104 at block 310. In one embodiment, the signal includes the communication parameter (e.g., MAC address) of the client computing device from the barcode symbol along with a request to establish a communication link between the client computing transceiver and a corresponding barcode reader transceiver 102. In response to receiving the signal, the short range communications transceiver from the client computing device and the short range communications transceiver from the barcode reader establish a communication link. ng (for example, a two-way communication link) using the short range communication protocol of the transceivers (for example, Bluetooth®). Once the signal is received by the client computing device, the client computing device establishes the communication link with the barcode reader at block 312 and uploads at block 314 the function to the barcode reader. In some cases, the barcode reader is not yet provided with a public key, for example, when the barcode reader is first activated in the system 100. In such cases, as will be described below, the client computing device may request block 316 for a public key received from the barcode reader. Provided that a private key has already been generated residing on the client computing device (along with associated public keys), the client computing device transfers the public key to the barcode reader at block 318, which will be used to retrieve the private key signature. verify barcodes associated with any subsequent downloads of functions from a client computing device. FIG. 5 is a flowchart of the barcode reader 102 control for downloading functions to the barcode reader 102 in the embodiments described herein. Referring now to the flowchart of Fig. 5; when the client computing device 104 generates an image of the symbol encoding the authentication data, including the communication parameter, the hash value of the communication parameter and the signature of the private key on the display 110, the image sensor 211 of the barcode reader 102 takes an image from the symbol to block 402. The target 213 for the barcode reader 102 in this case is the symbol displayed on the client computing device 104. The aiming LED 223 is activated so that the barcode reader 102 can be aimed at the target 213 , and the illumination LED 219 is activated to illuminate the target 213. The image sensor 211 then records an image of the target 213. At block 404, the controller 227 uses a decoding algorithm stored in the memory 229 corresponding to the symbology type of the symbol displayed on the client computing device 104 to decode the image of the symbol as captured by the image sensor 211. In particular, the image of the symbol is decrypted to decrypt the authentication data encrypted within the symbol. As mentioned above, the authentication data, once decrypted, includes the communication parameter that uniquely identifies the transceiver of the client computing device for downloading the function (e.g., the MAC address of the Bluetooth® transceiver), the hash value of the hash of the communication parameter, and the signature made with the private key. Initially, the controller 227 checks its memory 229 to see if the barcode reader 102 is provided with a public key with which to verify the authenticity of the signature at block 406. If the public key is stored in the memory 229, the controller 227 continues to authenticate the authentication data encrypted in the symbol at block 408. On the other hand, if the public key is not in the memory 229, the controller 227 bypassing the authentication process and establishing a communication link with the client computing device 104 at block 414, at which point it can generate an indication and transmit it to the client computing device 104 through the short range transceiver 116 or communications port 114 using the non encrypted communication parameter as provided in the symbol. Such a case may occur when the barcode reader 102 is first operated by a customer for introduction to the system 100. The indication is provided as a prompt for the client communications device 104 to generate the public / private key pair and / or transfer the public key corresponding to its private key to the barcode reader 102. In one embodiment, the client communication device 104 has a key generation algorithm stored in its memory 108 and executed by its processor 106 to generate a random private key and generate a corresponding public key. After the barcode reader 102 is provided with the public key, the barcode reader 102 stores the public key in persistent memory (this can be memory 229, a partition of memory 229, or separate memory) to allow future downloads from a client computing device. are authenticated using the public key, even after resetting the barcode reader 102 to factory settings. Referring back to block 408; controller 227 verifies that the communication parameter unique to the transceiver of client computing device 104 as encoded in the symbol matches the hash value encoded in the symbol. For example, the barcode reader 102 maps the unencrypted communication parameter to its hash value and determines whether the mapped hash value is the same as that in the encrypted symbol. As mentioned above, a communication parameter, such as a MAC address, that is compromised results in a different hash value from that in the symbol. Thus, the barcode reader 102 verifies that the client computing device is a client computing device authorized to download a function from, and that the function is authorized to be downloaded to the barcode reader 102. At block 410, the controller 227 verifies that the digital signature of the authentication data has been made with a private key corresponding to the public key stored in the memory 229. For example, the controller 227 may execute a signature verification algorithm that, given the authentication data, public key, and signature, either accepts or denies the authenticity of the authentication data. If one of the authentication steps fails at blocks 408, 410, the controller 227 may fail block 412, which may correspond to a visual or audible signal that the symbol has not been verified. The error in block 412 causes the controller 102 to prevent the short range transceiver 230 and / or the communication port 231 from establishing a communication link with the corresponding transceiver of the client computing device 104. On the other hand, if the authentication process in blocks 408, 410 is successful, the controller 227 turns on the transceiver corresponding to the transceiver of the unencrypted communication parameter encoded in the symbol, and the barcode reader 102 downloads the function of the client computing device 104 via the short range transceiver. 230 or via the communication port 231 if connected via hardwire communication (eg USB cable). After the function has been downloaded to the barcode reader 102, the controller 227 installs and activates the function in memory 229. Thereafter, the barcode reader 102 can use the function. In the foregoing description, specific embodiments have been described. However, those skilled in the art will recognize that various modifications and changes can be made without departing from the scope of the invention as set out in the claims below. Therefore, the description and figures are to be understood by way of illustration rather than limitation, and all such modifications are intended to be included within the scope of the invention of the present description. The benefits, solutions to problems, and any element (s) that could cause any benefit or solution to occur or become more apparent should not be construed as critical, mandatory or essential functions or elements of any or all of the conclusions. The invention is defined solely by the appended claims, including any modifications made during the course of this application and all equivalents to those claims as published. For clarity and brief description, functions are described herein as part of the same or separate embodiments, but it is to be understood that the scope of the invention may include embodiments having combinations of all or some of the functions described. It will be understood that the embodiments shown have the same or similar components, except where they are described as being different. In addition, relational terms such as first and second, top and bottom, and the like, may be used herein only to distinguish an entity or action from another entity or action without necessarily requiring or requiring an actual relationship or sequence between such entities or actions. imply. The terms “comprise”, “comprising”, “has”, “having”, “contains”, “containing” or any variation thereof are intended to cover a non-exclusive inclusion, so that a process, method, article, or assembly that a list includes, has, contains not only those elements but may also contain other elements not explicitly mentioned or inherent in such a process, method, item, or assembly. An element preceded by “includes. a ”,“ has… a ”,“ contains… a ”does not exclude, without further restrictions, the existence of additional identical elements in the process, method, item or arrangement that the element comprises, has or contains. The term “one” is defined as one or more unless explicitly stated otherwise. The terms "substantially", "essential", "near", "approximately" or any other version thereof are defined as close to what is understood by those of skill in the art, and in a non-limiting embodiment, the term is defined as being within 10% , in another embodiment within 5%, in another embodiment within 1%, and in another embodiment within 0.5%. The term "linked" is defined herein as linked, but not necessarily directly and not necessarily mechanically. A device or structure that has been “configured” in some way is configured in at least that way, but can also be configured in ways not described. It will be appreciated that some embodiments may be contained in one or more generic or specialized processors (or "processing devices") such as microprocessors, digital signal processors, custom processors and field programmable port arrays (FPGAs) and unique stored program instructions (including both software and firmware) which direct the one or more processors to implement, in conjunction with certain non-processor circuitry, some, most, or all of the functions of the method and / or arrangement described herein. Alternatively, some or all of the functions can be implemented by a state machine that does not contain any stored program instructions, or in one or more application specific integrated circuits (ASICs), in which any function or some combinations of certain functions are implemented as custom logic. Of course, a combination of the two approaches could be used. In addition, one embodiment can be implemented as a computer-readable storage medium with computer-readable code stored thereon for programming a computer (e.g., comprising a processor) to perform a method as described herein and for which rights are pending. Examples of such computer readable storage media include, but are not limited to, a hard disk, a CD-ROM, an optical storage device, a magnetic storage device, a ROM (read-only memory), a PROM (programmable read-only memory), an EPROM (erasable programmable read-only memory), an EEPROM (electrically erasable programmable read-only memory), and a flash memory. Furthermore, it is expected that, notwithstanding potentially significant efforts and many design choices motivated by, for example, available time, current technology and economic considerations, when guided by the concepts and principles described herein, those skilled in the art will be readily able to use such software instructions and software. generate programs and ICs with minimal experimentation. The summary of the disclosure is provided to give the reader a quick impression of the nature of the technical description. It is submitted with the understanding that it will not be used to interpret or limit the scope or meaning of the claims. In addition, in the foregoing "detailed description", it can be seen that different functions are grouped together in different embodiments to streamline the description. This manner of description cannot be interpreted as reflecting an intention that the claimed embodiments require more functions than those expressly stated in each claim. Rather, as the following claims reflect, there is inventive matter in less than all of the functions of a single described embodiment. Thus, the following claims are included in the "detailed description", with each claim standing alone as subject matter individually for which rights are sought. The mere fact that certain measures are defined in mutually different claims does not indicate that a combination of these measures cannot be used to an advantage. A multitude of variants will be apparent to those skilled in the art. All variants are understood to fall within the scope of the invention described in the following claims.
权利要求:
Claims (18) [1] An image scanning device comprising: a housing with a window; an imaging assembly positioned in the housing, the imaging assembly comprising an image sensor and a field of view (FOV) extending through the window, the image sensor being arranged to receive at least one of: light reflected from a symbol and light emitted from the symbol; a first communication transceiver positioned in the housing, the first communication transceiver operable to maintain electronic communication via a communication protocol a controller operably linked to the imaging assembly, the controller comprising a processor and a memory, the controller being arranged for: decoding of a symbol included in an image captured by the image sensor, the symbol comprising encrypted data comprising (1) an unencrypted first communication parameter related to a second communication transceiver on a client computing device and (ii) a hash of a second communication parameter, where ( 1) the hash of the second communication parameter is signed with a private encryption key, (11) the symbol is displayed on a display of the client computing device, and (iii) the second communication parameter including identification data that an authorized communication sender has uniquely identifying catcher, validating whether the first communication parameter matches the hash of the second communication parameter, and whether the signature matches a public key stored in memory, enabling the first communication transceiver to establish electronic communication with the second communication transceiver via the communication protocol in response to matching the first communication parameter to the hash of the second communication parameter and matching the signature to the public key stored in the memory, and downloading an attribute from the client computing device to the memory via the communication protocol in response to enabling the first communication transceiver. [2] The image scanning device of claim 1, wherein in response to matching the first communication parameter to the hash of the second communication parameter and matching the signature to the public key stored in the memory, the controller instructs the first communication transceiver to transmit, via the communication protocol, of a signal comprising (1) identification data uniquely identifying the first transceiver and (ii) a request to establish a communication link with the second communication transceiver; [3] The image scanning apparatus of claim 1 or 2, wherein the first and second communication transceivers each comprise a short range wireless communication transceiver, and wherein the communication protocol comprises a short range wireless communication protocol. [4] The image scanning device of claim 1, 2 or 3, wherein the symbol comprises at least one of: (1) a two-dimensional barcode, and (ii) a three-dimensional barcode. [5] The image scanning device of any preceding claim, wherein the controller is further configured to: query the memory for the public key; enabling the first communication transceiver to establish electronic communication with the second communication transceiver via the communication protocol in response to the public key not being stored in memory; and validating whether the first communication parameter matches the hash of the second communication parameter, and whether the signature matches a public key stored in the memory in response to the public key being stored in the memory. [6] The image scanning device of claim 5, wherein the memory comprises a persistent memory, and wherein the controller is further arranged to download the public key from the client computing device to the persistent memory via the communication protocol in response to the non-persistent memory. stored of the public key. [7] The image scanning device of any one of the preceding claims, wherein the first communication parameter includes a Media Access Control (MAC) address that uniquely identifies the second communication transceiver, and the second communication parameter includes a MAC address that uniquely identifies an authorized communication transceiver. [8] A client computing device comprising: a housing; a display positioned in the housing; a first communications transceiver positioned in the housing, the first communications transceiver operable to maintain electronic communications over a communications protocol; a controller operably linked to the first communications transceiver, the controller comprising a processor and a memory, the controller configured to: hash a communications parameter related to the first communications transceiver, the communications parameter comprising identification data for uniquely identifying the first communications transceiver; digitally signing the hashed communication parameter using a private encryption key, and generating an image of a symbol on the display, the symbol comprising encrypted data, including () the communication parameter without hashing, (11) the hashed communication parameter, and (iii) the digital signature of the hashed communication parameter; wherein: the first communications transceiver is actively listening for a signal comprising (1) identification data that uniquely identifies the first communications transceiver and (ii) a request to establish a communications link with the first communications transceiver; and in response to receiving the signal by the first communications transceiver, the first communications transceiver and a second communications transceiver establish the communications link, the communications link being through the communications protocol. [9] The client computing device of claim 8, wherein the controller is further configured to upload an attribute from the memory to the second communications transceiver via the communications protocol in response to establishing the communications link with the second communications transceiver. [10] The client computing device of claim 8 or 9, wherein the controller is further configured to upload a public key corresponding to the private key to the second communications transceiver via the communications protocol in response to establishing the communications link with the second communication transceiver. [11] The client computing device of claim 8, 9 or 10, wherein the first and second communication transceivers each comprise a short range wireless communication transceiver, and wherein the communication protocol comprises a short range wireless communication protocol. [12] The client computing device of any of claims 8-11, wherein the symbol comprises at least one of: (1) a two-dimensional barcode and (ii) a three-dimensional barcode. [13] The client computing device of any of claims 8-12, wherein the communication parameter includes the MAC address of the first communication transceiver. [14] A system comprising: a client computing device having: a client computing device housing; a display positioned in the client computing device housing; a first communications transceiver positioned in the client computing device housing, the first communications transceiver operable to maintain electronic communications over a communications protocol; a first controller operably linked to the first communications transceiver and the display, the first controller configured to hash a Media Access Control (MAC) address that uniquely identifies the first communications transceiver; to digitally sign the hashed MAC address using a private encryption key and to generate an image on the display of a symbol showing the MAC address without hashing, the hashed MAC address and the digital signature of the hashed MAC encode address; and a symbol reader having: a symbol reader housing; an imaging assembly positioned at least partially within the symbol reader housing 1s, the imaging assembly having a field of view (FOV), the imaging assembly being configured to record image data associated with a symbol code; a second communications transceiver positioned in the symbol reader housing, the second communications transceiver being operable to maintain electronic communications over the communications protocol; and a second controller communicatively coupled to the second communications transceiver, the second controller comprising a memory and a processor, wherein, in response to the imaging assembly taking an image of the symbol: the second controller queries the memory for a public key that matches the private key; in response to the public key not being stored in memory, the second controller enables the second communications transceiver to establish electronic communications with the first communications transceiver; in response to establishing electronic communication with the first communications transceiver, the first controller enables the first communications transceiver to transfer the public key corresponding to the private key to the second transceiver; in response to the public key being stored in memory, the second controller validates whether the MAC address without hashing matches the hash of the MAC address, and whether the signature matches the public key in memory stored, in response to matching the MAC address without hashing with the hash of the MAC address and matching the signature with the public key stored in the memory, the second controller instructs the second communications transceiver to transmit, via the communication protocol, of a signal comprising (1) the MAC address that uniquely identifies the first communication transceiver and (ii) a request to establish a communication link with the first communication transceiver; the first communications transceiver actively listens for the signal comprising (1) the MAC address uniquely identifying the first communications transceiver and (ii) the request to establish the communications link with the first communications transceiver; and in response to receiving the signal by the first communications transceiver, the first communications transceiver and the second communications transceiver establish the communications link, the communications link being through the communications protocol; and in response to the communication connection being established, the second communication transceiver downloads an attribute from the client computing device to the memory via the communication protocol. [15] The system of claim 14, wherein the symbol reader comprises a first symbol reader, the system further comprising a second symbol reader, the second symbol reader comprising: a second symbol reader housing; a second imaging assembly positioned at least partially in the second symbol reader housing, the second imaging assembly having a field of view (FOV), the second imaging assembly being configured to record image data associated with a symbol code; a third communications transceiver positioned in the second symbol reader housing, the third communications transceiver being operable to maintain electronic communications over the communications protocol; and a third controller communicatively coupled to the second communications transceiver, the third controller comprising a second memory and a second processor, wherein, in response to recording an image of the symbol by the imaging assembly: the third controller queries the second memory for a public key corresponding to the private key; in response to the public key not being stored in the second memory, the third controller enables the third communications transceiver to establish electronic communications with the first communications transceiver; in response to establishing electronic communication with the first communications transceiver, the first controller enables the first communications transceiver to transfer the public key corresponding to the private key to the third transceiver; in response to the public key being stored in the second memory, the third controller validates whether the MAC address without hashing matches the hash of the MAC address, and whether the signature matches the public key contained in the second memory is stored, in response to matching the MAC address without hashing with the hash of the MAC address and the signature with the public key stored in the second memory, the third controller instructs the third communication transceiver to transmit, via the communication protocol, a signal that G) the MAC address uniquely identifies the first communications transceiver and (ii) a request to establish a communications link with the first communications transceiver; the first communications transceiver actively listens for the signal comprising (1) the MAC address uniquely identifying the first communications transceiver and (ii) the request to establish the communications link with the first communications transceiver; and in response to receiving the signal by the first communications transceiver, the first communications transceiver and the third communications transceiver establish the communications link, the communications link being through the communications protocol; and in response to establishing the second communication link, the third communication transceiver downloads an attribute from the client computing device to the second memory via the communication protocol. [16] The system of claim 15, wherein the first and second communications transceivers each comprise a short range wireless communications transceiver, and wherein the communications protocol comprises a short range wireless communications protocol. [17] The system of claim 15 or 16 wherein the symbol comprises at least one of: (1) a two-dimensional barcode, and (u) a three-dimensional barcode. [18] The system of claim 15, 16 or 17, wherein the memory comprises a persistent memory, and wherein the second controller is further configured to download the client's public key. computing device to the persistent memory via the communication protocol in response to the public key not being stored in persistent memory.
类似技术:
公开号 | 公开日 | 专利标题 US10121039B2|2018-11-06|Depth sensor based auto-focus system for an indicia scanner JP4891173B2|2012-03-07|Method and system for authenticating an article US20170140144A1|2017-05-18|System and method for authenticating a mobile device US8826399B2|2014-09-02|Systems and methods for fast authentication with a mobile device CA2988318A1|2016-12-08|Open registry for identity of things US20080231418A1|2008-09-25|Integrated Physical Unclonable Function | with Combined Sensor and Display US9582700B2|2017-02-28|Point-of-sale scanner BE1026524B1|2020-11-20|DEVICE AND METHOD FOR UPDATING BARCODE READERS US9519445B2|2016-12-13|Print data retrieval system using graphical codes CN109191142B|2020-10-16|Commodity tracing method, equipment and system KR20170001849A|2017-01-05|Implement for a genuine certification, a genuine certification system BE1026830B1|2021-02-22|AUTHENTICATION FOR CONNECTING A BARCODE READER TO A CLIENT COMPUTER DEVICE EP3171312A1|2017-05-24|Methods, a system and an analyze server for verifying an authenticity of an identity document and extracting textual information therefrom US10846689B2|2020-11-24|Reducing cybersecurity risks when purchasing products over a network EP3171296B1|2020-03-04|A method and a scanner for verifying an authenticity of an identity document KR20180137667A|2018-12-28|Mobile quality certificate management system using identification code attached to product And method JP6161182B2|2017-07-12|Method and system for authenticating a user to operate an electronic device FR3040099A1|2017-02-17|VALIDATION OF A DECODE BAR CODE AS A BAR CODE REQUIRED BE1027668B1|2022-01-10|SYSTEMS AND METHODS FOR USER CHOICE OF BARCODE SCANNING RANGE KR102166621B1|2020-10-16|Art certification method and art certification system US20220044257A1|2022-02-10|Electronic device having unique ticket and information processing method using the unique ticket
同族专利:
公开号 | 公开日 BE1026830A1|2020-06-30| AU2019406116A1|2021-05-27| US20200195424A1|2020-06-18| KR20210091267A|2021-07-21| DE112019006235T5|2021-09-09| US10938558B2|2021-03-02| WO2020131207A1|2020-06-25| GB202108246D0|2021-07-21| GB2594391A|2021-10-27| CA3128008A1|2020-06-25| AU2019406116B2|2021-06-17| CN113228031A|2021-08-06|
引用文献:
公开号 | 申请日 | 公开日 | 申请人 | 专利标题 US20110081860A1|2009-10-02|2011-04-07|Research In Motion Limited|Methods and devices for facilitating bluetooth pairing using a camera as a barcode scanner| US20140270158A1|2013-03-14|2014-09-18|General Motors Llc|Connection key distribution| US20180091303A1|2016-09-26|2018-03-29|Snap Inc.|Systems and methods for device pairing with optical codes| US6582138B1|2000-08-21|2003-06-24|Xerox Corporation|Authenticated sheet material| JP4655345B2|2000-08-31|2011-03-23|ソニー株式会社|Information processing apparatus, information processing method, and program providing medium| US7841533B2|2003-11-13|2010-11-30|Metrologic Instruments, Inc.|Method of capturing and processing digital images of an object within the field of view of a hand-supportable digitial image capture and processing system| WO2003041338A1|2001-11-06|2003-05-15|International Business Machines Corporation|Method and system for the supply of data, transactions and electronic voting| US7941855B2|2003-04-14|2011-05-10|New Mexico Technical Research Foundation|Computationally intelligent agents for distributed intrusion detection system and method of practicing same| JP4150043B2|2003-12-12|2008-09-17|富士通株式会社|Data transmission device| AU2010251755B2|2009-05-18|2014-09-11|Mikoh Corporation|Biometric identification method| EP2388730A1|2010-05-17|2011-11-23|Nagravision S.A.|Method for generating software code| US8782435B1|2010-07-15|2014-07-15|The Research Foundation For The State University Of New York|System and method for validating program execution at run-time using control flow signatures| US8998076B2|2011-06-03|2015-04-07|Arthur Chang|Establishing connections among electronic devices| US8989376B2|2012-03-29|2015-03-24|Alcatel Lucent|Method and apparatus for authenticating video content| US9223554B1|2012-04-12|2015-12-29|SourceDNA, Inc.|Recovering source code structure from program binaries| CN109190427A|2012-08-31|2019-01-11|手持产品公司|The method that wireless scanner is matched by RFID| CA2926459A1|2013-10-07|2015-04-16|Google Inc.|Smart home device facilitating user-friendly setup experience| US9756074B2|2013-12-26|2017-09-05|Fireeye, Inc.|System and method for IPS and VM-based detection of suspicious objects| US10284619B2|2014-01-22|2019-05-07|Telefonaktiebolaget Lm Ericsson |Method for scalable distributed network traffic analytics in telco| US9226147B2|2014-06-02|2015-12-29|Blackberry Limited|System and method of securing instant messaging sessions| CN107111677A|2014-12-19|2017-08-29|皇家飞利浦有限公司|Connect the wearable thing of caregiver| US9606854B2|2015-08-13|2017-03-28|At&T Intellectual Property I, L.P.|Insider attack resistant system and method for cloud services integrity checking| US9832024B2|2015-11-13|2017-11-28|Visa International Service Association|Methods and systems for PKI-based authentication| JP6746427B2|2016-08-10|2020-08-26|キヤノン株式会社|Communication device, communication method, and program| WO2018213496A1|2017-05-16|2018-11-22|Qualcomm Incorporated|Regulatory domain security techniques for wireless devices| EP3502994A1|2017-12-22|2019-06-26|Mastercard International Incorporated|Method and system for trusted notifications| WO2020028502A1|2018-08-01|2020-02-06|The Chamberlain Group, Inc.|Movable barrier operator and transmitter pairing over a network|
法律状态:
2021-04-23| FG| Patent granted|Effective date: 20210222 |
优先权:
[返回顶部]
申请号 | 申请日 | 专利标题 US16/221,753|US10938558B2|2018-12-17|2018-12-17|Authentication for connecting a barcode reader to a client computing device| 相关专利
Sulfonates, polymers, resist compositions and patterning process
Washing machine
Washing machine
Device for fixture finishing and tension adjusting of membrane
Structure for Equipping Band in a Plane Cathode Ray Tube
Process for preparation of 7 alpha-carboxyl 9, 11-epoxy steroids and intermediates useful therein an
国家/地区
|