Connector and socket

EP4771517A1Pending Publication Date: 2026-07-08HARTING INT INNOVATION AG

Patent Information

Authority / Receiving Office
EP · EP
Patent Type
Applications
Current Assignee / Owner
HARTING INT INNOVATION AG
Filing Date
2023-08-28
Publication Date
2026-07-08

AI Technical Summary

Technical Problem

Existing IT/OT systems face challenges in securing the physical layer of network connections, particularly in preventing unauthorized access and data interception, which can lead to security risks and downtime in critical infrastructure sectors like transportation and logistics.

Method used

A connector and socket system that implements galvanic separation and authentication mechanisms to physically separate network connections until successful authentication is provided, thereby preventing unauthorized access and ensuring secure data exchange.

Benefits of technology

The solution effectively secures the physical layer of network connections, preventing unauthorized access and data interception, which enhances the security and reliability of IT/OT systems, particularly in critical infrastructure sectors.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure EP2023073570_06032025_PF_FP_ABST
    Figure EP2023073570_06032025_PF_FP_ABST
Patent Text Reader

Abstract

Connector and socket providing data exchange can be an entry port for hackers. To further improve the security in design, construction, installation and / or use of connectors, sockets and systems, a connector (15) is proposed which is constructed and configured to be connected with a socket (17) for data exchange with a network (13) via at least one physical layer (33). Therein, the physical layer (33) comprises at least one connection device constructed and configured for providing a physical link to a counterpart connection device in the socket (17) upon plugin of the connector (15) into the socket (17). Therein, the connector (15) comprises at least one of the following: - at least one galvanic separation device (21) constructed and configured to keep the physical link between connection device and counterpart connection device separated by a galvanic separation (16) between the connection device in the connector (15) and the counterpart connection device in the socket (17) upon plugin of the connector (15) into the socket (17) until an authentication is provided; or - at least one authentication device (20) constructed and configured to establish the physical link of the connection device in the connector (15) and the counterpart connection device in the socket (17) by overcoming the galvanic separation (16) between the connection device and the counterpart connection device upon authentication being provided to the authentication device (20).
Need to check novelty before this filing date? Find Prior Art

Description

[0001] Connector and socket

[0002] Description

[0003] The invention refers to a connector. The invention refers to a socket. The invention refers to a system. The invention refers to a method.

[0004] Prior art

[0005] IT, or information technology, originally referred to the use of computers for information processing and management. The term OT, or operational technology, usually encompasses the hardware and machines that are responsible for a company's physical processes.

[0006] IT encompasses systems and devices such as servers, network devices, and endpoints, while OT generally refers to industrial computing devices such as loT gateways, or Internet of things gateways, and control systems.

[0007] IT may be used as an umbrella term that encompasses the processing, creation, storage, exchange and retrieval of data and information. Although IT frequently refers to computers, other end devices such as smartphones, servers, loT devices and tablets are also part of the IT infrastructure.

[0008] The general term IT may include software development, communications, information security, systems administration, infrastructure, networks, and telecommunications.

[0009] The main task of IT and related IT departments is to ensure that all data is managed, processed and stored securely. Since information technology is closely linked to network access, it is important to ensure that all data is secure and that potential risks are continuously identified and mitigated. Security analysts in IT help protect information and identify potential threats by implementing cybersecurity.

[0010] OT is most commonly used to monitor and control production in factories but is also highly relevant in the logistics and transportation industry as modern trains, planes and trucks become more and more automated and equipped with OT devices. Unlike IT, which is mainly concerned with network infrastructure such as local networks and / or global networks e.g., the internet, OT plays an important role in dealing with “the physical world”. OT may refer to information and control structures in particular devices at customer site or it may refer to particular systems or devices in planes, trains or trucks such as breaks and propulsion systems. In factory settings but also in logistics and transportation, one of the main problems of OT is downtime.

[0011] Downtime is the time during which production or transportation is interrupted, whether planned or unplanned. Unplanned downtime often proves to be very costly for companies. Therefore, the main concern of OT is to avoid downtime as much as possible. Furthermore, particularly in the transportation sector and in the logistics sector OT becomes more and more security and safety relevant as modern trains, planes and trucks comprise OT systems linked to beaks, propulsion and other potentially safety and security relevant systems and devices. Therefore, attacks on former less-interesting (from an attackers point of view) structures, systems and devices become more and more relevant and concerning as potentially costly damages can be induced to system providers, logistics and transportation companies and the broader public.

[0012] IT and OT have remained largely separate in the past, but in recent years, IT / OT convergence has become an increasingly important idea. When it comes to IT and OT, convergence offers many benefits, but it also comes with some risks to be aware of.

[0013] On the one hand, IT / OT convergence offers a lower risk of OT downtime and allows monitoring for malfunction but also to provide updates to modem OT systems and devices. Since downtime is often very expensive, even if it is short-lived, this is very attractive for OT. Furthermore, providing a monitoring of functionality and providing new or improved features and functionality based on updates becomes more and more interesting. On the other hand, increase in potential security risks becomes more and more pressing.

[0014] Object of the invention

[0015] The applicant follows security precautions known to date and feasible to implement on the date of filing and implements them with utmost care. However, the applicant strives to continuously develop and improve security in design, construction and installation of connectors, sockets and systems. For this reason, it is the object of the invention to further improve security in design, construction, installation and / or use of connectors, sockets and systems.

[0016] The object of the invention is solved by a connector according to claim 1 . The object of the invention is solved by a socket according to claim 2. The object of the invention is solved by a system according to claim 7. The object of the invention is solved by a method according to claim 11 .

[0017] According to one aspect, the object is solved by a connector with the features of claim 1 .

[0018] A connector may be constructed and configured to be connected with a socket for data exchange with a network via at least one physical layer. The physical layer may comprise at least one connection device (in the connector) constructed and configured for providing a physical link to a counterpart connection device in the socket upon plugin of the connector into the socket. The connector may comprise at least one galvanic separation device constructed and configured to keep the physical link between connection device and counterpart connection device separated by a galvanic separation between the connection device in the connector and the counterpart connection device in the socket upon plugin of the connector into the socket until an authentication is provided. Alternatively or additionally, the connector may comprise at least one authentication device constructed and configured to establish the physical link of the connection device in the connector and the counterpart connection device in the socket by overcoming the galvanic separation between the connection device and the counterpart connection device upon authentication being provided to the authentication device. The connector can implement a physical separation to the network up to after successful authentication. Successful authentication may allow a physical connection to the network to be established and to communicate to the network and within the network. This improves the security in design, construction, installation and / or use of connectors, sockets and systems.

[0019] A network (e.g. Ethernet) may not be intercepted on the lower two layers of the ISO-OSI layer model during a physical connection anymore. This makes it impossible to obtain information about devices in the network even though there are protection mechanisms in the higher layers of the reference model, such as firewalls, since those firewalls only intervene in layer 2 or higher. Obtaining such information could result in that the information could be evaluated and a security risk may arise. This security risk could arise simply due to e.g., service ports being present to which unauthorized persons have access. This problem is increasingly present in accessible systems such as train stations, airports, trains or similar. Digitization and digitalization increase the possibility and risk of external malicious influence. The galvanic separation may function as a physical firewall as it prevents any physical link to the network up until the authentication to be an eligible connector is given. As long as the authentication is not provided the connector may be plugged into the respective socket, but no access to the network may be granted. Therefore, it is not even possible to access any information or data about the network structure or any respective devices in the network.

[0020] In other words, the above-given problem can be solved by physically separating the connection from the network up until authentication is provided. The physical connection to the network is only established after successful authentication by one or more authentication options. So far, access was hidden (e.g. the position and / or function of service ports) or physically secured (e.g. by locks). However, the attraction of cyberattacks on previously uninteresting systems is considered to increase as a result of digitization and digitalization. If the physical layer is not protected physically, access may be given to passive participants, but passive participants (read-out systems and devices) cannot be detected.

[0021] Therefore, intrusions might not be detected and no countermeasures could be initiated. A lock may physically be destructed. Thereafter, access to at least partial information about the network may be achieved.

[0022] According to the embodiments of devices, systems and methods described here and in the following, authentication may have to be given even before the physical connection to the actual network may be established. It is particularly no longer possible to intercept (partial) information from the network without authentication and passive components cannot be connected to the network. The physical layer is particularly secured. Thus, a Secured Network Port (SNP) and / or a Securing Physical Layer (SPL) may have been implemented. Embodiments of respective devices, systems and methods as described here and in the following are in particular intended for all types of physical access to a network. This can be implemented in a switch, in a cable or directly in the network connection (e.g. Ethernet port) and can be used, for example, in the railway industry, manufacturing industry, construction and other areas where networks with connection options may be available. This contributes to the protection of a network and therefore improves the safety and security measures. This makes any physical access more difficult for unauthorized persons. In addition, the embodiments may create another (in both senses: further and / or alternative) security hurdle for securing the network as the physical connection to the network is only possible after successful authentication, so any unauthenticated connection attempt does not connect to the network. The embodiments may physically separate the network from the possibility of connecting to the network. Only after successful authentication, the physical connection to the network may be established and communication within the network may become possible.

[0023] ISO stands for International Organization for Standardization. OSI stands for Open Systems Interconnection model, also known as ISO- OSI layer model or OSI reference model. In the OSI reference model, the communications between a computing system can be split into seven different abstraction layers: physical, data Link, network, transport, session, presentation, and application, wherein the physical layer is the layer of physical connection referred to with respect to the connector and / or the socket (described here and in the following). In other words, the physical layer is the lowest layer of physical connection. The application layer is the highest layer. The terms “high” and “low” do not refer to anything synonymous to the term “importance”, but simply to a hierarchy between the layers and the data being transferred therein and / or in between the layers. In other words, the model may partition the flow of data in a communication system into seven abstraction layers to describe networked communication from the physical implementation of transmitting bits across a communications medium to the highest-level representation of data of a distributed application. Each intermediate layer may serve a class of functionality to the layer above it and may be served by the layer below it. Classes of functionality can be realized in all software development through all standardized communication protocols.

[0024] Each layer in the OSI model may have well-defined functions, and the methods of each layer communicate and interact preferably with those of the layers immediately above and below as appropriate.

[0025] The physical layer as already described in some detail above may be responsible for the transmission and reception of unstructured raw data between a device, such as a network interface controller, Ethernet hub, or network switch, and a physical transmission medium. It can convert the digital bits into electrical, radio, or optical signals. Layer specifications may define characteristics such as voltage levels, the timing of voltage changes, physical data rates, maximum transmission distances, modulation scheme, channel access method and physical connectors. This can include the layout of pins, voltages, line impedance, cable specifications, signal timing and frequency for wireless devices. Also an opto-coupler may be provided to transfer information based on optical signals, not in an electronic format. The opto-coupler may work in concatenation with a to-be-established physical link or may replace it in some embodiments. In embodiments, the bit rate control may be done at the physical layer and may define transmission mode as simplex, half duplex, and full duplex. The components of a physical layer can be described in terms of a network topology. Physical layer specifications can be included in the specifications for the ubiquitous Bluetooth, Ethernet, and USB standards as well as for the CAN standard for example. The physical layer can also specify how encoding occurs over a physical signal, such as electrical voltage or a light pulse (opto - coupler). For example, a 1 bit might be represented on a copper wire by the transition from a 0-volt to a 5-volt signal, whereas a 0 bit might be represented by the transition from a 5-volt to a 0-volt signal. This is for illustrative and explanatory purposes, but other encodings may be used. The physical layer as the “lowest” layer is so far not protected by any type of firewalls, as described in great detail above. Therefore, the physical firewall described here allows to implement a protection of the physical layer. In other embodiments, the second layer explained in the following might be protected by software-based firewalls or not. In both cases the physical firewall described here protects those embodiments as well.

[0026] The data link layer (German: “Sicherungsschicht”) may provide node-to- node data transfer - a link between two directly connected nodes. It can detect and possibly correct errors that may occur in the physical layer. It can define the protocol to establish and terminate a connection between two physically connected devices. It may also define the protocol for flow control between them. The data link layer can be the second layer and digital firewalls may protect the network from second layer up. The lowest layer, the physical layer, may so far not be protected by these firewalls. Therefore, the physical firewall described here allows to implement a protection of the physical layer, but also of the second layer in embodiments where the second layer is not protected by a respective software-based firewall.

[0027] The network layer can provide the functional and procedural means of transferring packets from one node to another connected in "different networks". A network is a medium to which many nodes can be connected, on which every node can have an address and which can permit nodes connected to it to transfer messages to other nodes connected to it by merely providing the content of a message and the address of the destination node and letting the network find the way to deliver the message to the destination node, possibly routing it through intermediate nodes. If the message is too large to be transmitted from one node to another on the data link layer between those nodes, the network may implement message delivery by splitting the message into several fragments at one node, sending the fragments independently, and reassembling the fragments at another node. It may, but does not need to, report delivery errors.

[0028] The transport layer can provide the functional and procedural means of transferring variable-length data sequences from a source host to a destination host from one application to another across a network, while maintaining the quality-of-service functions.

[0029] The transport layer can also control the reliability of a given link between a source and destination host through flow control, error control, and acknowledgments of sequence and existence. Some protocols are state- and connection-oriented. This means that the transport layer can keep track of segments (single pieces belonging to a data package, which may be transmitted over separate paths in the network) and may retransmit those that fail delivery through the acknowledgment hand-shake system. The transport layer can also provide the acknowledgement of the successful data transmission and sends the next data if no errors occurred.

[0030] The session layer can create the setup, can control the connections, and can end the teardown, between two or more computers, which is called a "session". Since DNS and other Name Resolution Protocols may operate in this part of the layer, common functions of the session layer may include user logon (establishment), name lookup (management), and user logoff (termination) functions. Including this matter, authentication protocols are particularly built into client software, such as FTP Client and NFS Client for Microsoft Networks. Therefore, the session layer can establish, manage and terminate the connections between the local and remote application.

[0031] The presentation layer can establish data formatting and data translation into a format specified by the application layer during the encapsulation of outgoing messages while being passed down the protocol stack, and possibly reversed during the deencapsulation of incoming messages when being passed up the protocol stack. For this very reason, outgoing messages during encapsulation may be converted into a format specified by the application layer, while the conversion for incoming messages during deencapsulation may be reversed.

[0032] The presentation layer can handle protocol conversion, data encryption, data decryption, data compression, data decompression, incompatibility of data representation between operating systems, and graphic commands. The presentation layer can transform data into the form that the application layer accepts, to be sent across a network. Since the presentation layer can convert data and graphics into a display format for the application layer, the presentation layer may be called the syntax layer.

[0033] The application layer is in particular the layer of the OSI model that is closest to the end user, which means both the OSI application layer and the user interact directly with a software application that implements a component of communication between the client and server, such as File Explorer and Microsoft Word. Such application programs may fall outside the scope of the OSI model unless they are directly integrated into the application layer through the functions of communication, as is the case with applications such as web browsers and email programs. Other examples of software are Microsoft Network Software for File and connected devices sharing and Unix / Linux Network File System Client for access to shared file resources.

[0034] Application-layer functions may typically include file sharing, message handling, and database access, through the most common protocols at the application layer, known as HTTP, FTP, SMB / CIFS, TFTP, and SMTP. When identifying communication partners, the application layer may determine the identity and availability of communication partners for an application with data to transmit. The most important distinction in the application layer is particularly the distinction between the application-entity and the application.

[0035] As described above, the physical layer as the lowest layer is particularly to be protected from unauthorized access to protect even leaking partial information about the network and its structure. As described above, the physical layer (German: “Bitubertragungsschicht”) may comprise a connection device and a counterpart connection device that may be brought into physical contact to exchange data. The galvanic separation device may block this physical contact in the sense that no information transfer is possible (no current or electric signal may flow) due to the galvanic separation being implemented by the galvanic separation device. Positive authentication to the authentication device may allow to establish the physical link.

[0036] In some embodiments, the galvanic separation may be permanent and an opto-coupler may be used to transmit information optically, as described throughout the description. In those embodiments, the optocoupler may function as connection device, counterpart connection device and galvanic separation device. The connection device (here: in the connector) may be any type of device or structure that is suitable for connecting to a respective counterpart connection device (here: in the socket) physically to allow for an electronic connection to be established. In the simplest case, the connection device and counterpart connection device are endings or end pieces of wires and / or of conducting paths. Bringing these endings or end pieces of wires and / or of conducting paths together by plugging in the connector into a socket, the respective conductive connections may be established.

[0037] The at least one galvanic separation device may be constructed and configured to keep the physical link between connection device and counterpart connection device separated by a galvanic separation between the connection device in the connector and the counterpart connection device in the socket upon plugin of the connector into the socket until an authentication is provided. In other words, the galvanic separation device may be constructed and configured to block the physical (conductive) link between the connector side and the socket side. Therefore, even if the connection device and counterpart connection device are in conductive and / or electronic contact, conduction is not possible as the galvanic separation device maintains a galvanic separation. The galvanic separation device may be located in a housing that hosts a connection e.g. the connector’s and / or the socket's.

[0038] Alternatively, the galvanic separation device may be located in a wiring connection to the connector and / or from the socket.

[0039] The at least one authentication device may be constructed and configured to establish the physical link of the connection device in the connector and the counterpart connection device in the socket by overcoming the galvanic separation between the connection device and the counterpart connection device upon authentication being provided to the authentication device. In other words, the authentication device may provide a given authentication and may process it in a way that the authentication is checked for validity. Upon positive feedback (the authentication is valid for the respective access to the network), the authentication device may provide a signal and / or trigger to the galvanic separation device for the latter to establish the physical (conductive and / or electronic and / or optic) link between the connection device and the counterpart connection device. In some embodiments, at least one authentication device and at least one galvanic separation device may form a single component and / or structure in the connector. In other embodiments, both may form separate components and / or structures.

[0040] The authentication device or the galvanic separation device may be provided either in the connector or alternatively in the socket which will be described in the following. Furthermore, both or at least one of the devices may be implemented into a housing of a socket or a connector respectively. Alternatively or additionally, they may be provided in a respective housing on its / their own along the cable connection of the connector or socket respectively. In other words, they may be located at the connector housing and / or the socket housing and / or along the wiring path to the connector and / or from the socket (information and current may flow to the socket as well).

[0041] According to an independent aspect, a socket may be constructed and configured to be connected with a connector for data exchange with a network via at least one physical layer. The physical layer (in the socket) may comprise at least one counterpart connection device constructed and configured for providing a physical link to a connection device in a connector upon plugin of the connector into the socket. The socket may comprise at least one galvanic separation device constructed and configured to keep the physical link between connection device and counterpart connection device separated by a galvanic separation between the connection device in the connector and the counterpart connection device in the socket upon plugin of the connector into the socket until an authentication is provided. Additionally or alternatively, the socket may comprise at least one authentication device constructed and configured (in the socket) to establish the physical link of the connection device in the connector and the counterpart connection device in the socket by overcoming the galvanic separation between the connection device and the counterpart connection device upon an authentication being provided to the authentication device. The socket can implement a physical separation to the network up to after successful authentication. Successful authentication may allow a physical connection to the network to be established and to communicate to the network and within the network. This improves the security in design, construction, installation and / or use of connectors, sockets and systems.

[0042] The definition regarding features, structures, components and their respective functional links as well as regarding terms used to define and to describe the connector apply to the socket accordingly. This applies to the respective advantages as they are described as well. Furthermore, the socket can be described by the respective features, structures, components and their respective functional links as they are described with respect to the connector. Recasting of big portions of these descriptions is avoided for matters of readability and conciseness. It is referred to them as these descriptions apply with respect to the socket accordingly.

[0043] Embodiments can be implemented wherein at least one galvanic separation device and at least one authentication device form a single component and / or structure. Alternatively, at least one galvanic separation device and at least one authentication device may form separate components and / or structures. In this case, both the at least one galvanic separation device and the at least one authentication device may be located at either the connector or at the socket, according to some embodiments. In other embodiments, the galvanic separation device may be located at a different location of the connection than the authentication device. According to these embodiments, the galvanic separation device may be located at I in the connector, while the authentication device may be located at I in the socket. In other embodiments, the galvanic separation device may be located at I in the socket, while the authentication device may be located at I in the connector. They may be located at the connector housing and / or the socket housing and / or along the wiring path to the connector and / or from the socket (information and current may flow to the socket as well).

[0044] According to one aspect, the galvanic separation device may be at least one of an opto-coupler, a mechanical electrical switch, a semiconductorbased switch, a relay and / or a microcontroller. The galvanic separation device can implement a physical separation to the network up to after successful authentication. Successful authentication may allow a physical connection to the network to be established and to communicate to the network and within the network. This improves the security in design, construction, installation and / or use of connectors, sockets and systems.

[0045] Alternatively or additionally, to the embodiments described above, inductive or capacitive galvanic separation may be implemented. Inductive galvanic separation may be implemented using at least one sending and receiving circuit with inductive responsivity. Capacitive galvanic separation may be implemented based on at least one capacitor.

[0046] Alternatively or additionally, further possibilities for physical separation may be implemented via wireless technologies. An example could be a transmitter and receiver with RFID that are very close to each other (e.g., in a chip) whose receiver / transmitter is only supplied with power after successful authentication. The transmitter and receiver could then be shielded against external tapping. An opto-coupler is a component of optoelectronics which may be used to transmit a signal between two galvanically separated (in the sense of electrically isolated) circuits. It may comprise a light-emitting diode (LED) or laser diode (LD) as the optical transmitter and a photodiode or phototransistor as an optical receiver. The transmitter and receiver components may be optically coupled to each other in a housing that is opaque from the outside. Opto-couplers can be used to transmit both digital and analog signals. In embodiments at least one opto-coupler may be used to establish a permanent galvanic separation between the connection device and the counterpart connection device. The optocoupler can be implemented and configured to transmit a signal optically between the connection device and the counterpart connection device. In such embodiments, the respective connection device and counterpart connection device might not be cables or any other current conducting device. Instead, the respective connection device might be a light emitting device and the counterpart connection device might be an optical sensor to detect emitted optical signals from the light emitting device and translating them into an electrical signal. This way, the (permanent) galvanic separation may be overcome optically as any of the features of the other mentioned and described embodiments and aspects e.g., regarding the authentication device are implemented.

[0047] A mechanical electrical switch may be a physical switch that can have two switching positions - open and closed. An open position may be referred to as the galvanic separation position, while a closed position may be referred to as a conducting position where the galvanic separation is broken and the physical link being established.

[0048] A relay can be a remotely operated switch powered by electric current, which may have two switching positions. The relay may be activated via a control circuit and can switch other circuits. As matter of example, a simple and easy to implement relay may be a mechanical relay that can be based on the principle of the electromagnet. A current in an excitation coil may generate a magnetic flux through the ferromagnetic core and a movably mounted, also ferromagnetic armature may be located on it. At an air gap, force is applied to the armature, causing it to switch one or more contacts. The armature is returned to its original position by spring force as soon as the coil is no longer energized. Therefore, two switching positions may be implemented which allow to introduce a galvanic separation between a connection device (in contact with a first electric circuit being in the connector) and a counterpart connection device (in contact with a second electric circuit being in the socket).

[0049] A relay for considerably higher powers in high-voltage technology may be called a contactor (German: “Schutz”). The amperage and electrical voltage in the load circuit can be several times greater than in a coil. Contactors may have a tie rod, the control of which is provided by a (slightly) higher power.

[0050] A semiconductor-based switch may be used to avoid any moving parts, but further allows to implement the benefits of solid stated semiconductor technology to switch between a galvanic separation and a conducting state. As matter of example, solid state relays (SSRs) may be used. SSRs are particularly not mechanical relays, but electronic components that can switch without moving contacts. SSRs can be realized with transistors or thyristors or triacs. They can be very durable, suitable for high switching frequency and unfavorable environmental conditions (humidity, aggressive or explosive gases). Using SSRs can make it possible to switch alternating voltage during the zero crossing (zero crossing switch), which can avoid disturbing pulses. In addition, SSRs can be implemented that switch at the apex of the main voltage or immediately when controlled, i.e. instantaneously. Circuit breakers may be used to switch inductors that have little or no residual magnetization and therefore have no hysteresis. In SSRs, galvanic separation (synonym here and elsewhere: galvanic isolation) between the control circuit and the load circuit may be achieved by opto-couplers integrated in the component. SSRs may have higher losses in the load current path than mechanical relays and therefore they may be mounted on a heat sink to conduct the heat.

[0051] So-called OptoMOS or PhotoMOS relays can be similar in design to optocouplers. On the control side, they may work like an opto-coupler with an LED e.g., emitting in the infrared. In contrast to the SSRs described above, they can avoid triacs or thyristors on the load side but can be equipped with MOSFETs with which they can switch DC and AC voltages. They can be used to switch small currents. They do not need to be cooled, and may have a lower voltage drop than SSRs, but typically exhibit a higher "contact resistance" than mechanical signal relays. Particularly, they work bounce-free and wear-free and with switching speeds of down to a few microseconds.

[0052] A microcontroller can be a compact integrated circuit designed to govern a specific operation (here: the opening and closing of the galvanic separation) in an embedded system (here the connection between a connector and a socket as described). A microcontroller may include a processor, a memory and input / output (I / O) peripherals on a single chip.

[0053] According to another aspect, the galvanic separation device may be a microcontroller. The microcontroller can be constructed and configured to get activated by plugging the connector into the socket, particularly by providing power from the network, further particularly by providing power over ethernet. This allows to establish an active microcontroller solely during connection. Therefore, the microcontroller does not have to be powered all the time. To the contrary, the microcontroller may only be powered, particularly by the power of the network, when the connector is plugged into the socket. Therefore, one may distinguish a data transfer circuitry from a power transfer circuitry. The first circuitry to be linked may be the power transfer circuitry, which allows to activate the respective microcontroller(s) of the galvanic separation device. This avoids power usage at times where the galvanic separation is already implemented as the connector and the socket are disconnected by the connector not being plugged into the socket. The second circuitry may be the data transfer circuitry, which may not be linked between the connection device and the counterpart connection device, even in cases where there is a power transfer to the microcontroller. To the contrary, the microcontroller may be powered via the power transfer circuitry to implement the galvanic separation.

[0054] The same or similar features may apply to the authentication device. The authentication device may comprise at least one microcontroller. This microcontroller may be used to transfer a successful authentication as a positive trigger to break galvanic separation to implement a physical link between the connection device and the counterpart connection device.

[0055] According to another aspect, the authentication device can be constructed and configured for authentication being based on at least one authentication method collected from PKI-based authentication (e.g. X.509-Certificate), 802.1X-based authentication, NFC-based authentication, RFID-based authentication, 2-factor-authentification, providing login data, a token-based authentication, providing and evaluating at least one digital certificate, finger print authentication, HTTP- authentication and / or HTTPS-authentication or connector-ID-based authentication and / or socket-l D-based authentication. This may allow to implement an authentication to avoid unauthorized persons or personnel to access the network and to obtain at least partial information about the network and connected devices and systems. PKI-based authentication can also be called public key infrastructure authentication. A public key infrastructure (PKI) can refer to a set of roles, policies, hardware, software and procedures which may be used to create, manage, distribute, use, store and revoke digital certificates and manage public-key encryption. The purpose of a PKI is to facilitate the secure electronic transfer of information for a range of network activities such as the transfer of identification information. It is particularly used as simple passwords may be an inadequate authentication method. The more rigorous proof of identity can be used to confirm the identity of the parties (here e.g., the person trying to access the network and the information or identity of the network) involved in the communication and to validate the information being transferred (from the network to the person accessing it and information provided to the network). The PKI may be an arrangement that can bind public keys with respective identities of entities (like persons allowed to access a respective network infrastructure of an organization). The binding can be established through a process of registration and issuance of certificates at and by a certificate authority (CA). Depending on the assurance level of the binding, this may be carried out by an automated process or under human supervision. When done over a network, this can require using a secure certificate enrollment or certificate management protocol such as CMP. PKIs may be used to identify the respective person that may be given access to the network. Alternatively or additionally, the socket and / or the connector may be provided with a respective PKI. Therefore, either natural persons may be granted access to the network or the respective connector or socket used in combination with the respective counterpart.

[0056] 802.1 X-based authentication is based on network access control (NAC) via the 802.1X protocol. 802.1X network access control (NAC) enables administrators to provide uniform access control across wired and wireless networks. It may comprise two major elements, the 802.1X protocol (from here: the protocol) and the NAC itself. The protocol is an IEEE standard for port-based network access control (PNAC) on wired and wireless access points. 802.1X may define authentication controls for any user or device trying to access a LAN (or WLAN). The NAC can be a proven networking concept that identifies users (persons eligible to access the network) and devices (sockets and / or connectors or linked devices which may be used for accessing the respective network) by controlling access to the network. NAC may control access to enterprise resources using authorization and policy enforcement. The standard as described herein with respect to 802.1X refers to the standard as set-up and used on the date of filing the application (and / or the respective priority date).

[0057] The 802.1X NAC operation sequence may be described as follows.

[0058] Upon initiation, the authenticator (here the authentication device in concatenation with the galvanic separation device as a type of switch) or supplicant (client device) can send a session initiation request. A supplicant may send an Extended Authentication Protocol-response (EAP- response) message to the authenticator, which encapsulates the message and forwards it to an authentication server. Extensible Authentication Protocol (EAP) is an authentication framework which can be used in network and internet connections. EAP refers to a multitude of methods as implemented on the date of filing (or the priority date respectively).

[0059] Upon authentication the messages pass between the authentication server and the supplicant via the authenticator to validate several pieces of information, here e.g., the identity of the person to access the network.

[0060] Authorization may be given if the credentials are valid. In this case the authentication server notifies the authenticator to give the supplicant access to the port. Accounting may keep session records including user and device details, session types, and service details.

[0061] Upon termination, the sessions may be terminated e.g., by reintroduction of the galvanic separation to break the physical link.

[0062] NFC-based authentication may be based on the near field communication standard as applicable on the date of filing (and / or the date of priority). Near-field communication (NFC) can refer to a set of communication protocols that enable communication between two electronic devices over a distance of about 4 cm (1 .57 in) or less. Thus, the NFC may allow the connector and the socket to exchange information already upon bringing both closer together than the respective standard distance being required. NFC can be based on inductive coupling between two so-called antennas present on NFC-enabled devices - for example the socket and the connector - communicating in one or both directions, particularly using a frequency of 13.56 MHz in the globally available unlicensed radio frequency ISM band using the ISO / IEC 18000-3 air interface standard at data rates ranging from 106 to 848 kbit / s.

[0063] RFID-based authentication may be based on Radio-Frequency Identification (RFID). RFID particularly uses electromagnetic fields to automatically identify and track tags attached to objects such as the socket and / or the connector. An RFID system may comprise a radio transponder, a radio receiver and a transmitter. When triggered by an electromagnetic interrogation pulse from a nearby RFID reader device (e,g. at the socket and / or the connector, but also at an independent identification device from the accessing person), the tag can transmit digital data, usually an identifying number, back to the reader. This identifying number can be used to identify the respective socket and / or connector which may be used together to access the network. Additionally or alternatively, the respective socket and / or connector may be using RFID to independently verify the identity of the person trying to access the network.

[0064] Two-factor authentication (2FA), sometimes referred to as two-step verification or dual-factor authentication, may refer to a security process in which persons trying to access the network can be obliged to provide two different authentication factors to verify themselves. Thus, 2FA can be implemented to better protect the network resources a person can access. Two-factor authentication may provide a higher level of security than authentication methods that depend on single-factor authentication (SFA), in which the person trying to access the network may provide only one factor e.g., a password or passcode. 2FA methods can rely on a person / user providing a password as the first factor and a second, different factor - particularly either a security token or a biometric factor, such as a fingerprint, iris or facial scan. 2FA may add an additional layer of security to the authentication process by making it harder for attackers to gain access to the network because, even if one factor is hacked e.g., the password, access to the network would still be restricted as the galvanic separation would not be overcome as a single factor, e.g. a password, alone is not enough to pass the authentication check.

[0065] In other embodiments providing login data might suffice. Therefore, also SFA may be implemented to allow access to the network even on a physical layer to read at least partial information from the network such as the connected components, systems and devices. This may be implemented in devices and systems of lower importance and lower safety and security relevance. SFA may improve speed of access.

[0066] A token-based authentication is particularly a protocol that generates encrypted security tokens. It enables users to verify their identity to the authentication device, which then may generate a unique encrypted authentication token. That token may provide persons who are allowed to access the network with access to the network by providing a physical link in the galvanic separation device by overcoming the galvanic separation and establishing the physical link. This access may be provided for a limited period of time without having to re-enter e.g., their username and password in case of a SFA or without providing a second input in a 2FA.

[0067] Token-based authentication may work through a five-step process:

[0068] In an (initial) request, the user may log in to a service using their login credentials, which may issue an access request to the authentication device to access the protected resource, here the network.

[0069] During verification, the authentication device can verify the login information to determine that the user should have access to the network and that the galvanic separation device should close the physical link. This involves e.g., checking the password entered against the username provided in SFA and additionally providing the second factor in 2FA.

[0070] In token submission, the authentication device can generate a secure, signed authentication token for the user for a specific period of time.

[0071] In a storage step, the token may be transmitted back to the user e.g. to the authentication device, which stores it for access to future access request. When the user provides a new access request, the authentication token can be decoded and verified. If there is a match, the user will be allowed to proceed as the physical link may be established in the galvanic separation device. Therefore, the physical link may allow the person to proceed with sending and receiving information from the network such as the connection to structures, devices and systems.

[0072] In expiration, the token can remain active until the person accessing the network logs out from the network or disconnects the connector from the socket. The galvanic separation may be reintroduced also by a log-off process in transition to physical disconnection of the connector from the socket.

[0073] This token-based process may prove that the person has been provided access to the network and attached resources without having to verify their identity every time they navigate in the network or reconnect to the network by plugging in the connector into the socket.

[0074] Token-based authentication can also be a positive step up from relying on traditional passwords, which can be inherently insecure. Passwords may be human-generated, which can render them weak and easy for hackers to crack. For example, people tend to recycle passwords across accounts because it helps to remember their login details.

[0075] Furthermore, password-based systems may require persons who want to access the network via a connector-socket connection to repeatedly enter their login credentials, which wastes time and can be frustrating, especially if they forget their password. With a token-based approach, a person may only need to remember one password, which may be quicker and simpler and may encourage them to use a stronger password.

[0076] An authentication token may securely transmit information about person identities e.g., to the authentication device and to the galvanic separation device, where a successful authentication may be used to overcome galvanic separation as described throughout the description of the embodiments of the socket, the connector, but also the respective systems and methods. Authentication tokens enable organizations to strengthen their authentication processes for accessing the network even on a physical layer basis as no physical link may be provided unless the authentication is successful. An authentication token allows eligible persons to access the network, particularly without having to enter their login credentials each time they try to access the network via a respective port or socket. Instead, the user may log in once, and a unique token is generated and shared with the authentication device and / or the galvanic separation device to verify their identity and to establish a physical link once the respective user tries to access the respective network via the same socket or port. An authentication token can be formed of three key components: the header, payload, and signature.

[0077] The person may provide at least one digital certificate that can be evaluated by the authentication device to establish the physical link by overcoming the galvanic separation. A digital certificate can be a file or electronic password that proves the authenticity of a device, server, or person through the use of cryptography and particularly through the use of PKI as described elsewhere. Digital certificate authentication may help organizations to ensure that only trusted devices and persons can connect to their networks.

[0078] Biometric authentication may allow to use biometric features such as facial recognition authentication, fingerprint authentication, iris authentication and other to be implemented e.g., during SFA and / or 2FA, both described as above.

[0079] HTTP-authentication may be provided as so-called Basic Authentication (BA). BA can refer to a method for providing a username and password to the authentication device when making a request for accessing the network (e.g., simply by plugging the connector into the socket). This may also be referred as SFA authentication as previously stated. The BA may also work via a web-interface and / or server interface which may also be implemented in the authentication device here or with respect to other authentication methods and respective embodiments. When employing BA, a person trying to access the network may include an encoded string in the authorization header of each request they make. Upon successful completion of the authorization, the server may provide a signal to the authentication device and / or the galvanic separation device indicating successful completion of the authentication. Therefore, the physical link may be established as described herein.

[0080] HTTPS Client Authentication is a more secure method of authentication than either BA or a form-based authentication. It can use HTTP over SSL (HTTPS), in which a server authenticates the user is using a respective Public Key Certificate (PKC) that is to be considered eligible to grant access to the network.

[0081] Connector-I D-based authentication and / or socket-l D-based authentication give(s) the respective connector and / or socket an ID on its / their own. Therefore, the connector and / or the socket may function as their own authentication device and may further function as their own token and / or may provide their own PKCs or other digital certificates. Therefore, the person being in possession of the respective connector and / or socket is authorized to access the network, while counterfeits of the socket and / or the connector may not grant access to the network. This improves the usability for the user as the user does not have to memorize additional passwords and / or does not have to carry additional identification equipment e.g., next to their maintenance equipment. Furthermore, the user may be protected from using insecure counterfeit products. Furthermore, counterfeit products may indicate ineligible access attempts.

[0082] According to another aspect, the connector and / or the socket can be constructed and configured such that dismantling the connector and / or the socket leads to a loss of the function to establish the physical link. At least one of the connector and / or the socket may have a break on purpose device that is configured and integrated into the circuitry such that opening the connector and / or the socket will lead to a respective destruction of either the first and / or second circuit such that the physical link cannot be reestablished by the galvanic separation device.

[0083] According to an independent aspect, the objection is solved by a system comprising at least one connection between a connector, particularly a connector as described elsewhere, and a socket, particularly a socket as described elsewhere. The connection is particularly configured for data exchange with a network via at least one physical layer. The physical layer may comprise at least one connection device in the connector and / or one counterpart connection device in the socket. The physical layer may be constructed and configured for providing a physical link between the connection device in a connector and the counterpart connection device in the socket upon plugin of the connector into the socket. The connection can comprise at least one galvanic separation device constructed and configured to keep the physical link between connection device and counterpart connection device separated by a galvanic separation between the connection device in the connector and the counterpart connection device in the socket upon plugin of the connector into the socket until an authentication is provided. The connection can comprise at least one authentication device constructed and configured to establish the physical link between the connection device in the connector and the counterpart connection device in the socket by overcoming the galvanic separation between the connection device and the counterpart connection device upon an authentication being provided to the authentication device. The connection between connector and socket can implement a physical separation to the network up to after successful authentication. Successful authentication may allow a physical connection to the network to be established and to communicate to the network and within the network. This improves the security in design, construction, installation and / or use of connectors, sockets and systems. The definitions regarding features, structures, components and their respective functional links as well as regarding terms used to define and to describe the connector and / or the socket apply to the system accordingly. This applies to the respective advantages as they are described with respect to the connector and / or the socket as well. Furthermore, the system can be described by the respective features, structures, components and their respective functional links as they are described with respect to the connector and / or the socket. Recasting of big portions of these descriptions and definitions is avoided for matters of readability and conciseness. It is referred to them as these descriptions apply with respect to the system accordingly.

[0084] According to an aspect the system can be a train and / or a train station. The system can be a ship and / or a harbor. The system can be a plane and / or an airport. The system can be a truck and / or a logistics terminal. This allows to link a respective mobile system with a respective terminal system for data transfer. Alternatively or additionally, maintenance operations may be performed at a train in a train station, at a ship laying in a harbor or at a truck at a logistic terminal, a gas station and / or a repair shop. For data transfer e.g., for OT updates, for maintenance and other operations, it may be possible to link to networks linking the terminal system and / or the mobile system. Therefore, at least one of the terminal system and / or the mobile system may have a port comprising a socket and / or a connector to establish a respective connection.

[0085] According to another aspect the system is particularly constructed and configured to remain inactive as long as no power is supplied e.g., via power over ethernet, to at least one of the connector and / or the socket. This may reduce the resources necessary to run the system.

[0086] Particularly, the microcontroller may only be powered by a power transfer circuit upon connection being established between the connector and the socket. As described previously, the power transfer circuit can be distinguished from the data transfer circuit which allows linking to the network. Therefore, the power transfer circuit does not have to be active all the time, but only in case the microcontroller is needed to take the decision if a physical link may be established or not.

[0087] According to another aspect the system may comprise at least one of the connector or the socket being constructed and configured to be paired by recognizing its counterpart to automatically establish the physical link upon connection of the connector and the socket. Therefore, the usability may be improved by also improving the security of the ports from respective malicious connections or respective connection attempts to the network.

[0088] Pairing may be based on temporal network maintenance schedules, on the connector and / or socket IDs used or on additional or alternative authentication attempts and procedures.

[0089] According to an independent aspect, a method may be established for providing a physical link between a connector, particularly a connector as described here, and a socket, particularly as described here. The method may comprise a step of connecting the connector and the socket. In this step, the physical link via a physical layer may maintain separated by a galvanic separation by a galvanic separation device until an authentication is provided to an authentication device. The method may comprise a step of providing an authentication to an authentication device. The method may comprise a step of establishing the physical link in the physical layer, particularly upon positive authentication. Thereafter, a data exchange might be possible and be implemented.

[0090] Embodiments

[0091] An embodiment of the invention is shown in the drawings and is explained in more detail below. It is shown in: Fig. 1 a train station situation, where embodiments can be implemented;

[0092] Fig. 2 a schematic of an ISO-OS I model of a connector and a socket;

[0093] Fig. 3 a schematic of a physical link between a connector and a socket;

[0094] Fig. 4 a schematic of an ethernet port of a socket; and

[0095] Fig. 5 a method for providing a physical link between a connector and a socket.

[0096] Some of the figures contain simplified, schematic representations. In some cases, identical reference signs are used for the same, but possibly not identical, elements. Different views of the same elements might be scaled differently. Directions such as "left", "right", "up" and "down" are to be understood in relation to the respective figure and may vary in the individual representations compared to the object depicted.

[0097] Fig. 1 shows an exemplary situation in a train station 1 , where embodiments can be implemented. The embodiment can refer to a system 40 that can refer to a train 2 and / or a train station 1 . Trains 2 can comprise wagons and locomotives 3. Ports for maintenance, data transfer and information input and / or readout can be provided at multiple locations in exemplary situations, similar to that shown in Fig.1 . They may be provided at links between wagons, a so-called wagon connections 5, where information flows between one wagon and the next via wires connecting them. Furthermore, information provided and transferred along the train via a network 13 may link to the breaks 6, to propulsion systems 10, to information screens 7 for informing passengers and passenger doors 8. Input and control signals may be provided by a driver in a driver’s cab 11. The driver may input commands into a driver’s control board 12. Even the control of the pantograph 9 may be provided using the network 13. At all these different locations there can be access ports, where a connector 15 may be plugged into a socket 17 to provide a link. As more and more systems 40 are getting linked this way, even previously uninteresting systems 40 may become interesting to hackers. As even safety and security relevant structures and elements such as the propulsion systems 10 and the breaks 6 may be linked, unwanted access to them may lead to safety and security concerns. To secure the network 13 and the respective linked devices software firewalls may be provided in ISO-OSI models as shown exemplarily in Fig. 2 from the second level, the data link layer 34, or higher. The following description may also account for embodiments where the data link 34 is not protected by a software-based firewall.

[0098] Alternative situations that can implement described embodiments may be provided in a ship and / or a harbor, in a plane and / or an airport or in a truck and / or a logistics terminal. Furthermore, the system 40 may be applied in a factory and / manufacturing site setting as well.

[0099] Fig. 2 shows an exemplary schematic of an ISO-OSI model of a connector 15 and a socket 17. The ISO-OSI model of the connector 15 can provide several abstraction layers in the connector’s layer model 28 and the ISO- OSI model of the socket 17 can provide several abstraction layers in the socket’s layer model 29. The communications between a computing system can be split into seven different abstraction layers: physical layer 33, data link layer 34, network layer 35, transport layer 36, session layer 37, presentation layer 38, and application layer 39, wherein the physical layer 33 is the layer of physical connection referred to with respect to the connector 15 and / or the socket 17 (described with respect to Fig. 3 and 4). In other words, the physical layer 33 is the lowest layer of a physical connection. The application layer 39 is the highest layer. Only the second layer, the data link layer 34, and higher may be protected by a softwarebased firewall. This would still allow hackers to access information about the devices connected to a network 13. Obtaining such information could result in that the information could be evaluated and a security risk may arise. This security risk could arise simply due to e.g., service ports being present to which unauthorized persons (passengers) have access. This problem is increasingly present in accessible systems such as train stations, airports, trains or similar. Digitization and digitalization increase the possibility and risk of external malicious influence. Regarding the function of the individual abstraction layers it is referred to the previous and detailed description thereof.

[0100] A network 13 (e.g. Ethernet) may not be intercepted on the lower two layers of the ISO-OSI layer model during a physical connection if a physical separation is kept until an authentication 25 is provided (see Fig. 5). This galvanic separation 16 may function as a physical firewall. This makes it impossible to obtain information about devices in the network 13 even though there are protection mechanisms in the higher layers of the reference model, such as software-based firewalls, since those firewalls only intervene in layer 2 or higher. There may be embodiments, where the data link layer 34 is not protected by a software-based firewall. The data link layer 34 in those embodiments may be protected against access based on the same physical firewall protecting the first layer.

[0101] Fig. 3 shows a schematic of a physical link between a connector 15 and a socket 17 as a system 40. The system 40 may comprise at least one connection 30 between a connector 15 and a socket 17. The connection 30 can be configured for data exchange with the network 13 as described previously via at least one physical layer 33. The physical layer 33 comprises at least one connection device in the connector 15. Additionally or alternatively, one counterpart connection device may be provided in the socket 17.

[0102] The physical layer 33 may be constructed and configured for providing a physical link between the connection device in the connector 15 and the counterpart connection device in the socket 17 upon plugin of the connector 15 into the socket 17. The connection device and the counterpart connection device can be wires that are brought into contact in the simplest embodiments upon plugin of the connector 15 into the socket 17.

[0103] The connection 30 may comprise at least one galvanic separation device 21 . This galvanic separation device 21 may be constructed and configured to keep the physical link between connection device and counterpart connection device separated by a galvanic separation 16 between the connection device in the connector 15 and the counterpart connection device in the socket 17 upon plugin of the connector 15 into the socket 17 until an authentication 25 is provided. The galvanic separation device 21 may be provided in the connector 15, in the socket 17 - so in any of their housings - or alternative in an electric link that provides the respective information to be provided to the connector 15 or from the socket 17. Therefore, it may also be provided in a transmitting cable as a cable connection 31 .

[0104] The connection 30 may comprise at least one authentication device 20 constructed and configured to establish the physical link between the connection device in the connector 15 and the counterpart connection device in the socket 17 by overcoming the galvanic separation 16 between the connection device and the counterpart connection device upon an authentication 25 being provided to the authentication device 20.

[0105] As shown already in Fig. 3, but as well as in Fig. 4, the connector may be a part of a connection line 14 (potentially linked to other connection lines

[0106] 14 via nods). There may be several connection lines 14 as there is a network architecture as discussed throughout this description. Connector

[0107] 15 can be plugged into a socket 17, but providing the physical connection does not provide a physical link as galvanic separation 16 is maintained until an authentication 25 is provided. The system 40 may be constructed and configured to remain inactive as long as no power is supplied via power over ethernet to at least one of the connector 15 or the socket 17.

[0108] At least one of the connector 15 or the socket 17 may be constructed and configured to be paired by recognizing its counterpart to automatically establish the physical link upon connection 30 of the connector 15 and the socket 17. This automatic pairing will allow to establish the physical link by overcoming the galvanic separation via the galvanic separation device. The galvanic separation device may be deactivated in some embodiments, or it may become active in other embodiments e.g., where an opto-coupler may be used to transmit information as optical link.

[0109] Fig. 4 shows a schematic of an ethernet port 18 of a socket 17. This ethernet port 18 may comprise a physical port 19. This physical port 19 may comprise a counterpart connection device here, as the socket 17 is schematically shown as matter of example. One may refer to the socket 17 as the female part of the connection 30, while the connector 15 may be referred to as the male part of the connection 30. The principle would uphold for a connector 15. Therefore, therein a connection device could be implemented into the physical port 19. Furthermore, an authentication device 20 is particularly provided. An authentication 25 can be provided to the authentication device 20. Here, the authentication device 20 is a microcontroller authentication device which will identify and analyze a respective authentication 25 provided to it. The authentication 25 may be provided via an external tool or device (not shown) such as a biometric signal analyzer e.g., an iris scanner, a fingerprint scanner, etc. Upon a user, a maintenance personnel or any other person trying to access the network 13, it may have to provide an authentication 25 as described previously. This authentication 25 will allow the person to physically link to the network and to access it. The authentication device 20 may provide a signal about a positive authentication to a galvanic separation device 21 which breaks the galvanic connection 16 and thus may provide the physical link between the connection device and the counterpart connection device. Even in embodiments, where an opto-coupler is solely used to replace an electrically conductive link between the connector 15 and the socket 17, the authentication device 20 will activate the optocoupler.

[0110] Fig. 5 shows a schematic of an exemplary embodiment of a method 23 for providing a physical link between a connector 15 and a socket 17. Socket 17 and / or connector 15 may be as described previously. The method 23 may comprise a step of connecting 24 the connector 15 and the socket 17. Therein, the physical link via a physical layer 33 is separated by a galvanic separation 16 by a galvanic separation device 21 until an authentication 25 is provided to an authentication device 20. The method 23 may comprise a step of providing an authentication 25 to an authentication device 20. The method 23 may comprise a step of establishing 26 the physical link in the physical layer 33. Thereafter, the method may comprise a step of data exchange 27 with the network 13.

[0111] Connector and socket

[0112] Reference signs train station train e.g., wagon locomotive switchboard wagon connection breaks information screen passenger doors pantograph propulsion system driver’s cab driver’s control board network connection line connector galvanic separation socket ethernet port physical port with connection device and / or counterpart connection device authentication device e.g., microcontroller authentication galvanic separation device wired connection to network method for establishing data connection to network bringing connector and socket into physical connection, but network remains physically disconnected by galvanic separation authentication establishing physical link to network by overcoming galvanic separation data exchange with the network connector’s layer model socket’s layer model connection cable connection physical firewall protection frame physical layer data link layer network layer transport layer session layer presentation layer application layer system

Claims

Connector and socketClaims1 . Connector (15) constructed and configured to be connected with a socket (17) for data exchange with a network (13) via at least one physical layer (33), wherein the physical layer (33) comprises at least one connection device constructed and configured for providing a physical link to a counterpart connection device in the socket (17) upon plugin of the connector (15) into the socket (17); wherein the connector (15) comprises at least one of the following:- at least one galvanic separation device (21 ) constructed and configured to keep the physical link between connection device and counterpart connection device separated by a galvanic separation (16) between the connection device in the connector (15) and the counterpart connection device in the socket (17) upon plugin of the connector (15) into the socket (17) until an authentication is provided; or- at least one authentication device (20) constructed and configured to establish the physical link of the connection device in the connector (15) and the counterpart connection device in the socket (17) by overcoming the galvanic separation (16) between the connection device and the counterpart connection device upon authentication being provided to the authentication device (20).

2. Socket (17) constructed and configured to be connected with a connector (15) for data exchange with a network (13) via at least one physical layer (33), wherein the physical layer (33) comprises at least one counterpart connection device constructed and configured for providing a physical link to a connection device in aconnector (15) upon plugin of the connector (15) into the socket (17); wherein the socket (17) comprises at least one of the following:- at least one galvanic separation device (21 ) constructed and configured to keep the physical link between connection device and counterpart connection device separated by a galvanic separation (16) between the connection device in the connector (15) and the counterpart connection device in the socket (17) upon plugin of the connector (15) into the socket (17) until an authentication is provided; or- at least one authentication device (20) constructed and configured to establish the physical link of the connection device in the connector (15) and the counterpart connection device in the socket (17) by overcoming the galvanic separation (16) between the connection device and the counterpart connection device upon an authentication being provided to the authentication device (20).

3. Connector (15) according to claim 1 or socket (17) according to claim 2, wherein the galvanic separation device (21 ) is at least one of:- an opto-coupler;- a mechanical electrical switch;- a semiconductor-based switch;- a relais; or- a microcontroller.

4. Connector (15) according to either of the claims 1 or 3 or socket (17) according to either of the claims 2 or 3, wherein the galvanic separation device (21 ) is a microcontroller, the microcontroller being constructed and configured to get activated by plugging the connector (15) into the socket (17), particularly by providing powerfrom the network (13), further particularly by providing power over ethernet.

5. Connector (15) according to either of the claims 1 or 3 to 4 or socket (17) according to either of the claims 2 to 4, wherein the authentication device (20) is constructed and configured for authentication being based on at least one of the following:- PKI-based authentication;- 802.1 X-based authentication;- NFC-based authentication;- RFID-based authentication;- 2-factor-authentification;- providing login data;- a token-based authentication;- providing and evaluating at least one digital certificate;- biometric authentication, particular fingerprint authentication;- HTTP-authentication and / or HTTPS-authentication; or- connector-ID-based authentication and / or socket-ID- based authentication.

6. Connector (15) according to either of the claims 1 or 3 to 5 or socket (17) according to either of the claims 2 to 5, the connector (15) or the socket (17) constructed and configured such that dismantling the connector (15) or the socket (17) leads to a loss of the function to establish the physical link.

7. System (40) comprising at least one connection between a connector (15) , particularly a connector (15) according to either of the claims 1 or 3 to 6, and a socket (17), particularly a socket (17) according to either of the claims 2 to 6, wherein the connection is configured for data exchange with a network (13) via at least one physical layer (33), wherein the physical layer (33) comprises at least one connection device in the connector (15) and / or onecounterpart connection device in the socket (17), the physical layer (33) constructed and configured for providing a physical link between the connection device in the connector (15) and the counterpart connection device in the socket (17) upon plugin of the connector (15) into the socket (17); wherein the connection comprises:- at least one galvanic separation device (21 ) constructed and configured to keep the physical link between connection device and counterpart connection device separated by a galvanic separation (16) between the connection device in the connector (15) and the counterpart connection device in the socket (17) upon plugin of the connector (15) into the socket (17) until an authentication (25) is provided; and- at least one authentication device (20) constructed and configured to establish the physical link between the connection device in the connector (15) and the counterpart connection device in the socket (17) by overcoming the galvanic separation (16) between the connection device and the counterpart connection device upon an authentication (25) being provided to the authentication device (20).

8. System (40) according to claim 6, wherein the system (40) is either of:- a train (2) and / or a train station (1 );- a ship and / or a harbor;- a plane and / or an airport; or- a truck and / or a logistics terminal.

9. System (40) according to either of the claims 7 to 8, wherein the system (40) is constructed and configured to remain inactive aslong as no power is supplied via power over ethernet to at least one of the connector (15) or the socket (17).

10. System (40) according to either of the claims 7 to 9, wherein at least one of the connector (15) or the socket (17) is constructed and configured to be paired by recognizing its counterpart to automatically establish the physical link upon connection of the connector (15) and the socket (17).11 . Method (23) for providing a physical link between a connector(15), particularly a connector (15) according to either of the claims 1 or 3 to 6, and a socket (17), particularly according to either of the claims 2 to 6, comprising the steps of:- connecting (24) the connector (15) and the socket (17), wherein the physical link via a physical layer (33) is separated by a galvanic separation (16) by a galvanic separation device (21 ) until an authentication (25) is provided to an authentication device (20);- providing an authentication (25) to an authentication device (20); and- establishing (26) the physical link in the physical layer (33).