method of controlling a communication session between a user device and a service system, control system and corresponding computer program.
A control system using multiple IP addresses and tokens anonymizes communication sessions, addressing the security risk of single-IP address exposure and preventing user information aggregation.
Patent Information
- Authority / Receiving Office
- FR · FR
- Patent Type
- Applications
- Current Assignee / Owner
- SAGEMCOM BROADBAND SAS
- Filing Date
- 2024-12-17
- Publication Date
- 2026-06-19
AI Technical Summary
In local area networks, communication sessions with service providers using a single public IP address and user identifier expose user information to aggregation by service providers or malicious third parties, compromising security.
A control system allocates multiple public IP addresses and authentication tokens to anonymize communication sessions by dispersing user information, making it difficult for service providers to link data to a single user.
The solution enhances security by obfuscating personal information and preventing its aggregation across communication sessions, ensuring user privacy.
Smart Images

Figure 00000000_0000_ABST
Abstract
Description
Title of the invention: method for controlling a communication session between a user device and a service system, control system and corresponding computer program. technical field
[0001] The field of the invention is that of local telecommunications networks integrating a plurality of user devices, such as a television (for example, a connected television of the "Smart TV" type), a TV decoder ("Set Top Box"), etc. In particular, the present disclosure relates to the establishment of a secure communication session between a user device and a system (e.g., server) hosting a service required by the user device. STATE OF PRIOR ART
[0002] In general, in a local area network (LAN), access to services accessible via a wide area network (WAN) is established using a fixed public IP (Internet Protocol) address and unique user identifiers for each service. Typically, the public IP address used to establish communication sessions is the public IP address of the network gateway, which acts as a router for user devices on the local area network.
[0003] Consequently, a service provider has access to all information transmitted by the user during the various communication sessions established between the user's device and the system hosting the requested service. Indeed, since all communication sessions originate from the same public IP address, the service provider can easily accumulate or aggregate information related to the user. Thus, information that, in isolation, would have no personal character, can, if concatenated with other information related to the same user, become potentially personal information. This can pose a security problem for the user, particularly if a malicious third party manages to collect / aggregate the information transmitted by the user in this way.
[0004] It is therefore desirable to overcome this drawback of the prior art.
[0005] In particular, it is desirable to provide a solution that improves the Security of communication sessions between a user device and a system hosting a service required by that user device. In particular, it is It is desirable to provide a solution that limits the ability of service providers or a malicious third party to concatenate information about the user and / or their user devices from a single public IP address and a single user identifier. Description of the invention
[0006] A method for controlling a communication session between a user device and a service system hosting a service that the user device requests access to is proposed herein. The user device is connected to a local communication network that includes a network gateway for accessing a wide area network. The method is executed in a control system. The method comprises:
[0007] - execute a first subscription phase comprising:
[0008] (i) allocate a set of public IP addresses to establish said session of communication with said service system,
[0009] (ii) receive, from said service system, a set of authentication tokens to authorize access to said service system,
[0010] - execute a second phase, establishing said communication session including:
[0011] (a) receive a request to access said service system, and select randomly a pair associating a public IP address and an authentication token from a list of pairs each associating a public IP address chosen from the set of public IP addresses obtained and an authentication token chosen from the set of authentication tokens obtained,
[0012] (b) establish said communication session with said service system using said selected couple.
[0013] Thus, it is possible to improve the security of communications between a user device and one or more service systems hosting services to which the user has access, by using a control system as an intermediary. In particular, the use of multiple public IP addresses associated with multiple authentication tokens allows the control system to anonymize requests issued by the user device to the service systems. Indeed, from the perspective of the service systems, these requests appear to originate from several different users or user devices and therefore cannot be linked to a single user. This anonymization of the information transmitted (i.e., the requests issued by the user) makes it possible to limit and complicate the aggregation of information concerning the user by a service provider or a malicious third party.Indeed, by communicating with service systems via the use of multiple public IP addresses and user identifiers (i.e., token). authentication), the control system disperses user information and thus obfuscates sensitive information such as personal information passing between the user device and service systems.
[0014] According to a particular embodiment, creating said list of pairs before said access request to said service system is received, said list of pairs being the same for several distinct communication sessions. Advantageously, it is possible to use the same list of pairs for several communication sessions.
[0015] According to a particular embodiment, creating said list of pairs after receiving said access request to said service system, said list of pairs being new for each communication session. Advantageously, a new list of pairs is created for each communication session, which allows for new combinations of public IP addresses and authentication tokens for each communication session.
[0016] According to a particular embodiment, allocating a set of public IP addresses to establish said communication session with said service system includes: allocating a set of public IP addresses for each service that said user device is authorized to access, or allocating a set of public IP addresses for several services that said user device is authorized to access. It is thus possible to have specific public IP addresses for particular services or to share public IP addresses, particularly when several service systems collaborate to provide a service to the user.
[0017] According to a particular embodiment, receiving said set of authentication tokens from said service system to authorize access to said service system comprises: obtaining a set of authentication tokens for each service to which said user device is authorized to access, or obtaining a set of authentication tokens for several services to which said user device is authorized to access. It is thus possible to have specific authentication tokens for particular services or to pool authentication tokens, particularly when several service systems collaborate to provide a service to the user.
[0018] According to one embodiment, each authentication token in said set of authentication tokens is valid for several distinct communication sessions over a predetermined validity period. It is thus possible to renew the authentication tokens to limit the redundancy of public IP address / authentication token pairs.
[0019] A method for maintaining a user device connected to a local communication network, including a network gateway for accessing a wide area network, is also proposed herein. The maintenance method comprises:
[0020] - establish a communication session between said user device and a system of a maintenance service hosting a maintenance service to which said user device requests access, by executing said communication session control process as described above,
[0021] - perform a maintenance operation on said user device, when said A communication session is established with said maintenance service system.
[0022] Generally speaking, "maintenance operation" means any type of action aimed at ensuring the maintenance of the user device, for example: a diagnosis of one or more malfunctions of the user device, repair operations or resolution of identified malfunctions.
[0023] Also proposed here is a system for controlling a communication session between a user device and a service system hosting a service that the user device requests access to, the user device being connected to a local communication network including a network gateway for accessing a wide area network. The control system includes electronic circuitry configured to:
[0024] - execute a first subscription phase comprising:
[0025] (i) allocate a set of public IP addresses to establish said session of communication with said service system,
[0026] (ii) receive, from said service system, a set of authentication tokens to authorize access to said service system, - execute a second phase, of establishing said communication session comprising:
[0027] (a) receive a request to access said service system, and select randomly a pair associating a public IP address and an authentication token from a list of pairs each associating a public IP address chosen from the set of public IP addresses obtained and an authentication token chosen from the set of authentication tokens obtained,
[0028] (b) establish said communication session with said service system using said selected couple.
[0029] Also proposed here is a network gateway for accessing a wide area network connected to a local area network. This network gateway includes a control system as described above.
[0030] Also proposed here is a computer program product, comprising instructions causing the execution, by a processor, of the process as described above, when said instructions are executed by the processor.
[0031] Also proposed here is a storage medium, storing a computer program comprising instructions causing the execution, by a processor, of the process as described above, when said instructions are read and executed by the processor. Brief description of the drawings
[0032] The features of the invention mentioned above, as well as others, will become clearer upon reading the following description of at least one exemplary embodiment, said description being made in relation to the accompanying drawings, among which:
[0033] [Fig-1] schematically illustrates an example of an implementation environment of a method for controlling a communication session between a user device and a service system, according to one embodiment;
[0034] [Fig.2] illustrates in diagram form the steps of the process of controlling a communication session between a user device and a service system, according to one embodiment;
[0035] [Fig.3] schematically illustrates an example of a hardware platform allowing the implementation, in the form of electronic circuitry, of the control system to execute all or part of the steps of the process of controlling a communication session illustrated in [Fig.2],
[0036] DETAILED DESCRIPTION OF IMPROVEMENTS
[0037] The general principle of this disclosure is to use a communication session control system which will act as an intermediary between the user device and the system hosting a service required by the user device to anonymize and obfuscate the information transmitted by the user during various communication sessions.
[0038] To this end, the control system is configured to allocate a set of public IP addresses to a service for establishing communication sessions. Each public IP address in this set is then associated with an authentication token, allowing the control system access to the service requested by the user device. In order to establish a secure communication session with a system (e.g., a server) hosting the required service, the control system randomly selects a public IP address / authentication token pair from a list of pairs. In other words, for each communication session with a system hosting a service, a specific public IP address / authentication token pair is used to establish the communication session.
[0039] The control system thus anonymizes and obfuscates the information transmitted by the user during the various communication sessions, since the user device no longer communicates directly with the system hosting the service using a single public IP address and a single user identifier. More specifically, from the perspective of the system hosting the service, each communication session is established by a different user device. It then becomes much more difficult for the service provider to concatenate the information transmitted by the user, since the communication sessions are established from different public IP addresses and different user identifiers (corresponding to authentication tokens).
[0040] Fig. 1 thus schematically illustrates an example of an implementation environment for a method of controlling a communication session, according to a particular embodiment.
[0041] Figure 1 shows a first local area network (LAN), denoted LAN (hereafter referred to as "local area network"). This LAN includes a network communication gateway, denoted GW (also hereafter referred to as "network gateway GW"). The network gateway GW is configured to operate primarily, but not exclusively, as a link and communication interface between the LAN and a second wide area network (WAN), denoted WAN (hereafter referred to as "wide area network"). Such a WAN is, for example, the Internet. The network gateway GW is configured to connect to the WAN, for example, via an ADSL or fiber optic connection, or via a 2G to 5G wireless radio connection.
[0042] In the example of [Fig. 1], a user device 100 is capable of connecting to the local area network (LAN), for example, to communicate with other user devices (not shown in [Fig. 1]), or to access the wide area network (WAN) via the network gateway GW. The network gateway GW is therefore configured to act as a router for this user device 100. The connection of user device 100 to the network gateway GW can be made via a wired connection (for example, Ethernet), or via other types of connection such as USB, wireless connection (for example, Wi-Fi, Bluetooth, Bluetooth Low Energy, Z-Wave, Zigbee, DECT-ULE, etc.). However, user device 100 is not necessarily configured or capable of connecting to the network gateway GW. Thus, user device 100 can be configured to access the wide area network (WAN) using a mobile radio network, for example, 3G, 4G, or 5G, or any other type of wireless network. another infrastructure allowing it to access the wide area network (WAN). In this case, the user device 100 includes a wireless communication interface of type 3G, 4G or 5G.
[0043] Thus, the term "user device" is understood to mean an electronic device belonging, or intended to belong (i.e., configured to belong), to the local area network (LAN).
[0044] For the purposes of this illustration, user device 100 is considered, for example, to be an audio / video (A / V) device for distributing audio and / or video content over the local area network (LAN). In the example of [Fig. 1], user device 100 is an audio-visual stream decoder, or TV decoder (also known as a "Set-Top Box," or STB), preferably a voice-activated TV decoder (or "Voice STB"). User device 100 (i.e., the voice-activated TV decoder) is further configured to capture and generate an audio recording corresponding to requests and responses issued verbally by user UT. For example, during a maintenance service for user device 100 (i.e., the voice-activated TV decoder), user UT can verbally issue requests (e.g., to request access to the maintenance service, etc.) and responses (e.g., to request access to the maintenance service)., responses to requests issued by the system hosting the maintenance service concerning details on the configuration of user device 100, etc.) for the diagnosis and resolution of malfunctions of user device 100. These requests and voice responses are intended to be transmitted by user device 100 to the system hosting the maintenance service (or maintenance system) and, where appropriate, to any other service systems collaborating with the maintenance system for the diagnosis and resolution of malfunctions of user device 100. .
[0045] It should be noted, however, that the user device 100 can also be, for example, a connected television (“Smart TV” in English), connected speakers, etc., which can connect to the network gateway GW, for example via Wi-Fi, for access to the wide area network WAN.
[0046] In the example in [Fig. 1], user UT has subscribed to various services from service providers and accessed over the WAN from the LAN via the network gateway GW. In the example in [Fig. 1], such services are:
[0047] - a maintenance service for user device 100, hosted in a system Maintenance 101. The Maintenance 101 system allows for the diagnosis and resolution of malfunctions in the user device 100. The Maintenance 101 system is, for example, a service provider's maintenance server configured to maintain all or part of the user devices 100. Diagnosing malfunctions in the user device 100 and their resolution can be carried out by the maintenance system 101 alone (i.e., all the steps necessary for the diagnosis and resolution of malfunctions are carried out by the maintenance system 101 alone) or in collaboration with other service systems (i.e., some steps necessary for the diagnosis and resolution of malfunctions are "outsourced" to other service systems which then carry out these steps in place of the maintenance system 101);
[0048] - a speech transcription service hosted by a transcription system 102. The transcription system 102 is, for example, a transcription server from a service provider configured to transcribe, or convert, spoken words or audio content into written or digital text. In particular, the transcription system 102 is configured to transcribe into text an audio or voice recording (e.g., user UT voice requests and responses) made by the user device 100;
[0049] - an artificial intelligence service hosted by an intelligence system artificial intelligence 103. This artificial intelligence system 103 is, for example, an artificial intelligence server from a service provider configured to guide the user UT in resolving technical problems related to the use and / or operation of the user device 100.
[0050] Hereafter, a "service system" is understood to mean a system hosting a service. Thus, such a service system is, for example, a maintenance system 101, a speech transcription system 102, or an artificial intelligence system 103.
[0051] When the user UT subscribes to a service, for example a maintenance service for the user device 100, other services may become involved in diagnosing and resolving malfunctions of the user device 100. For example, when the user UT wishes to diagnose and resolve malfunctions of the user device 100 via voice queries and responses captured and recorded by the user device 100, then the maintenance system 101 can collaborate with the voice transcription system 102 and the artificial intelligence system 103 for the diagnosis and resolution of malfunctions of the user device 100. For example, the transcription system 102 transcribes the user UT's voice queries and responses into text, and the artificial intelligence system 103 guides the user UT in resolving technical problems related to the operation of the user device 100.
[0052] Subsequently, in order to illustrate the implementation of the communication session control method described below, the service subscribed to by user UT is considered to be a maintenance service for user device 100 (e.g., a voice-activated TV decoder). This maintenance service uses various other services: transcription service hosted on transcription system 102 and artificial intelligence service hosted on artificial intelligence system 103, for the diagnosis and resolution of malfunctions of user device 100.
[0053] As described previously, in a conventional manner, when the user device 100 wishes to access the various service systems (e.g., maintenance system 101, transcription system 102, and / or artificial intelligence system 103), the communication sessions between the user device 100 and the various service systems are established from a single public IP address (e.g., the public IP address of the network gateway GW). Thus, the various service providers are able to aggregate, from this single public IP address, the information transmitted by the user UT when using these different services.
[0054] According to one embodiment, in order to secure communication sessions between the user device 100 and the various service systems (i.e., maintenance system 101, transcription system 102, and artificial intelligence system 103), the user UT subscribes to an obfuscation and anonymization service hosted in a communication session control system, denoted S (also referred to hereafter as "control system S"). This obfuscation and anonymization service makes it more difficult for service providers to concatenate the user UT's information from a single public IP address and a single user identifier to establish the communication session. Thus, in the example in [Fig. 1], the control system S is configured to perform all or part of the steps of the communication session control process described below.
[0055] The exact definition of a "communication session" (or "usage sequence") depends on the service(s) required. Generally, it corresponds to a series of one or more requests / responses for which the service(s) need a history or context to provide the user UT with a relevant response. For example, for a virtual maintenance assistant of a maintenance service that needs to communicate with the user UT to resolve a problem (e.g., during maintenance on a voice-activated TV decoder), the usage sequence is the series of requests from the user UT and responses from the maintenance service associated with the problem in question.
[0056] In one embodiment, the control system S is available on the local area network LAN, for example by being integrated into the network gateway GW.
[0057] In one variant, the control system S is accessible on the wide area network (WAN) from the local area network (LAN) via the network gateway (GW). The control system S is then hosted on a dedicated server or in the cloud.
[0058] Figure 2 illustrates in diagram form the steps of the process for controlling a communication session according to one embodiment. The process for controlling a communication session is therefore implemented in the control system S.
[0059] During a first phase 200, referred to as the "subscription phase 200", the user UT subscribes to the obfuscation and anonymization service hosted on the control system S. A user profile for the user UT is then created with this obfuscation and anonymization service. The control system S stores this user profile in memory, which includes, for example, a list of services to which the user UT has access rights (e.g., the maintenance service, the transcription service, the artificial intelligence service).
[0060] During this subscription phase 200, in a step 201, the control system S first provides several public IP addresses (IP1, IP2...IP) to establish communication sessions with the various service systems to which the user UT has access rights (e.g., maintenance system 101, transcription system 102, artificial intelligence system 103). For this purpose, in one example, the control system S is a physical server with several physical and / or virtual network interfaces, each having its own public IP address. In another example, the control system S is a set of physical servers, each having one or more physical and / or virtual network interfaces, each with its own public IP address. In other words, the control system S provides several public IP addresses (IP1, IP2...IP)IPi) by means of one or more servers, each having one or more physical and / or virtual network interfaces.
[0061] Next, the control system S allocates, to each service system for which the user UT has access rights, a set of public IP addresses comprising one or more of these public IP addresses in order to establish communication sessions with the service system in question. Thus, each service is allocated a specific set of IP addresses. The list of services recorded by the control system S when the user UT subscribes to the obfuscation and anonymization service therefore also includes, for each service to which the user UT has access rights, a set of public IP addresses allocated to that service.
[0062] The control system S is therefore configured to use one or more different public IP addresses depending on the service required by the user UT, so that for each service and each communication session, a different public IP address from the point of view of the required service system can be used.
[0063] According to one embodiment, the same set of public IP addresses is allocated to a particular service or to a set of distinct services, referred to as a "multiservice set". Thus, in a first example, the control system S allocates:
[0064] - a first set of public IP addresses comprising the IP addresses Public IPb, IP2 and IP3 to the 101 maintenance system,
[0065] - a second set of public IP addresses comprising the IP addresses public: IP4, IP5, IP6 to the 102 transcription system, and
[0066] - a third set of public IP addresses comprising the IP addresses public: IP7, IP8 and IP9 to the artificial intelligence system 103.
[0067] In a second example, the control system S allocates a single set of public IP addresses to all service systems, namely the maintenance system 101, the transcription system 102, the artificial intelligence system 103. For example, the control system S allocates the set of public IP addresses comprising the public IP addresses: IPb, IP2 and IP3, to all service systems.
[0068] According to another embodiment, when the control system S allocates a different set of public IP addresses from one service to another, these distinct sets of public IP addresses may include one or more common public IP addresses. For example, the control system S allocates:
[0069] - to the maintenance system 101 a first set of public IP addresses including the public IP address (IPi),
[0070] - to the transcription system 102 a second set of public IP addresses including public IP addresses IP2 and IP3,
[0071] - to the artificial intelligence system 103 a third set of IP addresses public including the public IP address IP2 which is then common with the 102 transcription system.
[0072] The first, second and third sets are different from one service system to another, but the second and third sets of public IP addresses include one public IP address in common.
[0073] Following step 201 or concurrently with it, during a step 202, for each service to which the user UT has access, the control system S obtains a set of authentication tokens (Tki, Tk2...Tkj) for the identification and authentication of the control system S and the authorization of access to the service in question. In one example, an authentication token is of type API key (Application Programming Interface). The authentication token therefore corresponds to a user identifier allowing the control system S to be identified and authenticated with each service system and, where appropriate, authorize it to access the service required by the UT user.
[0074] In particular, the control system S receives from the service system(s) (e.g., maintenance system 101, transcription system 102, artificial intelligence system 103) a set of authentication tokens to identify and authenticate the control system S and authorize access to the control system S. The list of services recorded by the control system S therefore further includes, for each service, a set of authentication tokens allowing the control system S to identify and authenticate itself with the services required by the user UT and then access these required services when authorized.
[0075] According to one embodiment, the same set of authentication tokens (Tkb Tk2.. .Tkj) is assigned to a particular service or to a multi-service set.
[0076] Thus, in a first example, the maintenance system 101 transmits a first set of authentication tokens comprising the authentication tokens TkB Tk2, Tk3, the transcription system 102 transmits a second set of authentication tokens comprising the authentication tokens Tk4, Tk5, Tk6, and the artificial intelligence system 103 transmits a third set of authentication tokens comprising the authentication tokens Tk7, Tk8, Tk9.
[0077] According to a second example, the maintenance system 101, the transcription system 102, and the artificial intelligence system 103 transmit the same set of authentication tokens, comprising the authentication tokens TkB, Tk2, and Tk3, to the control system S. In this case, the authentication tokens of this set allow the control system S to be identified and authenticated against these three service systems. This might be the case, for example, when these three services are going to work together to perform, for example, a maintenance operation on the user device 100 (i.e., diagnosing and resolving malfunctions of the user device 100).
[0078] According to another embodiment, when the set of authentication tokens differs from one service to another, these distinct sets of authentication tokens may include one or more common authentication tokens. For example:
[0079] - the maintenance system 101 transmits a first set of tokens authentication including Tki and Tk2 authentication tokens,
[0080] - the transcription system 102 transmits a second set of tokens authentication including Tk2 and Tk3 authentication tokens,
[0081] - the artificial intelligence system 103 transmits a third set of tokens authentication including Tki and Tk3 authentication tokens.
[0082] The first, second and third sets are different from one service to another, but include common authentication tokens: the authentication token Tk1 is common for the maintenance system 101 and the artificial intelligence system 103, the authentication token Tk2 is common for the maintenance system 101 and the transcription system 102, and the authentication token Tk3 is common to the transcription system 102 and the artificial intelligence system 103.
[0083] In one embodiment, an authentication token is valid for several distinct communication sessions over a predetermined validity period (e.g., 6 months, 1 year, etc.). Beyond the predetermined validity period, the authentication tokens are renewed. Thus, new authentication tokens are obtained by the control system S for each service to which the user UT has access. It is therefore possible, for example, to limit the redundancy of public IP address / authentication token pairs by regularly renewing the set of authentication tokens for a service.
[0084] During a second phase 2001 called "establishing a communication session 2001", the user UT requests access to a service via, for example, his user device 100. In order to secure the exchanges between the user device 100 and the different service systems, the control system S will play the role of intermediary in order to obfuscate and anonymize the information transmitted by the user device 100.
[0085] For example, the user device 100 encounters a malfunction at one of its input / output interfaces such as, for example, a video output (HDMI connection (“High-Definition Multimedia Interface”), analog video connection, or other) rendering the display inoperative or of reduced quality (this can, for example, occur in the event of a failure of HDCP (“High-Bandwidth Digital Content Protection”) negotiation, a hardware malfunction of the device’s video output, or a problem with the video link cable), or a malfunction at the level of buttons present on the device, or a malfunction on input interfaces such as a remote control or a keyboard, or other types of malfunction.
[0086] The user UT will therefore call upon the maintenance service to which he has subscribed and activate the maintenance assistance of his user device 100, for example via a dedicated key of a remote control configured to control the user device 100, or a wake word (“WakeWord” in English) allowing the start of the maintenance assistance and the recording of the requests and voice responses of the user UT.
[0087] Thus, during step 203, the control system S receives a voice request from the user device 100 for access to one or more services to which the user UT has subscribed. A communication session between the user device 100 and the various service systems required by the latter is therefore established via the control system S.
[0088] In particular, upon receiving the access request to the service system(s), the control system S then randomly selects, for each required service, a pair associating a public IP address and an authentication token from a list of pairs, each pair associating a public IP address chosen from the set of public IP addresses allocated to the service and an authentication token chosen from the set of authentication tokens obtained for that service. This selected IP address / authentication token pair is then used to establish the communication session between the control system S and the required service system, and this is maintained throughout the entire communication session (i.e., all exchanges or sequences of requests / responses during the communication session are carried out using this pair).
[0089] This list of pairs is created by the control system S, which allocates a public IP address chosen from the set of public IP addresses allocated to the service to an authentication token chosen from the set of authentication tokens obtained for that service. In other words, for each service, a list of public IP address / authentication token pairs is created.
[0090] According to one embodiment, this list of pairs is created during the subscription phase 200, after step 202. This list of pairs is therefore common or valid for several distinct communication sessions. This is the case, for example, when the list of pairs includes all possible public IP address / token pairs.
[0091] In one variant, this list of pairs is created during the establishment phase of the communication session 2001, upon receipt of the access request to the service(s). This list of pairs is therefore specific to each communication session and valid only for that particular communication session. In other words, a list of pairs is created for each communication session with the requested service. This is the case, for example, when the list of pairs includes a predetermined number of public IP address / token pairs, and not all possible public IP address / token pairs.
[0092] According to one embodiment, in the case where the number of pairs is less than a predetermined threshold, it is possible to require that a pair already used during the last N communication sessions not be reused (e.g., for the same user UT, or the same service).
[0093] During a step 204, the control system S establishes a secure communication session with the various service systems from the public IP address / authentication token pair selected for each service system.
[0094] All exchanges carried out during the communication session between the service system(s) and the user device 100 are conducted via the control system S, which acts as an intermediary to anonymize and obfuscate the information transmitted by the user device 100. In particular, identification, authentication, and authorization of access to the service are performed on the control system S and not on the user device 100 itself. It is thus possible to obfuscate and anonymize the information transmitted by the user UT to the service systems by dispersing the information provided by the user UT and thereby anonymizing information that may be of a personal nature. For example, the user UT can thus benefit from a maintenance service on their user device 100 (e.g., a voice-activated TV decoder) without exposing their personal information to services (e.g.conversational agent implemented by an artificial intelligence system 103 to assist the user UT in resolving a malfunction observed on their user device 100).
[0095] According to one embodiment, the communication session control method can also anonymize information originating from any set of user devices present on the local area network (LAN). The obfuscation and anonymization service can be implemented either on the network gateway (GW), which then acts as a proxy, or on a proxy located on the wide area network (WAN).
[0096] According to this embodiment, the proxy detects that the service targeted by the user device is among the services to which the user UT has access and which are registered by the control system S integrated into the proxy. The proxy will then use the control system S to propagate the request to the service, possibly modifying the authentication token (e.g., if it is present in the initial request from the user device), in the request that will be sent from the proxy's control system S to the system hosting the required service.
[0097] Figure 3 schematically illustrates an example of a hardware platform for implementing, in the form of electronic circuitry, the control system S to execute all or part of the steps of the communication session control process illustrated in Figure 2.
[0098] The hardware platform comprises, connected by a communication bus 310: a processor or CPU (Central Processing Unit) 301; a RAM (Random-Access Memory) 302; a read-only memory 303, for example of the ROM (Read Only Memory) or EEPROM type (" Electrically-Erasable Programmable ROM), such as Flash memory; a storage unit, such as a hard disk drive (HDD) 304, or a storage media reader, such as an SD card reader (Secure Digital); and a Vf interface manager 305.
[0099] The I / F interface manager 305 allows the control system S to interact with user devices such as user device 100 and service systems such as maintenance system 101, transcription system 102 and artificial intelligence system 103.
[0100] The processor 301 is capable of executing instructions loaded into RAM 302 from ROM 303, external memory, a storage medium (such as an SD card), or a communication network. When the hardware platform is powered on, the processor 301 is capable of reading instructions from RAM 302 and executing them. These instructions form a computer program causing the processor 301 to implement all or part of the steps, processes, and operations described herein.
[0101] All or part of the steps, processes, and operations described herein can thus be implemented in software form by the execution of a set of instructions by a programmable machine, for example, a DSP (Digital Signal Processor) or a microcontroller, or be implemented in hardware form by a dedicated machine or electronic component (chip) or a dedicated set of electronic components (chipset), for example, an FPGA (Field Programmable Gate Array) or ASIC (Application-Specific Integrated Circuit). Generally, the control system S comprises electronic circuitry adapted and configured to implement the operations, processes, and steps described herein.
[0102] Examples of a maintenance procedure for a user device 100 of the type voice-controlled TV decoder connected to the local area network LAN via the network gateway GW will now be described in detail.
[0103] It is assumed that a communication session is established between the TV decoder 100 and the service system 101 hosting a maintenance service to which the TV decoder 100 requests access, having previously executed the communication session control procedure as described above.
[0104] In a conventional manner, peripheral equipment can be associated with the TV 100 decoder. This peripheral equipment is, for example, connected to the TV 100 decoder via a dedicated input / output interface. This connection can be established via Wi-Fi, HDMI, Bluetooth, etc. Such peripheral equipment allows the user UT to interact with the TV 100 decoder. For example, a television is connected to the TV 100 decoder and adapted to display the Decoded A / V streams. A remote control allows the UT user to remotely operate the TV 100 decoder.
[0105] Normally, the TV 100 decoder is configured to interact with its associated peripheral equipment (e.g., remote control, keyboard, television screen, etc.). The user UT can, for example, use a remote control to interact with their television screen connected to the TV 100 decoder.
[0106] However, when these peripheral devices are inoperative or malfunctioning, the UT user requests assistance from the maintenance service, for example by issuing a voice request which is captured, recorded and sent by the TV 100 decoder.
[0107] It is assumed that the TV decoder 100 is experiencing a malfunction in its communication interfaces with peripheral equipment (e.g., input / output interfaces of the TV decoder), such as the television and the remote control. One or more of these peripheral devices may be inoperative.
[0108] Preferably, the maintenance service makes it possible to diagnose malfunctions of the TV decoder and / or its peripheral equipment and to apply the necessary actions to resolve the malfunctions.
[0109] In particular, the 101 maintenance system is a service provider's maintenance server configured to provide maintenance for all or part of the user devices on the local area network (LAN), in particular the 100 TV decoder and its peripherals.
[0110] According to one example, the remote control previously associated or paired with the TV decoder (for example by association (or “pairing” in English) according to the ZigBee communication protocol in the case of a remote control implementing the RF4CE profile, or by association according to the Bluetooth communication protocol, or according to another wireless communication protocol) is considered to be inoperative.
[0111] The remote control is considered inoperative when, for example: the remote control is not paired (or associated) with the TV 100 decoder, the remote control is paired, but its signal is too weak (i.e., below a predetermined signal power threshold) to be properly detected by the TV 100 decoder, the remote control is detected by the TV 100 decoder but the pairing is not effective due to a problem recognizing encryption keys, etc.
[0112] Thus, during the maintenance operation, the TV decoder 100 transmits, in the current communication session, to the maintenance system 101 an association information representative of an association (or pairing) with one or more remote controls at the time of the maintenance operation.
[0113] This information includes, for example:
[0114] - an indication that the TV decoder 100 is not paired with any remote control, or a list of the remote controls to which the TV 100 decoder is paired (or associated) at the time of the maintenance operation, this list being potentially empty if no remote control is paired with the TV 100 decoder, and / or
[0115] - an indication that one or more paired remote controls are detected at proximity to the TV 100 decoder, combined with a signal strength measurement for each detected remote control, and / or,
[0116] - an indication that a remote control recognized by the TV 100 decoder is detected, but it cannot communicate with it because the encryption key is rejected by the remote control.
[0117] In response to receiving this association information, when no remote control is paired or if the remote control that the user UT is trying to operate does not belong to the list (or table) of associated remote controls (in the case of a new remote control), then the maintenance system sends, in the current communication session, to the TV decoder 100 a command to put into pairing mode or an association command, for example.
[0118] This association command then allows the association of a new remote control or a new association with a remote control already known (i.e., already registered in the list of associated remote controls) of the TV decoder. In the latter case, as soon as the TV decoder executes this association command, the contents of the association list (or table) (e.g., the list in which wireless peripheral equipment with which the TV decoder 100 has previously associated is referenced) are deleted at least in part, so that the TV decoder 100 launches an association procedure adapted to detect the remote control and register it in the list (or table).
[0119] In another example, when one or more paired remote controls are detected near the TV decoder 100, but the signal level is low (i.e., below a predetermined signal power threshold), the maintenance system 101 then transmits to the user UT a suggestion to change the batteries of the remote control, for example via the display of a message on a communication device (e.g., smartphone).
[0120] Similarly, if the remote control is detected but the TV decoder 100 cannot communicate with it, the maintenance system 101 can send, in the current communication session, a command to forget the remote control and then to switch to pairing mode in order to force a renegotiation of the encryption keys.
[0121] According to another example, in order for the maintenance system 101 to detect that the remote control is inoperative, the TV decoder 100 sends, in the current communication session, information related to the previous starts of the TV 100 decoder (for example, the number of restarts during a given period of time, such as the last ten minutes or the last hour), as well as information related to the last remote control key presses received by the TV 100 decoder (for example, whether there was no key press detected between the last two or five starts).
[0122] According to another example, in which the display on the TV screen is considered inoperative (e.g., because the HDMI configuration settings used by the TV decoder 100 are incorrect or not supported by the screen), the TV decoder 100 is configured to send video configuration information (e.g., resolution) and the model of the TV associated with the TV decoder to the maintenance system 101 during the current communication session. Based on this information, the maintenance system 101 may determine a suitable resolution for the screen and sends a resolution change command to the TV decoder 100 during the current communication session. Upon receiving this command, the TV decoder 100 executes it, thereby changing the screen resolution so that the display is visible to the user UT.The 101 maintenance system can also transmit directly to the TV 100 decoder, within the current communication session, a default configuration assumed to be supported by all television screen models, without needing to have received information about the television model from the TV 100 decoder.
[0123] According to another example, upon receiving configuration information from the TV decoder 100 (e.g., address of a current server), the maintenance system 101 transmits, in the current communication session, to the TV decoder 100 a new address of a new server necessary for the proper start-up or operation of the TV decoder 100.
[0124] Another example considers the diagnosis and repair of a non-functional HDMI connection between the TV 100 decoder and the television. If the remote control is functional, the user UT can initiate the maintenance service by pressing a button on the remote control or otherwise by voice by saying a "WakeWord". Once the communication session has been established as described above, the user UT can freely communicate with a remote voice assistant within this same session, without risking the disclosure of sensitive information specific to their environment and / or personal data to the various service servers that might be involved in identifying and resolving the identified malfunction.
[0125] As illustrated in the examples above, all data exchanged between the maintenance service 101 and the user within the framework of the maintenance process according to the invention, in particular the information emitted by the TV decoder 100 (more generally the user device 100) are obfuscated in such a way as to ensure the anonymity of the UT user, which helps to improve the security of communications between the TV decoder 100 and service systems and the protection of information concerning the UT user.
Claims
Demands
1. A method for controlling a communication session between a user device (100) and a service system hosting a service to which said user device (100) requests access, said user device (100) being connected to a local area network (LAN) comprising a network gateway (GW) for access to a wide area network (WAN), said method being executed in a control system (S), and said method being characterized in that it comprises: - executing a first subscription phase comprising: (i) allocating (201) a set of public IP addresses to establish said communication session with said service system, (ii) receiving (202), from said service system, a set of authentication tokens to authorize access to said service system, - executing a second phase,establishing said communication session comprising: (a) receiving (203) a request to access said service system, and randomly selecting a pair associating a public IP address and an authentication token from a list of pairs, each associating a public IP address chosen from the set of public IP addresses obtained and an authentication token chosen from the set of authentication tokens obtained, (b) establishing said communication session with said service system using said selected pair.
2. Method according to claim 1, said method further comprising: creating said pair list before said request to access said service system is received, said pair list being the same for several separate communication sessions.
3. Method according to claim 1, said method further comprising: creating said list of pairs after receiving said request to access said service system, said list of pairs being new at each communication session.
4. A method according to any one of claims 1 to 3, wherein allocating a set of public IP addresses to establish said communication session with said service system comprises: - allocate a set of public IP addresses for each service that said user device (100) is authorized to access, or - allocate a set of public IP addresses for multiple services that said user device (100) is authorized to access.
5. A method according to any one of claims 1 to 4, wherein receiving said set of authentication tokens from said service system to authorize access to said service system comprises: - obtaining a set of authentication tokens for each service to which said user device (100) is authorized to access, or - obtaining a set of authentication tokens for several services to which said user device (100) is authorized to access.
6. A method according to any one of claims 1 to 5, wherein each authentication token of said set of authentication tokens is valid for several distinct communication sessions over a predetermined period of validity.
7. A method for maintaining a user device (100) connected to a local area network (LAN) comprising a network gateway (GW) for accessing a wide area network (WAN), said maintenance method being characterized in that it comprises: - establishing a communication session between said user device (100) and a maintenance service system hosting a maintenance service to which said user device (100) requests access, by executing said method for controlling a communication session according to any one of claims 1 to 6, - performing a maintenance operation on said user device (100), when said communication session is established with said maintenance service system.
8. A system for controlling a communication session between a user device (100) and a service system hosting a service that said user device (100) requests access to, said user device (100) being connected to a local area network (LAN) comprising a network gateway (GW) for access to a wide area network (WAN), said control system (S) being characterized in that it comprises electronic circuitry configured to: - perform a first subscription phase comprising: (i) allocating (201) a set of public IP addresses to establish said communication session with said service system, (ii) receiving (202), from said service system, a set of authentication tokens to authorize access to said service system, - perform a second phase, of establishing said communication session comprising: (a) receiving (203) a request to access said service system, and randomly selecting a pair associating a public IP address and an authentication token from a list of pairs each associating a public IP address chosen from the set of public IP addresses obtained and an authentication token chosen from the set of authentication tokens obtained,(b) establish (204) said communication session with said service system using said selected pair.
9. A network gateway (GW) providing access to a wide area network (WAN) connected to a local area network (LAN), said network gateway (GW) being characterized in that it comprises a control system (S) according to claim Q
10. O. Product computer program, comprising instructions causing a processor to execute the method according to any one of claims 1 to 6, when said instructions are executed by the processor.
11. Storage medium, storing a computer program comprising instructions causing a processor to execute the method according to any one of claims 1 to 6, when said instructions are read and executed by the processor.