Network connectable sensing device

Document No.: 1804701 Publication date: 2021-11-05

Reading note: This technology, "Network connectable sensing device", was designed by 斯特凡·迈耶, 伊万·奥尔切夫斯基, 斯蒂芬·鲍尔默 and 弗拉德·特里法 on 2019-12-24. Main content: The present invention relates to a sensing device (1) configured to selectively operate in a manufacturing mode, an unconfigured mode, a configured mode and an end-of-life mode. In the manufacturing mode, the electronic circuit (14) permanently stores the unique code (149) in the storage medium (12), while in the unconfigured mode, the electronic circuit (14) waits for the configuration code (31) to generate the private key and the public key (143). In a configuration mode, the electronic circuit (14) signs the time stamp (146) provided by the timing unit (13) and the data (110) provided by the sensing unit. The collected data (110), timestamp (146), digital signature (144), and public key (143) are then transmitted. In an end-of-life mode, the electronic circuit (14) permanently erases the private key.

1. A sensing device (1) comprising:

a sensing unit (11) for sensing at least one given phenomenon;

a storage medium (12) for storing digital data;

a communication unit (15) for receiving and transmitting digital data and/or signals;

a timing unit (13) for providing a timestamp; and

an electronic circuit (14) operatively connected to the storage medium (12), the sensing unit (11), the communication unit (15) and the timing unit (13);

wherein the sensing device (1) is configured to selectively operate in:

- a manufacturing mode, wherein the electronic circuit (14) is configured to permanently store a unique code (149) in the storage medium (12);

- an unconfigured mode, wherein the electronic circuit (14) is configured to wait for receipt of a configuration code (31) from a configuration device (3) and, in response to a configuration code (39) matching the sensing device's unique code (149), to:

generate a private key (142) for signing the data, and

derive a public key (143) for verifying data signed by the private key (142);

- a configuration mode, wherein the electronic circuitry (14) is configured to collect data (110) provided by the sensing unit (11) and to:

sign the collected data and a timestamp provided by the timing unit (13) with the private key (142) to provide a digital signature (144) verifiable by the public key (143), and

transmit packaged data (140) to a gateway device (4) and/or a server (5), the packaged data (140) comprising the collected data (110), the timestamp (146), the digital signature (144), and the public key (143); and

- an end-of-life mode, wherein the electronic circuit (14) is configured to permanently erase the private key (142).

2. The sensing device of claim 1, wherein, in the manufacturing mode, the electronic circuit (14) is configured to receive the unique code (149) from a manufacturing device (2).

3. The sensing device of claim 2, wherein, in the manufacturing mode, the electronic circuitry (14) is configured to send a serial number (148) to the manufacturing device (2); preferably, the serial number is a unique identifier assigned to the sensing device (1).

4. The sensing device according to any one of claims 1 to 3, wherein the sensing device (1) is configured to switch from the manufacturing mode to the unconfigured mode in response to storing the unique code (149) in the storage medium (12) and/or receiving a sleep signal (20) provided by the manufacturing device (2).

5. The sensing device according to any one of claims 1 to 4, wherein the electronic circuit (14) is configured to apply configuration settings (32) provided by the configuration device (3) in response to a configuration code (31) matching a unique code (149) of the sensing device;

the configuration settings (32) include: a sensing device identifier (141) to be transmitted in the packaged data; and/or

settings of the sensing unit, such as measurement rate or frequency, measurement accuracy, sensing threshold, activation/deactivation of sensing elements of the sensing unit; and/or

settings of the communication unit; and/or

settings of a clock and/or of the timing module, such as settings and/or synchronization signals; and/or

a triggering event that triggers measurement and/or collection of data provided by the sensing unit;

and packaging information.

6. The sensing device according to any one of claims 1 to 5, wherein, in the unconfigured mode, the communication unit (15) is configured to establish near field communication (151) with the configuration device (3).

7. The sensing device according to any one of claims 1 to 6, wherein, in the unconfigured mode, the communication unit (15) is configured to establish an unsecured or secured communication with the configuration device (3) based on a shared key (147);

preferably, the shared secret key (147) is retrieved and/or generated by the electronic circuit (14); preferably, the shared secret key (147) is stored in the storage medium (12).

8. The sensing device according to claim 7, the electronic circuit (14) being configured to receive a pre-shared key (30) from the configuration device (3) and to generate the shared key (147) from the pre-shared key (30) and from secret data, in particular the unique code (149).

9. The sensing device according to any one of claims 1 to 8, wherein the sensing device (1) is configured to switch from the unconfigured mode to the configured mode in response to generation of the private key (142), and/or derivation of the public key (143), and/or application of the configuration settings (32), and/or reception of a wake-up signal (33) provided by the configuration device (3).

10. The sensing device according to any one of claims 1 to 9, wherein, in the configuration mode, the electronic circuitry (14) is configured to store the collected data in the storage medium (12) and, in response to a request signal (40) provided by the gateway device (4) and/or the server (5):

sign the collected data (110) and the timestamp (146); and

transmit the packaged data (140).

11. The sensing device of claim 10, wherein, in the configuration mode, the electronic circuitry (14) is configured to receive an acknowledgement signal (33) from the gateway device (4) and/or the server (5) acknowledging the secure receipt of the packetized data, and to remove the collected data from the storage medium (12) in response to receipt of an acknowledgement signal (41).

12. The sensing device of any one of claims 1 to 11, wherein, in response to receipt of an end-of-life signal, the sensing device is configured to switch to the end-of-life mode.

13. The sensing device according to any one of claims 1 to 12, wherein, in the configuration mode, the communication unit (15) is configured to establish a local communication (152) with the gateway device (4);

preferably, the local communication is: wireless local area network communication, radio wireless local area network communication, bluetooth communication, ANT communication, wired communication, USB communication, or a combination thereof.

14. The sensing device according to any one of claims 1 to 13, wherein, in the configuration mode, the communication unit (15) is configured to establish a peer-to-peer communication (152) with the gateway device (4);

preferably, the point-to-point communication relies at least on a point-to-point computer network connection, such as a wired and/or wireless cellular network, a satellite network, a wired network, and/or combinations thereof.

15. The sensing device according to any one of claims 1 to 14, wherein, in the end-of-life mode, the electronic circuitry (14) is configured to permanently erase the collected data (110) provided by the sensing unit (11) and to switch the sensing device to the unconfigured mode.

16. The sensing device according to any one of claims 1 to 14, wherein, in the end-of-life mode, the electronic circuitry (14) is configured to permanently disable the sensing device (1).

17. Sensing device according to any one of claims 1 to 16, the timing unit (13) being configured to provide clock synchronization with a reference time, in particular with a coordinated universal time, by acquiring a synchronization signal;

preferably, said synchronization signal is a radio, satellite and/or cable synchronization signal provided by said communication unit (15) and/or global positioning system (17) and/or radio antenna;

preferably, the timing unit (13) comprises or is operatively connected to a slave clock (131), preferably the slave clock is a radio slave clock (131).

18. Sensing device according to any of claims 1 to 17, further comprising a protective casing (10) for preventing vandalism; preferably, the protective casing (10) is a watertight and/or airtight casing;

the protective case (10) encloses the communication unit (15), the sensing unit (11), the storage medium (12), the electronic circuit (14), the timing unit (13), the global positioning system (17) and/or the radio antenna, the clock (131).

19. The sensing device according to claim 18, further comprising a breach detector (16) configured to detect a breach of the protective casing (10); preferably, the breach detector (16) is enclosed in the protective casing (10); wherein

in response to detecting a breach, the sensing device is configured to switch to the end-of-life mode.

20. The sensing device of any one of claims 1 to 19, further comprising:

an energy storage module (18) for powering the electronic circuit (14), the communication unit (15), the sensing unit (11), the storage medium (12), the electronic circuit (14), the timing unit (13), the breach detector (16), the global positioning system (17), the clock (131) and/or the radio antenna; preferably, the energy storage module (18) is enclosed in the protective casing (10); wherein

the electronic circuitry (14) is configured to detect that the remaining energy of the storage module (18) is below a given energy threshold, and to switch the sensing apparatus (1) to the end-of-life mode in response to detecting that the remaining energy is below the threshold.

21. The sensing device according to any one of claims 1 to 20, the electronic circuit (14) being configured to collect data provided by the sensing unit (11) in response to a motion and/or acceleration detected by an accelerometer (19), preferably in response to a motion and/or acceleration above a detection threshold, preferably the configuration setting (32) comprising the detection threshold.

22. A method for transmitting data from a sensing device (1), the method comprising the steps of:

- permanently storing the unique code (149) in a storage medium (12) of the sensing device (1);

- generating a private key (142) and a public key (143) on the sensing device (1) in response to providing a configuration code (31) matching the unique code (149), the configuration code preferably being provided by a configuration device (3);

- signing, on the sensing device (1), the collected data provided by the sensing unit (11) and the timestamp (146) provided by the timing unit (13) by means of the private key (142) to provide a digital signature (144);

- transmitting to a server (5) packaged data (140) comprising the collected data (110), the timestamp (146), the digital signature (144) and the public key (143); and then

- permanently erasing the private key (142) on the sensing device (1) in response to detecting that the protective case (10) of the sensing device is broken, and/or detecting that the remaining energy of the storage module (18) of the sensing device is below a given energy threshold, and/or receiving an end-of-life signal.

23. The method according to claim 22, further comprising activating on the server (5) the public key (243) generated on the sensing device (1);

preferably, said activation comprises transmitting said public key (143) to said server (5) by said configuration means (3).

Technical Field

The present invention relates to a network-connectable sensing device, and more particularly, to a network-connectable multi-sensing device.

Background

Network-connectable sensing devices, such as internet of things (IoT) devices, are electronic devices that remotely provide physical entity measurements (data) to a receiving device (e.g., a server) either directly or through a gateway. Most of them rely on Bluetooth Low Energy (BLE) communication to transmit these data.

Since data is transmitted over an uncontrolled medium, the data is susceptible to interference or malicious attacks, which can lead to unsafe or critical situations.

Even if some network-connectable sensing devices are configured to encrypt data, the network-connectable sensing devices are still vulnerable to interference or malicious attacks, particularly attacks based on identity replacement, key replacement, and/or retransmission of old intercepted data.

Disclosure of Invention

It is an object of the present invention to provide a sensing device capable of measuring a physical entity and transmitting the results remotely in a manner that is more resistant to interference and malicious attacks than known systems and methods.

According to the present invention, this object is achieved by a network-connectable sensing device according to claim 1 and a method for transmitting data from a sensing device to a server according to claim 22.

This solution provides a more stable transmission of physical entity measurements provided by the sensing device, because:

the permanent unique code prevents unauthorized or malicious generation or regeneration of the private and public keys;

the packaged data provides a public key that allows verification of the integrity of the collected data (e.g., measurements); and

the timestamp makes the signature of each packaged data unique.

Drawings

The invention will be better understood from the description of an embodiment given by way of example and illustrated by the accompanying drawings, in which:

FIG. 1 shows a schematic diagram of a communication system including a network-connectable sensing device according to the present invention;

FIG. 2 illustrates an exemplary flow diagram of the sensing device of FIG. 1 operating in a manufacturing mode;

FIG. 3 illustrates an exemplary flow diagram of the sensing apparatus of FIG. 1 operating in an unconfigured mode;

FIG. 4 illustrates an exemplary flow diagram of the sensing apparatus of FIG. 1 operating in a configuration mode;

FIG. 5 shows an exemplary flow diagram of the operational modes of the sensing device of FIG. 1.

Detailed Description

Fig. 1 shows a schematic view of a communication system comprising a network-connectable sensing device 1, which sensing device 1 is configured to remotely provide measurements of a given physical quantity or phenomenon, in particular in the form of digital data, to a remotely located server 5.

The server 5 may be any electronic device providing storage and/or analysis of provided measurements, such as a computer, portable computer, smartphone, smartwatch, tablet, portable device, or any other suitable device.

The sensing device 1 of fig. 1 comprises a sensing unit 11 for sensing one or more desired (physical) phenomena, i.e. events or changes of or affecting the sensing device or the environment in which the sensing device is located. In particular, the sensing unit 11 may be configured to sense (measure): temperature (of the environment and/or the sensing device), humidity, light, position (relative and/or absolute) of the sensing device, acceleration of the sensing device, or impact affecting the sensing device, or a combination thereof.

The sensing device 1 comprises a communication unit 15 for transmitting the data collected from the sensing unit 11 to the server 5, in particular in the form of packetized data 140, directly or via the gateway device 4. The communication unit 15 is further configured to receive digital data and/or signals from the server 5, the gateway device 4 or from another device 2, 3.

The gateway device may be any device providing data transmission between the sensing device 1 and the server. The gateway device may be a mobile, transportable or static device.

The sensing device 1 further comprises an electronic circuit 14 which provides a signature 144 of the transmitted data 110 using the private key of a given asymmetric key pair, so that the server 5 and/or the gateway device 4 can verify the integrity of the transmitted data using the public key 143 of that key pair. Public and permanent verification is achieved by providing the digital signature 144 and the public key 143 with the packaged data 140.

The packed data 140 further comprises a timestamp 146 provided by the timing unit 13 of the sensing device 1, which timestamp is also signed by the (same) private key.

The timestamp 146 is a sequence of symbols (represented in digital format) that identifies the occurrence of a phenomenon-sensing, data-acquisition and/or transmission event. The symbols may be a function of, or represent, a given date and time, preferably accurate to a fraction of a second. Alternatively, the timestamp may be a unique sequence of symbols (e.g., a random or pseudo-random sequence of symbols) assigned to a phenomenon-sensing, data-acquisition, and/or transmission event.

The symbols of the timestamp 146 may contain or include: an alphanumeric symbol, one or more numeric symbols, one or more binary digits, one or more printed symbols, and/or one or more graphical symbols, or a combination thereof.

The absolute (or at least relative) uniqueness of the timestamp ensures the uniqueness of the generated signature (the signature of each packed data is different from the signatures of other packed data), which provides (intrinsic) detection of spoofing or malicious attacks based on data replication or retransmission.
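The signing and verification flow described above, as an added Go example that is not part of the patent text. Ed25519, the 8-byte big-endian timestamp encoding and all type and function names are assumptions; the set of activated keys models the activation of the public key on the server mentioned in claim 23, without which a self-consistent package signed by a substituted key would verify against the key it carries.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Package mirrors the packaged data 140 (field layout is an assumption).
type Package struct {
	Data      []byte            // collected data 110
	Timestamp uint64            // timestamp 146, assumed microseconds in 8 bytes
	Signature []byte            // digital signature 144
	PublicKey ed25519.PublicKey // public key 143
}

var (
	ErrUnknownKey = errors.New("public key is not activated on the server")
	ErrBadSig     = errors.New("signature does not verify")
	ErrReplay     = errors.New("timestamp already accepted for this key")
)

// signedBytes is the byte string covered by the signature: a fixed-width
// timestamp followed by the data, so the field boundary is unambiguous.
func signedBytes(data []byte, ts uint64) []byte {
	msg := make([]byte, 8, 8+len(data))
	binary.BigEndian.PutUint64(msg, ts)
	return append(msg, data...)
}

// Sign is the device side: data and timestamp are signed together.
func Sign(priv ed25519.PrivateKey, data []byte, ts uint64) Package {
	return Package{
		Data:      data,
		Timestamp: ts,
		Signature: ed25519.Sign(priv, signedBytes(data, ts)),
		PublicKey: priv.Public().(ed25519.PublicKey),
	}
}

// Server keeps the activated public keys and the (key, timestamp) pairs seen.
type Server struct {
	activated map[string]bool
	seen      map[string]bool
}

func NewServer() *Server {
	return &Server{activated: map[string]bool{}, seen: map[string]bool{}}
}

func (s *Server) Activate(pub ed25519.PublicKey) { s.activated[string(pub)] = true }

// Accept verifies a package. The embedded key is only trusted if it was
// activated beforehand; replay state is recorded only after the signature
// verifies, so forged packages cannot consume timestamps.
func (s *Server) Accept(p Package) error {
	if len(p.PublicKey) != ed25519.PublicKeySize || !s.activated[string(p.PublicKey)] {
		return ErrUnknownKey
	}
	if !ed25519.Verify(p.PublicKey, signedBytes(p.Data, p.Timestamp), p.Signature) {
		return ErrBadSig
	}
	id := fmt.Sprintf("%x/%d", p.PublicKey, p.Timestamp)
	if s.seen[id] {
		return ErrReplay
	}
	s.seen[id] = true
	return nil
}

func newKey() ed25519.PrivateKey {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return priv
}

// RunScenarios feeds constructed packages to the server and returns each verdict.
func RunScenarios() map[string]error {
	device, other := newKey(), newKey()
	srv := NewServer()
	srv.Activate(device.Public().(ed25519.PublicKey))

	genuine := Sign(device, []byte("temp=4.2C"), 1577186400000000) // constructed sample
	tampered := genuine
	tampered.Data = []byte("temp=9.9C") // data altered in transit, old signature kept

	out := map[string]error{}
	out["genuine"] = srv.Accept(genuine)
	out["replay"] = srv.Accept(genuine) // same package retransmitted
	out["tampered"] = srv.Accept(tampered)
	// Valid signature under a key the server never activated.
	out["key-substitution"] = srv.Accept(Sign(other, []byte("temp=9.9C"), 1577186400000001))
	return out
}

func main() {
	r := RunScenarios()
	for _, name := range []string{"genuine", "replay", "tampered", "key-substitution"} {
		fmt.Printf("%-17s -> %v\n", name, r[name])
	}
}
```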

The timing unit 13 may comprise a dedicated clock or may rely on a (shared) clock of the sensing device 1 or components thereof, such as the electronic circuitry 14.

Advantageously, the dedicated or shared clock may be a steered clock 131, i.e. a clock that is automatically synchronized (i.e. by itself, not directly under human control) by a synchronization signal (e.g. a time code) transmitted by a single or multiple transmitters connected to a time standard such as an atomic clock and/or Coordinated Universal Time (UTC). The transmitter may be a national or regional time transmitter or a universal time transmitter. The plurality of transmitters may be part of a relative or absolute positioning system requiring time synchronization, such as a global (satellite) positioning system (e.g. GPS, Galileo or GLONASS). Such systems may be used to automatically set and/or synchronize the steered clock.

The synchronization signal may be a radio synchronization signal transmitted by a radio transmitter and acquired by a communication unit (15) and/or a radio antenna of the sensing device 1.

Alternatively or additionally, the synchronization signal may be provided by a relative or absolute positioning system 17 of the sensing unit 11 and/or the sensing device 1, which system is configured to provide clock synchronization with a time reference. Preferably, the relative or absolute positioning system 17 is a global satellite positioning system (GNSS), which relies inter alia on GPS, Galileo and/or GLONASS satellite constellations.

Alternatively or additionally, the synchronization signal may be a wired synchronization signal provided by the communication unit 15 and/or by a connection interface of the communication unit 15 and/or a connection interface of the sensing device 1.

The network-connectable sensing device 1 is advantageously a stand-alone device, i.e. an off-grid powered device.

The sensing device may thus comprise an energy storage module 18 for powering its active components. The energy storage module 18 may be a non-rechargeable or rechargeable power pack, in particular comprising or consisting of one or more storage batteries and/or batteries.

The sensing device may comprise a protective housing or shell 10 for protecting the sensing device, and in particular its components, from damage. The protective casing 10 encloses the components of the sensing device and advantageously, the casing may be a waterproof and/or airtight casing.

The device of the present invention presets several modes of operation and is configured to selectively operate in one or another of the available modes. To increase robustness against attacks based on identity replacement and/or key replacement, the sensing device 1 is preset and configured to selectively operate at least in the following modes: a manufacturing mode, an unconfigured mode, a configured mode, and an end-of-life mode (refer to fig. 5).

Fig. 2 shows an exemplary flow diagram of the sensing device 1 operating in a manufacturing mode.

In the manufacturing mode, the electronic circuit 14 is configured to permanently store the unique code 149, in particular in a digital format, in the storage medium 12 of the sensing device 1.

In particular, the unique code 149 may be stored in a dedicated memory location of the storage medium 12 that provides a unique one-time storage of the unique code 149.

The unique code 149 is a sequence of symbols that is guaranteed to be unique among all codes for other sensing devices.

Storage medium 12 is any single or multiple unit (e.g., in the form of an electronic circuit or device) that provides storage (in digital format) of data that is particularly collected and/or operatively designated for components of sensing device 1.

In particular, the unique code 149 may be provided by the manufacturing device 2, particularly in response to providing a serial number of the sensing device 1 (e.g., a unique manufacturing identifier assigned to the sensing device 1). The serial number of the sensing device 1 may be hard-written during manufacture of the sensing device 1 or stored in a read-only storage medium accessible (i.e., readable) by the electronic circuit 14.

In particular, the sensing device 1 may be configured (in particular by the electronic circuit 14) to wait for the unique code 149 to be received from the manufacturing device 2 once, in particular when the sensing device is first powered, for example by the energy storage module 18.

As shown in fig. 5, the sensing device 1 may be configured to switch (automatically) from the manufacturing mode to the unconfigured mode (S1) in response to:

receiving and/or storing the unique code 149 in the storage medium 12; and/or

receiving, in particular by the communication unit 15, the sleep signal 20 provided by the manufacturing device 2.

The communication between the sensing device 1 and the manufacturing device 2 may rely on a wired and/or wireless data link 150 provided by the communication unit 15. The data link 150 may be unidirectional or bidirectional (particularly where the serial number is transmitted to the manufacturing device 2).

FIG. 3 illustrates an exemplary flow chart of the sensing device of FIG. 1 operating in an unconfigured mode.

In the unconfigured mode, the sensing device is configured to wait for receipt of a configuration signal to generate an asymmetric key pair for signing the collected data and the timestamps of the packaged data. While waiting, the sensing device is advantageously configured to operate in a sleep mode, wherein the communication unit 15 is configured to operate in a receive-only mode (i.e. transmissions are not allowed and/or not performed).

In particular, the electronic circuit 14 is configured to wait for receipt of a configuration signal consisting of or comprising the configuration code 31 and, in response to the configuration code 31 matching the unique code 149 of the sensing device, to:

generate a private key 142 for signing (digital) data, and

derive (generate) a public key 143 for verifying the data signed by the private key 142.

The configuration code 31 matching the unique code 149 provides authentication of the providing device.

More advantageously, the electronic circuit may be configured to wait for the configuration signal in the form of a Near Field Communication (NFC) signal, preferably according to the NFC communication protocol, for example by configuring the communication unit 15 to exclusively establish a near field communication 151 with the configuration device 3, for example by placing the sensing device and the configuration device within 4 cm of each other.

The near field communication 151 may be realized by (exclusively) activating the NFC reader of the communication unit 15.

Any attempt to remotely attack the sensing device is prevented as long as the sensing device is in sleep mode while waiting for a (NFC) configuration signal to wake it up. This allows a safer and longer shelf life.

Advantageously, in the sleep mode, the sensing unit and/or the timing unit 13 are disabled to reduce power consumption. This further extends the shelf life.

In the unconfigured mode, the communication unit 15 may be configured to establish an unsecured communication, or advantageously a secure communication, with the configuration device 3 based on the shared key 147.

Shared key 147 may be retrieved from storage medium 12.

Alternatively or additionally, the shared key 147 may be generated by the electronic circuit 14, in particular based on the secret data of the sensing device (e.g. the unique code 149) and the pre-shared key 30 provided by the configuration device 3. Preferably, the electronic circuitry 14 may provide an associated pre-shared key to allow the configuration device to generate the same shared key without (directly) transmitting the shared key. In particular, the shared key 147 may be generated in dependence on the Diffie-Hellman key exchange protocol.

The generated shared key 147 may then be stored in the storage medium 12 to allow later communication with the (same) providing device.

This allows not only the creation of a secure connection between the sensing device and the providing device, but also the establishment of a trusted pairing between the sensing device and the providing device and an out-of-band pre-shared key exchange.

Further, in response to the configuration code 31 matching the unique code 149 of the sensing device, the electronic circuitry may be configured to receive the configuration settings 32 provided by the configuration device 3. Once received, the sensing device may be configured to apply the received configuration settings 32, in particular by storing them in a storage medium and/or by setting components of the sensing device according to the received configuration settings 32.

Configuration settings 32 may include:

a sensing device identifier 141 to be transmitted in the packaged data; and/or

settings of the sensing unit, such as measurement rate or frequency, measurement accuracy, sensing threshold, activation/deactivation of sensing elements of the sensing unit; and/or

settings of the communication unit; and/or

settings of a clock and/or of the timing module, such as setting and/or synchronization signals; and/or

a triggering event that triggers measurement and/or collection of data provided by the sensing unit, in particular a detection threshold of the measured movement and/or acceleration; and/or

packaging information.

Advantageously, the electronic circuit may be configured to transmit the public key 143, once generated, to the configuration device in order to activate the public key 143 on the server 5.

The sensing device 1 may be configured to (automatically) switch from the unconfigured mode to the configured mode (S2) in response to the following events:

generation of the private key 142, and/or

derivation of the public key 143, and/or

application of the configuration settings 32, and/or

reception of a wake-up signal 33 provided by the configuration device 3, and/or

activation of the public key 143 on the server.

FIG. 4 illustrates an exemplary flow chart of the sensing device of FIG. 1 operating in a configuration mode.

In the configuration mode, the electronic circuitry 14 is configured to collect the data 110 provided by the sensing unit 11 and to:

sign the collected data 110 and a timestamp 146 provided by the timing unit 13 with the private key 142 to provide a digital signature 144, and

transmit the packaged data 140 to the server 5, either directly or through the gateway device 4, the packaged data 140 including the collected data 110, the timestamp 146, the digital signature 144, the public key 143, and finally the sensing device identifier 141.

In particular, in the configuration mode, the electronic circuit 14 is configured to collect the data 110 provided by the sensing unit 11, in particular according to:

given collection and/or sensing rules, and/or

the configuration settings 32 provided by the configuration device, in particular according to:

a triggering event provided for triggering a measurement and/or data collection; and/or

the detection threshold provided.

Advantageously, the electronic circuit 14 is configured to store the collected data in the storage medium 12 and to wait for a request signal 40 provided by the gateway device 4 and/or the server 5. In response to the request signal 40 provided by the gateway apparatus 4 and/or the server 5, the electronic circuitry 14 is configured to:

sign the collected data 110 (e.g., data stored in the storage medium 12) and the timestamp 146, and

transmit the packaged data 140.

In particular, the electronic circuitry 14 may be configured to collect and store data provided by the sensing unit 11 in response to motion and/or acceleration sensed by the accelerometer 19 of the sensing device 1, the sensed motion or acceleration being above a detection threshold, preferably provided by the configuration setting 32.

The electronic circuitry 14 may be configured to wait for an acknowledgement signal 41 provided by the gateway device 4 and/or the server 5 and, in response to receiving the acknowledgement signal 41 confirming secure receipt of the packaged data and/or verification of the signature, remove the transmitted data from the storage medium 12. Alternatively or additionally, the confirmation signal 41 may be provided by checking the activation of the public key on the server 5.

Data removal may include data erasure (i.e., by overwriting selected data with zeros and ones to completely (absolutely) corrupt the selected data on the storage medium 12).

The packaged data 140 may be transmitted to the gateway device via the communication unit 15 over local communications 152 established between the sensing device and the gateway device (i.e. communications that do not exceed 1 km, preferably in the range from 4 cm to 500 m, depending on the separation between the sensing device and the gateway device). The local communication may be: wireless local area network communication, radio wireless local area communication, Bluetooth communication, ANT communication, wired communication (such as USB communication), or a combination thereof.

Alternatively or additionally, the packetized data 140 may be transmitted via peer-to-peer communications 152 established between the sensing device and the gateway device and/or server 5, wherein the peer-to-peer communications rely at least on peer-to-peer computer network connections (such as wired and/or wireless cellular networks, satellite networks, wired networks).

The gateway device 3 may transmit the (entire) packaged data 140 to the server 5 for storage, preferably with a blockchain for providing security records, before verifying the signature 144 or advantageously after verifying the signature 144. Once stored and/or blockchained on the server (i.e. stored or recorded with the blockchain), the packaged data 140 can be handled by a user who can always verify the integrity of the data provided by the sensing device 1, in particular by means of the signature 144 and the public key 143 provided in the packaged data 140.

As shown in fig. 5, in the end-of-life mode, the sensing device (particularly by the electronic circuitry) is configured to be temporarily or permanently disabled, particularly by permanently erasing private key 142.

The electronic circuitry 14 may be configured to permanently disable the sensing device 1, in particular by triggering (mechanical and/or electronic) one or more components of the sensing device 1.

In particular, the electronic circuit 14 may trigger:

Rupture or damage of the cell, e.g. by shorting the electrodes of the cell or by actuators; and/or

Complete discharge of the battery; and/or

A rupture or opening of the sealed housing, such as by an actuator; and/or

Rupture or destruction of the sensor unit, e.g. by triggering an overvoltage or by an actuator, and/or

Rupture or destruction of the storage medium, e.g. by triggering an overvoltage or by an actuator, and/or

Destroying instruction data residing on the sensing device (in particular on the storage medium and/or on the electronic circuit), the instruction data being in particular readable by the electronic circuit 14 to carry out one or more tasks of the electronic circuit 14; and/or

An interruption or short of an electrical connection of the sensing device, such as an interruption or short of an electrical connection that electrically connects the electronic circuit 14 to other components of the sensing device, for example by triggering an overvoltage or by means of an actuator.

Optionally, to provide for safe reuse of the sensing device 1, in the end-of-life mode, the electronic circuitry 14 may be configured to permanently erase the (collected) data 110 from the storage medium and switch the sensing device 1 to the unconfigured mode (S31). Preferably, the electronic circuitry 14 may be configured to permanently erase (e.g., by data erasure) the public key and/or configuration settings.

In particular, the sensing device may be configured to switch to an end-of-life mode (in particular by the electronic circuitry) in response to:

receiving an end-of-life signal provided by a device, in particular by the regulating device; and/or

detecting (by the electronic circuitry) that the remaining energy of the storage module 18 is below a given energy threshold, preferably provided by the manufacturing apparatus and/or the configuration apparatus 3, e.g. by the configuration settings 32; and/or

detecting a breach of the protective casing 10, as reported by the breach detector 16 of the sensing device 1.

The sensing device 1 may further be configured to switch (automatically) from an end-of-life mode or from a configured mode to an unconfigured mode (S21, S31) in response to receiving a configuration code 31 provided by the (coupled) configuration device 3, wherein the configuration code 31 matches the sensing device's unique code 149. This allows for a reliable re-initialization of the sensing device 1.

The sensing device 1 thus provides a more stable transmission for measurements of the physical entity provided by the sensing device, because:

the permanent unique code prevents unauthorized or malicious generation or regeneration of the private and public keys;

the packaged data provides a public key that allows verification of the integrity of the collected data (e.g., measurements); and

each signed packaged data is made unique by a timestamp.

In fact, since the packaged data for each transmission is different, a data replication attack on the server is easy to detect by comparing against the packaged data already stored and/or recorded on the blockchain. The time stamp ensures that the generated signatures are different and therefore the package cannot be simply copied.

The public key provided by the sensing device establishes the origin of the data, thereby avoiding identity theft attacks, since the (relevant) private key is randomly generated on the device itself when configured (i.e. only the sensing device knows the private key, and the private key is unique). In addition, the public key is transmitted in the packaged data to allow the user to verify that the information was indeed signed by the device. The signature serves as an authentication certificate.

The robustness of the transmission can be further improved by activating the public key 243 generated on the sensing device 1 on the server 5, preferably by the configuration device 3 transmitting the public key 143 to the server 5. This activation may be used on the server and/or gateway device to verify the received packetized data (in particular its public key) and/or to allow the received packetized data to be stored and/or block-chained.
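The server-side checks described in the three preceding paragraphs (public key activation, signature verification over timestamp and data, and detection of copied packages) can be sketched as follows. This is an added example, not part of the patent text: Ed25519, the 8-byte timestamp encoding, the base64 package fields and the names `signedBytes`, `packageData` and `Server` are all assumptions chosen for illustration.

```javascript
const crypto = require('node:crypto');

// Bytes covered by signature 144: timestamp 146 followed by data 110.
// Assumed encoding: 8-byte big-endian Unix seconds, then the raw data bytes.
function signedBytes(timestamp, data) {
  const ts = Buffer.alloc(8);
  ts.writeBigUInt64BE(BigInt(timestamp));
  return Buffer.concat([ts, Buffer.from(data)]);
}

const spki = (publicKey) =>
  publicKey.export({ type: 'spki', format: 'der' }).toString('base64');

// Device side, configured mode: sign and build packaged data 140.
function packageData(privateKey, publicKey, timestamp, data) {
  const signature = crypto.sign(null, signedBytes(timestamp, data), privateKey);
  return {
    data: Buffer.from(data).toString('base64'),
    timestamp,
    signature: signature.toString('base64'),
    publicKey: spki(publicKey),
  };
}

// Server side: accept only activated keys, valid signatures, unseen packages.
class Server {
  constructor() {
    this.activated = new Set(); // public keys activated at configuration time
    this.stored = new Set();    // digests of packages already recorded
  }
  activate(publicKey) { this.activated.add(spki(publicKey)); }
  accept(pkg) {
    if (!this.activated.has(pkg.publicKey)) return 'rejected: public key not activated';
    if (!Number.isSafeInteger(pkg.timestamp) || pkg.timestamp < 0) return 'rejected: bad timestamp';
    const key = crypto.createPublicKey(
      { key: Buffer.from(pkg.publicKey, 'base64'), format: 'der', type: 'spki' });
    const msg = signedBytes(pkg.timestamp, Buffer.from(String(pkg.data), 'base64'));
    const sig = Buffer.from(String(pkg.signature), 'base64');
    if (!crypto.verify(null, msg, key, sig)) return 'rejected: bad signature';
    // Same key + timestamp + data seen before means a copied package.
    const digest = crypto.createHash('sha256').update(pkg.publicKey).update(msg).digest('hex');
    if (this.stored.has(digest)) return 'rejected: duplicate package';
    this.stored.add(digest);
    return 'stored';
  }
}
```

Because the activation check runs first, a package carrying a self-generated key pair is rejected even though its signature verifies against the public key it ships with.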

Numerical designations used in the drawings:

1 sensing device

10 outer casing

11 sensing unit

110 data

12 storage medium

13 timing unit

131 clock

14 electronic circuit

140 packing data

141 identity

142 private key

143 public key

144 signature

145 key code

146 time stamp

147 shared secret key

148 serial number

149 unique code

15 communication unit

150 data link

151 Near Field Communication (NFC) data link

152 (wireless) data link

16 destructive detector

17 global positioning system

18 energy storage module

19 accelerometer

2 manufacturing apparatus

20 sleep signal

3 configuring device

30 pre-shared key

31 configuration code

32 configuration settings

33 wake-up signal

34 data link

4 gateway device

40 request signal

41 acknowledgement signal

44 data link

5 Server

51 acknowledge signal

S1, S21, S31 switch to unconfigured mode

S2 switching to Pre-configured mode

S3 switching to end-of-life mode
