Spagnolatti, Mirko (Via Oriolo, 52 Fraz. Monastero, Berbenno di Valtellina, I-23010, IT)
Della Fonte, Giorgio (Via Perlegia, 194, Berbenno di Valtellina, I-23010, IT)
Pera, Raffaele (Via Europa 1A, Valgreghentino, I-23857, IT)
| 1. | A control system of an electronic instrument for metrological measurements, comprising a computer for local processing including a handling application of said instrument, characterized in that it comprises: a control application for said handling application, which can be associated with said local processing unit, said control application being suitable for generating a univocal metrological certification code for the application. |
| 2. | The control system according to claim 1, wherein said univocal code is associated with the printing of a stamp comprising an issuing date of said stamp (82), a reference code of the metrological measurement instrument, a bar code (83) corresponding to said univocal code. |
| 3. | The control system according to claim 1, wherein said control application is associated with a central processing unit, which is connected to said local unit through a telecommunication network. |
| 4. | The control system according to claim 1, characterized in that it includes a dynamic library associated with said handling application, which, at the start of the handling application, activates said control application. |
| 5. | The control system according to claim 4, wherein said dynamic library is placed in said local unit. |
| 6. | The control system according to claim 4, wherein said dynamic library is situated in said central processing unit. |
| 7. | The control system according to claim 1, wherein said univocal code is obtained by means of a cryptography algorithm. |
| 8. | A method for controlling an electronic instrument for metrological measurements, said instrument being associated with a local processing computer, including a handling application of said instrument, comprising the following steps: * receiving, at the start of the handling application, information contained in said local unit referring to the handling application; * processing said information by means of a comparison with prememorized information; * issuing a univocal certification code which can be associated with said handling application; * printing on paper a stamp containing said univocal code. |
| 9. | The method according to claim 8, wherein said step for producing a univocal code includes processing said information by means of a cryptography algorithm. |
| 10. | The method according to claim 8, wherein said step for receiving information comprises the step of receiving an authenticity certificate of the handling application. |
| 11. | The method according to claim 8, wherein said step of receiving information comprises the step of receiving an acknowledgement code of said local unit. |
In particular, the present invention relates to a method and system for controlling electronic instruments for metrological measurements including an application for handling the measurement effected by the instrument.
Said instrument for metrological measurements can be, for example, an instrument situated inside a gasoline pump, suitable for measuring the flow of gasoline.
For the purposes of the present invention, application for handling the metrological measurement means a software or a processing program which can acquire, process, visualize and print the data relating to the measurement effected.
As is known, metric instruments are, according to the law, subjected to periodic controls which consist in ascertaining their constant metrological reliability with time, with the aim of protecting the integrity of seals, also electronic, and labels or other protection elements envisaged by the law in force.
An authorized person (metric officer) is charged with performing these controls, which refer, for example, to the integrity of both the structure of the measuring instrument, and also to that of the applications or processing programs contained in said instrument.
Integrity of the applications means that the applications have not been subjected to interventions which can alter the integrity and originality of the software application which runs the instrument for metrological measurement.
Said seals which guarantee the integrity and originality of the application are currently of the hardware type, for example lead seals.
The Applicant has observed that for these controls the operator (metric officer) must go to the place where the measurement instrument is installed and check the integrity of said hardware seals. Should the supplier of the application issue a new updated version of said application, the metric officer must go on site to remove said seals and insert the new ones, after verifying the correct functioning of the updated version of the application.
The intention of the Applicant is to simplify certification operations of software applications for electronic instruments for simple metrological measurements and make them reliable.
The Applicant has achieved a method and system for controlling an electronic instrument for metrological measurements, wherein a control application, residing on a computer connected to said measurement instrument, for example through a network, checks whether the handling application of the measurement effected by the instrument has undergone alterations, violations, modifications or similar variations. This control of the handling application of the instrument results in the emission of an authenticity stamp.
The control application preferably determines whether the handling applications satisfy the following conditions:
* the handling application installed on the instrument must conform with what is certified at the start of the instrument;
* the handling application installed on the instrument cannot be unduly interfered with;
* any variation in the handling application installed on the instrument must be evident and acknowledgeable;
* the presence of a different handling application must be acknowledgeable;
* the techniques adopted must guarantee that all the aforesaid actions are carried out in a context of data security, using suitable cryptography techniques, digital signatures, certifications etc.;
* all relevant actions in the sphere of variations in the programs which can be effected by the instrument must be marked on carriers that cannot be modified by third parties.
The controls are generally such as to allow a definite reconstruction of the actions effected on the handling application of the instrument.
An aspect of the present invention relates to the controlling system of an electronic instrument for metrological measurements, including a local processing computer which comprises a handling application of said instrument, characterized in that it includes a control application for said handling application, which can be associated with said local computer, said control application being suitable for generating a univocal certification code for the application.
A further aspect of the present invention relates to a method for controlling an electronic instrument for metrological measurements, said instrument being associated with a local processing computer including a handling application of said instrument, comprising the following steps:
* receiving, at the start of the handling application, information contained in said local unit referring to the handling application;
* processing said information through a comparison with pre-memorized information;
* issuing a univocal certification code which can be associated with said handling application;
* printing on paper a stamp containing said univocal code.
The characteristics and advantages of the method and system for controlling metrological measurement instruments according to the present invention will be better clarified and appear more evident from the following illustrative and non-limiting description of an embodiment, with reference to the attached figures, wherein:
figure 1 is a block scheme of the control system according to the present invention applied to generic client uses;
figure 2 is a block scheme of the control system according to the present invention applied to a fuel station for motor vehicles;
figure 3 is a representation of a "software stamp" according to the present invention;
figures 4a-f represent visualization cards of the control application according to the present invention.
With reference to the aforesaid figures, the system according to the present invention preferably comprises a central processing unit (server) (2), and at least one local processing unit (3) in which there is at least one handling application of a metric instrument (4). This central processing unit preferably also includes a handling application of a metric instrument (4).
The connection between said central unit and the local units is preferably obtained through a traditional telecommunication network, a LAN network, for example, an Ethernet network, or an Internet connection. In general said network allows applications and programs, physically residing in a memory of said central processing unit, to be used in said local units.
Figure 1 shows, as an example, three local stations, as the system of the present invention is also capable of controlling a series of local units contemporaneously.
One of the local units indicated in figure 1 comprises two handling applications (4) of an electronic instrument for metrological measurements, as the system of the present invention contemporaneously and equivalently controls one or more applications inside the local unit itself.
Said central processing unit preferably includes at least one control application (21) of said handling applications, in addition to at least one central application (22).
At least one dynamic library (6) of functions which can be associated with said control application (21) is preferably present on both the central processing unit and the local units, said library acting as a connection between the handling applications and the control application.
Figure 2 shows an application example of the control system according to the present invention, applied to a fuel station for motor vehicles, indicated, as a whole, with reference number (7).
The fuel station includes at least one gasoline pump (71), containing inside said metrological measurement instrument, suitable for measuring the flow of gasoline from a pump. A local processing unit associated with said pump includes said handling application, as described above, which controls the measurement instrument.
Said fuel station also includes an automatic distribution pump (72), suitable for allowing the pumps to operate in the absence of personnel. This pump is activated by inserting a certain amount of money, in the form of banknotes or credit cards, bancomat or similar. Inside this column there is, for example, a further local processing unit.
Other local processing units are situated, for example, in sales and/or distribution points of products (74) of the fuel station, accounting and/or administrative offices (75).
According to the example of figure 2, the central processing unit (73) connects the aforementioned local processing units so as to form a network.
According to the present invention, the control application is preferably contained in the central unit (73). Alternatively, if the fuel station is not connected by a network, but comprises at least one local processor associated with a metrological measurement instrument, said control application is installed inside said local unit.
The handling application of the measurement instrument preferably comprises an authenticity certification, which is provided by the application author. This certification includes a digital signature which is implemented, for example, by means of an RSA cryptography protocol.
This digital signature, through a mechanism of public and private keys, guarantees the authenticity of the handling application with which said key is associated.
A technology which implements said digital signatures is the Microsoft® Authenticode™ technology, which verifies that a certain application has a valid certificate, i.e. that the identity of the application producer corresponds to what is certified and that the certificate is still valid. This is achieved by applying a digital signature to the software code, which allows remote clients to check the reliability of the application editor.
According to the present invention, the control application is capable of reading said digital signatures and acknowledging their authenticity. If said authenticity is not verified, the control application emits a signal and interrupts the start of the handling application which contains the non-valid digital signature.
Furthermore, the control application acquires some information on the unit on which the application to be controlled resides, in order to create a single data bank connected to the unit itself. Possible examples of information which can be useful for controlling the application are: serial number of the network card, serial number of the hard disk, univocal identification of the data processor, etc.
In the case of network configurations, the control application also univocally identifies the machines connected by the network through their local application component, so as to be able to react to any possible variations in the network configuration.
Once the aforementioned information has been acquired, the control application processes all the data and creates a synthesis of a limited dimension. This synthesis can be obtained, for example, by means of so-called cryptographic "hashing" algorithms (SHA, RSA, etc.) and generates a univocal code which is called "software stamp", which is printed from these local units and associated with the controlled handling application.
This univocal code is preferably printed, for example, in the form illustrated in figure 3, which refers to the certification of a handling application called SINP, version 2.0.1, produced by the same Applicant and granted on September 13, 2001. This stamp (8) also shows a stamp printing date (81), a fuel station code (82), a bar code (83) corresponding to said univocal code of the software stamp.
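The synthesis step described above, as an added worked example in Python (this is not code from the patent or from the Applicant): the control application hashes the handling application's content and the unit identifiers into a univocal code, memorizes the component digests next to it, and at the next start reports whether the application, the unit, or the memorized record itself has changed. The application bytes, serial numbers and station code are constructed placeholders, and SHA-256 is an assumption since the text names only the SHA family.

```python
import hashlib
import json
from datetime import date

# Constructed stand-ins: a byte string in place of the handling application's
# executable, and the identifiers the control application reads from the unit.
APP_BYTES = b"SINP 2.0.1 handling application (constructed placeholder for the binary)"
UNIT_INFO = {
    "nic_serial": "00-1A-2B-3C-4D-5E",  # constructed
    "disk_serial": "WD-WCC4E0000001",   # constructed
    "cpu_id": "BFEBFBFF000306A9",       # constructed
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def fingerprint(app_bytes: bytes, unit_info: dict) -> dict:
    """Component digests: one over the application content, one over the unit
    identifiers serialised as canonical JSON (sorted keys), so the result does
    not depend on the order in which the identifiers were collected."""
    return {
        "app_hash": sha256_hex(app_bytes),
        "unit_hash": sha256_hex(json.dumps(unit_info, sort_keys=True).encode()),
    }


def software_stamp(fp: dict) -> str:
    """The univocal code: a second SHA-256 over both component digests.
    Binding the unit digest in means the same binary on another machine
    yields a different stamp."""
    return sha256_hex((fp["app_hash"] + fp["unit_hash"]).encode())


def stamp_record(fp: dict, station_code: str, printed_on: date) -> dict:
    """What is memorized locally and printed on the paper stamp (figure 3):
    printing date (81), station code (82) and the univocal code (83, as a bar code)."""
    return {
        "printing_date": printed_on.isoformat(),
        "station_code": station_code,
        "univocal_code": software_stamp(fp),
        "fingerprint": fp,  # kept so a later check can say what changed
    }


def classify_change(stored: dict, app_bytes: bytes, unit_info: dict) -> list:
    """Recompute the fingerprint at application start and compare it with the
    memorized record. Returns the changed components ([] = unchanged, i.e. the
    stored univocal code is still valid and the first mask (91) can be shown)."""
    current = fingerprint(app_bytes, unit_info)
    changed = [k for k in ("app_hash", "unit_hash") if current[k] != stored["fingerprint"][k]]
    # The stored code must itself match the stored digests; otherwise the
    # record, not the application, has been manipulated.
    if software_stamp(stored["fingerprint"]) != stored["univocal_code"]:
        changed.append("record")
    return changed


if __name__ == "__main__":
    record = stamp_record(fingerprint(APP_BYTES, UNIT_INFO), "STATION-0001", date(2001, 9, 13))
    print("stamp:", record["univocal_code"])
    print("unchanged:", classify_change(record, APP_BYTES, UNIT_INFO))
    print("new version:", classify_change(record, b"SINP 2.0.2 (constructed)", UNIT_INFO))
    print("disk replaced:", classify_change(record, APP_BYTES, {**UNIT_INFO, "disk_serial": "WD-NEW"}))
```

Because the record stores the two component digests and not only the final code, the comparison mask can say whether the application or the hardware configuration changed, which is the distinction the second mask (92) relies on.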
The handling application operates as follows.
At the start of the handling application (4) to be controlled, the control application (21) is automatically called by means of said dynamic library (6) associated with the handling application in the local unit.
Information on the handling application itself is acquired through said library.
The application is validated using the verification of said application certificate, for example according to the rules of the Microsoft® Authenticode™ standard.
The control application (21) acquires some information on the local processing unit (3) on which the handling application (4) resides, in order to create a single data bank for recognizing the unit itself. In the case of network configurations, the handling application also univocally identifies the other units present on the network, through all dynamic libraries (6) present in each local unit, so as to be able to react to any possible variations in the network configuration.
Once all the aforementioned information has been acquired, a "software stamp" is emitted, as described above, which is memorized in said local processing unit and bound to the controlled handling application.
All the operations effected by the control application on the handling application to be controlled are preferably collected in a file, whose integrity and consistency is checked in order to verify that no cancellations or manipulations have been made. Any possible inconsistencies found in this phase produce a signal and prevent the start of the applications.
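One way to make that file of operations tamper-evident, as an added example in Python (not the patent's own code; the text does not say how the integrity check is implemented): each entry carries the SHA-256 of the entry before it, so an edited or cancelled entry breaks the chain, and the hash of the last entry is memorized separately (for instance alongside the software stamp, an assumption here) so that cutting entries off the end is detected as well. The event records and the in-memory list standing in for the file are constructed.

```python
import hashlib
import json

GENESIS = "0" * 64  # link value carried by the first entry


def _entry_hash(prev_hash: str, event: dict) -> str:
    # Canonical JSON so the same event always hashes the same way.
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()


def append_event(log: list, event: dict) -> str:
    """Append an event to the log (a list standing in for the file) and return
    the new head hash, which the caller memorizes outside the file."""
    prev = log[-1]["entry_hash"] if log else GENESIS
    log.append({"prev_hash": prev, "event": event, "entry_hash": _entry_hash(prev, event)})
    return log[-1]["entry_hash"]


def verify_log(log: list, expected_head: str) -> tuple:
    """Walk the chain at application start. Returns (ok, detail): detail names
    the first entry whose link or hash is inconsistent (manipulation or a
    cancelled entry in the middle), or reports a head mismatch when the chain
    is intact but shorter than the separately memorized head (entries cut off
    the end), which a chain alone cannot detect."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev_hash"] != prev or entry["entry_hash"] != _entry_hash(prev, entry["event"]):
            return False, f"entry {i} inconsistent"
        prev = entry["entry_hash"]
    if prev != expected_head:
        return False, "truncated or head mismatch"
    return True, "consistent"


# Constructed sample operations of the control application.
SAMPLE_EVENTS = [
    {"op": "start_check", "app": "SINP", "version": "1.1", "result": "ok"},
    {"op": "stamp_issued", "app": "SINP", "version": "1.2", "code": "constructed-code-1"},
    {"op": "start_check", "app": "SINP", "version": "1.2", "result": "ok"},
]


def build_sample_log() -> tuple:
    """Build the sample log and return it with its head hash."""
    log, head = [], GENESIS
    for ev in SAMPLE_EVENTS:
        head = append_event(log, ev)
    return log, head


if __name__ == "__main__":
    log, head = build_sample_log()
    print(verify_log(log, head))
    log[1]["event"]["version"] = "9.9"   # manipulate an entry
    print(verify_log(log, head))
```

The head hash is the important detail: without it, deleting the newest entries leaves a perfectly consistent (shorter) chain, which is exactly the "cancellation" the text wants the check to catch.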
If an updating of the handling application is desired, for example by installing a new version, the control application emits a new software stamp.
In particular, the control application detects that the application has changed and is no longer consistent with the information pre-installed through the software stamp. In this case, the authenticity of the new version of the handling application is checked.
This control is essentially carried out in three steps:
* a control is made that the new version has been prepared by the same producer as the previous one, through said digital signature;
* a control is made that the new version is subsequent to the previous one (for example, version 1.2 in the place of version 1.1);
* a control is made that said version is consistent with the other applications, with which it operates, of the local processing unit.
Once the above controls have been effected, the control application proposes to the user to produce a new software stamp. The software stamp represents the necessary evidence, on a normative level, for the correct handling of the issuing of new versions. All the above is obtained, in concrete terms, through a printout on paper which produces a model as illustrated in figure 3.
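The three controls on an updated version, carried out in Python as an added example (not the patent's own code). The signer identity is read from a certificate record that the platform (Authenticode, in the text) is assumed to have verified already, represented here as a constructed dict with a publisher name; versions are compared numerically, so that 1.10 counts as later than 1.9; and consistency with the other applications of the unit is checked against a table of minimum peer versions that the new version declares, an assumed format. All names and version numbers are constructed.

```python
def parse_version(v: str) -> tuple:
    """'2.0.1' -> (2, 0, 1). Numeric comparison: '1.10' > '1.9', which a
    plain string comparison would get wrong."""
    return tuple(int(part) for part in v.strip().split("."))


def same_producer(prev_cert: dict, new_cert: dict) -> bool:
    """Control 1: the new version is signed by the same producer. The subject
    (publisher) of the already verified certificate is compared, not the
    certificate itself, so a renewed certificate of the same producer passes."""
    return prev_cert["publisher"] == new_cert["publisher"]


def is_subsequent(prev_version: str, new_version: str) -> bool:
    """Control 2: the new version is later than the previous one (no downgrade,
    no re-installation of the same version)."""
    return parse_version(new_version) > parse_version(prev_version)


def consistent_with_peers(requires: dict, installed: dict) -> list:
    """Control 3: every peer application the new version declares it operates
    with is present on the unit at (at least) the required version. Returns
    the peers that are missing or too old."""
    return sorted(
        name for name, min_v in requires.items()
        if name not in installed or parse_version(installed[name]) < parse_version(min_v)
    )


def check_update(prev: dict, new: dict, installed_peers: dict) -> list:
    """Run the three controls. An empty list means the control application may
    propose a new software stamp; otherwise the names of the failed controls
    are returned for the comparison mask."""
    failed = []
    if not same_producer(prev["cert"], new["cert"]):
        failed.append("producer")
    if not is_subsequent(prev["version"], new["version"]):
        failed.append("version")
    if consistent_with_peers(new.get("requires", {}), installed_peers):
        failed.append("consistency")
    return failed


# Constructed sample data (publisher names, versions and peers are placeholders).
APPLICANT_CERT = {"publisher": "Example Applicant S.r.l."}
OTHER_CERT = {"publisher": "Someone Else"}
PREVIOUS = {"name": "SINP", "version": "1.1", "cert": APPLICANT_CERT}
UPDATE = {"name": "SINP", "version": "1.2", "cert": APPLICANT_CERT,
          "requires": {"pump_driver": "3.0"}}
INSTALLED_PEERS = {"pump_driver": "3.1", "accounting": "2.4"}

if __name__ == "__main__":
    print("valid update:", check_update(PREVIOUS, UPDATE, INSTALLED_PEERS))
    print("other signer:", check_update(PREVIOUS, dict(UPDATE, cert=OTHER_CERT), INSTALLED_PEERS))
    print("downgrade:", check_update(PREVIOUS, dict(UPDATE, version="1.0"), INSTALLED_PEERS))
    print("old driver:", check_update(PREVIOUS, UPDATE, {"pump_driver": "2.9"}))
```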
Figures 4a-e represent a few examples of insertion and/or visualization masks generated by the control application during a survey on a handling application.
Figure 4a illustrates a first mask (91), which, at the start of the handling application of the measurement instrument, shows the univocal code of the software stamp. In this case, there was no modification in the handling application, and the handling application is consequently correctly started by pushing the "OK" key.
This mask is optional, in the sense that it can be put in evidence when the handling applications envisage the presence of a user at the start; when the start of the handling application is automatic, for example when the plant is powered up, this mask is omitted.
Figure 4b illustrates a second mask (92), which shows that there has been a change in the configuration of the local processing unit. This change can, for example, be an update of the handling application version or a change in the hardware and/or software configuration of the processing unit.
In this case a comparison mask (93) is put in evidence, in which these changes are listed. In particular, an upper box (931) of said mask reveals the new applications and/or versions of the application present on the local unit, and a lower box (932) reveals the substituted parts. The new configuration revealed by said upper box must be confirmed by a push button present on the lower part of the card; the confirmation operation simply declares that the changes comply with the aforementioned authentication conditions. After this confirmation, a new univocal code is issued and a new software stamp is printed.
The univocal code can, at this point, be inserted in said second mask (92) and, following confirmation by pushing the "OK" key, the system proposes a third mask (94) in which a confirmation is required (yes/no) that the modifications comply with the regulations on the metric test of the measurement instrument.
In the case of confirmation (yes), the system proposes a fourth mask (95) which communicates that the operations have been correctly effected and allows the correct start of the handling application.
In the case of lack of confirmation (no), the system proposes a fifth mask (96), which communicates the impossibility of correctly starting the application, as the metrological operations have not been completed.
In this case, the application can only be started for effecting functional tests.
The application is preferably developed according to modularity, re-use of the code and portability criteria, in order to guarantee the natural evolution which the control application will undergo during its life cycle.
Respect of these requirements guarantees the possibility of adding new functions with limited impacts. For this purpose, when applicable, the use of programming languages of the type known as "object oriented" is preferable.
It is preferable, moreover, to use techniques which allow the application and the data format to be as independent as possible of each other. In this way, the application is ready for any possible data format changes and is advantageously compatible with other applications, devices or systems.
All public interfaces, public data and functions are documented, in order to guarantee access to the control application code. The system variables preferably have mnemonic names and respect the code writing notations typical of the development environment (prefixes for indicating the data type, etc.). Each public function or method is suitably documented through a description on the function itself, and a functional description is specified for each parameter, including the validity interval and the use in input or output of the parameter itself.
The error codifications are preferably consistent with the remaining parts of the application and can be obtained from a single source (header file or resource).
In any case, any error code which can be generated by the application is documented and memorized in the application event register.
Respect of the application longevity requirement inevitably implicates the selection of architectures which are presumably supported for a period of time equal to or longer than the assumed life of the application itself.
The control application, according to the present invention, follows the operation modes, terminology and documents already known to users of the handling application and metrological measurement instrument, as much as possible, so that the user itself can consider the procedure as "familiar". In any case, the interfaces and designs of the masks are as simple and clear as possible.
The most frequent operations are advantageously effected with the lowest possible number of passages. All operations of the control application are coherently grouped into functional sets, to make them easily available. Access to the functions is preferably obtained by means of buttons or, when applicable, through menus, hypertext or icons.
The parts indicating commands or data must have sufficient dimensions to allow them to be clearly read. The dimensions of the interface elements should not however be too large, in order to prevent the elements themselves from becoming dispersive.
