Login| Sign Up| Help| Contact|

Patent Searching and Data


Title:
MONITORING AN AREA USING ILLUMINATION
Document Type and Number:
WIPO Patent Application WO/2018/019553
Kind Code:
A1
Abstract:
A security system for monitoring the system comprising: a source of visible illumination light; a control module operatively coupled to the source to provide a challenge signal to be embedded in the visible illumination light emitted by the source; a device associated with an entity in the monitored area, the device having a local sensor configured to detect the visible illumination light, a processor configured to detect the embedded challenge signal and to use it to generate a response signal, and an emitter for transmitting visible light in which the response signal is embedded; a light sensor arranged to detect the response signal; and a decode module coupled to receive the response signal, to decode the response signal and to compare it to an expected response to the challenge, and to trigger an authentication action for the entity if the response signal matches the expected response.

Inventors:
CREUSEN, Martinus, Petrus (5656 AE Eindhoven, 5656 AE, NL)
VAN BOMMEL, Ties (5656 AE Eindhoven, 5656 AE, NL)
IJZERMAN, Willem, Lubertus (5656 AE Eindhoven, 5656 AE, NL)
TAKKEN, Robert, Martinus, Hendrikus (5656 AE Eindhoven, 5656 AE, NL)
Application Number:
EP2017/067270
Publication Date:
February 01, 2018
Filing Date:
July 10, 2017
Export Citation:
Click for automatic bibliography generation   Help
Assignee:
PHILIPS LIGHTING HOLDING B.V. (High Tech Campus 45, 5656 AE Eindhoven, 5656 AE, NL)
International Classes:
G07C9/00; H04B10/116; H05B37/02
Attorney, Agent or Firm:
VERWEIJ, Petronella, Danielle et al. (High Tech Campus 45, 5656 AE Eindhoven, 5656 AE, NL)
Download PDF:
Claims:
CLAIMS:

1. A security system for monitoring an area, the system comprising:

a source of visible illumination light (LI);

a control module (20) operatively coupled to the source (LI) to provide a challenge signal (CLl) to be embedded in the visible illumination emitted by the source (LI);

a device (10) associated with an entity (8) in the monitored area, the device

(10) having a local sensor (34) configured to detect the visible illumination light, a processor configured to detect the embedded challenge signal (CLl) and to use it to generate a response signal (CL2), and an emitter (36) for transmitting visible light in which the response signal (CL2) is embedded;

a security camera (6) arranged to detect the challenge signal (CLl) emitted from the source (LI) and an image of the entity comprising the response signal (CL2), the response signal (CL2) and the challenge signal (CLl) being detected within a predetermined time period; and

a decode module (24) coupled to receive the response signal (CL2), to decode the response signal (CL2) and to compare it to an expected response to the challenge (CLl), and to trigger an authentication action for the entity (8) if the response signal matches the expected response.

2. A security system according to claim 1 , wherein the processor is configured to use the embedded challenge signal (CLl) in a cryptographic step utilizing a local key to generate the response signal.

3. A security system according to claim 1 or 2, wherein there is also embedded in the visible illumination light with the challenge signal a descriptor indicative of a preferred response expected by the decode module (24).

4. A security system according to claim 3, wherein the descriptor indicates a parameter associated with encoding the response signal (CL2) in the visible light.

5. A security system according to any preceding claim, wherein the challenge (CL1) comprises a one-time only code.

6. A security system according to any of claims 1 to 4, wherein the challenge (CL1) comprises a pseudorandom sequence.

7. A security system according to any preceding claim, which comprises a radio frequency transmitter which is configured under the control of the control module (24) to provide an auxiliary challenge signal in an RF signal, wherein the processor at the device (10) is configured to detect the auxiliary challenge signal and to use it with the embedded challenge signal to generate the response signal (CL2).

8. A security system according to claim 2, or any of claims 3 to 7 when dependent thereon, wherein the local key comprises a group key which is allocated to a group of multiple devices, where access to a further area adjacent the monitored area is to be permitted for any member of the group.

9. A security system according to any preceding claim, wherein the decode module (24) is configured to trigger an identification signal if the expected response matches the response signal (CL2), the identification signal providing an identity for comparison with the entity (8) associated with the device (10).

10. A security system according to claim 8, comprising a motion detector operable to trigger a new challenge signal on detection of movement of an entity (8) attempting access to the further area, and to advise the control module of the new challenge signal.

11. A security system according to any preceding claim, wherein the device (10) associated with the entity (8) is a wearable device. 12. A security camera (6) for use in a security system for monitoring an area, the security system comprising a source of visible illumination light (LI);

the security camera comprising a control module (20) operatively coupled to the source (LI) to provide a challenge signal (CL1) to be embedded in the visible

illumination emitted by the source (LI); the security system further comprising a device (10) associated with an entity (8) in the monitored area, the device (10) having a local sensor (34) configured to detect the visible illumination light, a processor configured to detect the embedded challenge signal (CLl) and to use it to generate a response signal (CL2), and an emitter (36) for transmitting visible light in which the response signal (CL2) is embedded;

the security camera (6) being arranged to detect the challenge signal (CLl) emitted from the source (LI) and an image of the entity (8) comprising the response signal (CL2), the response signal (CL2) and the challenge signal (CLl) being detected within a predetermined time period; and

the security camera (6) further comprising a decode module (24) coupled to receive the response signal (CL2), to decode the response signal (CL2) and to compare it to an expected response to the challenge (CLl), and to trigger an authentication action for the entity (8) if the response signal (CL2) matches the expected response. 13. A method of monitoring an area, the method comprising:

generating a challenge signal (CLl) to be embedded in visible illumination light;

associating in storage media (22) the challenge signal (CLl) with an expected response;

decoding the embedded challenge signal (CLl) and a response (CL2) from visible illumination light received by a light sensor (34) from a device (10) associated with an entity (8) in a monitored area receiving the visible illumination light with the embedded challenge signal (CLl); and

determining if the received response (CL2) matches the expected response and if so, triggering an authentication action for the entity (8).

14. A computer program product comprising computer-readable instructions which when executed by a processor perform the steps of:

generating a challenge signal (CLl) to be embedded in visible illumination light;

associating in storage media (22) the challenge signal (CLl) with an expected response;

decoding the embedded challenge signal (CLl) and a response (CL2) from visible illumination light received by a light sensor (34) from a device (10) associated with an entity (8) in a monitored area receiving the visible illumination light with the embedded challenge signal (CL1); and

determining if the received response (CL2) matches the expected response and if so, triggering an authentication action for the entity (8).

15. A computer program product according to claim 14, wherein the step of triggering an authentication action comprises automatically actuating a locking mechanism to release access to a further area adjacent the monitored area. 16. A computer program product according to claim 14, wherein the step of triggering an authentication action comprises providing an identification signal which causes an identifier to be made available to a monitoring arrangement to determine if access is to be granted to a further area adjacent the monitored area.

Description:
Monitoring an area using illumination

BACKGROUND OF THE INVENTION

The present invention relates to monitoring an area for example in the context of controlling access to a secure area.

A technique currently used to control access to secure areas is to use CCTV. Cameras are arranged at strategic points, e.g. entrances, and images from the cameras are passed to multiple screens which are monitored by a security officer. CCTV security systems are in widespread use for surveillance in areas that may need monitoring such as banks, casinos, airports, military installations, and convenience stores. In recent years, the use of body worn video cameras has been introduced as a new form of surveillance.

Using CCTV security systems to check if people are authorized to enter certain secured areas is not trivial. Typically face recognition or checking the security badge cannot be easily done via security cameras. Consequently, it is difficult to judge on security cameras if people are allowed in certain secured areas. Especially when people have to observe multiple monitors it is difficult for humans to keep track. Besides, low-cost CCTV systems are based on low-quality camera kits whereas the professional installation and maintenance of high definition CCTV is expensive.

There is a need for an easier way to control access to an area, while not compromising reliability. SUMMARY OF INVENTION

According to an aspect of the invention there is provided a security system for monitoring an area, the system comprising:

a source of visible illumination light;

a control module operatively coupled to the source to provide a challenge signal to be embedded in the visible illumination light emitted by the source;

a device associated with an entity in the monitored area, the device having a local sensor configured to detect the visible illumination light, a processor configured to detect the embedded challenge signal and to use it to generate a response signal, and an emitter for transmitting visible light in which the response signal is embedded; a security camera arranged to detect the challenge signal emitted from the source and an image of the entity comprising response signal, the response signal and the challenge signal being detected within a predetermined time period; and

a decode module coupled to receive the response signal, to decode the response signal and to compare it to an expected response to the challenge, and to trigger an authentication action for the entity if the response signal matches the expected response.

In described embodiments, the monitored area is adjacent or in the vicinity of a further or a secure area to which access can be controlled by the security system. In one embodiment, triggering an authentication action for the entity comprises enabling access to the secure area. This could be achieved by automatically actuating a locking mechanism to release access to the secure area. In an alternative embodiment, it could be achieved by providing an identification signal which causes an identifier to be made available to a monitoring arrangement to determine if access is to be granted to the secure area.

In a further arrangement, the authentication action can comprise indicating the status of the entity based on whether the response signal matches the expected response or not. For example, if the response signal matches the expected response, an authenticated status for the entity can be indicated, for example, by an appropriate color on a screen in a monitoring arrangement.

An alternative aspect of the invention provides a security camera for monitoring an area, the camera comprising:

a control module operable to provide a challenge to be embedded in visible illumination light emitted by a source;

a light sensor arranged to detect a response signal, the response signal having been generated based on the challenge signal;

a decode module coupled to receive the response signal, to decode the response signal and to compare it to an expected response to the challenge, and to trigger an authentication action if the response signal matches the expected response.

In a still further aspect, the invention provides a security camera as defined above in combination with a source of visible illumination light which is coupled to receive the challenge signal and to embed the challenge signal in visible illumination light emitted by the source.

According to another aspect of the invention, there is provided a computer program product comprising computer-readable instructions which when executed by a processor perform the steps of: generating a challenge signal to be embedded in visible illumination light; associating in storage media the challenge signal with an expected response; decoding the embedded challenge signal and a response from visible light received by a light sensor from a device associated with an entity in a monitored area receiving the visible illumination light with the embedded challenge signal; and

determining if the received response matches the expected response and if so, triggering an authentication action for the entity.

A further aspect of the invention provides a method of monitoring an area comprising the steps of:

generating a challenge signal to be embedded in visible illumination light; associating in storage media the challenge signal with an expected response; decoding a response from visible light received by a light sensor from a device associated with an entity in the monitored area receiving the visible illumination light with the embedded challenge signal; and

determining if the received response matches the expected response and if so triggering an authentication action for the entity.

Another aspect of the invention provides a server comprising a processor arranged to execute computer readable instructions which perform the steps of

generating a challenge signal to be embedded in visible illumination light; associating in storage media the challenge signal with an expected response; decoding a response from visible light received by a light sensor from a device associated with an entity in a monitored area receiving the visible illumination light with the embedded challenge signal; and

determining if the received response matches the expected response and if so, triggering an authentication action for the entity.

A further aspect provides such a server in combination with a light sensor, for example, in the form of a camera, and optionally one or more source of visible illumination light.

Another aspect of the invention provides a wearable device for use in a security system for monitoring an area, the wearable device comprising:

a local sensor configured to detect visible illumination light in which a challenge signal is embedded;

a processor configured to detect the embedded challenge signal and to use it to generate a response signal; and an emitter for transmitting visible light in which the response signal is embedded, wherein the wearable device is configured to be associated with an entity in the monitored area.

A further aspect of the invention provides a method of monitoring an area, the method comprising:

receiving at a device associated with an entity in the monitored area a challenge signal embedded in visible illumination light;

the device using the challenge signal to generate a response signal; and emitting from the device visible light in which the response signal is encoded. In a security system for monitoring an area as herein defined, the processor may be configured to use the embedded challenge signal in a cryptographic step utilizing a local key to generate the response signal. In some embodiments it is possible to embed in the visible illumination light with the challenge signal a descriptor indicative of a preferred response expected by the decode module.

According to another aspect of the invention, there is provided a wearable device for use in a security system for monitoring an area, the wearable device comprising:

a local sensor configured to detect visible illumination light, in which a challenge signal is embedded with a descriptor indicative of a type of response;

a processor configured to detect the embedded challenge signal and to use it to generate a response signal; and

an emitter for transmitting visible light in which the response signal is embedded in a manner according to the type of response indicated by the descriptor, wherein the wearable device is configured to be associated with an entity in the monitored area.

The processor can be configured to access a local key which is used in a cryptographic to generate the response signal from the challenge signal.

The descriptor can indicate a parameter associated with encoding the response signal in the visible light, for example modulation frequency, etc.

The challenge can comprise a one-time code. A one-time code is a code generated for single use which is generally therefore time dependent and resilient against replay attacks. In view of the decoding time response to a one-time code should then arrive within a pre-determined window that allows for decoding of the challenge and reliable transmission of the response.

More alternatively instead of a one-time code, the code could be renewed after a predetermined period, the predetermined period could be chosen to match the level of security that it has to provide against replay attacks. The predetermined period could be e.g. 1 second, 1 minute, or an hour.

Alternatively, the challenge could comprise a pseudorandom sequence, optionally enhanced with time or location, the location allowing for spatial discrimination between codes within a building thereby complicating relay attacks.

In some embodiments, the security system can comprise a radio frequency transmitter which is configured under the control of the control module to provide an auxiliary challenge signal in an RF signal, wherein the processor at the device is configured to detect the auxiliary challenge signal and to use it with the embedded challenge signal to generate the response signal.

Where the cryptographic step utilizes a local key, this can comprise a group key which is allocated to a group of multiple devices, where access to a further or a secure area adjacent the monitored area is to be permitted for any member of the group.

The identification signal can provide an identity for comparison with the entity associated with the device. This can allow a monitoring arrangement to compare the identity which is provided with an entity which can be seen through an image picked up by the security camera and made visible to a monitoring arrangement, for example, on a monitoring screen.

The system can comprise a motion detector operable to detect a new challenge signal on detection of movement of an entity attempting access to the further or the secure area, and to advice the control module of the new challenge signal.

In the embodiments described herein, the ambient light used for general illumination of a restricted area is coded with a first invisible coded light signal (i.e. either applying an unobtrusive high frequency coded signal or a, for humans, invisible wavelength of the light). The protective equipment ( for example a garment) of workers in this restricted area is able to detect this first coded light signal and to convert this signal, using a function that is based on the first coded light signal (and preferably a device based secret), into a second coded light signal, which is typically also invisible for humans. The safety garment will consequently emit this non-visible coded light signal. The function could be a cryptographic function, e.g. an encryption function or a hash-function and depending on the security requirement might even be a non-cryptographic function. Optionally the device may also include the challenge signal with the response; so as to simplify verification.

Notably the general illumination light (that comprises the challenge) on account of its primary function; i.e. general illumination will have to be flicker free, and of a sufficient intensity to illuminate an environment. The latter is not necessarily the case for the response signal. In fact the response signal likely will be of lesser intensity and could potentially even blink or flicker and be perceptible to the human eye, as long as the light sensor used to detect the response (e.g. a security camera) can detect it. However preferably the response is flicker-free so as not to be annoying/distractive to bystanders.

In one embodiment, the device is a body worn device such as a garment or article of clothing which emits visible radiation. Personal Protective Equipment (PPE) such as safety garments are typically used to protect the wearer's body from injury or infection. European regulations prescribe that PPE intended for applications in which the wearer's presence must be visible, must have means to emit or reflect visible radiation with appropriate luminous intensity (see Council Directive 89/686/EEC). Such garments can be used in accordance with embodiments of the invention to emit coded light which forms the response.

Preferably to further simplify detection the body worn device may comprise an optical element that comprises one or more LEDs and additional optics, such that light from the one or more LEDs may be injected into a thin light guide such as an optical fiber, an optical fiber array, a ribbon-shaped light-guiding structure and coupled out of a larger surface area such as disclosed in US granted patent US9075170. Creating a larger light emission footprint is particularly advantageous when detection involves a rolling shutter camera, as a larger footprint will result in a larger signal carrying area in the images captured using rolling shutter camera.

When safety garments which emit coded LED lighting are worn in security areas, it will be much easier for security employees to monitor the different security areas via multiple monitor screens. In one embodiment, the system will help to identify people who are not allowed in certain areas. Where images of people seeking to gain access are made available on monitors, a detection algorithm which receives the response can be used to color code images of people on the monitor screens (e.g. by indicating a green circle for people with the right coded light and red circles for people who do not wear PPE with the correct coded light signal).

For a better understanding of the present invention and to show how the same may be carried into effect reference will now be made by way of example to the following drawings, in which:

Fig. 1 is a schematic diagram of a lighting system acting as part of a security system; Fig. 2 is a schematic block diagram of a control system in the security system;

Fig. 3 is a schematic block diagram of components at a wearable device;

Fig. 4 is a diagram showing message exchange of embedded signals in illumination light with simultaneous detection at a camera and a wearable device;

Fig. 5 is a diagram showing a signal exchange with multimodal signal generation by both an RF and illumination infrastructure;

Fig. 6 is a diagram showing signal exchange with RF base synchronization of the coded light emissions of the security system; and

Fig. 7 shows a screen with images from multiple monitors to be monitored by security employees .

DETAILED DESCRIPTION OF EMBODIMENTS

In the following description of non-limiting examples a lighting system is described which uses coded light for identification detection. The lighting system implements a security system for monitoring an area, for example to control access to a secure area adjacent the monitored area. In the described embodiments the system comprises: a luminaire providing visible coded ambient light; a body worn device (also referred to herein as a wearable device) to be worn by a person, (e.g. protective equipment such as safety garments, helmets etc.) including a sensor, a light source and a security camera.

The luminaire generates ambient light for the purpose of illuminating a zone around or adjacent to a secure area. That is, the ambient light has an illumination function for the monitored area. The illumination contains a first coded light signal which provides a challenge. The sensor of the protective equipment detects the first coded light signal and converts this signal using an embedded function (e.g. a hash function) into a second coded light signal which provides a response. This second coded light signal is a unique identifier which can be detected by the security camera. The challenge can be generated by a centralized control system and provided to a number of light sources in a connected network. In this case, all light sources would emit the same challenge. However, it is also possible to have luminaires that generate codes themselves without being connected to a control system that generates the codes. In this case, the security camera can register both the challenge and the response to provide a simple synchronization mechanism for unconnected (that is, not networked) light sources.

Embodiments of the invention render it possible to provide a challenge by means of the illumination light and to have the garment as a wearable light emitter provide a response to the challenge in a manner that allows the light sensor (detector or camera) to verify presence and authenticity of the wearable light emitter.

Figure 1 is a highly schematic diagram illustrating an infrastructure for embodying a security system. Luminaires LI and L2 are illustrated as providing ambient illumination for a monitored area 2. The luminaires act as a source of visible illumination. They each emit visible illumination in which is embedded a challenge signal. Although two different challenge signal CLla and CLlb are shown in Figure 1, we will describe a situation where one challenge signal is emitted by luminaire L2. The challenge signal is provided by a control system 4 which is connected to the luminaires. The control system 4 is also connected to a security camera 6. The control system is discussed in more detail later. The other challenge signal CLla shown in Figure 1 indicates that there can be scenarios where different luminaires emit different challenges, for example for different monitored areas.

In Figure 1, the camera 6 is shown as a separate device from the luminaires. In another example the security camera can also be embedded in the outdoor luminaire device.

The ambient illumination from luminaire L2, with its embedded challenge signal, is received by an entity in the monitored area seeking access to a secure area, in this case a person 8. The person has a wearable device 10, for example, a safety garment, which acts as an emitter for transmitting visible illumination. The garment also incorporates a local sensor 34 (Figure 3) which is configured to detect the visible illumination from the luminaire L2. The garment further incorporates a processor which is configured to detect the embedded challenge signal and to use it to generate a response. The illumination in which the response signal is encoded is labelled CL2 in Figure 1, and can be picked up by the security cameras 6. The control system receives the response signal (decoded from the illumination received from the garment) and compares it to an expected response to the challenge. If the response signal matches the expected response, access to the secure area can be enabled. This can be done in different ways as described in more detail in the following.

Coded Light (CL) is a method to embed information in the emitted light of electrical light sources without affecting the primary illumination function. Hence, the embedded information is not perceptible by humans but is electronically detectable. In general, the embedded information is encoded in the form of high frequency intensity and/or chromaticity modulations.

Preferably the code in the coded light signal is invisible to a human and is perceived as continuous flicker- free illumination light, or the code in the coded light signal may simply be unobtrusive to a human. In order to be perceived as flicker free the spectrum of the modulated signal, or the emitted light should not contain low frequencies, preferably there should be limited or no frequency components present below 50 Hz, and more preferably limited or no frequency components below 100Hz. Moreover, it is noted that repetitive messages may also give rise to low frequency components, however, this may be addressed through proper channel coding. For example in case of amplitude modulation, one could use a DC-free channel code, such as Manchester coding.

In embodiments, the modulation may comprise a single tone (sinusoid) or a single oscillating waveform (e.g. rectangular wave) and the frequency of this tone or waveform acts as the embedded code (i.e. different light sources each emit light with a different unique modulation frequency, unique within the system in question).

As light sources connected to the usual power grid commonly produce strong interference e.g. at DC, 50 Hz or 100 Hz, these frequencies quite often need to be suppressed at the coded light receiver side; i.e. filtered out in order to increase the signal to noise ratio. It is advantageous to take such filtering into account when selecting the modulation

(parameters), for example in case of frequency shift keying (FSK), the modulation frequencies are preferably placed at a sufficient distance from these suppression bands.

Alternatively more complex modulation schemes are possible in order to embed more complex data. For example the modulation frequency may be varied to represent data according to a frequency keying scheme, or the phase of the modulation frequency may be varied to represent data according to a phase keying scheme, or the amplitude of the modulation may be varied to represent data according to an amplitude keying scheme (e.g. a Manchester code or ternary Manchester code).

Alternatively coded light may leverage the fact that the human eye sensitivity to changes in color is lower than the sensitivity to changes in intensity. This may be advantageously used to modulate information in the light output of a luminaire with at least two light sources having different spectral color output. An example of such a system can be found in US8594510, but other approaches are known to those skilled in the art; including e.g. color-shift keying as proposed in IEEE 802.15.7-2011.

The challenge signal can be embedded in such a way in the illumination CLla/b from luminaires LI, L2. The response signal can be embedded in a similar or different way in the illumination CL2 from the wearable device 10. Thus, all the above- mentioned features of the challenge signal can apply to the response signal. Alternatively, a pulsed signal (e.g. at a frequency < 2Hz) could be used. To detect coded light, in embodiments the camera 6 is a rolling-shutter camera 6 in which the pixels of the image sensor are grouped into a plurality of lines (e.g. horizontal rows), and the camera 6 captures an image by exposing each of the lines in a sequence, at slightly different successive times. Thus each line captures the light from the light source at a slightly different time, and hence a different phase of the modulation. If the line rate is high enough relative to the modulation frequency, this therefore enables the modulation to be detected in the image. If the code is short enough relative to the number of lines in a frame, then the code can be detected in a single frame; or otherwise the code can be detected over multiple frames of a video image. Also, if the camera 6 is not a rolling shutter camera but rather a global shutter camera which exposes the whole frame at once, then the coded light can still be detected from a video image if the frame rate is high enough relative to the modulation frequency. Suitable coded light techniques will in themselves be familiar to a person skilled in the art.

By choosing the right frequency/color code, the security cameras can detect the emitted coded light signal CL2. The coded light signal can be embedded in the non- visible spectrum (e.g. IR) or embedded as high-frequency component in the emitted light. In both options, the coded light signal is not visible for the human eye. However, security cameras are able to detect the coded light signal, especially when the right "resonating" frequency (e.g. depending on the display refresh rate) has been chosen. That is, the security cameras can be suited to detect the coded signals. Thus the security camera acts as a light sensor or image sensor. It will be appreciated that any suitable sensor could be utilized to pick up the response signal.

In one embodiment, the cameras may also detect the first coded light signal CLl, thereby facilitating the synchronization between the challenge (CLl) and the response (CL2), as discussed later. Note that if a reflective wearable garment acts as the light source, it can emit the illumination CL2 as well as reflect the illumination CLlb.

Figure 2 is a schematic diagram showing the control system 4 of the security system. The control system is illustrated in terms of functional blocks. It will readily be appreciated that these functional blocks may all be implemented in a single piece of hardware, such as a computer server. Alternatively, they could be implemented in a distributed fashion, and indeed some of the functions could be incorporated into other elements of the security system, for example, into the camera 6 or a controller embedded in the luminaire L2. The functions can be implemented by one or more processor executing suitable code comprising computer readable instructions, in firmware or in hardware. Code can be shared locally or remotely, e.g. for wired or wireless access.

Figure 2 illustrates a control module 20 which issues the challenge which will be embedded into the visible illumination from the luminaire. The challenge is associated with an expected response in storage media 22. The illumination CL2 with the embedded response signal is picked up by the camera 6 and the response signal is detected by an image handling module 18. The image handling module 18 may be implemented in one or more of a number of different possible places, such as: in the same unit as the camera device 6

(meaning integrated into the same housing); in an external device (a device in a separate unit, i.e. separate housing, than the camera device 6); or a server (comprising one or more server units at one or more sites, i.e. at one or more data centers or geographic locations).

A decode module 24 receives the response from the image handling module 18, decodes it and compares it to the expected response which was stored in the storage media associated with the challenge. Where the response signal was generated using a private or secret key, the decode module 24 uses a paired key to decode it. The decode module then sends information to a monitor 26, for example, flagging people in red or green to indicate their status, based on whether the received response matched the expected response.

Alternatively, or additionally the decode module 24 can communicate with an identity module 28 where identities have previously been stored in association with expected responses. These identities may then be supplied to the monitor 26 when the appropriate code in the response is detected.

Figure 3 is a schematic diagram of the core components which are worn by a person. These components are incorporated into a wearable device associated with the person, for example, in the garment. They include a processor capable of performing a cryptographic or non-cryptographic function, labelled "cryptographic module 30". The cryptographic module operates with a local key 32 stored in storage media 32 accessible by the module 30. The coded light CLlb is picked up by a local sensor 34 and the challenge signal is identified and supplied to the cryptographic module 30. The cryptographic module generates a response to an emitter 36 which embeds the response into emitted light. This is a schematic version only, the details of which are set out more fully in the following.

While a non-cryptographic function can be used, the use of a cryptographic function further strengthens security as it complicates the generation of responses by unauthorized parties. The cryptographic function in crypto module 30 may be a hash function. By using a cryptographic hash, and by hashing the challenge with the cryptographic key, a proof of authenticity can be generated that shows that the responding device has received the challenge (and thus is at the spatial location) and is in possession of the cryptographic key. The hash meanwhile can be chosen to substantially preserve the security of the cryptographic key. The coded light signal CLlb, as well as the embedded hash function, can periodically be adjusted to increase the security of the overall system (e.g. every week different codes can be applied). Another option is to update the hash algorithm as a function of the area in which the user is found (e.g. using a NFC tag at the entrance door or in combination with the security badge).

The coded light signal and hash function can be implemented in safety garments, such as vests but also e.g. in safety helmets or other elements of the Personal Protective Equipment (e.g. shoes, belts, shirts, jackets, trousers, etc.).

Video analyzing software provided at the security camera, for example in the image handling module 18, can assist in identifying the coded light signal in order to flag people in red or green to indicate their status. Such video analyzing software can also assist in the visualization of the person on the monitor screens, in particular to allow the

identification of people that are "tagging along", but that are in fact trespassing. For example, a person could be identified by a green circle (or outlined in green for example) if they are allowed access to the secure area. Conversely, they could be outlined in red, or be associated with a red circle, if they are not allowed in the secure area.

A feedback loop back to the ambient light function (i.e. outdoor luminaires) can be used to signal towards the unauthorized person that he/she entered a restricted area. For example, a predetermined confirmation can be provided to the person such as a particular blinking or color pattern which is presented to the person depending on the class of location where access is sought. Such signaling could be provided by additional illumination light sources, or by the same light sources that emit the coded light in such a manner that there is no interference with the coded light emission. According to one possibility, colored light could be used to provide a signal to the person, whereas intensity could be used to transmit the coded light signal in the illumination. In this way, it could be indicated to a person using a red light that they are trespassing/not authorized to enter the secure area adjacent the monitored area.

The basic challenge/response will now be described with reference to

Figure 4. The control module 20 injects a time-varying challenge in the form of a nonce l into its coded light emissions. The coded light emission is received by the sensor 34. The sensor can be a coded light receiver (e.g. in the form of a photo-diode based detector). The sensor 34 detects the nonce l and hands this over to the cryptographic module 30 to form a response.

The cryptographic module 30 uses information available at the module; e.g. in the form of a private key 32 (in case of public key cryptography) or in the form of a secret key (in case of symmetric cryptography) to provide a response that only a module having that unique key could generate.

The cryptographic module 30 encrypts the nonce l using its private or secret key 32 and outputs this response by means of a coded light emission CL2 for receipt by the security system in a particular location.

The security system subsequently uses the corresponding public key 25 and/or its copy of the secret key in order to verify authenticity of the cryptographic module. In this manner the security system may simultaneously verify that the cryptographic module is present at the location on account of the fact that the cryptographic module used the nonce l (which was time varying) and at the same time can verify authenticity of the module as the response can only be generated by a module having the secret key.

In order to assist the security system in verifying the proof of presence; the response may also comprise an indication of the alleged identity of the "prover". This in turn changes the task for the security system from one of identifying the response (1 :N); to that of authenticating the response (1 : 1).

As some safety garments typically also have reflective stripes, coded light CLla, CLlb emitted by conventional luminaires can be reflected by the safety garments and thereby be detected as well by the security cameras. In this case, it can be advantageous if both signals are synchronized to improve the signal to noise ratio of the overall coded light signal. Such synchronization may be in the form of time multiplexing. For example, the coded light from the illumination source can be transmitted in a certain time slot, while light from the body worn emitter is emitted in another time slot. This would be one way of implementing synchronization using temporal separation. Other schemes may also be used to create non-interfering signals. For example, the illumination light might use intensity modulation for the coded challenge, whereas the body worn device could use spectral separation (color modulation) for the response. More optionally, retroreflectors might be positioned such that it is easy to use spatial separation in the captured images. This could be done by locating the retroreflectors out of the proximity of the light source.

On account of the fact that the camera system may register both the challenge as well as the response from the wearable device thereto, only a limited amount of synchronization will be required as long as the transmission of a particular nonce persists sufficiently long for robust detection of both the challenge as well as the response by the camera.

In one embodiment, the challenge may provide information on a desirable response.

As wearable devices, in particular in case of first responders, could be used in combination with a wide variety of systems on multiple sites; the illumination system, may in addition to the challenge, also provide a descriptor indicative of the preferred response.

For instance the challenge may provide an indication in the form of an identifier (ID); that may be used as index in a lookup table 35 in the wearable device 10 to select a preferred modulation type, bit-rate and/or modulation frequency for providing a response. More alternatively the descriptor could comprise one or more parameters; such as modulation depth, modulation frequency or modulation amplitude.

A multimodal challenge/response will now be described with reference to Figure 5 which shows multi-modal nonce generation by both an RF and illumination infrastructure.

In yet a further embodiment the nonce 1 as emitted by the luminaire may be complemented by a substantially simultaneously emitted nonce_2 that is emitted in an RF transmission 9 using an RF transmitter. See RF transmitter 7 in Figure 1. The nonce l and nonce_2 may e.g. be combined by the cryptographic module 30 e.g. by means of an XOR or by means of a concatenation function in order to strengthen robustness and/or security.

Response = E(keyl, nonce l XOR nonce_2)

Response = E(keyl ||key2, nonce_l || nonce_2)

Response = E(keyl || lkey, nonce_l || nonce_2)

(where || is the concatenation operator, and key 1 / 2 are the local keys such as key 32.)

That is, a response could use one key for both nonces, or a key per nonce.

Alternatively as shown in Figure 6, the RF transmission 9 may be used to simplify synchronization of transmission of the challenge by the illumination light from the luminaire and transmission of the response as coded light by the body worn coded light emitter 36, such that the challenge does not collide with the response signal. To this end the RF signal might be a mere toggle for signaling the transmission opportunity for the challenge and or for the response in order to prevent collision of visible light codes from the luminaire(s) and the wearable device 10.

More alternatively the coded light challenge signal embedded in the illumination light may be arranged to comprise blank spaces wherein the illumination light is not modulated and the body- worn device 10 may be arranged to only transmit during such blank spaces. The latter may be particularly useful when the body worn device is used in proximity of reflecting clothing.

In case the encrypted response E(key,nonce_l) would be considered to be too lengthy for the transmission by the body worn device; e.g. as a result of limitations in transmit power available, a solution may be used in the form of a cryptographic hash/entropy preserving message digest function in order to shorten the encrypted response without unnecessarily jeopardizing security.

In a further embodiment the cryptographic module 30 may instead of using a secret key particular/unique to that cryptographic module use a secret group key. Such a group key may be representative of a class of users; and may for example be issued to first- responders, such as the fire-department, the police department and/or medical first aid personnel. Based on the response received and the state of the security system, the thus obtained proof of presence and authenticity may be used to provide an emergency access control feature.

Detection by the security system of an authenticated response may allow the security system to determine the identity of a wearer by proxy; i.e. the detected cryptographic module may be linked to an identity. Such an identity may be registered on a semi-permanent basis or when badges, or security clothing are handed out and stored at the control system in identity module 28. Alternatively the security system may authenticate the wearer as belonging to a class of users.

In response thereto the security system may flag the person detected in camera footage to human observers on monitored images from the security signals using either the person's identity, or the group identity. If privacy considerations are an issue such

information may be first transformed into privacy preserving metadata that for example transforms an identity in to e.g. an access level that is anonymized but has meaning to the security personnel. Alternatively the same functionality may be used to enable a conditional access control function, here again access could be controlled on identity level, or on group, or access level. The latter may be particularly useful when the sensor 34 (e.g. coded light detector) and emitter 36 are incorporated in e.g. a body worn badge. As a result the body worn badge may be challenged by the illumination lighting signal; and upon authentication may also trigger devices, such as automated door locks to be released, or access to terminal devices be enabled.

Motion/presence detectors 27 within an existing lighting system may be used to trigger the generation of a new nonce upon detection of a new as-of-yet unseen presence and may cause such a modified challenge to be embedded into the illumination transmitted from the luminaire. As a result it will become more difficult to perform a replay attack as the new nonce will command a new response.

The motion/presence detectors may use a wired or wireless transmission 29 to the security system to flag the use of a new nonce; in this manner pre-existing hardware may be given a further function and can be used to prevent replay attacks.

Although in the above examples a nonce is used, another possibility is short pseudo random sequences. In the latter case, to prevent replay attacks, it may be possible to further "uniquify" the shorter numbers by means of a location or time specific pre-fix or postfix unique thereto, thereby allowing the system to prevent replay attacks in different locations and or at different moments in time.

Embodiments of the invention find application in a variety of contexts including without limitation military venues or other secured areas watched over by security cameras. Introducing wearable devices such as protective clothing items embodying the invention can enhance existing security provisions.

Figure 7 shows a monitor 26 with multiple monitor screens 72a, 72b. Each monitor screen shows the image from a security camera 6. A security system may have multiple such cameras. Each image may be flagged red or green as described earlier, based on the coded light emissions from wearable devices of people whose image is picked up by the camera.

It will be appreciated that the above embodiments have been described only by way of example. Other variations to the disclosed embodiments can be understood and effected by those skilled in the art in practicing the claimed invention, from a study of the drawings, the disclosure, and the appended claims. In the claims, the word "comprising" does not exclude other elements or steps, and the indefinite article "a" or "an" does not exclude a plurality. A single processor or other unit may fulfil the functions of several items recited in the claims. The mere fact that certain measures are recited in mutually different dependent claims does not indicate that a combination of these measures cannot be used to advantage. A computer program may be stored and/or distributed on a suitable medium, such as an optical storage medium or a solid-state medium supplied together with or as part of other hardware, but may also be distributed in other forms, such as via the Internet or other wired or wireless telecommunication systems. Any reference signs in the claims should not be construed as limiting the scope.