Secure gateways for connected dispensing machines

US 10,313,316 B2
Filed: 05/26/2016
Issued: 06/04/2019
Est. Priority Date: 05/26/2016
Status: Active Grant

First Claim

Patent Images

1. A dispenser controller comprising:

a dispenser web service client configured to construct a web service message comprising a header and a body, wherein the body contains telemetry data of a dispenser machine;

a dispenser web service gateway configured to;

intercept the web service message from the dispenser web service client in a manner transparent to the dispenser web service client before the web service message is sent over a computer network to an administrator controller;

determine the web service message is different than a heartbeat message;

create a digital signature by signing at least a part of the telemetry data in the web service message with a private key associated with the dispenser controller based on the determination that the web service message is different than the heartbeat message;

insert the digital signature into the header of the web service message;

encrypt at least a part of the telemetry data in the body of the web service message; and

transmit the web service message, after inserting the digital signature into the header of the web service message and encrypting the at least a part of the telemetry data in the body of the web service message, to the administrator over the computer network.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present disclosure is directed to systems and methods for securely providing telemetry data of a dispenser machine to an administrator system via an exposed web service over a computer network. To secure the exposed web service, the systems and methods of the present disclosure provide secure gateways at the dispenser machine and the administrator system that can provide one or more of message integrity, authentication, authorization, and confidentiality. The secure gateways are implemented separate from the applications creating web service request and response messages at the dispenser machine and the administrator system, respectively. Because the secure gateways are implemented separate from the applications creating the web service request and response messages, the applications creating the web service request and response messages can be created and modified without consideration to message security, which is handled transparently by the secure gateways.

15 Citations

21 Claims

1. A dispenser controller comprising:
- a dispenser web service client configured to construct a web service message comprising a header and a body, wherein the body contains telemetry data of a dispenser machine;
  
  a dispenser web service gateway configured to;
  
  intercept the web service message from the dispenser web service client in a manner transparent to the dispenser web service client before the web service message is sent over a computer network to an administrator controller;
  
  determine the web service message is different than a heartbeat message;
  
  create a digital signature by signing at least a part of the telemetry data in the web service message with a private key associated with the dispenser controller based on the determination that the web service message is different than the heartbeat message;
  
  insert the digital signature into the header of the web service message;
  
  encrypt at least a part of the telemetry data in the body of the web service message; and
  
  transmit the web service message, after inserting the digital signature into the header of the web service message and encrypting the at least a part of the telemetry data in the body of the web service message, to the administrator over the computer network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The dispenser controller of claim 1, wherein the telemetry data includes both consumption data of the dispenser machine and status data of the dispenser machine.
  - 3. The dispenser controller of claim 1, wherein the dispenser web service gateway is further configured encrypt the at least a part of the telemetry data in the body of the web service message using a public key associated with the administrator controller.
  - 4. The dispenser controller of claim 1, wherein the dispenser web service gateway is further configured encrypt the at least a part of the telemetry data in the body of the web service message using a symmetric key.
  - 5. The dispenser controller of claim 4, wherein the dispenser web service gateway is further configured to encrypt the symmetric key using a public key associated with the administrator controller.
  - 6. The dispenser controller of claim 1, wherein the dispenser web service gateway is further configured to send a second heartbeat message, without signing or encrypting data within the second heartbeat message, to the administrator controller before transmitting the web service message to the administrator controller over the computer network, wherein the second heartbeat message is used to signal that the dispenser machine exists to the administrator controller.
  - 7. The dispenser controller of claim 1, wherein the dispensing machine dispenses beverages.
  - 8. The dispenser controller of claim 1, wherein the computer network is the internet.
  - 9. The dispenser controller of claim 1, wherein the dispenser web service gateway comprises a hypertext transfer protocol (HTTP) proxy.
  - 10. The dispenser controller of claim 9, wherein the dispenser web service gateway is further configured to intercept an HTTP request message containing the web service message from the dispenser web service client.

11. An administrator controller comprising:
- an administrator web service gateway configured to;
  
  receive a web service message comprising a header and a body over a computer network, wherein the header contains a digital signature and the body contains encrypted telemetry data of a dispenser machine,determine the web service message is different than a heartbeat message;
  
  authenticate the web service message using a public key associated with the dispenser machine;
  
  authorize a request in the web service message based on an identity of the dispenser machine, anddecrypt the encrypted telemetry data in the body of the web service message based on the determination that the web service message is different than the heartbeat message; and
  
  an administrator web service provider configured to process the web service message based on the request and the decrypted telemetry data after the web service message has been authenticated and the request authorized by the administrator web service gateway,wherein the administrator web service gateway provides the web service message to the administrator web service provider in a manner transparent to the administrator web service provider.
- View Dependent Claims (12, 13, 14, 15, 16, 17)
- - 12. The administrator controller of claim 11, wherein the telemetry data includes both consumption data of the dispenser machine and status data of the dispenser machine.
  - 13. The administrator controller of claim 11, wherein the web service gateway is further configured to authorize the request in the web service message based on the identity of the dispenser machine only after authenticating the web service message.
  - 14. The administrator controller of claim 11, wherein the request is to place the decrypted telemetry data into a database.
  - 15. The administrator controller of claim 11, wherein the dispensing machine dispenses beverages.
  - 16. The administrator controller of claim 11, wherein the computer network is the internet.
  - 17. The administrator controller of claim 11, wherein the administrator web service gateway is further configured to receive a second web service message from a second dispensing machine.

18. A method comprising:
- constructing, by a web service client, a web service message comprising a header and a body, wherein the body contains telemetry data of a dispenser machine;
  
  intercepting the web service message from the web service client in a manner transparent to the web service client before the web service message is sent over the internet to an administrator controller;
  
  determine the web service message is different than a heartbeat message;
  
  creating a digital signature by signing at least a part of the telemetry data in the web service message with a private key associated with the dispenser controller based on the determination that the web service message is different than the heartbeat message;
  
  inserting the digital signature into the header of the web service message;
  
  encrypting at least a part of the telemetry data in the body of the web service message; and
  
  transmitting the web service message, after inserting the digital signature into the header of the web service message and encrypting the at least a part of the telemetry data in the body of the web service message, to the administrator over the internet.
- View Dependent Claims (19, 20, 21)
- - 19. The method of claim 18, wherein the telemetry data includes both consumption data of the dispenser machine and maintenance data of the dispenser machine.
  - 20. The method of claim 18, further comprising:
    - sending a second heartbeat message, without signing or encrypting data within the second heartbeat message, to the administrator controller before transmitting the web service message to the administrator controller over the internet, wherein the second heartbeat message is used to register the dispenser machine with the administrator controller.
  - 21. The method of claim 18, wherein the dispensing machine dispenses beverages.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
PepsiCo Incorporated
Original Assignee
PepsiCo Incorporated
Inventors
Gong, George Xu
Primary Examiner(s)
Collins, Michael

Application Number

US15/165,907
Publication Number

US 20170346795A1
Time in Patent Office

1,104 Days
Field of Search

700231-244
US Class Current
CPC Class Codes

B67D 1/0022   the apparatus comprising me...

B67D 1/0888   Means comprising electronic...

G07F 9/002   Vending machines being part...

H04L 2209/80   Wireless network architectu...

H04L 63/0435   wherein the sending and rec...

H04L 63/0442   wherein the sending and rec...

H04L 63/045   wherein the sending and rec...

H04L 63/0471   applying encryption by an i...

H04L 63/123   received data contents, e.g...

H04L 67/02   based on web technology, e....

H04L 67/125   involving control of end-de...

H04L 9/32   including means for verifyi...

H04L 9/3236   using cryptographic hash fu...

H04L 9/3247   involving digital signatures

H04W 4/70   Services for machine-to-mac...

Secure gateways for connected dispensing machines

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

15 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Secure gateways for connected dispensing machines

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

15 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links