DE10141737C1 - Secure communication method for use in vehicle has new or updated programs provided with digital signature allowing checking by external trust centre for detection of false programs - Google Patents

Abstract

The communication method provides secure exchange of data between processors and programs coupled by a data bus with data encoding and/or authentication, using a public key method with cryptographic keys embedded in the processors and the programs. One of the processors acts as a trust component, with new and/or updated programs only loaded in the databus system via the trust component and provided with a digital signature allowing checking for detection of false programs by an external trust centre, before generation of a key pair provided by a public key and a private key for the program.

Description

The invention relates to a method for securing the Kommu between computers and programs in a traffic message tel, whereby the computers and programs data by means of a data exchange the data, encrypt the data exchange and / or Authenticated takes place, cryptographic keys in the Computers and / or programs are stored, with the Absi communication is a public-key process is, wherein participating in the public-key method computers and / or programs each a corresponding key pair consisting of a public and a private key assigned by a trust component, whereby the trust Component of one of the computers within the means of transport is formed.

From DE 100 08 974 A1 a method for ensuring the data integrity of a software for a control unit of a Motor vehicle known. Here is proposed a key selpaar for the control unit for encryption and decryption of provide electronic data. The software to be loaded The goods are electronically signed with the first key. The electronic signature is issued by the relevant control unit checked by means of the second key. The second key was already stored in the control unit before the test. The Generation of key pairs can be in the vehicle or outside respectively. Is the key pair for a control unit in the driving generated, the first key must be readable.  

DE 100 08 973 A1 discloses a method which comprises the in DE 100 08 974 A1 disclosed method on several computations extended by digital signature of certificates.

The article "Vehicular Implementation of Public Key Cryp tographic techniques "(Arazi, B in IEEE Transaction on Vehicular Technology, Vol. 40, no. 3, August 1991, pages 646-653) how public-key systems are implemented in vehicles, focusing on the communication of the vehicle or the driver is placed with external terminals, for example when paying tolls or parking fees or when refueling.

EP 0 816 970 A2 discloses a method and a device known by means of which when starting computer systems a Authenticity check of the boot program via a public Private key procedure takes place.

US 5844986 discloses a device for preventing unauthorized manipulation on the BIOS of computer Systems. This will update the BIOS via Public-key procedure checked.

Used in vehicle information and vehicle control system Software or hardware components have different Tasks that require access to, for example, Files, drivers, interfaces or data bus systems needed become. Accesses of this type are with data exchange between connected to the respective components and as sicherheitskri to look at. Thus, he is a strict access control required so that each component accesses one other component can authenticate. Because the components of Different manufacturers can come, the different be trusted, care must be taken that a false identity can not be faked.  

The information exchanged between the components can be confidential, if, for example wise addresses, passwords, business papers, diaries by means of the vehicle information and vehicle control system are processed. The vehicle can be driven by different drivers are used, which generally have unrestricted access have the complete networked system. That's one thing possible attackers very easily listening devices in this network to install the system. It also allows traffic on a network  be monitored by means of directional microphones. To the trust in the vehicle by means of a data bus system This information must be provided to ensure that information is available Encrypted transfer between the individual components become.

Authentication and encryption are the two security services that are of central importance here. By Ver encryption may entail confidentiality secured data can be achieved. In authentication, two Types of authentication differed: Authentication of a Entity and authentication of the data origin. Under Authenti The identification of an entity becomes proof of identity Entity, here hardware or software component, understood. With the help of the authentication of the data origin, the Un corruptedness of various properties of transmitted Data are guaranteed, in particular sender, content, time point of creation. This service implies in particular the Integrity of transmitted data.

The public-key encryption method is among others through the work of Diffie and Hellmann (W. Diffie, M.E. Hellmann, "New Directions in Cryptography", IEEE Transactions on Information Theory, Vol. IT-22, November 1976, pages 644- 654) and Rivest, Shamir and Adleman (R. Rivest, A. Shamir and L. Adleman, "A method for obtaining digital signatures and public-key cryptosystems ", Communications of the ACM, Vol. 27, No. 2, February 1978, pages 120-126, the so-called RSA Method) known. In this procedure are two keys used; one for encryption and the other for decryption. This method is also called asymmetric encryption referred to. In contrast, use symmetric Encryption methods, such as DES, for Vote and decrypt the same key.

The separation into a public and private key at asymmetric encryption facilitates key management  ment considerably because the public needed for encryption key does not need to be protected and thus protected by all Communication partners can be used. Because of this Advantage will be the public-key method in the field of digital Signature used. Certification bodies, so-called trust Center, take over the registration of the persons who key selgenerierung and awarding and the directory service for the public key. For digital signature signed one Person with her private key the electronic document. In the signature, the hash value becomes a more characteristic electronic fingerprint, electronic document determined and encrypted to the electronic document prevented. The recipient can use the public key the authenticity of the sender and by comparing the current With the decrypted hash value, the integrity of the notice the document received.

The concept of the certification authority, also trust center ge called, has the advantage that a central location for the Au thenticity that she has created, spent, and administered key pairs. This ensures that yourself the participants on the authenticity of the key owner being able to leave. For example, a person can only enter Key pair to participate in the digital signature, if they have previously been to a certification authority has authenticated a badge. This will be at the Trust Center the circle of entities to be trusted is selected and ent stands with the trusted entities a trustworthy Surroundings.

The scope of the public-key procedure is manifold. Which key, public or private, for or decrypting, depends on the application.

The public-key procedure can also be used to exchange keys for other encryption methods like Data Encryption Stan dard (DES) in the case of symmetric encryption  become. So the advantage of the asymmetric method, so simple key management, with the advantage of symmetrical Method, so speed, be combined.

An overview of the different encryption methods and their application is described in the article "The Cryptography Report ", published in the magazine Elektronik 22/2000, Page 78-86, to find. Details can be found in the standard work "Hand book of Applied Cryptography "(A. Menezes, P. v. Oorschot, S. Vanstone, CRC Press, 1997).

Authentication as well as encryption can be done by means of the asymmetric encryption method described above be realized if the entities owned by Informatio which are unknown to the other entities, that is have a secret. This secret is the private key (PrivKey) of the respective entity. The associated public The key (PubKey) must be available to all entities stand, whereby the generation of the key pair as well as the Directory service ideally done centrally to To guarantee authenticity of the participating entities.

In DE 196 52 256 A1 discloses a method for securing the Data transmission between control units in a motor vehicle discloses tools that communicate with each other via a data bus In this process, the communication takes place between the control units in encrypted form. The shape of Ver encryption depends on one stored in the ECUs secret key and from a time-varying to case size off. The procedure allows a secure communication tion on the data bus because it is a symmetric ver encryption method in conjunction with a random number gene actor. The process is complicated, since before its An the random number generation takes place and this too number of units is communicated to all participating control units got to. It also stands for authentication in communication  between the control units no ECU-related key ready.

It is now the object of the present invention, a Verfah secure communication between computers and / or to provide programs in means of transport that is feasible without great effort and a safe procedure represents in data bus systems. In addition, the process should be like this be designed that retrofitted components in simple Can be involved in the hedging process.

This object is achieved by the features of the claim 1 solved. After that, new and / or updated Programs only via the trust component in the data bus system loaded. The new and / or updated ones to be introduced Programs are digitally signed. The trust component checks the Programs on security to ensure that no ge fake program can get into the data bus system. The Review of new and / or updated loaded programs takes place by means of their digital signature via an external Trust Center, being successful in security testing the trust component consists of a key pair consisting of one public and private keys generated for the program and the key pair as well as the public key of the Trust component is attached to the program.

Securing communication between the participants Computers and / or programs can be encrypted via of the public-key method. There a pure public-key encryption due to the necessary high computing capacity is very slow, in general used a hybrid method. After that, the public key Procedure for agreement and exchange of a common used symmetrical key. The actual encryption The data is then separated by means of the symmetrical Ver encryption method, which binds less computing capacity and thus is much faster.  

The public-key method can also be used to authenticate the Computers and / or programs as well as for data authentication, especially for checking data integrity, according to the above described methods are used.  

The trust component thus corresponds to one within the Ver arranged internal trust center and takes over the tasks described above. The term calculator should be any Include type of control unit. In particular hardware Components that are equipped with appropriate software which allow the loading and unloading of programs at runtime such as the OSGi standard (Open Services Gate way Initiative, "OSGi Service Gateway Specification", Release 1.0, May 2000). Programs can use software programs, modules or data.

Due to the advantageous restriction of the hedge on the In-vehicle communication can be the trust center in the Transportation will be integrated and the key generation can be done dynamically within the means of transport. Thereby loses the application of the public-private key method for Complex data bus networks and is particularly suitable for the use in transport, since no communication with a trust center located outside the means of transport necessary is.

In a further development of the method according to the invention new and / or updated programs only through the Trust Component loaded into the data bus system. The trust component checks the programs for security, that is their authenticity and integrity, to ensure that no fake pro gram into the data bus system.

With the help of this procedure becomes a trusted environment within the means of transport, as only safe units are loaded into the data bus system can.

The inventive method can be in an advantageous Further educate yourself by clicking on Safely if successful The trust component is a key pair consisting of one  public and private keys generated for the program and the key pair as well as the public key of the Trust component is attached to the program.

Thus, for a tested for authenticity and integrity Program while charging the corresponding key selgenerated dynamically. The program is from this time also part of the trusted environment of the data bussystems and can participate in secure communication.

There are now various possibilities, the teaching of the present to design the invention advantageously and further education. This is on the one hand to the subordinate Claims and on the other hand to the following explanation of the Procedure to refer. It should also the advantageous Ver be included driving variants, which can be from any Combination of subclaims.

The vehicle information and vehicle control system consists of multiple computers connected to each other via a data bus system are connected. Within the computers run software programs or software modules. Both the calculator and the soft Software programs use the data bus system to communicate with the other computers and their software programs and / or soft ware modules. The calculators have the option software program me or modules to exchange with each other.

Only one of the computers, hereinafter referred to as trust component be features an interface that allows additional to introduce software programs from outside into the system. This trust component is also called gateway loader or commu referred to in the notification platform. The interface of this trust Component has a wireless communication protocol such as GSM or Bluetooth on. The interface can also as be designed serial interface, via direct on For example, it is possible to read in data from a CD-ROM.  

The software programs or modules to be introduced are from the Manufacturer digitally signed, so that the trust component with the method described above the authenticity and Integri the software programs or modules that have just been transferred, and the degree of confidentiality via an external trust Center can check. So that the trust component is capable of doing so must be in a safe environment before the public Key of the external trust center in the trust component be stored in read-only mode.

In a secure environment, ie in the production of Ver sweetener or in a workshop, can now be the distribution the key, especially the private key, to the individual hardware components, d. H. the computers and the trust Component to be performed. In the first step, the Computer in the safe environment with the private keys equipped and afterwards can also every software program or - module to be assigned a private key.

First, a key pair, consisting of a priva and a public key (PrivKeyG, PubKeyG), for the trust component is generated by the trust component and filed there. When installing each computer will turn from the trust component for each computer a key selpaar, consisting of (PrivKeyL, PubKeyL) generated. This Key pair and public key (PubKeyG) of the Trust components are stored together on each computer, which should be integrated in the secure data transmission. Of the private key of the computer (PrivKeyL) is against one unauthorized read and write access protected. For the public key (PubKeyG and PubKeyL) on the machine is sufficient only a write protection. The public key sel (PubKeyL) of the embedded in a software program transfer computers, is also stored in the storage area of the trust Component stored as read-only because of the public Key (PubKeyL) for the above encryption ver drive must be available to all computers.  

Depending on the encryption and signing method used The generation of keys is based on different maths matic theories. Algorithms for generating keys For symmetric and asymmetric methods, this can be cited prior art (see For example, chapters 4 and 5 in "Handbook of Applied Cryp tography ", A. Menezes, P. v. Oorschot, S. Vanstone, CRC Press, 1997).

It is of particular importance in this process that the Computer in a first step in a secure environment with Keys are equipped. The keys can, as in Executed in the embodiment of the intrinsic system Trust component can be generated, or even via an external Trust Center will be made available.

After all computers with the appropriate keys in sys tem, the trust component contains a private key (PrivKeyG) that is write and read protected is. In addition, the trust component represents the public Keys for each individual on secure data transmission participating computers are write-protected.

The trust component thus serves as certification in the system position and trust component. Since all other computers in the Hold the public key of the trust component, Anytime a single computer can correct the public Key of another machine from the trust component ask. Furthermore, at any time a secured, so au thentisierte and confidential communication after the above be wrote public-key procedures between the computers be built.

After the calculator and the trust component in a secure Environment installed and with the appropriate keys In the second step, the software pro  programs or modules are loaded into the system via the Trust Center become. The new software programs or modules will, like described above, on their authenticity and integrity of the Trust component checked by means of an external trust center. This ensures that no fake software pro gramme, modules or data to the individual computer be transmitted. After checking a new software program through the trust component generates the trust Component a new key pair (PrivKeyN, PubKeyN) for this new software program. The public key (pub KeyN) is stored in the trust component as read-only, so that this all components for the application of the closures lation and authentication procedures are available.

Subsequently, will be to the transmitted software program Key pair (PrivKeyN, PubKeyN) and public key attached to the trust component (PubKeyG). By means of the above described encryption mechanisms between Trust Center and calculator can now safely return the package to that one Calculator that runs the software program from the trust component or an external workshop has been requested. The software program sets the private key to write and protected from reading, so that the key against unauthorized access is protected. The calculator must take care that the software programs or modules are not the private ones Keys of other software programs installed on it modules can read.

From this point on is a new software program with a clearly secured secret in the form of a private key sels (PrivKeyN). Because the corresponding public Key (PubKeyN) for each software program in the trust Component is stored at any time by any software pro gram the public key of another software program be queried secured. If a software program of one transferred to another computer, the software program takes the Key in the transfer with, in which the keys are behind  attached to the transmitted data. As between the If a secure connection is established, the private keys during data transfer over the data bus can not be intercepted.

Claims (5)

1. Method for securing communication between computers and programs in a means of transport,
the computers and programs exchanging data by means of a data bus,
the data exchange is encrypted and / or authenticated,
Cryptographic keys are stored in the computers and / or programs, wherein
to secure the communication, a public-key method is used, wherein in the public-key-method participating computers and / or programs each have a corresponding key pair consisting of a public and a private key is assigned by a trust component, said
the trust component is formed by one of the computers within the means of transport,
characterized in that
new and / or updated programs are only loaded into the data bus system via the trust component,
the new and / or updated programs to be submitted are digitally signed,
the trust component checks the programs for security to ensure that no fake program can enter the data bus system,
the examination of new and / or updated charged. Programs by means of their digital signature via an external trust center, where
Upon successful verification for security, the trust component generates a key pair consisting of a public and private key for the program and
the key pair and the public key of the trust component are attached to the program. 2. The method according to claim 1, characterized, that when testing for security an exam on Authenti the quality and / or integrity of the program. 3. The method according to claim 1, characterized, that when moving a program to another machine the key pair consisting of a private and a public key of the program will not be reassigned. 4. The method according to claim 1, characterized in that
when moving a program to another computer a data packet consisting of the program, the key pair of the program and the public key of the trust component is formed and
this data packet will be encrypted between the computers to ensure the trusted environment in the data bus system. 5. The method according to any one of the preceding claims, characterized
that to secure communication
Encryption is carried out by means of the public-key method Runaway and / or
Authentication of computers and / or programs by means of the public-key method method is performed and / or
Data authentication is performed by means of the public-key method.