EP4035970A1 - Method for encoded communication between a track-bound vehicle and a track-side device, and devices for applying the method - Google Patents

Abstract

The invention relates to a method for coded communication between a track-bound vehicle (FZ) and a track-side device (SE1 ... SE6), in which several telegrams (T1, T2) between the track-side device (SE1 ... SE6) and the route-bound vehicle (FZ) are transferred. The telegrams (T1, T2) each have a user data area for filling with user data and a code area for coding the user data. At least one of the telegrams (T1, T2) is transmitted unencrypted in such a way that the user data area is filled with the unencrypted user data, which is encoded using the code area, the telegram (T1, T2) is transmitted encoded with the unencrypted user data, and the unencrypted user data are decoded after transmission using the code area. At least one of the telegrams (T1, T2) is transmitted encrypted and coded in such a way that the unencrypted user data is encrypted before the user data area is filled and the user data area is filled with the encrypted user data, which are also coded using the code area. In addition, the telegram (T1, T2) is transmitted in encoded form with the encrypted user data. After the telegram (T1, T2) has been transmitted, the encrypted user data is decoded using the code area and the encrypted user data is then decrypted. The invention also includes a track-bound vehicle (FZ), a trackside device (SE1 . . . SE6), a computer program product and a provision device for the computer program product.

Description

• einen Nutzdatenbereich zum Befüllen mit Nutzdaten aufweisen,
• einen Codebereich für die Codierung der Nutzdaten aufweisen.

The invention relates to a method for computer-aided coded communication between a track-bound vehicle and a track-side device, in which several telegrams are transmitted between the track-side device and the track-bound vehicle, the telegrams respectively

• have a user data area for filling with user data,
• have a code area for coding the user data.

The invention also relates to a track-bound vehicle with a communication interface for a trackside device. Furthermore, the invention relates to a trackside device with a communication interface for a track-bound vehicle.

Finally, the invention relates to a computer program product and a provision device for this computer program product, the computer program product being equipped with program instructions for carrying out this method.

• Aufbau eines Telegramms am Beispiel einer Eurobalise
• Kodierte Datenbits (Länge abhängig von der Balise)
• 913 Bit (Nutzdaten: 830 Bit bei einer Gesamtlänge von 1023 Bit) oder
• 231 Bit (Nutzdaten: 210 Bit bei einer Gesamtlänge von 341 Bit)

Kontrollbits Cb 3 Bit Scramblingbits Sb 12 Bit Zusätzliche Shapingbits Esb 10 Bit Checksumme CheckBit 85 Bit Beacons, for example, in particular according to the ERTMS standard (Eurobalises), are known as trackside facilities. Each of these balises transmits a data set called a telegram. Depending on the balise, these telegrams have either 1023 bits or 341 bits. Of this, 830 or 210 bits can be used as a user data block for the signaling application - the user data block is divided into 10-bit symbols, which are each represented by 11 bits after the shaping and scrambling transformation (thus a block of 913 = 83*11 bit or 231 = 21*11 bit):

• Structure of a telegram using the example of a Eurobalise
• Coded data bits (length dependent on balise)
• 913 bits (user data: 830 bits with a total length of 1023 bits) or
• 231 bits (user data: 210 bits with a total length of 341 bits)

control bits cb 3 bits scrambling bits Sb 12 bits Additional shaping bits Esb 10 bits checksum CheckBit 85 bits

When crossing the balise, the telegrams are repeated cyclically. To protect against transmission errors, the user data is scrambled (scrambling code), a substitution of the user data with code words of different Hamming distances is selected, and checking is made possible by a checksum. Since the checksum is only calculated after the substitution code of the user data, the additional shaping bits are used to fill up the bits of the checksum in such a way that the entire telegram consists only of symbols of the selected channel coding, with each transmitted symbol comprising 11 bits.

The user data area consists of a header block (header), followed by several message fields (packets or packets), which are standardized in the ERTMS protocol, and at the end the Packet255 - End of information. If the user data area is more than 830 bits, further message fields can be transmitted via telegrams from the following beacons in the same beacon group - with up to eight beacons per beacon group, an ERTMS message can therefore include up to 8*830=6640 user data bits (each telegram containing one header and the end packet must contain 255).

Encryption of the data sent according to the ER TMS standard and also when telegrams are transmitted by other trackside devices is not provided for. Hereupon was in the past, in the interest of the fastest possible transmission, since rail vehicles run over the balises at comparatively high speeds and therefore only little time is available for transmitting the telegram. On the other hand, there is an interest in making communication between the trackside device and the track-bound vehicle as secure as possible.

The object of the invention is to specify a method for coded communication between track-bound vehicles and trackside devices, which on the one hand can be standardized and on the other hand meets a high security standard during transmission. In addition, the object of the invention is to specify a track-bound vehicle and a trackside device which are suitable for the use of the method mentioned. In addition, the object of the invention consists in specifying a computer program product and a provision device for this computer program product, with which the aforementioned method can be carried out.

• der Nutzdatenbereich mit den unverschlüsselten Nutzdaten befüllt wird, wobei diese unter Nutzung des Codebereiches codiert werden,
• das Telegramm mit den unverschlüsselten Nutzdaten codiert übertragen wird,
• die unverschlüsselten Nutzdaten nach der Übertragung unter Nutzung des Codebereiches decodiert werden,

und dass mindestens eines der Telegramme verschlüsselt und codiert derart übertragen wird, dass

• die unverschlüsselten Nutzdaten vor dem Befüllen des Nutzdatenbereiches verschlüsselt werden,
• der Nutzdatenbereich mit den verschlüsselten Nutzdaten befüllt wird, wobei diese zusätzlich unter Nutzung des Codebereiches codiert werden,
• das Telegramm mit den verschlüsselten Nutzdaten codiert übertragen wird,
• die verschlüsselten Nutzdaten nach der Übertragung des Telegramms unter Nutzung des Codebereiches decodiert werden,
• danach die verschlüsselten Nutzdaten entschlüsselt werden.

This object is achieved with the subject matter of the claim (method) specified at the outset, according to the invention, in that at least one of the telegrams is transmitted unencrypted in such a way that

• the user data area is filled with the unencrypted user data, which is encoded using the code area,
• the telegram is transmitted encoded with the unencrypted user data,
• the unencrypted user data is decoded after transmission using the code area,

and that at least one of the telegrams is transmitted encrypted and coded in such a way that

• the unencrypted user data is encrypted before filling the user data area,
• the user data area is filled with the encrypted user data, which is additionally encoded using the code area,
• the telegram is transmitted encoded with the encrypted user data,
• the encrypted user data is decoded after the transmission of the telegram using the code area,
• then the encrypted user data is decrypted.

According to the invention, user data can therefore be easily encrypted (for example before standardized coding), for example with a block cipher (and filled up padding bits in order to arrive at the required format) or a stream cipher. To do this, the sender and receiver (i.e. the wayside facility and the wayside vehicle) must have a common key.

The encoded transmission standard itself does not have to be touched for the purpose of transmitting the encrypted information. From a technical point of view, according to the invention only other data than in the known method, namely the encrypted data, are transmitted, which can certainly have the same content. This means that an encrypted telegram can have identical content to a comparable unencrypted telegram after decryption. The content of a telegram is contained in the user data (more on this below).

Due to the fact that the transmission of the telegram remains untouched from a technical point of view, the intervention in the transmission standard, the transmission of which is to be made more secure according to the invention, is limited to a minimum. This advantageously facilitates approval for an already existing standard, which in many cases is associated with a great deal of effort. Advantageously, no hardware-related changes are required either on the track-bound vehicle or on the track-side facility. The encryption can be done by modifying the operating software, which is associated with significantly lower investments. The mixed transmission according to the invention of encrypted and unencrypted telegrams is also advantageously possible for the improved transmission method to be introduced step by step. A step-by-step introduction means that a relevant route section, which is equipped with trackside devices that can already use the method according to the invention, can also be driven on by track-bound vehicles that cannot decrypt encrypted telegrams. This is because unencrypted telegrams can be transmitted to such vehicles by the trackside facilities.

The modification according to the invention can be carried out, for example, for the communication of Eurobalises with rail vehicles. However, the modification is not limited to this application. Wherever encoded transmission between trackside devices and track-bound vehicles is provided, this can also be supplemented by encryption of the information to be transmitted before it is encoded in order to increase the security standard. In particular, this modification can be advantageous not only in rail-bound vehicles, but also, for example, in vehicles (automobiles) that are tied to a specific route, for example a road, due to autonomous operation.

The decoding step itself may not conform to the standard, since it has to be checked whether all telegrams received are identical. The standard would have to be changed here if necessary. However, at least the transmission itself can take place using the advantage according to the invention without changing the standard. The standard could thus be expanded, which ensures downward compatibility of an unencrypted transmission. Alternatively, decryption could take place independently of the standard after decoding.

In principle, the direction in which the transmission is to take place is irrelevant for the method. The transmission takes place from a transmitter to a receiver. When the telegram is transmitted between the track-bound vehicle and the track-side device, both the track-bound vehicle can be the receiver and the track-side device can be the transmitter, and the track-bound vehicle can be the transmitter and the track-side device can be the receiver. It's both It is possible for transmission to occur in only one direction (and optionally at a different time in the other direction), as well as for transmission to occur in both directions at the same time.

Coding within the meaning of the invention is understood to be a modification of the user data of the user data area using the code area, which contains the necessary information for the coding. Such a coding can be defined, for example, in a standard for the transmission of the telegram and is therefore known per se. For this reason, such a coding cannot be used to restrict access to the telegram by unauthorized persons, since the coding can be traced.

In contrast, encryption within the meaning of the invention is to be understood as a modification of the user data using keys, with the encryption ensuring protection against unauthorized access to the telegrams. The key must be available to both the sender and the recipient in order to ensure that the telegram is encrypted and then decrypted. Encryption methods known per se can be used here.

In connection with the invention, “computer-aided” or “computer-implemented” can be understood to mean an implementation of the method in which at least one computer or processor executes at least one method step of the method.

The term "calculator" or "computer" covers any electronic device with data processing properties. Computers can be, for example, personal computers, servers, handheld computers, mobile phones and other communication devices that process computer-aided data, processors and other electronic devices for data processing, which can preferably also be combined to form a network.

In connection with the invention, a “processor” can be understood to mean, for example, a converter, a sensor for generating measurement signals, or an electronic circuit. A processor can, in particular, be a Main processor (Central Processing Unit, CPU), a microprocessor, a microcontroller, or a digital signal processor, possibly in combination with a memory unit for storing program instructions, etc. A processor can also be understood to mean a virtualized processor or a soft CPU.

In the context of the invention, a “memory unit” can be understood to mean, for example, a computer-readable memory in the form of a random-access memory (RAM) or data memory (hard disk or data carrier).

The "interfaces" can be realized in terms of hardware, for example wired or as a radio connection, and/or software, for example as an interaction between individual program modules or program parts of one or more computer programs.

"Cloud" is to be understood as an environment for "cloud computing" (German computer cloud or data cloud). What is meant is an IT infrastructure that is made available via interfaces of a network such as the Internet. It usually includes storage space, computing power or software as a service, without these having to be installed on the local computer using the cloud. The services offered as part of cloud computing cover the entire spectrum of information technology and include infrastructure, platforms and software, among other things.

"Program modules" are to be understood as meaning individual functional units which enable a program sequence of method steps according to the invention. These functional units can be implemented in a single computer program or in several computer programs that communicate with one another. The interfaces implemented here can be implemented in terms of software within a single processor or in terms of hardware if multiple processors are used.

According to one embodiment of the invention, it is provided that at least one of the telegrams transmitted with unencrypted user data is also transmitted as a telegram with encrypted user data of the same content.

It should be noted here that the unencrypted user data is of course different from the encrypted user data. However, this does not change the fact that the unencrypted user data can have the same content as the encrypted user data. Content within the meaning of the invention is therefore to be understood as the information content of the user data, which becomes accessible after decryption of the encrypted user data and then has the same content as the user data of the corresponding telegram transmitted unencrypted.

By transmitting a telegram with the same content in both encrypted and unencrypted form, it is possible for the content of the telegram to be evaluated both by track-bound vehicles that can decode the encrypted telegram (hereinafter referred to as equipped vehicle) and by track-bound vehicles that do not (yet) have the key (hereinafter referred to as non-equipped vehicle). Although the latter cannot use the encrypted transmitted telegram to check whether the unencrypted transmitted telegram has been manipulated, the operation of the vehicle can be ensured using the unencrypted telegram.

By sending telegrams with the same content both encrypted and unencrypted, it is possible for equipped vehicles to compare the contents of the telegrams with the same content after decryption and decoding or after decoding and, if necessary, to derive further steps from the comparison result. For example, manipulations or errors in the unencrypted transmitted telegrams can be detected. It is also possible (although less likely) that the content of the encrypted telegram contains an error.

If manipulation or an error is detected, a security measure can be derived from this detection.

This can advantageously also relate to non-equipped vehicles which, for example, communicated with the affected trackside device in a specific time interval before the manipulation was detected. The decoding of the coded telegrams thus advantageously makes train operation safer overall, including the operation of unequipped vehicles, even if telegrams with changed content relating to the unequipped trains can only be detected with a time delay. The safety measures can relate to individual track-bound vehicles, trackside facilities or specific track sections or the entire operation, depending on the severity of the error or errors detected (in the form of deviations in the content of telegrams).

• zuerst die unverschlüsselten Nutzdaten nach der Übertragung unter Nutzung des Codebereiches decodiert werden,
• danach die verschlüsselten Nutzdaten nach der Übertragung des Telegramms unter Nutzung des Codebereiches decodiert werden,
• danach die verschlüsselten Nutzdaten entschlüsselt werden.

According to one embodiment of the invention, it is provided that

• first the unencrypted user data is decoded after transmission using the code area,
• then the encrypted user data is decoded after the transmission of the telegram using the code area,
• then the encrypted user data is decrypted.

This refinement of the invention is aimed at improving the performance when decoding the user data. In this case, the unencrypted user data is decoded first (before the encrypted one with the same content), since in this case the step of decryption can be saved and in this way the content can be accessed earlier. This effect has a particularly strong effect when the telegrams are received by a vehicle or a trackside device that is not yet able to decrypt the encrypted user data. Otherwise, they would have to access the unencrypted user data in a further step, which would mean an additional loss of time.

• zuerst das mindestens eine mit unverschlüsselten Nutzdaten übertragenen Telegramm,
• danach das Telegramm mit den verschlüsselten Nutzdaten desselben Inhalts übertragen wird.

According to one embodiment of the invention, it is provided that

• first the at least one telegram transmitted with unencrypted user data,
• then the telegram with the encrypted user data same content is transmitted.

As a result, an additional gain in performance can advantageously be generated in the evaluation of the transmitted user data at the receiver. This gain in performance is achieved in that the decoding of the unencrypted user data in the transmitted message can already begin while the message with the encrypted user data of the same content is still being transmitted. This would not be possible in reverse order.

According to one embodiment of the invention, it is provided that telegrams with encrypted and unencrypted user data are transmitted in alternating order.

This solves the problem that in the case of existing routes and route-bound vehicles already in use (at least before an update), a communication standard is used which does not yet enable the user data to be decrypted. Because both encrypted and unencrypted user data are transmitted in coded, alternating sequence, it is possible for both equipped vehicles and non-equipped vehicles to extract the information required for operation from the user data of a number of different telegrams. The invention takes into account that only a limited period of time is available for the transmission of the data between the trackside device and the trackbound vehicle while the latter is driving past.

So that the probability that not all telegrams are transmitted when driving past is as low as possible, for example, a first telegram can be encrypted and unencrypted, then a second telegram can be encrypted and unencrypted, then a third telegram can be encrypted and unencrypted, etc. If all telegrams to be transmitted are encrypted and were transmitted unencrypted, you can start again with the first telegram, etc. If, for example, the track-bound vehicle passes the track-side Setup while the third telegram is being transmitted, the first and second telegrams can be received in the second transmission cycle.

The changing order does not necessarily mean that unencrypted telegrams (U) and encrypted telegrams (V) must be sent alternately, i.e.:
U, V, U, V...

• U, V, V, U, V, V ...
• U, U, V, U, U, V ...
• U, U, U, V, U, U, U, V ...

Depending on whether you want to give higher priority to safety or availability, you can also send other combinations, ie either send more N (higher availability) or more V telegrams (higher safety), e.g. e.g.:

• U, V, V, U, V, V ...
• U, U, V, U, U, V ...
• U, U, U, V, U, U, U, V ...

In the last-mentioned examples, sequences are repeated in the alternating order (namely U, V and U, V, V and U, U, U, V - other sequences are conceivable). However, the sequence to be repeated can also be changed during the transmission as required. Another possibility is to determine the alternating order without a repetition rule.

As a rule, for example, when crossing a balise, several telegrams are transmitted anyway. In order to achieve compatibility here, unencrypted telegrams (U) and encrypted telegrams (V) are sent in alternating order, ie mixed and consecutively, in the transmission stream of the balise, e.g. B. alternately. Particularly in the case of Eurobalises, in which long telegrams and short telegrams can be transmitted, three-part sequences of short telegrams can be selected, which correspond to the transmission of a long telegram. The effect described above, that even with short transmission times (for example at high speeds of the route-bound vehicle), as much data as possible is transmitted can therefore be implemented particularly effectively with Eurobalises.

• die Nutzdatenbereiche der unverschlüsselt übertragenen Telegramme der Sequenz mit unterschiedlichen Inhalten befüllt sind,
• mindestens eines der mit unverschlüsselten Nutzdaten übertragenen Telegramme der Sequenz auch als Telegramm mit verschlüsselten Nutzdaten desselben Inhalts übertragen wird.

According to one embodiment of the invention, it is provided that in a sequence of telegrams, more telegrams with unencrypted user data than telegrams with encrypted user data are transmitted in proportion

• the user data areas of the unencrypted transmitted telegrams of the sequence are filled with different contents,
• at least one of the telegrams of the sequence transmitted with unencrypted user data is also transmitted as a telegram with encrypted user data of the same content.

This embodiment of the invention has the advantage that a larger amount of data can be transmitted with a limited available transmission time, for example when the track-bound vehicle drives over a balise as a track-side device. Because the transmission of unencrypted data can be faster than the transmission of unencrypted data. This is primarily due to the fact that the data still has to be encrypted before it is sent, but also because encryption increases the amount of data and thus the transmission time required.

With the ratio of telegrams that are exclusively transmitted unencrypted on the one hand and telegrams transmitted encrypted and unencrypted on the other hand, a technical compromise must be found that takes into account the amount of data to be transmitted in relation to the available transmission time (data rate) and also creates a sufficient possibility of To be able to detect data manipulation or errors by comparing an encrypted telegram with an unencrypted telegram with the same content. The more telegrams are also sent in encrypted form, the more secure the transmission process becomes. The more telegrams that are only sent unencrypted, the higher the transmittable data rate.

According to one embodiment of the invention, it is provided that the payload data of a telegram sent in encrypted form after decryption is compared with the payload data of a telegram sent in unencrypted form with the same content before and/or after decoding.

As described above, the comparison serves to reveal errors or manipulations of the user data in the telegrams. In this way, the transmission method can be made sufficiently secure, even if some of the telegrams are sent unencrypted. Deviations in content in unencrypted telegrams will be noticed promptly, so that countermeasures can be taken and the security of the operation is only slightly impaired.

According to one embodiment of the invention, an error signal is generated and/or output if the comparison shows that the user data of the encrypted telegram sent differs from the user data of the unencrypted telegram with the same content.

The error signal is used to initiate further steps. These steps can consist of an interpretation or evaluation of the deviations of the telegram in question from the expected content. These steps can also already contain security-relevant reactions, as has already been described in more detail above. The error signal is thus the basis for information technology processing that must follow the registration of an error or manipulation.

According to one embodiment of the invention, it is provided that several telegrams with user data areas of different sizes are transmitted.

In this way, it is advantageously possible for the size of the user data areas to be able to be selected in accordance with the amount of information to be transmitted. In the case of encryption, this is of particular advantage, since the Encryption of smaller amounts of data entails less time and computing effort and therefore the transmission and decryption, and thus the use of the data, can take place in a shorter time interval. In particular, when data is to be transmitted to a route-bound vehicle via a balise, only a short time interval is available while the vehicle is crossing the balise.

• der Nutzdatenbereich mit den verschlüsselten Nutzdaten befüllt wird, wobei diese zusätzlich unter Nutzung des Codebereiches codiert werden,
• das Telegramm mit den verschlüsselten Nutzdaten codiert übertragen wird,
• die verschlüsselten Nutzdaten nach der Übertragung des Telegramms unter Nutzung des Codebereiches decodiert werden,
  oder
• der Nutzdatenbereich mit den unverschlüsselten Nutzdaten befüllt wird, wobei diese unter Nutzung des Codebereiches codiert werden,
• das Telegramm mit den unverschlüsselten Nutzdaten codiert übertragen wird,
• die unverschlüsselten Nutzdaten nach der Übertragung unter Nutzung des Codebereiches decodiert werden,

nach für dem ETCS (European Train Control System) geltenden ERTMS-Standard (European Rail Traffic Management System) oder dem CBTC-Standard (Communication-Based Train Control) oder dem PTC-Standard (Positive Train Control) durchgeführt werden.According to one embodiment of the invention it is provided that the steps that

• the user data area is filled with the encrypted user data, which is additionally encoded using the code area,
• the telegram is transmitted encoded with the encrypted user data,
• the encrypted user data is decoded after the transmission of the telegram using the code area,
  or
• the user data area is filled with the unencrypted user data, which is encoded using the code area,
• the telegram is transmitted encoded with the unencrypted user data,
• the unencrypted user data is decoded after transmission using the code area,

carried out according to the ERTMS standard (European Rail Traffic Management System) applicable to the ETCS (European Train Control System) or the CBTC standard (Communication-Based Train Control) or the PTC standard (Positive Train Control).

All of these standards provide for transmission between wayside equipment and wayside vehicles in coded form. In the manner indicated above, these standards therefore benefit from additional encryption of part of the transmitted data, as a result of which operational security can be increased.

According to one embodiment of the invention it is provided that the Transmission takes place between a balise as a wayside device and the wayside vehicle.

The advantages of using the method according to the invention for beacons have already been explained above.

According to one embodiment of the invention, it is provided that a check is made as to whether the balise belongs to a balise group, with the data received then being classified as trustworthy.

Within the scope of the invention, unlinked balises are to be understood as balises which are not connected to other balises during transmission: these therefore offer a greater potential for unauthorized attacks. For example, hackers could delete a danger point or increase the speed limit for a train.

In contrast to non-linked beacons, linked beacons are functionally related to other beacons in a beacon group. However, this also means that an unauthorized attack can also be uncovered without the encrypted transmission of telegrams with the same content if the information sent by the balises does not fit into the context of the balise association, i. H. does not fit into the context that would be expected when crossing the balises concerned. Because the functionality of the beacon group is known, it is possible to draw conclusions as part of a plausibility check as to what information can be expected from a specific beacon in the beacon group and when this information is transmitted (depending on the position of the beacon within the beacon group ).

This makes it possible to equip preferably unlinked balises with encryption in the sense of the invention. This is because these are often retrofitted balises anyway, which are not integrated into a balise association. At the same time, the upgrade creates the possibility of equipping them from the start with an inventive encryption option for the transmitted telegrams. The encrypted one Transmission then creates a protection from which an unlinked balise particularly benefits. Outside of the balise group, this would form a weak point for unauthorized attacks due to the above-mentioned relationships.

The stated object is alternatively achieved according to the invention with the initially specified subject of the claim (vehicle) in that this is set up to participate in a method for encoded communication according to one of the preceding claims.

The stated object is also achieved according to the invention as an alternative with the subject matter of the claim (device) specified at the outset in that it is set up to participate in a method for encoded communication according to one of claims 1-12.

The devices (ie vehicle and device) can achieve the advantages that have already been explained in connection with the method described in more detail above. What has been said about the method according to the invention also applies correspondingly to the devices according to the invention.
Furthermore, a computer program product with program instructions for carrying out the method according to the invention and/or its exemplary embodiments is claimed, with the method according to the invention and/or its exemplary embodiments being able to be carried out in each case by means of the computer program product.

In addition, a provision device for storing and/or providing the computer program product is claimed. The provision device is, for example, a storage unit that stores and/or provides the computer program product. Alternatively and/or additionally, the provision device is, for example, a network service, a computer system, a server system, in particular a distributed, for example cloud-based computer system and/or virtual computer system, which the computer program product preferably in the form of a data stream stores and/or makes available.

The provision takes place in the form of a program data block as a file, in particular as a download file, or as a data stream, in particular as a download data stream, of the computer program product. However, this provision can also be made, for example, as a partial download consisting of several parts. Such a computer program product is read into a system, for example using the provision device, so that the method according to the invention is executed on a computer.

Further details of the invention are described below with reference to the drawing. Identical or corresponding drawing elements are each provided with the same reference symbols and are only explained several times insofar as there are differences between the individual figures.

The exemplary embodiments explained below are preferred embodiments of the invention. In the exemplary embodiments, the described components of the embodiments each represent individual features of the invention to be considered independently of one another, which also develop the invention independently of one another and are therefore also to be regarded as part of the invention individually or in a combination other than the one shown. Furthermore, the components described can also be combined with the features of the invention described above.

• Figur 1 ein Ausführungsbeispiel der erfindungsbemäßen Vorrichtungen (streckenseitige Einrichtung, streckengebundenes Fahrzeug) mit ihren Wirkzusammenhängen schematisch,
• Figur 2 ein Ausführungsbeispiel einer Computer-Infrastruktur der Vorrichtungen (streckenseitige Einrichtung, streckengebundenes Fahrzeug) gemäß Figur 1 als Blockschaltbild, wobei die einzelnen Funktionseinheiten Programmmodule enthalten, die jeweils in einem oder mehreren Prozessoren ablaufen können und die Schnittstellen demgemäß softwaretechnisch oder hardwaretechnisch ausgeführt sein können,
• Figur 3 und 4 Ausführungsbeispiele der Übertragung von verschlüsselten sowie unverschlüsselten Kurztelegrammen und Langtelegrammen, abhängig von einem Zeitverlauf t,
• Figur 5 ein Ausführungsbeispiel des erfindungsgemäßen Verfahrens als Flussdiagramm, wobei die einzelnen Verfahrensschritte einzeln oder in Gruppen durch Programmmodule verwirklicht sein können und wobei die Funktionseinheiten und Schnittstellen gemäß Figur 2 beispielhaft angedeutet sind.

Show it:

• figure 1 an exemplary embodiment of the devices according to the invention (track-side device, track-bound vehicle) with their functional relationships schematically,
• figure 2 an exemplary embodiment of a computer infrastructure of the devices (wayside device, wayside vehicle) according to FIG figure 1 as a block diagram, the individual functional units containing program modules, each in a or several processors can run and the interfaces can accordingly be implemented in terms of software or hardware,
• Figure 3 and 4 Exemplary embodiments of the transmission of encrypted and unencrypted short telegrams and long telegrams, depending on a time t,
• figure 5 an embodiment of the method according to the invention as a flow chart, wherein the individual method steps can be implemented individually or in groups by program modules and wherein the functional units and interfaces according to figure 2 are indicated as examples.

In figure 1 a track GL is shown as the route, on which a route-bound vehicle FZ is traveling in a travel direction FR. In addition, the route is in the form of track GL with trackside facilities SE1 ... SE6 equipped in the embodiment according to figure 1 are designed as Eurobalises.

The trackside facilities SE1 and SE3 ... SE6 form an association VB of trackside facilities. These trackside facilities can, for example, have already been provided when the track was initially equipped, with these being functionally related and therefore referred to below as linked beacons. The trackside device SE2 could have been retrofitted at a later point in time, for example, in order to get a further reference point on the route for locating the route-bound vehicle FZ. However, this trackside facility SE2 does not belong to formation VB and should therefore be referred to as an unlinked balise.

The trackside facilities of the association VB are less vulnerable to hackers or error-prone compared to the non-linked balise, represented by the trackside facility SE2. This can be justified by the fact that the functional connection means that the trackside Devices SE1 and SE3 ... SE6 certain data are expected that fit into the context of driving events of the route-bound vehicle FZ. A deviation from this is therefore noticed more quickly than in the case of the non-linked balise, represented by the wayside device SE2. The trackside device SE2 therefore benefits the most from the method according to the invention of a mixed encrypted and unencrypted transmission of telegrams. This can be designed for the method according to the invention from the start, for example as part of a retrofit.

In figure 2 the route-bound vehicle FZ and the route-side device SE2 are shown schematically. Data is transmitted via a first interface S1, which is designed as a radio interface. Therefore, the trackside device SE2 has a first antenna A1 and the track-bound vehicle FZ has a second antenna A2.

The first antenna A1 is connected to a first computer C1 via a fourth interface S4. In addition, the first computer C1 can retrieve a key KEY from a first memory device SP1 via a fifth interface S5. The key KEY thus enables the inventive decryption or encryption of a telegram to be transmitted via the first interface S1 (in the function as a balise, the trackside device SE2 will preferably send the telegram via the first interface S1 to the track-bound vehicle FZ).

The second antenna A2 is connected to a second computer C2 via a second interface S2. The second computer C2 can access a second memory device SP2 via a third interface S3, in which, among other things, a key KEY is stored. Thus, the route-bound vehicle FZ and the route-side device SE2 each have a key KEY for decrypting or encrypting the telegram to be transmitted via the first interface S1.

figure 3 Using the example of telegrams to be transmitted by Eurobalises, FIG. 1 shows the advantage if several short telegrams KT are transmitted instead of one long telegram LT. This results in three short telegrams KT, as in figure 3 indicated, a long telegram LT - at least in terms of the amount of data to be transmitted.

The transmission of telegrams is in figure 3 represented as a band, this corresponding to a time course corresponding to a time axis t. During the passage of the vehicle FZ over the trackside facility (e.g. SE2 as in figure 2 shown) there is only a specific time window in which the two antennas A1, A2 are sufficiently close together for transmission to take place. This time window is called the transmission window REC and is in figure 3 registered.

In the example according to figure 3 the track-bound vehicle FZ crosses the track-side device SE2 at a speed at which theoretically four short telegrams KT can be transmitted. However shows figure 3 also that the transmission window REC opens while a short telegram KT is being transmitted, so that it is cut off and cannot be evaluated by the route-bound vehicle FZ. The same applies to the fifth and last short telegram KT, which (at least partially) in accordance with the transmission window REC figure 3 lies. In between are three completely transmitted short telegrams KT, which, in terms of their information content, can contain the information of a long telegram LT. If the transmitted data of three short telegrams KT are sent repeatedly by the trackside device SE2, the complete information content of the trackside device SE2 can be transmitted in the transmission window REC.

This example is only used as an example to illustrate a transmission standard and can also be implemented in any other way. However, this example is intended to be in the following figure 4 be used to create a sequence of encrypted and to discuss unencrypted telegrams in relation to the length of the transmission window REC.

The telegrams T1, T2 are with a view to figure 3 preferably short telegrams according to the ETCS standard. However, any other telegrams can also be transmitted, for example long telegrams LT if the route-bound vehicle FZ drives more slowly, for example, or also telegrams of a different transmission standard.

In figure 4 two variants V1 and V2 are shown for the targeted encrypted and unencrypted transmission of a first telegram T1 and a second telegram T2. In variant V1, the first telegram is first sent unencrypted (T1U) and then the first telegram is sent encrypted (T1V). The second telegram is then sent unencrypted (T2U) and then the second telegram encrypted (T2V). The sequence described is then repeated, as shown in figure 4 is specified.

Will now, as in figure 3 , assuming that only three telegrams can be completely transmitted in the transmission window REC, it becomes clear that the first telegram is encrypted and unencrypted, and the second telegram is transmitted only encrypted. If the trackside device is passed by an unequipped track-bound vehicle, it cannot process the content of the second telegram T2, since there is no way of decrypting the second encrypted telegram T2V.

For such cases, the transmission sequence of sequences according to variant V2 is better suited. Here the first telegram is always first transmitted unencrypted (T1U) and then encrypted (T1V) and then the second telegram only unencrypted (T2U) and this sequence is then repeated.

It turns out that the transmission window REC is now sufficient to always encrypt the first telegram as well as unencrypted and the second telegram unencrypted (although the order can be different). An unequipped route-bound vehicle FZ can therefore decode and thus process all the data even without the possibility of decrypting the first telegram T1.

However, the possibility of mixed operation of equipped and non-equipped track-bound vehicles FZ is paid for by the fact that the second telegram is never sent in encrypted form and an error investigation or investigation of manipulation attempts can only be carried out according to the invention using the first telegram T1.

It is thus evident that the choice of the sequence of telegrams (encrypted, unencrypted) in the sequence depends on the application in question and a compromise must always be found in order to achieve the highest possible level of security while taking into account the technical conditions (equipped vehicles, non-equipped vehicles). vehicles, length of the transmission window REC, speed of the vehicles when crossing the trackside facility).

In figure 5 the procedure for the transmission of telegrams is shown as a flowchart. The method begins with a starting step START and takes place initially in the transmitter S. There, after an initialization step INI, a query is made as to whether a high security level SEC should be selected for the telegram to be transmitted. If this is the case, the key KEY is loaded from the memory device SP and the telegram is encrypted with it in an encryption step CRYP. The telegram is then coded in a coding step CODE and sent to the receiver R via the interface S1.

A decoding step DECO takes place in the receiver R and then a decoding DECR using the key KEY, which is loaded from the memory device SP. The telegram is then available there for further processing.

The memory devices SP in the transmitter S and in the receiver R are different memory devices. If the transmitter is the trackside equipment SE2 according to figure 2 , the memory device SP could be formed, for example, by the memory device SP1 and the memory device in the receiver by the memory device SP2.

If the query for the security level SEC is answered negatively, then during transmission, as in figure 5 shown, the encryption step CRYP and the decryption step DECR away. Only the CODE coding step, the TRN transmission step and the DECO decoding step take place.

In the transmitter S, a query RECEND is repeatedly carried out as to whether the transmission has ended. If this is the case, the transmission is aborted in a stop step STOP. If this is not the case, the security level SEC is queried again for the next telegram.

Reference List

car

track vehicle

SE1 ... SE6

trackside facility

GL

Track

FR

driving direction

vb

Association

A1...A2

antenna

SP1 ... SP2

storage facility

C1...C2

computer

S1...S5

interface

LT

long telegram

KT

short telegram

T1...T2

telegram

T1U ... T2U

unencrypted telegram

T1V ... T2V

encrypted telegram

t

time

REC

transmission window

V1...V2

variant

S

Channel

R

recipient

BEGIN

start step

INI

initialization step

SEC

Security level query

KEY

key

CRYP

encryption step

CODE

coding step

TRN

transfer step

DECO

decoding step

DEC

decryption step

RECEND

Inquiry about the end of the transmission

STOP

stop step

Claims (16)

Method for coded communication between a track-bound vehicle (FZ) and a track-side device (SE1 ... SE6), in which several telegrams (T1, T2) between the track-side device (SE1 ... SE6) and the track-bound vehicle (FZ) are transmitted, the telegrams (T1, T2) respectively • have a user data area for filling with user data, • have a code area for coding the user data, characterized in that that at least one of the telegrams (T1, T2) is transmitted unencrypted in such a way that • the user data area is filled with the unencrypted user data, which is encoded using the code area, • the telegram (T1, T2) is transmitted in encoded form with the unencrypted user data, • the unencrypted user data is decoded after transmission using the code area, and that at least one of the telegrams (T1, T2) is transmitted encrypted and coded in such a way that • the unencrypted user data is encrypted before filling the user data area, • the user data area is filled with the encrypted user data, which is additionally encoded using the code area, • the telegram (T1, T2) is transmitted encoded with the encrypted user data, • the encrypted user data are decoded after the transmission of the telegram (T1, T2) using the code area, • then the encrypted user data is decrypted. Method according to claim 1
characterized,
that at least one of the telegrams (T1, T2) transmitted with unencrypted user data is also transmitted as a telegram with encrypted user data of the same content. Method according to claim 2,
characterized,
that • first the unencrypted user data are decoded after transmission using the code area. • the encrypted user data is then decoded after the transmission of the telegram (T1, T2) using the code area, • then the encrypted user data is decrypted. Method according to claim 3,
characterized,
that • first the at least one telegram (T1, T2) transmitted with unencrypted user data, • then the telegram (T1, T2) is transmitted with the encrypted user data of the same content. Method according to one of the preceding claims,
characterized,
that telegrams (T1, T2) with encrypted and unencrypted user data are transmitted in alternating order. Method according to claim 5,
characterized,
that in a sequence of telegrams (T1, T2) proportionately more telegrams (T1, T2) with unencrypted user data than telegrams (T1, T2) with encrypted user data are transmitted, wherein • the user data areas of the unencrypted transmitted telegrams (T1, T2) of the sequence are filled with different contents, • at least one of the telegrams (T1, T2) of the sequence transmitted with unencrypted user data is also transmitted as a telegram (T1, T2) with encrypted user data of the same content. Method according to claim 1,
characterized,
that the user data of a telegram (T1, T2) sent in encrypted form after decryption (DECR) is compared with the user data of a telegram (T1, T2) sent in unencrypted form with the same content before and/or after decoding (DECO). Method according to claim 7,
characterized,
that in the event that the comparison shows that the payload data of the encrypted sent telegram (T1, T2) differs from the payload data of the unencrypted sent telegram (T1, T2) of the same content, an error signal is generated and/or output. Method according to one of the preceding claims,
characterized,
that several telegrams (T1, T2) with user data areas of different sizes are transmitted. Method according to one of the preceding claims,
characterized,
that steps that • the user data area is filled with the encrypted user data, which is additionally encoded using the code area, • the telegram (T1, T2) is transmitted encoded with the encrypted user data, • the encrypted user data are decoded after the transmission of the telegram (T1, T2) using the code area,
or • the user data area is filled with the unencrypted user data, which is encoded using the code area, • the telegram (T1, T2) is transmitted in encoded form with the unencrypted user data, • the unencrypted user data is decoded after transmission using the code area, be carried out according to the ETCS standard or the ERTMS standard or the CBTC standard or the PTC standard. Method according to one of the preceding claims,
characterized,
that the transmission takes place between a balise as trackside device (SE1 ... SE6) and the trackbound vehicle (FZ). Method according to claim 11,
characterized,
that it is checked whether the balise belongs to a balise association (VB), whereby the received data is then classified as trustworthy. Track-bound vehicle (FZ) with a communication interface (S1) for a trackside device (SE1 ... SE6),
characterized,
that this is set up to participate in a method for encoded communication according to one of the preceding claims. Trackside device (SE1 ... SE6) with a communication interface (S1) for a track-bound vehicle (FZ),
characterized,
that this is set up to participate in a method for encoded communication according to any one of claims 1 - 12. Computer program product with program instructions for carrying out the method according to one of Claims 1 - 12. Provision device for the computer program product according to the last preceding claim, wherein the provision device stores and/or provides the computer program product.

Images