GB2556893A - Input of data into an on-board computer of a train - Google Patents


Publication number: GB2556893A
Authority: GB (United Kingdom)
Prior art keywords: data, train, computer, token, physical token
Legal status: Withdrawn
Application number: GB1619807.9A
Other versions: GB201619807D0 (en)
Inventor: Peter Parker
Current assignee: Siemens Mobility Ltd
Original assignee: Siemens Rail Automation Holdings Ltd

Events:
Application filed by Siemens Rail Automation Holdings Ltd
Priority to GB1619807.9A (GB2556893A)
Publication of GB201619807D0
Priority to EP17798134.7A (EP3544877A1)
Priority to PCT/EP2017/077667 (WO2018095696A1)
Publication of GB2556893A
Legal status: Withdrawn


Classifications

CPC classes: B61L (guiding railway traffic; ensuring the safety of railway traffic), B60R (vehicle fittings), G06F (electric digital data processing):

    • B61L15/00 Indicators provided on the vehicle or vehicle train for signalling purposes; on-board control or communication systems
    • B61L15/0018 Communication with or on the vehicle or vehicle train
    • B61L15/0027 Radio-based, e.g. using GSM-R
    • B61L15/0072 On-board train data handling
    • B61L27/00 Central railway traffic control systems; trackside control; communication systems specially adapted therefor
    • B61L27/40 Handling position reports or trackside vehicle data
    • B61L27/70 Details of trackside communication
    • B60R25/00 Fittings or systems for preventing or indicating unauthorised use or theft of vehicles
    • B60R25/20 Means to switch the anti-theft system on or off
    • B60R25/2018 Central base unlocks or authorises unlocking
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/32 User authentication using biometric data, e.g. fingerprints, iris scans or voiceprints
    • G06F21/34 User authentication involving the use of external additional devices, e.g. dongles or smart cards
    • G06F21/35 User authentication involving the use of external additional devices, e.g. dongles or smart cards, communicating wirelessly

Abstract

A physical token stores cryptographic data and is configured to perform a cryptographic operation to authenticate a train driver to whom the token is assigned. Either a server or a client computer transmits data to an on-board computer, in response to acceptance of the data by the driver that includes authentication of the train driver using the token, to allow the train to move along a track. This data is also displayed on a client computer. The cryptographic operation may involve a Public Key Infrastructure (PKI) based protocol, and authentication of the train driver may involve a second factor such as a personal identification number (PIN) or biometric data. The token may store reference biometric data, a qualification or certification of the driver, and data received from the on-board computer at the end of the train's journey. The latter may be passed on to another client terminal using the token.

Description

(71) Applicant(s): Siemens Rail Automation Holdings Limited, Faraday House, Sir William Siemens Square, Frimley, Camberley, GU16 8QD, United Kingdom
(72) Inventor(s): Peter Parker
(74) Agent and/or Address for Service: Siemens AG, PO Box 22 16 34, 80506 München, Germany
(56) Documents Cited: GB 2478922 A; EP 2371661 A2; US 20160292459 A1; US 20030217269 A1; EP 2924605 A1; JP 2004086547 A; US 20120313796 A1; US 20020135466 A1
(58) Field of Search: INT CL B60R, B61L, G06F, G07C; Other: WPI, EPODOC, Patent Fulltext
(54) Title of the Invention: Input of data into an on-board computer of a train
Abstract Title: Authentication of a train driver using a physical token
(57) Abstract: as reproduced in the Abstract section above.
[Drawing sheets 1/4 to 4/4 (Figures 1 to 6). Labels legible in the extraction: FIG 1; FIG 4 with reference numeral 304; FIG 6 with reference numeral 630. Images not reproduced.]
Application No. GB1619807.9    RTM    Date: 18 May 2017
Intellectual Property Office
The following terms are registered trade marks and should be read as such wherever they occur in this document: ECTS, ERTMS, ISO, Eurobalise, Euroloop
Intellectual Property Office is an operating name of the Patent Office www.gov.uk/ipo
INPUT OF DATA INTO AN ON-BOARD COMPUTER OF A TRAIN
Technical Field of the Invention
The present disclosure relates generally to train control systems and, in particular, to the input of data into an on-board computer of such train control systems.
Background of the Invention
Train control systems typically include train-borne equipment (also often referred to as on-board equipment) that supervises train drivers. For example, in the European Train Control System (ETCS), which is one component of the European Rail Traffic Management System (ERTMS), the other component being a radio system called Global System for Mobile Communications - Railway (GSM-R), the on-board equipment comprises an ETCS Onboard Unit (OBU) that processes the received data, displays it to the train driver and automatically halts the train before a danger point in the case of danger. Typically, the received data includes data that is entered manually by the train driver before the start of the journey as part of a so-called “Start of Mission” procedure, using a driver-machine interface (DMI) installed in the cab of the train. However, there is a chance that the manual inputting of data is done by someone who is not authorised (or qualified) to do so. There is also a risk of errors during the manual inputting of data. Furthermore, the manual inputting of data can result in delays in the train schedule.
Solution According to the Invention
According to one embodiment of the present disclosure, there is provided a system comprising: a server computer; a client computer; and a physical token, which is assigned to a train driver, wherein the server computer is configured to store data that is to be provided to an on-board computer of a train in order to allow the train to start its movement along a track, and to transmit the data to the client computer, the client computer is configured to display the data, the physical token is configured to store cryptographic data, and, when the physical token is presented by the train driver to a token interface at the client computer, to use the cryptographic data to perform a cryptographic operation to authenticate the train driver, and at least one of the server computer and the client computer is configured to transmit, via a wireless transmitter, the data to the on-board computer, in response to acceptance of the data by the train driver that includes the authentication of the train driver based on the cryptographic operation performed by the physical token.
By transmitting the data to the on-board computer, the system can reduce the amount of data entered manually and thus help to avoid mistakes associated with manual data entry. Furthermore, transmitting the data when accepted by an authorised train driver can ensure security of the data. This can be of particular benefit when the data includes train data defining characteristics of the train that are used to supervise the movement of the train. Moreover, transmitting the data to the on-board computer in advance can reduce the time to start the journey.
In one embodiment, the cryptographic operation is performed in accordance with a Public Key Infrastructure, PKI, based protocol that uses asymmetric cryptography. Of course, other user authentication protocols, such as Kerberos, which uses symmetric key cryptography, could be used instead.
In one embodiment, the acceptance of the data by the train driver includes multi-factor authentication (e.g., two-factor authentication) of the train driver. For example, the multi-factor authentication includes the authentication of the train driver based on the cryptographic operation performed by the physical token (i.e., authentication based on an ownership factor), and authentication of the train driver based on at least one of a knowledge factor and an inherence factor. A knowledge factor is something that the train driver knows, such as a personal identification number (PIN). For example, PIN authentication can be based on verification of a PIN entered by the train driver on an input device at the client terminal. An inherence factor is something that the train driver is or does, such as a biometric identifier. For example, biometric authentication of the train driver can be based on a comparison between a biometric identifier of the train driver obtained by a sensor at the client computer and a reference biometric identifier of the train driver. The reference biometric identifier of the train driver can be stored on the physical token. For example, the comparison can be performed by the physical token. The use of multi-factor authentication can improve security.
In one embodiment, the physical token can store at least one of a qualification and a certification of the train driver. This can enable the system to check that the train driver meets one or more criteria pertaining to the data, thereby ensuring that the train driver is suitably trained for the intended movement of the train along the track.
In one embodiment, the physical token is configured to receive, via the token interface, the data from the client computer. This can allow verification of whether the wirelessly transmitted data has been correctly received by the on-board computer. For example, when the physical token is presented by the train driver to an on-board token interface at the on-board computer, the on-board computer can compare the wirelessly transmitted data to the data stored on the physical token. Furthermore, it can provide a positive correlation of driver to train to ETCS mission. The transmission of the data to the physical token can be in response to the aforementioned acceptance of the data by the train driver, or it can be a separate process.
In one embodiment, the physical token is configured to receive, via an on-board token interface connected to or integrated with the on-board computer, data from the on-board computer when the train has completed its movement along the track. For example, the physical token can be configured to transmit, when the physical token is presented by the train driver to the token interface at the client computer or another token interface at another client terminal, the data received from the on-board computer. The data can be checked against data received by the system from the on-board computer independent of the physical token. The data transmitted to the system can serve as a positive recording of driver compliance issues such as, for example, Signal Passed at Danger (SPAD) under ERTMS/ETCS Level NTC (train equipped with ERTMS/ETCS operating on a line equipped with a national system). Either or both of the processes (receiving/transmitting the data by the physical token) can be performed upon acceptance by the train driver, in a similar manner as described above, which is to say by authentication of the train driver by cryptographic operation and, optionally, biometric authentication.
According to one embodiment of the present disclosure, there is provided a client computer, comprising: a processor; a network interface configured to enable the client computer to communicate over a network; and memory that stores instructions which, when executed by the processor, cause the client computer to: receive, from a server computer, data that is to be provided to an on-board computer of a train in order to allow the train to start its movement along a track, facilitate performance of a cryptographic operation, by a physical token that stores cryptographic data, to authenticate a train driver to whom the physical token is assigned, when the physical token is presented by the train driver to a token interface connected to or integrated with the client computer, and transmit the data to the on-board computer via a wireless transmitter, in response to acceptance of the data by the train driver that includes authentication of the train driver based on the cryptographic operation performed by the physical token.
According to one embodiment of the present disclosure, there is provided a physical token, comprising: a processor; an interface configured to allow the physical token to communicate with an external entity; and memory configured to store: cryptographic data, and instructions which, when executed by the processor, cause the physical token to use the cryptographic data to perform a cryptographic operation to authenticate a train driver to whom the physical token is assigned.
In one embodiment, the memory is configured to store data that is to be provided to an on-board computer of a train in order to allow the train to start its movement along a track.
In one embodiment, the memory is configured to store data received from the on-board computer when the train has completed its movement along the track.
In embodiments, the physical token is a smart card (also often referred to as a chip card or an integrated circuit card). The term “smart card” should not be considered limited to a particular form factor and can be, among other things, a card approximately the same size and shape as an ISO standard credit card, a key fob, a subscriber identification module (SIM), or a USB-based token.
According to one embodiment of the present disclosure, there is provided a method performed by a client computer, comprising: receiving, from a server computer, data that is to be provided to an on-board computer of a train in order to allow the train to start its movement along a track; displaying the data; facilitating performance, by a physical token that stores cryptographic data, of a cryptographic operation to authenticate a train driver to whom the physical token is assigned, when the physical token is presented by the train driver to a token interface connected to or integrated with the client computer, and transmitting the data to the on-board computer via a wireless transmitter, in response to acceptance of the data by the train driver that includes authentication of the train driver based on the cryptographic operation performed by the physical token.
According to one embodiment of the present disclosure, there is provided a method performed by a physical token that is assigned to a train driver, comprising: storing cryptographic data; and using the cryptographic data to perform a cryptographic operation to authenticate the train driver, when the physical token is presented by the train driver to a token interface at a computer.
According to one embodiment of the present disclosure, there is provided a computer program comprising computer-executable instructions to perform any one of the aforementioned methods.
According to one embodiment of the present disclosure, there is provided an on-board computer for a train, comprising: a processor; memory that stores instructions which, when executed by the processor, cause the on-board computer to: receive, from a wireless receiver, data that is provided to the on-board computer in order to allow the train to start its movement along a track, facilitate performance of a cryptographic operation, by a physical token that stores cryptographic data, to authenticate a train driver to whom the physical token is assigned, when the physical token is presented by the train driver to an on-board token interface connected to or integrated with the on-board computer, and allow the train to start its movement along the track, in response to acceptance of the data by the train driver that includes authentication of the train driver based on the cryptographic operation performed by the physical token.
According to one embodiment of the present disclosure, there is provided on-board equipment of a train, comprising: the aforementioned on-board computer; the wireless receiver; and the on-board token interface.
An apparatus or computer program according to one embodiment can comprise any combination of the method aspects. Methods or computer programs according to further embodiments can be described as computer-implemented in that they require processing and memory capability.
The apparatus according to embodiments is described as configured or arranged to, or simply “to” carry out certain functions. This configuration or arrangement could be by use of hardware or middleware or any other suitable system. In some embodiments, the configuration or arrangement is by software.
Thus according to one aspect there is provided a program which, when loaded onto at least one computer configures the computer to become the apparatus according to any of the preceding apparatus definitions or any combination thereof.
According to one embodiment, there is provided a program which, when loaded onto at least one computer, configures the at least one computer to carry out the method steps according to any of the preceding method definitions or any combination thereof.
In general the computer may comprise the elements listed as being configured or arranged to provide the functions defined. For example this computer may include memory, processing, and a network interface.
Embodiments can be implemented in digital electronic circuitry, or in computer hardware, firmware, software, or in combinations of them. Embodiments can be implemented as a computer program or computer program product, i.e., a computer program tangibly embodied in a non-transitory information carrier, e.g., in a machine-readable storage device, or in a propagated signal, for execution by, or to control the operation of, one or more hardware modules.
A computer program can be in the form of a stand-alone program, a computer program portion or more than one computer program and can be written in any form of programming language, including compiled or interpreted languages, and it can be deployed in any form, including as a stand-alone program or as a module, component, subroutine, or other unit suitable for use in a data processing environment. A computer program can be deployed to be executed on one module or on multiple modules at one site or distributed across multiple sites and interconnected by a communication network.
Method steps of embodiments can be performed by one or more programmable processors executing a computer program to perform functions of the invention by operating on input data and generating output. Apparatus can be implemented as programmed hardware or as special purpose logic circuitry, including e.g., an FPGA (field programmable gate array) or an ASIC (application-specific integrated circuit).
Processors suitable for the execution of a computer program include, by way of example, both general and special purpose microprocessors, and any one or more processors of any kind of digital computer. Generally, a processor will receive instructions and data from a read-only memory or a random access memory or both. The essential elements of a computer are a processor for executing instructions coupled to one or more memory devices for storing instructions and data.
The invention is described in terms of particular embodiments. Other embodiments are within the scope of the following claims. For example, the steps of the invention can be performed in a different order and still achieve desirable results.
The skilled person will appreciate that the recited features and their equivalents may refer to parts of the system that are spatially separate but combine to serve the function defined. Equally, the same physical parts of the system may provide two or more of the functions defined. For example, separately defined means may be implemented using the same memory and/or processor as appropriate.
Brief Description of the Drawings
The above-mentioned attributes, features, and advantages of the invention, and the manner of achieving them, will become clearer with the following description of embodiments of the invention in conjunction with the corresponding drawings, wherein:
Figure 1 is a schematic diagram depicting a system according to an example of the present disclosure;
Figure 2 is a sequence diagram showing some interactions between entities of the system of Figure 1 according to an example of the present disclosure;
Figure 3 is a schematic diagram depicting a physical token according to an example of the present disclosure;
Figure 4 is a schematic diagram depicting components of the physical token of Figure 3 according to an example of the present disclosure;
Figure 5 is a schematic diagram depicting components of a computer according to an example of the present disclosure; and
Figure 6 is a schematic diagram depicting components of the ETCS as well as interface components.
Detailed Description of the Preferred Embodiments
The following description of preferred embodiments of the invention is made in the context of the ERTMS. It should, however, be appreciated that embodiments can be applied in other contexts such as, for example, a Communication-Based Train Control (CBTC) system.
The ERTMS is a signalling and traffic management system. As noted earlier, it has two main components: the ETCS and GSM-R (Global System for Mobile Communications - Railway). As depicted in Figure 6, the ETCS includes trackside and on-board subsystems 602, 604. The track-side sub-system 602 typically comprises the following elements (only some of which are shown): Transparent Eurobalise 606a, a transmission device that sends telegrams to the on-board sub-system; Fixed Eurobalise 606b, a transmission device that sends telegrams to the on-board subsystem based on pre-defined telegrams that are transmitted to every train; Lineside Electronic Unit (LEU) 608, an electronic device that generates telegrams to be sent by Eurobalise 606, based on information received from external track-side systems; Euroloop and Radio infill (not shown), which provide signalling information in advance; and Radio Block Centre (RBC) 610, a computer-based system that elaborates messages to be sent to the train 630, based on information received from external track-side sub-systems and information exchanged with the on-board sub-systems using GSM-R. Interlocking 612 is not an ERTMS component, but it provides safety for train movements or routes and ensures that the route for a specific train is maintained and that incompatible routes are not simultaneously established.
The on-board sub-system 604 comprises on-board equipment responsible for supervising the movement of the train to which it belongs, on the basis of information exchanged with track-side sub-system 604 by means of Balise Transmission Unit (BTU) 614 and/or Radio Transmission Unit (RTM) 628, and possibly the on-board part 616 of the GSM-R radio system according to the ETCS level. In particular, European Vital Computer (EVC) 618 is responsible for safety critical functions and is the unit with which many other train functions interact, including for example odometer 620. The Driver Machine Interface (DMI) 622 is the interface between the driver and the on-board equipment, and is typically located on the driver’s desk. The DMI 612 can have a display screen that may be touch-sensitive and/or have buttons to permit the driver to input data, request permission to move and acknowledge certain events. Train Interface Unit (TIU) 624 provides the interface between the on-board equipment and other systems of the train 630 such as the brake interface 626. The Juridical Recorder Unit 626 provides ‘black box’ functions, storing the most important data and variables from train journeys to allow later analysis.
Typically, a train driver of an ETCS fitted train performs a Start of Mission procedure in order to allow the train to start its movement along the track, according to the planned operative modes and the ERTMS/ETCS level. In this procedure, the train driver enters and/or confirms the following sets of data: train data, and additional data. Train data refer to rolling stock characteristics and include: train running number, maximum train speed, ERTMS train category, train length, deceleration data, power supply, loading gauge, axle load, train fitted with airtight system, list of Specific Transmission Module (STM) available. Additional data refer to other parameters that may be needed to perform the mission and include: Driver ID, ERTMS/ETCS Level, RBC identification/telephone number, adhesion factor, and, if required by the journey, the STM to be activated including additional STM data.
Referring now to Figure 1, a system according to embodiments comprises a server computer 102 and one or more client computers 104, 106 (which may be the same or different types of computing devices) that are configured to communicate over network 108. The network 108 can be any type of wired or wireless network or combination thereof, such as the Internet, a local area network (LAN), a wide area network (WAN), or the like. A token interface 110 is connected to (or integrated with) at least one of the client computers 104. The token interface 110 allows physical token 112 to interact with external entities, for example in order to perform a cryptographic operation when the physical token 112 is presented to the token interface 110 by a user (in this example, a train driver) to whom the physical token 112 is assigned. For example, where the physical token 112 is a smart card, the token interface 110 can be a smart card reader configured to establish contact with the card, supply it with the necessary electrical energy and act as a clock for the card processor. The physical token 112 can also be involved in biometric authentication of the train driver.
Also connected to the network 108 is a wireless transmitter 114 that is configured to use a wireless communication protocol to wirelessly transmit signals to a wireless communication receiver 118 on board a train 122. The wireless transmission can take place through any suitable radio interface including, for example, 2G, 3G, LTE, 802.11, etc. The train 122 can be an individual vehicle or a formation of vehicles formed from a plurality of individual vehicles. Data received by the wireless communication receiver 118 can be input to an on-board computer 120 that is configured to supervise movement of the train 122. The train 122 also includes an on-board token interface 124 connected to (or integrated with) the on-board computer 120, and which may be substantially the same as token interface 110 so that the physical token 112 can be used with both token interfaces 110, 124.
In the context of the ETCS, and with reference to Figure 6, the receiver 118 can be the on-board part 616 of the GSM-R system; the on-board computer 120 can be an EVC 618; the wirelessly transmitted data can be at least some of the data typically entered manually as part of the Start of Mission procedure; and the token interface 124 can be implemented as part of the DMI 622. It will be understood, of course, that embodiments are not limited to ETCS.
Figure 2 is a sequence diagram showing some of the interactions between entities shown in Figure 1. As will be apparent, some entities such as the client computer 106 and the token interfaces 110, 124 are not shown in the interests of clarity.
Data (e.g., ETCS mission data) that is to be provided to the on-board computer 120 is generated by input of planning information at, for example, the client computer 106, and stored on the server computer 102 (step S202). The data is batch processed and made available for transmission to the on-board unit 120 and to the physical token 112. In particular, at step S204, the data is transmitted over the network 108 to the client computer 104. This can be in response to a request, instruction, or other indication received from the client computer 104, for example after a train driver has performed a log-in procedure using the client computer 104.
At step S206, the data are displayed on a display device connected to or integrated with the client computer 104, so that the train driver can view them.
At step S208, the train driver accepts the data. In embodiments, acceptance includes multi-factor authentication of the train driver. For example, the multi-factor authentication includes authentication based on a cryptographic operation using the physical token 112 (step S210) and authentication based either on a secure PIN or a biometric of the train driver (step S212). It will be appreciated that steps S210 and S212 can be carried out in any order.
As noted above, the cryptographic operation can be a PKI-cryptographic operation. This involves asymmetric cryptography in which a corresponding pair of keys, consisting of a private and a public cryptographic key, is used for encryption/decryption or for signing and signature verification. The authenticity of the pair of keys is ensured by means of a certificate, which associates the public key with identification data of the key holder. The certificate is issued by an authentication entity (e.g., a server) which can be, for example, a private Certification Authority (CA) or a public (third-party) CA. In other words, the authentication entity can be part of the system or a trusted third party.
Authentication by PIN can be performed by entry of the PIN via an input device, and verification against a PIN stored in the physical token. Suitable input devices include a keypad, a keyboard, a touchscreen or other user interfaces. The input device can be connected to or integrated with the client computer 104. In the case of an on-board input device, it can be connected to or integrated with the on-board computer 120 (e.g., the DMI 622). It will be appreciated that other secrets can be used for authentication, such as passwords, patterns, and touch gestures.
Biometric authentication uses one or more biometric identifiers, i.e., distinctive, measurable characteristics of a person, to authenticate that person. Examples of suitable biometric identifiers include, but are not limited to, fingerprint, palm veins, face recognition, retina, and voice. Suitable hardware (e.g., fingerprint reader, palm scanner, face scanner, retina scanner, and voice recognition device), which may be connected to or integrated with client computer 104, can be used to scan the biometric characteristic(s), extract critical information, and then store the results. (For this reason, the biometric authentication S212 is shown as being performed by the client computer 104, though it will be appreciated that other or different entities may be involved.) The result can then be compared to a reference biometric characteristic, and, if there is sufficient commonality, a pass is achieved. In some embodiments, the reference biometric characteristic is securely stored on the physical token 112. The physical token 112 can be configured to carry out the comparison.
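The PIN and biometric checks described above (step S212, and the same checks repeated on the DMI in the cab) are the gate in front of the token's private key: the token should refuse every cryptographic operation until one of them has passed, and should drop that state as soon as it leaves the reader. The following Python is an added example, not code from the patent or from Siemens, modelling that token-side state. It assumes a salted PBKDF2 hash of the PIN on the card rather than the PIN itself, an ISO 7816-style retry counter that blocks the card after three wrong PINs, and a similarity threshold for match-on-card biometric comparison; the patent specifies none of these, and the templates below are constructed bit strings, not real biometric data.

```python
"""Token-side user verification for the acceptance step (added example, not
from the patent). Assumptions, labelled as such: the token stores a salted
PBKDF2 hash of the PIN rather than the PIN, keeps an ISO 7816-style retry
counter that blocks the card after three wrong PINs, and matches the captured
biometric against the on-card reference template with a similarity threshold.
The templates below are constructed bit strings, not real biometric data."""
import hashlib
import hmac
import os

MAX_PIN_TRIES = 3            # assumption: retry counter limit before the card blocks
BIOMETRIC_THRESHOLD = 0.90   # assumption: fraction of template bits that must agree


class TokenBlocked(Exception):
    """Retry counter exhausted; only the issuer can unblock the card."""


class PhysicalToken:
    def __init__(self, driver_id: str, pin: str, reference_template: bytes):
        self.driver_id = driver_id
        self._salt = os.urandom(16)
        self._pin_hash = self._hash_pin(pin)
        self._tries_left = MAX_PIN_TRIES
        self._template = reference_template   # reference biometric never leaves the card
        self.verified = False                 # gates every cryptographic operation

    def _hash_pin(self, pin: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 100_000)

    def verify_pin(self, pin: str) -> bool:
        if self._tries_left == 0:
            raise TokenBlocked(f"token {self.driver_id} is blocked")
        # Decrement before comparing: cutting power mid-compare must not reset the count.
        self._tries_left -= 1
        if hmac.compare_digest(self._hash_pin(pin), self._pin_hash):
            self._tries_left = MAX_PIN_TRIES
            self.verified = True
            return True
        return False

    def verify_biometric(self, captured_template: bytes) -> bool:
        """Match-on-card: the reader sends only the extracted template."""
        if len(captured_template) != len(self._template):
            return False
        differing = sum(bin(a ^ b).count("1") for a, b in zip(captured_template, self._template))
        similarity = 1 - differing / (8 * len(self._template))
        if similarity >= BIOMETRIC_THRESHOLD:
            self.verified = True
            return True
        return False

    def tries_left(self) -> int:
        return self._tries_left

    def require_verified(self) -> None:
        """Call before any private-key operation (step S210 and the in-cab acceptance)."""
        if not self.verified:
            raise PermissionError("PIN or biometric verification required")

    def removed(self) -> None:
        """Token pulled from the reader: drop the verified state."""
        self.verified = False


REFERENCE_TEMPLATE = bytes(range(32))          # constructed 256-bit reference template


def scenario() -> dict:
    results = {}
    token = PhysicalToken("driver-0042", "1234", REFERENCE_TEMPLATE)

    results["wrong_pin"] = token.verify_pin("0000")            # False, one try used
    results["tries_after_wrong"] = token.tries_left()          # 2
    results["right_pin"] = token.verify_pin("1234")            # True, counter reset
    results["tries_after_right"] = token.tries_left()          # 3
    results["verified"] = token.verified                       # True
    token.removed()
    results["verified_after_removal"] = token.verified         # False
    try:
        token.require_verified()
        results["sign_allowed_after_removal"] = True
    except PermissionError:
        results["sign_allowed_after_removal"] = False

    # Captured template with 10 of 256 bits flipped (about 96% agreement): passes.
    close = bytearray(REFERENCE_TEMPLATE)
    for i in range(10):
        close[i] ^= 0x01
    results["biometric_close"] = token.verify_biometric(bytes(close))
    # An unrelated template (all zero bytes, about 69% agreement): rejected.
    results["biometric_other"] = token.verify_biometric(bytes(32))

    # Three wrong PINs in a row exhaust the counter; the fourth attempt is refused outright.
    other = PhysicalToken("driver-0099", "8642", REFERENCE_TEMPLATE)
    for _ in range(MAX_PIN_TRIES):
        other.verify_pin("1111")
    try:
        other.verify_pin("8642")
        results["blocked"] = False
    except TokenBlocked:
        results["blocked"] = True
    return results
```

Two details carry most of the security value: the retry counter is decremented before the comparison, so interrupting the card mid-verify cannot be used to get unlimited guesses, and `verified` is cleared on removal, which is what makes the "token must remain inserted" rule in the cab enforceable at the card rather than only at the reader.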
Once the driver has accepted the data, it is transmitted via secure wireless transmission to the train (steps S212, S214). This data can be stored by the on-board computer 120 in, for example, secure memory of the EVC 618. In some embodiments, the data is also transmitted to the physical token 112 (step S216). This can be after the transmission to the on-board computer 120, before the transmission to the on-board computer 120, or substantially in parallel.
After entering the cab of the train 122, the train driver inserts the physical token 112 into the on-board token interface 124 on, for example, the driver's console. There is an authentication step in which the train driver is authenticated via PIN or biometric ID on a driver-machine interface (not shown in Figure 1) such as, for example, DMI 622. Once authentication is complete, the driver-machine interface displays the data for the driver to accept. Once the driver accepts the data, which can involve authentication based on a cryptographic operation using the physical token 112, they are able to begin the movement of the train along the track (e.g., begin the ETCS mission). In embodiments, the physical token 112 should remain inserted in the on-board token interface 124 at all times during the movement of the train along the track, and removal of the physical token 112 will result in activation of the service or emergency brake (depending on the train's speed / location / national rules etc.) and the train coming to a halt.
At the completion of the movement of the train along the track (e.g., completion of the ETCS mission), the corresponding data is written to the physical token 112 and confirmed by the driver through entry of a PIN or biometric ID confirmation. Once this is complete, the train 122 transmits the data to the central system (e.g., server 102) via a secure wireless link. Thus, while reference is made in Figure 1 to wireless transmitter 114, it will be appreciated that there may also be a wireless receiver. When the driver returns to the depot/compound, they can access a computer terminal 102, 104 with the physical token 112 to allow transmission of the data back to the central system (e.g., server 102), which batch processes the data from the physical token 112 and the data transmitted by the train 122 via the wireless link.
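The acceptance steps S208 to S210, and their repeat on the DMI before the mission starts, are where the PKI operation does its work. The check a practitioner will want is that the token's signature covers exactly the data the driver saw plus a nonce chosen by the verifier, so that a stored acceptance cannot be replayed later or attached to altered mission data, and that the verifier checks the driver's certificate against the operator's CA before trusting the key. The following Python is an added example, not code from the patent or from Siemens; it uses the `cryptography` package, an Ed25519 key on the token with an X.509 certificate issued by the operator's own CA, and a constructed stand-in for Start of Mission data. The signed message format (SHA-256 of the data followed by the nonce), the certificate fields and every name are assumptions.

```python
"""PKI acceptance bound to the mission data (added example, not from the
patent). Assumptions: the token holds an Ed25519 key whose X.509 certificate
was issued by the operator's private CA; the verifier (client computer 104,
and again the on-board computer 120) supplies a fresh nonce and the token
signs SHA-256(mission data) || nonce. All names here are illustrative."""
import hashlib
import secrets
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey
from cryptography.x509.oid import NameOID


def _name(cn: str) -> x509.Name:
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def issue_certificate(subject_cn, subject_public_key, issuer_cn, issuer_key, is_ca=False):
    """Minimal X.509 issuance by the operator's CA (self-signed root when is_ca)."""
    now = datetime.now(timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(_name(subject_cn))
        .issuer_name(_name(issuer_cn))
        .public_key(subject_public_key)
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - timedelta(minutes=5))
        .not_valid_after(now + timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
    )
    return builder.sign(issuer_key, None)  # Ed25519 certificates take no separate hash algorithm


def acceptance_message(mission_data: bytes, nonce: bytes) -> bytes:
    # Sign the digest of exactly what was displayed plus the verifier's nonce, so an
    # acceptance can neither be replayed nor transplanted onto different mission data.
    return b"SoM-accept|" + hashlib.sha256(mission_data).digest() + b"|" + nonce


class PhysicalToken:
    """Driver's smart card: the private key never leaves it; signing is gated on user verification."""

    def __init__(self, driver_cn: str, ca_cn: str, ca_key: Ed25519PrivateKey):
        self._key = Ed25519PrivateKey.generate()
        self.certificate = issue_certificate(driver_cn, self._key.public_key(), ca_cn, ca_key)
        self.user_verified = False  # set by the PIN/biometric step, reduced to a flag here

    def sign_acceptance(self, mission_data: bytes, nonce: bytes) -> bytes:
        if not self.user_verified:
            raise PermissionError("PIN or biometric verification required before signing")
        return self._key.sign(acceptance_message(mission_data, nonce))


def verify_acceptance(cert, ca_certificate, mission_data, nonce, signature) -> bool:
    """Chain the driver's certificate to the CA, check its validity period, then check
    that the signature covers this exact data and this exact nonce."""
    try:
        ca_certificate.public_key().verify(cert.signature, cert.tbs_certificate_bytes)
    except InvalidSignature:
        return False
    now = datetime.now(timezone.utc)
    not_before = getattr(cert, "not_valid_before_utc", None) or cert.not_valid_before.replace(tzinfo=timezone.utc)
    not_after = getattr(cert, "not_valid_after_utc", None) or cert.not_valid_after.replace(tzinfo=timezone.utc)
    if not (not_before <= now <= not_after):
        return False
    try:
        cert.public_key().verify(signature, acceptance_message(mission_data, nonce))
    except InvalidSignature:
        return False
    return True


def scenario() -> dict:
    ca_key = Ed25519PrivateKey.generate()
    ca_cert = issue_certificate("Operator Root CA", ca_key.public_key(), "Operator Root CA", ca_key, is_ca=True)
    token = PhysicalToken("driver-0042", "Operator Root CA", ca_key)

    # Constructed stand-in for the ETCS Start of Mission data shown to the driver.
    mission = b"train_running_number=1A23;driver_id=0042;train_length_m=184;max_speed_kmh=160"
    nonce = secrets.token_bytes(16)  # issued by the verifier for this one acceptance

    results = {}
    try:
        token.sign_acceptance(mission, nonce)
        results["signed_without_verification"] = True
    except PermissionError:
        results["signed_without_verification"] = False

    token.user_verified = True
    sig = token.sign_acceptance(mission, nonce)
    results["valid"] = verify_acceptance(token.certificate, ca_cert, mission, nonce, sig)
    results["tampered_data"] = verify_acceptance(token.certificate, ca_cert, mission.replace(b"160", b"200"), nonce, sig)
    results["replayed_nonce"] = verify_acceptance(token.certificate, ca_cert, mission, secrets.token_bytes(16), sig)

    rogue_key = Ed25519PrivateKey.generate()
    rogue_ca = issue_certificate("Rogue CA", rogue_key.public_key(), "Rogue CA", rogue_key, is_ca=True)
    results["wrong_ca"] = verify_acceptance(token.certificate, rogue_ca, mission, nonce, sig)
    return results
```

The on-board computer 120 runs the same `verify_acceptance` against the CA certificate it holds when the data and the driver's acceptance arrive over the wireless link, and again for the in-cab acceptance with its own nonce, so the EVC does not have to trust the client computer's verdict. The example does no revocation checking; a deployed system would also consult a CRL or OCSP responder, or a short certificate lifetime, so that a lost token can be retired.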
With reference to Figures 3 and 4, one example of a physical token 112 is a smart card 302 comprising an integrated circuit 304 and, in this particular case, an antenna (RFID loop) 306 to allow the smart card 302 to be programmed for additional access security measures (e.g., doors & gates to offices/compounds etc.) and for driver Clock On/Clock Off. Other suitable physical tokens 112 can include a USB device or a mobile device (SIM card).
The integrated circuit 304 comprises a processor 402, memory 404, 406, 408, and an Input/Output (I/O) interface 410. The processor 402 embedded in the card can manipulate and control the data present in the smart card 302. As shown, the memory comprises a Read Only Memory (ROM) 404, a Random Access Memory (RAM) 406, and a Non-Volatile Memory (NVM) 408 such as an Electrically Erasable Programmable Read Only Memory (EEPROM). The ROM 404 contains the smart card operating system. The RAM 406 provides working memory for card operations, such as encryption and decryption. The EEPROM 408 is where applications and their persistent associated data are stored. For example, the EEPROM 408 can store cryptographic data such as a private key and a digital certificate/public key, applications for performing cryptographic operations such as cryptographic calculations involving the private key, a biometric characteristic of the train driver, and the train driver's qualifications and certifications. The cryptographic operation can be in accordance with a PKI-based authentication protocol. An example of a digital certificate is an X.509 certificate.
The I/O interface 410 is one point of communication with the smart card 302. This can be a contact interface or a remote contactless radio frequency interface. For example, the I/O interface can be a conductive contact module provided on a surface of the smart card 302. In this way, the integrated circuit 304 can communicate by way of a physical electrical connection with a card reader. Alternatively, the I/O interface 410 can be an internal antenna (separate from antenna 306) so that the integrated circuit 304 can communicate wirelessly by way of an electromagnetic interface when the smart card 302 is placed in proximity of a card reader.
Figure 5 is a block diagram of a computing device, such as server computer 102, client computer 104, 106, and on-board computer 120, which embodies the present invention, and which may be used to implement methods of the present disclosure. The relationship of client computers 104, 106 and server computer 102 arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other. Client computers 104, 106 can include, but are not limited to, personal computers (whether desktop, laptop, or otherwise), personal digital assistants (PDAs), cellular telephones and smartphones, or the like. Preferably, the client computers 104, 106 are secure terminals. Server devices are any computerized component, system or entity, regardless of form, which is adapted to provide data, files, applications, content, or other services to one or more other devices or entities on a computer network. The client and server computers 102, 104, 106 are generally remote (separate) from the train.
The computing device comprises a processor 502, and memory 504. Optionally, the computing device also includes a network interface 510 for communication with other computing devices, for example with other computing devices of invention embodiments. For example, an embodiment may be composed of a network of such computing devices. Optionally, the computing device also includes one or more input mechanisms such as keyboard and mouse (generally referred to as input 508), and a display 506 such as one or more monitors. The components are connectable to one another via a bus 512.
The memory 504 may include a computer readable medium, which term may refer to a single medium or multiple media (e.g., a centralized or distributed database and/or associated caches and servers) configured to carry computer-executable instructions or have data structures stored thereon. Computer-executable instructions may include, for example, instructions and data accessible by and causing a general purpose computer, special purpose computer, or special purpose processing device (e.g., one or more processors) to perform one or more functions or operations. Thus, the term “computer-readable storage medium” may also include any medium that is capable of storing, encoding or carrying a set of instructions for execution by the machine and that cause the machine to perform any one or more of the methods of the present disclosure. The term “computer-readable storage medium” may accordingly be taken to include, but not be limited to, solid-state memories, optical media and magnetic media. By way of example, and not limitation, such computer-readable media may include non-transitory computer-readable storage media, including Random Access Memory (RAM), Read-Only Memory (ROM), Electrically Erasable Programmable Read-Only Memory (EEPROM), Compact Disc Read-Only Memory (CD-ROM) or other optical disk storage, magnetic disk storage or other magnetic storage devices, flash memory devices (e.g., solid state memory devices).
The processor 502 is configured to control the computing device and execute processing operations, for example executing code stored in the memory to implement the various different functions described here and in the claims. The memory 504 stores data being read and written by the processor 502. As referred to herein, a processor may include one or more general-purpose processing devices such as a microprocessor, central processing unit, or the like. The processor may include a complex instruction set computing (CISC) microprocessor, reduced instruction set computing (RISC) microprocessor, very long instruction word (VLIW) microprocessor, or a processor implementing other instruction sets or processors implementing a combination of instruction sets. The processor may also include one or more special-purpose processing devices such as an application specific integrated circuit (ASIC), a field programmable gate array (FPGA), a digital signal processor (DSP), network processor, or the like. In one or more embodiments, a processor is configured to execute instructions for performing the operations and steps discussed herein.
The display 506 may display a representation of data stored by the computing device and may also display a cursor and dialog boxes and screens enabling interaction between a user and the programs and data stored on the computing device. The input mechanisms 508 may enable a user to input data and instructions to the computing device.
The network interface (network I/F) 510 may be connected to a network, such as the Internet, and is connectable to other such computing devices via the network. The network I/F 510 may control data input/output from/to other apparatus via the network. Other peripheral devices such as a microphone, speakers, printer, power supply unit, fan, case, scanner, trackball, etc. may be included in the computing device.
Methods embodying the present invention may be carried out on a computing device such as that illustrated in Figure 5. Such a computing device need not have every component illustrated in Figure 5, and may be composed of a subset of those components.
The ETCS is only one example of a train control system in which embodiments of the invention can be practiced. Another example is Communication-Based Train Control (CBTC), which is often used in light rail/metro systems. In CBTC systems, an Automatic Train Supervision (ATS) system functions as the interface between an operator and the system, managing the traffic according to specific regulation criteria. It is responsible for sending the data used in the Start of Mission procedure and during the train run. The mission contains a set of information for each stop that the train must make during the service, including: start time, stop point, the side on which the doors are to be opened, and the duration for which the doors must remain open. A wayside Automatic Train Protection (ATP) system manages all communications with the trains in its area. Additionally, it calculates the limits of movement authority that every train must respect while operating in that area. A wayside Automatic Train Operation (ATO) system controls the destination and regulation targets of every train: it provides all trains in the system with their destination as well as other data such as dwell time at stations. On board the train, an on-board ATO system controls the speed of the train; the on-board ATO is monitored and, if necessary, corrected by an on-board ATP system. In the context of CBTC, the client terminal 104 can be part of the ATS system, which an operator uses to accept mission data that is to be sent to the on-board ATO if the operator is authenticated. Thus, the train driver is only one example of a person (user) to whom a physical token can be assigned, with which that person can be authorised, and who can accept data that is to be provided to an on-board computer of a train in order to allow the train to start its movement along a track.
Furthermore, it will be appreciated that, depending on the railway undertaking's organisation, data entry can be performed by a person (user) who is not the driver, e.g., a train preparer. Thus, a train preparer is another example of a person (user) to whom a physical token can be assigned, with which that person can be authorised, and who can accept data that is to be provided to an on-board computer of a train in order to allow the train to start its movement along a track.
While the invention has been illustrated and described in detail with the help of various embodiments, the invention is not limited to the disclosed examples. Other variations can be deduced by those skilled in the art without departing from the scope of protection of the claimed invention.

Claims (15)

1. A system comprising:
a server computer (102); a client computer (104); and a physical token (112), which is assigned to a train driver, wherein the server computer (102) is configured to store data that is to be provided to an on-board computer (120) of a train (122) in order to allow the train (122) to start its movement along a track, and to transmit the data to the client computer (104), the client computer (104) is configured to display the data, the physical token (112) is configured to store cryptographic data, and, when the physical token (112) is presented by the train driver to a token interface (110) at the client computer (104), to use the cryptographic data to perform a cryptographic operation to authenticate the train driver, and at least one of the server computer (102) and the client computer (104) is configured to transmit, via a wireless transmitter (114), the data to the on-board computer (120), in response to acceptance of the data by the train driver that includes the authentication of the train driver based on the cryptographic operation performed by the physical token (112).
2. The system according to claim 1, wherein the cryptographic operation is performed in accordance with a Public Key Infrastructure, PKI, based protocol.
3. The system according to claim 1 or 2, wherein the acceptance of the data by the train driver further includes authentication of the train driver based on at least one of: a verification of a personal identification number, PIN, entered by the train driver on an input device at the client terminal (106), and a comparison between a biometric identifier of the train driver obtained by a sensor at the client computer (104) and a reference biometric identifier of the train driver.
4. The system according to claim 3, wherein the reference biometric identifier of the train driver is stored on the physical token (110).
5. The system according to any one of the preceding claims, wherein the physical token (112) is configured to store at least one of a qualification and a certification of the train driver.
6. The system according to any one of the preceding claims, wherein the physical token (112) is configured to receive, via the token interface (110), the data from the client computer (104).
7. The system according to any one of the preceding claims, wherein the physical token (112) is configured to receive, via an on-board token interface (124) connected to or integrated with the on-board computer (120), data from the on-board computer (120) when the train (122) has completed its movement along the track.
8. The system according to claim 7, wherein the physical token (112) is configured to transmit, when the physical token (112) is presented by the train driver to the token interface (110) at the client computer (104) or another token interface at another client terminal, the data received from the on-board computer (120).
9. A client computer (104), comprising: a processor (502);
a network interface (510) configured to enable the client computer (104) to communicate over a network (108); and memory (504) that stores instructions which, when executed by the processor (502), cause the client computer (104) to:
receive, from a server computer (102), data that is to be provided to an on-board computer (120) of a train (122) in order to allow the train (122) to start its movement along a track, facilitate performance of a cryptographic operation, by a physical token (112) that stores cryptographic data, to authenticate a train driver to whom the physical token (112) is assigned, when the physical token (112) is presented by the train driver to a token interface (110) connected to or integrated with the client computer (104), and transmit the data to the on-board computer (120) via a wireless transmitter (114), in response to acceptance of the data by the train driver that includes authentication of the train driver based on the cryptographic operation performed by the physical token (112).
10. A physical token (112, 302), comprising:
a processor (402);
an interface (410) configured to allow the physical token (112, 302) to communicate with an external entity; and memory (404, 406, 408) configured to store: cryptographic data, and instructions which, when executed by the processor (402), cause the physical token to use the cryptographic data to perform a cryptographic operation to authenticate a train driver to whom the physical token is assigned.
11. The physical token (112, 302) according to claim 10, wherein the memory (408) is configured to store data that is to be provided to an on-board computer (120) of a train (122) in order to allow the train (122) to start its movement along a track.
12. The physical token (112, 302) according to claim 11, wherein the memory (408) is configured to store data received from the on-board computer (120) when the train (122) has completed its movement along the track.
13. A method performed by a client computer (104), comprising:
receiving, from a server computer (102), data that is to be provided to an on-board computer (120) of a train (122) in order to allow the train (122) to start its movement along a track;
displaying the data;
facilitating performance, by a physical token (112) that stores cryptographic data, of a cryptographic operation to authenticate a train driver to whom the physical token (112) is assigned, when the physical token (112) is presented by the train driver to a token interface (110) connected to or integrated with the client computer (104), and transmitting the data to the on-board computer (120) via a wireless transmitter, in response to acceptance of the data by the train driver that includes authentication of the train driver based on the cryptographic operation performed by the physical token (112).
14. A method performed by a physical token (112, 302) that is assigned to a train driver, comprising:
storing cryptographic data; and using the cryptographic data to perform a cryptographic operation to authenticate the train driver, when the physical token (112, 302) is presented by the train driver to a token interface (110, 124) at a computer (104, 120).
15. A computer program comprising computer-executable instructions to perform the method of claim 13 or claim 14.
Intellectual Property Office. Application No: GB1619807.9. Examiner: Dr Maurice Blount.

Priority Applications (3)

Application Number Priority Date Filing Date Title
GB1619807.9A GB2556893A (en) 2016-11-23 2016-11-23 Input of data into an on-board computer of a train
EP17798134.7A EP3544877A1 (en) 2016-11-23 2017-10-27 Input of data into an on-board computer of a train
PCT/EP2017/077667 WO2018095696A1 (en) 2016-11-23 2017-10-27 Input of data into an on-board computer of a train

Publications (2)

Publication Number Publication Date
GB201619807D0 GB201619807D0 (en) 2017-01-04
GB2556893A true GB2556893A (en) 2018-06-13

Family

ID=57993911

Family Applications (1)

Application Number Title Priority Date Filing Date
GB1619807.9A Withdrawn GB2556893A (en) 2016-11-23 2016-11-23 Input of data into an on-board computer of a train

Country Status (3)

Country Link
EP (1) EP3544877A1 (en)
GB (1) GB2556893A (en)
WO (1) WO2018095696A1 (en)

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR102491371B1 (en) * 2017-11-02 2023-01-26 현대자동차주식회사 Remote control device and vehicle including the same
CN110435590A (en) * 2019-09-17 2019-11-12 河海大学常州校区 A kind of protection system for public transit vehicle control loop
CN112918517B (en) * 2021-02-01 2023-02-17 中国神华能源股份有限公司神朔铁路分公司 Method and device for setting railway locomotive driving parameters, computer equipment and storage medium
CN113022662B (en) * 2021-04-16 2022-10-18 湖南中车时代通信信号有限公司 Vehicle-mounted ATC network system and rail transit system
CN113641306A (en) * 2021-07-28 2021-11-12 通号城市轨道交通技术有限公司 Data interaction method and device for vehicle-mounted ATO and vehicle-mounted ATP
CN115465336A (en) * 2022-08-29 2022-12-13 通号万全信号设备有限公司 Tramcar operation diagram-based method and device for counting driver and passenger driving data
CN116373961B (en) * 2023-06-07 2023-11-17 北京全路通信信号研究设计院集团有限公司 Monitoring system and method for signal interface of train control system

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020135466A1 (en) * 2001-03-21 2002-09-26 Bunyan Roy James Vehicle security system and method
US20030217269A1 (en) * 2002-05-15 2003-11-20 Alexander Gantman System and method for managing sonic token verifiers
JP2004086547A (en) * 2002-08-27 2004-03-18 Matsushita Electric Ind Co Ltd Portable electronic key
GB2478922A (en) * 2010-03-23 2011-09-28 Ian Ratcliffe Authorisation device for a vehicle starting system
EP2371661A2 (en) * 2010-03-18 2011-10-05 Westinghouse Brake and Signal Holdings Limited Train information exchange
US20120313796A1 (en) * 2011-06-13 2012-12-13 Kt Corporation Car control system
EP2924605A1 (en) * 2014-02-14 2015-09-30 So. System. Service Co., Ltd. Operator authentication operation system
US20160292459A1 (en) * 2006-04-25 2016-10-06 Vetrix, Llc Converged logical and physical security

Also Published As

Publication number Publication date
GB201619807D0 (en) 2017-01-04
WO2018095696A1 (en) 2018-05-31
EP3544877A1 (en) 2019-10-02

Legal Events

Date Code Title Description
WAP Application withdrawn, taken to be withdrawn or refused ** after publication under section 16(1)