DE102018207661A1 - Verification of sensor data - Google Patents

Verification of sensor data

Info

Publication number
DE102018207661A1
Authority
DE (Germany)
Application number
DE102018207661.8A
Other languages
German (de)
Prior art keywords
sensor data, motor vehicle, sensor, identification, message
Legal status
Pending
Inventors
Mehrdad Salari Khaniki
Ulrich Mair
Current assignee
ZF Friedrichshafen AG
Original assignee
ZF Friedrichshafen AG
Application filed by ZF Friedrichshafen AG

Classifications

    • G07C5/00 Registering or indicating the working of vehicles
        • G07C5/08 Registering or indicating performance data other than driving, working, idle, or waiting time, with or without registering driving, working, idle or waiting time
            • G07C5/0808 Diagnosing performance data
        • G07C5/008 Registering or indicating the working of vehicles communicating information to a remotely located station
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
        • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
            • G06F21/44 Program or device authentication
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements
        • G06F2221/2129 Authenticate client device independently of the user
    • H04W4/00 Services specially adapted for wireless communication networks; Facilities therefor
        • H04W4/02 Services making use of location information
            • H04W4/023 Services making use of mutual or relative location information between multiple location based services [LBS] targets or of distance thresholds
        • H04W4/30 Services specially adapted for particular environments, situations or purposes
            • H04W4/40 Services specially adapted for vehicles, e.g. vehicle-to-pedestrians [V2P]
    • G08G1/00 Traffic control systems for road vehicles
        • G08G1/01 Detecting movement of traffic to be counted or controlled
            • G08G1/0104 Measuring and analyzing of parameters relative to traffic conditions
                • G08G1/0108 Measuring and analyzing of parameters relative to traffic conditions based on the source of data
                    • G08G1/0112 Measuring and analyzing of parameters relative to traffic conditions based on data from the vehicle, e.g. floating car data [FCD]

Abstract

A method (200) includes the steps of sampling (205) first sensor data from a first sensor (120) on board a first motor vehicle (105); sampling (210) second sensor data from a second sensor (140) located in the region of the first motor vehicle (105), wherein the second sensor (140) is disposed on board a second motor vehicle (110) or on an infrastructure (160); comparing (220) the sampled first and second sensor data with each other; and determining (225) that the first sensor data are trustworthy if they correspond to the second sensor data. In this case, the second sensor data comprise an identification of the device (162), and the comparison is carried out only if the identification of the device (162) can be checked successfully.

Description

  • The present invention relates to the verification of sensor data. In particular, the invention relates to the verification of data that has been sampled on board a motor vehicle.
  • A sensor mounted on board a motor vehicle scans a quantity on the basis of which the motor vehicle, or a system mounted on board it, can be controlled. Sensed sensor data may be disturbed, noisy or corrupted for a variety of reasons, so control based on sensor data may in general be risky. If the controlled system has to meet high safety requirements, for example because a malfunction can cause damage to property or injury to persons, then usually either a sensor is used whose operational reliability and accuracy meet predetermined requirements, which can be specified for example in the ASIL classification, or several sensors are used to scan the same quantity. If the sensor data of the several sensors correspond to one another, the sensor data can be classified as plausible or trustworthy.
  • However, this procedure requires a complex sensor concept. One object of the present invention is to provide an improved technique that allows a plausibility check of sensor data sensed by a sensor on board a motor vehicle. The invention achieves this object by means of the subject matter of the independent claims. The dependent claims set out preferred embodiments.
  • One method includes the steps of sampling first sensor data from a first sensor on board a first motor vehicle; sampling second sensor data from a second sensor located in the region of the first motor vehicle, wherein the second sensor is arranged in a device, in particular on board a second motor vehicle or on an infrastructure; comparing the sampled first and second sensor data with each other; and determining that the first sensor data are trustworthy if they correspond to the second sensor data. In this case, the second sensor data comprise an identification of the device, and the comparison is carried out only if the identification of the device can be checked successfully.
  • This ensures that only second sensor data from a known source are used to assess the trustworthiness of the first sensor data. If the second sensor data turn out to be wrong, the device from which the second sensor data were received can be notified. The device may then check the second sensor and/or suspend the transmission of second sensor data until the problem is found.
  • In addition, an indication that the device has supplied incorrect sensor data may be deposited at a central location. Another first motor vehicle may obtain, from the central location, information about incorrect sensor data recently reported for the device and refuse to process second sensor data received from that device.
  • By verifying the identity of the device, sensor data of questionable quality can be prevented from propagating in a network with one or more first motor vehicles. A malicious distribution of manipulated second sensor data can be counteracted. This can also be used to resist a hacker attack or cyberattack that might otherwise be capable of disrupting public road traffic.
  • The identification can be checked by means of an asymmetric cryptographic method. One of several known authentication methods with asymmetric keys can be used for this purpose. Several such methods have been in use for some time and can be considered secure. The method may be publicly documented and an implementation may be freely available, so the method can be used easily and inexpensively. Efforts by third parties to improve the authentication method can be beneficial; for widely used methods in particular, such efforts are made continuously from many different places.
  • To carry out an authentication method with asymmetric cryptographic keys, in one embodiment a message is generated by the first motor vehicle and transmitted to the device; the message is encrypted by the device with a private key of the device and transmitted back to the first motor vehicle; and the transmitted message is decrypted by the first motor vehicle with a public key of the device and compared with the original message.
  • If the decrypted message contains the original message, the identity of the device is verified successfully. Otherwise, if the original message is not contained in the received message, the identity cannot be checked successfully, and the comparison of the received sensor data with the locally collected sensor data can then be omitted. In a further embodiment, the transmitted message may comprise further information, in particular the second sensor data. If the identification of the device can be checked successfully, it can at the same time be assumed that the communication between the first motor vehicle and the device is unadulterated. Furthermore, a timestamp can be contained in the transmitted message, so that an encrypted message which is intercepted and later retransmitted to the first motor vehicle can be recognized and discarded.
  • The public key of the device can be obtained from a central location. The central location may comprise a certificate authority (CA) and be implemented, for example, as a server or as a service, such as in a cloud. Several widely recognized CAs are currently known and suitable for public key distribution. For communication with the CA, a similar method may be used, wherein a public key of the CA may be fixed in advance on board the first motor vehicle.
  • The central location may be notified of the success or failure of a device identification check. Thus, on the one hand, the distribution of doubtful, false, inaccurate or malicious information can be contained. On the other hand, it is also possible to reward a device that proves to be a good source of second sensor data. The reward may be an increased associated trust; in other words, the second sensor data can be assigned a trustworthiness which can be raised as a reward. Following the principle of some social networks, the best and most reliable source of second sensor data within a group of first motor vehicles can thus be established more effectively.
  • The reward may also take another form, for example material compensation or improved availability of other second sensor data, if the device in turn wishes to obtain second sensor data from another source.
  • The identification may include a feature that can be scanned by means of a sensor of the first motor vehicle. The feature may include at least one of a color, type, design, equipment, or registration of the device. The sensor may in particular comprise an optical sensor, for example a camera. Thus, a transfer of an identification from one device to another ("identity theft") can be counteracted.
  • The identification may also include a position of the device. It is common, for example, that a second motor vehicle regularly determines its actual position and transmits it to a central location, for instance for navigation purposes. If the second motor vehicle transmits a position which, although lying in the region of the first motor vehicle, deviates from the position stored at the central location, then the identification cannot be checked successfully. This can prevent second sensor data from being used beyond the range of their actual validity. In addition, an attacker who relays second sensor data from one location to another can be defended against.
  • In yet another embodiment, it is determined that the second sensor data are less trustworthy than the first sensor data. As a result, a message indicating the lack of trustworthiness may be sent to the device, to another device, or to a central location. In other words, the device that provided the second sensor data can be informed of the possibly faulty or damaged sensor data, so that further dissemination can be counteracted. Another road user in the area of the first motor vehicle can be warned and handle or reject second sensor data of the same device with particular care. For this, the first motor vehicle may identify itself to the device as described herein. A warning may also be issued to a central location which may, for example, warn other devices.
  • Further embodiments of the present invention relate primarily to the determination and treatment of potentially untrusted sensor data.
  • In contrast to known solutions, a trustworthiness of the first sensor data can be determined on the basis of second sensor data originating from a source which does not belong to the first motor vehicle. Thus, a distribution and networking of sensors in the area of the first motor vehicle can advantageously be exploited.
  • Preferably, the second sensor is located in the region of the first motor vehicle when both sensors have an overlapping scanning range or relate to the same determinable phenomenon. Different sampling times or sampling periods can be taken into account in the comparison. For example, the second sensor information can be classified as outdated after a predetermined time and thus as less trustworthy. The loss of trustworthiness can be binary, graded or continuous. First and second sensor data preferably correspond to one another if they match, i.e. do not deviate from one another by more than a predetermined amount, or if both allow the same circumstance to be derived by processing. For example, both sensor values may relate to an object on a roadway in front of the first motor vehicle. For this purpose, the sensors can in particular perform a non-contact scanning of a region, for example by means of radar or LiDAR. The sensor values of the two sensors correspond to each other when the object can be determined from the sensor values of both sensors with substantially the same size, surface, texture or another predetermined property.
  • The second sensor data may be verified or plausibility-checked on the basis of third sensor data, the first sensor data being determined to be untrustworthy if they do not correspond to the second sensor data. The first sensor data are usually not verified, so the verified second sensor data can be more trustworthy. If the first sensor data deviate from the second, the second sensor data, instead of the first, can serve as the basis for a predetermined control task on board the motor vehicle.
  • In particular, the second sensor data may be provided together with information certifying their trustworthiness. The trustworthiness of the second sensor data can be indicated by simple, for example binary, information (a "flag"). The trustworthiness information may also take a numerical value. Several dimensions of trustworthiness may also be determined, such as a measurement distance, a signal-to-noise ratio, the sensor used, the age of the sensor data, or the information on the basis of which a verification has taken place. On the basis of this multi-dimensional information, where sensor values do not correspond to one another, it can be determined in an improved manner which sensor information has the higher reliability and is therefore to be used preferentially for a control task. The information about the trustworthiness can be cryptographically secured, for example by means of a digital certificate. The sensor data can thus be transmitted together with the information and its security, for example via a wireless communication link.
  • A plurality of second sensor data can be sampled by different second sensors, each of the second sensors being located in the region of the first motor vehicle and being arranged on board a vehicle other than the first motor vehicle or on an infrastructure; the first sensor data are then determined to be untrustworthy if there are fewer second sensor data to which the first sensor data correspond than second sensor data to which they do not correspond. Thus, on the basis of the sensor data, a majority decision can be made as to which sensor data are to be trusted and which are not.
  • In one embodiment, the second sensor data from the second sensor are transmitted to a central location and stored there. The central location can continuously collect second sensor data. If second sensor data are to be compared with first sensor data, those can be selected from the stored sensor data which match the first sensor data as well as possible, for example with respect to the measurement location, the measurement type or the measurement time. For the comparison with the first sensor data, several second sensor data can also be verified against each other. For this, a trustworthiness of the verified sensor data can be determined and the comparison based on it.
  • In different variants, the comparison between the first and the second sensor data can be carried out by the central location, or on the part of the first or the second motor vehicle. For this purpose, the required sensor data and further information can be transmitted accordingly between the central location, the first motor vehicle and the second motor vehicle. The transmission is preferably wireless.
  • The first and the second sensor data may relate to the same facts from different perspectives of the respective sensors, the comparison taking into account the different perspectives. The perspective may include a sample location and a sample time. Accompanying circumstances of a scan may include a speed of movement of the sensor relative to a scanned object or the type or setting of a measuring equipment comprising the sensor.
  • The first sensor data can relate to different circumstances. In one embodiment, they relate to a driving or moving state of the first motor vehicle. The driving state may in particular include at least one of a position, a speed, an acceleration or a distance from a predetermined object. As a result, basic parameters of the movement dynamics of the first motor vehicle, on the basis of which the motor vehicle or one of its systems can be controlled, can be verified on the basis of the second sensor values.
  • The sensor data may also include a configuration of the first motor vehicle. The configuration may, for example, be visually recognizable from the outside and relate to the complete closing of a door, a window, a glass or sliding roof, or a convertible top. A functional state of a lighting device can also be part of the configuration of the first motor vehicle. Thus, a simple visual inspection from the perspective of an external vehicle can be used to detect a possible misconfiguration of the first motor vehicle. In the case of the lighting system, for example, it may be determined whether or not a predetermined lighting is actually provided to the outside. A faulty measurement by the first sensor, which for example determines only the current flow through the lighting system, can thereby be detected.
  • The sensor data may relate to an object or to the condition of the road surface in the area of a planned route of the first motor vehicle. In this case, the first sensor may in particular comprise a so-called forward-looking sensor which operates, for example, on the basis of image-based scanning or of radar or LiDAR scanning.
  • A first device on board a first motor vehicle comprises a first sensor for providing first sensor data; a processing device; and communication means for transmitting the first sensor data and for receiving the result of a determination of whether the first sensor data correspond to second sensor data. In this case, the second sensor data are sampled by a second sensor in the region of the first motor vehicle, and the second sensor is arranged on board a second motor vehicle or on an infrastructure. In this variant, the first sensor data can be compared with the second sensor data outside the first motor vehicle. By way of example, the comparison can be carried out on board a second motor vehicle where the second sensor is mounted, in the area of a fixed scanning device of an infrastructure, or in the region of a central device. The central device can be realized in particular as a server or service, for example also abstracted in a cloud.
  • A second device on board a first motor vehicle comprises a first sensor for providing first sensor data; a processing device; and communication means for receiving second sensor data; wherein the second sensor data are sampled by a second sensor in the region of the first motor vehicle, the second sensor being arranged on board a second motor vehicle or on an infrastructure, and wherein the processing device is set up to trust the first sensor data if the first sensor data correspond to the second sensor data. In this variant, the comparison between first and second sensor data can be made by the first motor vehicle. The received second sensor data may be transmitted in response to a corresponding request from the first motor vehicle or, for example, transmitted periodically by the second motor vehicle, the infrastructure or a central device.
  • The processing device is preferably set up to carry out a method described herein in whole or in part. For this purpose, the processing device may in particular comprise a programmable microcomputer or microcontroller, and the method may take the form of a computer program product with program code means. Advantages or features of the method can be transferred to the device, and vice versa.
  • A system includes a first motor vehicle having a first sensor, a second motor vehicle and a central device. In this case, the central device comprises a data memory adapted to store second sensor data, each of which is sampled by a second sensor that is located in the region of the first sensor and is arranged either on board a vehicle other than the first motor vehicle or on an infrastructure. The central device further comprises a communication device for communication with the first and/or second motor vehicle.
  • The invention will now be described in more detail with reference to the attached figures, in which:
    • Figure 1 shows a system with a first motor vehicle; and
    • Figure 2 shows a flowchart of a method.
  • Figure 1 shows a system 100 with a first motor vehicle 105 having a device 110. The device 110 includes a first processing device 115, a first sensor 120 and a first communication device 125. In a first embodiment, a second sensor 140 and optionally a second processing device 145 and a second communication device 150 can be provided on board a second motor vehicle 135. The second sensor 140, the second processing device 145 and the communication device 150 can also be mounted on an infrastructure 160 in the area of the first motor vehicle 105. The infrastructure 160 can in particular be located in the area of a road used by the first motor vehicle 105, for example in a traffic control system or in a particular optical monitoring device. In the following, the second motor vehicle 110 and the infrastructure 160 are summarized as the device 162 where they serve the same purpose, namely the provision of second sensor data.
  • A central location 165 can for example be realized as a server or service, possibly abstracted in a cloud. The central location 165 comprises a third processing device 170, a third communication device 175 and a data memory 180. The communication devices 125, 150 and 175 are preferably each set up for wireless information transmission with one another, as far as this is required for one of the embodiments considered below. The communication is preferably at least partially wireless and may use any communication network 185, which is schematically indicated in Figure 1 as a cloud.
  • The first sensor 120 on board the first motor vehicle 105 may in particular be a forward-looking sensor that scans an area located in front of the first motor vehicle. Sensor data provided by it may be used, for example, by a controller of the first motor vehicle 105 as part of determining a driving trajectory of the first motor vehicle 105 or as part of an automatic obstacle avoidance. The first sensor 120 can also be set up to determine a driving state of the first motor vehicle 105, including for example a position, a speed, an acceleration or a distance to a predetermined object such as a lane marking or another motor vehicle. In further embodiments, the first sensor 120 can be configured to determine a configuration of the first motor vehicle 105; for this purpose, it can for example be set up to determine the opening state of a door, a window, a glass or steel sliding roof or a convertible top of the first motor vehicle 105. In general, the first sensor 120 can be adapted to detect any condition or event in the area of the first motor vehicle 105 that can also be detected by the sensor 140, which is not located on board the first motor vehicle 105.
  • It is proposed to compare sensor data of the second sensor 140 with sensor data of the first sensor 120 in order to determine whether the sensor data sampled by the first sensor 120 are to be trusted or not. For this purpose, it can be determined whether the first and second sensor data correspond to one another. The sensor data correspond if they indicate the same state or event. A quantitative deviation between the sensor data, or between results derived from them, may have to lie below a predetermined threshold for correspondence to be determined. If the sensor data correspond to one another, the first sensor data are trustworthy and can be relied upon by a controller of the first motor vehicle 105 or of a system on board the first motor vehicle 105. In one embodiment, the second sensor data corresponding to the first sensor data may also be used as a basis for the control, for example if the second sensor data are more accurate or more reliable than the first sensor data.
  • It is further proposed to use the second sensor data of the second sensor 140 for determining the trustworthiness of the first sensor data of the first sensor 120 only if the source of the second sensor data can be checked. For this purpose, the second sensor data can include an identification of the device 162, and the identification can be verifiable by the first motor vehicle 105. In various embodiments, the identification may be explicit, for example in the form of an identification number, name, description or other indication. In another embodiment, the identification may be implicit, for example in that the device 162 demonstrably possesses information associated with the identity used. In particular, such information may be a private cryptographic key whose corresponding public key is known to the first motor vehicle 105 or can be determined by it in a secure manner. In an asymmetric encryption method, encryption with a party's private key can be reversed by decryption with that party's public key, or vice versa. Communicating parties each require a pair of a public and a private key, the public key usually being made available to the communication partner.
  • A comparison of the first and second sensor data may, in different embodiments, be carried out on board the first motor vehicle 105, on board the second motor vehicle 110, on the part of the infrastructure 160, or at the central location. If the comparison of the second sensor data sampled by the second sensor 140 with the first sensor data takes place away from the second sensor 140, the second sensor data can be transmitted by means of the communication device 150 either on the device's own initiative or only after a corresponding request has been received. Second sensor data can be filed at the central location 165 in the data memory 180. On the basis of several second sensor data, a plausibility check can also be carried out; in particular, it may be determined whether or not the several second sensor data correspond to each other. Such a plausibility check can be carried out in particular by the central location on the basis of the second sensor data stored in the data memory 180. A plausibility check of second sensor data may also be based on third sensor data, which can come from any source other than the second sensor 140. This plausibility check can be performed, for example, on the part of the second motor vehicle 110.
  • If sensor data compared with one another correspond to one another, they can be determined to be plausible or trustworthy. Trusted sensor data may be associated with information that indicates the trustworthiness in a graded or binary manner. This information can be secured in particular by means of cryptographic methods, such as signing based on a cryptographic certificate in an asymmetric public/private key infrastructure, in particular against forgery, duplication or modification.
  • Figure 2 shows a flowchart of a method 200. The method 200 can be used to check first sensor data obtained by means of the first sensor 120 on board the first motor vehicle 105 for trustworthiness.
  • In a step 205, the first sensor 120 is sampled to obtain the first sensor data. In an independent or concurrent step 210, second sensor data can be sampled from the second sensor 140. The second sensor data 140 in this case preferably relate to the same object or area as the first sensor data. The second sensor data are recorded outside the first motor vehicle 105 and can in particular be sampled on board the second motor vehicle 110 or by means of the infrastructure 160. In one embodiment, the second sensor data may be checked for trustworthiness on the basis of third sensor data which are detected by a third sensor in a step 215. Trustworthiness is generally present if at least two sets of sensor data compared with one another agree sufficiently precisely or allow conclusions to be drawn about the same facts.
  • In a step 220, the first sensor data are compared with the second sensor data. For this purpose, the first sensor data can be transmitted to where the second sensor data are located, or the second sensor data can be transmitted to where the first are located, or the first and second sensor data can both be transmitted to a different location for comparison, in particular to the central location 165. The transmission of second sensor data can take place proactively, periodically or on request. Second sensor data can be collected from different sources and compared with one another to check their plausibility.
  • A trustworthiness of the first sensor data can be determined in a step 225 by the comparison with the second sensor data. When comparing sensor data, those that have already been checked for plausibility are in general given higher trustworthiness than sensor data that have not been plausibility-checked. After determining whether the first sensor data are plausible or trustworthy, the determination result may be sent to the first motor vehicle 105 if the comparison took place outside the first motor vehicle 105. Optionally, the second sensor data with which the first sensor data were compared can also be transmitted.
  • FIG. 3 shows a flowchart of another method 300, which can be executed in particular in combination with the method 200 of FIG. 2. The method 300 is an example of an authentication method with which the first motor vehicle 105 can check an identification or identity of the device 162. The method 300 is preferably carried out before step 220 of the method 200. If the identification of the device 162 cannot be determined successfully, the method 200 can be terminated, or it can continue without the second sensor data from the device 162.
  • By way of illustration, steps of the method 300 that are preferably carried out by the first motor vehicle 105 are shown in a left-hand area and those preferably carried out by the device 162 in a right-hand area. Communication steps are shown in a middle area.
  • In a first step 305, the first motor vehicle 105 can determine a random number and transmit it to the device 162 in a step 310. Should the random number be manipulated, the subsequent check of the identification will be negative, so that in the worst case correct second sensor data are discarded, but incorrect second sensor data cannot be accepted. In a step 315, the device 162 can encrypt the received random number with its private cryptographic key and transmit it back to the first motor vehicle 105 in a step 320. On the part of the first motor vehicle 105, the received encrypted random number can be decrypted by means of the public key of the device 162 (step 325). If the resulting plain text contains the random number determined in step 305 (step 330), the identification of the device 162 has been checked successfully.
  • In another variant of the method 300 shown, the device 162 can check the authentication of the first motor vehicle 105. Public cryptographic keys of the first motor vehicle 105 or of the device 162 can be managed by a central location, such as the central location 165 in the system 100 of FIG. 1. The method 300, or a modification thereof, can also be used to retrieve public keys.
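  • The challenge-response exchange of steps 305 to 330 as an added example in Go (not code from the patent or from ZF). The patent describes step 315 as encrypting the random number with the device's private key; this example realises that proof of possession as a digital signature over the random number, which is the standard form of the same idea. The type and function names, the key type (Ed25519) and the device identifier are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// Device stands for the device 162 (second vehicle or roadside infrastructure) holding a private key.
type Device struct {
	ID   string
	priv ed25519.PrivateKey
}

// NewDevice creates a simulated device with a freshly generated key pair (constructed setup).
func NewDevice(id string) (*Device, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{ID: id, priv: priv}, nil
}

// PublicKey is the key the central location 165 would distribute to the first motor vehicle.
func (d *Device) PublicKey() ed25519.PublicKey { return d.priv.Public().(ed25519.PublicKey) }

// Respond is step 315: the device proves possession of its private key by signing the
// random number it received in step 310 (the patent's "encrypt with the private key").
func (d *Device) Respond(challenge []byte) []byte { return ed25519.Sign(d.priv, challenge) }

// NewChallenge is step 305: the first motor vehicle 105 draws a fresh random number, so a
// replayed response from an earlier exchange will not match.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// CheckIdentification covers steps 325 and 330: verify the response against the random number
// with the device's public key. A manipulated random number or response fails here, so at
// worst correct second sensor data are discarded, but an unverified device is never accepted.
func CheckIdentification(pub ed25519.PublicKey, challenge, response []byte) error {
	if !ed25519.Verify(pub, challenge, response) {
		return errors.New("identification of the device could not be checked successfully")
	}
	return nil
}
```

Only when CheckIdentification returns nil does the vehicle proceed to the comparison of step 220 with that device's second sensor data.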
  • LIST OF REFERENCE NUMBERS
    100  system
    105  first motor vehicle
    110  device
    115  first processing device
    120  first sensor
    125  first communication device
    135  second motor vehicle
    140  second sensor
    145  second processing device
    150  second communication device
    160  infrastructure
    162  device
    165  central location
    170  third processing device
    175  third communication device
    180  data storage
    185  communication network
    200  method
    205  sample first sensor
    210  sample second sensor
    215  sample third sensor, verify
    220  compare
    225  determine a trustworthiness of the first sensor data
    300  method
    305  determine random number
    310  transmit
    315  encrypt with private key of the device
    320  transmit
    325  decrypt with public key of the device
    330  compare

Claims (9)

  1. A method (200), the method (200) comprising the steps of: sampling (205) first sensor data from a first sensor (120) aboard a first motor vehicle (105); sampling (210) second sensor data from a second sensor (140) located in the region of the first motor vehicle (105), wherein the second sensor (140) is arranged in a device (162), in particular aboard a second motor vehicle (110) or on an infrastructure (160); comparing (220) the sampled first and second sensor data with each other; and determining (225) that the first sensor data are trustworthy if they correspond to the second sensor data, characterized in that the second sensor data comprise an identification of the device (162) and the comparison is performed only if the identification of the device (162) can be checked successfully.
  2. Method according to Claim 1, wherein the identification is checked by means of an asymmetric cryptographic method.
  3. Method according to Claim 2, wherein a message is generated by the first motor vehicle (105) and transmitted to the device (162); the message is encrypted by the device (162) with a private key of the device (162) and transmitted back to the first motor vehicle (105); and the transmitted message is decrypted by the first motor vehicle (105) with a public key of the device and compared with the original message.
  4. Method according to Claim 3, wherein the public key of the device (162) is obtained from a central location.
  5. Method according to Claim 4, wherein the central location is notified of the success or failure of a check of the identification of the device (162).
  6. Method (200) according to one of the preceding claims, wherein the identification comprises a feature which can be scanned by means of a sensor (120) of the first motor vehicle (105).
  7. Method (200) according to Claim 6, wherein the feature comprises at least one of a color, type, design, equipment or registration number of the device (162).
  8. The method (200) of any one of the preceding claims, wherein the identification comprises a location of the device (162).
  9. The method (200) of any one of the preceding claims, wherein it is determined that the second sensor data are less trustworthy than the first sensor data, and a message about the lack of trustworthiness is sent to the device (162), to another device (162), or to a central location (165).
DE102018207661.8A 2018-05-16 2018-05-16 Verification of sensor data Pending DE102018207661A1 (en)


Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
DE102018207661.8A DE102018207661A1 (en) 2018-05-16 2018-05-16 Verification of sensor data
PCT/EP2019/061491 WO2019219421A1 (en) 2018-05-16 2019-05-06 Verification of sensor data

Publications (1)

Publication Number Publication Date
DE102018207661A1 true DE102018207661A1 (en) 2019-11-21





Legal Events

Date Code Title Description
R012 Request for examination validly filed
R016 Response to examination communication