EP1642185A1 - Method for authenticating, in particular, software components that can be loaded into a control unit of a motor vehicle - Google Patents

Info

Publication number
EP1642185A1
Authority: EP
Grant status: Application
Prior art keywords: authentication, software, terminal, provided, characterized
Legal status: Ceased (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: EP20040740198
Other languages: German (de), French (fr)
Inventors: Burkhard Kuhls, Harry Knechtel, Marco Hofmann
Current assignee: Bayerische Motoren Werke AG (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Bayerische Motoren Werke AG
Priority date: 2003-07-04 (the priority date is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed)
Filing date: 2004-06-22
Publication date: 2006-04-05

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/51 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems at application loading time, e.g. accepting, rejecting, starting or inhibiting executable software based on integrity or source reliability
    • G PHYSICS
    • G06 COMPUTING; CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F 21/31 User authentication
    • G06F 21/33 User authentication using certificates

Abstract

The invention relates to a method for authenticating a software package which is furnished by a software supplier and contains a software component that can be loaded into a terminal. The software component is provided with an authentication appendix, which is verified in order to carry out an authenticity test in the terminal. A superordinate authentication station is provided that performs authenticating measures on the software package in order to increase security. The invention is characterized in that, after successful testing of the software package (13, 14), which is furnished by the software supplier (11, 12) and contains, in addition to the software component (SW, FSC), a first authentication appendix (XZ), the measures carried out by the superordinate authentication station (15, 16) consist in providing the software package (13, 14; 18, 19) with at least one second authentication appendix (IZ) in place of the first authentication appendix (XZ).

Description

Method for authenticating software components that can be loaded, in particular, into a control unit of a motor vehicle

The invention relates to a method for authenticating a software package that is furnished by a software provider and contains a software component loadable into a terminal, where the software component is provided with an authentication appendix that is checked in order to perform an authenticity test in the terminal, and where a superordinate authentication station is provided that performs authenticating measures on the software package in order to increase security.

A method of this kind for providing software for use by a control unit of a vehicle is known, for example, from DE 101 40 721 A1. The basic task of such an authentication method is to ensure that no unauthorised and/or harmful software components are loaded into a software-controlled device. In the automotive field this problem is particularly acute, because modern vehicles are equipped with a large number of software-controlled control units whose correct function is a prerequisite for the safe operation of the vehicle. Loading unauthorised software can therefore constitute a considerable safety risk. In addition, many performance and/or comfort features of modern vehicles are now software-based: vehicles are fitted with hardware suitable for a high performance and/or comfort level, but individual features are only enabled for the customer, possibly against an additional charge, by software. The appropriate software can either be loaded individually into the respective control units, or pre-installed software can be enabled individually, for example by loading so-called activation codes. Unauthorised loading and/or unlocking of software can therefore cause the vehicle manufacturer considerable economic losses if it occurs without payment of the applicable fees. On the other hand, the division of labour in the industrial and social structure requires that many important tasks be outsourced to suppliers, workshops and so on, so that an authentication system is needed which, on the one hand, permits strict control over the installation of software in devices and, on the other hand, allows the flexibility needed for customer-friendly service management.

In the known method, a software signing station, in particular the software manufacturer, signs the software components to be loaded, such as program code and/or activation codes, with a private key of its own, and the software signed in this way is forwarded to a superordinate authentication station, the Trust Center, which is located for example at the vehicle manufacturer. The Trust Center then examines the software provider's signature and "certifies" it. This "certification" takes the form of attaching a Trust Center certificate which, in addition to a signature created with a private key of the Trust Center, preferably contains the public key of the software provider and one or more validity restrictions for the software component.

When the software component is loaded, the Trust Center signature is first examined using a public key of the Trust Center stored in the terminal; then the software provider's signature is checked using the provider's public key transmitted with the package; encrypted areas of the software package are decrypted where applicable; and finally the software component is installed taking into account the validity restrictions given in the Trust Center certificate.

This method has the disadvantage that each terminal must be able to process both the signatures and certificates of the Trust Center and those of the software provider. Given the large number of different terminals from different manufacturers and a similarly wide variety of software providers, this requires considerable complexity in the construction of each terminal, or else a technical tie to particular suppliers, who could thereby secure a de facto supply monopoly by establishing their own standards.

It is therefore an object of the present invention to develop a generic authentication method of this kind in such a way that, without sacrificing security, the flexibility of the overall system is increased and the construction of the individual system components is simplified.

This object is achieved, in conjunction with the features of the preamble of claim 1, in that the measures performed by the superordinate authentication station, after a successful check of the software package furnished by the software provider, which comprises a first authentication appendix in addition to the software component, consist in providing the software package with at least one second authentication appendix in place of the first authentication appendix. This means that the individual terminals are relieved of the task of interpreting and taking into account the authentication appendices of the software provider, e.g. its signatures and/or certificates. Instead of the usual "certification" of the software provider's certificates, signatures etc., these are, according to the invention, replaced by authentication appendices assigned centrally, for example by the Trust Center. The terminals therefore only have to be compatible with the signature and/or certification procedure used by the Trust Center and can accordingly be built more simply than before. At the same time, no security gap is opened, since the central authentication appendix is assigned only after the software provider's authentication appendices have been examined. This also makes it possible to respond at short notice to changes in the authorisation of individual software providers to furnish software.

Note that the terms "replacement" and "in place of" an authentication appendix refer here to a functional replacement. Preferably, but not necessarily, this is accompanied by a physical replacement of the corresponding data in the software package. The object of the invention is, however, also achieved if the overall system is set up so that only the Trust Center's authentication appendix is taken into account when the software component is loaded into the terminal, and the software provider's authentication appendices, already accepted by the Trust Center, are ignored.

As already mentioned, the method of the invention offers the possibility that the examination of the software package by the superordinate authentication station comprises a check of the software provider's current authorisation to furnish software components. In an advantageous development of the method according to the invention, this option is actually implemented.

It is particularly favourable to build the method of the invention on the PKI concept (public key infrastructure). For this purpose it may be provided, for instance, that the first authentication appendix of the software package furnished by the software provider is at least partially encrypted with a private key of the provider and can be decrypted with a public key known to the superordinate authentication station. This corresponds to signing or certification in the known PKI concept. The software provider's public key can be transmitted to the superordinate authentication station as part of a certificate, or made known to it by other means, so that a simple signature by the software provider suffices instead of a certificate.

In consistent continuation of the PKI concept, a further development of the method according to the invention may provide that the at least one second authentication appendix is at least partially encrypted by the superordinate authentication station with a private key of its own and can be decrypted with a public key known in the terminal. Here too, the public key can be communicated as part of a certificate if encryption is used for reasons of confidentiality. Alternatively, the public key can be deposited in an inaccessible memory area of the terminal, that is, kept secret.

The basic idea of the method according to the invention allows a high degree of flexibility. In particular, it is possible to create an authentication hierarchy within the superordinate authentication station. Thus, in an advantageous refinement, it may be provided that the software package is successively provided with several authentication appendices by the superordinate authentication station, wherein an authentication appendix with which the software package was provided at an earlier stage is used to perform an authenticity check before the software package is provided with a subsequent authentication appendix. This permits, for example, a system of signing and "certification", which may have two or more stages, within the superordinate authentication station.

If such a hierarchically structured authentication concept is used, it is advantageous for an authenticity check using several authentication appendices of the superordinate authentication station to be performed when the software component is loaded into the terminal and/or when the software component is executed in the terminal. In other words, the terminal can follow or check the multi-stage authentication step by step, while, as a positive effect of the present invention, only compatibility with the signature and certification procedure of the superordinate authentication station is required.

As mentioned above, there is the possibility that an authentication appendix attached by the superordinate authentication station contains data relating to a restriction of the functionality of the software component concerned. In an advantageous embodiment of the method according to the invention, this option is actually implemented. The functionality or validity restrictions may concern the activation of certain applications and, where applicable, the version status of the respective applications. Furthermore, individualisation to a vehicle (e.g. via the vehicle identification number) or to certain vehicle types, to one or more control units or control unit types (e.g. via a control unit number), to an individual (e.g. via an individualised smart card integrated in the vehicle key) or to a GSM card in the car telephone is possible. Temporal validity restrictions can also be installed; examples are validity limited to a period of time, a number of operating hours, a mileage or, application-specifically, a certain number of function calls. Selective validity restrictions, that is application-specific limitations in the sense of a demo version or a version with reduced functionality, may also be provided. Finally, regional validity restrictions are possible, coupled for example to the current location of a vehicle. Such validity or functionality restrictions are particularly effective if the terminal checks validity not only, or not at all, when the software component is first loaded, but also repeatedly during subsequent operation. Naturally, a Boolean combination of several validity restrictions is also possible.

The software components to be loaded into the terminal may comprise, for example, program code and/or activation codes for program code already installed in the terminal.

The terminal is, as already indicated above, preferably a control unit of a motor vehicle, where the term "control unit" covers control units in the narrow sense intended for controlling certain vehicle components as well as other comfort features such as navigation or information systems.

Further details of the invention emerge from the following detailed description and the accompanying drawing, in which a preferred embodiment of the invention is illustrated by way of example.

In the drawing:

Fig. 1 shows a block diagram of an authentication infrastructure for carrying out the method according to the invention.

Fig. 1 illustrates an infrastructure suitable for carrying out one embodiment of the method according to the invention, in an application for managing software intended in particular for the operation of control units in motor vehicles (FZG). The information channels of methods according to the prior art are shown in dashed lines.

The central point of the infrastructure according to the prior art is the so-called Trust Center (TC) 10, which is typically under the direct control of a vehicle manufacturer. The TC 10 exchanges information with external software providers. These may be, for example, an external software signing station (X-SWSS) 11, which is usually located at an external software manufacturer where software (SW) is produced, for example in the form of program instructions for control units. Fig. 1 also shows the possibility of an external activation code station (X-FSCS) 12, which provides activation codes (FSC) for software that is already installed in a control unit of a vehicle but disabled. The term "software component" as used here in general covers FSC as well as program instructions and other software that can be loaded into a terminal. According to the prior art, the software components of the external providers are signed, for example by creating a signature and/or a certificate. These and similar signing results are generally referred to here as "authentication appendices", since they are meant to allow the origin and integrity of the software so treated to be checked in an authenticity test. In accordance with their origin from an external provider, they are denoted "XZ" in Fig. 1. According to the prior art, the authentication appendices are checked by the TC 10 and, on successful verification, confirmed by appending a further signature and/or a further certificate. The software components thus signed and "certified" are then loaded into a control unit of a vehicle, where both the authentication appendices of the TC 10 and those of the X-SWSS 11 or X-FSCS 12 must be checked, in each case with the specific procedure required for this.

The method according to the invention is shown in Fig. 1 by solid arrows. Here, the X-SWSS 11 or X-FSCS 12 furnish software packages 13 and 14 respectively, consisting of SW or FSC and the authentication appendix XZ, to an internal software signing station (I-SWSS) 15 or an internal activation code station (I-FSCS) 16. The internal stations I-SWSS 15 and I-FSCS 16 are preferably solely under the control of the vehicle manufacturer and in particular form part of a hierarchically structured vehicle trust center TC FZG 17.

The internal stations I-SWSS 15 and I-FSCS 16 now check the authentication appendices XZ of the external stations X-SWSS 11 and X-FSCS 12 and preferably perform a comparison with an internal database in which, in the example, information about the current authorisation of the external stations 11 and 12 to furnish software components is stored. On successful examination, the external authentication appendices XZ are replaced by internal authentication appendices IZ. This is preferably done by physically replacing the corresponding memory contents.

This results in modified software packages 18 and 19, which contain an internal authentication appendix IZ in addition to SW or FSC; this appendix is checked when the software component is loaded into the control unit of the vehicle FZG and/or repeatedly during operation of the control unit. In particular, the internal authentication appendices IZ can also contain information about validity restrictions of the software components.

In this way it is achieved that the control unit used only has to be compatible with the authentication procedure used by the internal stations, rather than, as hitherto, also having to be able to process the authentication procedures used by the external stations.
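The re-signing flow of Fig. 1 (external appendix XZ checked against the provider's current authorisation, then physically replaced by the internal appendix IZ, which the control unit verifies at load time and again during operation) as an added, self-contained example; it is not code from the patent or from BMW. It assumes Ed25519 signatures from Go's standard library for both appendices, and a VIN binding plus mileage limit as the validity restrictions carried in IZ; the package encoding, key material and sample image are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Constraints are validity restrictions carried in the internal appendix IZ; VIN
// binding and a mileage limit are two the patent names (encoding is our assumption).
type Constraints struct {
	VIN        string // "" = not bound to a particular vehicle
	MaxMileage uint32 // 0 = no mileage limit
}

// Package is a software package: the component plus exactly one appendix, XZ or IZ.
type Package struct {
	Component   []byte
	Issuer      string // "X-SWSS:<provider>" for XZ, "I-SWSS" for IZ
	Constraints Constraints
	Signature   []byte
}

// izMessage is what IZ signs: the length-prefixed component together with its
// validity restrictions, so that neither can be altered independently.
func izMessage(p *Package) []byte {
	return []byte(fmt.Sprintf("%d:%s|vin=%s|km=%d", len(p.Component), p.Component, p.Constraints.VIN, p.Constraints.MaxMileage))
}

// ProviderSign is the external station X-SWSS: SW plus first appendix XZ, a signature over SW.
func ProviderSign(provider string, priv ed25519.PrivateKey, sw []byte) *Package {
	return &Package{Component: sw, Issuer: "X-SWSS:" + provider, Signature: ed25519.Sign(priv, sw)}
}

// TrustCenter is the internal station I-SWSS 15 with its database of currently authorised providers.
type TrustCenter struct {
	priv       ed25519.PrivateKey
	Authorised map[string]ed25519.PublicKey
}

// ReSign: check the provider's current authorisation, verify XZ, then overwrite XZ with IZ carrying the chosen restrictions.
func (tc *TrustCenter) ReSign(p *Package, c Constraints) error {
	pub, ok := tc.Authorised[p.Issuer]
	if !ok {
		return errors.New("provider not currently authorised: " + p.Issuer)
	}
	if !ed25519.Verify(pub, p.Component, p.Signature) {
		return errors.New("external appendix XZ does not verify")
	}
	p.Issuer, p.Constraints = "I-SWSS", c
	p.Signature = ed25519.Sign(tc.priv, izMessage(p)) // physical replacement of XZ
	return nil
}

// ECU is the terminal; it stores only the trust centre's public key.
type ECU struct {
	TCPub   ed25519.PublicKey
	VIN     string
	Mileage uint32
}

// CheckValidity is the authenticity test run at load time and repeated during
// operation; a package still carrying XZ instead of IZ is rejected outright.
func (e *ECU) CheckValidity(p *Package) error {
	if p.Issuer != "I-SWSS" || !ed25519.Verify(e.TCPub, izMessage(p), p.Signature) {
		return errors.New("internal appendix IZ missing or invalid")
	}
	c := p.Constraints
	if c.VIN != "" && c.VIN != e.VIN {
		return errors.New("component is bound to a different vehicle")
	}
	if c.MaxMileage != 0 && e.Mileage > c.MaxMileage {
		return errors.New("mileage limit exceeded")
	}
	return nil
}

func main() {
	// Constructed sample keys and image; nothing here comes from a real vehicle.
	provPub, provPriv, _ := ed25519.GenerateKey(rand.Reader)
	tcPub, tcPriv, _ := ed25519.GenerateKey(rand.Reader)
	tc := &TrustCenter{priv: tcPriv, Authorised: map[string]ed25519.PublicKey{"X-SWSS:acme": provPub}}
	pkg := ProviderSign("acme", provPriv, []byte("constructed SW image v1"))
	fmt.Println("trust centre:", tc.ReSign(pkg, Constraints{VIN: "CONSTRUCTED-VIN-1", MaxMileage: 150000})) // <nil>
	ecu := &ECU{TCPub: tcPub, VIN: "CONSTRUCTED-VIN-1", Mileage: 12000}
	fmt.Println("at load:", ecu.CheckValidity(pkg)) // <nil>
	ecu.Mileage = 160000
	fmt.Println("later on:", ecu.CheckValidity(pkg)) // mileage limit exceeded
}
```

The ECU never sees the provider's key: an unauthorised provider, a forged XZ, or a package that skipped the trust centre all fail at the single IZ check.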

Particularly preferably, the method of the invention takes place automatically, in that the software components to be signed/certified are sent online to an internal server which performs the authentication check and distributes the re-signed/re-certified software packages, e.g. to workshops, factories, online centres etc., for transfer into the respective control unit.

Of course, the embodiment described here is merely a special, particularly advantageous embodiment of the present invention. Within the scope of the invention the person skilled in the art has a variety of modification options. In particular, the concrete structure of the internal authentication appendices IZ, their generation, their hierarchical construction where applicable, and their interpretation in a control unit can be the subject of a variety of embodiments.

Claims

1. A method for authenticating a software package furnished by a software provider, which contains a software component loadable into a terminal, the software component being provided with an authentication appendix that is checked in order to perform an authenticity test in the terminal, wherein a superordinate authentication station is provided that performs authenticating measures on the software package in order to increase security, characterised in that the measures performed by the superordinate authentication station (15, 16), after successful testing of the software package (13, 14) furnished by the software provider (11, 12) and comprising a first authentication appendix (XZ) in addition to the software component (SW, FSC), comprise providing the software package (13, 14; 18, 19) with at least one second authentication appendix (IZ) in place of the first authentication appendix (XZ).
2. The method according to any one of the preceding claims, characterised in that the examination of the software package (13, 14) by the superordinate authentication station (15, 16) comprises a check of the current authorisation of the software provider (11, 12) to furnish software components (SW, FSC).
3. The method according to any one of the preceding claims, characterised in that the first authentication appendix (XZ) of the software package (13, 14) furnished by the software provider (11, 12) is at least partially encrypted with a private key of the provider and can be decrypted with a public key known to the superordinate authentication station (15, 16).
4. The method according to any one of the preceding claims, characterised in that the at least one second authentication appendix (IZ) is at least partially encrypted by the superordinate authentication station (15, 16) with a private key of its own and can be decrypted with a public key known in the terminal.
5. The method according to any one of the preceding claims, characterised in that the software package is successively provided with several authentication appendices by the superordinate authentication station, wherein an authentication appendix with which the software package was provided at an earlier stage is used to perform an authenticity check before the software package is provided with a subsequent authentication appendix.
6. The method according to claim 5, characterised in that an authenticity check using several authentication appendices of the superordinate authentication station is performed when the software component is loaded into the terminal and/or when the software component is executed in the terminal.
7. The method according to any one of the preceding claims, characterised in that an authentication appendix (IZ) attached by the superordinate authentication station contains data relating to a restriction of the functionality of the software component (SW, FSC) concerned.
8. The method according to any one of the preceding claims, characterised in that the software components comprise program code (SW) and/or activation codes (FSC) for program code installed in the terminal.
9. The method according to any one of the preceding claims, characterised in that the terminal is a control unit of a motor vehicle.

Priority Applications (3)

Application Number Priority Date Filing Date Title
DE10330439 2003-07-04
DE2003154107 DE10354107A1 (en) 2003-07-04 2003-11-19 A method for authentication of particular loadable into a control unit of a motor vehicle software components
PCT/EP2004/006776 WO2005003936A1 (en) 2003-07-04 2004-06-22 Method for authenticating, in particular, software components that can be loaded into a control unit of a motor vehicle

Publications (1)

Publication Number Publication Date
EP1642185A1 (en) 2006-04-05

Family

ID=33566021

Family Applications (1)

Application Number Title Priority Date Filing Date
EP20040740198 Ceased EP1642185A1 (en) 2003-07-04 2004-06-22 Method for authenticating, in particular, software components that can be loaded into a control unit of a motor vehicle

Country Status (5)

Country Link
US (1) US7748043B2 (en)
EP (1) EP1642185A1 (en)
JP (1) JP2007527044A (en)
KR (1) KR100974419B1 (en)
WO (1) WO2005003936A1 (en)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100574367C (en) 2007-07-18 2009-12-23 中国联合网络通信集团有限公司 Set-top box software updating method and system
US8205217B2 (en) 2007-09-29 2012-06-19 Symantec Corporation Methods and systems for configuring a specific-use computing system limited to executing predetermined and pre-approved application programs
WO2011119137A1 (en) 2010-03-22 2011-09-29 Lrdc Systems, Llc A method of identifying and protecting the integrity of a set of source data
WO2014023349A1 (en) * 2012-08-09 2014-02-13 Technische Universität Dortmund Method for ensuring functional reliability in electromobility by means of digital certificates
JP6197000B2 (en) * 2015-07-03 2017-09-13 Kddi株式会社 System, vehicles and software distribution processing method
DE102016202527A1 (en) 2016-02-18 2017-08-24 Robert Bosch Gmbh Processing unit for a motor vehicle

Family Cites Families (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4685055A (en) * 1985-07-01 1987-08-04 Thomas Richard B Method and system for controlling use of protected software
US4868877A (en) * 1988-02-12 1989-09-19 Fischer Addison M Public key/signature cryptosystem with enhanced digital signature certification
EP0946019A1 (en) 1998-03-25 1999-09-29 CANAL+ Société Anonyme Authentification of data in a digital transmission system
DE10008974B4 (en) * 2000-02-25 2005-12-29 Bayerische Motoren Werke Ag signature methods
DE10008973B4 (en) * 2000-02-25 2004-10-07 Bayerische Motoren Werke Ag Authorization procedure with certificate
JP3971890B2 (en) * 2000-11-01 2007-09-05 日本電信電話株式会社 Signature verification support apparatus, signature verification support method, and an electronic signature verification method
WO2002065696A1 (en) 2001-02-14 2002-08-22 Gatespace Ab A security architecture
DE10131394A1 (en) 2001-06-28 2003-02-06 Daimler Chrysler Ag A method for transferring software modules
DE10141737C1 (en) * 2001-08-25 2003-04-03 Daimler Chrysler Ag Secure communication method for use in vehicle has new or updated programs provided with digital signature allowing checking by external trust centre for detection of false programs
DE10140721A1 (en) * 2001-08-27 2003-03-20 Bayerische Motoren Werke Ag A method of providing software for use by a control device of a vehicle

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
See references of WO2005003936A1 *

Also Published As

Publication number Publication date Type
WO2005003936A1 (en) 2005-01-13 application
KR20060034273A (en) 2006-04-21 application
JP2007527044A (en) 2007-09-20 application
US7748043B2 (en) 2010-06-29 grant
KR100974419B1 (en) 2010-08-05 grant
US20060143474A1 (en) 2006-06-29 application

Similar Documents

Publication Publication Date Title
US6968060B1 (en) Method for verifying the use of public keys generated by an on-board system
Hoffman et al. Trust beyond security: an expanded trust model
US20130212659A1 (en) Trusted connected vehicle systems and methods
US20080005577A1 (en) Subsidy lock enabled handset device with asymmetric verification unlocking control and method thereof
US20050166051A1 (en) System and method for certification of a secure platform
US20030005317A1 (en) Method and system for generating and verifying a key protection certificate
US20070074033A1 (en) Account management in a system and method for providing code signing services
US20100031025A1 (en) Method and system to authorize and assign digital certificates without loss of privacy, and/or to enhance privacy key selection
US20030163685A1 (en) Method and system to allow performance of permitted activity with respect to a device
EP1770586A1 (en) Account management in a system and method for providing code signing services
US20020023223A1 (en) Authorization process using a certificate
US20080082828A1 (en) Circuit arrangement and method for starting up a circuit arrangement
US20040172542A1 (en) Application authentication system, secure device, and terminal device
US20020194479A1 (en) Method of protecting a microcomputer system against manipulation of data stored in a storage assembly of the microcomputer system
JP2003223235A (en) Application authentication system
US20020038290A1 (en) Digital notary system and method
US20050187674A1 (en) Program distribution system, program distribution device, and in-vehicle gateway device
US7797545B2 (en) System and method for registering entities for code signing services
WO2002086684A2 (en) An information security system
US20030086571A1 (en) System and method for generating symmetric keys within a personal security device having minimal trust relationships
US7010682B2 (en) Method and system for vehicle authentication of a component
US20030059049A1 (en) Method and apparatus for secure mobile transaction
US7131005B2 (en) Method and system for component authentication of a vehicle
US20080114982A1 (en) Method and arrangement for generation of a secret session key
JP2007233705A (en) Token transfer method, token transfer system, and authority authentication permission server

Legal Events

Date Code Title Description
AK Designated contracting states:

Kind code of ref document: A1

Designated state(s): DE ES FR GB IT SE

17P Request for examination filed

Effective date: 20051215

DAX Request for extension of the european patent (to any country) deleted
RBV Designated contracting states (correction):

Designated state(s): DE ES FR GB IT SE

REG Reference to a national code

Ref country code: DE

Ref legal event code: R003

18R Refused

Effective date: 20110728