EP1642185A1 - Method for authenticating software components loadable in particular into a control unit of a motor vehicle (original title: Procede d'authentification de composantes de logiciel pouvant etre notamment chargees dans un appareil de commande d'automobile) - Google Patents
Info
- Publication number
- EP1642185A1 (application EP04740198A)
- Authority
- EP
- European Patent Office
- Prior art keywords
- authentication
- software
- terminal
- software package
- attachment
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Ceased
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/51—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems at application loading time, e.g. accepting, rejecting, starting or inhibiting executable software based on integrity or source reliability
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/31—User authentication
- G06F21/33—User authentication using certificates
Definitions
- The invention relates to a method for authenticating a software package provided by a software provider. The package contains a software component that can be loaded into a terminal and carries an authentication attachment, which is checked when an authenticity check is carried out in the terminal. To increase security, a higher-level authentication point is provided, which carries out authenticating measures on the software package.
- Such a method is known, for example, from DE 101 40 721 A1 for the provision of software for use by a control unit of a vehicle.
- The basic task of such authentication methods is to ensure that no unauthorized and/or harmful software components are loaded into a software-controlled end device.
- This problem is particularly acute in the motor vehicle sector, since modern motor vehicles are equipped with a large number of software-controlled control devices whose correct function is a prerequisite for the safe operation of the vehicle. Loading unauthorized software can pose a significant security risk.
- Many of the performance and/or comfort features of modern motor vehicles are software-based today. Vehicles are equipped with hardware capable of a high level of performance and/or comfort, but these features are enabled individually by software, where required, at the customer's request.
- The corresponding software can either be loaded individually into the corresponding control units, or pre-installed software can be activated individually, for example by loading so-called activation codes. Unauthorized loading and/or activation of software can cause considerable economic losses for vehicle manufacturers if it is done without paying the intended fees.
- An industrial and social structure based on the division of labor requires many essential tasks to be outsourced to suppliers, workshops, etc. An authentication system is therefore required that, on the one hand, maintains strict control over the installation of software in end devices but, on the other hand, allows the flexibility needed for customer-friendly service management.
- In the known method, a software signature point, in particular the software manufacturer, signs the software components to be loaded (e.g. program code and/or activation codes) with its private key, and the software thus signed is forwarded to a higher-level authentication point, the so-called trust center, located for example at the vehicle manufacturer.
- The trust center then checks the signature of the software provider and "authenticates" it.
- This "authentication" takes the form of attaching a trust center certificate which, in addition to a signature created with a private key of the trust center, preferably contains the public key of the software provider and one or more validity restrictions for the software component.
- In the terminal, the trust center signature is first checked using a public key of the trust center stored in the terminal; then the software provider's signature is checked with the help of the transmitted public key of the software provider; encrypted areas of the software package are decrypted if necessary; and finally the software component is installed, taking into account the validity restrictions transmitted with the trust center certificate.
- According to the invention, the measures carried out by the higher-level authentication point consist in providing the software package, after successful verification of the package supplied by the software provider (which comprises the software component and a first authentication attachment), with at least one second authentication attachment in place of the first authentication attachment.
- The end devices are thus relieved of the task of interpreting and taking into account the authentication attachments (e.g. signatures and/or certificates) of the software provider.
- Instead of the "authentication" of the software providers' attachments customary up to now, these attachments are, according to the invention, replaced by authentication attachments issued centrally, for example by the trust center.
- The end devices therefore only have to support the signature and/or certification procedures used by the trust center and can be correspondingly simpler than before. At the same time no security gap arises, since the central authentication attachment is only assigned after the software providers' authentication attachments have been checked. This also makes it possible to respond at short notice to changes in the authorization of individual software providers to provide software.
- The terms "replace" and "in place of" an authentication attachment refer to a functional replacement. Preferably, but not necessarily, this is also accompanied by a physical replacement of the corresponding data in the software package.
- The object of the invention is also achieved in that the overall system is set up such that, when the software component is loaded into the terminal, only the authentication attachments of the trust center are taken into account and the authentication attachments of the software provider, which have already been checked by the trust center, are ignored.
- The method according to the invention offers the possibility that the check of the software package by the higher-level authentication point includes a check of the software provider's current authorization to provide software components. In an advantageous development of the method, this option is actually implemented.
- The method according to the invention is preferably based on the PKI concept (public key infrastructure).
- The first authentication attachment of the software package provided by the software provider is at least partially encrypted with a private key of the software provider and can be decrypted with a public key known to the higher-level authentication point.
- The public key of the software provider can be transmitted to the higher-level authentication point as part of a certificate or made known to it in another way, in which case a simple signature of the software provider suffices instead of a certificate.
- The at least one second authentication attachment can be at least partially encrypted by the higher-level authentication point with a private key of that point and decrypted with a public key known in the terminal. This public key can be transmitted as part of a certificate.
- The basic idea of the method according to the invention allows a high degree of flexibility.
- It can be provided, for example, that the software package is successively provided with several authentication attachments by the higher-level authentication point, an authentication attachment with which the package was provided at an earlier point in time being used for an authenticity check before the package is provided with a subsequent authentication attachment. This allows, for example, a system of signing and "authentication" of two or more stages within the higher-level authentication point.
- An authentication attachment attached by the higher-level authentication point can contain data relating to a restriction of the functionality of the software component concerned; in an advantageous development of the method, this option is actually implemented.
- The functionality or validity restrictions can relate to the activation of certain applications and, if applicable, to version states of the respective applications.
- Individualization to the vehicle (e.g. via the chassis number) or to certain vehicle types, to one or more control units or control unit types (e.g. via a control unit number), or to individual persons (e.g. via an individualized chip card integrated in the vehicle key, or via a GSM card in the car phone) is possible.
- Temporal validity restrictions can also be implemented.
- The software components to be loaded into the terminal can contain, for example, program code and/or activation codes for program code already installed in the terminal.
- The terminal is preferably a control device of a motor vehicle, the term "control device" covering both control devices in the narrower sense, for controlling certain vehicle components, and further comfort equipment such as navigation or information systems.
- FIG. 1 shows a block diagram of an authentication infrastructure for performing the method according to the invention.
- FIG. 1 shows an infrastructure suitable for carrying out an embodiment of the method according to the invention in an application for the management of software intended in particular for the operation of control units in motor vehicles (FZG).
- The central point of the infrastructure is the so-called Trust Center (TC) 10, which is usually under the direct control of a vehicle manufacturer.
- The TC 10 exchanges information with external software providers.
- These can be, for example, external software signature points (X-SWSS) 11, usually located at an external software manufacturer that generates software (SW), for example in the form of program instructions for control units.
- FIG. 1 also shows the possibility of an external activation code point (X-FSCS) 12, via which activation codes (FSC) are provided for software that is already installed in a control unit of a vehicle but is deactivated.
- The general term "software component" used here covers both FSC and program instructions as well as further software that can be loaded into a terminal.
- The software components are signed by the external providers, for example by generating a signature and/or a certificate.
- These and similar signing results are generally referred to here as "authentication attachments", since they allow the origin and integrity of the software so treated to be checked during an authenticity check. Because they originate from an external provider, they are labeled "XZ" in FIG. 1.
- According to the prior art, the authentication attachments are checked by the TC 10 and, if the check is successful, confirmed by attaching a further signature and/or a further certificate.
- Software components signed and "authenticated" in this way are then loaded into a control unit of a vehicle, where both the authentication attachments of the TC 10 and those of the X-SWSS 11 or X-FSCS 12 have to be checked, each using the method specifically required for it.
- In the infrastructure of FIG. 1, X-SWSS 11 and X-FSCS 12 deliver software packages 13 and 14, each consisting of SW or FSC plus an authentication attachment XZ, to an internal software signature point (I-SWSS) 15 or an internal activation code point (I-FSCS) 16.
- The internal points I-SWSS 15 and I-FSCS 16 are preferably under the sole control of the vehicle manufacturer and are in particular part of a hierarchically structured vehicle trust center FZG-TC 17.
- The internal points I-SWSS 15 and I-FSCS 16 now check the authentication attachments XZ of the external points X-SWSS 11 and X-FSCS 12 and preferably compare them against an internal database in which, for example, information about the current authorization of the external points 11 and 12 to provide software components is stored. If the check is successful, the external authentication attachments XZ are replaced by internal authentication attachments IZ. This is preferably done by physically replacing the corresponding memory contents.
- The result is modified software packages 18 and 19 which, in addition to SW or FSC, contain an internal authentication attachment IZ; this is checked when the software component is loaded into the control unit of the vehicle FZG and/or repeatedly during operation of the control unit.
- The internal authentication attachments IZ can additionally contain information about validity restrictions of the software components.
- The control device used therefore only has to be compatible with the authentication methods of the internal points, instead of having to process the authentication methods of the external points as before.
- The method according to the invention particularly preferably runs automatically: the software components to be signed/certified are sent online to an internal server, which carries out the authentication check and distributes the re-signed/re-certified software packages further, e.g. to workshops, production sites, online centers etc., for transfer to the control devices intended for them.
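The provider / trust center / control unit flow described in the definitions above, as an added example that is not part of the patent and not code from any of the assignees. It assumes Ed25519 signatures (the patent names no algorithm), the issuer labels "X-SWSS-1" and "I-SWSS", a length-prefixed component followed by JSON-encoded restrictions as the body the trust center signs, and constructed identifiers (the VIN values, "ECU-42" and the activation code text). The trust center's provider table with an `Authorized` flag stands in for the internal authorization database; the control unit holds only the trust center's public key, so a package that still carries just the provider's attachment XZ is rejected without any provider key ever reaching the vehicle.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Attachment is an authentication attachment: issuing body ("X-SWSS-1" external provider, "I-SWSS" trust center) and signature.
type Attachment struct{ Issuer string; Sig []byte }

// Restrictions are the validity limits the trust center binds to a component: one vehicle, one ECU, a time limit.
type Restrictions struct{ VIN, ECUNumber string; NotAfter time.Time }

// Package is a software component with exactly one attachment; Restrictions stays nil until IZ is attached.
type Package struct{ Component []byte; Restrictions *Restrictions; Attachment Attachment }

// ProviderSign produces the external attachment XZ: the provider signs the raw component.
func ProviderSign(priv ed25519.PrivateKey, providerID string, component []byte) Package {
	return Package{Component: component, Attachment: Attachment{providerID, ed25519.Sign(priv, component)}}
}

// tcSignedBody is what the trust center signs: length-prefixed component then the restrictions, so the limits cannot be detached or swapped.
func tcSignedBody(component []byte, r Restrictions) []byte {
	body := make([]byte, 8)
	binary.BigEndian.PutUint64(body, uint64(len(component)))
	rj, _ := json.Marshal(r) // fixed struct field order: signer and verifier build identical bytes
	return append(append(body, component...), rj...)
}

// ProviderRecord is the trust center's database entry for an external body; clearing Authorized withdraws it without touching any vehicle.
type ProviderRecord struct{ Pub ed25519.PublicKey; Authorized bool }

// TrustCenter holds its own signing key and the provider database (constructed stand-in for the internal database).
type TrustCenter struct{ priv ed25519.PrivateKey; providers map[string]ProviderRecord }

// Authenticate checks XZ against the provider's registered key and current authorization, then replaces XZ with IZ, which also binds the restrictions.
func (tc *TrustCenter) Authenticate(p Package, r Restrictions) (Package, error) {
	rec, ok := tc.providers[p.Attachment.Issuer]
	if !ok || !rec.Authorized {
		return Package{}, fmt.Errorf("provider %q not currently authorized", p.Attachment.Issuer)
	}
	if !ed25519.Verify(rec.Pub, p.Component, p.Attachment.Sig) {
		return Package{}, errors.New("provider signature invalid")
	}
	iz := Attachment{"I-SWSS", ed25519.Sign(tc.priv, tcSignedBody(p.Component, r))}
	return Package{Component: p.Component, Restrictions: &r, Attachment: iz}, nil
}

// ECU holds only the trust center's public key plus its own identity; it knows no provider keys.
type ECU struct{ TCPub ed25519.PublicKey; VIN, Number string }

// Load is the terminal-side check: only IZ is accepted and verified with the single key the ECU holds, then the bound limits are enforced.
func (e ECU) Load(p Package, now time.Time) error {
	r := p.Restrictions
	switch {
	case p.Attachment.Issuer != "I-SWSS" || r == nil:
		return errors.New("no trust-center attachment")
	case !ed25519.Verify(e.TCPub, tcSignedBody(p.Component, *r), p.Attachment.Sig):
		return errors.New("trust-center signature invalid")
	case r.VIN != e.VIN || r.ECUNumber != e.Number:
		return errors.New("component not released for this vehicle/ECU")
	case now.After(r.NotAfter):
		return errors.New("validity period expired")
	}
	return nil
}

// Verdicts collects the decisions for the cases Demo exercises (nil means accepted).
type Verdicts struct{ Genuine, ProviderOnly, WrongVehicle, Revoked error }

// Demo builds the infrastructure with freshly generated keys and constructed identifiers and runs the flow end to end.
func Demo() Verdicts {
	provPub, provPriv, _ := ed25519.GenerateKey(rand.Reader)
	tcPub, tcPriv, _ := ed25519.GenerateKey(rand.Reader)
	tc := &TrustCenter{tcPriv, map[string]ProviderRecord{"X-SWSS-1": {provPub, true}}}
	ecu := ECU{tcPub, "VIN-CONSTRUCTED-0001", "ECU-42"}
	other := ECU{tcPub, "VIN-CONSTRUCTED-0002", "ECU-42"}
	now := time.Date(2004, 6, 22, 0, 0, 0, 0, time.UTC)
	pkg := ProviderSign(provPriv, "X-SWSS-1", []byte("FSC: enable navigation v2")) // constructed activation code
	r := Restrictions{ecu.VIN, ecu.Number, now.Add(24 * time.Hour)}
	signed, err := tc.Authenticate(pkg, r)
	if err != nil {
		return Verdicts{Genuine: err}
	}
	v := Verdicts{Genuine: ecu.Load(signed, now), ProviderOnly: ecu.Load(pkg, now), WrongVehicle: other.Load(signed, now)}
	tc.providers["X-SWSS-1"] = ProviderRecord{provPub, false} // withdrawing authorization is a database change only
	_, v.Revoked = tc.Authenticate(pkg, r)
	return v
}

func main() {
	v := Demo()
	fmt.Printf("genuine: %v\nprovider-only: %v\nwrong vehicle: %v\nrevoked: %v\n", v.Genuine, v.ProviderOnly, v.WrongVehicle, v.Revoked)
}
```

Run with `go run`: the genuine package is accepted, the provider-only package and the package individualized to another vehicle are rejected by the control unit, and once the provider's authorization flag is cleared the trust center refuses to issue IZ at all, which is the short-notice withdrawal the definitions describe.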
Applications Claiming Priority (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
DE10330439 | 2003-07-04 | ||
DE10354107A DE10354107A1 (de) | 2003-07-04 | 2003-11-19 | Verfahren zur Authentifikation von insbesondere in ein Steuergerät eines Kraftfahrzeugs ladbaren Softwarekomponenten |
PCT/EP2004/006776 WO2005003936A1 (fr) | 2003-07-04 | 2004-06-22 | Procede d'authentification de composantes de logiciel pouvant etre notamment chargees dans un appareil de commande d'automobile |
Publications (1)
Publication Number | Publication Date |
---|---|
EP1642185A1 true EP1642185A1 (fr) | 2006-04-05 |
Family
ID=33566021
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
EP04740198A Ceased EP1642185A1 (fr) | 2003-07-04 | 2004-06-22 | Procede d'authentification de composantes de logiciel pouvant etre notamment chargees dans un appareil de commande d'automobile |
Country Status (5)
Country | Link |
---|---|
US (1) | US7748043B2 (fr) |
EP (1) | EP1642185A1 (fr) |
JP (1) | JP2007527044A (fr) |
KR (1) | KR100974419B1 (fr) |
WO (1) | WO2005003936A1 (fr) |
Families Citing this family (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8205217B2 (en) * | 2007-09-29 | 2012-06-19 | Symantec Corporation | Methods and systems for configuring a specific-use computing system limited to executing predetermined and pre-approved application programs |
US8769373B2 (en) | 2010-03-22 | 2014-07-01 | Cleon L. Rogers, JR. | Method of identifying and protecting the integrity of a set of source data |
US10017067B2 (en) * | 2012-08-09 | 2018-07-10 | Technische Universitat Dortmund | Method for ensuring functional reliability in electromobility by means of digital certificates |
JP6197000B2 (ja) * | 2015-07-03 | 2017-09-13 | Kddi株式会社 | システム、車両及びソフトウェア配布処理方法 |
DE102016202527A1 (de) | 2016-02-18 | 2017-08-24 | Robert Bosch Gmbh | Recheneinheit für ein Kraftfahrzeug |
JP6440334B2 (ja) * | 2017-08-18 | 2018-12-19 | Kddi株式会社 | システム、車両及びソフトウェア配布処理方法 |
DE102018003281B4 (de) | 2018-04-23 | 2019-12-05 | Daimler Ag | Fahrzeugbetriebssystem |
Family Cites Families (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US4685055A (en) * | 1985-07-01 | 1987-08-04 | Thomas Richard B | Method and system for controlling use of protected software |
US4868877A (en) * | 1988-02-12 | 1989-09-19 | Fischer Addison M | Public key/signature cryptosystem with enhanced digital signature certification |
EP0946019A1 (fr) | 1998-03-25 | 1999-09-29 | CANAL+ Société Anonyme | Authentification des données dans un système de transmission numérique |
DE10008974B4 (de) * | 2000-02-25 | 2005-12-29 | Bayerische Motoren Werke Ag | Signaturverfahren |
DE10008973B4 (de) | 2000-02-25 | 2004-10-07 | Bayerische Motoren Werke Ag | Autorisierungsverfahren mit Zertifikat |
JP3971890B2 (ja) * | 2000-11-01 | 2007-09-05 | 日本電信電話株式会社 | 署名検証支援装置、署名検証支援方法、及び電子署名検証方法 |
SE0100474D0 (sv) | 2001-02-14 | 2001-02-14 | Ericsson Telefon Ab L M | A security architecture |
DE10131394A1 (de) | 2001-06-28 | 2003-02-06 | Daimler Chrysler Ag | Verfahren zum Übertragen von Software-Modulen |
DE10141737C1 (de) * | 2001-08-25 | 2003-04-03 | Daimler Chrysler Ag | Verfahren zur sicheren Datenübertragung innerhalb eines Verkehrsmittels |
DE10140721A1 (de) * | 2001-08-27 | 2003-03-20 | Bayerische Motoren Werke Ag | Verfahren zur Bereitstellung von Software zur Verwendung durch ein Steuergerät eines Fahrzeugs |
Events
2004
- 2004-06-22 JP JP2006518025A patent/JP2007527044A/ja active Pending
- 2004-06-22 KR KR1020067000204A patent/KR100974419B1/ko active IP Right Grant
- 2004-06-22 WO PCT/EP2004/006776 patent/WO2005003936A1/fr active Application Filing
- 2004-06-22 EP EP04740198A patent/EP1642185A1/fr not_active Ceased
2006
- 2006-01-04 US US11/324,219 patent/US7748043B2/en active Active
Non-Patent Citations (1)
Title |
---|
See references of WO2005003936A1 * |
Also Published As
Publication number | Publication date |
---|---|
WO2005003936A1 (fr) | 2005-01-13 |
KR20060034273A (ko) | 2006-04-21 |
US7748043B2 (en) | 2010-06-29 |
US20060143474A1 (en) | 2006-06-29 |
JP2007527044A (ja) | 2007-09-20 |
KR100974419B1 (ko) | 2010-08-05 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
EP2689553B1 (fr) | Appareil de commande pour véhicule automobile avec dispositif cryptographique | |
DE102012110499B4 (de) | Sicherheitszugangsverfahren für elektronische Automobil-Steuergeräte | |
DE10008973B4 (de) | Autorisierungsverfahren mit Zertifikat | |
EP1959606B1 (fr) | Unité de protection | |
DE102007022100B4 (de) | Kraftfahrzeugsteuergerätedatenübertragungssystem und -verfahren | |
EP1999725A1 (fr) | Procédé de protection d'un bien mobile, notamment d'un véhicule, contre toute utilisation non autorisée | |
WO2019034509A1 (fr) | Procédé de remplacement sécurisé d'un premier certificat de fabricant déjà introduit dans un appareil | |
WO2019175006A1 (fr) | Procédé pour échanger des données avec un appareil de commande de véhicule | |
EP1741019A1 (fr) | Authentification d'appareils de commande dans un vehicule | |
EP1185026A2 (fr) | Procédé de transmission de données | |
WO2005003936A1 (fr) | Procede d'authentification de composantes de logiciel pouvant etre notamment chargees dans un appareil de commande d'automobile | |
DE102010021257A1 (de) | Steckverbindungssystem zum geschützten Aubau einer Netzwerkverbindung | |
DE102011002713A1 (de) | Verfahren und Vorrichtung zum Bereitstellen von kyptographischen Credentials für Steuergeräte eines Fahrzeugs | |
DE102007051440A1 (de) | Verfahren und Vorrichtung zur Freischaltung von Software in einem Kraftfahrzeug | |
DE10354107A1 (de) | Verfahren zur Authentifikation von insbesondere in ein Steuergerät eines Kraftfahrzeugs ladbaren Softwarekomponenten | |
EP3078769A1 (fr) | Procede de validation de fonctions de machine dans un metier a tisser | |
WO2005025128A1 (fr) | Procede pour signer une quantite de donnees dans un systeme a cle publique et systeme de traitement de donnees pour la mise en oeuvre dudit procede | |
EP1455312B1 (fr) | Procédé et dispositif pour la maintenance de code de programmation de sécurité d'un vehicule | |
DE102009053230A1 (de) | Verfahren zur Autorisierung eines externen Systems auf einem Steuergerät eines Fahrzeugs, insbesondere eines Kraftfahrzeugs | |
DE102004021145A1 (de) | Verfahren und System zum drahtlosen Übertragen von Daten zwischen einer Datenverarbeitungseinrichtung eines Fahrzeugs und einer lokalen externen Datenverarbeitungseinrichtung | |
EP3693233B1 (fr) | Mode de sécurité en cas de calculateurs moteur remplacés | |
DE102018209757B3 (de) | Schutz einer Fahrzeugkomponente | |
DE102004064292B3 (de) | Verfahren und System zum drahtlosen Übertragen von Daten zwischen einer Datenverarbeitungseinrichtung eines Fahrzeugs und einer lokalen externen Datenverarbeitungseinrichtung | |
DE102015222099A1 (de) | Verfahren und Steuergerät zum koordinierten Aktualisieren eines einfachen Moduls mit differentiellen Aktualisierungsdaten | |
DE102015015468A1 (de) | Verfahren zum Ausführen einer sicherheitskritischen Funktion in einem Fahrzeug |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | PUAI | Public reference made under article 153(3) epc to a published international application that has entered the european phase | Free format text: ORIGINAL CODE: 0009012 |
 | 17P | Request for examination filed | Effective date: 20051215 |
 | AK | Designated contracting states | Kind code of ref document: A1 Designated state(s): DE ES FR GB IT SE |
 | DAX | Request for extension of the european patent (deleted) | |
 | RBV | Designated contracting states (corrected) | Designated state(s): DE ES FR GB IT SE |
 | APBN | Date of receipt of notice of appeal recorded | Free format text: ORIGINAL CODE: EPIDOSNNOA2E |
 | APBR | Date of receipt of statement of grounds of appeal recorded | Free format text: ORIGINAL CODE: EPIDOSNNOA3E |
 | APAF | Appeal reference modified | Free format text: ORIGINAL CODE: EPIDOSCREFNE |
 | APAF | Appeal reference modified | Free format text: ORIGINAL CODE: EPIDOSCREFNE |
 | REG | Reference to a national code | Ref country code: DE Ref legal event code: R003 |
 | APBT | Appeal procedure closed | Free format text: ORIGINAL CODE: EPIDOSNNOA9E |
 | STAA | Information on the status of an ep patent application or granted ep patent | Free format text: STATUS: THE APPLICATION HAS BEEN REFUSED |
 | 18R | Application refused | Effective date: 20110728 |