EP3544877A1 - Data entry into an on-board computer of a train - Google Patents

Data entry into an on-board computer of a train

Info

Publication number
EP3544877A1
Authority
EP
European Patent Office
Prior art keywords
data
train
computer
physical token
token
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
EP17798134.7A
Other languages
German (de)
English (en)
Inventor
Peter Parker
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Siemens Mobility Ltd
Original Assignee
Siemens Rail Automation Holdings Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Siemens Rail Automation Holdings Ltd

Classifications

    • B PERFORMING OPERATIONS; TRANSPORTING
    • B61 RAILWAYS
    • B61L GUIDING RAILWAY TRAFFIC; ENSURING THE SAFETY OF RAILWAY TRAFFIC
    • B61L15/00 Indicators provided on the vehicle or train for signalling purposes
    • B61L15/0018 Communication with or on the vehicle or train
    • B PERFORMING OPERATIONS; TRANSPORTING
    • B60 VEHICLES IN GENERAL
    • B60R VEHICLES, VEHICLE FITTINGS, OR VEHICLE PARTS, NOT OTHERWISE PROVIDED FOR
    • B60R25/00 Fittings or systems for preventing or indicating unauthorised use or theft of vehicles
    • B60R25/20 Means to switch the anti-theft system on or off
    • B60R25/2018 Central base unlocks or authorises unlocking
    • B PERFORMING OPERATIONS; TRANSPORTING
    • B61 RAILWAYS
    • B61L GUIDING RAILWAY TRAFFIC; ENSURING THE SAFETY OF RAILWAY TRAFFIC
    • B61L15/00 Indicators provided on the vehicle or train for signalling purposes
    • B61L15/0018 Communication with or on the vehicle or train
    • B61L15/0027 Radio-based, e.g. using GSM-R
    • B PERFORMING OPERATIONS; TRANSPORTING
    • B61 RAILWAYS
    • B61L GUIDING RAILWAY TRAFFIC; ENSURING THE SAFETY OF RAILWAY TRAFFIC
    • B61L15/00 Indicators provided on the vehicle or train for signalling purposes
    • B61L15/0072 On-board train data handling
    • B PERFORMING OPERATIONS; TRANSPORTING
    • B61 RAILWAYS
    • B61L GUIDING RAILWAY TRAFFIC; ENSURING THE SAFETY OF RAILWAY TRAFFIC
    • B61L27/00 Central railway traffic control systems; Trackside control; Communication systems specially adapted therefor
    • B61L27/40 Handling position reports or trackside vehicle data
    • B PERFORMING OPERATIONS; TRANSPORTING
    • B61 RAILWAYS
    • B61L GUIDING RAILWAY TRAFFIC; ENSURING THE SAFETY OF RAILWAY TRAFFIC
    • B61L27/00 Central railway traffic control systems; Trackside control; Communication systems specially adapted therefor
    • B61L27/70 Details of trackside communication
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/32 User authentication using biometric data, e.g. fingerprints, iris scans or voiceprints
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/34 User authentication involving the use of external additional devices, e.g. dongles or smart cards
    • G06F21/35 User authentication involving the use of external additional devices, e.g. dongles or smart cards communicating wirelessly

Definitions

  • the present disclosure relates generally to train control systems and, in particular, to the input of data into an on-board computer of such train control systems.
  • Train control systems typically include train-borne equipment (also often referred to as on-board equipment) that supervises train drivers.
  • the on-board equipment comprises an ETCS Onboard Unit (OBU) that processes the received data, displays it to the train driver and automatically halts the train before a danger point in the case of danger.
  • the received data includes data that is entered manually by the train driver before the start of the journey as part of a so-called "Start of Mission" procedure, using a driver-machine interface (DMI) installed in the cab of the train.
  • a system comprising: a server computer; a client computer; and a physical token, which is assigned to a train driver, wherein the server computer is configured to store data that is to be provided to an on-board computer of a train in order to allow the train to start its movement along a track, and to transmit the data to the client computer, the client computer is configured to display the data, the physical token is configured to store cryptographic data, and, when the physical token is presented by the train driver to a token interface at the client computer, to use the cryptographic data to perform a cryptographic operation to authenticate the train driver, and at least one of the server computer and the client computer is configured to transmit, via a wireless transmitter, the data to the on-board computer, in response to acceptance of the data by the train driver that includes the authentication of the train driver based on the cryptographic operation performed by the physical token.
  • the system can reduce the amount of data entered manually and thus help to avoid mistakes associated with manual data entry. Furthermore, transmitting the data when accepted by an authorised train driver can ensure security of the data. This can be of particular benefit when the data includes train data defining characteristics of the train that are used to supervise the movement of the train. Moreover, transmitting the data to the on-board computer in advance can reduce the time to start the journey.
  • the cryptographic operation is performed in accordance with a Public Key Infrastructure, PKI, based protocol that uses asymmetric cryptography.
  • other user authentication protocols such as Kerberos, which uses symmetric key cryptography, could be used instead.
  • the acceptance of the data by the train driver includes multi-factor authentication (e.g., two-factor authentication) of the train driver.
  • the multi-factor authentication includes the authentication of the train driver based on the cryptographic operation performed by the physical token (i.e., authentication based on an ownership factor), and authentication of the train driver based on at least one of a knowledge factor and an inherence factor.
  • a knowledge factor is something that the train driver knows, such as a personal identification number (PIN).
  • PIN authentication can be based on verification of a PIN entered by the train driver on an input device at the client terminal.
  • An inherence factor is something that the train driver is or does, such as a biometric identifier.
  • biometric authentication of the train driver can be based on a comparison between a biometric identifier of the train driver obtained by a sensor at the client computer and a reference biometric identifier of the train driver.
  • the reference biometric identifier of the train driver can be stored on the physical token.
  • the comparison can be performed by the physical token.
  • the physical token can store at least one of a qualification and a certification of the train driver. This can enable the system to check that the train driver meets one or more criteria pertaining to the data, thereby ensuring that the train driver is suitably trained for the intended movement of the train along the track.
  • the physical token is configured to receive, via the token interface, the data from the client computer. This can allow verification of whether the wirelessly transmitted data has been correctly received by the on-board computer. For example, when the physical token is presented by the train driver to an on-board token interface at the on-board computer, the on-board computer can compare the wirelessly transmitted data to the data stored on the physical token. Furthermore, it can provide a positive correlation of driver to train to ETCS mission. The transmission of the data to the physical token can be in response to the aforementioned acceptance of the data by the train driver, or it can be a separate process.
  • the physical token is configured to receive, via an on-board token interface connected to or integrated with the on-board computer, data from the onboard computer when the train has completed its movement along the track.
  • the physical token can be configured to transmit, when the physical token is presented by the train driver to the token interface at the client computer or another token interface at another client terminal, the data received from the on-board computer.
  • the data can be checked against data received by the system from the onboard computer independent of the physical token.
  • the data transmitted to the system can serve as a positive recording of driver compliance issues such as, for example, Signal Passed at Danger (SPAD) under ERTMS/ETCS Level NTC (train equipped with ERTMS/ETCS operating on a line equipped with a national system).
  • Either or both of the processes can be performed upon acceptance by the train driver, in a similar manner as described above, which is to say by authentication of the train driver by cryptographic operation and, optionally, biometric authentication.
  • a client computer comprising: a processor; a network interface configured to enable the client computer to communicate over a network; and memory that stores instructions which, when executed by the processor, cause the client computer to: receive, from a server computer, data that is to be provided to an on-board computer of a train in order to allow the train to start its movement along a track, facilitate performance of a cryptographic operation, by a physical token that stores cryptographic data, to authenticate a train driver to whom the physical token is assigned, when the physical token is presented by the train driver to a token interface connected to or integrated with the client computer, and transmit the data to the on-board computer via a wireless transmitter, in response to acceptance of the data by the train driver that includes authentication of the train driver based on the cryptographic operation performed by the physical token.
  • a physical token comprising: a processor; an interface configured to allow the physical token to communicate with an external entity; and memory configured to store: cryptographic data, and instructions which, when executed by the processor, cause the physical token to use the cryptographic data to perform a cryptographic operation to authenticate a train driver to whom the physical token is assigned.
  • the memory is configured to store data that is to be provided to an on-board computer of a train in order to allow the train to start its movement along a track.
  • the memory is configured to store data received from the on-board computer when the train has completed its movement along the track.
  • the physical token is a smart card (also often referred to as a chip card or an integrated circuit card).
  • smart card should not be considered limited to a particular form factor and can be, among other things, a card approximately the same size and shape as an ISO standard credit card, a key fob, a subscriber identification module (SIM), or a USB-based token.
  • a method performed by a client computer comprising: receiving, from a server computer, data that is to be provided to an on-board computer of a train in order to allow the train to start its movement along a track; displaying the data; facilitating performance, by a physical token that stores cryptographic data, of a cryptographic operation to authenticate a train driver to whom the physical token is assigned, when the physical token is presented by the train driver to a token interface connected to or integrated with the client computer, and transmitting the data to the on-board computer via a wireless transmitter, in response to acceptance of the data by the train driver that includes authentication of the train driver based on the cryptographic operation performed by the physical token.
  • a method performed by a physical token that is assigned to a train driver comprising: storing cryptographic data; and using the cryptographic data to perform a cryptographic operation to authenticate the train driver, when the physical token is presented by the train driver to a token interface at a computer.
  • a computer program comprising computer-executable instructions to perform any one of the aforementioned methods.
  • an on-board computer for a train comprising: a processor; memory that stores instructions which, when executed by the processor, cause the on-board computer to: receive, from a wireless receiver, data that is provided to the on-board computer in order to allow the train to start its movement along a track, facilitate performance of a cryptographic operation, by a physical token that stores cryptographic data, to authenticate a train driver to whom the physical token is assigned, when the physical token is presented by the train driver to an on-board token interface connected to or integrated with the onboard client computer, and allow the train to start its movement along the track, in response to acceptance of the data by the train driver that includes authentication of the train driver based on the cryptographic operation performed by the physical token.
  • on-board equipment of a train comprising: the aforementioned on-board computer; the wireless receiver; and the on-board token interface.
  • An apparatus or computer program according to one embodiment can comprise any combination of the method aspects. Methods or computer programs according to further embodiments can be described as computer-implemented in that they require processing and memory capability.
  • the apparatus according to embodiments is described as configured or arranged to, or simply "to" carry out certain functions. This configuration or arrangement could be by use of hardware or middleware or any other suitable system. In some embodiments, the configuration or arrangement is by software.
  • a program which, when loaded onto at least one computer, configures the at least one computer to carry out the method steps according to any of the preceding method definitions or any combination thereof.
  • the computer may comprise the elements listed as being configured or arranged to provide the functions defined.
  • this computer may include memory, processing, and a network interface.
  • Embodiments can be implemented in digital electronic circuitry, or in computer hardware, firmware, software, or in combinations of them.
  • Embodiments can be implemented as a computer program or computer program product, i.e., a computer program tangibly embodied in a non-transitory information carrier, e.g., in a machine-readable storage device, or in a propagated signal, for execution by, or to control the operation of, one or more hardware modules.
  • a computer program can be in the form of a stand-alone program, a computer program portion or more than one computer program and can be written in any form of programming language, including compiled or interpreted languages, and it can be deployed in any form, including as a stand-alone program or as a module, component, subroutine, or other unit suitable for use in a data processing environment.
  • a computer program can be deployed to be executed on one module or on multiple modules at one site or distributed across multiple sites and interconnected by a communication network.
  • Method steps of embodiments can be performed by one or more programmable processors executing a computer program to perform functions of the invention by operating on input data and generating output.
  • Apparatus can be implemented as programmed hardware or as special purpose logic circuitry, including e.g., an FPGA (field programmable gate array) or an ASIC (application-specific integrated circuit).
  • Processors suitable for the execution of a computer program include, by way of example, both general and special purpose microprocessors, and any one or more processors of any kind of digital computer.
  • a processor will receive instructions and data from a read-only memory or a random access memory or both.
  • the essential elements of a computer are a processor for executing instructions coupled to one or more memory devices for storing instructions and data.
  • Figure 1 is a schematic diagram depicting a system according to an example of the present disclosure
  • Figure 2 is a sequence diagram showing some interactions between entities of the system of Figure 1 according to an example of the present disclosure
  • Figure 3 is a schematic diagram depicting a physical token according to an example of the present disclosure
  • Figure 4 is a schematic diagram depicting components of the physical token of Figure 3 according to an example of the present disclosure
  • Figure 5 is a schematic diagram depicting components of a computer according to an example of the present disclosure
  • Figure 6 is a schematic diagram depicting components of the ETCS as well as interface components.
  • the ERTMS is a signalling and traffic management system. As noted earlier, it has two main components: the ETCS and GSM-R (Global System for Mobile Communications - Railway). As depicted in Figure 6, the ETCS includes trackside and on-board subsystems 602, 604.
  • the track-side sub-system 602 typically comprises the following elements (only some of which are shown): Transparent Eurobalise 606a, a transmission device that sends telegrams to the on-board sub-system; Fixed Eurobalise 606b, a transmission device that sends telegrams to the on-board subsystem based on pre-defined telegrams that are transmitted to every train; Lineside Electronic Unit (LEU) 608, an electronic device that generates telegrams to be sent by Eurobalise 606, based on information received from external track-side systems; Euroloop and Radio infill (not shown), which provide signalling information in advance; and Radio Block Centre (RBC) 610, a computer-based system that elaborates messages to be sent to the train 630, based on information received from external track-side sub-systems and information exchanged with the on-board sub-systems using GSM-R.
  • Interlocking 612 is not an ERTMS component, but it provides safety for train movements or routes and ensures that the route for a
  • the on-board sub-system 604 comprises on-board equipment responsible for supervising the movement of the train to which it belongs, on the basis of information exchanged with track-side sub-system 604 by means of Balise Transmission Unit (BTU) 614 and/or Radio Transmission Unit (RTM) 628, and possibly the on-board part 616 of the GSM-R radio system according to the ETCS level.
  • EVC European Vital Computer
  • the Driver Machine Interface (DMI) 622 is the interface between the driver and the on-board equipment, and is typically located on the driver's desk.
  • the DMI 612 can have a display screen that may be touch-sensitive and/or have buttons to permit the driver to input data, request permission to move and acknowledge certain events.
  • Train Interface Unit (TIU) 624 provides the interface between the on-board equipment and other systems of the train 630 such as the brake interface 626.
  • the Juridical Recorder Unit 626 provides 'black box' functions, storing the most important data and variables from train journeys to allow later analysis.
  • a train driver of an ETCS fitted train performs a Start of Mission procedure in order to allow the train to start its movement along the track, according to the planned operative modes and the ERTMS/ETCS level.
  • the train driver enters and/or confirms the following sets of data: train data, and additional data.
  • Train data refer to rolling stock characteristics and include: train running number, maximum train speed, ERTMS train category, train length, deceleration data, power supply, loading gauge, axle load, train fitted with airtight system, list of Specific Transmission Module (STM) available.
  • a system comprises a server computer 102 and one or more client computers 104, 106 (which may be the same or different types of computing devices) that are configured to communicate over network 108.
  • the network 108 can be any type of wired or wireless network or combination thereof, such as the Internet, a local area network (LAN), a wide area network (WAN), or the like.
  • a token interface 110 is connected to (or integrated with) at least one of the client computers 104.
  • the token interface 110 allows physical token 112 to interact with external entities, for example in order to perform a cryptographic operation when the physical token 112 is presented to the token interface 110 by a user (in this example, a train driver) to whom the physical token 112 is assigned.
  • the token interface 110 can be a smart card reader configured to establish contact with the card, supply it with necessary electrical energy and act as a clock for the card processor.
  • the physical token 112 can also be involved in biometric authentication of the train driver.
  • a wireless transmitter 114 that is configured to use a wireless communication protocol to wirelessly transmit signals to a wireless communication receiver 118 on board a train 122.
  • the wireless transmission can take place through any suitable radio interface including, for example, 2G, 3G, LTE, 802.11, etc.
  • the train 122 can be an individual vehicle or a formation of vehicles formed from a plurality of individual vehicles. Data received by the wireless communication receiver 118 can be input to an on-board computer 120 that is configured to supervise movement of the train 122.
  • the train 122 also includes an on-board token interface 124 connected to (or integrated with) the on-board computer 120, and which may be substantially the same as token interface 110 so that the physical token 112 can be used with both token interfaces 110, 124.
  • the receiver 118 can be the on-board part 616 of the GSM-R system; the on-board computer 120 can be an EVC 618; the wirelessly transmitted data can be at least some of the data typically entered manually as part of Start of Mission procedure; and the token interface 124 can be implemented as part of the DMI 622. It will be understood, of course, that embodiments are not limited to ETCS.
  • Figure 2 is a sequence diagram showing some of the interactions between entities shown in Figure 1. As will be apparent, some entities such as the client computer 106 and the token interfaces 110, 124 are not shown in the interests of clarity.
  • Data (e.g., ETCS mission data) that is to be provided to the on-board computer 120 is generated by input of planning information at, for example, the client computer 106, and stored on the server computer 102 (step S202).
  • the data is batch processed and made available for transmission to the on-board unit 120 and to the physical token 112.
  • the data is transmitted over the network 108 to the client computer 104. This can be in response to a request, instruction, or other indication received from the client computer 104, for example after a train driver has performed a log-in procedure using the client computer 104.
  • the data are displayed on a display device connected to or integrated with the client computer 104, so that the train driver can view them.
  • the train driver accepts the data.
  • acceptance includes multi-factor authentication of the train driver.
  • the multi-factor authentication includes authentication based on a cryptographic operation using the physical token 112 (step S210) and authentication based either on a secure PIN or a biometric of the train driver (step S212). It will be appreciated that steps S210 and S212 can be carried out in any order.
  • the cryptographic operation can be a PKI-cryptographic operation.
  • the authenticity of the pair of keys is ensured by means of a certificate, which associates the public key with identification data of the key holder.
  • the certificate is issued by an authentication entity (e.g., a server) which can be, for example, a private Certification Authority (CA) or a public (third-party) CA.
  • the authentication entity can be part of the system or a trusted third party.
  • Authentication by PIN can be performed by entry of the PIN via an input device, and verification against a PIN stored in the physical token.
  • Suitable input devices include a keypad, a keyboard, a touchscreen or other user interfaces.
  • the input device can be connected to or integrated with the client computer 104.
  • an on-board input device can be connected to or integrated with the on-board computer 120 (i.e., the DMI 622).
  • other secrets can be used for authentication, such as passwords, patterns, and touch gestures.
  • Biometric authentication uses one or more biometric identifiers, i.e., distinctive, measurable characteristics of a person, to authenticate that person.
  • biometric identifiers include, but are not limited to, fingerprint, palm veins, face recognition, retina, and voice.
  • Suitable hardware e.g., fingerprint reader, palm scanner, face scanner, retina scanner, and voice recognition device, which may be connected to or integrated with client computer 104, can be used to scan the biometric characteristic(s), extract critical information, and then store the results.
  • the biometric authentication S212 is shown as being performed by the client computer 104, though it will be appreciated that other or different entities may be involved.
  • the result can then be compared to a reference biometric characteristic, and, if there is sufficient commonality, a pass is achieved.
  • the reference biometric characteristic is securely stored on the physical token 112.
  • the physical token 112 can be configured to carry out the comparison.
  • Once the driver has accepted the data, it is transmitted via secure wireless transmission to the train (steps S212, S214).
  • This data can be stored by the on-board computer 120 in, for example, secure memory of the EVC 618.
  • the data is also transmitted to the physical token 112 (step S216). This can be after the transmission to the on-board computer 120, before the transmission to the on-board computer 120, or substantially in parallel.
  • After entering the cab of the train 122, the train driver inserts the physical token 112 into the on-board token interface 124 on, for example, the driver's console. There is an authentication step in which the train driver is authenticated via PIN or biometric ID on a driver-machine interface (not shown in Figure 1) such as, for example, DMI 622. Once authentication is complete, the driver-machine interface displays the data for the driver to accept. Once the driver accepts the data, which can involve authentication based on a cryptographic operation using the physical token 112, they are able to begin the movement of the train along the track (e.g., begin the ETCS mission).
  • the physical token 112 should remain inserted in the on-board token interface 124 at all times during the movement of the train along the track, and removal of the physical token 112 will result in activation of the service or emergency brake (depending on the train's speed / location / national rules etc.) and the train coming to a halt.
  • the train 122 transmits the data to the central system (e.g., server 102) via a secure wireless link.
  • wireless transmitter 114 it will be appreciated that there may also be a wireless receiver.
  • the driver can access a computer terminal 102, 104 with the physical token 112 to allow transmission of the data back to the central system (e.g., server 102) which batch processes the data from the physical token 112 and the data transmitted by the train 122 via the wireless link.
  • a physical token 112 is a smart card 302 comprising an integrated circuit 304 and, in this particular case, an antenna (RFID loop) 306 to allow the smart card 302 to be programmed for additional access security measures (e.g., doors & gates to offices/compounds etc.) and for driver Clock On/Clock Off.
  • Other suitable physical tokens 112 can include a USB device or a mobile device (SIM card).
  • the integrated circuit 304 comprises a processor 402, memory 404, 406, 408, and an Input/Output (I/O) interface 410.
  • the processor 402 embedded in the card can manipulate and control the data present in the smart card 302.
  • the memory comprises a Read Only Memory (ROM) 404, a Random Access Memory (RAM) 406, and a Non-Volatile Memory (NVM) such as an Electrically Erasable Programmable Read Only Memory (EEPROM).
  • ROM 404 contains the smart card operating system.
  • the RAM 406 provides working memory for card operations, such as encryption and decryption.
  • the EEPROM 408 is where applications and their persistent associated data are stored.
  • the EEPROM 408 can store cryptographic data such as a private key and a digital certificate/public key, applications for performing cryptographic operations such as cryptographic calculations involving the private key, a biometric characteristic of the train driver, and the train driver's qualifications and certifications.
  • the cryptographic operation can be in accordance with a PKI-based authentication protocol.
  • An example of a digital certificate is an X.509 certificate.
  • the I/O interface 410 is one point of communication with the smart card 302. This can be a contact interface or a remote contactless radio frequency interface.
  • the I/O interface can be a conductive contact module provided on a surface of the smart card 302.
  • the I/O interface 410 can be an internal antenna (separate from antenna 306) so that the integrated circuit 304 can communicate wirelessly by way of an electromagnetic interface when the smart card 302 is placed in proximity of a card reader.
  • FIG. 5 is a block diagram of a computing device, such as server computer 102, client computer 104, 106, and on-board computer 120, which embodies the present invention, and which may be used to implement a method of the present disclosure.
  • the relationship of client computers 104, 106 and server computer 102 arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other.
  • Client computers 104, 106 can include, but are not limited to, personal computers (whether desktop, laptop, or otherwise), personal digital assistants (PDAs), cellular telephones and smartphones, or the like.
  • the client computers 104, 106 are secure terminals.
  • Server devices are any computerized component, system or entity regardless of form which is adapted to provide data, files, applications, content, or other services to one or more other devices or entities on a computer network.
  • the client and server computers 102, 104, 106 are generally remote (separate) from the train.
  • the computing device comprises a processor 502, and memory 504.
  • the computing device also includes a network interface 510 for communication with other computing devices, for example with other computing devices of invention embodiments.
  • an embodiment may be composed of a network of such computing devices.
  • the computing device also includes one or more input mechanisms such as keyboard and mouse (generally referred to as input 508), and a display 506 such as one or more monitors.
  • the components are connectable to one another via a bus 512.
  • the memory 504 may include a computer readable medium, which term may refer to a single medium or multiple media (e.g., a centralized or distributed database and/or associated caches and servers) configured to carry computer-executable instructions or have data structures stored thereon.
  • Computer-executable instructions may include, for example, instructions and data accessible by and causing a general purpose computer, special purpose computer, or special purpose processing device (e.g., one or more processors) to perform one or more functions or operations.
  • the term "computer-readable storage medium" may also include any medium that is capable of storing, encoding or carrying a set of instructions for execution by the machine and that cause the machine to perform any one or more of the methods of the present disclosure.
  • computer-readable storage medium may accordingly be taken to include, but not be limited to, solid-state memories, optical media and magnetic media.
  • computer-readable media may include non-transitory computer-readable storage media, including Random Access Memory (RAM), Read-Only Memory (ROM), Electrically Erasable Programmable Read-Only Memory (EEPROM), Compact Disc Read-Only Memory (CD-ROM) or other optical disk storage, magnetic disk storage or other magnetic storage devices, flash memory devices (e.g., solid state memory devices).
  • the processor 502 is configured to control the computing device and execute processing operations, for example executing code stored in the memory to implement the various different functions described here and in the claims.
  • the memory 504 stores data being read and written by the processor 502.
  • a processor may include one or more general-purpose processing devices such as a microprocessor, central processing unit, or the like.
  • the processor may include a complex instruction set computing (CISC) microprocessor, reduced instruction set computing (RISC) microprocessor, very long instruction word (VLIW) microprocessor, or a processor implementing other instruction sets or processors implementing a combination of instruction sets.
  • the processor may also include one or more special-purpose processing devices such as an application specific integrated circuit (ASIC), a field programmable gate array (FPGA), a digital signal processor (DSP), network processor, or the like.
  • a processor is configured to execute instructions for performing the operations and steps discussed herein.
  • the display 506 may display a representation of data stored by the computing device and may also display a cursor and dialog boxes and screens enabling interaction between a user and the programs and data stored on the computing device.
  • the input mechanisms 508 may enable a user to input data and instructions to the computing device.
  • the network interface (network I/F) 510 may be connected to a network, such as the Internet, and is connectable to other such computing devices via the network.
  • the network I/F 510 may control data input/output from/to other apparatus via the network.
  • Other peripheral devices such as microphone, speakers, printer, power supply unit, fan, case, scanner, trackerball, etc. may be included in the computing device.
  • Methods embodying the present invention may be carried out on a computing device such as that illustrated in Figure 5.
  • a computing device need not have every component illustrated in Figure 5, and may be composed of a subset of those components.
  • the ETCS is only one example of a train control system in which embodiments of the invention can be practiced.
  • Another example is the Communication Based Train Control (CBTC) systems which are often used in light rail/metro systems.
  • In CBTC systems, an Automatic Train Supervision (ATS) system functions as an interface between an operator and the system, managing the traffic according to the specific regulation criteria. It is responsible for sending data used in the Start of Mission procedure and during the train running.
  • the mission contains a set of information for each stop that the train must perform during the service.
  • a wayside Automatic Train Protection (ATP) system undertakes the management of all the communications with the trains in its area. Additionally, it calculates the limits of movement authority that every train must respect while operating in the mentioned area.
  • a wayside Automatic Train Operation (ATO) system is in charge of controlling the destination and regulation targets of every train. The wayside ATO functionality provides all the trains in the system with their destination as well as with other data such as the dwell time in the stations. On board the train, an on-board ATO system controls the speed of the train. The on-board ATO is monitored and, if necessary, corrected by an on-board ATP system.
  • the client terminal 104 can be part of the ATS system which an operator uses to accept mission data that is to be sent to the on-board ATO if the operator is authenticated.
  • the train driver is only an example of a person (user) to whom a physical token can be assigned and with which physical token the person (user) can be authorised, and who can accept data that is to be provided to an on-board computer of a train in order to allow the train to start its movement along a track.
  • data entry can be performed by a person (user) who may not be the driver, e.g., a train preparer.
  • a train preparer is another example of a person (user) to whom a physical token can be assigned and with which physical token the person (user) can be authorised, and who can accept data that is to be provided to an on-board computer of a train in order to allow the train to start its movement along a track.
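
The description says the token holds a private key and certificate and performs a PKI-based cryptographic operation, and that data is only sent to the on-board computer once the authenticated user accepts it. The Go sketch below is an added illustration, not code from the patent or from any deployed system, of one way to gate that release on the token's signature. Assumptions not found in the patent: ECDSA P-256, a server-issued random challenge, signing over the hash of the displayed data, the names `Token`, `Accept` and `Release`, and a public key already taken from a validated X.509 certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Token stands in for the smart card (assumed ECDSA P-256); the key never leaves it.
type Token struct{ key *ecdsa.PrivateKey }

func NewToken() (*Token, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Token{k}, err
}

func (t *Token) Public() *ecdsa.PublicKey { return &t.key.PublicKey }

// NewChallenge returns a fresh random value so an old acceptance cannot be replayed.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// digest binds the challenge to the exact data displayed (binding is an assumption).
func digest(challenge, data []byte) []byte {
	d := sha256.Sum256(data)
	h := sha256.Sum256(append(append([]byte{}, challenge...), d[:]...))
	return h[:]
}

// Accept is the card-side operation: sign SHA-256(challenge || SHA-256(data)).
func (t *Token) Accept(challenge, data []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, t.key, digest(challenge, data))
}

// Release hands data onward only if the signature matches this challenge and data.
func Release(pub *ecdsa.PublicKey, challenge, data, sig []byte) ([]byte, error) {
	if !ecdsa.VerifyASN1(pub, digest(challenge, data), sig) {
		return nil, fmt.Errorf("acceptance rejected: signature does not verify")
	}
	return data, nil
}

func main() {
	tok, _ := NewToken()
	ch, _ := NewChallenge()
	data := []byte("train_id=EXAMPLE-001;max_speed_kmh=120") // constructed sample
	sig, _ := tok.Accept(ch, data)
	_, err := Release(tok.Public(), ch, data, sig)
	fmt.Println("released:", err == nil)
}
```

Because the signature covers both the challenge and the data hash, a signature captured for one session or one data set fails verification for any other.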

Landscapes

  • Engineering & Computer Science (AREA)
  • Mechanical Engineering (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Train Traffic Observation, Control, And Security (AREA)

Abstract

The present invention relates to a system comprising: a server computer; a client computer; and a physical token, which is assigned to a train driver, wherein the server computer is configured to store data that is to be provided to an on-board computer of a train in order to allow the train to start its movement along a track, and to transmit the data to the client computer, the client computer is configured to display the data, the physical token is configured to store cryptographic data and, when the physical token is presented by the train driver to a token interface at the client computer, to use the cryptographic data to perform a cryptographic operation to authenticate the train driver, and at least one of the server computer and the client computer is configured to transmit the data to the on-board computer via a wireless transmitter in response to acceptance of the data by the train driver, which acceptance comprises authentication of the train driver on the basis of the cryptographic operation performed by the physical token.
EP17798134.7A 2016-11-23 2017-10-27 Input of data into an on-board computer of a train Pending EP3544877A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
GB1619807.9A GB2556893A (en) 2016-11-23 2016-11-23 Input of data into an on-board computer of a train
PCT/EP2017/077667 WO2018095696A1 (fr) 2016-11-23 2017-10-27 Input of data into an on-board computer of a train

Publications (1)

Publication Number Publication Date
EP3544877A1 true EP3544877A1 (fr) 2019-10-02

Family

ID=57993911

Family Applications (1)

Application Number Title Priority Date Filing Date
EP17798134.7A Pending EP3544877A1 (fr) 2016-11-23 2017-10-27 Input of data into an on-board computer of a train

Country Status (3)

Country Link
EP (1) EP3544877A1 (fr)
GB (1) GB2556893A (fr)
WO (1) WO2018095696A1 (fr)


Also Published As

Publication number Publication date
WO2018095696A1 (fr) 2018-05-31
GB2556893A (en) 2018-06-13
GB201619807D0 (en) 2017-01-04


Legal Events

Date Code Title Description
STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: UNKNOWN

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE INTERNATIONAL PUBLICATION HAS BEEN MADE

PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: REQUEST FOR EXAMINATION WAS MADE

17P Request for examination filed

Effective date: 20190524

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

AX Request for extension of the european patent

Extension state: BA ME

RAP1 Party data changed (applicant data changed or rights of an application transferred)

Owner name: SIEMENS MOBILITY LIMITED

DAV Request for validation of the european patent (deleted)
DAX Request for extension of the european patent (deleted)
RAP3 Party data changed (applicant data changed or rights of an application transferred)

Owner name: SIEMENS MOBILITY LIMITED

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: EXAMINATION IS IN PROGRESS

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: EXAMINATION IS IN PROGRESS

17Q First examination report despatched

Effective date: 20211026

RAP3 Party data changed (applicant data changed or rights of an application transferred)

Owner name: SIEMENS MOBILITY LIMITED