IL189095A - Method and system for securely authorising the activation of a critical function on a drone - Google Patents

Method and system for securely authorising the activation of a critical function on a drone

Info

Publication number
IL189095A
IL189095A IL189095A IL18909508A IL189095A IL 189095 A IL189095 A IL 189095A IL 189095 A IL189095 A IL 189095A IL 18909508 A IL18909508 A IL 18909508A IL 189095 A IL189095 A IL 189095A
Authority
IL
Israel
Prior art keywords
module
activation
message
effector module
effector
Prior art date
Application number
IL189095A
Other versions
IL189095A0 (en
Original Assignee
Sagem Defense Securite
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Sagem Defense Securite filed Critical Sagem Defense Securite
Publication of IL189095A0 publication Critical patent/IL189095A0/en
Publication of IL189095A publication Critical patent/IL189095A/en

Links

Classifications

    • GPHYSICS
    • G05CONTROLLING; REGULATING
    • G05BCONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B9/00Safety arrangements
    • G05B9/02Safety arrangements electric
    • GPHYSICS
    • G05CONTROLLING; REGULATING
    • G05DSYSTEMS FOR CONTROLLING OR REGULATING NON-ELECTRIC VARIABLES
    • G05D1/00Control of position, course, altitude or attitude of land, water, air or space vehicles, e.g. using automatic pilots
    • G05D1/0011Control of position, course, altitude or attitude of land, water, air or space vehicles, e.g. using automatic pilots associated with a remote control arrangement
    • G05D1/0022Control of position, course, altitude or attitude of land, water, air or space vehicles, e.g. using automatic pilots associated with a remote control arrangement characterised by the communication link

Landscapes

  • Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Automation & Control Theory (AREA)
  • General Physics & Mathematics (AREA)
  • Remote Sensing (AREA)
  • Radar, Positioning & Navigation (AREA)
  • Aviation & Aerospace Engineering (AREA)
  • Control Of Position, Course, Altitude, Or Attitude Of Moving Bodies (AREA)
  • Numerical Control (AREA)
  • Manipulator (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Catching Or Destruction (AREA)
  • Radar Systems Or Details Thereof (AREA)
  • Small-Scale Networks (AREA)

Abstract

The system has a ground control station (100) with an activation module (130) comprising a signing module for generating an activation message to activate critical functions (A-1B, A-1C, A-2B) for a designated effector module from a set of effector modules (230, 240, 330) of robotized platforms (200, 300). Each effector module has a verification unit for authenticating the message from the station. The verification unit verifies whether the received message is a signed integrated message for the effector module and authorizes the realization of the critical functions based on needs. An independent claim is also included for a method for authorizing activation of a critical function by a robotized platform.

Description

189095 ,7'ji I 453563- τηκ >o y n»o>*ip n>-<pJio yan v> no-nxe ΊΙ¾»ΝΪ> nmyai iio>w Method and system for securely authorising the activation of a critical function on a drone Sagem Defense Securite C. 181255 METHOD AND SYSTEM FOR SECURELY AUTHORISING THE ACTIVATION OF A CRITICAL FUNCTION ON A DRONE The field of the invention is that of robot platforms of the air or ground drone type.
The invention relates in general to the insertion of secure functions within complex systems. It relates more specifically to the authorisation of the activation of a critical function requiring a high level of security, for implementation within a complex system such as a drone system comprising one or more robot platforms. By way of non-limiting example of a critical function, mention will be ' made of the triggering of a firing of munitions from such a platform.
Within complex systems, some particular functions require high levels of security due to the nature of the actions that- they deliver, for example for their direct contribution to the security of the system. These functions are thus commonly referred to as critical functions .
In particular, the object here is to prevent the inopportune activation of these critical functions. The terminology "authorisation of the critical function" is therefore used. The non-performance of the function is not deemed to be critical; on the other hand, the untimely performance thereof is deemed to be critical. For the cited use example, the firing of the munition is not per se deemed to be critical with regard to security, but the unauthorised activation thereof is deemed to be critical.
In order to guarantee the security of their operation, and to facilitate the theoretical demonstration thereof, the conventional approach is to isolate these functions and also their entire command and control chain. This may prove to be a severe handicap when these functions are to be inserted within systems which' either already exist or are too complex to be able to be developed integrally with the intended high levels ■ of security. The invention deals with this problem, and in particular aims to make it possible to insert such functions without having to justify the robustness of each link in the; control- chain of the function in question .
Returning to the case of robot drones, there is a tendency to want to equip these drones with a missile system. However, these drones were initially developed without any security objective with regard to "missile security" .
Although in a conventional aeronautical system it is the pilot who is responsible for releasing a safety lock which makes it possible to authorise the triggering of the firing of the missile (final security authorisation), it will be understood that, in the context of a robot drone, the task of releasing this safety lock has to be handed over to the system control centre (in this case a ground station housing the people operating the system) .
However, it is then necessary to ensure, with a · particularly high level of security, that the activation of the critical function "missile firing" is not triggered inopportunely.
An immediate solution to this problem of integrating the critical function of the missile firing type is shown in figure 1.
This figure 1 shows a ground station 10 and a deployed robot drone 20 · which is controlled from the ground station 10 via a radio link 32.
As shown schematically, the ground station 10 comprises a central command and control module, referred to as the core, module 11, and a transmission module 12 which is connected to the core module 11.
The drone 20 comprises a central command and control module, referred to as the core module 21, a missile system 23 which is connected to the core module 21, and a transmission module 22 which is also connected to the core module 21.
The radio link 32 provides the functional link between the core modules 11, 21 of the station 10 and the drone 20, via the transmission modules 12, 22.
These elements 11, 12, 32, 22, 21, 23, which are conventional per se and which have just been presented, are shown in solid lines in this figure 1.
The chain of critical elements, referred to as the firing authorisation chain, which transmits the firing authorisation to the missile system 23, is shown in dashed lines in this same figure 1. This segregated architecture is one possible solution to the problem of integrating the activation of the missile firing operation .
The firing authorisation chain comprises secure modules (i.e. modules formed with a sufficiently high level of criticality for the function in question) which are connected to one another by a dedicated link. Thus the station 20 comprises a firing authorisation module 14 •and the drone comprises a firing authorisation module 24, these modules 14, 24 being connected by a dedicated link illustrated by the bold arrow bearing reference 34.
It will therefore be understood that, in this architecture, -a choice has been made to segregate the chain for authorising the activation of the critical function, by separating this chain from the rest of the system.
Although this architecture proves useful to demonstrate rigorously and with reasonable effort the overall security of operation of the firing chain, it nevertheless has certain disadvantages.
For multiple drones (controlling a fleet of drones from the ground station and deploying multiple systems in a theatre of war) , this solution makes it necessary to implement and to house together multiple additional links, which proves to be relatively difficult to envisage in an operational context.
The object of the invention is to propose another solution for integrating a critical function, for example commanding the firing of a missile, in a complex system, and in particular a solution which does not have the disadvantages of the solution in figure 1 which uses an additional dedicated link.
According to a first aspect, the invention relates to a system for authorising the activation of a critical function, such as the triggering of a firing of munitions, by a robot drone of the air or ground type which is able to communicate with a ground station via a radio link, the system being characterised in that the station comprises an activation module and the drone •comprises at least one effector module, the activation module comprising generation means for generating a critical function activation message signed for a designated effector module, and each effector module comprising authentication means for authenticating signed activation messages coming from the station via the radio link, said authentication means being able to verify whether a received message is a genuine message signed for said effector module, and where appropriate to authorise the activation of the critical function.
Some preferred, but non-limiting, aspects of this system are as follows: - a system comprising a signature key and an authentication key is used by the activation module and each effector module in order to respectively sign and authenticate an activation message, a different signature key/authentication key pair being associated with each activation module/effector module pair; the signature key/authentication key pair . is defined for a use that is limited with regard to time or for a use that is limited to a certain number of uses; - the system of keys is a system of asymmetrical keys in which the activation module (for sending an order) uses a private signature key selected as a function of the designated effector module, and each effector module is designated by a public authentication key; - each effector module may in turn use a specific internal private key to send its status (activated or not) back to the activation module. For this, the activation module has a public authentication key which is specific to it; - the activation module comprises a memory which stores each of the signature keys designed to be used by the generation means to sign a critical function activation message for a designated effector module; each effector module comprises a memory which stores authentication keys designed to be used by the authentication means to verify whether a received message is a genuine message, and to code in return the status of the effector module.
According to a second aspect, the invention relates to a method for authorising the activation of a critical function, such as the triggering of a firing of munitions', by a robot drone of the air or ground type which is able to communicate with a ground station via a radio link-, the ground station comprising an activation module and the drone- comprising at least one effector module, characterised in that said method comprises the following steps: - generation, by the -activation module of the ground station, of a critical function activation message signed for a designated effector module; -- transmission of the message via the radio link from the activation module to the designated effector module; - authentication, by the designated effector module, of the signed activation message in order to verify whether the received message is a genuine message signed for said module, and - authorisation, ' where appropriate, of the activation , of the critical function by the designated effector module.
'Some preferred, but non-limiting, aspects of this method are as follows: - it uses a system comprising a signature key and an authentication key in order to respectively sign and authenticate an activation message, with a different signature key/authentication key pair for each activation module/effector module pair; - the system of keys is a system of asymmetrical keys, the activation module using a private signature key selected as a function of the designated effector module, and each effector module using a public authentication key; - it activates the critical function upon receipt of the order, according to which the activation message is permanently transmitted to the designated effector module, and any break in the transmission of the activation message deactivates the critical function after a given delay; - it also comprises a step of return transmission to the station of a message concerning the status of the designated effector module, comprising in a symmetrical manner the operations of signing of said message by the effector module and authentication of said message by the activation module of the station.
According to other aspects, the invention relates to a -ground control station and a robot drone for a system according to the first aspect.
Other aspects, objects and advantages of the present invention -will become■ more clearly apparent upon reading the , following detailed description of preferred embodiments thereof, said description being given by way of non-limiting example and with reference to the appended drawings, in which, besides figure 1 which has already been discussed: figure 2 shows a diagram of a system for activating a critical function according to one possible embodiment of the first aspect of the invention; figure 3 shows a diagram of one possible embodiment of an activation module according to the invention; - figure 4 shows a diagram of one possible embodiment of an effector module according to the invention .
Figure 2 shows a diagram of a system for activating a critical function, · for example a firing of munitions, by a robot platform of the air or ground drone type, the system comprising a ground control station 100 and a fleet of platforms consisting of at least one robot platform (here two platforms 200, 300) deployed from the station 100 and linked to the station.
The ground - station 100 comprises a core command and control module 110 and . also a transmission module 120 ■ which is connected to the core module 110.
Each of the drones 200, 300 comprises a core command and control module 210, 310, a missile system (not shown) ■ which is connected to the core module 210, 310, and also a transmission module 220, 320 which is likewise connected to the core module 210, 310.
The radio link 32 provides the link between the core module 110 of the station 100 and each of the core modules 210, 310 of the drones 200, 300, via the transmission modules 120, 220, 320.
In the same way as in figure 1, the critical elements of the firing chains are shown in dashed lines. The station 100 thus comprises one (or more) activation module (s) 130 for activating the critical function; and each of the drones 200, 300 comprises one (or more) effector module (s) 230, 240, 330.
The activation module 130 makes it possible to generate different critical function activation orders for each of the effector modules 230, 240, .330, and the aim of the system, is to propagate these orders to the relevant effector module.
Each effector module 230, 240, 330 receives its activation order but does not authorise the performance of the function, which is expected (deemed) to be critical, until it has been authenticated that the order is indeed intended for it.
In the example shown here, and on the order of the ground station, the effector module 230 of the drone 200 can authorise the performance of the function A_1B, the module 240 of the drone 200 can authorise the performance of th'e function A_2B, and the module 330 of the drone 300 can authorise the performance of the function A_1C.
It will be understood that the desired objective is to make secure the functions A_1B, A_2B, A_1C since the inopportune (i.e. not intentionally commanded) activation thereof would cause great damage.
The propagation of the authorisation orders by the system is not critical since only receipt of the correct order, signed for a specific effector, can authorise this effector module to allow the intended function.
The non-propagation of the authorisation orders is also not critical since, as noted in the preamble, only an inopportune activation of the function is deemed to be undesirable .
The activation module 130 and the effector modules 230, 240, 330 are thus formed with the desired level of criticality (therefore relatively high) for the desired level of security of the function. The rest of the system may have a much lower level of criticality, without any effect on the overall security of the function (from the point of view of its inopportune activation) .
The activation module 130 comprises means for generating a critical function activation message which is signed, and therefore specific, for each of the possible effector modules. This might involve for example generating a message for activating the function A_1B, this message then being explicitly signed for the effector module 230 of the platform 200.
As indicated, the activation message is signed for a designated effector module. This effectively involves sending a order that has been made secure by using a signature, so as to guarantee that only the activation module 130 is able to generate valid orders for the intended effector, and that only the addressed effector module (the designated module 230 in the example shown here) is able to confirm the validity of these orders, by authenticating these orders as being intended for it, and therefore to be able then to activate the function A_1B.
In order to sign the activation message, a cryptographic signature algorithm is used for example which makes it possible to guarantee mathematically, with a high level of security, the integrity of the information contained in the message and also the authentication of this information.
More specifically, a system comprising a signature key and an authentication key is used respectively by the activation module and each effector module in order to respectively sign and authenticate an activation message, a different signature key/authentication key pair being associated with each activation module/effector module pair .
This signature key/authentication key pair may be defined for a permanent use (for example throughout the whole of a mission), or for a use that is limited with regard to time or for a use that is limited to a certain, number of uses (for example a single use) .
According to one preferred embodiment, the selected solution uses a system of asymmetrical keys. A signature key of the private key type is used by the activation module 130- to sign the message transmitted by the ground station 100 for a designated effector module. A signature key of the public key type, which is different from the private key, is used in each effector module 230, 240, 330 to validate the authenticity of the message coming from the activation module.
The private key used by the activation module 130 is specific to each effector module to be designated, and the public key used by an effector module may be specific to this effector module (in other words, each effector module then has its own public key) or may be identical for all or some of the effector modules.
There is therefore a different public key/private key pair for each- effector module. This enables each effector module to be rigorously, differentiated.
Furthermore, compromising the public key present in an effector module has no effect on the security of the system since it does not make it possible to generate signatures but only to verify them. In particular, it is understood that, by recovering a drone, a malevolent person would at most be able to obtain the public key(s) or the effector■ module ( s ) of this drone. However, this person would not be able to obtain the private key which makes it possible to generate the activation messages.
This preferred embodiment proves to be advantageous since it makes it possible to rigorously differentiate different systems (thus with several activation modules, and other effector modules) in the same theatre of war. This is partially of interest since multiple systems in the presence of one another are always faced with the risk .of interfering with one another, due to operator error; or a technical fault.
It will be understood that, in the context of the invention, the size of the signature keys used is dimensioned in such a way as to avoid the risks of inopportune message errors/distortions in the non-secure intermediate part of the system. The use of cryptographic algorithms according to the prior art makes it possible in particular to guarantee that the generation of a signature in a random manner can be valid only with a largely negligible probability.
The activation of the critical function will be described in greater detail below, in particular . with reference to Figs. 3 and 4 which respectively show one possible embodiment of an activation module 130 and of an effector module 230.
The activation module 130 comprises a memory 131 in which the private key associated with each effector module 230, 240, 330 is stored.
Upon receipt of an order E identifying the effector module that is to perform the critical function (effector module designated by the activation) , the memory 131 presents at its output the private key CP associated with the designated effector module.
The .activation module 130 also comprises a signature module 132 which receives as input an order A to activate (or to deactivate) the function - for example a manual or secure order - for a designated effector module, and the private key CP associated with this effector module. The signature module 132 then generates a message Ma to activate (or deactivate) the function, signed for the designated effector.
This signed activation message Ma is then conveyed by the system to the designated effector module (for example to the module 230, passing via an interface module 133 for dialoguing with the station, the core module 110 and the transmission module 120 of the station 100, the radio link 32, and the transmission module 220 and the core module 210 of the drone 200) .
As shown in figure 4, the effector module 230 comprise means 231 for verifying the signature of the signed message, said means receiving as input the signed activation message Ma and the public key Cpu which it has in a memory 232, these signature verification means 231 making it possible to verify whether the message is indeed intended for said effector module and whether it authorises said effector module to activate the function that it assumes (function A_1B in the case of effector module 230 ) .
In other words, the signature verification means 231 make it possible to authenticate a message received by the effector module 230, thus verifying whether it is a genuine message, effectively signed for this effector module .
The effector module 230 also comprises an interface module 233 for dialoguing with the missile system, which is able to transmit to the latter the result of the signature verification, namely an information item which does or does not authorise it to perform the critical function (triggering of a missile firing operation) .
All the effector modules are based on the same model, so that any effector module (in the example, modules 240, 330) other than the designated effector module (module 230) which receives the same message but which is associated with a different private key/public key pair will conclude a false signature and will not trigger the function that it controls (the functions A_2B and A_1C will therefore not be able to be performed) .
Furthermore, any transmission error or alteration of the activation messages via the message-carrying chain, or any generation of a message due to a malfunction of the system, will produce a message which will not be recognised by the effector module since it is not correctly signed.
It will be understood that, in order to securely address a plurality- of effector modules, it is sufficient to differentiate the keys of these modules by providing a key specific to each module (permanently loaded within each module or loaded by manual preparation before a mission, depending on the desired versatility) .
It will be noted that the invention is not limited to the use of an asymmetrical cryptography system, and that it is also possible, particularly if the compromise aspect is deemed not to be critical, to use a symmetrical cryptography system for which the same key is used by the activation module and the designated effector module (this key of course being valid only for one particular activation module/effector module pair) .
It has been seen above that, in order to ensure that an effector module is able to act only when the correct order is received, the order transmitted by the activation module is signed using the signature method described above.
Different variant embodiments will be described below .
- In order to ensure at all times that the function is activated only upon receipt of . the order, the activation message is transmitted permanently to the designated effector module, and any break in transmission of the activation message deactivates the critical function after a given delay (fail-safe mode).
- Securing the return of information regarding the status of the function (status of the effector module) can similarly be carried out by the reverse method, with different keys (one signature key, for example a private key, in each effector module) , signing of the information (sending of a signed message concerning the status of the effector module) , transmission of the signed message by the effector module to the activation module, and authentication of said message by the activation module of the station. Consolidated information about the status of the effector module is thus available on the ground. Its active (or inactive) state can thus be transmitted with a very good level of security, which is also very important for monitoring the system from the ground station .
- It will also be mentioned that, in the context of the invention, the guaranteed level of security can very easily be adapted as a function of the environment encountered, for example by restricting the use of the keys to a single use, a use limited with regard to time, etc .
The invention described above therefore makes it possible to address, securely and independently, several sub-assemblies within a complex system (for example an air drone within a fleet of air drones, a munition within a set of munitions on one or more drones).
The invention also makes it possible for several systems of the same type to be located in the same zone without any risk .of security interference (even in the event of a common frequency) , by making specific the signatures of each system and each sub-system.
The invention also offers a high level of security against adverse deception, since simply knowing the public key does not make it possible to activate the functions, and since the pair of keys can be defined for a limited use or even a single use (by then multiplying the keys for each munition, or each drone, or each request for action) .
Moreover, it will be understood that the invention is not limited to authorising the activation of the triggering of a missile firing operation, but rather extends more widely to authorising the activation of all functions deemed critical or relevant to security. By way of non-limiting examples, the following will be mentioned : delivering or authorising the delivery of a munition within a system; activating particular items of equipment with potentially hazardous effects for the system or its environment (laser equipment, radar transmissions, lighting of pyrotechnic devices, etc.); - activating/neutralising the security chain for implementing the secure mode of a system: interrupting the flight of an aircraft or missile by activating a chain for recovering, stopping the propulsion, neutralising/destroying in flight, inhibiting the nominal recovery chain, inhibiting a security device such as the transponder; - activating functions which are essential to the security of operation: redeploying wings, controlling flaps, deploying air brakes.
Of- course, the invention also extends to the ■different elements of the system taken separately, and in particular to a ground station equipped with an activation module and to a drone equipped with an effector module.

Claims (15)

189095/2 20 CLAIMS:
1. A system for authorizing the activation of a critical function (A_1B, A_2B, A_1C) , such as the triggering of a firing of munitions, by a robot drone of the air or ground type , the system being characterized in that: it comprises a ground station that can release a safety lock protecting a non authorizing activation of a critical function by an effector module of a robot drone appertaining to a fleet of robot drones, the ground station comprising a transmission module capable to ensure a radio link with each drone of the fleet of drones, the ground station being characterized in that it comprises an activation module having generation means for generating a critical function activation message signed for a designated effector module of a drone so that only the designated effector module of the said drone can authorize the critical function activation, and in that the transmission module is configured to transmit the said critical function activation message to the designated effector module.
2. A system according to claim 1 further comprising a robot drone to appertain to a fleet of robot drones, comprising a transmission module capable to ensure a radio link with said ground station, and at least one effector module capable of performing a critical function upon order from the ground station, the non authorized activation of the critical function being protected by a safety lock, characterized in that it comprises authentication means for authenticating messages received from the ground station, said authentication means being configured to verify whether a received message is a genuine message signed for a designated effector module of the drone and in that event to release the safety lock protecting activation of the critical function by said designated effector module.
3. A system according to the preceding claim, characterized in that a system comprising a signature key and an authentication key is used by the activation module and each effector module in order to respectively sign and authenticate an activation message, a different signature key/authentication key pair being associated with each activation module/effector module pair.
4. A system according to the preceding claim, characterized in that the 01812551X40-01 189095/2 21 signature key/authentication key pair is defined for a use that is limited with regard to time or for a use that is limited to a certain number of uses.
5. A system according to any one of claims 3 to 4, characterized in that the system of keys is a system of asymmetrical keys in which the activation module uses a private signature key selected as a function of the designated effector module, and each effector module uses a public authentication key.
6. A system according to the preceding claim, characterized in that each effector module uses a public authentication key which is specific to it.
7. A system according to any one of claims 3 to 6, characterized in that the activation module comprises a memory which stores each of the signature keys designed to be used by the generation means to sign a critical function activation message for a designated effector module.
8. A system according to any one of claims 3 to 7, characterized in that each effector module comprises a memory which stores the authentication key designed to be used by the authentication means to verify whether a received message is a genuine message.
9. A method for authorizing the activation of a critical function (A_1B, A_2B, A_1C) , such as the triggering of a firing of munitions, by a robot drone of the air or ground type which is able to communicate with a ground station via a radio link , the ground station comprising an activation module and the drone comprising at least one effector module (230, 240, 330), characterized in that said method comprises the following steps: - generation, by the activation module of the ground station, of a critical function activation message (Ma) signed for a designated effector module; transmission of the message via the radio link from the activation module to the designated effector module; - authentication, by the designated effector module, of the signed activation message in order to verify whether the received message is a genuine message signed for : said module, and authorization, where appropriate, of the activation of the critical function by the designated effector module. 01812551\40-01 189095/2 22
10. A method according to the preceding claim, characterized in that it uses a system comprising a signature key and an authentication key in order to respectively sign and authenticate an activation message, with a different signature key/authentication key pair for each activation module/effector module pair.
11. A method according to the preceding claim, characterized in that the system of keys is a system of asymmetrical keys, the activation module using a private signature key selected as a function of the designated effector module, and each effector module using a public authentication key.
12. A method according to any one of claims 9 to 11, characterized in that it activates the critical function upon receipt of the order, according to which the activation message is permanently transmitted to the designated effector module, and any break in the transmission of the activation message deactivates the critical function after a given delay.
13. A method according to any one of claims 9 to 11, characterized in that it also comprises a step of return transmission to the station of a message concerning the status of the designated effector module, comprising the operations of signing of said message by the effector module and authentication of said message by the activation module of the station.
14. A method according to the preceding claim, characterized in that the effector module uses a private key which is specific to it for signing a return message, and the activation module uses a public key which is specific to it for authenticating the return message.
15. A robot drone to appertain to a fleet of robot drones, comprising a transmission module capable to ensure a radio link with a ground station, and at least one effector module capable of performing a critical function upon order from the ground station, the non authorized activation of the critical function being protected by a safety lock, characterized in that it comprises authentication means for authenticating messages received from the ground station, said authentication means being configured to verify whether a received message is a genuine message signed for a designated effector module of the drone and in that event to release the safety 01812551X40-01 189095/2 23 lock protecting activation of the critical function by said designated effector module. PARTNERS 01812551X40-01
IL189095A 2007-01-31 2008-01-29 Method and system for securely authorising the activation of a critical function on a drone IL189095A (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
FR0752984A FR2912022B1 (en) 2007-01-31 2007-01-31 METHOD AND SYSTEM FOR SECURE AUTHORIZATION OF ACTIVATION OF A CRITICAL FUNCTION ON A DRONE

Publications (2)

Publication Number Publication Date
IL189095A0 IL189095A0 (en) 2008-11-03
IL189095A true IL189095A (en) 2011-11-30

Family

ID=38535646

Family Applications (1)

Application Number Title Priority Date Filing Date
IL189095A IL189095A (en) 2007-01-31 2008-01-29 Method and system for securely authorising the activation of a critical function on a drone

Country Status (4)

Country Link
EP (1) EP1956451B1 (en)
AT (1) ATE556363T1 (en)
FR (1) FR2912022B1 (en)
IL (1) IL189095A (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2016160593A1 (en) * 2015-03-27 2016-10-06 Amazon Technologies, Inc. Authenticated messages between unmanned vehicles
US9663226B2 (en) 2015-03-27 2017-05-30 Amazon Technologies, Inc. Influencing acceptance of messages in unmanned vehicles
US9714088B2 (en) 2015-03-27 2017-07-25 Amazon Technologies, Inc. Unmanned vehicle rollback
US10979415B2 (en) 2015-03-27 2021-04-13 Amazon Technologies, Inc. Unmanned vehicle message exchange

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
ES2416707T3 (en) 2008-08-08 2013-08-02 Saab Ab System of safely lowering a UAV
GB201110820D0 (en) 2011-06-24 2012-05-23 Bae Systems Plc Apparatus for use on unmanned vehicles
ITTO20110681A1 (en) * 2011-07-27 2013-01-28 Csp Innovazione Nelle Ict Scarl METHOD TO ALLOW MISSIONS OF AIR VEHICLES WITHOUT PILOT, IN PARTICULAR IN NON-SEGREGATED AIR SPACES
DE102013202585A1 (en) 2013-02-18 2014-08-21 Hochschule Ostwestfalen-Lippe Control unit for a flying object
FR3023636B1 (en) 2014-07-08 2017-11-10 Sagem Defense Securite ARCHITECTURE FOR TELE-OPERATED SYSTEMS
GB201715760D0 (en) 2017-09-28 2017-11-15 A P Møller Mærsk As A method and system for operating a ship

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1091273B1 (en) * 1999-08-31 2005-10-05 Swisscom AG Mobile robot and method for controlling a mobile robot
DE10229704A1 (en) * 2002-07-02 2004-01-29 Endress + Hauser Process Solutions Ag Process for protection against unauthorized access to a field device in process automation technology
FR2843668B3 (en) * 2002-08-14 2004-11-05 France Telecom REMOTE CONTROL SYSTEM FOR THE OPERATION OF AT LEAST ONE EQUIPMENT

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2016160593A1 (en) * 2015-03-27 2016-10-06 Amazon Technologies, Inc. Authenticated messages between unmanned vehicles
US9663226B2 (en) 2015-03-27 2017-05-30 Amazon Technologies, Inc. Influencing acceptance of messages in unmanned vehicles
US9714088B2 (en) 2015-03-27 2017-07-25 Amazon Technologies, Inc. Unmanned vehicle rollback
CN107438989A (en) * 2015-03-27 2017-12-05 亚马逊技术有限公司 Certification message between unmanned vehicle
CN107438989B (en) * 2015-03-27 2020-08-11 亚马逊技术有限公司 Authentication messages between unmanned vehicles
US10979415B2 (en) 2015-03-27 2021-04-13 Amazon Technologies, Inc. Unmanned vehicle message exchange

Also Published As

Publication number Publication date
ATE556363T1 (en) 2012-05-15
EP1956451B1 (en) 2012-05-02
EP1956451A1 (en) 2008-08-13
FR2912022A1 (en) 2008-08-01
FR2912022B1 (en) 2009-04-10
IL189095A0 (en) 2008-11-03

Similar Documents

Publication Publication Date Title
IL189095A (en) Method and system for securely authorising the activation of a critical function on a drone
JP7391424B2 (en) System for verifying the integrity of unmanned aircraft
US6860206B1 (en) Remote digital firing system
US7559269B2 (en) Remote digital firing system
US9871772B1 (en) Cryptographic system for secure command and control of remotely controlled devices
CN101350725A (en) Safety unit
US9355228B2 (en) System and method for policy driven protection of remote computing environments
CN108400919A (en) System and method for emitting message in controller zone network
US20170170972A1 (en) Unmanned aerial vehicle operator identity authentication system
US20180270052A1 (en) Cryptographic key distribution
CN106027260A (en) Key pre-distribution based automobile ECU integrity authentication and encrypted communication method
CN105094082B (en) Method for performing communication between control devices
CN109941228B (en) Device and method for unlocking vehicle component, vehicle and vehicle communication module
US5046006A (en) Mutual missile control system
Tayeb et al. Securing the positioning signals of autonomous vehicles
US9893886B2 (en) Communication device
US20090129594A1 (en) System and method for providing a trusted network facilitating inter-process communications via an e-box
Kent et al. Assuring vehicle update integrity using asymmetric public key infrastructure (PKI) and public key cryptography (PKC)
Iclodean et al. Safety and cybersecurity
FR3023636A1 (en) ARCHITECTURE FOR TELE-OPERATED SYSTEMS
KR20180058210A (en) Data verification method
Deshpande et al. Integrated vetronics survivability: Architectural design and framework study for vetronics survivability strategies
US20060237955A1 (en) Method and device for deactivating a pyrotechnic actuator in a motor vehicle
Schalk et al. Detection and mitigation of vulnerabilities in space network software bus architectures
Wei et al. Hazop-based security analysis for embedded systems: Case study of open

Legal Events

Date Code Title Description
FF Patent granted
KB Patent renewed
KB Patent renewed
KB Patent renewed