WO2018145798A1 - Network system and method for checking the functionality of a cloud-based control function - Google Patents

Network system and method for checking the functionality of a cloud-based control function

Info

Publication number
WO2018145798A1
Authority
WO
WIPO (PCT)
Prior art keywords
function
control function
information
release
functionality
Prior art date
Application number
PCT/EP2017/082613
Other languages
German (de)
English (en)
Inventor
Rainer Falk
Original Assignee
Siemens Aktiengesellschaft
Priority date
2017-02-07
Filing date
2017-12-13
Publication date
2018-08-16
Application filed by Siemens Aktiengesellschaft
Publication of WO2018145798A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/08 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    • H04L43/0805 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters by checking availability
    • H04L43/0817 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters by checking availability by checking functioning
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/12 Applying verification of the received information
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • H04L9/3268 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/10 Integrity
    • H04W12/108 Source integrity

Definitions

  • The present invention relates to a network system and method for checking the functionality of a cloud-based control function, and to an associated computer program (product).
  • Cryptographic protection goals such as integrity, confidentiality and authenticity of transmitted data objects can thereby be achieved. This guards against intentional, targeted attacks on data transmission.
  • Security refers mainly to the security, confidentiality and/or integrity of data and of its transmission, and to security, confidentiality and/or integrity when accessing relevant data.
  • Authentication during data transfer or data access, for example, also falls under the term "security".
  • Cryptographic functionality generally refers, for example, to a function for encryption, protection of confidentiality, integrity protection and/or authentication of data (e.g. user data, control data, configuration data or administrative data) and/or authentication of users.
  • The cryptographic protection functionality can include, for example, one or more of the functionalities listed below:
  • generating random numbers, e.g. seed generation
  • GSM: mobile radio interface
  • UMTS: Universal Mobile Telecommunication Standard
  • 5G: Fifth Generation
  • WLAN: Wireless Local Area Network
  • Bluetooth: used especially in building services
  • NFC: Near Field Communication
  • The data interface can be designed and set up as a serial or parallel data interface.
  • Communication between the devices and servers is not limited to point-to-point (peer) communication. There are also group communication, broadcast messages or
  • Control communication: on a vehicle bus, e.g. a CAN bus, the control communication is cryptographically protected against manipulation. However, this protection relates to individual data packets, not to a control functionality.
  • TPM: Trusted Platform Module
  • Edge computing in the area of 5G mobile telephony is also expected to implement control functions in autonomous systems in the future.
  • Assistance functions of a vehicle are realized by control units. Whether a certain functionality is available may be determined by the specific control unit installed, or the functionality can be installed as software on a control unit or unlocked there (e.g. during end-of-line programming at the factory, according to the ordered equipment variant).
  • The invention claims a system, preferably a network system, comprising: a network infrastructure having at least one control function which can be coupled to it and which can exchange control information with at least one device,
  • The checking function has at least one release function, which is designed to provide, in the case of a lack of functionality and/or faulty functionality detected by the checking function, revocation information which leads to revocation of a release of an activation and/or execution of the control function.
  • The network infrastructure may be a wired or wireless transmission network within which said functions may be organized, for example, in servers.
  • Server or cloud providers can use storage space and
  • The checking function may include monitoring and/or detection and/or analysis functions, which on the network side or
  • The tasks and (partial) functions of the checking function can be implemented fully in a single device, or in comparable shares across one or more clouds and a device.
  • A faulty functionality also includes an impairment or restriction of the functionality.
  • The checking of the functionality can be carried out continuously or permanently and/or once. It can then provide the revocation information, which can directly cause a revocation or initiate one.
  • The revocation information can lead to a one-time, temporary or permanent withdrawal of a possibly ongoing execution of the control function.
  • The revocation information can also be non-revocation information, i.e. a kind of positive confirmation that the control function is not revoked.
  • Devices can be, for example, vehicles, driverless transport systems, robots, test equipment or other components of an industrial plant.
  • The control function may include safety-related measures, such as stopping a vehicle or robot before a collision occurs. Control information regarding software or hardware versions can be delivered through the control function to the devices and to nodes/servers of the network infrastructure, in order to ensure compatibility and full functionality of the versions.
  • The safety or protective measures for a control function are thereby ensured.
  • The invention thus also serves as a kind of safety watchdog for a network infrastructure, which can be understood as a distributed cloud robotics system (see the following embodiment).
  • In one embodiment, such a safety-critical "malfunction" can be prevented in a tamper-resistant manner.
  • The invention is also characterized in that the activation of a non-released (e.g. earlier) version of a control function is reliably, and possibly in a tamper-protected manner, prevented. In particular, the compatibility of the device-side and network-side functionality versions is ensured.
  • A development of the invention provides a test device which is in communication with the network infrastructure and controllable by the control function, and which is designed to monitor the functioning of at least one device and to attest it to the network infrastructure for the control function.
  • The test device can provide corresponding monitoring information regarding the functionality of one or more devices.
  • The test device can execute the received control information either actually (physically) or in simulation (virtually).
  • A development of the invention provides that the revocation information can be provided if cryptographically protectable blocking information is present or if expected cryptographically protectable release information is absent.
  • A development of the invention provides that the release and/or blocking information can be predetermined or determined by the checking function.
  • A development of the invention provides that the checking of the functionality of the control function comprises a cryptographically protectable integrity check.
  • A development of the invention provides that a cloud processing center is arranged within the network infrastructure and is adapted to process, stop and/or end the task of the at least one device as instructed by the control function, the cloud processing center receiving the revocation information provided by the release function and forwarded by the control function.
  • A further aspect of the invention provides a device for checking the functionality of a control function, having at least one checking function for checking the functionality, which can be coupled to a network infrastructure to which at least one control function for controlling at least one device can be coupled, and at least one release function which is designed to provide, in the case of a lack of functionality and/or faulty functionality detected by the checking function, revocation information which leads to revocation of a release of an activation and/or execution of the control function.
  • A further aspect of the invention provides a method for operating a system of the type described above, which
  • a network infrastructure with at least one control function which can exchange control information with at least one device
  • revocation information is provided which leads to revocation of a release of an activation and/or execution of the control function.
  • The above functions may be implemented in software, firmware and/or hardware. They can be understood as a kind of functional unit, and several of them can be integrated in any combination into a single unit (component, server or device).
  • Another aspect of the invention may be a computer program or computer program product with at least one computer program having means for carrying out the method and its described embodiments, when the computer program (product) or the at least one computer program is executed, possibly in a distributed manner, within an apparatus of the type described above.
  • The method, and optionally the computer program (product), may be designed essentially analogously to the system or arrangement and its embodiments or further developments.
  • FIG. 1 schematically shows a network infrastructure to which the procedure according to the invention can be applied.
  • FIG. 2 is a flow chart.
  • FIG. 1 shows a possible embodiment of the invention.
  • A network infrastructure, such as a 5G network, has a control function CRS which can be implemented on the network side as a cloud service or as a function of a cloud server.
  • The cloud server is a "cloud robotics server" for controlling critical control functions on a robot; other devices V to be controlled, in the form of autonomous vehicles, are also conceivable.
  • A checking function in the form of a server is provided to continuously check the correct functionality of the cloud robotics server via another, second network infrastructure such as a public network PN.
  • The checking function is coupled directly or indirectly, via the network PN, to the first network infrastructure.
  • A Cloud Robotics Security Operation Center CRO is provided to detect and analyze security incidents. It can be used as a checking function alongside a further Cloud Robotics test server CRT, which is provided and which, for example, includes a release function; the activation of unreleased versions of said control function by providing a
  • A test device TD is provided which, like the devices V and R, is controlled by the cloud robotics server and which monitors the correct functionality (e.g.
  • The cloud robotics server can be arranged in a cloud processing center (not shown in the figure) in the network infrastructure of the 5G network, which quasi represents the "intelligence" of the devices V and R. It can handle operations of the robot and is in communication with the control function.
  • The control function can also be integrated into the device, e.g. V, instead of being provided as a cloud robotics server CRS; this is more likely to be the case with an autonomously driving vehicle, which must continue to function "autonomously" even in the absence of a network connection to the 5G network.
  • Both the checking function and the control function can be flexibly implemented in different forms within the network infrastructures.
  • The checking function may also be integrated into the above-mentioned cloud processing center.
  • The provided revocation information can be cryptographically encrypted.
  • The revocation information is provided when cryptographically protectable blocking information is present or when expected cryptographically protectable release information is absent.
  • A cryptographic key, or a digital certificate that contains a cryptographic key, can be revoked. It is possible to list a certificate in a certificate revocation list, or to use an OCSP response to confirm the current revocation status of a digital certificate. The invention can use this kind of revocation if the encrypted or certified release information is to be revoked in this way.
  • A control function can only be activated if cryptographically protected release information (release attestation) exists that can be assigned to the control function. This can be predetermined, issued administratively, or issued automatically by a self-test or by the checking function. Several releases may be required (e.g. no administrative revocation and a positive confirmation of the self-test).
  • The several releases may relate in particular to different components of a cloud solution (e.g. backend self-test, released vehicle control function for the current backend version status). This makes it possible to reliably prevent an outdated version level on the device side from being activated which is not released for the current version of the cloud side. Furthermore, it can reliably be prevented that a control function, in particular a device-side control function, is activated if the cloud side has a malfunction.
  • For the revocation, a whitelisting or a blacklisting strategy can be used, individually or in combination:
  • The release or blocking information can refer to an abstract functionality, to a specific software version of a firmware, or to a combination of software versions of several control functions or control units. Furthermore, the information can specify the hardware version of the control unit. Furthermore, a geographic area to which the release or blocking information refers can be specified.
  • The release or blocking information is preferably protected by a cryptographic checksum (digital signature, message authentication code).
  • The release information, in particular of a safety-critical control function, is variable according to the invention, i.e. it can be restricted on the fly. In particular, a safety-relevant control function for autonomous or assisted driving which has already proven in practice to be unreliable, flawed, manipulated or tampered with can thereby be disabled so that no further threat emanates from it. The activation of a corresponding driving function in a vehicle can hereby be reliably prevented.
  • The Cloud Robotics Security Operation Server CRO issues release information (evaluated by the Cloud Robotics
  • The test device TD issues an attestation (evaluated by
  • A shutdown occurs (e.g. handover to the driver) or an autonomous emergency program is activated (e.g. stopping at the edge of the lane).
  • The check can be done locally in a vehicle or in a backend system (cloud robotics).
  • The integrity check is preferably cryptographically protected (attestation of the release confirmation). As described above, cryptographically protected release information is used for the activation of a control function. This means that the release information (or blocking information) can either be administered administratively (e.g. in the case of recognized weaknesses) or be determined by the functionality check itself (attested self-test).
  • FIG. 2 shows a flow chart for the procedure according to the invention; the starting point is step S0.
  • A control function is activated.
  • In step S2 a check of this control function is performed by the checking function. It is checked whether release information (release attestation) exists for the control function. This is the case if there is neither faulty functionality of the control function nor a lack of functionality. If the result of the check is in order (see step S3), then in step S4 the control function is activated. If the result of the check is not in order, then in step 6 revocation information is provided which, for an already activated and operating control function, leads to revocation of the released activation. Ultimately this results in a temporary, one-time or permanent blocking or deactivation of the control function. Step S6 marks the end of the procedure explained above.
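The release check described in the passages on release and blocking information above (release attestation, several required releases, whitelisting and blacklisting, information that may refer to a software version, a hardware version or a geographic area) and in the flow chart (steps S2 to S6) can be shown end to end. The Python block below is an added example written for this page; it is not code from the patent or from Siemens. It assumes an HMAC-SHA256 message authentication code as the cryptographic checksum (a real deployment would more likely use digital signatures with certificates, as the text also allows), two constructed issuers named `admin` (the administrative release function) and `selftest` (the attested self-test), JSON payloads whose field names (`function`, `sw_version`, `hw_version`, `regions`, `expires`, `reason`) are this example's own, and helper names (`issue`, `verify`, `check_control_function`, `demo`) that do not come from the patent.

```python
"""Release attestation check for a control function (added example)."""
import hashlib
import hmac
import json
import time

# Constructed keys (assumption): the administrative release function and the
# attested self-test each hold their own MAC key.
KEYS = {
    "admin": b"constructed-admin-release-key",
    "selftest": b"constructed-selftest-attestation-key",
}
REQUIRED_RELEASES = {"admin", "selftest"}   # several releases are required


def _mac(key, payload):
    """Cryptographic checksum over a canonical JSON encoding of the payload."""
    data = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def issue(issuer, payload):
    """Issue MAC-protected release, blocking or attestation information."""
    payload = dict(payload, issuer=issuer)
    return {"payload": payload, "mac": _mac(KEYS[issuer], payload)}


def verify(message):
    """Return the payload if the MAC is valid for the named issuer, else None."""
    try:
        payload, mac = message["payload"], message["mac"]
        key = KEYS[payload["issuer"]]
    except (KeyError, TypeError):
        return None
    if not hmac.compare_digest(_mac(key, payload), mac):
        return None
    return payload


def _matches(info, function_id, sw_version, hw_version, region):
    """Information applies if every field it specifies matches; omitted fields
    are wildcards, so one item may cover a whole function, one version or one area."""
    return (info.get("function") == function_id
            and info.get("sw_version") in (None, sw_version)
            and info.get("hw_version") in (None, hw_version)
            and (info.get("regions") is None or region in info["regions"]))


def check_control_function(function_id, sw_version, hw_version, region,
                           release_msgs, blocking_msgs, now=None):
    """Steps S2/S3: blacklisting (any valid matching block revokes) first, then
    whitelisting (a valid, matching, unexpired release from every required
    issuer). Returns (activate, info); info is the revocation information, or
    the positive non-revocation confirmation when activate is True."""
    now = time.time() if now is None else now
    reasons = []
    for msg in blocking_msgs:
        blk = verify(msg)
        if blk is None:
            reasons.append("blocking information with invalid MAC ignored")
        elif _matches(blk, function_id, sw_version, hw_version, region):
            return False, {"function": function_id, "revoked": True,
                           "reason": "blocked: " + blk.get("reason", "unspecified")}
    valid_issuers = set()
    for msg in release_msgs:
        rel = verify(msg)
        if rel is None:
            reasons.append("release information with invalid MAC ignored")
        elif not _matches(rel, function_id, sw_version, hw_version, region):
            reasons.append(f"release from {rel['issuer']} does not cover this version/region")
        elif rel.get("expires", float("inf")) <= now:
            reasons.append(f"release from {rel['issuer']} has expired")
        else:
            valid_issuers.add(rel["issuer"])
    missing = REQUIRED_RELEASES - valid_issuers
    if missing:
        reasons.append("missing release from: " + ", ".join(sorted(missing)))
        return False, {"function": function_id, "revoked": True,
                       "reason": "; ".join(reasons)}
    return True, {"function": function_id, "revoked": False,
                  "reason": "release attested by " + ", ".join(sorted(valid_issuers))}


def demo(now=1_700_000_000):
    """Constructed scenario: function 'lane_keep', software 2.3, hardware B, region EU."""
    admin_release = issue("admin", {"function": "lane_keep", "sw_version": "2.3",
                                    "hw_version": "B", "regions": ["EU"],
                                    "expires": now + 86400})
    selftest_ok = issue("selftest", {"function": "lane_keep", "sw_version": "2.3",
                                     "hw_version": "B", "expires": now + 3600})
    block_old = issue("admin", {"function": "lane_keep", "sw_version": "2.2",
                                "reason": "recognized weakness in 2.2"})
    tampered = json.loads(json.dumps(admin_release))
    tampered["payload"]["regions"] = ["EU", "US"]   # edited without re-signing
    cases = {
        "released": ("2.3", "EU", [admin_release, selftest_ok], [block_old]),
        "outdated": ("2.2", "EU", [admin_release, selftest_ok], [block_old]),
        "wrong_region": ("2.3", "US", [admin_release, selftest_ok], [block_old]),
        "tampered": ("2.3", "US", [tampered, selftest_ok], []),
        "selftest_only": ("2.3", "EU", [selftest_ok], []),
    }
    return {name: check_control_function("lane_keep", sw, "B", region, rels, blks, now)
            for name, (sw, region, rels, blks) in cases.items()}
```

Two design points follow the text rather than convenience: the MAC is checked before any field of a message is read, so forged or edited information is discarded instead of trusted, and blocking information is evaluated before release information, so an administrative block for a recognized weakness wins even when valid releases exist. Of the five constructed cases only `released` activates; `outdated` is revoked by the block on version 2.2, `wrong_region` and `selftest_only` lack the required administrative release, and `tampered` shows the edited release being ignored.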
  • The implementation of the processes and procedures described above may be based on instructions stored on computer-readable storage media or in volatile computer memories (collectively referred to as computer-readable storage).
  • Computer-readable memory is, for example, volatile memory such as caches, buffers or RAM, and non-volatile memory such as data carriers, hard disks, etc.
  • The functions or steps described above may be in the form of at least one instruction set in/on a computer-readable memory. The functions or steps are not bound to a particular instruction set or to a particular form of instruction sets, nor to a particular storage medium, processor or execution scheme, and can be performed by software, firmware, microcode, hardware, processors, integrated circuits, etc., in stand-alone mode or in any combination.
  • Various processing strategies can be used, for example serial processing by a single processor, or multiprocessing, multitasking or parallel processing, etc.
  • The instructions can be stored in local memories, but it is also possible to store the instructions on a remote system and access them via a network.
  • "Processor", "central signal processing", "control unit" or "data evaluation means", as used here, include processing means in the broad sense, i.e., for example, servers, general-purpose processors, graphics processors, digital signal processors, application-specific integrated circuits (ASICs), programmable logic circuits such as FPGAs, discrete analog or digital circuits and any combinations thereof, and any other processing means known in the art or developed in the future.
  • Processors can consist of one or more devices or units. If a processor consists of several devices, these can be designed or configured for parallel or sequential processing or execution of instructions.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Environmental & Geological Engineering (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The present invention relates to a network system and a method for checking the functionality of a cloud-based control function, and to an associated computer program (product). The invention claims a system or arrangement, preferably a network system or network arrangement, comprising: - a network infrastructure having a control function which can be coupled to it and which can exchange control information with at least one device, - characterized by at least one checking function which can be coupled to the network infrastructure for checking the functionality of the control function, the checking function having at least one release function which is configured, in the case of a lack of functionality and/or faulty functionality detected by the checking function, to provide revocation information which leads to revocation of a release of an activation and/or execution of the control function.
PCT/EP2017/082613 2017-02-07 2017-12-13 Network system and method for checking the functionality of a cloud-based control function WO2018145798A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
DE102017201857.7 2017-02-07
DE102017201857.7A DE102017201857A1 (de) 2017-02-07 2017-02-07 Network system and method for checking the functionality of a cloud-based control function

Publications (1)

Publication Number Publication Date
WO2018145798A1 true WO2018145798A1 (fr) 2018-08-16

Family

ID=61024713

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2017/082613 WO2018145798A1 (fr) 2017-02-07 2017-12-13 Network system and method for checking the functionality of a cloud-based control function

Country Status (2)

Country Link
DE (1) DE102017201857A1 (fr)
WO (1) WO2018145798A1 (fr)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111273892A (zh) * 2020-02-13 2020-06-12 济南浪潮高新科技投资发展有限公司 Method for implementing an intelligent robot based on cloud technology and edge computing
DE102021203940A1 (de) 2021-04-21 2022-10-27 Robert Bosch Gesellschaft mit beschränkter Haftung Method and device for processing data associated with an electronic device for a vehicle

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2010102222A2 (fr) * 2009-03-05 2010-09-10 Interdigital Patent Holdings, Inc. Method and apparatus for verifying and validating the integrity of an H(e)NB
US20120265976A1 (en) * 2011-04-18 2012-10-18 Bank Of America Corporation Secure Network Cloud Architecture

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Stefan Berger, Kenneth Goldman, Dimitrios Pendarakis, David Safford, Enriquillo Valdez, Mimi Zohar: "Scalable Attestation: A Step toward Secure and Trusted Clouds", IEEE Cloud Computing, vol. 2, no. 5, September 2015 (2015-09-01). Retrieved from the Internet: https://www.computer.org/csdl/mags/cd/2015/05/mcd2015050010-abs.html

Also Published As

Publication number Publication date
DE102017201857A1 (de) 2018-08-09

Similar Documents

Publication Publication Date Title
DE112014005412B4 (de) Program update system and program update method
EP3451576B1 (fr) System and method for cryptographically protected monitoring of at least one component of a device or installation
EP2586178B1 (fr) Tamper-proof key management method
WO2018010949A1 (fr) Method for establishing secure communication connections to an industrial automation system, and firewall system
DE102018103772A1 (de) Monitoring system for a protective device, and protective device
DE102018101479A1 (de) Control interface for an autonomous vehicle
EP3582033A1 (fr) Method and device for secure operation of a field device
WO2018157960A1 (fr) Method and system for releasing user access to a server coupled to an embedded system
EP3582521A1 (fr) Device and method for arranging and/or providing a working environment, in particular applied in a machine economy environment
WO2018145798A1 (fr) Network system and method for checking the functionality of a cloud-based control function
EP2548358A1 (fr) Method for dynamic authorization of a mobile communication device
EP3439229A1 (fr) Method and device for performing a security function, in particular in the environment of a device and/or installation control
EP3525390A1 (fr) Device and method for providing at least one secure cryptographic key for cryptographic data protection initiated by a control device
WO2019243052A1 (fr) Method and device for mutual monitoring and/or control of autonomous technical systems
EP3541009A1 (fr) Method and device for ensuring cryptographically protected data transmission between a first device and a second device
WO2019175086A1 (fr) Method and device for cryptographically protected data transmission between a first device and a second device
DE112019005250T5 (de) Control device, industrial control system and method for extending the validity period of encryption keys
EP3252990A1 (fr) Method and device for providing a secret for authenticating a system and/or system components
EP3401831B1 (fr) Device and method for detecting physical manipulation of an electronic security module
DE102016106638B4 (de) Method for enabling a function of a measuring and/or actuating device, and correspondingly designed measuring and/or actuating device
WO2021023754A1 (fr) Detection of manipulated clients in a control system
EP3439228B1 (fr) Method and device for performing a security function, in particular in the environment of a device and/or installation control
EP3832508B1 (fr) Blocking or revoking a device certificate
DE102022123225A1 (de) Verification of a computing device
EP3347851A1 (fr) Protective device, safety system and protection method

Legal Events

Date Code Title Description
121 Ep: the EPO has been informed by WIPO that EP was designated in this application (Ref document number: 17835462; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: PCT application non-entry in European phase (Ref document number: 17835462; Country of ref document: EP; Kind code of ref document: A1)