WO2020048612A1 - Secure clock syncronization - Google Patents


Info

Publication number
WO2020048612A1
Authority
WO
WIPO (PCT)
Prior art keywords
data
receiver
management system
receiver systems
time
Application number
PCT/EP2018/074152
Other languages
French (fr)
Inventor
Zdenek Chaloupka
Lionel Ries
James Curran
Original Assignee
European Space Agency (Esa)
Application filed by European Space Agency (Esa)
Priority to PCT/EP2018/074152
Publication of WO2020048612A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04J MULTIPLEX COMMUNICATION
    • H04J3/00 Time-division multiplex systems
    • H04J3/02 Details
    • H04J3/06 Synchronising arrangements
    • H04J3/0635 Clock or time synchronisation in a network
    • H04J3/0676 Mutual
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W56/00 Synchronisation arrangements
    • H04W56/001 Synchronization between nodes
    • H04W56/002 Mutual synchronization

Definitions

  • the invention relates to a method of enabling secure synchronization of time clocks of a plurality of receiver systems, a method of managing secure time clock synchronization, a receiver method of enabling secure synchronization.
  • the invention further relates to a communication system comprising a plurality of receiver systems, a management system for managing synchronization of said time clocks and a transmitter
  • the invention further relates to a management system, a receiver system for use in such communication system and a computer readable medium.
  • An accurate, secure and reliable time transfer is a key enabler for emerging fixed and mobile services worldwide.
  • applications such as for example autonomous vehicles, terrestrial positioning, 5G mobile broadband, mobile multimedia broadcast, power grids, terrestrial positioning services, financial operations, Internet of Things, big data, cloud processing, etc.
  • reliable time information enables the application to work correctly and efficiently.
  • the time information should be transferred accurately and in a seamless and ubiquitous manner.
  • US2012/0177027 discloses devices and methods for providing a time synchronized Wireless Local Area Network (WLAN) system.
  • APs in the WLAN system can determine timing information from Global Navigation Satellite Systems (GNSS) satellite, so as to synchronize with each other.
  • the synchronized APs can then be used to determine position information for devices on the network using pseudo-ranging techniques.
  • the access point includes a receiver portion, a timing signal portion and a clock.
  • the receiver portion is configured to obtain a signal transmitted by a navigation satellite.
  • the timing signal portion is configured to extract timing information from the signal obtained by the receiver portion based upon a known position of the access point.
  • the clock is configured to be compensated with the timing information.
  • the access point has a communication link configured to relay timing information to a second access point.
  • the receiver portion is configured to track a satellite common to the second access point.
  • the timing signal portion of the access point is configured to compute a time difference between the access point and the second access point based on a true transit time and a pseudo-transit time for a signal from the satellite.
  • transfer of timing information may be sensitive to, for example jamming, spoofing or meaconing causing an error in the determination of the position information for devices in the network.
  • a receiver method of enabling secure synchronization of time clocks as defined in claim 13.
  • a computer readable medium as defined in claim 14.
  • a management system as defined in claim 15.
  • a receiver system as defined in claim 19.
  • a communication system as defined in claim 22.
  • the communication system comprises a plurality of receiver systems, a management system, which manages synchronization of time clocks of the receiver systems and a transmitter that transmits a common signal to the receiver systems.
  • the receiver systems are configured to mutually synchronize their time clocks based on a difference in time when the common signal is observed by each of the receiver systems.
  • the management system establishes a secure communication channel between the management system and the receiver systems using cryptographic keys. Time clock synchronization in the system occurs via the secure communication channel.
  • the communication channel may be encrypted. For example the data may be transferred through the communication channel in an encrypted form.
  • the receiver systems mutually synchronize their time clocks by exchanging data indicative of the time difference via the secure communication channel.
  • the management system may generate configuration data which configures the receiver systems.
  • Said data comprises the configuration data.
  • This configuration data comprises observation data indicating when the received common signal is to be observed by each receiver system.
  • the configuration data is sent to at least one receiver system via the secure communication channel.
  • the receiver systems configure receiving of the common signal based on the configuration data.
  • the exchanged data further comprises capability data.
  • the receiver systems may send the capability data to the management system.
  • the capability data defines an operational capability of the receiver systems.
  • management system may generate the configuration data based on the capability data.
  • the observation data may comprise specification of a time instant indicating when the received common signal is to be observed by each receiver system.
  • the time instant is used for synchronization of the time clocks. Since the time instant is exchanged between the receiver systems and the management system via the secure communication channel, the time instant is securely exchanged and cannot be easily spoofed or jammed. Security of time synchronization is improved.
  • the observation data of the invention instructs the devices on when the common signal received from the transmitter should be observed. Since the common transmitter does not necessarily have to be a GNSS satellite, the time clock synchronization method of the invention can be used for synchronizing the time clocks of systems placed, for example, indoors. Any signal penetrating indoor locations that could be commonly observed by the receiver systems is a suitable signal for the invention.
  • Such (indoor) receiver systems may be, for example, switching devices of power grid system, home base stations of personal communication system or any other suitable indoor devices.
  • establishing the secure communication channel comprises generating a secret key, sharing the secret key between the receiver systems, and encrypting the data prior to exchanging the data via the secure communication channel.
  • the capability data may be encrypted with the secret key prior to transmitting the capability data to the management system.
  • the configuration data may be encrypted with the secret key prior to transmitting the configuration data to the receiver systems.
  • the observation data may comprise a reference timestamping signal.
  • the system further comprises a gateway system configured to trigger the transmitter to send random cryptographic data to the receiver systems.
  • the random cryptographic data may comprise the reference timestamping signal.
  • the two reference timestamping signals are, for example, continuously cross-correlated to generate a cross-correlation function at each receiver system.
  • a timestamp (instant of time) is generated at each receiver system.
  • a difference between the timestamps indicates timing offset between receiver systems and hence is used to synchronize the time clocks of the receiver systems with the time clock of a reference receiver system.
  • the random cryptographic data comprises a public key and a private key corresponding to the public key.
  • the private key is transmitted to the receiver systems, the public key is transmitted to the common transmitter via the gateway system.
  • the private key is a pseudo random sequence of data and the public key is a pseudo sub-sequence of data of the private key.
  • Figure 1 schematically shows an example of an embodiment of a communication system
  • Figure 2 schematically shows an example of an embodiment of a communication system
  • Figure 3 schematically shows an example of an embodiment of a receiver system
  • Figure 4 schematically shows an example of an embodiment of a receiver system
  • Figure 5 schematically shows an example of an embodiment of a management system
  • Figure 6 schematically shows an example of an embodiment of a transmitter
  • FIG. 7 schematically shows an example of an embodiment of a gateway system
  • Figure 8 schematically shows an example of a time clock synchronization method according to an embodiment
  • Figure 9 schematically shows an example of a time clock synchronization method according to an embodiment
  • Figure 10a schematically shows a computer readable medium having a writable part comprising a computer program according to an embodiment
  • Figure 10b schematically shows a representation of a processor system according to an embodiment.
  • Figure 11 schematically shows an example of a cross-correlation function
  • Figure 12 schematically shows an example of an embodiment of a communication system
  • Figure 13 shows a graph of synchronization error measurements for an embodiment of a communication system
  • Figure 14 shows a graph of a cumulative distribution function measured for an embodiment of a communication system
  • Figure 15 shows a graph of synchronization error measurements for an embodiment of a communication system
  • Figure 16 shows a graph of a cumulative distribution function measured for an embodiment of a communication system
  • Figure 17 shows a graph of a cumulative probability of error versus a correlation ratio measured for an embodiment of a communication system.
  • time synchronization enables communication between vehicles or between vehicles and other devices of the system.
  • malicious attacks or unintentional jamming of time synchronization infrastructures may lead to vehicle accidents or other massive damages in the system.
  • In power grids, frequency and phase synchronization is critical for correct balancing of the power grid and efficient power transfer. Any malicious or unintentional interruption of the power grid synchronization could lead to black-outs and serious economic damage.
  • Proper power grid balancing requires the power grid to adapt efficiently to continuously varying power generation and demand. For example, power generated by renewable energy sources may rapidly change.
  • In order to maintain the balance between power generation and demand, the load of the power grid is varied dynamically in response to the available power. Dynamically varying the load involves switching certain loads on and off in a timely manner, for example with sub-millisecond accuracy. Typically these loads are small-scale commercial devices such as refrigeration, heating, or smelting devices. Many of these switching devices have no visibility of GNSS satellites, so the timing needs to be delivered by other means.
  • GNSS signals without significant costs.
  • the required accuracy is around 100 ns.
  • One of such communication system comprises at least a plurality of receiver systems, a management system which manages synchronization of time clocks of the receiver systems and a transmitter that transmits a common signal to the receiver systems.
  • the receiver systems are configured to mutually synchronize their time clocks based on a difference in time when the common signal is observed by each of the receiver systems.
  • the management system establishes a secure communication channel between the management system and the receiver systems using cryptographic keys. Time clock synchronization in the system occurs via the secure communication channel.
  • the communication channel may be encrypted; for example, the data may be transferred through the communication channel in encrypted form.
  • the management system may generate configuration data which configures the receiver systems. This configuration data may comprise observation data.
  • the observation data indicates when the received common signal is observed by each receiver system. Since the observation data is exchanged between the receiver systems and the management system via the secure communication channel, the observation data is securely exchanged and cannot be easily spoofed or jammed. Security of time synchronization is improved.
  • the invention is not limited to GNSS systems.
  • the observation data of the invention instructs the receiver systems on when the common signal received by the transmitter should be observed. Therefore, the time clock synchronization method of the invention can be used for synchronizing the time clocks of receiver systems placed, for example, indoor, which cannot receive GNSS satellite signals.
  • Such receiver systems may be switching devices of power grid system, home base stations of personal communication system, etc. as reported above.
  • the observation data may comprise a reference timestamping signal which is shared between the receiver systems.
  • the management system may trigger the transmitter, via, for example, a gateway system, to transmit the same reference timestamping signal to the receiver systems.
  • the two signals are for example, continuously, cross-correlated to generate a cross-correlation function at each receiver system. If the output of the cross-correlation function exceeds a certain threshold level then a timestamp (instant of time) is generated at each receiver system.
  • a difference between the timestamps is used to synchronize the time clocks of the receiver systems with the time clock of a reference receiver system.
  • FIG. 1 schematically shows an example of an embodiment of a communication system 10.
  • Communication system 10 may be any systems of the examples described above.
  • Communication system 10 comprises a first receiver system 100 and a second receiver system 200, a management system 300 and a transmitter 400.
  • Communication system 10 may comprise more than two receiver systems and more than one transmitter.
  • the receiver systems may be suitable to receive a common signal from transmitter 400.
  • the receiver systems may be GNSS receivers and the transmitter a satellite; in power grid systems, the receiver systems may be implemented in switching devices; in personal communication systems, the receiver systems may be mobile receivers and the transmitter a Power base station, etc.
  • the receiver systems may also have, as in some embodiments shown below, receiving functions, transmitting functions, networking functions, memory and processing functions, be implemented wholly or in part in software programmable devices.
  • the receiver systems may be capable to operate at different carrier frequencies, different bandwidths, etc.
  • One or more receiver system may be used for timing reference to synchronize the time clocks of the other receiver systems in the communication system.
  • one or more receiver systems may be so-called master receiver systems and the remaining receiver systems so-called slave receiver systems.
  • Time clock of the slave receiver systems is synchronized with the time clock of the master receiver systems.
  • Time clocks of master receiver systems may be highly accurate reference clocks, for example atomic clocks or reference clocks which are periodically calibrated with high accurate clocks.
  • receiver system 100 is the master receiver system and receiver system 200 is the slave receiver system.
  • receiver 100 may be configured to obtain a reference time clock from an external device.
  • receiver system 100 comprises a clock generator to generate a master time clock.
  • receiver 100 comprises a processor to process timing signals, e.g., GNSS, eLoran, 3G/4G, IEEE 1588 PTP, NTP signals, to generate a master time clock.
  • master receiver system and slave receiver system may be interchanged as long as the master receiver system has a master clock used as reference for the other receiver systems.
  • the master receiver system is enabled to transmit computed data, for example timestamps, or random sequence of data, to the management system and the slave receiver systems such that the slave receiver systems can be synchronized with such computed data.
  • Management system 300 establishes a secure communication channel 150 between receiver systems 100, 200 and management system 300 using
  • Receiver systems 100 and 200 communicate with management system 300 via secure communication channel 150.
  • Receiver systems 100 and 200 may exchange capability data 412 and 416 with management system 300 via secure communication channel 150.
  • Receiver system 100 and 200 may communicate between each other, and management system 300, via respective communication interfaces as explained below with reference to embodiments of a receiver system and a management system.
  • capability data 412 and 416 define an operational capability of the receiver systems.
  • capability data may comprise one or more of the group of: carrier frequency, frequency bandwidth and time of data recording of the common signal.
  • Receiver systems may be multi-purpose receivers capable of operating across different telecommunication standards. They may be capable of operating at different carrier frequencies, different bandwidths, etc. This frequency and/or bandwidth information is included in capability data 412, 416 passed over to management system 300.
  • Receiver systems 100 and 200 receive a common signal 410 from transmitter 400.
  • Management system 300 generates configuration data 414 and 418.
  • Configuration data 414 and 418 is transmitted to receiver system 100 and receiver system 200, respectively.
  • Configuration data operatively configures receiver systems 100, 200.
  • Management system 300 controls receiver systems 100 and 200 via the configuration data.
  • the configuration data may comprise information of the system in which receiver systems 100 and 200 operate.
  • the configuration data configures the receiver systems as GNSS receivers.
  • In GNSS systems the receivers must be capable of receiving signals from GNSS satellites; thereby the configuration data can configure the receivers within the hardware capabilities of the receivers.
  • the configuration data is generated based upon the capability data.
  • the receiver systems may be off-the-shelf receiver systems capable to work for different communication standards.
  • the configuration data transmitted to receiver systems 100 and 200 may configure the software of receiver systems 100 and 200 such that receiver systems 100 and 200 are configured as GNSS receivers.
  • receiver systems 100 and 200 may be configured as mobile receivers, power grid switching receiver device, etc.
  • the configuration data may include observation data, e.g. time information on when the common signal is observed by the receiver systems.
  • Synchronization between time clocks of receiver system 100 and receiver system 200 is based on a time difference between two time instants of observation of the common signal by receiver system 100 and receiver system 200, respectively.
  • Observation in this invention means measurement of one or more signals. Observation may involve cross-correlating two signals at each receiver system, one signal transmitted from the common transmitter to the receiver systems and the other signal passed from the management system to the receiver systems that includes the observation data. Alternatively, observation may involve cross-correlating two signals at one receiver system, each signal comprising a predetermined number of samples of the common signal received by each receiver system, e.g. a (random) sequence of data.
  • the observation data comprises samples of a timestamping reference signal.
  • Synchronization may comprise cross-correlating, e.g. in time or frequency, the samples of the timestamping reference signal with samples of the common signal to generate a first cross-correlation function and a second cross correlation function.
  • the instants of time observation are determined from the first cross-correlation function and second cross-correlation function, respectively. This determination may be based on an output of the cross-correlation function exceeding a certain threshold value. This output is broadcasted via the secure communication channel to the receiver system which needs clock synchronization.
  • Samples of the timestamping reference signal may be random cryptographic data, for example a random sequence of data like numbers, binary, alphanumeric or other type of suitable codes.
  • the data may be encrypted.
  • the common signal received from the transmitter comprises the same random data.
  • the two sequences of data are cross-correlated at each receiver system and the respective output of the respective cross correlation function calculated.
  • the timestamping reference signal is generated in the management system and is securely shared with the receiver systems.
  • the transmitter is triggered by the management system to send the same random data with the common signal.
  • configuration data 414 and 418 is periodically re-generated by management system 300 and sent by management system 300 to first receiver system 100 and second receiver system 200 via secure communication channel 150.
  • the carrier frequency or the frequency bandwidth may periodically change.
  • One advantage is that, for example, an attacker would not know at which carrier frequency or in which frequency bandwidth the data are transmitted.
  • the observation data may be periodically re-generated and sent to the receiver systems.
  • An advantage of periodically changing the observation data is that, for example, an attacker would have even lesser chances of success trying to spoof the sequence of data transmitted from the transmitter to the receiver systems.
  • the transmitter is triggered by the management system to transmit a specific sequence of data.
  • the receiver systems may each time agree on, for example, a new specific carrier frequency or new frequency bandwidth.
  • the transmitter may send a specific sequence of data in that carrier frequency or frequency bandwidth only known to the receiver systems.
  • the transmitter may be triggered to send a specific sequence of data in different alternative ways.
  • the transmitter may be periodically triggered to send a specific sequence of data. For example, as it will be described in an embodiment below, when high cross-correlation output level is found between this specific sequence data sent by the transmitter and the specific sequence of data generated by the management system, the time clocks can be synchronized.
  • the transmitter may be triggered by the management system via a gateway system.
  • Figure 2 shows an example of such an embodiment of a communication system 20.
  • Communication system 20 differs from communication system 10 shown in Figure 1, in that it further comprises a gateway system 500.
  • Gateway system 500 may be arranged to trigger transmitter 400 to transmit a specific sequence of data which is only known to receiver systems 100 and 200.
  • management system 300 generates for example random cryptographic data and broadcasts the generated random cryptographic data to first receiver system 100 and the second receiver system 200 via secure communication channel 150.
  • Management system 300 may transmit the random cryptographic data to the common transmitter 400 via gateway system 500 as schematically indicated by the dashed line in Figure 2.
  • Transmitter 400 transmits the random cryptographic data to first receiver system 100 and second receiver system 200.
  • Management system 300 may regenerate the configuration data based upon a reception of the random cryptographic data. For example, if the cryptographic data known by the receiver systems match the cryptographic data sent by transmitter 400, management system 300 is triggered to regenerate the configuration data, for example a new time of recording or a new carrier frequency or even a new timestamping reference signal may be set. Random cryptographic data is only known to the receiver systems.
  • An advantage is that, for example, an attacker would not know how to interpret the random cryptographic data sent by transmitter 400 to receiver systems 100 and 200.
  • the random cryptographic data may be updated periodically.
  • One of the advantages of periodically updating the random cryptographic data is to enhance security. For example, an attacker has less chances of intercepting valid data.
  • communication system 20 may be an Iridium satellite system.
  • Gateway system 300 may be an Iridium internet gateway, transmitter 400 an Iridium satellite constellation and receiver systems 100 and 200, Iridium receivers.
  • the signal triggering Iridium satellite constellation 400 (dashed line in Figure 2) may be a Short Burst Data (SBD) message.
  • satellite signals may be used and/or other satellite constellations contemplated, for example satellite mega-constellations, satellite television (TV) or terrestrial infrastructures like mobile network signals, etc.
  • the random cryptographic data comprises a public key and a private key corresponding to the public key.
  • the private key is transmitted to first receiver system 100 and the second receiver system 200.
  • the public key is transmitted to common transmitter 400.
  • management system 300 may trigger re-generation of the configuration data.
  • the private key may be a pseudo random sequence of data, e.g., numbers, and the public key a pseudo sub-sequence of data, e.g., numbers, of the private key.
  • the management system may comprise a pseudo random number generator to generate a pseudo random sequence of numbers.
  • the pseudo random number generator may use the random sequence of data, for example the timestamping reference data mentioned above, as a seed for generating the pseudo random sequence of numbers.
  • the seed allows the pseudo random generator to generate, for example, arbitrarily long, sequences. Smaller portions of these sequences can be transmitted to transmitter 400 via gateway system 500 only once.
  • these smaller sequence portions can be updated, for example periodically, and re-transmitted again.
  • FIG. 3 and Figure 4 schematically show an example of an embodiment of a first receiver system 100 and a second receiver system 200. It is understood that receiver system 200 is a receiver system similar to receiver system 100. Receiver system 200 may differ from receiver system 100 in that receiver system 100 is a master receiver system and receiver system 200 is a slave receiver system as described with reference to communication systems 10 and 20.
  • Receiver system 100 comprises an antenna interface 120, a communication interface 130, a storage interface 192, a processor 194, a memory 196 and a first time clock 198.
  • Antenna interface 120 is configured to receive a common signal from common transmitter 400 shown in Figure 1 and 2.
  • Communication interface 130 is configured to securely communicate with management system 300 shown in systems 10 and 20 of Figures 1 and 2.
  • Communication interface 130 can securely exchange data with the management system indicative of a time when the common signal is to be observed by receiver system 100.
  • Clock generators 198, 298 are configured to generate a first time clock and a second time clock.
  • the first time clock may be a master time clock and the second time clock a slave time clock requiring synchronization from the first time clock.
  • Processors 194, 294 may be configured to generate capability data defining an operational capability of receiver systems 100 and 200.
  • Processor 194 may be configured to generate the time indicating when the received common signal is observed by receiver system 100, and to synchronize the time clock with another time clock of another receiver system, based on a time difference between a time indicating when the received common signal is observed by the other receiver system and the generated time of observation. Synchronization is performed when required. It may be that the receiver system is a master receiver system and synchronization with another receiver system of the system is not required.
  • Antenna interfaces 120, 220 may be any type of antenna suitable for the specific implementation.
  • antenna interface 120 may be, but it is not limited to, e.g., a Wi-Fi antenna, 3G, 4G or 5G antenna, or a satellite antenna, e.g., a GPS, GALILEO antenna, etc., or a combination thereof.
  • Receiver systems 100, 200 and the various systems 300, 500 of communication system 10 and 20 may communicate with each other over a secure communication channel 150, for example a computer network.
  • Computer network 150 may be an internet, an intranet, a LAN, a WLAN, etc.
  • Computer network 150 may be the Internet.
  • the computer network may be wholly or partly wired, and/or wholly or partly wireless.
  • the computer network may comprise Ethernet connections.
  • the computer network may comprise wireless connections, such as Wi-Fi, ZigBee, and the like.
  • computer network 150 may be encrypted, for example a data stream encrypted by TCP/IP using e.g. asymmetric keys (RSA, DSA, etc.) may be used to encrypt the computer network.
  • the receiver systems comprise a connection interface which is arranged to communicate with other receiver systems of systems 10, 20 as needed.
  • the connection interface may comprise a connector, e.g., a wired connector, e.g., an Ethernet connector, or a wireless connector, e.g., an antenna, e.g., a Wi-Fi, 4G or 5G antenna.
  • first receiver system 100, and second receiver system 200 may comprise communication interface 130, 230 respectively.
  • Communication interface 130, 230 may, e.g., be configured to send capability data to management system 300 and/or to receive configuration data from management system 300.
  • Computer network 150 may comprise additional elements, e.g., a router, a hub, etc.
  • first receiver system 100 and second receiver system 200 may be implemented in a processor, e.g., a processor circuit, examples of which are shown herein.
  • first receiver system 100, in particular processor 194 of first receiver system 100, may generate the cross-correlation function by cross-correlating (samples of) timestamping reference signals received from the management system and the common transmitter.
  • the second receiver system 200 in particular processor 294 of second receiver system, 200 may generate the cross-correlating function by comparing timestamping reference signals received from the management system and the common transmitter.
  • Processors 194 and 294 determine first and second time instants (timestamps) as outputs of the respective cross-correlation functions, for example, when a cross-correlation level of the respective cross-correlating function exceeds a predetermined threshold.
  • processors 194 and 294 may be configured to record a predetermined number of samples of the received common signal, and to broadcast the samples of the common signal received by the communication interfaces 130, 230 via secure communication channel 150.
  • the processors may also be configured to cross-correlate, e.g. in time or frequency, the samples of the received common signal with the samples of the common signal received by a reference receiver system.
  • Cross-correlation generates a cross-correlation function.
  • the time of observation may be determined from, e.g. an output of, the cross-correlation function.
  • these cross-correlation functions may be wholly or partially implemented in computer instructions that are stored at receiver systems 100, or 200, e.g., in an electronic memory of the receiver system, and are executable by a microprocessor of the receiver system. In hybrid embodiments, functional units are implemented partially in hardware, e.g., as coprocessors, e.g., crypto coprocessors, and partially in software stored and executed on receiver system 100, or 200.
  • Receiver systems 100, and 200 may comprise a storage interface to store and/or retrieve messages, possibly encrypted messages.
  • the storage interface may be implemented locally, e.g., as an interface to a memory comprised in the receiver system, e.g., memory 196, or 296, respectively.
  • the storage interface may also interface with offline, e.g., non-local, storage, e.g., cloud storage, e.g., a storage such as a memory or a drive located in another receiver system.
  • the receiver systems may comprise a local storage as well, e.g., a memory.
  • the memory may be used to store computer programming instructions, temporary storage of files and the like.
  • Memories 196 and 296 may be used to store time stamps, outputs of the respective cross-correlating function. Alternatively, memories 196 and 296 may be used to store whole or part of random, e.g., cryptographic data used for triggering transmitter 400 and/or time clock synchronization.
  • Figure 5 schematically shows an example of an embodiment of a management system 300.
  • Management system 300 comprises a cryptographic data generator 315, a communication interface 330, a storage interface 392, a processor 394, and a memory 396.
  • Cryptographic data generator 315 may be a public key and/or private key generator, or a pseudo-random sequence generator.
  • Generator 315 may include a true random number generator, usually hardware-based, that is used to obtain a random seed from which a pseudo-random sequence is generated. Instead of a true random number generator, a pseudo-random number generator may be used.
  • Communication interface 330 is configured to securely communicate with the receiver systems and in some embodiments with the gateway.
  • Management system 300 is configured to receive via the communication interface 330 the capability data of receiver systems.
  • cryptographic data generator 315 may generate a secret key in order to establish a secure communication with the receiver systems and, in some embodiments, with the gateway system.
  • the secret key may be shared with the receiver systems via the respective communication interfaces.
  • Processor 394 is configured to generate the configuration data for operatively configuring the receiver systems based on the capability data.
  • the data transferred from the receiver systems to the management system, e.g. the capability data, may be encrypted with the secret key prior to transmitting them to the management system.
  • the data transferred from the management system to the receiver systems, e.g., the configuration data, may be encrypted with the secret key.
  • Communication interface 330 is configured to send the configuration data, e.g., encrypted with the secret key, to the receiver systems which may receive it via their respective communication interfaces.
  • Storage interface 392 of management system 300 may be configured to store the capability data of the respective receiver systems.
  • Processor 394 may be configured to decrypt the capability data when the data is encrypted with, e.g., the secret key.
  • the processors of the receiver systems may be configured to decrypt the data received from the management system.
  • a secure communication channel may thus be established using the secret key.
  • Figure 6 schematically shows an example of an embodiment of a transmitter 400.
  • Transmitter 400 comprises an antenna interface 420, a storage interface 492, a processor 494, and a memory 496.
  • Antenna interface 420 may be configured to transmit the common signal to the receiver systems and/or to broadcast random cryptographic data received from the gateway system.
  • Processor 494 may be configured to modulate a carrier signal with a modulating signal according to a modulation scheme according to a suitable application.
  • Storage interface 492 and/or memory 496 may be configured to store random
  • Storage interface 492 may retrieve such random cryptographic data from memory 496 and send it to the receiver systems via antenna interface 420.
  • FIG. 7 schematically shows an example of an embodiment of a gateway system 500.
  • Gateway system 500 comprises an antenna interface 520, a communication interface 530, a storage interface 592, a processor 594, a memory 596.
  • Antenna interface 520 may transmit random cryptographic data to the transmitter. Similarly to the transmitter, random cryptographic data may be stored via storage interface 592 and/or in memory 596 prior to being sent to the transmitter.
  • gateway system 500 may be an Iridium gateway.
  • Communication interface 530 may securely communicate with management system 300 shown with reference to Figures 2 and 5.
  • Gateway system may re-transmit data from the management system to the transmitter.
  • An uplink wired or wireless communication is established with the transmitter.
  • the transmitter can be triggered by the gateway system to send the common signal and/or random
  • the common signal may comprise a timestamping reference signal as described above.
  • the communication interface may be selected from various alternatives.
  • the interface may be a network interface to a local or wide area network, e.g., the Internet, a storage interface to an internal or external data storage, an application interface (API), etc.
  • the receiver systems 100, 200 and management system 300, gateway 500 may have a user interface, which may include well-known elements such as one or more buttons, a keyboard, display, touch screen, etc.
  • the user interface may be arranged for accommodating user interaction for initiating a key agreement protocol, responding to a key agreement protocol, sending a message encrypted with a public key, decrypting a message with a public key, etc.
  • Storage may be implemented as an electronic memory, say a flash memory, or magnetic memory, say hard disk or the like. Storage may comprise multiple discrete memories together making up storage. Storage may also be a temporary memory, say a RAM.
  • systems or devices 100, 200, 300, 400 and 500 each comprise a microprocessor which executes appropriate software stored at the system or device; for example, that software may have been downloaded and/or stored in a corresponding memory, e.g., a volatile memory such as RAM or a non-volatile memory such as Flash.
  • systems or devices 100, 200, 300, 400 and 500 may, in whole or in part, be implemented in programmable logic, e.g., as a field-programmable gate array (FPGA).
  • Systems or devices 100, 200, 300, 400 and 500 may be implemented, in whole or in part, as a so-called application-specific integrated circuit (ASIC), e.g., an integrated circuit (IC) customized for their particular use.
  • circuits may be implemented in CMOS, e.g., using a hardware description language such as Verilog, VHDL etc.
  • systems or devices 100-500 may comprise one or more circuits to implement one or more or all of the functions of the respective system or device.
  • the circuits may implement the corresponding functions described herein.
  • the circuits may be a processor circuit and storage circuit, the processor circuit executing instructions represented electronically in the storage circuits.
  • a processor circuit may be implemented in a distributed fashion, e.g., as multiple sub-processor circuits.
  • a storage may be distributed over multiple distributed sub-storages.
  • Part or all of the memory may be an electronic memory, magnetic memory, etc.
  • the storage may have volatile and a non-volatile part.
  • Part of the storage may be read-only.
  • the circuits may also be an FPGA, ASIC or the like.
  • Figure 8 schematically shows an example of a time clock synchronization method 600 according to an embodiment.
  • Method 600 enables secure synchronization of time clocks of receiver systems 100 and 200.
  • Method 600 comprises: establishing 605 a secure communication channel 150 between the receiver systems 100 and 200, and a management system 300 using cryptographic keys; transmitting 610, 710 capability data 412, 416 to management system 300 via secure communication channel 150.
  • Capability data 412, 416 defines an operational capability of receiver systems 100 and 200.
  • Method 600 comprises generating 617 by the management system configuration data 414, 418 for operatively configuring the receiver systems based on the capability data (412, 416).
  • the configuration data comprises at least observation data indicating when a common signal is to be observed by each receiver system.
  • Method 600 further comprises sending 618 configuration data 414, 418 to receiver systems 100, 200 via the secure communication channel 150 and receiving 619, 719 configuration data from management system 300 via the secure
  • Method 600 comprises configuring 620, 720 reception of the common signal at receiver systems 100 and 200, respectively, based on configuration data.
  • the configuration data may set a reception bandwidth and/or a carrier frequency of receiver systems 100 and/or 200, in order for the receiver systems to receive a valid signal.
  • the configuration data may comprise observation based on which
  • Method 600 further comprises receiving 625, 725 by receiver systems 100, 200 the common signal via the secure communication channel, e.g. from a common transmitter 400 as shown in Figures 1, 2, and 6.
  • system receivers 100 and 200 are configured to receive a valid common signal from the transmitter.
  • Method 600 may further comprise synchronizing 690, 790 a first time clock of first receiver system 100 with a second time clock of second receiver system 200, based on a time difference between a first time indicating when the received common signal is observed by the first receiver system 100 and a second time indicating when the received common signal is observed by the second receiver system 200.
  • the first receiver system may be a master receiver system and the second receiver system a slave receiver system.
  • the master receiver system comprises a master time clock used as reference for the slave receiver systems.
  • Synchronizing 690, 790 may further comprise: cross-correlating 630,
  • the observation data e.g. a timestamping reference signal or a random sequence of data
  • samples of the common signal e.g., also a timestamping reference signal or a random sequence of data included in the received common signal
  • the process is iterative. If a sufficiently high correlation is found between the two signals, a time, e.g., a timestamp, is generated.
  • Synchronizing 690 further comprises sending 650 the timestamp determined for receiver system 100 to receiver system 200 via secure channel 150.
  • Synchronizing 790 further comprises retrieving 750 the timestamps of receiver systems 100 and 200, comparing 760 such timestamps to determine the time difference between the two and correcting 770 the time clock of receiver system 200 based on a difference between the two timestamps.
  • Synchronization may be performed differently, in any other manner suitable for the specific implementation.
  • Figure 9 schematically shows an example of a time clock synchronization method 700 according to another embodiment.
  • Method 700 differs from method 600 in that method 700 comprises a different synchronization 695 and 795 in receiver systems 100 and 200, respectively.
  • Synchronization 695 comprises recording 622 a predetermined number of samples of the common signal, e.g., of random sequence of data included in the common signal; optionally compressing 624 the samples with any compressing algorithm suitable for the specific implementation.
  • compressing 624 may be a lossy compression, e.g., a low-resolution compression such as sub-Nyquist sampling with reduced/sparse bandwidth, to optimize the tradeoff between data size and time-transfer performance; measuring 626 energy levels of the (compressed) samples to estimate signal activity and hence be able to select a high quality common signal; broadcasting 626 the (compressed) samples of the common signal received by the first receiver system to the second receiver system via secure communication channel (150).
  • Synchronization 795 comprises 732 obtaining a coarse time and frequency synchronization from communication channel 150.
  • synchronization may be obtained, for example, through a standard NTP implementation, allowing receivers to be synchronized to, e.g., millisecond accuracy; recording 634 a predetermined number of samples of the common signal, e.g., of the random sequence of data included in the common signal received by receiver system 200; retrieving 755 the data, i.e. the random sequence of data/sequence of samples; cross-correlating 765 in time the samples of the common signal received by the first receiver system with the samples of the common signal received by the second receiver system to generate a cross-correlation function; determining 767 the time difference between the two sequences of samples from (an output of) the cross-correlation function, and correcting 770 the time clock of receiver system 200 by using the time difference.
  • each method 600 or 700, or part of the methods 600 or 700 can be performed in any of receiver systems 100 and/or 200 for example enabling secure synchronization of the time clocks, management system 300 for managing secure synchronization of the time clocks, transmitter 440 or gateway system 500.
  • Cross-correlation of different samples or sequences of samples to calculate the time difference can be done in any manner suitable for the specific implementation. In the following, a method of cross-correlating samples or sequences of samples is described. Cross-correlation can be performed at the processor of the receiver system and/or the management system. The management system may be wholly or partially integrated in one of the receiver systems.
  • the times, or the difference in time, when the common signal is received by each of the receiver systems correspond to an output of a cross-correlation function related to that time determination, e.g. an output exceeding a predetermined cross-correlation level.
  • Figure 11 schematically shows an example of a cross-correlation function.
  • the graph in Figure 11 shows the output of a cross-correlation function 250, e.g. correlation values, against the time lag expressed as a number of samples.
  • Function 250 may have several peaks indicative of observed samples having high correlation with, e.g., reference samples, i.e. high correlation values at certain times.
  • First peak P1 and second peak P2 lie next to each other, indicating a relatively high correlation value at the corresponding (sample) time points.
  • the processor of the receiver system or management system is configured to determine a number of correlation values e.g. exceeding a predetermined threshold.
  • the processor may be configured to determine the time instants corresponding to said correlation values.
  • the peaks of the cross-correlation values above a predetermined cross-correlation level are, for example, determined and stored via the memory interface.
  • the predetermined cross-correlation level is based on a ratio between two successive correlation peak values in the cross-correlation function.
  • the processor may be configured to determine a second peak correlation value in a time region in proximity of a first correlation peak value.
  • the time region where the second peak is determined is based on a multipath delay spread.
  • the multipath delay spread is due to the delayed reception of the common signal caused by multipath reflection of the signal. This is visible in cross-correlation function 250, where the multipath delay spread has a bell shape around the first peak P1.
  • the time region may be located next to the multipath delay spread and be proportional to the multipath delay spread, e.g., be a fraction or an integer multiple of the multipath delay spread.
  • the processor may be configured to look for the second peak within a predetermined time window based on the multipath delay spread. In Figure 11, the second peak P2 is found on the left side of the first peak P1. However, the time window in which the processor looks can be on the left side or the right side of the first peak.
  • the processor may be configured to compute the ratio between the first peak P1 and the second peak P2. This is the so-called correlation ratio.
  • the correlation ratio is compared to a predetermined threshold. If the correlation ratio is above a predetermined threshold, this may be an indication of high (true) correlation between the samples of the common signal and, e.g., reference samples of a reference signal.
  • the correlation ratio may be used to reject ambiguous measurements and/or to weight the clock correction.
  • synchronization of the time clocks may comprise generation of a clock correction factor.
  • the clock correction factor may be used by the slave receiver system to align its time clock with that of a master receiver system.
  • the clock correction factor may be based on the correlation ratio.
  • the clock correction factor may be further processed, e.g., with a time correction algorithm, e.g., a Kalman filter, etc.
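The time-domain cross-correlation of method 700 (Figure 9) and the peak-ratio check of Figure 11, as an added Python example that is not part of the patent: a constructed ±1 chip sequence stands in for the random sequence in the common signal, and the multipath echo, noise level, ±max_lag search window (the range left after the coarse NTP synchronization), search width and ratio threshold are assumed values; the ratio-weighted correction is a simple stand-in for the Kalman-type filtering the text mentions.

```python
import random
from typing import List, Optional, Tuple

# Constructed parameters for the demo (assumptions, not values from the patent).
SAMPLE_RATE_HZ = 2_000_000            # 2 MHz sampling bandwidth as in the test setup
SAMPLE_PERIOD_NS = 1e9 / SAMPLE_RATE_HZ


def make_common_signal(length: int, seed: int) -> List[float]:
    """Constructed stand-in for the random sequence in the common signal: +/-1 chips."""
    rng = random.Random(seed)
    return [rng.choice((-1.0, 1.0)) for _ in range(length)]


def record_samples(signal: List[float], start: int, count: int, echo_delay: int = 0,
                   echo_gain: float = 0.0, noise_std: float = 0.0, seed: int = 0) -> List[float]:
    """Constructed receiver capture: `count` samples from `start`, plus optional multipath echo and noise."""
    rng = random.Random(seed)
    out = []
    for i in range(count):
        idx = start + i
        value = signal[idx]
        if echo_gain and idx - echo_delay >= 0:
            value += echo_gain * signal[idx - echo_delay]     # delayed, attenuated reflection
        if noise_std:
            value += rng.gauss(0.0, noise_std)
        out.append(value)
    return out


def cross_correlate(master: List[float], slave: List[float], max_lag: int) -> List[Tuple[int, float]]:
    """Cross-correlation in time, normalised by overlap, for lags in [-max_lag, max_lag].
    A positive lag means slave[i] lines up with master[i + lag]."""
    result = []
    for lag in range(-max_lag, max_lag + 1):
        total, overlap = 0.0, 0
        for i, s in enumerate(slave):
            j = i + lag
            if 0 <= j < len(master):
                total += s * master[j]
                overlap += 1
        result.append((lag, total / overlap if overlap else 0.0))
    return result


def correlation_ratio(corr: List[Tuple[int, float]], multipath_spread: int,
                      search_width: int) -> Tuple[int, float, float]:
    """First peak P1, then second peak P2 outside the multipath delay spread around P1 but
    within search_width samples of it (either side). Returns (lag of P1, P1, P1/P2)."""
    peak_idx = max(range(len(corr)), key=lambda k: abs(corr[k][1]))
    lag1, p1 = corr[peak_idx][0], abs(corr[peak_idx][1])
    p2 = 0.0
    for lag, value in corr:
        distance = abs(lag - lag1)
        if multipath_spread < distance <= multipath_spread + search_width:
            p2 = max(p2, abs(value))
    ratio = p1 / p2 if p2 > 0 else float("inf")
    return lag1, p1, ratio


def estimate_time_difference(master: List[float], slave: List[float], max_lag: int,
                             multipath_spread: int, search_width: int,
                             ratio_threshold: float) -> Optional[Tuple[float, float]]:
    """Returns (time difference in ns, correlation ratio), or None when the measurement
    is ambiguous (ratio below threshold) and is rejected, as the text describes."""
    corr = cross_correlate(master, slave, max_lag)
    lag1, _, ratio = correlation_ratio(corr, multipath_spread, search_width)
    if ratio < ratio_threshold:
        return None
    return lag1 * SAMPLE_PERIOD_NS, ratio


def correct_slave_clock(slave_clock_ns: float, time_difference_ns: float, ratio: float,
                        weight_scale: float = 10.0) -> float:
    """Apply the correction weighted by the correlation ratio (assumed weighting; a stand-in
    for a Kalman filter). A positive lag means the slave started capturing later, i.e. its
    clock is behind the master's, so the difference is added."""
    weight = min(1.0, ratio / weight_scale)
    return slave_clock_ns + weight * time_difference_ns


if __name__ == "__main__":
    signal = make_common_signal(600, seed=1)
    master = record_samples(signal, start=100, count=400)
    # Slave clock is 7 samples behind; its capture also sees an echo and noise.
    slave = record_samples(signal, start=107, count=400, echo_delay=2, echo_gain=0.4,
                           noise_std=0.5, seed=2)
    print(estimate_time_difference(master, slave, max_lag=50, multipath_spread=3,
                                   search_width=12, ratio_threshold=2.0))
```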
  • Figure 12 schematically shows an example of such communication system 11.
  • Communication system 11 comprises receiver systems 101 and 201 and management system 301.
  • a secure communication channel is established between system receivers 101 and 201 and management system 301.
  • System 11 has been tested using Software Defined Radio (SDR) platforms.
  • the system sampling bandwidth was set to 2, 5 and 10 MHz, and the carrier frequency was 1.62 GHz, which is inside the spectrum assigned to Iridium's satellites.
  • Two Iridium patch antennas 121 and 221 were used for the measurement. The two receivers had no direct line of sight to the satellite.
  • the method of enabling secure synchronization of the time clock of system receiver 201 by means of the (master) time clock of system receiver 101 is similar to that described with reference to Figure 9. Synchronization/verification of the time clocks is performed offline, after capturing the samples, using the management system 301, e.g. a host computer, and software, in this example Matlab.
  • the method steps are as follows: 1) Establishing a secure connection between system receivers 101, 201 and management system 301.
  • a LAN secured network or the Internet can be used to connect system receivers 101, 201 with management system 301.
  • any percentage below or above 50% may be taken for receiver system 101 and any percentage below 100% may be taken for receiver system 201.
  • a predetermined threshold ignore the measurement and return to step 1.
  • the threshold may be any number suitable for the specific implementation.
  • Figures 13 to 17 show the results obtained using the synchronization method above with regard to the accuracy of computing the timing error. It is noted that in all these measurements, for test purposes and in order to validate the method above, the time clocks of the two receiver systems were mutually pre-synchronized. The measured timing error should therefore be zero or close to zero.
  • Figure 13 shows a graph of synchronization timing error measurements for an embodiment of a communication system similar to system 11 described with reference to Figure 12.
  • the timing error shown in the lower graph computed with the method above is closer to the real value than the timing error shown in the upper graph computed for all measurements.
  • Figure 14 shows a graph of a cumulative distribution function of an absolute value of the measured timing error versus the (absolute value of) timing error measured in nanoseconds (ns) shown in Figure 13.
  • the cumulative distribution function of Figure 14 shows how many samples (indicated in percent on the Y axis) have a timing error below a certain value (indicated in nanoseconds on the X axis).
  • Cumulative distribution function 262 corresponds to the unfiltered measurements of the upper graph of Figure 13. Cumulative distribution function 262 is much lower than 1.
  • Cumulative distribution function 261 corresponds to the filtered measurements of the lower graph of Figure 13. Cumulative distribution function 261 is close to 1, meaning that the filtered measurements, i.e. those based on the cross-correlation ratio, give much more accurate results. In particular, cumulative distribution function 261 shows that approximately 95% of the samples have a timing error below 1000 ns or that
  • curve 272 shows the cumulative distribution function of the unfiltered measurements of the upper graph of Figure 15. Cumulative distribution function 272 is much lower than 1. Cumulative distribution function 271 corresponds to the filtered measurements of the lower graph of Figure 15. Cumulative distribution function 271 is close to 1, meaning that the filtered
  • Figure 17 shows a graph of a cumulative probability of error in percentage versus a cross-correlation ratio measured for an embodiment of a
  • the probability of error is shown for four different accuracy levels 281, 282, 283 and 284 corresponding to 0 ns, 500 ns, 1000 ns and 1500 ns, respectively.
  • the measurements are performed at a specific bandwidth, in this exemplary test at 2 MHz bandwidth.
  • Figure 17 shows that for higher accuracy a larger value of the correlation peak can be chosen.
  • the invention also extends to computer programs, particularly computer programs on or in a carrier, adapted for putting the invention into practice.
  • the program may be in the form of source code, object code, a code intermediate source, and object code such as partially compiled form, or in any other form suitable for use in the implementation of an embodiment of the methods.
  • An embodiment relating to a computer program product comprises computer executable instructions corresponding to each of the processing steps of at least one of the methods set forth. These instructions may be subdivided into subroutines and/or be stored in one or more files that may be linked statically or dynamically.
  • Another embodiment relating to a computer program product comprises computer executable instructions
  • Figure 10a shows a computer readable medium 1000 having a writable part 1010 comprising a computer program 1020, the computer program 1020 comprising instructions for causing a processor system to perform method of enabling secure synchronization of time clocks, a method of managing secure synchronization of time clocks, or a receiver method of enabling secure synchronization of time clocks according to an embodiment.
  • the computer program 1020 may be embodied on the computer readable medium 1000 as physical marks or by means of magnetization of the computer readable medium 1000. However, any other suitable embodiment is conceivable as well.
  • the computer readable medium 1000 is shown here as an optical disc, the computer readable medium 1000 may be any suitable computer readable medium, such as a hard disk, solid state memory, flash memory, etc., and may be non-recordable or recordable.
  • the computer program 1020 comprises instructions for causing a processor system to perform said clock synchronization method.
  • Figure 10b shows in a schematic representation of a processor system 1140 according to an embodiment of a device, e.g., a receiver system or management system or a gateway system.
  • the processor system comprises one or more integrated circuits 1110.
  • the architecture of the one or more integrated circuits 1110 is
  • Circuit 1110 comprises a processing unit 1120, e.g., a CPU, for running computer program components to execute a method according to an embodiment and/or implement its modules or units.
  • Circuit 1110 comprises a memory 1122 for storing programming code, data, etc. Part of memory 1122 may be read-only.
  • Circuit 1110 may comprise a communication element 1126, e.g., an antenna, connectors or both, and the like.
  • Circuit 1110 may comprise a dedicated integrated circuit 1124 for performing part or all of the processing defined in the method.
  • Processor 1120, memory 1122, dedicated IC 1124 and communication element 1126 may be connected to each other via an interconnect 1130, say a bus.
  • the processor system 1110 may be arranged for contact and/or contact-less communication, using an antenna and/or connectors, respectively.
  • processor system 1140, e.g., the receiver system, the management system or the gateway system, may comprise a processor circuit and a memory circuit, the processor being arranged to execute software stored in the memory circuit.
  • the processor circuit may be an Intel Core i7 processor, ARM Cortex-R8, etc.
  • the processor circuit may be ARM Cortex M0.
  • the memory circuit may be a ROM circuit, or a non-volatile memory, e.g., a flash memory.
  • the memory circuit may be a volatile memory, e.g., an SRAM memory.
  • the device may comprise a non-volatile software interface, e.g., a hard drive, a network interface, etc., arranged for providing the software.
  • any reference signs placed between parentheses shall not be construed as limiting the claim.
  • Use of the verb 'comprise' and its conjugations does not exclude the presence of elements or steps other than those stated in a claim.
  • the article 'a' or 'an' preceding an element does not exclude the presence of a plurality of such elements.
  • the invention may be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In the device claim enumerating several means, several of these means may be embodied by one and the same item of hardware. The mere fact that certain measures are recited in mutually different dependent claims does not indicate that a combination of these measures cannot be used to advantage.
  • references in parentheses refer to reference signs in drawings of exemplifying embodiments or to formulas of embodiments, thus increasing the intelligibility of the claim. These references shall not be construed as limiting the claim.

Abstract

A communication system (10) comprises a plurality of receiver systems (100, 200), a management system (300) which manages synchronization of time clocks of the receiver systems and a transmitter (400) that transmits a common signal to the receiver systems. The management system (300) establishes a secure communication channel between the receiver systems and the management system. The receiver systems are configured to mutually synchronize their time clocks by exchanging data via the secure communication channel. The data is indicative of a difference in time when the common signal is observed by each of the receiver systems. Since the data is exchanged between the receiver systems and the management system via the secure communication channel, the data is securely exchanged and cannot be easily spoofed or jammed. Security of time synchronization is improved.

Description

SECURE CLOCK SYNCRONIZATION
FIELD OF THE INVENTION
The invention relates to a method of enabling secure synchronization of time clocks of a plurality of receiver systems, a method of managing secure time clock synchronization, and a receiver method of enabling secure synchronization. The invention further relates to a communication system comprising a plurality of receiver systems, a management system for managing synchronization of said time clocks and a transmitter. The invention further relates to a management system, a receiver system for use in such a communication system and a computer readable medium.
BACKGROUND OF THE INVENTION
An accurate, secure and reliable time transfer is a key enabler for emerging fixed and mobile services worldwide. In applications such as for example autonomous vehicles, terrestrial positioning, 5G mobile broadband, mobile multimedia broadcast, power grids, terrestrial positioning services, financial operations, Internet of Things, big data, cloud processing, etc., reliable time information enables the application to work correctly and efficiently. The time information should be transferred accurately and in a seamless and ubiquitous manner.
For example, US2012/0177027 discloses devices and methods for providing a time synchronized Wireless Local Area Network (WLAN) system.
Stationary Access Points (APs) in the WLAN system can determine timing information from Global Navigation Satellite Systems (GNSS) satellite, so as to synchronize with each other. The synchronized APs can then be used to determine position information for devices on the network using pseudo-ranging techniques.
The access point includes a receiver portion, a timing signal portion and a clock. The receiver portion is configured to obtain a signal transmitted by a navigation satellite. The timing signal portion is configured to extract timing information from the signal obtained by the receiver portion based upon a known position of the access point. The clock is configured to be compensated with the timing information. The access point has a communication link configured to relay timing information to a second access point. The receiver portion is configured to track a satellite common to the second access point. The timing signal portion of the access point is configured to compute a time difference between the access point and the second access point based on a true transit time and a pseudo-transit time for a signal from the satellite.
However, in US2012/0177027, transfer of timing information may be sensitive to, for example jamming, spoofing or meaconing causing an error in the determination of the position information for devices in the network.
SUMMARY OF THE INVENTION
There is thus a need for an alternative method of synchronizing time clocks of a plurality of devices. In particular, there is a need for a more secure synchronization of the time clocks. It would be advantageous to have an improved method of enabling synchronization of time clocks, especially with reference to security aspects.
It is an object of the invention to provide a method of enabling secure synchronization of time clocks of a plurality of receiver systems, a method of managing secure synchronization of time clocks, a receiver method of enabling secure
synchronization of time clocks, a communication system, a management system and a receiver system for use in said communication system that solve the aforementioned problems of the prior art.
According to a further aspect of the invention there is provided a method of enabling secure synchronization of time clocks of a plurality of receiver systems as defined in claim 1. According to a further aspect of the invention there is provided a method of managing secure time clock synchronization as claimed in claim 12.
According to a further aspect there is provided a receiver method of enabling secure synchronization of time clocks as defined in claim 13. According to a further aspect of the invention there is provided a computer readable medium as defined in claim 14. According to a further aspect of the invention there is provided a management system as defined in claim 15. According to a further aspect of the invention there is provided a receiver system as defined in claim 19. According to a further aspect of the invention there is provided a communication system as defined in claim 22.
The communication system comprises a plurality of receiver systems, a management system, which manages synchronization of time clocks of the receiver systems and a transmitter that transmits a common signal to the receiver systems. The receiver systems are configured to mutually synchronize their time clocks based on a difference in time when the common signal is observed by each of the receiver systems. The management system establishes a secure communication channel between the management system and the receiver systems using cryptographic keys. Time clock synchronization in the system occurs via the secure communication channel. The communication channel may be encrypted. For example the data may be transferred through the communication channel in an encrypted form. The receiver systems mutually synchronize their time clocks by exchanging data indicative of the time difference via the secure communication channel.
Since data is exchanged between the receiver systems and the management system via the secure communication channel, data is securely exchanged.
In an embodiment, the management system may generate configuration data which configures the receiver systems. Said data comprises the configuration data. This configuration data comprises observation data indicating when the received common signal is to be observed by each receiver system. The configuration data is sent to at least one receiver system via the secure communication channel. The receiver systems configure receiving of the common signal based on the configuration data.
In an embodiment, the exchanged data further comprises capability data. The receiver systems may send the capability data to the management system. The capability data defines an operational capability of the receiver systems. The management system may generate the configuration data based on the capability data.
For example, the observation data may comprise specification of a time instant indicating when the received common signal is to be observed by each receiver system. The time instant is used for synchronization of the time clocks. Since the time instant is exchanged between the receiver systems and the management system via the secure communication channel, the time instant is securely exchanged and cannot be easily spoofed or jammed. Security of time synchronization is improved.
The observation data of the invention instructs the devices on when the common signal received from the transmitter should be observed. Since the common transmitter does not necessarily have to be a GNSS satellite, the time clock synchronization method of the invention can be used for synchronizing the time clocks of systems placed, for example, indoors. Any signal penetrating indoor locations that can be commonly observed by the receiver systems is a suitable signal for the invention. Such (indoor) receiver systems may be, for example, switching devices of a power grid system, home base stations of a personal communication system or any other suitable indoor devices.
In an embodiment, establishing the secure communication channel comprises generating a secret key, sharing the secret key between the receiver systems, and encrypting the data prior to exchanging the data via the secure communication channel.
For example, in the embodiment above, the capability data may be encrypted with the secret key prior to transmitting the capability data to the management system. Alternatively or additionally, the configuration data may be encrypted with the secret key prior to transmitting the configuration data to the receiver systems.
In an embodiment, the observation data may comprise a reference timestamping signal.
In an embodiment, the system further comprises a gateway system configured to trigger the transmitter to send random cryptographic data to the receiver systems. The random cryptographic data may comprise the reference timestamping signal. The two reference timestamping signals are, for example, continuously cross-correlated to generate a cross-correlation function at each receiver system.
In an embodiment, if the output of the cross-correlation function exceeds a certain threshold level then a timestamp (instant of time) is generated at each receiver system. A difference between the timestamps indicates the timing offset between receiver systems and hence is used to synchronize the time clocks of the receiver systems with the time clock of a reference receiver system.
In an embodiment, the random cryptographic data comprises a public key and a private key corresponding to the public key. The private key is transmitted to the receiver systems, the public key is transmitted to the common transmitter via the gateway system.
In an embodiment, the private key is a pseudo random sequence of data and the public key is a pseudo sub-sequence of data of the private key.
BRIEF DESCRIPTION OF THE DRAWINGS
Further details, aspects, and embodiments of the invention will be described, by way of example only, with reference to the drawings. Elements in the figures are illustrated for simplicity and clarity and have not necessarily been drawn to scale. In the Figures, elements which correspond to elements already described may have the same reference numerals. In the drawings,
Figure 1 schematically shows an example of an embodiment of a communication system,
Figure 2 schematically shows an example of an embodiment of a communication system,
Figure 3 schematically shows an example of an embodiment of a receiver system,
Figure 4 schematically shows an example of an embodiment of a receiver system,
Figure 5 schematically shows an example of an embodiment of a management system,
Figure 6 schematically shows an example of an embodiment of a transmitter,
Figure 7 schematically shows an example of an embodiment of a gateway system,
Figure 8 schematically shows an example of a time clock synchronization method according to an embodiment,
Figure 9 schematically shows an example of a time clock synchronization method according to an embodiment,
Figure 10a schematically shows a computer readable medium having a writable part comprising a computer program according to an embodiment,
Figure 10b schematically shows a representation of a processor system according to an embodiment,
Figure 11 schematically shows an example of a cross-correlation function,
Figure 12 schematically shows an example of an embodiment of a communication system,
Figure 13 shows a graph of synchronization error measurements for an embodiment of a communication system,
Figure 14 shows a graph of a cumulative distribution function measured for an embodiment of a communication system,
Figure 15 shows a graph of synchronization error measurements for an embodiment of a communication system,
Figure 16 shows a graph of a cumulative distribution function measured for an embodiment of a communication system,
Figure 17 shows a graph of a cumulative probability of error versus a correlation ratio measured for an embodiment of a communication system.
List of Reference Numerals for Figures 1-7, 10a-12, 14 and 16:
10 a communication system
11 a communication system
20 a communication system
100 a first receiver system
101 a first receiver system
120 an antenna interface
121 an antenna interface
130 a communication interface
150 a secure communication channel
192 a storage interface
194 a processor
196 a memory
198 a clock generator
200 a second receiver system
201 a second receiver system
220 an antenna interface
221 an antenna interface
230 a communication interface
250 a cross-correlation function
261 a cumulative distribution function
262 a cumulative distribution function
271 a cumulative distribution function
272 a cumulative distribution function
281 a cumulative probability of error
282 a cumulative probability of error
283 a cumulative probability of error
284 a cumulative probability of error
292 a storage interface
294 a processor
296 a memory
298 a clock generator
300 a management system
301 a management system
315 a cryptographic data generator
330 a communication interface
392 a storage interface
394 a processor
396 a memory
400 a transmitter
410 a common signal
412 capability data
414 configuration data
416 capability data
418 configuration data
420 an antenna interface
492 a storage interface
494 a processor
496 a memory
500 a gateway system
520 an antenna interface
530 a communication interface
592 a storage interface
594 a processor
596 a memory
1000 a computer readable medium
1010 a writable part
1020 a computer program
1110 integrated circuit(s)
1120 a processing unit
1122 a memory
1124 a dedicated integrated circuit
1126 a communication element
1130 an interconnect
1140 a processor system
DETAILED DESCRIPTION OF THE EMBODIMENTS
While this invention is susceptible of embodiment in many different forms, there are shown in the drawings and will herein be described in detail one or more specific embodiments, with the understanding that the present disclosure is to be considered as exemplary of the principles of the invention and not intended to limit the invention to the specific embodiments shown and described.
In the following, for the sake of understanding, elements of embodiments are described in operation. However, it will be apparent that the respective elements are arranged to perform the functions being described as performed by them.
Further, the invention is not limited to the embodiments, and the invention lies in each and every novel feature or combination of features described herein or recited in mutually different dependent claims.
A problem of some communication systems is that time clock synchronization of devices of the system is sensitive to external attacks causing malfunctioning of the system and economic losses.
For example, in known Global Navigation Satellite Systems (GNSS), timing information between GNSS satellites and receivers is prone to security threats like spoofing and jamming, making the system sensitive to external attacks.
For example, in autonomous transportation, time synchronization enables communication between vehicles or between vehicles and other devices of the system. In autonomous transportation, malicious attacks or unintentional jamming of time synchronization infrastructures may lead to vehicle accidents or other massive damages in the system.
In power grids, frequency and phase synchronization is critical for a correct balancing of the power grid and efficient power transfer. Any malicious or unintentional interrupt of the power grid synchronization could lead to black-outs and serious economic damages. Proper power grid balancing requires the power grid to adapt efficiently to continuously varying power generation and demand. For example, power generated by renewable energy sources may rapidly change. In order to maintain the balance between the power generation and demand, a load of the power grid is varied dynamically in response to the available power. Dynamically varying the load involves switching on and off certain loads in a timely manner, for example with sub-millisecond accuracy. Typically these loads can be small-scale commercial devices such as refrigeration, heating, or smelting devices. Many of these switching devices have no visibility to GNSS satellites, so the timing needs to be delivered by other means.
In financial market systems an accurate and traceable timestamping is now required by authorities to be able to audit the trading processes. Hence a secure and cheap time transfer is needed so that companies are, for example, safe against timing attacks which could make them appear to be trading ahead of the market. A secure time transfer would protect these companies from, for example, the consequences of malicious timing attacks.
In personal communication systems the number of home base stations will increase significantly in order to enable the next generation of mobile services in a cost efficient way. The problem to solve here is how to deliver secure and reliable synchronization for home located base stations in indoor locations (without GNSS signals) without significant costs. The required accuracy is around 100 ns.
In the following, time clock synchronization methods and communication systems using such methods are described. One such communication system comprises at least a plurality of receiver systems, a management system which manages synchronization of time clocks of the receiver systems and a transmitter that transmits a common signal to the receiver systems. The receiver systems are configured to mutually synchronize their time clocks based on a difference in time when the common signal is observed by each of the receiver systems. The management system establishes a secure communication channel between the management system and the receiver systems using cryptographic keys. Time clock synchronization in the system occurs via the secure communication channel. The communication channel may be encrypted, for example the data may be transferred through the communication channel in encrypted form. The management system may generate configuration data which configures the receiver systems. This configuration data may comprise observation data. The observation data indicates when the received common signal is observed by each receiver system. Since the observation data is exchanged between the receiver systems and the management system via the secure communication channel, the observation data is securely exchanged and cannot be easily spoofed or jammed. Security of time synchronization is improved.
The invention is not limited to GNSS systems. The observation data of the invention instructs the receiver systems on when the common signal received from the transmitter should be observed. Therefore, the time clock synchronization method of the invention can be used for synchronizing the time clocks of receiver systems placed, for example, indoors, which cannot receive GNSS satellite signals. Such receiver systems may be switching devices of a power grid system, home base stations of a personal communication system, etc. as reported above.
In an embodiment, the observation data may comprise a reference timestamping signal which is shared between the receiver systems. The management system may trigger the transmitter, via, for example, a gateway system, to transmit the same reference timestamping signal to the receiver systems. The two signals are, for example, continuously cross-correlated to generate a cross-correlation function at each receiver system. If the output of the cross-correlation function exceeds a certain threshold level then a timestamp (instant of time) is generated at each receiver system.
A difference between the timestamps is used to synchronize the time clocks of the receiver systems with the time clock of a reference receiver system.
For example, Figure 1 schematically shows an example of an embodiment of a communication system 10. Communication system 10 may be any of the systems of the examples described above. Communication system 10 comprises a first receiver system 100 and a second receiver system 200, a management system 300 and a transmitter 400.
Communication system 10 may comprise more than two receiver systems and more than one transmitter. The receiver systems may be suitable to receive a common signal from transmitter 400. For example, in Global Navigation Satellite Systems (GNSS), the receiver systems may be GNSS receivers and the transmitter a satellite; in power grid systems, the receiver systems may be implemented in switching devices; in personal communication systems, the receiver systems may be mobile receivers and the transmitter a Power base station, etc. The receiver systems may also have, as in some embodiments shown below, receiving functions, transmitting functions, networking functions, memory and processing functions, and may be implemented wholly or in part in software programmable devices. The receiver systems may be capable of operating at different carrier frequencies, different bandwidths, etc.
One or more receiver systems may be used as a timing reference to synchronize the time clocks of the other receiver systems in the communication system. In other words, one or more receiver systems may be so-called master receiver systems and the remaining receiver systems so-called slave receiver systems. The time clocks of the slave receiver systems are synchronized with the time clocks of the master receiver systems. Time clocks of master receiver systems may be highly accurate reference clocks, for example atomic clocks or reference clocks which are periodically calibrated with highly accurate clocks.
In the example shown in Figure 1, receiver system 100 is the master receiver system and receiver system 200 is the slave receiver system.
In an embodiment, receiver 100 may be configured to obtain a reference time clock from an external device. In another embodiment, receiver system 100 comprises a clock generator to generate a master time clock. In other embodiments, receiver 100 comprises a processor to process timing signals, e.g., GNSS, eLoran, 3G/4G, IEEE 1588 PTP, NTP signals, to generate a master time clock. However, master receiver system and slave receiver system may be interchanged as long as the master receiver system has a master clock used as reference for the other receiver systems. The master receiver system is enabled to transmit computed data, for example timestamps, or a random sequence of data, to the management system and the slave receiver systems such that the slave receiver systems can be synchronized with such computed data.
Management system 300 establishes a secure communication channel 150 between receiver systems 100, 200 and management system 300 using cryptographic keys. Receiver systems 100 and 200 communicate with management system 300 via secure communication channel 150. Receiver systems 100 and 200 may exchange capability data 412 and 416 with management system 300 via secure communication channel 150. Receiver systems 100 and 200 may communicate with each other, and with management system 300, via respective communication interfaces as explained below with reference to embodiments of a receiver system and a management system.
For example, capability data 412 and 416 define an operational capability of the receiver systems.
In an embodiment, capability data may comprise one or more of the group of: carrier frequency, frequency bandwidth and time of data recording of the common signal. Receiver systems may be multi-purpose receivers capable of operating across different telecommunication standards. They may be capable of operating at different carrier frequencies, different bandwidths, etc. This frequency and/or bandwidth information is included in capability data 412, 416 passed over to management system 300.
Receiver systems 100 and 200 receive a common signal 410 from transmitter 400. Management system 300 generates configuration data 414 and 418. Configuration data 414 and 418 is transmitted to receiver system 100 and receiver system 200, respectively. Configuration data operatively configures receiver systems 100, 200. Management system 300 controls receiver systems 100 and 200 via the configuration data. The configuration data may comprise information of the system in which receiver systems 100 and 200 operate.
For example, in a GNSS system, the configuration data configures the receiver systems as GNSS receivers. In GNSS systems the receivers must be capable of receiving signals from GNSS satellites, thereby the configuration data can configure the receivers within the hardware capabilities of the receivers. The configuration data is generated based upon the capability data. The receiver systems may be off-the-shelf receiver systems capable to work for different communication standards. The configuration data transmitted to receiver systems 100 and 200 may configure the software of receiver systems 100 and 200 such that receiver systems 100 and 200 are configured as GNSS receivers. Similarly, for example, receiver systems 100 and 200 may be configured as mobile receivers, power grid switching receiver device, etc.
The configuration data may include observation data, e.g. time information on when the common signal is observed by the receiver systems.
Synchronization between time clocks of receiver system 100 and receiver system 200 is based on a time difference between two time instants of observation of the common signal by receiver system 100 and receiver system 200, respectively.
Observation in this invention means measurement of one or more signals. Observation may involve cross-correlating two signals at each receiver system, one signal transmitted from the common transmitter to the receiver systems and the other signal passed from the management system to the receiver systems that includes the observation data. Alternatively, observation may involve cross-correlating two signals at one receiver system, each signal comprising a predetermined number of samples of the common signal received by each receiver system, e.g. a (random) sequence of data.
For example, in an embodiment, the observation data comprises samples of a timestamping reference signal. Synchronization may comprise cross-correlating, e.g. in time or frequency, the samples of the timestamping reference signal with samples of the common signal to generate a first cross-correlation function and a second cross-correlation function. The instants of time observation are determined from the first cross-correlation function and second cross-correlation function, respectively. This determination may be based on an output of the cross-correlation function exceeding a certain threshold value. This output is broadcast via the secure communication channel to the receiver system which needs clock synchronization. Upon broadcasting such instant of time/timestamp, a difference between the two instants of time can be determined and used to correct the time clock of the receiver system requiring synchronization, i.e. the slave receiver system. Samples of the timestamping reference signal may be random cryptographic data, for example a random sequence of data like numbers, binary, alphanumeric or other type of suitable codes. The data may be encrypted. The common signal received from the transmitter comprises the same random data. The two sequences of data are cross-correlated at each receiver system and the respective output of the respective cross-correlation function calculated. The timestamping reference signal is generated in the management system and is securely shared with the receiver systems. The transmitter is triggered by the management system to send the same random data with the common signal. Even if the common signal transmitted from the transmitter to the receiver systems is jammed or spoofed, only the managed receiver systems know the correct sequence of data which is used for synchronizing the time clocks.
The receiver systems do not need to necessarily understand the content of the signal they receive from the common transmitter in order to synchronize their time clocks. The random data used by the receiver systems for the synchronization of their time clocks is instead known by the receiver systems.
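The observation procedure described above (a secret reference timestamping sequence shared over the secure channel, cross-correlated at each receiver against the common signal, with the correlation peak above a threshold yielding a timestamp and the timestamp difference correcting the slave clock) is illustrated by the following added example. It is not code from the patent or from ESA: the signals, the +/-1 chip sequence, the window length, the threshold of 0.8 and the sample-index clock units are all constructed here, and equal propagation delay to both receivers is assumed. The last case shows why the shared sequence matters from the receivers' side: a transmission carrying a sequence the receivers never agreed on produces no correlation peak and therefore no timestamp.

```python
"""Added example (not code from the patent or from ESA): two receiver systems
share a secret reference timestamping sequence, each cross-correlates it
against the common signal it samples, and the correlation peak above a
threshold yields a local timestamp.  The slave corrects its clock by the
difference between the two timestamps.  All signals are constructed here."""
import random

SEQ_LEN = 64        # chips in the shared reference sequence (assumed value)
WINDOW_LEN = 128    # samples each receiver records per observation (assumed)
THRESHOLD = 0.8     # normalised correlation level that triggers a timestamp


def make_reference_sequence(seed: int, length: int = SEQ_LEN) -> list:
    """Pseudo-random +/-1 chip sequence derived from a seed; the seed stands in
    for the 'random cryptographic data' shared via the secure channel."""
    rng = random.Random(seed)
    return [rng.choice((-1, 1)) for _ in range(length)]


def received_common_signal(sequence, arrival_index, noise_std, noise_seed):
    """Constructed common signal as sampled by one receiver: `sequence` embedded
    at `arrival_index` in the recording window, plus Gaussian receiver noise."""
    rng = random.Random(noise_seed)
    samples = [rng.gauss(0.0, noise_std) for _ in range(WINDOW_LEN)]
    for i, chip in enumerate(sequence):
        samples[arrival_index + i] += chip
    return samples


def normalised_cross_correlation(samples, reference):
    """Sliding-lag correlation of the recording with the reference sequence,
    normalised so that a perfect noiseless match scores 1.0."""
    n = len(reference)
    return [sum(samples[lag + i] * reference[i] for i in range(n)) / n
            for lag in range(len(samples) - n + 1)]


def observe_timestamp(samples, reference, clock_at_window_start, threshold=THRESHOLD):
    """Receiver-side observation: timestamp (on the receiver's own clock) of the
    correlation peak, or None when no lag reaches the threshold."""
    corr = normalised_cross_correlation(samples, reference)
    peak_lag = max(range(len(corr)), key=corr.__getitem__)
    if corr[peak_lag] < threshold:
        return None
    return clock_at_window_start + peak_lag


def synchronise_slave(master_timestamp, slave_timestamp, slave_clock_reading):
    """Correct a slave clock reading by the offset between the two timestamps of
    the same common-signal event (sample units; equal path delay assumed)."""
    offset = slave_timestamp - master_timestamp
    return slave_clock_reading - offset


def run_example():
    reference = make_reference_sequence(seed=12345)
    arrival = 30    # the event lands at sample 30 of the window at both receivers
    master_samples = received_common_signal(reference, arrival, 0.1, noise_seed=1)
    slave_samples = received_common_signal(reference, arrival, 0.1, noise_seed=2)
    # master clock reads 1000 at window start; the slave clock runs 7 samples ahead
    master_ts = observe_timestamp(master_samples, reference, 1000)
    slave_ts = observe_timestamp(slave_samples, reference, 1007)
    # a transmission carrying a sequence the receivers never agreed on
    unknown = received_common_signal(make_reference_sequence(seed=999), arrival, 0.1, noise_seed=3)
    unknown_ts = observe_timestamp(unknown, reference, 1007)
    return {
        "master_ts": master_ts,                 # 1030
        "slave_ts": slave_ts,                   # 1037
        "offset": slave_ts - master_ts,         # 7
        "corrected_slave": synchronise_slave(master_ts, slave_ts, 1050),  # 1043
        "unknown_sequence_ts": unknown_ts,      # None: no peak, no timestamp
    }


if __name__ == "__main__":
    print(run_example())
```

With 64 chips the correlation at every wrong lag stays near zero (its standard deviation is about 1/8 of the peak), so the 0.8 threshold separates the genuine event cleanly; a real deployment would pick the sequence length and threshold from the measured noise floor, as Figure 17 of the patent does with a correlation ratio.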
In an embodiment, configuration data 414 and 418 is periodically re-generated by management system 300 and sent by management system 300 to first receiver system 100 and second receiver system 200 via secure communication channel 150. This may further increase the security of the system. The carrier frequency or the frequency bandwidth may periodically change. One advantage is that, for example, an attacker would not know at which carrier frequency or in which frequency bandwidth the data are transmitted. Additionally or alternatively, the observation data may be periodically re-generated and sent to the receiver systems. An advantage of periodically changing the observation data is that, for example, an attacker would have even less chance of success trying to spoof the sequence of data transmitted from the transmitter to the receiver systems.
However, it is not necessary that the transmitter is triggered by the management system to transmit a specific sequence of data. By periodically generating configuration data, the receiver systems may each time agree on, for example, a new specific carrier frequency or new frequency bandwidth. The transmitter may send a specific sequence of data in that carrier frequency or frequency bandwidth only known to the receiver systems. Alternatively, the transmitter may be triggered to send a specific sequence of data in different alternative ways.
In an embodiment, the transmitter may be periodically triggered to send a specific sequence of data. For example, as it will be described in an embodiment below, when high cross-correlation output level is found between this specific sequence data sent by the transmitter and the specific sequence of data generated by the management system, the time clocks can be synchronized.
In another embodiment the transmitter may be triggered by the management system via a gateway system.
Figure 2 shows an example of such an embodiment of a communication system 20.
Communication system 20 differs from communication system 10 shown in Figure 1, in that it further comprises a gateway system 500. Gateway system 500 may be arranged to trigger transmitter 400 to transmit a specific sequence of data which is only known to receiver systems 100 and 200.
In this embodiment management system 300 generates for example random cryptographic data and broadcasts the generated random cryptographic data to first receiver system 100 and second receiver system 200 via secure communication channel 150. Management system 300 may transmit the random cryptographic data to the common transmitter 400 via gateway system 500 as schematically indicated by the dashed line in Figure 2. Transmitter 400 transmits the random cryptographic data to first receiver system 100 and second receiver system 200. Management system 300 may regenerate the configuration data based upon a reception of the random cryptographic data. For example, if the cryptographic data known by the receiver systems match the cryptographic data sent by transmitter 400, management system 300 is triggered to regenerate the configuration data; for example a new time of recording, a new carrier frequency or even a new timestamping reference signal may be set. The random cryptographic data is only known to the receiver systems. An advantage is that, for example, an attacker would not know how to interpret the random cryptographic data sent by transmitter 400 to receiver systems 100 and 200.
In this embodiment, more observations can be performed on demand each time transmitter 400 is triggered.
In an embodiment, the random cryptographic data may be updated periodically. One of the advantages of periodically updating the random cryptographic data is enhanced security. For example, an attacker has fewer chances of intercepting valid data.
In an embodiment, communication system 20 may be an Iridium satellite system. Gateway system 300 may be an Iridium internet gateway, transmitter 400 an Iridium satellite constellation and receiver systems 100 and 200, Iridium receivers. The signal triggering Iridium satellite constellation 400 (dashed line in Figure 2) may be a Short Burst Data (SBD) message.
However, in other embodiments, other suitable satellite signals may be used and/or other satellite constellations contemplated, for example satellite mega-constellations, satellite television (TV) or terrestrial infrastructures like mobile network signals, etc.
In an embodiment, the random cryptographic data comprises a public key and a private key corresponding to the public key. The private key is transmitted to first receiver system 100 and second receiver system 200. The public key is transmitted to common transmitter 400. Thus, when receiver systems 100 and 200 verify that the public key sent by transmitter 400 to receiver systems 100 and 200 corresponds to the private key, for example stored in receiver systems 100 and 200, management system 300 may trigger re-generation of the configuration data.
In an embodiment, the private key may be a pseudo random sequence of data, e.g., numbers, and the public key a pseudo sub-sequence of data, e.g., numbers, of the private key.
In an embodiment as shown below, the management system may comprise a pseudo random number generator to generate a pseudo random sequence of numbers. The pseudo random number generator may use the random sequence of data, for example the timestamping reference data mentioned above, as a seed for generating the pseudo random sequence of numbers. The seed allows the pseudo random generator to generate, for example, arbitrarily long sequences. Smaller portions of these sequences can be transmitted to transmitter 400 via gateway system 500 only once. After that, these smaller sequence portions can be updated, for example periodically, and re-transmitted again.
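The "private key as pseudo-random sequence, public key as sub-sequence" scheme of the preceding paragraphs, together with the rule that each portion is transmitted only once and that a verified match triggers re-generation of the configuration data, is worked through in the following added example. It is not code from the patent or from ESA; the patent does not specify its pseudo random number generator, so SHA-256 in counter mode expanded from a seed is used here as an assumed stand-in, the 16-byte window length is an assumed value, and the configuration refresh derived from the verified offset is a constructed scheme.

```python
"""Added example (not code from the patent or from ESA): the management system
expands a seed shared over the secure channel into a long 'private' sequence,
hands only a short window of it (the 'public' sub-sequence) to the transmitter,
and a receiver accepts a broadcast only if it is a fresh, full-length window of
the private sequence.  A verified window triggers a configuration refresh.
SHA-256 in counter mode is an assumed stand-in for the patent's unspecified PRNG."""
import hashlib
from typing import Optional

WINDOW_BYTES = 16   # length of one public sub-sequence (assumed value)


def private_sequence(seed: bytes, length: int) -> bytes:
    """Deterministic pseudo-random byte sequence expanded from `seed`; any party
    holding the seed can regenerate it, while a leaked window reveals no other."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def public_subsequence(private: bytes, start: int, length: int = WINDOW_BYTES) -> bytes:
    """Window of the private sequence that the management system passes to the
    transmitter (via the gateway) for the next broadcast."""
    return private[start:start + length]


class ReceiverVerifier:
    """Receiver-side state: the private sequence plus the windows already seen,
    so that a replayed broadcast cannot trigger a second reconfiguration."""

    def __init__(self, private: bytes, window_len: int = WINDOW_BYTES):
        self.private = private
        self.window_len = window_len
        self.used_offsets = set()

    def verify(self, broadcast: bytes) -> Optional[int]:
        """Offset of `broadcast` inside the private sequence when it is a fresh,
        full-length window; None for wrong content, short data or a replay."""
        if len(broadcast) != self.window_len:
            return None
        offset = self.private.find(broadcast)
        if offset < 0 or offset in self.used_offsets:
            return None
        self.used_offsets.add(offset)
        return offset


def regenerate_configuration(offset: int, private: bytes) -> dict:
    """Constructed configuration refresh (assumed scheme): derive the next
    recording instant and the next timestamping reference from the verified offset."""
    tag = hashlib.sha256(private[offset:offset + 8]).digest()
    return {
        "record_at_sample": int.from_bytes(tag[:2], "big"),
        "next_reference": private[offset + WINDOW_BYTES:offset + 2 * WINDOW_BYTES],
    }


def run_example():
    private = private_sequence(b"seed shared over the secure channel", 4096)
    receiver = ReceiverVerifier(private)
    window = public_subsequence(private, start=256)
    first = receiver.verify(window)         # 256: genuine window, triggers refresh
    replay = receiver.verify(window)        # None: this window was already consumed
    wrong_seed = receiver.verify(private_sequence(b"some other seed", WINDOW_BYTES))  # None
    truncated = receiver.verify(window[:8])  # None: not a full-length window
    config = regenerate_configuration(first, private) if first is not None else None
    return {"first": first, "replay": replay, "wrong_seed": wrong_seed,
            "truncated": truncated, "config": config}


if __name__ == "__main__":
    print(run_example())
```

The receiver stores only offsets it has already accepted, so the management system may later hand out any other window of the same private sequence without resharing the seed; when the sequence is exhausted a new seed is distributed over the secure channel.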
Figure 3 and Figure 4 schematically show an example of an embodiment of a first receiver system 100 and a second receiver system 200. It is understood that receiver system 200 is a receiver system similar to receiver system 100. Receiver system 200 may differ from receiver system 100 in that receiver system 100 is a master receiver system and receiver system 200 is a slave receiver system as described with reference to communication systems 10 and 20.
Receiver system 100 comprises an antenna interface 120, a communication interface 130, a storage interface 192, a processor 194, a memory 196 and a first time clock 198.
Antenna interface 120 is configured to receive a common signal from common transmitter 400 shown in Figures 1 and 2.
Communication interface 130 is configured to securely communicate with management system 300 shown in systems 10 and 20 of Figures 1 and 2 respectively. Communication interface 130 can securely exchange data with the management system indicative of a time when the common signal is to be observed by receiver system 100.
Clock generators 198, 298 are configured to generate a first time clock and a second time clock. For example the first time clock may be a master time clock and the second time clock a slave time clock requiring synchronization from the first time clock.
Processors 194, 294 may be configured to generate capability data defining an operational capability of receiver systems 100 and 200.
Processor 194 may be configured to generate the time indicating when the received common signal is observed by receiver system 100, and to synchronize the time clock with another time clock of another receiver system, based on a time difference between a time indicating when the received common signal is observed by the other receiver system and the generated time of observation. Synchronization is performed when required. It may be that the receiver system is a master receiver system and synchronization with another receiver system of the system is not required.
Antenna interfaces 120, 220 may be any type of antenna suitable for the specific implementation. For example antenna interface 120 may be, but it is not limited to, e.g., a Wi-Fi antenna, 3G, 4G or 5G antenna, or a satellite antenna, e.g., a GPS, GALILEO antenna, etc., or a combination thereof.
Receiver systems 100, 200 and the various systems 300, 500 of communication system 10 and 20 may communicate with each other over a secure communication channel 150, for example a computer network. Computer network 150 may be an internet, an intranet, a LAN, a WLAN, etc. Computer network 150 may be the Internet. The computer network may be wholly or partly wired, and/or wholly or partly wireless. For example, the computer network may comprise Ethernet connections. For example, the computer network may comprise wireless connections, such as Wi-Fi, ZigBee, and the like. In order to be secure, computer network 150 may be encrypted, for example a data stream encrypted by TCP/IP using e.g. asymmetric keys (RSA, DSA, etc.) may be used to encrypt the computer network.
The receiver systems comprise a connection interface which is arranged to communicate with other receiver systems of systems 10, 20 as needed. For example, the connection interface may comprise a connector, e.g., a wired connector, e.g., an Ethernet connector, or a wireless connector, e.g., an antenna, e.g., a Wi-Fi, 4G or 5G antenna. For example, first receiver system 100, and second receiver system 200 may comprise communication interface 130, 230 respectively. Communication interface 130, 230 may, e.g., be configured to send capability data to management system 300 and/or to receive configuration data from management system 300. Computer network 150 may comprise additional elements, e.g., a router, a hub, etc.
The execution of first receiver system 100 and second receiver system 200 may be implemented in a processor, e.g., a processor circuit, examples of which are shown herein.
In an embodiment, first receiver system 100, in particular processor 194 of first receiver system 100, may generate the cross-correlating function by cross-correlating (samples of) timestamping reference signals received from the management system and the common transmitter. The second receiver system 200, in particular processor 294 of second receiver system 200, may generate the cross-correlating function by comparing timestamping reference signals received from the management system and the common transmitter. Processors 194 and 294 determine first and second time instants (timestamps) as outputs of the respective cross-correlation functions, for example, when a cross-correlation level of the respective cross-correlating function exceeds a predetermined threshold.
In another embodiment, processors 194 and 294 may be configured to record a predetermined number of samples of the received common signal and to broadcast those samples via communication interfaces 130, 230 over secure communication channel 150.
For slave receiver systems, the processors may also be configured to cross-correlate, e.g. in time or frequency, the samples of the received common signal with the samples of the common signal received by a reference receiver system. Cross-correlation generates a cross-correlation function. The time of observation may be determined from, e.g., an output of the cross-correlation function. For example, these cross-correlation functions may be wholly or partially implemented in computer instructions that are stored at receiver systems 100 or 200, e.g., in an electronic memory of the receiver system, and are executable by a microprocessor of the receiver system. In hybrid embodiments, functional units are implemented partially in hardware, e.g., as coprocessors, e.g., crypto coprocessors, and partially in software stored and executed on receiver system 100 or 200.
Receiver systems 100, and 200 may comprise a storage interface to store and/or retrieve messages, possibly encrypted messages. For example, the storage interface may be implemented locally, e.g., as an interface to a memory comprised in the receiver system, e.g., memory 196, or 296, respectively. The storage interface may also interface with offline, e.g., non-local, storage, e.g., cloud storage, e.g., a storage such as a memory or a drive located in another receiver system. If cloud storage is used the receiver systems may comprise a local storage as well, e.g., a memory. For example, the memory may be used to store computer programming instructions, temporary storage of files and the like. Memories 196 and 296 may be used to store time stamps, outputs of the respective cross-correlating function. Alternatively, memories 196 and 296 may be used to store whole or part of random, e.g., cryptographic data used for triggering transmitter 400 and/or time clock synchronization.
Figure 5 schematically shows an example of an embodiment of a management system 300.
Management system 300 comprises a cryptographic data generator 315, a communication interface 330, a storage interface 392, a processor 394, and a memory 396.
Cryptographic data generator 315 may be a public key and/or private key generator, or a pseudo-random sequence generator. Generator 315 may include a true random number generator, usually hardware-based, that is used to obtain a random seed from which a pseudo-random sequence is generated. Instead of a true random number generator, a pseudo-random number generator may be used.
Communication interface 330 is configured to securely communicate with the receiver systems and in some embodiments with the gateway. Management system 300 is configured to receive via the communication interface 330 the capability data of receiver systems.
In an embodiment, cryptographic data generator 315 may generate a secret key in order to establish a secure communication with the receiver systems and, in some embodiments, with the gateway system. The secret key may be shared with the receiver systems via the respective communication interfaces. Processor 394 is configured to generate the configuration data for operatively configuring the receiver systems based on the capability data. The data transferred from the receiver systems to the management system, e.g. the capability data, may be encrypted with the secret key prior to transmitting them to the management system. Similarly, the data transferred from the management system to the receiver systems, e.g., the configuration data, may be encrypted with the secret key. Communication interface 330 is configured to send the configuration data, e.g., encrypted with the secret key, to the receiver systems, which may receive it via their respective communication interfaces.
Storage interface 392 of management system 300 may be configured to store the capability data of the respective receiver systems.
Processor 394 may be configured to decrypt the capability data when the data is encrypted with, e.g., the secret key.
Similarly, the processors of the receiver systems may be configured to decrypt the data received from the management system. A secure communication channel may thus be established using the secret key.
Figure 6 schematically shows an example of an embodiment of a transmitter 400.
Transmitter 400 comprises an antenna interface 420, a storage interface 492, a processor 494, and a memory 496. Antenna interface 420 may be configured to transmit the common signal to the receiver systems and/or to broadcast random cryptographic data received from the gateway system.
Processor 494 may be configured to modulate a carrier signal with a modulating signal according to a modulation scheme according to a suitable application. Storage interface 492 and/or memory 496 may be configured to store random
cryptographic data sent by the gateway system to transmitter 400. Storage interface 492 may retrieve such random cryptographic data from memory 496 and send it to the receiver systems via antenna interface 420.
Figure 7 schematically shows an example of an embodiment of a gateway system 500.
Gateway system 500 comprises an antenna interface 520, a communication interface 530, a storage interface 592, a processor 594, a memory 596.
Antenna interface 520 may transmit random cryptographic data to the transmitter. Similarly to the transmitter, random cryptographic data may be stored via storage interface 592 and/or in memory 596 prior to being sent to the transmitter. In an embodiment, gateway system 500 may be an Iridium gateway.
Communication interface 530 may securely communicate with management system 300 shown with reference to Figures 2 and 5. The gateway system may re-transmit data from the management system to the transmitter. A wired or wireless uplink communication is established with the transmitter. The transmitter can be triggered by the gateway system to send the common signal and/or random cryptographic data to the receiver systems. The common signal may comprise a timestamping reference signal as described above.
In the various embodiments of receiver systems 100, 200, management system 300, transmitter 400 and gateway system 500, the communication interface may be selected from various alternatives. For example, the interface may be a network interface to a local or wide area network, e.g., the Internet, a storage interface to an internal or external data storage, an application interface (API), etc.
The receiver systems 100, 200 and management system 300, gateway 500 may have a user interface, which may include well-known elements such as one or more buttons, a keyboard, display, touch screen, etc. The user interface may be arranged for accommodating user interaction for initiating a key agreement protocol, responding to a key agreement protocol, sending a message encrypted with a public key, decrypting a message with a public key, etc.
Storage may be implemented as an electronic memory, say a flash memory, or magnetic memory, say hard disk or the like. Storage may comprise multiple discrete memories together making up storage. Storage may also be a temporary memory, say a RAM.
Typically, systems or devices 100, 200, 300, 400 and 500 each comprise a microprocessor which executes appropriate software stored at the system or device; for example, that software may have been downloaded and/or stored in a corresponding memory, e.g., a volatile memory such as RAM or a non-volatile memory such as Flash. Alternatively, systems or devices 100, 200, 300, 400 and 500 may, in whole or in part, be implemented in programmable logic, e.g., as a field-programmable gate array (FPGA). Systems or devices 100, 200, 300, 400 and 500 may be implemented, in whole or in part, as a so-called application-specific integrated circuit (ASIC), e.g., an integrated circuit (IC) customized for their particular use. For example, the circuits may be implemented in CMOS, e.g., using a hardware description language such as Verilog, VHDL, etc. In an embodiment, systems or devices 100-500 may comprise one or more circuits to implement one or more or all of the functions of the respective system or device. The circuits may implement the corresponding functions described herein.
The circuits may be a processor circuit and storage circuit, the processor circuit executing instructions represented electronically in the storage circuits.
A processor circuit may be implemented in a distributed fashion, e.g., as multiple sub-processor circuits. A storage may be distributed over multiple distributed sub-storages. Part or all of the memory may be an electronic memory, magnetic memory, etc. For example, the storage may have volatile and a non-volatile part. Part of the storage may be read-only.
The circuits may also be an FPGA, an ASIC or the like.
Figure 8 schematically shows an example of a time clock synchronization method 600 according to an embodiment.
Method 600 enables secure synchronization of time clocks of receiver systems 100 and 200. Method 600 comprises: establishing 605 a secure communication channel 150 between the receiver systems 100 and 200, and a management system 300 using cryptographic keys; transmitting 610, 710 capability data 412, 416 to management system 300 via secure communication channel 150. Capability data 412, 416 defines an operational capability of receiver systems 100 and 200.
Method 600 comprises generating 617 by the management system configuration data 414, 418 for operatively configuring the receiver systems based on the capability data (412, 416). The configuration data comprises at least observation data indicating when a common signal is to be observed by each receiver system.
Method 600 further comprises sending 618 configuration data 414, 418 to receiver systems 100, 200 via the secure communication channel 150 and receiving 619, 719 configuration data from management system 300 via the secure communication channel 150.
Method 600 comprises configuring 620, 720 reception of the common signal at receiver systems 100 and 200, respectively, based on the configuration data. For example, the configuration data may set a reception bandwidth and a carrier frequency of receiver systems 100 and/or 200, in order for the receiver systems to receive a valid signal. The configuration data may comprise observation data based on which synchronization is performed.
Method 600 further comprises receiving 625, 725 by receiver systems 100, 200 the common signal via the secure communication channel, e.g. from a common transmitter 400 as shown in Figures 1, 2, and 6. At this point system receivers 100 and 200 are configured to receive a valid common signal from the transmitter.
Method 600 may further comprise synchronizing 690, 790 a first time clock of first receiver system 100 with a second time clock of second receiver system 200, based on a time difference between a first time indicating when the received common signal is observed by the first receiver system 100 and a second time indicating when the received common signal is observed by the second receiver system 200. The first receiver system may be a master receiver system and the second receiver system a slave receiver system. The master receiver system comprises a master time clock used as a reference for the slave receiver systems.
Synchronizing 690, 790 may further comprise: cross-correlating 630, 730 the observation data, e.g. a timestamping reference signal or a random sequence of data, with samples of the common signal, e.g., also a timestamping reference signal or a random sequence of data included in the received common signal, to generate a first cross-correlation function and a second cross-correlation function; determining 640 from the first cross-correlation function a first time and determining 740 from the second cross-correlation function a second time. Each time can be determined based on an output of the respective cross-correlation function. The process is iterative: if a high enough correlation is found between the two signals, a time, e.g., a timestamp, is generated; otherwise cross-correlation is repeated at the receiver systems until a high enough correlation is found between the two signals. Synchronizing 690 further comprises sending 650 the timestamp determined for receiver system 100 to receiver system 200 via secure channel 150. Synchronizing 790 further comprises retrieving 750 the timestamps of receiver systems 100 and 200, comparing 760 these timestamps to determine the time difference between the two, and correcting 770 the time clock of receiver system 200 based on the difference between the two timestamps.
Synchronization may be performed differently, in any other manner suitable for the specific implementation.
For example, Figure 9 schematically shows an example of a time clock synchronization method 700 according to another embodiment. Method 700 differs from method 600 in that method 700 comprises a different synchronization 695 and 795 in receiver systems 100 and 200, respectively.
Synchronization 695 comprises recording 622 a predetermined number of samples of the common signal, e.g., of the random sequence of data included in the common signal; optionally compressing 624 the samples with any compression algorithm suitable for the specific implementation. For example, compressing 624 may be a lossy compression, e.g., a low-resolution compression such as sub-Nyquist sampling with reduced/sparse bandwidth, to optimize the trade-off between data size and time-transfer performance; measuring 626 energy levels of the (compressed) samples to estimate signal activity and hence to be able to select a high-quality common signal; and broadcasting 626 the (compressed) samples of the common signal received by the first receiver system to the second receiver system via secure communication channel (150).
Synchronization 795 comprises obtaining 732 a coarse time and frequency synchronization from communication channel 150. The coarse synchronization may be obtained, for example, through a standard NTP implementation, allowing the receivers to be synchronized to, e.g., millisecond accuracy; recording 634 a predetermined number of samples of the common signal, e.g., of the random sequence of data included in the common signal received by receiver system 200; retrieving 755 the data, i.e. the random sequence of data/sequence of samples; cross-correlating 765 in time the samples of the common signal received by the first receiver system with the samples of the common signal received by the second receiver system to generate a cross-correlation function; determining 767 the time difference between the two sets of sequences from (an output of) the cross-correlation function; and correcting 770 the time clock of receiver system 200 by using the time difference.
It is understood that each of methods 600 and 700, or part of methods 600 or 700, can be performed in any of receiver systems 100 and/or 200 (for example, enabling secure synchronization of the time clocks), management system 300 (for managing secure synchronization of the time clocks), transmitter 440 or gateway system 500.
Cross-correlation of different samples or sequences of samples to calculate the time difference can be done in any manner suitable for the specific implementation. A method of cross-correlating samples or sequences of samples is described in the following. Cross-correlation can be performed at the processor of the receiver system and/or of the management system. The management system may be wholly or partially integrated in one of the receiver systems.
In an embodiment, the times, or the difference in time, when the common signal is received by each of the receiver systems correspond to an output of a cross-correlation function related to that time determination, e.g. exceeding a predetermined cross-correlation level. For example, Figure 11 schematically shows an example of a cross-correlation function. The graph in Figure 11 shows the output of a cross-correlation function 250. The ordinate shows the output of cross-correlation function 250, e.g. correlation values; the abscissa shows the time lag as a number of samples. Function 250 may have several peaks indicative of observed samples having high correlation with, e.g., reference samples, i.e. high correlation values at certain times.
In the example shown there are two peaks, first peak P1 and second peak P2 next to each other, indicating a relatively high correlation value at the corresponding (sample) time points.
In an embodiment, the processor of the receiver system or management system is configured to determine a number of correlation values e.g. exceeding a predetermined threshold. The processor may be configured to determine the time instants corresponding to said correlation values.
The peaks of the cross-correlation values above a certain predetermined cross-correlation level are, for example, determined and stored via the memory interface.
In an embodiment, the predetermined cross-correlation level is based on a ratio between two successive correlation peak values in the cross-correlation function.
For example, in an embodiment, the processor may be configured to determine a second peak correlation value in a time region in proximity of a first correlation peak value. In an embodiment, the time region where the second peak is determined is based on a multipath delay spread. The multipath delay spread is due to the delayed reception of the common signal caused by multipath reflection of the signal. This is visible in cross-correlation function 250, where the multipath delay spread has a bell shape around the first peak P1. For example, in an embodiment, the time region may be located next to the multipath delay spread and be proportional to the multipath delay spread, e.g., be a fraction or an integer multiple of the multipath delay spread. The processor may be configured to look for the second peak within a predetermined time window based on the multipath delay spread. In Figure 11, the second peak P2 is found on the left side of the first peak P1. However, the time window in which the processor looks for the second peak can be on the left side or the right side of the first peak.
In an embodiment, the processor may be configured to compute the ratio between the first peak P1 and the second peak P2. This is the so-called correlation ratio. The correlation ratio is compared to a predetermined threshold. If the correlation ratio is above the predetermined threshold, this may be an indication of high (true) correlation between the samples of the common signal and, e.g., reference samples of a reference signal.
The correlation ratio may be used to reject ambiguous measurements and/or to weight the clock correction.
For example, in an embodiment, synchronization of the time clocks may comprise generation of a clock correction factor. The clock correction factor may be used by the slave receiver system to correct its time clock with that of a master receiver system.
In an embodiment, the clock correction factor may be based on the correlation ratio. For example, the clock correction factor may be further processed, e.g., with a time correction algorithm, e.g., a Kalman filter, etc.
The advantage of using the method described with reference to Figure 10 is to prevent or reduce the occurrence of false positive results. In fact, if the correlation function outputs multiple peaks having similar correlation values, then there may be little confidence that the received common signal is unambiguous enough to produce an accurate estimate of a true clock delay. In the following the benefits of using such method are demonstrated by the results achieved with synchronizing the time clocks of receiver systems of an exemplary communication system.
For example, Figure 12 schematically shows an example of such communication system 11.
Communication system 11 comprises receiver systems 101 and 201 and management system 301. A secure communication channel is established between system receivers 101 and 201 and management system 301. System 11 has been tested using Software Defined Radio (SDR) platforms.
The system sampling bandwidth was set to 2, 5 and 10 MHz, and the carrier frequency was 1.62 GHz, which is inside the spectrum assigned to Iridium's satellites. Two Iridium patch antennas 121 and 221 were used for the measurement. The two receivers had no direct line of sight to the satellite.
The method of enabling secure synchronization of the time clock of system receiver 201 by means of the (master) time clock of system receiver 101 is similar to that described with reference to Figure 9. Synchronization/verification of the time clocks is performed offline after capturing the samples, using the management system 301, e.g. a host computer, and software, in this example Matlab. The method steps are as follows:
1) Establish a secure connection between system receivers 101, 201 and management system 301. For example, a secured LAN or the Internet can be used to connect system receivers 101, 201 with management system 301.
2) Record samples of the common signal received by receiver system 101 and receiver system 201. For example, the samples may be recorded for 500ms. However, it is understood that any suitable time window shorter or longer than 500ms can be chosen.
3) Read samples from receiver system 101 and receiver system 201.
4) Take a predetermined number of samples of the signal received by receiver system 101 and receiver system 201. For example, 50% of the samples within the 500ms time window may be taken for receiver system 101 and 100% for system receiver 201. However, any percentage below or above 50% may be taken for receiver system 101 and any percentage below 100% may be taken for receiver system 201.
5) Determine the maximum peak (P1) value in the cross-correlation function within the observed time window. Determine a second peak P2 outside of, but in the vicinity of, the first peak (P1), for example as in an embodiment described above. Determine the peak indexes, i.e. the corresponding time samples, corresponding to said peak values P1 and P2.
6) Compute Correlation Ratio (CR) as the ratio of the first peak Pl to the second peak P2, i.e. P1/P2.
7) If the correlation ratio is smaller than a predetermined threshold ignore the measurement and return to step 1. The threshold may be any number suitable for the specific implementation.
8) Compute the timing error of the time clock of receiver system 201 with reference to the time clock of receiver system 101 as the difference between the peak index corresponding to peak P1 and the expected delay in samples.
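Steps 5) to 8) above, together with the correlation-ratio gating around P1 and P2 described earlier (and the master-versus-slave sample correlation of synchronization 795, where the master's broadcast samples play the role of the reference), as an added example that is not the patent's or ESA's code. A Barker-13 code stands in for the random reference sequence, the slave capture is constructed synthetically, and the expected delay, multipath window and threshold values are assumptions.

```python
"""Correlation-ratio gating for clock-offset estimation (added example).

Constructed inputs only: a Barker-13 code stands in for the random reference
sequence, and the slave capture is built synthetically. Window, delay and
threshold values below are assumptions, not figures from the patent.
"""

# Constructed reference ("random sequence of data" / timestamping reference).
# Barker-13 has autocorrelation sidelobes of at most 1, so peaks are easy to read.
BARKER13 = [1, 1, 1, 1, 1, -1, -1, 1, 1, -1, 1, -1, 1]


def cross_correlate(reference, received):
    """Magnitude of the sliding correlation for every lag 0..len(received)-len(reference)."""
    n = len(reference)
    return [abs(sum(reference[i] * received[lag + i] for i in range(n)))
            for lag in range(len(received) - n + 1)]


def argmax_first(values):
    """Index of the largest value; on ties the earliest index wins."""
    best = 0
    for i, v in enumerate(values):
        if v > values[best]:
            best = i
    return best


def find_peaks(corr, multipath_spread):
    """P1 is the global maximum of the correlation function; P2 is the highest
    value outside a +/- multipath_spread window around P1, so that the multipath
    'bell' around P1 is not mistaken for a competing peak."""
    p1_idx = argmax_first(corr)
    outside = [(i, v) for i, v in enumerate(corr) if abs(i - p1_idx) > multipath_spread]
    if not outside:
        return p1_idx, corr[p1_idx], None, 0.0
    p2_idx, p2 = max(outside, key=lambda iv: iv[1])
    return p1_idx, corr[p1_idx], p2_idx, p2


def correlation_ratio(p1, p2):
    """CR = P1 / P2 (step 6); an absent second peak counts as unbounded confidence."""
    return float("inf") if p2 == 0 else p1 / p2


def estimate_timing_error(reference, received, expected_delay, multipath_spread, cr_threshold):
    """Steps 5-8: returns (timing_error_in_samples, CR). The error is None when the
    measurement is rejected because CR is below the threshold (step 7)."""
    corr = cross_correlate(reference, received)
    p1_idx, p1, _p2_idx, p2 = find_peaks(corr, multipath_spread)
    cr = correlation_ratio(p1, p2)
    if cr < cr_threshold:
        return None, cr
    return p1_idx - expected_delay, cr


def samples_to_ns(error_samples, sampling_bandwidth_hz):
    """One sample is 1/bandwidth: 2 MHz gives 500 ns per sample, 10 MHz gives 100 ns."""
    return error_samples * 1e9 / sampling_bandwidth_hz


def make_capture(reference, delay, length=200, echo_delay=None, echo_gain=0.0, copy_at=None):
    """Constructed slave-side capture: the reference arriving at `delay`, an optional
    attenuated multipath echo, and an optional second full-strength copy (ambiguity)."""
    samples = [0.0] * length
    for i, s in enumerate(reference):
        samples[delay + i] += s
        if echo_delay is not None:
            samples[echo_delay + i] += echo_gain * s
        if copy_at is not None:
            samples[copy_at + i] += s
    return samples


if __name__ == "__main__":
    # Assumed values: coarse sync (e.g. NTP) predicts the signal 38 samples in,
    # a multipath spread of 5 samples, and a CR threshold of 3.
    clean = make_capture(BARKER13, delay=40, echo_delay=43, echo_gain=0.5)
    err, cr = estimate_timing_error(BARKER13, clean, 38, 5, 3.0)
    print("clean capture: error", err, "samples =", samples_to_ns(err, 2e6), "ns, CR", cr)
    ambiguous = make_capture(BARKER13, delay=40, copy_at=120)
    err, cr = estimate_timing_error(BARKER13, ambiguous, 38, 5, 3.0)
    print("ambiguous capture:", "rejected" if err is None else "accepted", "CR", cr)
```

The second capture contains two equally strong copies of the reference, the situation the text describes as giving little confidence in the clock delay; its CR of 1 falls below the threshold and the measurement is discarded rather than fed to the clock correction.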
Figures 13 to 17 show the results obtained using the synchronization method above with regard to the accuracy of computing the timing error. It is noted that in all these measurements, for test purposes and in order to validate the method above, the time clocks of the two receiver systems were mutually pre-synchronized. The measured timing error should therefore be zero or close to zero.
Figure 13 shows a graph of synchronization timing error measurements for an embodiment of a communication system similar to system 11 described with reference to Figure 12.
These measurements are performed with a sampling bandwidth of 2 MHz, i.e. with 500ns resolution. The upper graph of Figure 13 shows the timing error versus the number of measurements without filtering the measurements with method step 7) described above. In other words, in the upper graph, the condition set out in step 7) is skipped and all measurements are used for calculating the timing error.
In the lower graph of Figure 13, the timing error versus samples is shown in case step 7) above is performed. Measurements with a cross-correlation ratio below a predetermined threshold are skipped. Measurements with a cross-correlation ratio exceeding a predetermined threshold are taken into account.
As can be seen from the graphs, the timing error shown in the lower graph, computed with the method above, is closer to the real value than the timing error shown in the upper graph, computed for all measurements.
The accuracy has been drastically improved.
Figure 14 shows a graph of the cumulative distribution function of the absolute value of the measured timing error versus the (absolute value of the) timing error measured in nanoseconds (ns) shown in Figure 13. The cumulative distribution function of Figure 14 shows how many samples (indicated in percent on the Y axis) have a timing error below a certain value (indicated in nanoseconds on the X axis). Cumulative distribution function 262 corresponds to the unfiltered measurements of the upper graph of Figure 13. Cumulative distribution function 262 is much lower than 1. Cumulative distribution function 261 corresponds to the filtered measurements of the lower graph of Figure 13. Cumulative distribution function 261 is close to 1, meaning that the filtered measurements, i.e. those based on the cross-correlation ratio, give much more accurate results. In particular, cumulative distribution function 261 shows that approximately 95% of the samples have a timing error below 1000ns and that approximately 98% of the samples have a timing error below 2000ns.
Similarly, Figures 15 and 16 show graphs similar to those shown in Figures 13 and 14, respectively, but for a higher sampling bandwidth, i.e. for 10 MHz bandwidth, i.e. for a resolution of 100 ns.
As can be seen in Figure 16, curve 272 shows the cumulative distribution function of the unfiltered measurements of the upper graph of Figure 15. Cumulative distribution function 272 is much lower than 1. Cumulative distribution function 271 corresponds to the filtered measurements of the lower graph of Figure 15. Cumulative distribution function 271 is close to 1, meaning that the filtered measurements, i.e. those based on the cross-correlation ratio, give much more accurate results. By performing synchronization by means of the cross-correlation ratio described above, accuracy is improved. For example, Figure 16 shows that an accuracy below 100 ns (less than 1 sample of error) is achieved in more than 90% of the observed samples.
It is noted that the error typically decreases proportionally with the bandwidth. Larger bandwidths lead to lower errors and vice versa.
Figure 17 shows a graph of the cumulative probability of error, in percent, versus the cross-correlation ratio, measured for an embodiment of a communication system. The probability of error is shown for four different accuracy levels 281, 282, 283 and 284, corresponding to 0ns, 500ns, 1000ns and 1500ns, respectively. The measurements are performed at a specific bandwidth, in this exemplary test at 2MHz bandwidth. Figure 17 shows that for higher accuracy a larger value of the correlation ratio can be chosen.
It will be appreciated that the invention also extends to computer programs, particularly computer programs on or in a carrier, adapted for putting the invention into practice. The program may be in the form of source code, object code, a code intermediate between source and object code such as a partially compiled form, or in any other form suitable for use in the implementation of an embodiment of the methods. An embodiment relating to a computer program product comprises computer executable instructions corresponding to each of the processing steps of at least one of the methods set forth. These instructions may be subdivided into subroutines and/or be stored in one or more files that may be linked statically or dynamically. Another embodiment relating to a computer program product comprises computer executable instructions corresponding to each of the means of at least one of the systems and/or products set forth.
Figure 10a shows a computer readable medium 1000 having a writable part 1010 comprising a computer program 1020, the computer program 1020 comprising instructions for causing a processor system to perform a method of enabling secure synchronization of time clocks, a method of managing secure synchronization of time clocks, or a receiver method of enabling secure synchronization of time clocks according to an embodiment. The computer program 1020 may be embodied on the computer readable medium 1000 as physical marks or by means of magnetization of the computer readable medium 1000. However, any other suitable embodiment is conceivable as well. Furthermore, it will be appreciated that, although the computer readable medium 1000 is shown here as an optical disc, the computer readable medium 1000 may be any suitable computer readable medium, such as a hard disk, solid state memory, flash memory, etc., and may be non-recordable or recordable. The computer program 1020 comprises instructions for causing a processor system to perform said clock synchronization method.
Figure 10b shows a schematic representation of a processor system 1140 according to an embodiment of a device, e.g., a receiver system, a management system or a gateway system. The processor system comprises one or more integrated circuits 1110. The architecture of the one or more integrated circuits 1110 is schematically shown in Fig. 8b. Circuit 1110 comprises a processing unit 1120, e.g., a CPU, for running computer program components to execute a method according to an embodiment and/or implement its modules or units. Circuit 1110 comprises a memory 1122 for storing programming code, data, etc. Part of memory 1122 may be read-only. Circuit 1110 may comprise a communication element 1126, e.g., an antenna, connectors or both, and the like. Circuit 1110 may comprise a dedicated integrated circuit 1124 for performing part or all of the processing defined in the method. Processor 1120, memory 1122, dedicated IC 1124 and communication element 1126 may be connected to each other via an interconnect 1130, say a bus. The processor system 1110 may be arranged for contact and/or contact-less communication, using an antenna and/or connectors, respectively.
For example, in an embodiment, processor system 1140, e.g., the receiver system, the management system or the gateway system, may comprise a processor circuit and a memory circuit, the processor being arranged to execute software stored in the memory circuit. For example, the processor circuit may be an Intel Core i7 processor, ARM Cortex-R8, etc. In an embodiment, the processor circuit may be an ARM Cortex M0. The memory circuit may be a ROM circuit, or a non-volatile memory, e.g., a flash memory. The memory circuit may be a volatile memory, e.g., an SRAM memory. In the latter case, the device may comprise a non-volatile software interface, e.g., a hard drive, a network interface, etc., arranged for providing the software.
It should be noted that the above-mentioned embodiments illustrate rather than limit the invention, and that those skilled in the art will be able to design many alternative embodiments. For example, in the embodiments describing methods 600 and 700, the methods' steps are presented in a certain order. However, the order may be swapped.
In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. Use of the verb 'comprise' and its conjugations does not exclude the presence of elements or steps other than those stated in a claim. The article 'a' or 'an' preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In the device claim enumerating several means, several of these means may be embodied by one and the same item of hardware. The mere fact that certain measures are recited in mutually different dependent claims does not indicate that a combination of these measures cannot be used to advantage.
In the claims references in parentheses refer to reference signs in drawings of exemplifying embodiments or to formulas of embodiments, thus increasing the intelligibility of the claim. These references shall not be construed as limiting the claim.

Claims

1. Method (600, 700) of enabling secure synchronization of time clocks of a plurality of receiver systems (100, 200), comprising
- by a management system, establishing (605) a secure communication channel (150) between the receiver systems (100, 200) and the management system (300) using cryptographic keys,
- by the receiver systems (100, 200), receiving (625, 725) a common signal (410) from a common transmitter (400), the receiver systems being configured to mutually synchronize their time clocks based on a difference in time when the common signal is to be observed by each of the receiver systems, and
- mutually synchronizing (690, 790; 695, 795) the time clocks by exchanging data via the secure communication channel, the data being indicative of said difference in time.
2. Method according to claim 1, further comprising:
- by the management system, generating (617) configuration data (414, 418) for operatively configuring the receiver systems, the configuration data comprising observation data indicating when the received common signal is to be observed by each receiver system, the exchanged data comprising said configuration data,
- by the management system, sending (618) the configuration data (414, 418) to the receiver systems (100, 200) via the secure communication channel (150), and
- by the receiver systems, configuring (620, 720) said receiving of the common signal (410) based on the configuration data.
3. Method according to claim 2, further comprising:
- by the receiver systems (100, 200), sending (610, 710) capability data to the management system (300) via the secure communication channel (150), the capability data defining an operational capability of the receiver systems, the exchanged data comprising said capability data, and
- by the management system (300), generating (617) the configuration data for the receiver systems based on the capability data.
4. Method (600) according to any of the claims 2 or 3, wherein the observation data comprises samples of a timestamping reference signal, and wherein synchronizing (690, 790) comprises
- cross-correlating (630, 730) the samples of the timestamping reference signal with samples of the common signal to generate a cross-correlation function,
- by each receiver, determining (640, 740) a timestamp output from the cross-correlation function,
- broadcasting (650) the timestamp output of a first receiver system to at least a second receiver system (200) via the secure communication channel,
- by the second receiver system (200), determining (760) a difference in time between the timestamp outputs,
- correcting (770) the clock time of the second receiver system by using the time difference.
5. Method (700) according to any of the claims 2 or 3, wherein the observation data comprises a predetermined time at which at least a receiver system (100, 200) starts recording a predetermined number of samples of the common signal, and wherein synchronizing comprises
- by the receiver systems, recording (622, 634) the predetermined number of samples of the common signal,
- by at least a first receiver system (100), broadcasting (626) the samples of the common signal to at least a second receiver system via the secure communication channel,
- by the second receiver system, cross-correlating (765) the samples of the common signal received from the first receiver system with the samples of the common signal received by the second receiver system to generate a cross-correlation function, determining (767) the time difference from the cross-correlation function, correcting (770) the time clock of the second receiver by using the time difference, and optionally, prior to broadcasting (626) the samples of the common signal.
6. Method according to any of the claims 4 or 5, wherein the timestamp output or the time difference is determined based on an output of the respective cross-correlation function exceeding a predetermined cross-correlation level.
7. Method according to claim 6, wherein the predetermined cross-correlation level is based on a ratio between two successive correlation peak values in the cross-correlation function.
8. Method according to any one of the preceding claims, wherein establishing the secure communication channel (150) comprises:
- generating a secret key,
- sharing the secret key between the receiver systems,
- encrypting the data with the secret key prior to exchanging the data.
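The cross-correlation steps of claims 4 to 7 and the key-protected sample exchange of claim 8, worked through as an added Python example; this is not code from the patent or from ESA. It constructs a +/-1 chip sequence as the common signal, two captures whose start differs by a constructed 7-sample clock offset, a constructed timestamping reference taken from that signal, and a hypothetical HMAC-SHA256 tag under a pre-shared key in place of the channel's encryption (integrity only; confidentiality is left to the transport). The 1 MS/s sample period, the noise level, the random seeds and the reading of claim 7 as "largest peak over runner-up" are all assumptions.

```python
import hashlib
import hmac
import random
import struct

SAMPLE_PERIOD_S = 1e-6        # assumed: common signal sampled at 1 MS/s
CLOCK_OFFSET_SAMPLES = 7      # constructed: receiver B's clock lags receiver A by 7 samples
RATIO_THRESHOLD = 2.0         # claim 7 reading (assumed): main peak must beat runner-up by this ratio
TAG_LEN = 32                  # HMAC-SHA256 tag length


def make_common_signal(length, seed=1):
    """Constructed stand-in for the common transmitter's waveform: +/-1 chips."""
    rng = random.Random(seed)
    return [rng.choice((-1.0, 1.0)) for _ in range(length)]


def capture(signal, start, count, seed):
    """A receiver records `count` samples beginning at local sample index `start`,
    with constructed Gaussian noise (sigma 0.1) so the two captures differ."""
    rng = random.Random(seed)
    return [signal[start + i] + rng.gauss(0.0, 0.1) for i in range(count)]


def cross_correlate(ref, obs, lags):
    """Normalised cross-correlation of obs against ref; a peak at lag k means
    obs[i] lines up with ref[i + k]. Only overlapping samples contribute."""
    out = {}
    for lag in lags:
        acc, n = 0.0, 0
        for i, o in enumerate(obs):
            j = i + lag
            if 0 <= j < len(ref):
                acc += ref[j] * o
                n += 1
        out[lag] = acc / n if n else 0.0
    return out


def pick_peak(corr):
    """Claims 6/7 decision: accept the largest |correlation| only if it exceeds
    the second-largest by RATIO_THRESHOLD. Returns (lag, accepted, ratio)."""
    ranked = sorted(corr.items(), key=lambda kv: abs(kv[1]), reverse=True)
    (lag, best), (_, runner_up) = ranked[0], ranked[1]
    ratio = abs(best) / max(abs(runner_up), 1e-12)
    return lag, ratio >= RATIO_THRESHOLD, ratio


def timestamp_from_reference(cap, reference):
    """Claim 4: correlate the timestamping reference from the configuration data
    against the receiver's capture; the accepted peak lag is the local sample
    index at which the reference was observed, i.e. the receiver's timestamp."""
    lags = range(0, len(cap) - len(reference) + 1)   # full-overlap lags only
    return pick_peak(cross_correlate(cap, reference, lags))


def seal(samples, key):
    """Claim 8 (integrity part, hypothetical): samples travel with an HMAC tag
    under the shared secret key. Encryption is left to the transport here."""
    body = struct.pack("<%dd" % len(samples), *samples)
    return body + hmac.new(key, body, hashlib.sha256).digest()


def open_sealed(blob, key):
    """Reject any sample block whose tag does not verify: a forged block would
    otherwise steer the peer's clock correction."""
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag):
        return None
    return list(struct.unpack("<%dd" % (len(body) // 8), body))


def correct_clock(local_time_s, offset_samples):
    """Apply the measured offset (in samples) to the receiver's clock."""
    return local_time_s + offset_samples * SAMPLE_PERIOD_S


def run_scenario():
    key = b"secret-key-shared-over-the-secure-channel"   # assumed pre-shared (claim 8)
    signal = make_common_signal(600)
    cap_a = capture(signal, 100, 256, seed=2)                          # A records when its clock says T
    cap_b = capture(signal, 100 + CLOCK_OFFSET_SAMPLES, 256, seed=3)   # B's clock lags, so it records later
    reference = signal[150:278]   # constructed timestamping reference sent by the management system

    # Claim 4 path: each receiver timestamps the reference locally; B takes the difference.
    ts_a, ok_a, _ = timestamp_from_reference(cap_a, reference)
    ts_b, ok_b, _ = timestamp_from_reference(cap_b, reference)

    # Claim 5 path: A broadcasts its raw samples; B verifies the tag, then correlates with its own.
    blob = seal(cap_a, key)
    samples_from_a = open_sealed(blob, key)
    lag, ok5, _ = pick_peak(cross_correlate(samples_from_a, cap_b, range(-20, 21)))

    # A tampered block (one bit flipped) must be rejected before any correlation runs.
    tampered = bytearray(blob)
    tampered[8] ^= 0x01
    return {
        "claim4_offset_samples": ts_a - ts_b,
        "claim4_accepted": ok_a and ok_b,
        "claim5_offset_samples": lag,
        "claim5_accepted": ok5,
        "tampered_rejected": open_sealed(bytes(tampered), key) is None,
        "corrected_clock_s": correct_clock(1.0, lag),
    }


if __name__ == "__main__":
    print(run_scenario())
```

Both paths recover the constructed 7-sample offset from the same correlation helper: in the claim 4 path the receivers exchange only a timestamp each, in the claim 5 path one receiver ships its whole capture, so the second path costs more channel bandwidth but needs no reference waveform in the configuration data. The peak-ratio gate rejects a correlation whose main peak is not clearly separated from the sidelobes, and the tag check runs before the correlation so that an unauthenticated block never influences the clock. Sub-sample resolution would need interpolation around the peak, which this example does not attempt.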
9. Method according to any of the claims 2 to 8, wherein
the configuration data further comprise one or more of the group of: carrier frequency, frequency bandwidth, and time of data recording of the common signal, and/or wherein
the configuration data is periodically re-generated by the management system and sent by the management system to the receiver systems via the secure communication channel.
10. Method according to any of claims 2 to 9, further comprising
- by the management system, generating random cryptographic data,
- broadcasting the random cryptographic data to the receiver systems via the secure communication channel,
- sending the random cryptographic data to the common transmitter via a gateway system,
- sending the random cryptographic data to the receiver systems from the common transmitter,
- re-generating the configuration data based on a reception of the random cryptographic data, and optionally
- updating periodically the random cryptographic data.
11. Method according to any of the claims 9 or 10, wherein the random cryptographic data comprises a public key and a private key corresponding to the public key, the private key being transmitted to the receiver systems, the public key being transmitted to the common transmitter.
12. A method of managing secure synchronization of time clocks of a plurality of receiver systems, wherein the receiver systems are configured to mutually synchronize their time clocks by exchanging data via a secure communication channel, the method comprising:
- by a management system, generating cryptographic keys to establish the secure communication channel (150) between the receiver systems (100, 200) and the management system,
- by the management system, securely communicating with the receiver systems (100, 200) via the secure communication channel to exchange said data, the data indicative of a difference in time when a common signal received by the receiver systems is to be observed by each receiver system, and
13. A receiver method of enabling secure synchronization of time clocks of a plurality of receiver systems, comprising
- by the receiver systems, securely communicating with a management system via a secure communication channel using cryptographic keys,
- by the receiver systems, receiving a common signal from a common transmitter (400),
- mutually synchronizing the time clocks by exchanging data with the management system via the secure communication channel, the data indicative of a difference in time when the common signal is received by each of the receiver systems.
14. A computer readable medium (1000) comprising transitory or non-transitory data (1020) representing instructions to cause a processor system to perform the method according to claims 1 to 11 or the method of claim 12 or the method of claim 13.
15. A management system (300) for managing secure synchronization of time clocks of a plurality of receiver systems, comprising:
- a processor (394) configured to generate cryptographic keys to establish a secure communication channel (150) with the plurality of receiver systems (100, 200),
- a communication interface (330) configured to securely communicate with the receiver systems (100, 200) via the secure communication channel using the cryptographic keys and to exchange, via said channel, data indicative of the difference in time when a common signal received by the receiver systems is to be observed by each receiver system.
16. A management system (300) according to claim 15, wherein
the processor (394) is configured to generate configuration data (414, 418) for operatively configuring the receiver systems, the configuration data comprising observation data indicating when the received common signal is to be observed by each receiver system, the exchanged data comprising said configuration data, and wherein the communication interface (330) is configured to send the configuration data to the receiver systems via the secure communication channel.
17. A management system (300) according to claim 16, wherein
the communication interface is configured to receive capability data from the receiver systems (100, 200) via the secure communication channel, the capability data defining an operational capability of the at least one receiver, the exchanged data comprising said capability data, and wherein
the processor (394) is configured to generate the configuration data based on the capability data.
18. A management system (300) according to any of the claims 15 to 17, further comprising a cryptographic data generator (315) configured to generate random cryptographic data.
19. A receiver system (100, 200) comprising:
- an antenna interface (120, 220) configured to receive a common signal from a common transmitter (400),
- a communication interface (130, 230) configured to securely communicate with a management system (300) to establish a secure communication channel with the management system (300) using cryptographic keys, and to exchange data with the management system via the secure communication channel, the data indicative of a time when the common signal is to be observed by the receiver system,
- a clock generator (198, 298) configured to generate a time clock,
- a processor (294) configured to synchronize the time clock with another time clock of another receiver system (100) based on exchanged data indicative of a difference in time when the common signal is observed by the other receiver system (100) and the receiver system (200).
20. A receiver system (100) according to claim 19, wherein
the communication interface (130) is configured to receive configuration data from the management system (300), the configuration data for operatively configuring the receiver system, the configuration data comprising observation data indicating when the received common signal is to be observed by each receiver system, the exchanged data comprising said configuration data, and wherein
the processor (194, 294) is configured to configure a reception of the common signal (410) based on the configuration data.
21. A receiver system (100) according to claim 20, wherein
the processor (194, 294) is configured to generate capability data defining an operational capability of the receiver system, the exchanged data comprising said capability data, wherein
the communication interface (130, 230) is configured to send the capability data to the management system via the secure communication channel, and wherein the management system is configured to generate the configuration data based on said capability data.
22. A communication system (10) comprising
- a plurality of receiver systems (100, 200) according to any of the claims 19 to 21,
- a management system (300) according to any of the claims 15 to 18, wherein the management system (300) is configured to establish the secure communication channel (150) between the communication interfaces of the receiver systems (100, 200) and the management system (300) using cryptographic keys, and
- a transmitter (400) configured to transmit the common signal to the receiver systems (100, 200).
23. A communication system (20) according to claim 22 and dependent on claim 18, further comprising a gateway system (500) configured to trigger the transmitter (400) to send the random cryptographic data to the receiver systems (100, 200).

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/EP2018/074152 WO2020048612A1 (en) 2018-09-07 2018-09-07 Secure clock syncronization

Publications (1)

Publication Number Publication Date
WO2020048612A1 true WO2020048612A1 (en) 2020-03-12

Family

ID=63528794

Country Status (1)

Country Link
WO (1) WO2020048612A1 (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20100127923A1 (en) * 2008-11-24 2010-05-27 Andrew Llc System and method for determining falsified satellite measurements
US20120177027A1 (en) 2011-01-06 2012-07-12 Atheros Communications, Inc. System and method for time synchronizing wireless network access points
US20170195362A1 (en) * 2015-12-30 2017-07-06 Schweitzer Engineering Laboratories, Inc. Time Signal Manipulation and Spoofing Detection Based on a Latency of a Communication System

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
"3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Security of Home Node B (HNB) / Home evolved Node B (HeNB) (Release 15)", 3GPP STANDARD; TECHNICAL SPECIFICATION; 3GPP TS 33.320, 3RD GENERATION PARTNERSHIP PROJECT (3GPP), MOBILE COMPETENCE CENTRE ; 650, ROUTE DES LUCIOLES ; F-06921 SOPHIA-ANTIPOLIS CEDEX ; FRANCE, vol. SA WG3, no. V15.0.0, 22 June 2018 (2018-06-22), pages 1 - 40, XP051473872 *

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 18766238; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
32PN Ep: public notification in the ep bulletin as address of the adressee cannot be established (Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205 DATED 10.06.2021))
122 Ep: pct application non-entry in european phase (Ref document number: 18766238; Country of ref document: EP; Kind code of ref document: A1)