WO2023156005A1 - Central computer system, storage computer, access management computer and method to operate a central computer system - Google Patents


Info

Publication number
WO2023156005A1
Authority
WO
WIPO (PCT)
Prior art keywords
measurement data
data
user
computer
computer system
Application number
PCT/EP2022/054156
Other languages
French (fr)
Inventor
Oliver SCHIMMEL
Original Assignee
Cariad Se
Application filed by Cariad SE
Priority to PCT/EP2022/054156
Publication of WO2023156005A1

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/10: Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L 63/102: Entity profiles
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/60: Protecting data
    • G06F 21/62: Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F 21/6209: Protecting access to data via a platform, e.g. using keys or access control rules, to a single file or object, e.g. in a secure envelope, encrypted and accessed using a key, or with access control rules appended to the object itself
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/08: Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0823: Network architectures or network communication protocols for network security for authentication of entities using certificates

Definitions

  • Central computer system, storage computer, access management computer and method to operate a central computer system
  • the invention is concerned with a central computer system, a storage computer, an access management computer and a method to operate a central computer system.
  • the measurement data may be used to find errors occurring during the operation of the vehicles.
  • a necessary amount of measurement data cannot be provided solely by the collection of measurement data provided by special test vehicles, used by test drivers of a manufacturer. Therefore, it is necessary to collect measurement data provided by vehicles of customers.
  • the collection of measurement data is performed during measurement campaigns, wherein predefined measurement data are recorded by the vehicles.
  • the measurement data are transmitted to a central system of the manufacturer.
  • the measurement data is collected centrally in a mass data storage, from where it can then be made available for analysis.
  • a mass data storage is preferably not provided by the same central computer system that also controls the measurement campaign, but is rented, for example, from a service provider as a so-called cloud storage.
  • this can result in this service provider gaining insight into measurement data, which could allow undesired conclusions to be drawn about motor vehicle-related or even personal data.
  • it is known from EP 3 148 152 A1 that control units of motor vehicles can be equipped with a cryptographic master key that can be used for communication of the respective control unit with a stationary central computer system.
  • the measurement data from different measurement campaigns can be encrypted with respective vehicle-specific keys or with a master key that applies to all motor vehicles and then stored in a mass data storage. However, when this mass data storage is accessed, the measurement data from each measurement campaign can then be decrypted, so that a campaign operator of a single measurement campaign may have access to more measurement data than he is entitled to according to the measurement campaign he initiated.
  • the key may be campaign specific.
  • the key may be distributed among authorized users to allow an access to the measurement data.
  • the use of encrypted data may restrict access to the measurement data.
  • if a user shares or loses his key, users without an authorization may decrypt the measurement data. If a user decrypts the measurement data, the decrypted data are not protected on the user's device.
  • WO 2014 / 092 890 A1 describes an encryption-based data access management.
  • the encryption-based data access management may include a variety of processes.
  • a device may transmit a user authentication request for decrypting encrypted data to a data storage server storing the encrypted data.
  • the computing device may then receive a validation token associated with the user’s authentication request, the validation token indicating that the user is authenticated to a domain.
  • the computing device may transmit the validation token to a first key server, different from the data storage server.
  • the computing device may receive, from the first key server a key required for decrypting the encrypted data.
  • the device may then decrypt at least a portion of the encrypted data using the key.
  • the key may be exported by the user. Therefore, it is possible for the authorized user to pass the key to unauthorized users, who can thus gain unauthorized access to the encrypted data.
  • the invention comprises a central computer system configured to provide measurement data.
  • the measurement data may be provided to the central computer system by a fleet of vehicles.
  • the fleet of vehicles may have collected the measurement data in a measurement campaign.
  • the measurement data may comprise operational data of the vehicle’s engine.
  • the measurement data may be provided to authorized users by the central computer system.
  • the central computer system is configured to provide an access to the measurement data to authorized users.
  • the central computer system comprises a storage computer configured to store the measurement data.
  • the storage computer may be designed as a server or a server network.
  • the measurement data may be stored on a hard disc of the storage computer.
  • the measurement data are encrypted by a specific cryptographic key.
  • the central computer system comprises an access management computer configured to store the specific cryptographic key wherein the access management computer is configured to check a data access request of a user for the measurement data.
  • the specific cryptographic key that is needed to decrypt the measurement data on the storage computer is saved in the access management computer.
  • the access management computer is configured to receive the data access request of the user.
  • the data access request may be designed as a message sent from a computer of the user to the access management computer via Ethernet.
  • the message may comprise a request to access the measurement data on the storage computer.
  • the access management computer is configured to check whether the data access request of the user is valid.
  • the access management computer is configured to provide the specific cryptographic key to the storage computer upon approval of the data access request of the user for the measurement data. In other words, the access management computer is configured to prove whether the access to the measurement data, as requested in the data access request is allowed.
  • the access management computer is configured to send the specific cryptographic key to the storage computer in case the data access as requested is allowed, to allow a decryption of the measurement data.
  • the storage computer is configured to decrypt the measurement data by means of the specific cryptographic key and to provide the decrypted measurement data at an output interface to the user. In other words, the storage computer is configured to receive the cryptographic key and to use the received cryptographic key to decrypt the encrypted data.
  • the decrypted measurement data are provided by the storage computer at an output interface of the storage computer.
  • the invention has the advantage that the cryptographic key is stored on the access management computer and provided to the storage computer to decrypt the measurement data. Therefore, the cryptographic key does not leave the central computer system.
  • the invention also comprises embodiments that provide features which afford additional technical advantages.
  • the data access request of the user comprises a cryptographic certificate.
  • the data access request of the user comprises a file to allow an authentication at the access management computer.
  • the cryptographic certificate may be a digital signature, signing a content of the data access request.
  • the cryptographic certificate may comply with RSA, DSA and other cryptographic signature standards, known from the state of the art.
  • the check of the data access request comprises a check of a validity of the cryptographic certificate.
  • the access management computer is configured to prove the validity of the cryptographic certificate during the check of the data access request.
  • the approval of the data access request requires a validity of the cryptographic certificate.
  • the access management computer is configured to approve the data access request only if the cryptographic certificate is valid.
  • the validity may require a successful check of the cryptographic certificate, a time validity of a key used for the cryptographic certificate and a non-revoked-state of the key used for the cryptographic certificate.
  • the cryptographic certificate comprises an identity of the user.
  • the cryptographic certificate is linked to the identity of the user.
  • the cryptographic certificate allows an authentication of the identity of the user by the access management computer.
  • the check of the data access request comprises a check of an access authorization of the identity to the measurement data.
  • the access management computer is configured to check the identity's authorization to access the measurement data when checking the data access request.
  • a data base describing identity access rights to the measurement data may be stored in the access management computer.
  • the access management computer is configured to read the database to verify that the identity is authorized for the requested access to the measurement data.
  • the approval of the data access request requires a valid access authorization of the identity to the measurement data.
  • the access management computer is configured to authorize access to the measurement data only if the identity is authorized to access the requested measurement data.
  • the cryptographic certificate comprises a role description of the user.
  • the cryptographic certificate describes a role or the user's membership in a user group associated with the requested measurement data.
  • the role may depend on the privileges of the user related to the measurement data.
  • the role may include an administrator status that states that the user has the right to describe, read, and execute the measurement data without restriction.
  • the role may include a default status that states that the user has the right to read and execute the measurement data without restriction.
  • the role can include a restricted status, which means that the user has the right to read and execute only a part of the measurement data without restriction.
  • the approval of the data access request requires a valid access authorization of the role description to the measurement data.
  • the access management computer is configured to grant the requested access to the requested measurement data only if a scope of the request is covered by the role privileges of the user's role.
  • the cryptographic certificate complies with X.509-standard.
  • the cryptographic certificate is an end-entity certificate according to X.509-standard.
  • the cryptographic certificate may be digitally signed by means of a certificate of an authority.
  • the embodiment has the advantage of enabling centralized user access management according to a common standard. This means that access management can be carried out by a company's existing systems.
  • the specific cryptographic key is designed as a symmetric key.
  • the decryption and encryption of the measurement data are performed by using the same key.
  • Examples of symmetric encryption methods comprise 3DES (Triple Data Encryption Standard) or AES (Advanced Encryption Standard).
  • the specific cryptographic key is designed as an asymmetric key.
  • at least a part of the encrypted data are encrypted by means of an asymmetric key.
  • the cryptographic key may be designed as a key-pair, wherein the key-pair comprises a private key, configured to encrypt at least the part of the data and a public key configured to decrypt at least the part of the measurement data.
  • Asymmetric encryption methods may comprise ECC (Elliptic-Curve Cryptography) or RSA (Rivest-Shamir-Adleman).
  • the cryptographic key may be configured to decrypt a part of the measurement data comprising a symmetric key, wherein the measurement data are encrypted by the symmetric key. This method is known as hybrid encryption using a key encapsulation mechanism (KEM).
  • the decrypted measurement data are provided at the output interface inside a sandbox environment of the storage computer.
  • the decrypted measurement data are provided in a sandbox environment that can be accessed by the user via the output interface of the storage computer.
  • the encrypted measurement data may be provided in the sandbox environment after decryption.
  • the sandbox environment may be configured as a container environment or a virtual machine, wherein an export of the measurement data out of the sandbox environment may be restricted.
  • the user may analyze the measurement data inside the environment using programs inside the sandbox environment.
  • An export of the measurement data outside the sandbox environment may be restricted. For example, processing the measurement data outside the environment or exporting the measurement data from the environment to another device may be blocked.
  • the embodiment has the advantage that the data can only be accessed via the computer and, unauthorized disclosure of the data after decryption may be prevented.
  • the invention comprises a storage computer of a central computer system, configured to store the measurement data , wherein the measurement data are encrypted by a specific cryptographic key.
  • the storage computer is configured to receive the specific cryptographic key and to decrypt the measurement data by means of the specific cryptographic key, and to provide the decrypted measurement data at an output interface to the user.
  • the invention comprises an access management computer of a central computer system.
  • the access management computer of the central computer system is configured to store a specific cryptographic key to decrypt measurement data, stored on a storage computer.
  • the access management computer is configured to check a data access request of a user for the measurement data.
  • the access management computer is configured to provide the specific cryptographic key to the storage computer upon approval of the data access request of the user for the measurement data.
  • a computer may in particular be understood as a data processing device, which comprises processing circuitry.
  • the computer can therefore in particular process data to perform computing operations. This may also include operations to perform indexed accesses to a data structure, for example a look-up table, LUT.
  • the computer may include one or more computers, one or more microcontrollers, and/or one or more integrated circuits, for example, one or more application-specific integrated circuits, ASIC, one or more field-programmable gate arrays, FPGA, and/or one or more systems on a chip, SoC.
  • the computer may also include one or more processors, for example one or more microprocessors, one or more central processing units, CPU, one or more graphics processing units, GPU, and/or one or more signal processors, in particular one or more digital signal processors, DSP.
  • the computer may also include a physical or a virtual cluster of computers or other of said units.
  • the computing unit includes one or more hardware and/or software interfaces and/or one or more memory units.
  • a memory unit may be implemented as a volatile data memory, for example a dynamic random access memory, DRAM, or a static random access memory, SRAM, or as a non-volatile data memory, for example a read-only memory, ROM, a programmable read-only memory, PROM, an erasable read-only memory, EPROM, an electrically erasable read-only memory, EEPROM, a flash memory or flash EEPROM, a ferroelectric random access memory, FRAM, a magnetoresistive random access memory, MRAM, or a phase-change random access memory, PCRAM.
  • the invention comprises a method to operate a central computer system.
  • a data access request of a user to access measurement data stored on a storage computer of the central computer system is checked by an access management computer of the central computer system.
  • the measurement data are encrypted by a specific cryptographic key.
  • the specific cryptographic key is provided to the storage computer by the access management computer upon approval of the data access request of the user for the measurement data.
  • the measurement data are decrypted by the storage computer by means of the specific cryptographic key.
  • the decrypted measurement data are provided by the storage computer at an output interface of the storage computer to the user.
  • FIG. 1 shows a schematic illustration of an embodiment of the central computer system.
  • the central computer system 1 may comprise a storage computer 5 configured to store measurement data 4 provided by a fleet of vehicles 2 during one or more measurement campaigns.
  • the measurement data 4 of a specific measurement campaign may be encrypted by means of a specific cryptographic key 3.
  • the specific cryptographic key 3 may be designed as a symmetric or as an asymmetric key.
  • the storage computer 5 may be designed as a single computer or as a cloud network.
  • the central computer system 1 may be configured to provide the measurement data 4 to authorized users 10 only, in order to allow an analysis of the measurement data 4.
  • the measurement data 4 may comprise elements that may be sensitive in terms of a privacy of the users of the vehicles of the fleet. It is therefore necessary to restrict access to the measurement data 4 to authorized users 10 and to exclude unauthorized users 11 from access.
  • the central computer system 1 may comprise an access management computer 6, configured to store the specific cryptographic key 3 that may be necessary to decrypt the encrypted measurement data 4 stored on the storage computer 5 of the central computer system 1 .
  • the access management computer 6 may be a different computer device than the storage computer 5. Therefore, the specific cryptographic key 3 is stored on another device than the storage computer 5 storing the measurement data 4.
  • the access management computer 6 may be configured to run an Azure Active directory that offers a key vault and user 10 management to allow an access management.
  • the access management computer 6 may be configured to check a data access request 8 of a user 10 for the measurement data 4.
  • the access management computer 6 may check whether an access to the measurement data 4 according to the data access request 8 is allowed.
  • the data access request 8 may comprise a cryptographic certificate 9, which may comprise an identity 12 of the user 10 and/or a role 13 description of the user 10.
  • the cryptographic certificate 9 may comply with X.509 standard.
  • the access management computer 6 may be configured to check the validity of the cryptographic certificate 9 during the check of the data access request 8.
  • the access management computer 6 may check the role 13 description of the user 10 and/or the identity 12 of the user 10 in order to verify whether the user 10 or the role 13 of the user 10 is allowed to access the measurement data 4.
  • the access management computer 6 may approve the data access request 8.
  • the access management computer 6 may transmit the specific cryptographic key 3 to the storage computer 5 (S3).
  • the access management computer 6 may also transmit a token to the storage computer 5 and/or the user 10 to enable a login of the user 10 at an output interface 14 of the storage computer 5.
  • the token may enable a login at the output interface 14 by means of the cryptographic certificate 9 provided in the data access request 8.
  • the storage computer 5 may be configured to receive the specific cryptographic key 3 from the access management computer 6 and to decrypt the measurement data 4 by means of the specific cryptographic key 3 (S4).
  • the decrypted measurement data 7 may be stored in a non-permanent memory of the storage computer 5.
  • the encrypted measurement data 4 may remain encrypted in a permanent memory of the storage computer 5.
  • the decrypted measurement data 7 may be provided by the storage computer 5 at the output interface 14 of the storage computer 5 (S5).
  • the decrypted measurement data 7 may be provided inside a sandbox environment at the output interface 14.
  • the sandbox environment may be designed as a virtual machine that may be accessed by the user 10 in order to read the decrypted measurement data 7.
  • the user may log in at the output interface 14 by means of his cryptographic certificate 9.
  • the sandbox environment may be configured as a container environment or a virtual machine, wherein an export of the decrypted measurement data 7 out of the sandbox environment may be restricted.
  • the applications PCT/EP2021/081967 and PCT/EP2021/081966 describe steps of a data collection campaign until the measurement data are transferred to a trustworthy end point (e.g. data scientist), but it is not clarified in detail, how the access to the measurement data is handled.
  • the cryptographic key can be given to one or more data scientists and handled like a symmetric group key.
  • Symmetric group keys always carry the risk of an untrustworthy entity in the group. Instead of giving one symmetric key to every data scientist, the symmetric key stays at one location; users are authorized at this location (e.g. based on access certificates), and the location decrypts the data with the symmetric key depending on the result of the user access check.

Abstract

The invention is concerned with a central computer system (1), configured to provide measurement data (4), wherein the central computer system (1) comprises a storage computer (5), configured to store the measurement data (4), wherein the measurement data (4) are encrypted by a specific cryptographic key (3), an access management computer (6), configured to store the specific cryptographic key (3), wherein the access management computer (6) is configured to check a data access request (8) of a user (10) for the measurement data (4). The access management computer (6) is configured to provide the specific cryptographic key (3) to the storage computer (5) upon approval of the data access request (8). The storage computer (5) is configured to decrypt the measurement data (4) by means of the specific cryptographic key (3), and to provide the decrypted measurement data (7) at an output interface (1) to the user (10).

Description

Central computer system, storage computer, access management computer and method to operate a central computer system
DESCRIPTION:
The invention is concerned with a central computer system, a storage computer, an access management computer and a method to operate a central computer system.
In order to improve vehicles, it is necessary to collect measurement data provided by vehicles in the field. The measurement data may be used to find errors occurring during the operation of the vehicles. A necessary amount of measurement data cannot be provided solely by the collection of measurement data provided by special test vehicles, used by test drivers of a manufacturer. Therefore, it is necessary to collect measurement data provided by vehicles of customers. The collection of measurement data is performed during measurement campaigns, wherein predefined measurement data are recorded by the vehicles. The measurement data are transmitted to a central system of the manufacturer.
A measurement campaign using motor vehicles is described in DE 10 2017 206 073 A1. The measurement data is collected centrally in a mass data storage, from where it can then be made available for analysis. Nowadays, such a mass data storage is preferably not provided by the same central computer system that also controls the measurement campaign, but is rented, for example, from a service provider as a so-called cloud storage. However, this can result in this service provider gaining insight into measurement data, which could allow undesired conclusions to be drawn about motor vehicle-related or even personal data. It is known from EP 3 148 152 A1 that control units of motor vehicles can be equipped with a cryptographic master key that can be used for communication of the respective control unit with a stationary central computer system. The measurement data from different measurement campaigns can be encrypted with respective vehicle-specific keys or with a master key that applies to all motor vehicles and then stored in a mass data storage. However, when this mass data storage is accessed, the measurement data from each measurement campaign can then be decrypted, so that a campaign operator of a single measurement campaign may have access to more measurement data than he is entitled to according to the measurement campaign he initiated.
In order to protect the measurement data on the central systems, it is common to encrypt the measurement data with a cryptographic key. The key may be campaign specific. The key may be distributed among authorized users to allow an access to the measurement data. The use of encrypted data may restrict access to the measurement data. However, if a user shares or loses his key, users without an authorization may decrypt the measurement data. If a user decrypts the measurement data, the decrypted data are not protected on the user's device.
WO 2014 / 092 890 A1 describes an encryption-based data access management. The encryption-based data access management may include a variety of processes. A device may transmit a user authentication request for decrypting encrypted data to a data storage server storing the encrypted data. The computing device may then receive a validation token associated with the user's authentication request, the validation token indicating that the user is authenticated to a domain. Subsequently, the computing device may transmit the validation token to a first key server, different from the data storage server. Then, in response to transmitting the validation token, the computing device may receive, from the first key server, a key required for decrypting the encrypted data. The device may then decrypt at least a portion of the encrypted data using the key. As the key is provided to the computing device, the key may be exported by the user. Therefore, it is possible for the authorized user to pass the key to unauthorized users, who can thus gain unauthorized access to the encrypted data.
It is an object of the invention to limit an access to measurement data to authorized users.
The object is accomplished by the subject matter of the independent claims. Advantageous developments with convenient and non-trivial further embodiments of the invention are specified in the following description, the dependent claims and the figures.
The invention comprises a central computer system configured to provide measurement data. The measurement data may be provided to the central computer system by a fleet of vehicles. The fleet of vehicles may have collected the measurement data in a measurement campaign. The measurement data may comprise operational data of the vehicle’s engine. To allow an analysis of the measurement data, the measurement data may be provided to authorized users by the central computer system. In other words, the central computer system is configured to provide an access to the measurement data to authorized users. The central computer system comprises a storage computer configured to store the measurement data. The storage computer may be designed as a server or a server network. The measurement data may be stored on a hard disc of the storage computer. The measurement data are encrypted by a specific cryptographic key. In other words, it is necessary to decrypt the measurement data by means of the specific cryptographic key in order to access the measurement data. The central computer system comprises an access management computer configured to store the specific cryptographic key wherein the access management computer is configured to check a data access request of a user for the measurement data. In other words, the specific cryptographic key that is needed to decrypt the measurement data on the storage computer is saved in the access management computer. The access management computer is configured to receive the data access request of the user. The data access request may be designed as a message sent from a computer of the user to the access management computer via Ethernet. The message may comprise a request to access the measurement data on the storage computer.
The access management computer is configured to verify whether the data access request of the user is valid. The access management computer is configured to provide the specific cryptographic key to the storage computer upon approval of the data access request of the user for the measurement data. In other words, the access management computer is configured to verify whether the access to the measurement data, as requested in the data access request, is allowed. The access management computer is configured to send the specific cryptographic key to the storage computer in case the data access as requested is allowed, to allow a decryption of the measurement data. The storage computer is configured to decrypt the measurement data by means of the specific cryptographic key and to provide the decrypted measurement data at an output interface to the user. In other words, the storage computer is configured to receive the cryptographic key and to use the received cryptographic key to decrypt the encrypted data. The decrypted measurement data are provided by the storage computer at an output interface of the storage computer.
The invention has the advantage that the cryptographic key is stored on the access management computer and provided to the storage computer to decrypt the measurement data. Therefore, the cryptographic key does not leave the central computer system.
The invention also comprises embodiments that provide features which afford additional technical advantages.
According to a further embodiment of the invention, the data access request of the user comprises a cryptographic certificate. In other words, the data access request of the user comprises a file to allow an authentication at the access management computer. The cryptographic certificate may be a digital signature, signing a content of the data access request. The cryptographic certificate may comply with RSA, DSA and other cryptographic signature standards known from the state of the art. The check of the data access request comprises a check of a validity of the cryptographic certificate. In other words, the access management computer is configured to verify the validity of the cryptographic certificate during the check of the data access request. The approval of the data access request requires a validity of the cryptographic certificate. In other words, the access management computer is configured to approve the data access request only if the cryptographic certificate is valid. The validity may require a successful check of the cryptographic certificate, a time validity of a key used for the cryptographic certificate and a non-revoked state of the key used for the cryptographic certificate.
According to a further embodiment of the invention, the cryptographic certificate comprises an identity of the user. In other words, the cryptographic certificate is linked to the identity of the user. In other words, the cryptographic certificate allows an authentication of the identity of the user by the access management computer. The check of the data access request comprises a check of an access authorization of the identity to the measurement data. In other words, the access management computer is configured to check the identity's authorization to access the measurement data when checking the data access request. As an example, a database describing identity access rights to the measurement data may be stored in the access management computer. The access management computer is configured to read the database to verify that the identity is authorized for the requested access to the measurement data. The approval of the data access request requires a valid access authorization of the identity to the measurement data. The access management computer is configured to authorize access to the measurement data only if the identity is authorized to access the requested measurement data.
According to a further embodiment of the invention, the cryptographic certificate comprises a role description of the user. In other words, the cryptographic certificate describes a role or the user's membership in a user group associated with the requested measurement data. The role may depend on the privileges of the user related to the measurement data. For example, the role may include an administrator status that states that the user has the right to describe, read, and execute the measurement data without restriction. The role may include a default status that states that the user has the right to read and execute the measurement data without restriction. The role can include a restricted status, which means that the user has the right to read and execute only a part of the measurement data without restriction. The approval of the data access request requires a valid access authorization of the role description to the measurement data. In other words, the access management computer is configured to grant the requested access to the requested measurement data only if a scope of the request is covered by the role privileges of the user's role.
According to a further embodiment of the invention, the cryptographic certificate complies with the X.509 standard. In other words, the cryptographic certificate is an end-entity certificate according to the X.509 standard. The cryptographic certificate may be digitally signed by means of a certificate of an authority. The embodiment has the advantage of enabling centralized user access management according to a common standard. This means that access management can be carried out by a company's existing systems.
According to a further embodiment of the invention, the specific cryptographic key is designed as a symmetric key. In other words, the decryption and encryption of the measurement data are performed by using the same key. Examples of symmetric encryption methods comprise 3DES (Triple Data Encryption Standard) or AES (Advanced Encryption Standard). The use of a symmetric encryption method has the advantage that no runtime losses are caused by the computational complexity of the encryption method, as would be the case with asymmetric encryption methods.
According to a further embodiment of the invention, the specific cryptographic key is designed as an asymmetric key. In other words, at least a part of the encrypted data are encrypted by means of an asymmetric key. The cryptographic key may be designed as a key-pair, wherein the key-pair comprises a private key, configured to encrypt at least the part of the data and a public key configured to decrypt at least the part of the measurement data. Asymmetric encryption methods may comprise ECC (Elliptic-Curve Cryptography) or RSA (Rivest-Shamir-Adleman). The cryptographic key may be configured to decrypt a part of the measurement data comprising a symmetric key, wherein the measurement data are encrypted by the symmetric key. This method is known as hybrid encryption using a key encapsulation mechanism (KEM).
According to a further embodiment of the invention, the decrypted measurement data are provided at the output interface inside a sandbox environment of the storage computer. In other words, the decrypted measurement data are provided in a sandbox environment that can be accessed by the user via the output interface of the storage computer. The measurement data may be provided in the sandbox environment after decryption. The sandbox environment may be configured as a container environment or a virtual machine, wherein an export of the measurement data out of the sandbox environment may be restricted. As an example, the user may analyze the measurement data inside the environment using programs inside the sandbox environment. An export of the measurement data outside the sandbox environment may be restricted. For example, it may be blocked to process the measurement data outside the environment or to export the measurement data from the environment to another device. The embodiment has the advantage that the data can only be accessed via the computer, and unauthorized disclosure of the data after decryption may be prevented.
The invention comprises a storage computer of a central computer system, configured to store the measurement data, wherein the measurement data are encrypted by a specific cryptographic key. The storage computer is configured to receive the specific cryptographic key and to decrypt the measurement data by means of the specific cryptographic key, and to provide the decrypted measurement data at an output interface to the user. The invention comprises an access management computer of a central computer system. The access management computer of the central computer system is configured to store a specific cryptographic key to decrypt measurement data stored on a storage computer. The access management computer is configured to check a data access request of a user for the measurement data. The access management computer is configured to provide the specific cryptographic key to the storage computer upon approval of the data access request of the user for the measurement data.
A computer may in particular be understood as a data processing device which comprises processing circuitry. The computer can therefore in particular process data to perform computing operations. This may also include operations to perform indexed accesses to a data structure, for example a look-up table, LUT.
In particular, the computer may include one or more computers, one or more microcontrollers, and/or one or more integrated circuits, for example, one or more application-specific integrated circuits, ASIC, one or more field-programmable gate arrays, FPGA, and/or one or more systems on a chip, SoC. The computer may also include one or more processors, for example one or more microprocessors, one or more central processing units, CPU, one or more graphics processing units, GPU, and/or one or more signal processors, in particular one or more digital signal processors, DSP. The computer may also include a physical or a virtual cluster of computers or other of said units. In various embodiments, the computing unit includes one or more hardware and/or software interfaces and/or one or more memory units.
A memory unit may be implemented as a volatile data memory, for example a dynamic random access memory, DRAM, or a static random access memory, SRAM, or as a non-volatile data memory, for example a read-only memory, ROM, a programmable read-only memory, PROM, an erasable read-only memory, EPROM, an electrically erasable read-only memory, EEPROM, a flash memory or flash EEPROM, a ferroelectric random access memory, FRAM, a magnetoresistive random access memory, MRAM, or a phase-change random access memory, PCRAM.
The invention comprises a method to operate a central computer system. In a first step of the method a data access request of a user to access measurement data stored on a storage computer of the central computer system, is checked by an access management computer of the central computer system. The measurement data are encrypted by a specific cryptographic key. In a second step the specific cryptographic key is provided to the storage computer by the access management computer upon approval of the data access request of the user for the measurement data. In a third step, the measurement data are decrypted by the storage computer by means of the specific cryptographic key. In a fourth step, the decrypted measurement data are provided by the storage computer at an output interface of the storage computer to the user.
In the following, an exemplary implementation of the invention is described. The only figure, Fig., shows a schematic illustration of an embodiment of the central computer system.
The embodiment explained in the following is a preferred embodiment of the invention. However, in the embodiment, the described components of the embodiment each represent individual features of the invention which are to be considered independently of each other and which each develop the invention also independently of each other and thereby are also to be regarded as a component of the invention in individual manner or in another than the shown combination. Furthermore, the described embodiment can also be supplemented by further features of the invention already described.
In the figure, identical reference signs indicate elements that provide the same function. Fig. shows a central computer system. The central computer system 1 may comprise a storage computer 5 configured to store measurement data 4 provided by a fleet of vehicles 2 during one or more measurement campaigns. The measurement data 4 of a specific measurement campaign may be encrypted by means of a specific cryptographic key 3. The cryptographic key 3 may be designed as a symmetric or as an asymmetric cryptographic key 3. In order to access the measurement data 4, which may comprise a reading, an execution or a changing of the measurement data 4, it may be necessary to use the specific cryptographic key 3 for decryption of the measurement data 4. The storage computer 5 may be designed as a single computer or as a cloud network. The central computer system 1 may be configured to provide the measurement data 4 to authorized users 10 only, in order to allow an analysis of the measurement data 4. The measurement data 4 may comprise elements that may be sensitive in terms of the privacy of the users of the vehicles of the fleet. It is therefore necessary to restrict access to the measurement data 4 to authorized users 10 and to exclude unauthorized users 11 from access.
To provide a data access management, the central computer system 1 may comprise an access management computer 6, configured to store the specific cryptographic key 3 that may be necessary to decrypt the encrypted measurement data 4 stored on the storage computer 5 of the central computer system 1. The access management computer 6 may be another computer device than the storage computer 5. Therefore, the specific cryptographic key 3 is stored on another device which is different from the storage computer 5 storing the measurement data 4. The access management computer 6 may be configured to run an Azure Active Directory that offers a key vault and user 10 management to allow an access management. The access management computer 6 may be configured to check a data access request 8 of a user 10 for the measurement data 4. In other words, in order to access the measurement data 4 stored on the storage computer 5 of the central computer system 1, it is necessary to send a data access request 8 to access the measurement data 4 to the access management computer 6 (S1). The access management computer 6 may check whether an access to the measurement data 4 according to the data access request 8 is allowed (S2). The data access request 8 may comprise a cryptographic certificate 9, which may comprise an identity 12 of the user 10 and/or a role 13 description of the user 10. The cryptographic certificate 9 may comply with the X.509 standard. The access management computer 6 may be configured to check the validity of the cryptographic certificate 9 during the check of the data access request 8.
When the cryptographic certificate 9 is valid, the access management computer 6 may check the role 13 description of the user 10 and/or the identity 12 of the user 10 in order to verify whether the user 10 or the role 13 of the user 10 is allowed to access the measurement data 4. When the role 13 of the user 10 or the identity 12 of the user 10 is authorized to access the measurement data 4, the access management computer 6 may approve the data access request 8. Upon approval of the data access request 8, the access management computer 6 may transmit the specific cryptographic key 3 to the storage computer 5 (S3). The access management computer 6 may also transmit a token to the storage computer 5 and/or the user 10 to enable a login of the user 10 at an output interface 14 of the storage computer 5. As an example, the token may enable a login at the output interface 14 by means of the cryptographic certificate 9 provided in the data access request 8.
The storage computer 5 may be configured to receive the specific cryptographic key 3 from the access management computer 6 and to decrypt the measurement data 4 by means of the specific cryptographic key 3 (S4). The decrypted measurement data 7 may be stored in a non-permanent memory of the storage computer 5. The encrypted measurement data 4 may remain encrypted in a permanent memory of the storage computer 5. The decrypted measurement data 7 may be provided by the storage computer 5 at the output interface 14 of the storage computer 5 (S5). The decrypted measurement data 7 may be provided inside a sandbox environment at the output interface 14. The sandbox environment may be designed as a virtual machine that may be accessed by the user 10 in order to read the decrypted measurement data 7. The user 10 may log in at the output interface 14 by means of the cryptographic certificate 9. The sandbox environment may be configured as a container environment or a virtual machine, wherein an export of the decrypted measurement data 7 out of the sandbox environment may be restricted.
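The flow S1 to S5 above, modelled end to end in Python as an added example (not code from the patent or from CARIAD): the access management computer checks signature, validity window and revocation of the certificate 9, then the authorization of identity 12 or role 13 for the campaign, and only on approval hands the campaign key 3 to the storage computer 5, which decrypts into a per-user sandbox. The X.509 signature is stood in for by an HMAC under a constructed CA key, the campaign cipher by a SHA-256 counter keystream standing in for AES, and all identities, serials, timestamps and measurement data are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass

CA_KEY = b"constructed-ca-signing-key"   # stand-in for the CA's signing key


@dataclass(frozen=True)
class Certificate:
    """Stand-in for the X.509 certificate 9 carrying identity 12 and role 13."""
    identity: str
    role: str             # "admin", "default" or "restricted"
    not_before: int       # constructed validity window (integer timestamps)
    not_after: int
    serial: int
    signature: bytes = b""

    def signed_body(self) -> bytes:
        return repr((self.identity, self.role, self.not_before,
                     self.not_after, self.serial)).encode()


def issue_certificate(identity, role, not_before, not_after, serial):
    """Issue a certificate; an HMAC under CA_KEY stands in for the CA signature."""
    body = Certificate(identity, role, not_before, not_after, serial).signed_body()
    sig = hmac.new(CA_KEY, body, hashlib.sha256).digest()
    return Certificate(identity, role, not_before, not_after, serial, sig)


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy counter-mode stream cipher standing in for AES; same call encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


class StorageComputer:
    """Storage computer 5: ciphertext at rest, plaintext only in a per-user sandbox."""
    def __init__(self, encrypted_campaigns):
        self._permanent = dict(encrypted_campaigns)   # stays encrypted
        self._sandbox = {}                            # non-permanent memory

    def receive_key(self, campaign, key, identity):
        # S4: decrypt only into the sandbox of the approved user.
        self._sandbox[(identity, campaign)] = keystream_xor(key, self._permanent[campaign])

    def output_interface(self, identity, campaign):
        # S5: what the user can read; None if no key was released for them.
        return self._sandbox.get((identity, campaign))


class AccessManagementComputer:
    """Access management computer 6: holds campaign keys 3 and checks requests 8."""
    def __init__(self, campaign_keys, authorizations, revoked_serials):
        self._keys = dict(campaign_keys)         # campaign -> symmetric key
        self._authz = dict(authorizations)       # campaign -> allowed identities/roles
        self._revoked = set(revoked_serials)

    def check_request(self, cert, campaign, now):
        # S2: certificate validity (signature, time window, revocation) ...
        expected = hmac.new(CA_KEY, cert.signed_body(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, cert.signature):
            return "denied: certificate signature invalid"
        if not cert.not_before <= now <= cert.not_after:
            return "denied: certificate outside validity period"
        if cert.serial in self._revoked:
            return "denied: certificate revoked"
        # ... then authorization of the identity or the role for this campaign.
        allowed = self._authz.get(campaign, set())
        if cert.identity not in allowed and cert.role not in allowed:
            return "denied: identity and role not authorized for campaign"
        return "approved"

    def handle_request(self, cert, campaign, now, storage):
        # S1/S3: on approval the key goes to the storage computer, never to the user.
        verdict = self.check_request(cert, campaign, now)
        if verdict == "approved":
            storage.receive_key(campaign, self._keys[campaign], cert.identity)
        return verdict


def run_scenario():
    """Constructed scenario: one campaign, five requests; returns verdicts and views."""
    key, plaintext = b"constructed-campaign-7-key", b"engine_rpm=2100;coolant_temp_c=88"
    storage = StorageComputer({"campaign-7": keystream_xor(key, plaintext)})
    amc = AccessManagementComputer({"campaign-7": key},
                                   {"campaign-7": {"alice@example", "default"}}, [42])
    alice = issue_certificate("alice@example", "restricted", 100, 200, 1)
    carol = issue_certificate("carol@example", "default", 100, 200, 2)
    mallory = issue_certificate("mallory@example", "default", 100, 200, 42)
    forged = Certificate("eve@example", "admin", 100, 200, 3, alice.signature)
    return {
        "alice_by_identity": amc.handle_request(alice, "campaign-7", 150, storage),
        "carol_by_role": amc.handle_request(carol, "campaign-7", 150, storage),
        "mallory_revoked": amc.handle_request(mallory, "campaign-7", 150, storage),
        "eve_forged": amc.handle_request(forged, "campaign-7", 150, storage),
        "alice_expired": amc.handle_request(alice, "campaign-7", 300, storage),
        "alice_view": storage.output_interface("alice@example", "campaign-7"),
        "eve_view": storage.output_interface("eve@example", "campaign-7"),
    }
```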
For several different use cases it is mandatory in future to collect data from vehicles - not only from development vehicles, but also from customer vehicles - and process them in a backend system. Use cases can be: data driven development, legally required monitoring, market research, scientific research, anomaly detection, etc. Backend systems are nowadays often outsourced to third parties (cloud providers), where the IT (security) is not completely under the control of our enterprise. Therefore, a system is needed to protect the privacy of individuals whose data will be processed, from the source (vehicle) to the sink (e.g. data scientist).
The applications PCT/EP2021/081967 and PCT/EP2021/081966 describe steps of a data collection campaign until the measurement data are transferred to a trustworthy end point (e.g. data scientist), but it is not clarified in detail how the access to the measurement data is handled. One possibility is that the cryptographic key can be given to one or more data scientists and handled like a symmetric group key. Symmetric group keys always have the disadvantage of a risk of untrustworthy entities in the group. Instead of giving one symmetric key to every data scientist, the symmetric key will stay at one location; users authorize themselves to this location (e.g. based on access certificates), and the location decrypts the data with the symmetric key based on the result of the user access check.
Applications PCT/EP2021/081967 and PCT/EP2021/081966 already describe two ways of encrypting data with a campaign specific key. The central computer system adds a user management on top which allows granting access for several authorized users (e.g. data scientists) to one or several specific campaigns. Instead of sharing the decryption key with all of the users, the users authorize themselves to a user-management system (e.g. Active Directory) which holds the campaign specific key and can grant access to decrypted data. Overall, the example shows how an access management to measurement data is provided by the invention.

Claims
1. Central computer system (1), configured to provide measurement data (4), wherein the central computer system (1) comprises a storage computer (5), configured to store the measurement data (4), wherein the measurement data (4) are encrypted by a specific cryptographic key (3), an access management computer (6), configured to store the specific cryptographic key (3), wherein the access management computer (6) is configured to check a data access request (8) of a user (10) for the measurement data (4), characterized in that the access management computer (6) is configured to provide the specific cryptographic key (3) to the storage computer (5) upon approval of the data access request (8) of the user (10) for the measurement data (4), the storage computer (5) is configured to decrypt the measurement data (4) by means of the specific cryptographic key (3), and to provide the decrypted measurement data (7) at an output interface (1) to the user (10).
2. Central computer system (1) according to claim 1, characterized in that the data access request (8) of the user (10) comprises a cryptographic certificate (9), the check of the data access request (8) comprises a check of a validity of the cryptographic certificate (9), and the approval of the data access request (8) requires a validity of the cryptographic certificate (9).
3. Central computer system (1) according to claim 2, characterized in that the cryptographic certificate (9) comprises an identity (12) of the user (10), the check of the data access request (8) comprises a check of an access authorization of the identity (12) to the measurement data (4), and the approval of the data access request (8) requires a valid access authorization of the identity (12) to the measurement data (4).
4. Central computer system (1) according to claim 2 or 3, characterized in that the cryptographic certificate (9) comprises a role (13) description of the user (10), the check of the data access request (8) comprises a check of an access authorization of the role (13) description to the measurement data (4), and the approval of the data access request (8) requires a valid access authorization of the role (13) description to the measurement data (4).
5. Central computer system (1) according to one of the claims 2 to 4, characterized in that the cryptographic certificate (9) complies with the X.509 standard.
6. Central computer system (1) according to one of the preceding claims, characterized in that the specific cryptographic key (3) is designed as a symmetric key.
7. Central computer system (1) according to one of the claims 1 to 5, characterized in that the specific cryptographic key (3) is designed as an asymmetric key.
8. Central computer system (1) according to one of the preceding claims, characterized in that the decrypted measurement data (7) are provided at the output interface (1) inside a sandbox environment of the storage computer (5).
9. Storage computer (5) of a central computer system (1), configured to store the measurement data (4), wherein the measurement data (4) are encrypted by a specific cryptographic key (3), characterized in that the storage computer (5) is configured to receive the specific cryptographic key (3) and to decrypt the measurement data (4) by means of the specific cryptographic key (3), and to provide the decrypted measurement data (7) at an output interface (1) to the user (10).
10. Access management computer (6) of a central computer system (1), configured to store a specific cryptographic key (3) to decrypt measurement data (4), stored on a storage computer (5), wherein the access management computer (6) is configured to check a data access request (8) of a user (10) for the measurement data (4), characterized in that the access management computer (6) is configured to provide the specific cryptographic key (3) to the storage computer (5) upon approval of the data access request (8) of the user (10) for the measurement data (4).
11. Method to operate a central computer system (1), wherein a data access request (8) of a user (10) to access measurement data (4) stored on a storage computer (5) of the central computer system (1), is checked by an access management computer (6) of the central computer system (1), wherein the measurement data (4) are encrypted by a specific cryptographic key (3), the specific cryptographic key (3) is provided to the storage computer (5) by the access management computer (6) upon approval of the data access request (8) of the user (10) for the measurement data (4), the measurement data (4) are decrypted by the storage computer (5) by means of the specific cryptographic key (3), and the decrypted measurement data (7) are provided by the storage computer (5) at an output interface (1) of the storage computer (5) to the user (10).
PCT/EP2022/054156 2022-02-18 2022-02-18 Central computer system, storage computer, access management computer and method to operate a central computer system WO2023156005A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/EP2022/054156 WO2023156005A1 (en) 2022-02-18 2022-02-18 Central computer system, storage computer, access management computer and method to operate a central computer system

Publications (1)

Publication Number Publication Date
WO2023156005A1 true WO2023156005A1 (en) 2023-08-24

Family

ID=80928790

Country Status (1)

Country Link
WO (1) WO2023156005A1 (en)

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20120297189A1 (en) * 2011-05-18 2012-11-22 Citrix Systems, Inc. Systems and Methods for Secure Handling of Data
US20140164774A1 (en) * 2012-12-12 2014-06-12 Citrix Systems, Inc. Encryption-Based Data Access Management
WO2014092890A1 (en) 2012-12-12 2014-06-19 Citrix Systems, Inc. Encryption-based data access management
EP3148152A1 (en) 2015-09-22 2017-03-29 BAE Systems PLC Cryptographic key distribution
DE102017206073A1 (en) 2017-04-10 2018-10-11 Audi Ag Method for collecting data


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 22711879

Country of ref document: EP

Kind code of ref document: A1

WWE Wipo information: entry into national phase

Ref document number: 2022711879

Country of ref document: EP

ENP Entry into the national phase

Ref document number: 2022711879

Country of ref document: EP

Effective date: 20240808