METHOD FOR TRANSMITTING INFORMATION

Abstract

A method for transmitting information between a data processing system external to the vehicle and systems using the information in a vehicle employs integrity protection and/or encryption mechanisms. The integrity and/or encryption mechanisms are used with different levels of protection, wherein the level of protection is selected and/or adjusted based on the information or a classification of the information, the provided use of the information, the state of the vehicle, the surroundings of the vehicle, the origin of the information, the protection goal, and/or the resource consumption.

Claims

1-10. (canceled)

11. A method, comprising: selecting integrity protection or encryption mechanisms for transmitting information between a data processing system external to a vehicle and systems using the information in the vehicle; and transmitting the information using the selected integrity protection or encryption mechanisms, wherein the integrity protection or encryption mechanisms are selected from a plurality of integrity protection and encryption mechanisms having different levels of protection, and wherein the integrity protection or encryption mechanisms are selected for transmitting the information based on at least one of the information or a classification of the information; a provided use of the information; a state of the vehicle; surroundings of the vehicle; an origin of the information; a protection goal for the information; and a resource consumption of the integrity protection or encryption mechanisms.

12. The method of claim 11, wherein the plurality of integrity protection or encryption mechanisms are categorized as providing a low, medium and high level of protection and no level of protection, wherein the high level of protection provides more protection than the medium level of protection, and the medium level of protection provides more protection than the low level of protection.

13. The method of claim 12, wherein integrity protection or encryption mechanisms categorized as providing the high level of protection are selected for information relating to assistance functions of the vehicle.

14. The method of claim 11, wherein the systems in the vehicle discard all information having a level of protection that is lower than a level of protection selected for the information.

15. The method of claim 14, wherein a transmission from the vehicle to the data processing system external to the vehicle is performed via the discarded information.

16. The method of claim 11, wherein classifications of the information are predetermined by an information provider, which are considered when selecting or adjusting the level of protection.

17. The method of claim 11, wherein the surroundings of the vehicle are recorded via surroundings sensors of the vehicle and at a greater spatial distance based on the transmitted information.

18. The method of claim 17, wherein events beyond immediate surroundings of the vehicle are evaluated in terms of an influence of the events on the level of protection based on spatial or temporal distance of the vehicle relative to the event.

19. The method of claim 11, wherein levels of protection used for transmitting the information are stored in the data processing system and are evaluated at least in terms of occurrence of a temporal or spatial classification to improve the adaptation and allocation.

20. The method of claim 11, wherein the transmitted information contains at least one piece of information of a traffic service provider.

Description

BRIEF DESCRIPTION OF THE DRAWING FIGURES

[0022] Here are shown:

[0023] FIG. 1 a schematic scenario with a vehicle and a data processing system external to the vehicle, which is here depicted by way of example as a Cloud; and

[0024] FIG. 2 a schematic depiction of exemplary procedures for setting the level of protection (SN) in the data processing system external to the vehicle.

DETAILED DESCRIPTION

[0025] In the depiction of FIG. 1, a vehicle 1 can be seen in an exemplary depiction, in which vehicle different systems 2 are present that use information originating from a data processing system 5 external to the vehicle and depicted here by way of example as a Cloud via a receiver 3 and a communication connection 4. In practice, it is such that a blanket securing of the communication connection 4, as is usual with the Internet, for example via TLS (previously SSL), is typically not sufficient. Instead, the information must be secured via an end-to-end securing of the source of the information up to the system 2 in the vehicle 1 as a kind of “end consumer” of the information. Now it is known, in principle, that various integrity protection and/or encryption mechanisms are available for such securing. These are available with different levels of protection. In this context, differently strong security mechanisms with which the information is correspondingly protected are also discussed. Along with the different technical effort which cause these different levels of protection, they are also differently performant and use different amounts of resources of their terminal devices. Furthermore, it is such that they use different resources in the communication due to the different length of the transmitted messages and thus burden the communication connection 4 to different degrees which, on one hand, can limit their bandwidth and, on the other hand, is associated with the corresponding costs for the transmission of the respective information.

[0026] However, it is often such that different information is present with different levels of significance for the systems 2 in the vehicle 1. With dynamic information services such as, for example, a traffic service, notifications, and information are always present with different significance for the respective vehicle 1 or a system 2 in the vehicle 1, for example a navigation system. These can be present, for example, based on the so-called three-phase traffic theory, which Professor Boris Kerner established, with different degrees of significance. These can be notifications about free traffic, so-called synchronized traffic or a wide moving traffic jam. The free traffic is here defined in such a way that drivers of vehicles can extensively freely choose their speed. In congested traffic, this is no longer possible. In synchronized traffic, a movement extensively free of standstill, yet typically with a speed slower than the desired speed, nevertheless emerges. In a wide moving traffic jam, there are also individual stationary phases. All this can be seen in the corresponding publications and documents relating to the three-phase theory and is only of explanatory significance here.

[0027] In order to now be able to ensure such information, for example, that the information about the traffic flow or also a lot of different information, for example about construction sites, blockages, wrong-way drivers, dangerous locations, or similar, can be sufficiently protected with the protection requirement reasonable for them and, nevertheless, can be transmitted in a manner processed to save resources, a corresponding assessment is not undertaken. This prevents, on one hand, the resource consumption getting too great because unimportant information is provided with too high a level of protection, while it is, however, prevented that correspondingly critical messages are provided with too weak security mechanisms and thus would be correspondingly easy to read and, in particular, to tamper with.

[0028] Three integrity protection and/or encryption mechanisms with a low, medium, and high level of protection are again taken as a starting point by way of example below, for which reference can be made to the examples of the symmetrical integrity protection already described above and the asymmetrical integrity protection with keys of different lengths. Here, these examples are only to be understood by way of example and in a non-limiting manner.

[0029] In the depiction of FIG. 2, the central data processing system 5 formed, for example, as a Cloud and external to the vehicle is depicted again. Different information accrues to this from one or more information service providers, which come from traffic service providers, for example. This information accruing to the data processing system 5 is indicated, purely by way of example, by the arrows labeled with the reference numerals 6, 7 and 8. The information 6, 7, 8 reaches an input module 9 of the data processing system 5. There, they are combined with each other, for example, if this is necessary, and correspondingly filtered. They are further provided with corresponding parameters, which emerge either from the information, the source of the information, the potential use of the information in the vehicle 1 or also from data of the vehicle 1. Here, the vehicle 1 is in bidirectional contact with the data processing system 5 via the communication system 4, such that information coming from the vehicle can be passed along as needed to the input module via an evaluation module 10. The data reaches an indicated evaluation unit via the input module 9, in which evaluation unit it is evaluated corresponding to one of more parameters in order to establish a suitable level of protection (SN) depending on traffic phase, notification or use, with which level of projection the processing and transmission of the data via the communication connection 4 is to be carried out from the data processing system 5 to the vehicle 1 or its systems 2. As already explained above, the levels of protection are here divided into a low, a medium, and a high level of protection.

[0030] If, for example, a traffic service provider signals free traffic for the route planned via a navigation system as one of the systems 2 of the vehicle 1, then this information is not to be estimated as particularly high in terms of need for protection, since even in the event of tampering with this information, a security risk can hardly be expected. The request as to whether protection is necessary at all can thus be answered with no for such a situation, such that the information is transmitted without further mechanisms for encryption and/or for integrity protection via the communication connection 4 to the vehicle 1. Such a traffic phase of the free traffic can then be correspondingly depicted in a navigation system, for example, of the vehicle by a suitable notification, for example green coloring.

[0031] A further example would be a piece of information about a traffic phase of the synchronized traffic, which could be displayed in the vehicle with a yellow color, analogously to the statements just made. Since it has a certain influence on the arrival time and the route choice, a low level of protection, for example, can be provided with this information. The question as to whether protection is necessary would accordingly be answered with yes. The question as to whether a low level of protection is sufficient is also answered with yes. A low level of protection is then assigned to the information and, when transmitting the information via the communication path 4 from the central data processing system 5 to the vehicle 1 or its systems 2, this is correspondingly applied, for example by a symmetrical integrity protection being used with a quick hash value and common symmetrical key.

[0032] A further example would be the traffic phase of a wide moving traffic jam. Analogously to the statements already made, this could be visualized in the vehicle 1, for example via the color red. In any case, it influences the arrival time and route selection and serves as an active warning for a driver of the vehicle or for corresponding systems inside the vehicle. Accordingly, a medium level of protection would be assigned to it, i.e., for example an asymmetrical integrity protection with a short key. Thus, following the flow diagram in FIG. 2, here the question as to whether a low level of protection is sufficient would also be answered with no. Thus, a medium level of protection would, however, be sufficient, such that this is correspondingly assigned.

[0033] If such a medium level of protection is also not sufficient, which applies, in particular, for notifications and information which lead to adjusting an assistance function in the vehicle, i.e., for example when a traffic jam notification on the route can trigger a braking intervention, these would accordingly be provided with a high level of protection. Something comparable applies to information, for example, about wrong-way drivers or direct dangerous locations, such as people in the driving lane, for example, stone-throwing demonstrators on a bridge or similar. In this case, in FIG. 2 corresponding to the selection, the question as to whether a medium level of protection is sufficient would be answered with no, such that, in this case, a high level of protection is assigned and is correspondingly used for the processing and the transmission of the data via the communication path 4.

[0034] Here, a temporally-spatially delimited level of protection can be predetermined for the information, such that only the vehicles in the surroundings of, for example, 10 kilometers or a driving time of 5 minutes or less are warned of a traffic jam or a wrong-way driver, for example. The limits can here be classified, for example, by means of the events and/or by means of the position of the vehicle and/or their planned route. Furthermore, it is such that additions that can be obtained by the information providers, for example a traffic service provider, in addition to the actual information, can also be used. This can be, in particular, danger levels, which classify traffic notifications, for example, into different levels of danger. Thus, wrong-way drivers or warning notifications are categorized more highly as urgent notifications than, for example, a declaration about a traffic jam or stop-go traffic. This can also be used, in addition to many other factors, to influence how the level of protection is adjusted for the corresponding piece of information when transmitting.

[0035] Furthermore, all notifications, which are merged as information 6, 7, 8 in the central data processing system 5, can be classified in terms of the origin of the information or notification. Thus, for example, a particular level of protection cannot be set for user-generated notifications or correspondingly higher levels of protection can be implemented for notifications from particularly trustworthy communication sources.

[0036] The protection targets, i.e., what is to be ensured by the protection, can be correspondingly adapted in order to adjust the level of protection. If the information is thus to be integral, if its authenticity, its trustworthiness, its non-repudiation, or similar can be established, then this can correspondingly influence the level of protection. Of course, the information itself or its planned use can also be influenced. Moreover, a state of the vehicle, for example whether it is in a stable or unstable driving situation, can correspondingly be taken into consideration in order to adjust the level of protection for transmitting the information. Something comparable applies to the surroundings of the vehicle, which can be recorded in the direct surroundings by the vehicle or its surroundings sensors itself, or which could be ascertained from data from other vehicles and/or traffic data.

[0037] A further possibility is now the vehicle 1 or its receiving module 3 or one of its systems 2 being protected itself by all encrypted notifications signaled not corresponding to the expected specifications, i.e., all notifications that do not correspond to the expected level of protection, being discarded. In the evaluation module 10, a communication to the data processing system 5 external to the vehicle enables a statistical evaluation in the evaluation module 10, the evaluation being able to recognize potential tampering with information in the greater scope, for example in good time, and thus enabling countermeasures.

[0038] A further possibility of using the evaluation module 10 is, for example, an evaluation being carried out across all levels of protection used, which can be correspondingly stored and evaluated for all vehicles. Here, this can be analyzed, in particular, according to temporal-spatial accumulation points for the corresponding level of protection, in particular with the goal of correspondingly improving the adjustment and allocation of the level of protection and thus being able to better get by with the resources present both in the vehicle 1 and in the communication path 4 and, ultimately, also in the region of the central data processing system 5, for example of a backend server of the vehicle manufacturer.

[0039] Although the invention has been illustrated and described in detail by way of preferred embodiments, the invention is not limited by the examples disclosed, and other variations can be derived from these by the person skilled in the art without leaving the scope of the invention. It is therefore clear that there is a plurality of possible variations. It is also clear that embodiments stated by way of example are only really examples that are not to be seen as limiting the scope, application possibilities or configuration of the invention in any way. In fact, the preceding description and the description of the figures enable the person skilled in the art to implement the exemplary embodiments in concrete manner, wherein, with the knowledge of the disclosed inventive concept, the person skilled in the art is able to undertake various changes, for example, with regard to the functioning or arrangement of individual elements stated in an exemplary embodiment without leaving the scope of the invention, which is defined by the claims and their legal equivalents, such as further explanations in the description.

TABLE-US-00001 FIG. 2/3 Schutz erforderlich? Protection required? ja yes nein no leichtes SN ausreichend? low level of protection sufficient? mittleres SN ausreichend? medium level of protection sufficient? SN = leicht level of protection = low SN = mittel level of protection = medium SN = hoch level of protection = high