Method for encrypted communication in an ad-hoc network

Abstract

A method in a network having a plurality of network nodes comprises the following steps performed in a first node of the network: receiving an initiation message from a second node of the network, the received initiation message comprising a public key of the second node; determining at least one of a proximity or velocity measure of the second node; checking whether the at least one determined measure is below a threshold and, when so, emitting a reply message comprising an encrypted part and an encryption key encrypted with the received public key from the second node; and repeatedly emitting status messages, wherein at least a part of each emitted status message is encrypted with the encryption key.

Claims

1. A method for encrypted communication in an ad-hoc network having a plurality of network nodes, comprising the following steps performed in a first node of the network: receiving an initiation message from a second node of the network, the received initiation message comprising a public key of said second node, the public key being a part of an asymmetric encryption scheme such that only the second node can decrypt messages encrypted with said public key of the second node; determining at least one of a proximity or velocity measure of said second node in relation to the first node; checking whether the at least one determined measure is below a threshold; when the at least one determined measure is below the threshold, emitting a reply message comprising an encrypted part and an encryption key encrypted with the received public key from said second node; and repeatedly emitting status messages, wherein at least a part of each emitted status message is encrypted with the encryption key.

2. The method according to claim 1, wherein the first node is an onboard unit carried by a travelling vehicle.

3. The method according to claim 1, wherein the initiation message and the status message have the same format and the reply message has the same format as the status message with an additional concatenated container comprising the encryption key.

4. The method according to claim 1, wherein the initiation and status messages comprise Cooperative Awareness Messages, CAM, as defined in the standard ETSI EN 302 637.

5. The method according to claim 1, wherein the initiation and status messages comprise Decentralized Environmental Notification Messages, DENM, as defined in the standard ETSI EN 302 637.

6. The method according to claim 1, wherein the encrypted part of the emitted reply and status messages comprise Cooperative Awareness, CA, or Cooperative Adaptive Cruise Control, CACC, messages.

7. The method according to claim 1, wherein the proximity measure is determined by means of measuring the signal strength of the received initiation message.

8. The method according to claim 1, wherein the proximity measure is determined by means of reading a positional information from an unencrypted part of the received initiation message.

9. The method according to claim 1, wherein the velocity measure is determined by means of calculating a difference of proximity measures determined from two received initiation messages.

10. The method according to claim 1, wherein the velocity measure is determined by means of reading a velocity information from an unencrypted part of the received initiation message.

11. The method according to claim 1, wherein the reply message comprising the encryption key is only emitted if it can be determined from the received initiation message that the second node supports a predetermined standard.

12. The method according to claim 1, wherein the encryption key is generated before emitting said reply message comprising the encrypted part.

13. The method according to claim 1, wherein the encryption key is received from another node.

14. A node for an ad-hoc network in which encrypted communication is performed, which node is configured to perform the method according to claim 1.

15. The node according to claim 14, which node is configured to perform the method according to claim 4.

16. The node according to claim 14, which node is configured to perform the method according to claim 5.

17. The node according to claim 14, which node is configured to perform the method according to claim 7.

18. The node according to claim 14, which node is configured to perform the method according to claim 8.

19. The node according to claim 14, which node is configured to perform the method according to claim 9.

20. The node according to claim 14, which node is configured to perform the method according to claim 10.

21. An ad-hoc network comprising a first node and a second node, each configured to perform the method according to claim 1, wherein that one of the nodes that first receives the initiation message comprising the public key of the other node is configured to initiate the method according to claim 1.

Description

BRIEF DESCRIPTION OF THE DRAWINGS/FIGURES

(1) The disclosed subject matter shall now be explained in more detail below on the basis of exemplary embodiments thereof with reference to the accompanying drawings, in which:

(2) FIG. 1 shows a schematic top view of a road, on which a plurality of vehicles carrying onboard units (nodes) travel;

(3) FIG. 2a shows a first variant of the format of a status message, initiation message, and reply message, respectively;

(4) FIG. 2b shows a second variant of the format of a status message, initiation message, and reply message, respectively;

(5) FIG. 3 shows a method for encrypted communication according to the state of the art in a sequence diagram; and

(6) FIG. 4 shows the method of the present disclosure for encrypted communication in a sequence diagram.

DETAILED DESCRIPTION

(7) FIG. 1 shows an ad-hoc network 1 with a plurality of network nodes N.sub.1, N.sub.2, . . . , generally which communicate via radio-frequency communications 2 with each other. In the shown example, the nodes N.sub.i are embodied as onboard units carried by travelling vehicles (nodes N.sub.1-N.sub.9) and by a roadside communication terminal (node N.sub.10). The shown ad-hoc network 1 could, however, also be used for other applications, for example in which the nodes N.sub.i are telecommunication terminals carried by ships, drones, or humans.

(8) The vehicles carrying nodes N.sub.i travel on a roadway 3 with four lanes 4, on which the vehicles or network nodes N.sub.1-N.sub.9, respectively, each travel with a velocity in a certain direction, as is indicated by velocity vectors 5. In the shown example, the network node N.sub.10 is stationary. According to the spirit of the ad-hoc network 1, the radio-frequency-communications 2 are formed dynamically when a network node N.sub.i is in a communication range R with a respective other node N.sub.j (j≠i). In the present example, communications 2 are performed via WLAN, for example according to standard IEEE 802.11x. Other communication types, in particular short-range communications, can be employed too, for example via Near Field Communication (NFC) or Dedicated Short-Range Communication (DSRC). Ad-hoc networks 1 of these types are known under different names such as vehicular ad-hoc networks (VANETs), car-to-car communications (car2car, C2C), vehicle-to-vehicle communications (V2V), or vehicle-to-infrastructure communications (V2X).

(9) As can be seen from FIG. 1, the nodes N.sub.1, N.sub.2, and N.sub.7 have approximately the same velocity vector 5 and can thus be considered to be “platooning” together in a group G, i.e., travel in a caravan for an extended amount of time. Such platooning vehicles should exchange data with each other that is different to data that is exchanged with passing vehicles (e.g., nodes N.sub.3, N.sub.4). The additional exchanged data serves to keep the nodes N.sub.1, N.sub.2, N.sub.7 in the group G at a constant speed, for example. However, due to privacy concerns, this additional data should not be accessible to all listening nodes N.sub.i such that this data is to be encrypted.

(10) FIGS. 2a and 2b show the format of “regular” messages emitted by the nodes N.sub.i in the ad-hoc network 1, hereinafter called status messages SM.

(11) In the embodiment of FIG. 2a, the status message SM comprises an unencrypted part 6 and a part 7 encrypted with an encryption key sym. The unencrypted part 6 here comprises an authorisation ticket (AT) as well as a Cooperative Awareness Message (CAM) or a Dedicated Environmental Notification Message (DENM). In more general embodiments, the unencrypted part 6 does not even have to be present in the status message SM at all.

(12) The authorisation ticket AT is issued by an authorisation authority (AA) and comprises, for example, an “anonymised identity” of the vehicle carrying the node N.sub.i. Furthermore, the AT comprises a public key pub-i of a node N.sub.i. The public key pub-i is a part of an asymmetric encryption scheme such that only the respective node N.sub.i can decrypt messages encrypted with said public key pub-i of the node which is done by means of a private key priv-i. Such asymmetric encryption scheme may be, e.g., based on the standard IEEE 1609.2 or ETSI TS 103 097. It should be highlighted that the notion of the AT is just one embodiment and the unencrypted part 6 could have any other format and content, e.g., comprise only the public key pub-i.

(13) The CAMs and DENMs are defined in ETSI EN 302 637-2 and usually comprise data of the vehicle, especially a current GNSS (Global Navigation Satellite System) fix of the vehicle carrying the node N.sub.i and a current velocity derived from such GNSS fixes.

(14) The encrypted part 7 comprises sensitive subject matter, for example an identity of the vehicle carrying the node N.sub.i such as a license plate number, a corporate affiliation, or the like. For example, the encrypted part 7 can comprise a Cooperative Adaptive Cruise Control (CACC) message as defined in ETSI TR 103 299.

(15) The encryption key sym, with which the part 7 is encrypted, is a symmetric Advanced Encryption Standard (AES) key, but can also be any other encryption key known in the art, e.g., an RSA or ECIES key. Symmetric keys have the advantage that they can be used for encryption as well as decryption of a file encrypted with the same symmetric key.

(16) FIG. 2b shows a different format of the status message SM. Again, the Authorisation Ticket AT is present in the unencrypted part 6, but here the encrypted part 7 comprises the CAM or DENM in addition to the CACC message. It is, however, also entirely feasible that the encrypted part 7 only contains one of a CAM, DENM, CACC message, or other private data.

(17) FIG. 3 shows a flow of messages according to the state of the art between a first node N.sub.1, a second node N.sub.2, and an arbitrary node N.sub.i. In the beginning (step 8), the first node N.sub.1 broadcasts status messages SM as described above for FIGS. 2a and 2b. These messages are received by the second node N.sub.2 and any other node which at this point do not know the encryption key sym, for which reason the communication path is depicted with a dashed line. Alternatively, one or more of the other nodes N.sub.i could already possess the encryption key sym and decrypt the encrypted part 7, as explained further below.

(18) Because the second node N.sub.2 is interested in the content of the encrypted part 7, it sends a service announcement SAM to the first node N.sub.1 (step 9), which it has identified by means of the content of the unencrypted part 6 of the status message SM. The first node N.sub.1 receives the service announcement message SAM and evaluates the service announcement message SAM by checking whether the second node N.sub.2 is authorised for communication, for example if a valid authorization can be found in the service announcement message SAM. If this is the case, the first node N.sub.1 replies with a response SAM-resp to the service announcement message SAM (step 10). This response SAM-resp may contain the encryption key sym or a link thereto such that the second node N.sub.2 can decrypt each container encrypted with the encryption key sym in the following communications. This service announcement message SAM together with the response resp-SAM thereto is called a handshake HS and serves to register the second node N.sub.2 with the first node N.sub.1.

(19) Thereafter (step 11), the first node N.sub.1 continues to broadcast status messages SM having an unencrypted part 6 and an encrypted part 7, which can now be decrypted by the second node N.sub.2 as it is in possession of the encryption key sym (hence the solid line for the bottom right communications in FIG. 3). The other nodes not having received the encryption key sym from the first node N.sub.1, still cannot decrypt the encrypted part 7 and are thus excluded from this part of the communication (hence the dashed lines for the bottom left communications in FIG. 3).

(20) FIG. 4 shows the flow of messages according to the disclosed subject matter between a first node N.sub.1, a second node N.sub.2, and an arbitrary node N.sub.i. In the beginning (step 12), again the first node N.sub.1 repeatedly emits status messages SM according to FIG. 2a or 2b. However, this is not mandatory as the first node N.sub.1 could also only start emitting status messages SM after having received an initiation message IM from the second node N.sub.2, as will be explained later on.

(21) At some point the second node N.sub.2 itself emits a message (step 13), hereinafter called initiation message IM, may it be in response to receiving a status message SM from the first node N.sub.1 or due to an independent event at the second node N.sub.2. The initiation message IM comprises at least a public key pub-2 of the second node N.sub.2. As mentioned above for the public key pub-1 of the first node N.sub.1, the public key pub-2 of the second node N.sub.2 is part of an asymmetric encryption scheme such that only the second node N.sub.2 can encrypt messages encrypted with the public key pub-2 of the second node N.sub.2, which is done by means of a private key priv-2 of the second node N.sub.2. Again, this asymmetric encryption scheme may be, e.g., based on the standard IEEE 1609.2 or ETSI TS 103 097.

(22) Upon receiving the initiation message IM, the first node N.sub.1 determines in a process 14 at least one of a proximity measure PM and a velocity measure VM of said second node N.sub.2 in relation to the first node N.sub.1 (step 15). The proximity measure PM is a measure of how far the second node N.sub.2 is located away from the first node N.sub.1. This can be achieved in a couple of ways, two of which will be detailed in the following.

(23) Firstly, the signal strength (RSSI, Received Signal Strength Indication) of the received initiation message IM can be measured. The received signal strength is a direct measure of the distance of the second node N.sub.2 to the first node N.sub.1. Measurement is usually performed directly by a transceiver of the node N.sub.1.

(24) Secondly, a positional information can be read out from an unencrypted part 6 of the received initiation message IM. If the Common Awareness Message CAM is in the unencrypted part 6 of the initiation message IM, a GNSS fix stored therein can be used as the positional information. In this case, the proximity measure PM can be determined by calculating the difference of an own GNSS fix of the first node N.sub.1 and the read-out positional information of the second node N.sub.2.

(25) If the proximity measure PM is determined in more than one way, a plurality of proximity measures PM can be used to calculate a more accurate proximity measure PM (e.g., by averaging) or to verify one thereof.

(26) The velocity measure VM can also be determined in a number of ways, three of which will be detailed in the following.

(27) Firstly, a difference of proximity measures PM determined from two received initiation messages IM can be calculated. Together with a time difference between reception of said initiation messages IM, the velocity measure VM can be determined therefrom.

(28) Secondly, the received signal strength RSS of initiation messages IM can be determined and thereafter the velocity measure VM is determined therefrom.

(29) Thirdly, the velocity measure VM can be determined by reading a velocity information from the unencrypted part 6 of the received initiation message IM. For example, if the Common Awareness Message CAM is not encrypted, the velocity measure VM can be read out therefrom.

(30) The velocity measure VM may be either in terms of a scalar indicating the speed of the node N.sub.2 or in terms of a vector indicating the speed and heading of the node N.sub.2. The indication of speed and optionally heading may be given either absolutely or relatively to the node N.sub.1.

(31) Again, velocity measures VM determined in different ways can be used to calculate a more accurate velocity measure VM or to verify one thereof.

(32) In addition to determining the proximity and/or velocity measures PM, VM, other factors can be considered, too. For example, as an additional factor it can be determined whether a node N.sub.i supports a certain standard or not. To this end, in the unencrypted part 6 of the initiation message IM there can be an indication of the standards supported by the respective node N.sub.i.

(33) As has been outlined above, in many cases only specific types of messages are encrypted, for example CAM or CACC. If it is determined that the second node N.sub.2 does not support any of those standards, the second node N.sub.2 is not considered trustworthy for two reasons: Firstly, the second node N.sub.2 is unwilling to share the same information with the first node N.sub.1 and secondly it could mean that the second node N.sub.2 had not been authorised by a third party to use said standard.

(34) Determining the proximity and/or velocity measure PM, VM serves to determine whether the second node N.sub.2 is trustworthy without actually receiving a service announcement message SAM. Returning to the example of FIG. 1, it can be seen that the velocity vectors 5 of the first node N.sub.1, the second node N.sub.2, and the seventh node N.sub.7 are approximately the same. Therefore, it can be assumed that these nodes N.sub.1, N.sub.2, and N.sub.7 are all part of a group G, i.e., they are “platooning”. Therefore, these nodes N.sub.1, N.sub.2, and N.sub.7 should trust each other to exchange CACC messages.

(35) From the viewpoint of the first node N.sub.1, the nodes N.sub.2, N.sub.4, N.sub.5, N.sub.6 and N.sub.10 are in a communication distance with the first node N.sub.1. However, for the first node N.sub.1 only the second node N.sub.2 should be classified as a trusted communication partner since the other nodes are either too far away (N.sub.8, N.sub.9) or have different velocities (N.sub.3, N.sub.4, N.sub.5, N.sub.6, N.sub.8, N.sub.9, N.sub.10), such that they are not platooning together. On the other hand, while node N.sub.7 could be trusted because of the same velocity, it is outside of the communication range R of the first node N.sub.1.

(36) To analytically determine which node N.sub.i the first node N.sub.1 should trust, the first node N.sub.1 checks whether the determined measure/s PM and/or VM is/are below a threshold TH (step 16). This threshold TH can be pre-set to a predetermined value to set the “range of trust”. The threshold TH can also be application specific, e.g., for CACC applications the proximity measure PM should be in a predetermined range and the velocity measure VM (its absolute value in case of a vectorial VM) should be zero or close to zero. For collision avoidance applications the proximity measure PM should be in a predetermined range and the velocity measure VM should be “negative”, i.e., should indicate that the nodes N.sub.1 and N.sub.2 are moving towards each other with a speed of approach exceeding a predetermined critical value.

(37) If the velocity measure VM is a vector, the threshold TM may be a scalar compared to the length of that vector. Alternatively, if the velocity measure VM is a vector, the threshold VM can also take into account the angle of divergence of the heading of the node N.sub.2 from the heading of the node N.sub.1.

(38) If the determined measure/s PM and/or VM is/are below the threshold TH, i.e., the node N.sub.2 is trusted, the first node N.sub.1 emits a reply message RM comprising at least the encrypted part 7 and the encryption key sym encrypted with the received public key pub-2 from said second node N.sub.2 (step 17). This serves two purposes: Firstly, in a process 18 the second node N.sub.2 can now retrieve the encryption key sym by applying its private key priv-2 onto the encryption key encrypted with the public key pub-2, such that it possesses the encryption key sym (step 19). Thereafter, the second node N.sub.2 can retrieve the content of the encrypted part 7 of the reply message RM (step 20). Secondly, all other nodes N.sub.i receiving the reply message RM can decrypt the container 7 if they already have the encryption key sym. Other nodes N.sub.i that do not have the encryption key sym can only access the unencrypted part 6 of the reply message RM.

(39) From now on (steps 21), the first node N.sub.1 repeatedly emits status messages SM, of which at least a part is encrypted with the encryption key sym. As the second node N.sub.2 is now in possession of the encryption key sym, it can decrypt each encrypted part 7 of a received status message SM (steps 22).

(40) In theory, initiation message IM, reply message RM and status message SM can have different formats, for example the initiation message IM could only comprise a public key pub-2, the reply message RM could only comprise the encrypted part 7 and the encryption key sym encrypted with the public key pub-2 from the second node N.sub.2, and the status messages SM could only comprise the encrypted part 7. Usually, however, all communications 2 in the ad-hoc network 1 are of the approximately same format, meaning the initiation message IM and the status message SM have the same format, for example have an unencrypted part 6 and an encrypted part 7 as shown in FIGS. 2a, 2b. The reply message RM also has the same format as the status message SM but with an additional concatenated container 23 comprising the encryption key sym (see also FIGS. 2a and 2b). This ensures that each message sent within the ad-hoc message 1 comprises at least an unencrypted part 6 and an encrypted part 7 to achieve uniform communication.

(41) Depending on whether the second node N.sub.2 is the initial node that starts communication with the first node N.sub.1, the first node N.sub.1 may already repeatedly emit status messages SM or not (step 12). As status messages SM are usually emitted at a certain rate, the reply message RM can be just one of those status messages SM but with the additional container 23 comprising the encryption key sym. Thereby, the periodicity of status messages SM is not interrupted (one of the status messages SM being the reply message RM).

(42) The encryption key sym can be generated by the first node N.sub.1 itself or the first node N.sub.1 can receive the encryption key sym from another node N.sub.i. If the first node N.sub.1 generates the encryption key sym itself, this is usually done when the second node N.sub.2 is the first trusted node that seeks communication with the first node N.sub.1. In this case, the encryption key sym is generated usually directly before emitting said reply message RM comprising the encrypted part 7. If the first node N.sub.1 has, on the other hand, received the encryption key from another node this means that the first node N.sub.1 and the other node N.sub.i are already platooning together and “add” the second node N.sub.2 for platooning. This can be important in cases in which the second node N.sub.2 and the other node N.sub.i are too far apart to directly communicate but are still part of the same trusted group G, as can be seen in FIG. 1 for the nodes N.sub.1 and N.sub.7.

(43) In case both the first node N.sub.1 and the second node N.sub.2 support the method described above for FIG. 4, the one of the nodes N.sub.1, N.sub.2 that first receives the initiation message IM comprising the public key pub-1, pub-2 of the other node N.sub.1, N.sub.2 is configured to initiate the method by determining the proximity measure PM and/or velocity measure VM and so forth to avoid two encryption keys sym being used in parallel. By means of this, also two groups G of platooning vehicles can be merged.

CONCLUSION

(44) The disclosed subject matter is not restricted to the specific embodiments described in detail herein, but encompasses all variants, combinations, and modifications thereof that fall within the framework of the appended claims.