
Title:
CENTRAL COMPUTER SYSTEM, STORAGE COMPUTER, ACCESS MANAGEMENT COMPUTER AND METHOD TO OPERATE A CENTRAL COMPUTER SYSTEM
Document Type and Number:
WIPO Patent Application WO/2023/156005
Kind Code:
A1
Abstract:
The invention is concerned with a central computer system (1), configured to provide measurement data (4), wherein the central computer system (1) comprises a storage computer (5), configured to store the measurement data (4), wherein the measurement data (4) are encrypted by a specific cryptographic key (3), an access management computer (6), configured to store the specific cryptographic key (3), wherein the access management computer (6) is configured to check a data access request (8) of a user (10) for the measurement data (4). The access management computer (6) is configured to provide the specific cryptographic key (3) to the storage computer (5) upon approval of the data access request (8). The storage computer (5) is configured to decrypt the measurement data (4) by means of the specific cryptographic key (3), and to provide the decrypted measurement data (7) at an output interface (1) to the user (10).

Inventors:
SCHIMMEL OLIVER (DE)
Application Number:
PCT/EP2022/054156
Publication Date:
August 24, 2023
Filing Date:
February 18, 2022
Assignee:
CARIAD SE (DE)
International Classes:
H04L9/40; G06F21/62
Domestic Patent References:
WO2014092890A1 (2014-06-19)
Foreign References:
US20120297189A1 (2012-11-22)
US20140164774A1 (2014-06-12)
DE102017206073A1 (2018-10-11)
EP3148152A1 (2017-03-29)
EP2021081967W (2021-11-17)
EP2021081966W (2021-11-17)
Attorney, Agent or Firm:
HOFSTETTER, SCHURACK & PARTNER PATENT- UND RECHTSANWALTSKANZLEI, PARTG MBB (DE)
Claims:
CLAIMS:

1. Central computer system (1), configured to provide measurement data (4), wherein the central computer system (1) comprises a storage computer (5), configured to store the measurement data (4), wherein the measurement data (4) are encrypted by a specific cryptographic key (3), an access management computer (6), configured to store the specific cryptographic key (3), wherein the access management computer (6) is configured to check a data access request (8) of a user (10) for the measurement data (4), characterized in that the access management computer (6) is configured to provide the specific cryptographic key (3) to the storage computer (5) upon approval of the data access request (8) of the user (10) for the measurement data (4), the storage computer (5) is configured to decrypt the measurement data (4) by means of the specific cryptographic key (3), and to provide the decrypted measurement data (7) at an output interface (1) to the user (10).

2. Central computer system (1) according to claim 1, characterized in that the data access request (8) of the user (10) comprises a cryptographic certificate (9), the check of the data access request (8) comprises a check of a validity of the cryptographic certificate (9), and the approval of the data access request (8) requires a validity of the cryptographic certificate (9).

3. Central computer system (1) according to claim 2, characterized in that the cryptographic certificate (9) comprises an identity (12) of the user (10), the check of the data access request (8) comprises a check of an access authorization of the identity (12) to the measurement data (4), and the approval of the data access request (8) requires a valid access authorization of the identity (12) to the measurement data (4).

4. Central computer system (1) according to claim 2 or 3, characterized in that the cryptographic certificate (9) comprises a role (13) description of the user (10), the check of the data access request (8) comprises a check of an access authorization of the role (13) description to the measurement data (4), and the approval of the data access request (8) requires a valid access authorization of the role (13) description to the measurement data (4).

5. Central computer system (1) according to one of the claims 2 to 4, characterized in that the cryptographic certificate (9) complies with X.509-standard.

6. Central computer system (1) according to one of the preceding claims, characterized in that the specific cryptographic key (3) is designed as a symmetric key.

7. Central computer system (1) according to one of the claims 1 to 5, characterized in that the specific cryptographic key (3) is designed as an asymmetric key.

8. Central computer system (1) according to one of the preceding claims, characterized in that the decrypted measurement data (7) are provided at the output interface (1) inside a sandbox environment of the storage computer (5).

9. Storage computer (5) of a central computer system (1), configured to store the measurement data (4), wherein the measurement data (4) are encrypted by a specific cryptographic key (3), characterized in that the storage computer (5) is configured to receive the specific cryptographic key (3) and to decrypt the measurement data (4) by means of the specific cryptographic key (3), and to provide the decrypted measurement data (7) at an output interface (1) to the user (10).

10. Access management computer (6) of a central computer system (1), configured to store a specific cryptographic key (3) to decrypt measurement data (4), stored on a storage computer (5), wherein the access management computer (6) is configured to check a data access request (8) of a user (10) for the measurement data (4), characterized in that the access management computer (6) is configured to provide the specific cryptographic key (3) to the storage computer (5) upon approval of the data access request (8) of the user (10) for the measurement data (4).

11. Method to operate a central computer system (1), wherein a data access request (8) of a user (10) to access measurement data (4) stored on a storage computer (5) of the central computer system (1) is checked by an access management computer (6) of the central computer system (1), wherein the measurement data (4) are encrypted by a specific cryptographic key (3), the specific cryptographic key (3) is provided to the storage computer (5) by the access management computer (6) upon approval of the data access request (8) of the user (10) for the measurement data (4), the measurement data (4) are decrypted by the storage computer (5) by means of the specific cryptographic key (3), and the decrypted measurement data (7) are provided by the storage computer (5) at an output interface (1) of the storage computer (5) to the user (10).

Description:
Central computer system, storage computer, access management computer and method to operate a central computer system

DESCRIPTION:

The invention is concerned with a central computer system, a storage computer, an access management computer and a method to operate a central computer system.

In order to improve vehicles, it is necessary to collect measurement data provided by vehicles in the field. The measurement data may be used to find errors occurring during the operation of the vehicles. The necessary amount of measurement data cannot be provided solely by collecting measurement data from special test vehicles used by test drivers of a manufacturer. Therefore, it is necessary to collect measurement data provided by vehicles of customers. The collection of measurement data is performed during measurement campaigns, wherein predefined measurement data are recorded by the vehicles. The measurement data are transmitted to a central system of the manufacturer.

A measurement campaign using motor vehicles is described in DE 10 2017 206 073 A1. The measurement data is collected centrally in a mass data storage, from where it can then be made available for analysis. Nowadays, such a mass data storage is preferably not provided by the same central computer system that also controls the measurement campaign, but is rented, for example, from a service provider as so-called cloud storage. However, this can result in the service provider gaining insight into the measurement data, which could allow undesired conclusions to be drawn about motor vehicle-related or even personal data. It is known from EP 3 148 152 A1 that control units of motor vehicles can be equipped with a cryptographic master key that can be used for communication of the respective control unit with a stationary central computer system. The measurement data from different measurement campaigns can be encrypted with respective vehicle-specific keys or with a master key that applies to all motor vehicles and then stored in a mass data storage. However, when this mass data storage is accessed, the measurement data from every measurement campaign can then be decrypted, so that a campaign operator of a single measurement campaign may have access to more measurement data than he is entitled to according to the measurement campaign he initiated.

In order to protect the measurement data on the central systems, it is common to encrypt the measurement data with a cryptographic key. The key may be campaign specific. The key may be distributed among authorized users to allow access to the measurement data. The use of encrypted data may restrict access to the measurement data. However, if a user shares or loses his key, users without authorization may decrypt the measurement data. If a user decrypts the measurement data, the decrypted data are not protected on the user's device.

WO 2014 / 092 890 A1 describes an encryption-based data access management. The encryption-based data access management may include a variety of processes. A device may transmit a user authentication request for decrypting encrypted data to a data storage server storing the encrypted data. The computing device may then receive a validation token associated with the user's authentication request, the validation token indicating that the user is authenticated to a domain. Subsequently, the computing device may transmit the validation token to a first key server, different from the data storage server. Then, in response to transmitting the validation token, the computing device may receive, from the first key server, a key required for decrypting the encrypted data. The device may then decrypt at least a portion of the encrypted data using the key. As the key is provided to the computing device, the key may be exported by the user. Therefore, it is possible for the authorized user to pass the key to unauthorized users, who can thus gain unauthorized access to the encrypted data.

It is an object of the invention to limit an access to measurement data to authorized users.

The object is accomplished by the subject matter of the independent claims. Advantageous developments with convenient and non-trivial further embodiments of the invention are specified in the following description, the dependent claims and the figures.

The invention comprises a central computer system configured to provide measurement data. The measurement data may be provided to the central computer system by a fleet of vehicles. The fleet of vehicles may have collected the measurement data in a measurement campaign. The measurement data may comprise operational data of the vehicle's engine. To allow an analysis of the measurement data, the measurement data may be provided to authorized users by the central computer system. In other words, the central computer system is configured to provide access to the measurement data to authorized users. The central computer system comprises a storage computer configured to store the measurement data. The storage computer may be designed as a server or a server network. The measurement data may be stored on a hard disk of the storage computer. The measurement data are encrypted by a specific cryptographic key. In other words, it is necessary to decrypt the measurement data by means of the specific cryptographic key in order to access the measurement data. The central computer system comprises an access management computer configured to store the specific cryptographic key, wherein the access management computer is configured to check a data access request of a user for the measurement data. In other words, the specific cryptographic key that is needed to decrypt the measurement data on the storage computer is saved in the access management computer. The access management computer is configured to receive the data access request of the user. The data access request may be designed as a message sent from a computer of the user to the access management computer via Ethernet. The message may comprise a request to access the measurement data on the storage computer.

The access management computer is configured to check whether the data access request of the user is valid. The access management computer is configured to provide the specific cryptographic key to the storage computer upon approval of the data access request of the user for the measurement data. In other words, the access management computer is configured to check whether the access to the measurement data, as requested in the data access request, is allowed. The access management computer is configured to send the specific cryptographic key to the storage computer in case the data access as requested is allowed, to allow a decryption of the measurement data. The storage computer is configured to decrypt the measurement data by means of the specific cryptographic key and to provide the decrypted measurement data at an output interface to the user. In other words, the storage computer is configured to receive the cryptographic key and to use the received cryptographic key to decrypt the encrypted data. The decrypted measurement data are provided by the storage computer at an output interface of the storage computer.

The invention has the advantage that the cryptographic key is stored on the access management computer and provided to the storage computer to decrypt the measurement data. Therefore, the cryptographic key does not leave the central computer system.

The invention also comprises embodiments that provide features which afford additional technical advantages.

According to a further embodiment of the invention, the data access request of the user comprises a cryptographic certificate. In other words, the data access request of the user comprises a file to allow an authentication at the access management computer. The cryptographic certificate may be a digital signature, signing a content of the data access request. The cryptographic certificate may comply with RSA, DSA and other cryptographic signature standards known from the state of the art. The check of the data access request comprises a check of a validity of the cryptographic certificate. In other words, the access management computer is configured to verify the validity of the cryptographic certificate during the check of the data access request. The approval of the data access request requires a validity of the cryptographic certificate. In other words, the access management computer is configured to approve the data access request only if the cryptographic certificate is valid. The validity may require a successful check of the cryptographic certificate, a time validity of the key used for the cryptographic certificate and a non-revoked state of the key used for the cryptographic certificate.

According to a further embodiment of the invention, the cryptographic certificate comprises an identity of the user. In other words, the cryptographic certificate is linked to the identity of the user and allows an authentication of the identity of the user by the access management computer. The check of the data access request comprises a check of an access authorization of the identity to the measurement data. In other words, the access management computer is configured to check the identity's authorization to access the measurement data when checking the data access request. As an example, a database describing identity access rights to the measurement data may be stored in the access management computer. The access management computer is configured to read the database to verify that the identity is authorized for the requested access to the measurement data. The approval of the data access request requires a valid access authorization of the identity to the measurement data. The access management computer is configured to authorize access to the measurement data only if the identity is authorized to access the requested measurement data.

According to a further embodiment of the invention, the cryptographic certificate comprises a role description of the user. In other words, the cryptographic certificate describes a role or the user's membership in a user group associated with the requested measurement data. The role may depend on the privileges of the user related to the measurement data. For example, the role may include an administrator status that states that the user has the right to describe, read, and execute the measurement data without restriction. The role may include a default status that states that the user has the right to read and execute the measurement data without restriction. The role can include a restricted status, which means that the user has the right to read and execute only a part of the measurement data without restriction. The approval of the data access request requires a valid access authorization of the role description to the measurement data. In other words, the access management computer is configured to grant the requested access to the requested measurement data only if a scope of the request is covered by the role privileges of the user's role.

According to a further embodiment of the invention, the cryptographic certificate complies with the X.509 standard. In other words, the cryptographic certificate is an end-entity certificate according to the X.509 standard. The cryptographic certificate may be digitally signed by means of a certificate of an authority. The embodiment has the advantage of enabling centralized user access management according to a common standard. This means that access management can be carried out by a company's existing systems.

According to a further embodiment of the invention, the specific cryptographic key is designed as a symmetric key. In other words, the decryption and encryption of the measurement data are performed using the same key. Examples of symmetric encryption methods comprise 3DES (Triple Data Encryption Standard) or AES (Advanced Encryption Standard). The use of a symmetric encryption method has the advantage that no runtime losses are caused by the computational complexity of the encryption method, as would be the case with asymmetric encryption methods.

According to a further embodiment of the invention, the specific cryptographic key is designed as an asymmetric key. In other words, at least a part of the encrypted data are encrypted by means of an asymmetric key. The cryptographic key may be designed as a key-pair, wherein the key-pair comprises a private key, configured to encrypt at least the part of the data and a public key configured to decrypt at least the part of the measurement data. Asymmetric encryption methods may comprise ECC (Elliptic-Curve Cryptography) or RSA (Rivest-Shamir-Adleman). The cryptographic key may be configured to decrypt a part of the measurement data comprising a symmetric key, wherein the measurement data are encrypted by the symmetric key. This method is known as hybrid encryption using a key encapsulation mechanism (KEM).

According to a further embodiment of the invention, the decrypted measurement data are provided at the output interface inside a sandbox environment of the storage computer. In other words, the decrypted measurement data are provided in a sandbox environment that can be accessed by the user via the output interface of the storage computer. The encrypted measurement data may be provided in the sandbox environment after decryption. The sandbox environment may be configured as a container environment or a virtual machine, wherein an export of the measurement data out of the sandbox environment may be restricted. As an example, the user may analyze the measurement data inside the environment using programs inside the sandbox environment. An export of the measurement data outside the sandbox environment may be restricted. For example, processing the measurement data outside the environment or exporting the measurement data from the environment to another device may be blocked. The embodiment has the advantage that the data can only be accessed via the computer, and unauthorized disclosure of the data after decryption may be prevented.

The invention comprises a storage computer of a central computer system, configured to store the measurement data, wherein the measurement data are encrypted by a specific cryptographic key. The storage computer is configured to receive the specific cryptographic key and to decrypt the measurement data by means of the specific cryptographic key, and to provide the decrypted measurement data at an output interface to the user. The invention comprises an access management computer of a central computer system. The access management computer of the central computer system is configured to store a specific cryptographic key to decrypt measurement data stored on a storage computer. The access management computer is configured to check a data access request of a user for the measurement data. The access management computer is configured to provide the specific cryptographic key to the storage computer upon approval of the data access request of the user for the measurement data.

A computer may in particular be understood as a data processing device, which comprises processing circuitry. The computer unit can therefore in particular process data to perform computing operations. This may also include operations to perform indexed accesses to a data structure, for example a look-up table, LUT.

In particular, the computer may include one or more computers, one or more microcontrollers, and/or one or more integrated circuits, for example, one or more application-specific integrated circuits, ASIC, one or more field-programmable gate arrays, FPGA, and/or one or more systems on a chip, SoC. The computer may also include one or more processors, for example one or more microprocessors, one or more central processing units, CPU, one or more graphics processing units, GPU, and/or one or more signal processors, in particular one or more digital signal processors, DSP. The computer may also include a physical or a virtual cluster of computers or other of said units. In various embodiments, the computing unit includes one or more hardware and/or software interfaces and/or one or more memory units.

A memory unit may be implemented as a volatile data memory, for example a dynamic random access memory, DRAM, or a static random access memory, SRAM, or as a non-volatile data memory, for example a read-only memory, ROM, a programmable read-only memory, PROM, an erasable read-only memory, EPROM, an electrically erasable read-only memory, EEPROM, a flash memory or flash EEPROM, a ferroelectric random access memory, FRAM, a magnetoresistive random access memory, MRAM, or a phase-change random access memory, PCRAM.

The invention comprises a method to operate a central computer system. In a first step of the method, a data access request of a user to access measurement data stored on a storage computer of the central computer system is checked by an access management computer of the central computer system. The measurement data are encrypted by a specific cryptographic key. In a second step, the specific cryptographic key is provided to the storage computer by the access management computer upon approval of the data access request of the user for the measurement data. In a third step, the measurement data are decrypted by the storage computer by means of the specific cryptographic key. In a fourth step, the decrypted measurement data are provided by the storage computer at an output interface of the storage computer to the user.

In the following, an exemplary implementation of the invention is described. The single figure, Fig., shows a schematic illustration of an embodiment of the central computer system.

The embodiment explained in the following is a preferred embodiment of the invention. However, in the embodiment, the described components of the embodiment each represent individual features of the invention which are to be considered independently of each other and which each develop the invention also independently of each other and thereby are also to be regarded as a component of the invention in individual manner or in another than the shown combination. Furthermore, the described embodiment can also be supplemented by further features of the invention already described.

In the figure, identical reference signs indicate elements that provide the same function. Fig. shows a central computer system. The central computer system 1 may comprise a storage computer 5 configured to store measurement data 4 provided by a fleet of vehicles 2 during one or more measurement campaigns. The measurement data 4 of a specific measurement campaign may be encrypted by means of a specific cryptographic key 3. The specific cryptographic key 3 may be designed as a symmetric or as an asymmetric key. In order to access the measurement data 4, which may comprise a reading, an execution or a changing of the measurement data 4, it may be necessary to use the specific cryptographic key 3 for decryption of the measurement data 4. The storage computer 5 may be designed as a single computer or as a cloud network. The central computer system 1 may be configured to provide the measurement data 4 to authorized users 10 only, in order to allow an analysis of the measurement data 4. The measurement data 4 may comprise elements that may be sensitive in terms of the privacy of the users of the vehicles of the fleet. It is therefore necessary to restrict access to the measurement data 4 to authorized users 10 and to exclude unauthorized users 11 from access.

To provide a data access management, the central computer system 1 may comprise an access management computer 6, configured to store the specific cryptographic key 3 that may be necessary to decrypt the encrypted measurement data 4 stored on the storage computer 5 of the central computer system 1. The access management computer 6 may be a computer device other than the central computer system 1. Therefore, the specific cryptographic key 3 is stored on another device, which is different from the storage computer 5 storing the measurement data 4. The access management computer 6 may be configured to run an Azure Active Directory that offers a key vault and user 10 management to allow an access management. The access management computer 6 may be configured to check a data access request 8 of a user 10 for the measurement data 4. In other words, in order to access the measurement data 4 stored on the storage computer 5 of the central computer system 1, it is necessary to send a data access request 8 to access the measurement data 4 to the access management computer 6 (S1). The access management computer 6 may check whether an access to the measurement data 4 according to the data access request 8 is allowed (S2). The data access request 8 may comprise a cryptographic certificate 9, which may comprise an identity 12 of the user 10 and/or a role 13 description of the user 10. The cryptographic certificate 9 may comply with the X.509 standard. The access management computer 6 may be configured to check the validity of the cryptographic certificate 9 during the check of the data access request 8.

When the cryptographic certificate 9 is valid, the access management computer 6 may check the role 13 description of the user 10 and/or the identity 12 of the user 10 in order to determine whether the user 10 or the role 13 of the user 10 is allowed to access the measurement data 4. When the role 13 of the user 10 or the identity 12 of the user 10 is authorized to access the measurement data 4, the access management computer 6 may approve the data access request 8. Upon approval of the data access request 8, the access management computer 6 may transmit the specific cryptographic key 3 to the storage computer 5 (S3). The access management computer 6 may also transmit a token to the storage computer 5 and/or the user 10 to enable a login of the user 10 at an output interface 14 of the storage computer 5. As an example, the token may enable a login at the output interface 14 by means of the cryptographic certificate 9 provided in the data access request 8.

The storage computer 5 may be configured to receive the specific cryptographic key 3 from the access management computer 6 and to decrypt the measurement data 4 by means of the specific cryptographic key 3 (S4). The decrypted measurement data 7 may be stored in a non-permanent memory of the storage computer 5. The encrypted measurement data 4 may remain encrypted in a permanent memory of the storage computer 5. The decrypted measurement data 7 may be provided by the storage computer 5 at the output interface 14 of the storage computer 5 (S5). The decrypted measurement data 7 may be provided inside a sandbox environment at the output interface 14. The sandbox environment may be designed as a virtual machine that may be accessed by the user 10 in order to read the decrypted measurement data 7. The user may log in at the output interface 14 by means of his cryptographic certificate 9. The sandbox environment may be configured as a container environment or a virtual machine, wherein an export of the decrypted measurement data 7 out of the sandbox environment may be restricted.
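The flow S1 to S5 above (certificate validity check, identity and role authorization, key release to the storage computer only, decryption into non-permanent memory and a sandboxed output interface) as an added, runnable simulation; this is not code from the patent or from the applicant's systems. It assumes a stand-in certificate structure in place of X.509, an HMAC-SHA256 keystream cipher in place of AES, and constructed campaign records, roles and users.

```python
import hashlib, hmac, json, os
from collections import namedtuple
from datetime import datetime, timedelta, timezone

# Stand-in symmetric cipher (HMAC-SHA256 keystream, encrypt-then-MAC). Constructed so the script
# needs only the standard library; a real deployment would use AES as the description names.
def _keystream(key, nonce, length):
    out, ctr = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, b"enc" + nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return bytes(out[:length])

def encrypt(key, plaintext):
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()

def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication tag mismatch")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

# Stand-in for the X.509 end-entity certificate (9): identity (12), role (13), validity period,
# a serial for revocation and the CA signature check result, assumed to be computed by the caller.
Certificate = namedtuple("Certificate",
                         "identity role serial not_before not_after signature_ok", defaults=(True,))
DataAccessRequest = namedtuple("DataAccessRequest", "certificate campaign operation")  # (8)

class Sandbox:                # view of the decrypted data (7) at the output interface (14)
    def __init__(self, records):
        self._records = records
    def read(self):
        return [dict(r) for r in self._records]
    def export(self):         # moving data out of the sandbox environment is blocked
        raise PermissionError("export out of the sandbox environment is blocked")

class StorageComputer:        # (5): ciphertext in permanent memory, keys only transiently
    def __init__(self, encrypted_campaigns):        # campaign -> encrypted measurement data (4)
        self._permanent, self._volatile_keys = dict(encrypted_campaigns), {}
    def receive_key(self, campaign, key):           # S3: key arrives from the access management computer
        self._volatile_keys[campaign] = key
    def open_session(self, campaign, scope):        # S4 decrypt, S5 expose inside the sandbox
        key = self._volatile_keys.pop(campaign)     # single use, never written to permanent memory
        records = json.loads(decrypt(key, self._permanent[campaign]))
        if scope == "part":                         # restricted role: part "A" of the data only
            records = [r for r in records if r["part"] == "A"]
        return Sandbox(records)

class AccessManagementComputer:   # (6): key vault plus identity and role management
    ROLE_PRIVILEGES = {"administrator": {"describe", "read", "execute"},
                       "default": {"read", "execute"},
                       "restricted": {"read", "execute"}}   # and only a part of the data
    def __init__(self):
        self._key_vault, self._rights, self._revoked, self.log = {}, {}, set(), []
    def register_campaign(self, campaign, key):
        self._key_vault[campaign] = key
    def grant(self, identity, campaign):
        self._rights.setdefault(identity, set()).add(campaign)
    def revoke(self, serial):
        self._revoked.add(serial)
    def check(self, req, now):                      # S2: returns the access scope or None
        c = req.certificate
        if not (c.signature_ok and c.not_before <= now <= c.not_after and c.serial not in self._revoked):
            return None                             # certificate invalid, expired or revoked
        if req.campaign not in self._rights.get(c.identity, set()):
            return None                             # identity not authorized for this campaign
        if req.operation not in self.ROLE_PRIVILEGES.get(c.role, set()):
            return None                             # role does not cover the requested operation
        return "part" if c.role == "restricted" else "full"
    def handle(self, req, storage, now):            # S1: the data access request is received here
        scope = self.check(req, now)
        self.log.append((req.certificate.identity, req.campaign, req.operation, scope))
        if scope is None:
            return None
        storage.receive_key(req.campaign, self._key_vault[req.campaign])  # key never reaches the user
        return storage.open_session(req.campaign, scope)

def run_demo():
    """Constructed scenario: one campaign key; a default, a restricted and an expired user."""
    now, year = datetime(2022, 2, 18, tzinfo=timezone.utc), timedelta(days=365)
    key = os.urandom(32)                                    # specific cryptographic key (3)
    records = [{"vehicle": "V1", "rpm": 2100, "part": "A"}, {"vehicle": "V2", "rpm": 3400, "part": "B"}]
    amc = AccessManagementComputer()
    amc.register_campaign("campaign-17", key)
    storage = StorageComputer({"campaign-17": encrypt(key, json.dumps(records).encode())})
    certs = {"alice": Certificate("alice", "default", 1, now - year, now + year),
             "bob": Certificate("bob", "restricted", 2, now - year, now + year),
             "eve": Certificate("eve", "administrator", 3, now - 2 * year, now - year)}
    for who in certs:
        amc.grant(who, "campaign-17")
    out = {who: amc.handle(DataAccessRequest(c, "campaign-17", "read"), storage, now)
           for who, c in certs.items()}
    out["alice_describe"] = amc.handle(DataAccessRequest(certs["alice"], "campaign-17", "describe"),
                                       storage, now)
    amc.revoke(1)                                           # alice's certificate is revoked later
    out["alice_revoked"] = amc.handle(DataAccessRequest(certs["alice"], "campaign-17", "read"),
                                      storage, now)
    return out
```

`run_demo()` returns a sandbox session for alice (full data) and bob (part "A" only) and `None` for the expired certificate, the operation outside the role's privileges and the revoked certificate; the decision log on the access management computer records every request and its outcome.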

For several different use cases it is mandatory in the future to collect data from vehicles, not only from development vehicles but also from customer vehicles, and to process them in a backend system. Use cases can be: data driven development, legally required monitoring, market research, scientific research, anomaly detection, etc. Backend systems are nowadays often outsourced to third parties (cloud providers), where the IT (security) is not completely under the control of our enterprise. Therefore, a system is needed to protect the privacy of the individuals whose data will be processed, from the source (vehicle) to the sink (e.g. data scientist).

The applications PCT/EP2021/081967 and PCT/EP2021/081966 describe the steps of a data collection campaign until the measurement data are transferred to a trustworthy end point (e.g. data scientist), but they do not clarify in detail how the access to the measurement data is handled. One possibility is that the cryptographic key can be given to one or more data scientists and handled like a symmetric group key. Symmetric group keys always have the disadvantage of a risk of untrustworthy entities in the group. Instead of giving one symmetric key to every data scientist, the symmetric key stays at one location, users authorize themselves to this location (e.g. based on access certificates), and the location decrypts the data with the symmetric key based on the user access results.

Applications PCT/EP2021/081967 and PCT/EP2021/081966 already describe two ways to encrypt data with a campaign specific key. The central computer system adds a user management on top which allows access to one or several specific campaigns to be granted to several authorized users (e.g. data scientists). Instead of sharing the decryption key with all of the users, the users authorize themselves to a user-management system (e.g. Active Directory) which holds the campaign specific key and can grant access to decrypted data. Overall, the example shows how an access management to measurement data is provided by the invention.