This disclosure relates to active suspension systems, such as those used in vehicles.
Active vehicle suspension systems employ actuators coupled between the vehicle's wheels and the vehicle body, to continuously control motion of the wheels relative to the vehicle body as the wheels encounter changing road and driving conditions. By constantly adjusting the wheel position, velocity, and/or acceleration to respond to varying road and driving conditions, an active suspension system can offer superior handling, road feel, responsiveness and safety to a conventional passive suspension system.
In one aspect, the invention features an active suspension system in which some or all of the data that is exchanged between the system's components (e.g., control commands sent from a controller to an actuator) is encrypted.
In another aspect, the invention features an active suspension system for a vehicle that includes a first component (e.g., a controller element) in communication with a second component (e.g., an actuator assembly) using a network of any known topology (e.g., bus, ring, point-to-point, etc.). The first component is configured to encrypt at least some of the data (e.g., control commands) it transmits to the second component.
Embodiments may include one or more of the following features. The second component may be configured to decrypt the data, and a private (or secret) key or public key encryption scheme may be used for the encryption. The second component may be a linear actuator and may include motion sensors (e.g., position, velocity, acceleration) that feed back motion information to the first component (e.g., a controller). The sensor information that is fed back to the first component may also be encrypted.
In another aspect, the invention features an active suspension system that includes a first actuator that includes a stator coupled to the body of the vehicle and an armature coupled to a first wheel of the vehicle, and a controller configured to issue control commands to the first actuator using a network. The controller is configured to encrypt the control commands prior to transmitting the control commands to the first actuator.
In another aspect, the invention features a method for managing encryption keys for a mass-produced active suspension system, wherein each mass-produced active suspension system includes one or more components that require an encryption key. The method includes using a first encryption key for a first set of suspension system components, using a second encryption key for a second set of suspension system components, and maintaining a database for tracking encryption keys that are used in the first and second sets of components.
Embodiments may include one or more of the following. The first encryption key may be used for suspension system components supplied to a first automobile manufacturer, a first make of vehicle, or a first model of vehicle, while the second encryption key may be used for suspension system components supplied to a second automobile manufacturer, a second make of vehicle, or a second model of vehicle. Similarly, the first encryption key may be used for a first number of suspension system components supplied over a first time period, while the second encryption key may be used for a second number of suspension system components supplied over a second time period.
Referring to
The active suspension system 12 also includes a central controller 18 that is in communication with each of the four actuators over a data bus 19, such as a FlexRay™ optical or electrical bus, a MOST bus, or other known technology.
As the vehicle 10 is driven over a road surface, the central controller receives motion information (such as acceleration signals) from each of the sensors and sends control commands to each of the four actuators 14a-14c. The control commands cause the actuators to output controlled forces, which in turn cause the vehicle body to respond in a desired manner to road disturbances. For example, a controller may issue commands to actuators to minimize the vertical acceleration of the vehicle body as the wheels of the vehicle travel over uneven surfaces (e.g., pot holes, banked road surface, etc.) or as the vehicle performs a turning maneuver.
In a typical vehicle active suspension system, the actuators are capable of generating substantial amounts of force to maintain control over motion of the body of the vehicle as the vehicle's wheels travel over uneven surfaces or when the vehicle performs a turning maneuver. Because the actuators are capable of generating such force, they can be controlled to cause the vehicle to perform dangerous maneuvers. For example, in some implementations, the actuators are powerful enough to cause some or all of the vehicle's wheels to lose contact with the road surface while the vehicle is stopped or traveling on a flat roadway. Controlling the actuators in this way creates safety concerns for people located both inside and outside of the vehicle, and, therefore, may not be a capability that is desired in a commercially-available vehicle. While the controller that is supplied in a commercially-sold active suspension system may not be programmed with a control sequence to cause the vehicle to “jump” or perform other dangerous maneuvers, there is a risk that persons may re-program the controller or install other controllers to enable this capability.
To prevent unsafe or undesirable control of an active suspension system, an active suspension system encrypts control commands and other information exchanged between the system's components. For example, as shown in
The encryption modules 32a-32e encrypt data (e.g., control commands and acceleration data) prior to being sent on the network. When a system component, such as one of the actuators, receives the encrypted data, it decrypts the data using its decryption module 34a-34e. By encrypting the data exchanged between the system's components, the risk of altering the system's control scheme is reduced.
The encryption and decryption modules may be implemented in hardware, software or a combination thereof and may use any known encryption scheme, including private key encryption or public key encryption. The network 26 over which data is exchanged among system components may be of any known topology (e.g., point-to-point, bus, star, ring, etc.) and may use any appropriate synchronous or asynchronous communications protocol.
For example, the network 26 shown in
the payload of the FlexRay packet, which contains the data that is to be transported between system components, may be encrypted using a shared secret key or a public key of the component to which the data is being sent.
In an active suspension system that uses a private key encryption scheme, each of the components (e.g., the controller and actuators) uses the same secret key to encrypt and decrypt data. A private key encryption scheme, such as the Data Encryption Standard (DES), requires a system for managing the secret key(s) used in mass-produced active suspension systems.
Key management can be handled in a variety of ways. For example, a supplier of active suspension systems may use a single secret key for all components produced by the supplier. However, if this shared secret key is revealed, the integrity of all suspension systems produced by that supplier is jeopardized.
To reduce the harm in a secret key being revealed, the supplier may use different secret keys for components of active suspension systems supplied to different automobile manufacturers (e.g., one key for General Motors vehicles and a second key for Ford vehicles), or different keys for components of active suspension systems supplied for different makes (e.g., one key for General Motors Chevrolet vehicles and a second key for General Motors Cadillac vehicles), different models (e.g., one key for Cadillac STS vehicles and a second key for Cadillac Escalade vehicles), or specific individual vehicles. The supplier may also periodically change the secret keys that are incorporated into the active suspension systems. For example, the supplier may use one secret key in year 1 and then switch to a second secret key in year 2. Or the supplier may change secret keys after manufacturing a certain number of units (e.g., the components of the first 1,000 active suspension systems manufactured by the supplier include one secret key, while the components of the next 1,000 active suspension systems have a second secret key, and so on).
In order for a supplier to replace broken or defective components, the supplier preferably maintains a secure database that tracks the secret keys that have been used in the active suspension components sold by the supplier. For example, if a supplier changes secret keys every 1,000 active suspension systems produced, the supplier would keep a database that matches private keys to ranges of component serial numbers. If a component broke or failed, the supplier could use the database to obtain the key that was used in the particular active suspension system and supply a new component (e.g., a new actuator) with the proper secret key.
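The key-tracking database described above can be sketched as follows. This is an added example, not part of the original disclosure: the class and function names, the `K-000x` key handles, and the assumption that serial numbers are unique within a (manufacturer, model) segment are all hypothetical. It covers the replacement-part lookup and also counts how many fielded units a single disclosed key would affect.

```python
import bisect
from dataclasses import dataclass

@dataclass(frozen=True)
class KeyRecord:
    first_serial: int  # inclusive
    last_serial: int   # inclusive
    key_id: str        # handle to the key in a vault/HSM, never the key bytes

class KeyDatabase:
    """Tracks which key was installed in which serial range, per segment."""

    def __init__(self):
        self._by_segment = {}  # (manufacturer, model) -> records sorted by first_serial

    def register(self, segment, first_serial, last_serial, key_id):
        if first_serial > last_serial:
            raise ValueError("empty serial range")
        recs = self._by_segment.setdefault(segment, [])
        i = bisect.bisect_left([r.first_serial for r in recs], first_serial)
        # A serial must map to exactly one key, so reject overlapping ranges.
        if i > 0 and recs[i - 1].last_serial >= first_serial:
            raise ValueError("range overlaps previous record")
        if i < len(recs) and recs[i].first_serial <= last_serial:
            raise ValueError("range overlaps next record")
        recs.insert(i, KeyRecord(first_serial, last_serial, key_id))

    def key_for(self, segment, serial):
        """Key handle to provision into a replacement part for this unit."""
        recs = self._by_segment.get(segment, [])
        i = bisect.bisect_right([r.first_serial for r in recs], serial) - 1
        if i >= 0 and serial <= recs[i].last_serial:
            return recs[i].key_id
        raise KeyError(f"no key recorded for {segment} serial {serial}")

    def exposure(self, key_id):
        """Number of fielded units affected if this key is disclosed."""
        return sum(r.last_serial - r.first_serial + 1
                   for recs in self._by_segment.values()
                   for r in recs if r.key_id == key_id)

def build_sample_db():
    # Constructed sample data: rotate keys every 1,000 units, per model.
    db = KeyDatabase()
    db.register(("General Motors", "Cadillac STS"), 1, 1000, "K-0001")
    db.register(("General Motors", "Cadillac STS"), 1001, 2000, "K-0002")
    db.register(("General Motors", "Cadillac Escalade"), 1, 1000, "K-0003")
    return db
```

With this sample data, disclosure of one key affects 1,000 of the 3,000 recorded units, whereas a single supplier-wide key would affect all of them.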
In some implementations, a supplier of active suspension systems may use a public key encryption scheme. In a public key scheme, a “public key” associated with the component to which data is being sent is used to encrypt data by the component sending the data, while a private key associated with the receiving component is required to decrypt the message. Because a system that uses a public key encryption scheme still requires the use of private (or secret) keys, a key management scheme is required for maintaining and tracking the private keys that are used in components sold by a supplier.
In some implementations, an active suspension system may use a distributed control scheme, rather than a centralized control scheme. In such a system, communication between the system's components may be encrypted. For example, as shown in
A number of embodiments of the invention have been described. Nevertheless, it will be understood that various modifications may be made without departing from the spirit and scope of the invention. For example, while two-way secure communication has been illustrated in
Under 35 U.S.C. §119(e)(1), this application claims the benefit of prior U.S. provisional application 60/733,960, entitled SECURE ACTIVE SUSPENSION SYSTEM, filed Nov. 4, 2005.
Number | Date | Country
---|---|---
60733960 | Nov 2005 | US