Secure method of exchanging information messages

Information

  • Patent Application
  • 20040105457
  • Publication Number
    20040105457
  • Date Filed
    October 03, 2003
  • Date Published
    June 03, 2004
Abstract
A secure method of exchanging information messages sent successively from a sending platform to a receiving platform includes:
Description


BACKGROUND OF THE INVENTION

[0001] 1. Field of the Invention


[0002] The invention relates to a secure method of exchanging information messages sent successively, at given time intervals, from a sending platform to a receiving platform. The invention relates more particularly to a method which ensures that the last message picked up by the receiving platform corresponds to the last message sent by the sending platform.


[0003] 2. Description of the Prior Art


[0004] The method according to the invention finds one application in train control and/or supervision systems, which are known in France as control, operation and maintenance aid systems (SACEM) and include a centralized control station, fixed installations along the tracks, and a control unit in each train. In control systems of this kind, the centralized control station sends the fixed installations at regular time intervals information messages including information relating to traffic conditions on one or more track sections downstream of the fixed installation. The control unit of any train in the network then receives from the fixed installations the last information message received by the fixed installation and deduces therefrom the running speed to adopt. When exchanging information messages of the above kind it is essential, for safety reasons, to be sure that the last message received by the fixed installations corresponds to the last information message sent by the centralized control station. Given the various components involved in transmitting messages, and the fact that there may be relatively great distances between the centralized control station and the fixed installations, it is possible for some messages to suffer interference or to be delayed during transmission and to reach the fixed installations late, so modifying the order in which the fixed installation receives the information messages compared to the order in which they are sent by the centralized control station. In this case the updated information message at the fixed installation no longer corresponds to the last message sent by the centralized control station. Although such phenomena are rare, to ensure traffic safety it is absolutely essential that they are detected.


[0005] A standard way to make the transmission of information messages secure is to employ continuous bidirectional exchanges of data so that an information message received by a fixed installation is sent back to the centralized control station, which checks that it corresponds to the information message sent. However, methods of this kind relying on bidirectional exchanges of data use complex processing methods necessitating costly systems at the sender and the receiver.


[0006] The object of the present invention is therefore to propose a secure method of exchanging information messages which, in the course of successive unidirectional exchanges of information messages between a sending platform and a receiving platform, ensures that the last message picked up by the receiving platform corresponds to the last message sent by the sending platform, in order to be able to validate correct updating of the information message at the receiving platform.



SUMMARY OF THE INVENTION

[0007] To this end, the invention provides a secure method of exchanging information messages sent successively from a sending platform to a receiving platform which includes:


[0008] a) an initialization sequence in which an initialization message containing information relating to a date t1 for sending a first information message M1 is exchanged between the sending platform and the receiving platform so that the sending platform and the receiving platform then both know the date t1 for sending the first information message M1, and


[0009] b) an information message transmission sequence in which:


[0010] the information messages are sent successively by the sending platform at given time intervals ΔTE with a sending time tolerance δ (δ<ΔTE) based on a clock specific to the sending platform, so that the first message M1 is sent at the date t1 on the clock and the nth message Mn is sent at the date tn=t1+(n−1).ΔTE+δ, each message Mn being coded by means of a dynamic code Cn specific to the date tn of sending the message (the information message data is advantageously coded using a code defined as a function of the security criteria of the application, so that the information messages are rendered incomprehensible in the event of a transmission error, for example the SACEM code), and


[0011] the messages received by the receiving platform are processed as a function of their reception date tr based on a clock specific to the receiving platform so that the messages received in an observation window Fn in the vicinity of tn are decoded using a decoding sequence DCn adapted to decode the dynamic code Cn, the clock of the receiving platform being synchronized to the date t1 on receiving the first message M1.


[0012] Particular embodiments of the method according to the invention can include one or more of the following features, individually or in any technically feasible combination:


[0013] during the initialization sequence a) a coded initialization message M0 is sent from the sending platform to the receiving platform and a coded initialization message M′0 is sent from the receiving platform to the sending platform, the initialization messages M0, M′0 containing the information relating to the date t1 for sending the first information message M1, and the initialization messages M0, M′0 being decoded by the sending platform and the receiving platform which then know the date t1 for sending the first information message M1;


[0014] if the first message M1 is not received within an allotted time after reception of the initialization message, the clock of the receiving platform is automatically synchronized to the date t1 at the moment corresponding to the end of the allotted time;


[0015] the observation window Fn corresponds to a time window [t1+(n−1).ΔTE−ΔTF*ε, t1+(n−1).ΔTE+ΔTF*(1−ε)], where n is an integer, ΔTF corresponds to the width of the observation window and satisfies the condition ΔTF<ΔTE, so that successive windows do not overlap, and ε is from 0 to 1 and sets the position of the nominal date t1+(n−1).ΔTE within the window;


[0016] a clock synchronization signal is sent regularly by the sending platform between sending messages Mn, the synchronization signal being used to correct the frequency or the phase of the internal clock of the receiving platform dynamically in order to reduce the phase or frequency error between the internal clocks of the receiving platform and the sending platform;


[0017] the information messages decoded by the receiving platform are transmitted to an information processing module;


[0018] the messages received by the receiving platform during an observation window Fn are stored sequentially in a memory able to store only one message at a time and only the message stored in the memory at the end of the observation window Fn is transmitted to the information processing module; and


[0019] the sending platform is part of a centralized control station of a rail traffic supervision and control system, the receiving platform is part of a fixed installation disposed alongside a rail track, and the information processing module is a control unit on board a train circulating on a track section associated with the fixed installation.


[0020] Objects, aspects and advantages of the present invention will be better understood from the following description of one particular embodiment of the invention, which is offered by way of non-limiting example and refers to the accompanying drawings.


BRIEF DESCRIPTION OF THE DRAWINGS

[0021]
FIG. 1 is a partial diagrammatic representation of a train supervision installation employing a secure method in accordance with the invention of exchanging information messages.


[0022]
FIG. 2 is a flowchart showing the main steps of a sending method conforming to the secure exchange method according to the invention employed by a sending platform.


[0023]
FIG. 3 is a flowchart showing the main steps of a processing method conforming to the secure exchange method according to the invention employed by a receiving platform.


[0024]
FIG. 4 is a timing diagram showing the sending of information messages from the sending platform, the reception of the messages at the receiving platform, and the processing of the messages in conformance with the secure exchange method according to the invention.


[0025] To clarify the drawings, only the system components necessary for understanding the invention are shown. The same components carry the same reference numbers if shown in more than one figure.


DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

[0026]
FIG. 1 shows diagrammatically a centralized control station 1 communicating information messages to fixed installations 2 disposed alongside a rail track section, the messages including information relating to traffic conditions on one or more track sections downstream of the fixed installation 2. The messages are then transmitted, in a manner that is known in the art, from the fixed installations 2 via a track circuit to a train 5 which carries a control unit 6 which uses the information messages to determine, among other things, how to proceed, for example the speed to adopt or whether it is necessary to initiate an emergency stop.


[0027] For transmitting the information messages, the centralized control station 1 includes a sending platform 10 connected by transmission cables 4 to a receiving platform 20 in the fixed installation 2. The sending platform 10 and the receiving platform 20 each have an internal clock.


[0028] The sequence of information messages sent by the sending platform 10 using the secure exchange method according to the invention is described next with reference to FIG. 2.


[0029] In that figure, in a first step 101 of the secure exchange method, an initialization sequence is executed during which a coded initialization message M0 is transmitted from the sending platform 10 to the receiving platform 20. The message M0 contains part of the information defining the initial date of the first information message, for example a random number generated by the sending platform. In a second step 102, the sending platform receives the message M′0 sent by the receiving platform. The message M′0 contains another part of that information, for example a random number generated by the receiving platform. In a step 103 the sending platform 10 decodes the messages M0, M′0 to generate the initial date of the first message. An implicit portion can optionally complement the initial date.


[0030] The transmission of the initialization sequence is conventionally made secure by executing a bidirectional exchange method to check that the correlation between the received message and the sent message is correct.


[0031] The initialization sequence previously described is followed by a step 104 of the method in which no message is sent by the sending platform 10 until the time te on the internal clock of the sending platform 10 reaches the date t1 for sending the first message M1. At that date t1, the sending platform 10 sends the first message M1, after which messages are sent at constant time intervals ΔTE such that the nth message Mn is sent at the date tn=t1+(n−1).ΔTE+δ, where n is an integer and δ is the sending time tolerance (δ<ΔTE).


[0032] According to one feature of the invention, each message Mn sent is coded with a dynamic code Cn specific to the date tn for sending the message. The dynamic code Cn is of a type chosen from dynamic codes known in the art which have coding properties such that decoding the message Mn using a decoding sequence other than the decoding sequence DCn for the code Cn produces a message that is incomprehensible given the coding defined at the level of the application. For example, the code chosen can be a pseudo-random sequence generated from the primitive polynomial X^32+X^22+X^2+X+1 and superimposed (added modulo 2) on each of the data bits.


[0033] The processing executed in parallel by the receiving platform 20 while the sending platform 10 is sending the sequence of information messages is described next with reference to FIG. 3.


[0034] As shown in FIG. 3, in a first step 201 of the method, the receiving platform 20 receives the message M0 contained in the initialization sequence sent by the sending platform during the step 101. In a second step 202, the receiving platform 20 sends the message M′0 which is received by the sending platform during the step 102. In a step 203, the messages M0, M′0 are decoded by the receiving platform 20 to obtain the initial date t1 of the first message M1, as in step 103 of the method as executed at the sending platform.


[0035] In a subsequent step 204 of the method, which is triggered when the receiving platform 20 receives the first message M1, the internal clock of the receiving platform 20 is synchronized to the date t1 so that tr=t1 at the time the first message M1 is received, where tr is the time on the internal clock of the receiving platform 20. The internal clock of the receiving platform 20 is synchronized by default to the date t1 if the first message M1 does not reach the receiving platform 20 within an allotted time after reception of the initialization message M0.


[0036] After the message M1 is received, the clock of the receiving platform 20 is preferably synchronized regularly to the clock of the sending platform 10 using clock synchronization frames sent regularly by the sending platform 10 in the same cycle as the messages Mn. These frames are either dedicated frames or the messages Mn themselves. Accordingly, if a synchronization error (phase, frequency, average, least squares, etc.) is measured between the internal clock of the sending platform 10 and the internal clock of the receiving platform 20, the frequency or the phase of the internal clock of the receiving platform 20 is corrected dynamically to reduce the phase or frequency error between the two clocks.


[0037] During the next step 205 of the method, the first message M1 received is decoded by means of a decoding sequence DC1 adapted to decode the dynamic code C1 and the result of decoding the message M1 is transmitted to the track circuit by the receiving platform 20.


[0038] The next step 206 of the method is triggered iteratively when the receiving platform 20 receives a new message M?, a priori the message Mn, at a time tr in an observation time window Fn that corresponds to a time window [t1+(n−1).ΔTE−ΔTF*ε, t1+(n−1).ΔTE+ΔTF*(1−ε)], where ΔTF is the width of the observation window, n is an integer and ε is from 0 to 1.


[0039] During the next step 207 of the method, the message M? received from the sending platform 10 in an observation window Fn is decoded using a decoding sequence DCn allotted to the observation window Fn, which corresponds to the inverse of the coding sequence Cn and is adapted to decode only the dynamic code Cn of the nth message sent by the sending platform 10.


[0040] In a preferred embodiment of the invention, in a step that is not shown in FIG. 3, the message M? decoded by the receiving platform 20 is then stored temporarily in a memory having a capacity such that it is able to store only one message at a time, before being sent to the track circuit at the time tr corresponding to the end of the observation window Fn. In a simplified variant, the message M? can be transmitted to the track circuit immediately at the end of the step 207, without being stored in a memory.


[0041] The train 5 on the track section then receives, via the track circuit, the messages decoded by the receiving platform 20, with the assurance that the messages M? received, which are comprehensible given the decoding defined in the application, are correctly updated messages Mn, the information in which must be acted on. Moreover, to ensure the safety of trains circulating on the track, the control unit 6 on board the train 5 triggers an emergency stop if the train 5 receives a plurality of successive incomprehensible messages, for example five such messages one after the other, with the result that the train is stopped when it no longer has sufficient information on traffic conditions in the downstream track section.


[0042]
FIG. 4 shows one example of a sequence of information messages exchanged in conformance with a method according to the invention. In this figure, the sending of messages M1 to M6 is shown on the top axis te, this axis corresponding to the time on the internal clock of the sending platform 10, and the reception of messages is shown on the axis tr corresponding to the time on the clock of the receiving platform 20. In the example described with reference to FIG. 4, the initialization sequence, not shown in this figure, is considered to be initiated at the time te=4 h 59 min and the date t1 of sending the first message is considered to be t1=5 h. The interval ΔTE is of the order of a few tens of milliseconds, for example ΔTE=50 ms, with the result that the updating of the information messages is frequent. In the example shown, the sending time tolerance δ is zero and the observation windows Fn have the characteristics ε=0.5 and ΔTF=25 ms.


[0043] Accordingly, referring to FIG. 4, and in particular to the reception of messages shown on the bottom axis tr representing the time on the clock of the receiving platform 20, a few moments after the first message M1 is sent the receiving platform 20 receives the message M1. The receiving platform 20 then synchronizes its internal clock so that tr=t1 at the moment the message M1 is received. The message M1 is then decoded by the receiving platform using the decoding sequence DC1 and is then transmitted to the track circuit and thus to any train 5 on the track section.


[0044] A few moments later, the receiving platform 20 receives the message M2 in an observation window F2 of width ΔTF centered on t2. The receiving platform 20 then decodes the message M2 using the decoding sequence DC2. The decoded message is stored in a memory of the receiving platform having a capacity able to store only one message at a time and is then transmitted to the track circuit at the time tr corresponding to the end of the observation window F2: tr=t2+ΔTF/2. The control unit 6 of the train 5 on the track section is then informed of traffic conditions by the message M2.


[0045] Because of interference affecting the transmission of the message M3, the receiving platform 20 does not receive any message during the observation window F3. In this case, the message transmitted by the receiving platform 20 to the track circuit at the time tr corresponding to the end of the observation window F3 is incomprehensible when decoded by the application, which informs the control unit 6 of the train 5 on the track section of this information message updating error.


[0046] In due course the message M3 is received in the observation window F4 and is then decoded using the decoding sequence DC4 allotted to the window F4, which produces a decoded message that is incomprehensible given the coding defined by the application; that message is stored in the memory of the receiving platform 20. The incomprehensible message is transmitted to the track circuit at a time tr corresponding to the end of the observation window F4 and the control unit 6 of the train 5 receives the incomprehensible message and interprets it as another information message updating error. The control unit 6 then registers two successive information message updating errors, but does not yet bring about emergency stopping of the train if the allowed tolerance is five successive errors.


[0047] Two messages M4 and M5 are received successively by the receiving platform 20 during an observation window F5. The receiving platform 20 receives the message M4 first and then the message M5 in the same observation window F5. The receiving platform decodes the message M5 using the decoding sequence DC5, producing a decoded message that is comprehensible given the coding defined by the application, which is stored in the memory of the receiving platform 20 in place of the preceding message. The message M5 is transmitted to the track circuit at a time tr corresponding to the end of the observation window F5. The control unit 6 of the train 5 then receives a message which is comprehensible given the coding defined by the application, i.e. the message M5, with the assurance that the information contained in that message has been updated correctly.


[0048] During an observation window F6, the receiving platform 20 receives the message M6, which is decoded using the decoding sequence DC6 and then stored in the memory before it is sent to the track circuit at a time tr corresponding to the end of the window F6. The control unit 6 of the train 5 then receives a message that is comprehensible, given the coding defined by the application, i.e. the message M6, with the assurance that the information contained in the message has been updated.
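The exchange of the summary (paragraphs [0007] to [0011]), the dynamic code of paragraph [0032], the observation window of paragraph [0038], the single-message memory of paragraph [0040] and the error counting of paragraph [0041], replayed on the FIG. 4 timeline, as an added Python example. It is not part of the patent and is not an implementation of the SACEM code. Its assumptions: times are integer milliseconds on the clock of the platform concerned, with t1 = 5 h, ΔTE = 50 ms, ΔTF = 25 ms, ε = 0.5 and δ = 0 as in FIG. 4; the dynamic code Cn is a Fibonacci LFSR built on the polynomial X^32+X^22+X^2+X+1, seeded from the sending date tn and XORed onto the data; "comprehensible given the coding defined by the application" is modelled by a CRC-32 check word appended before scrambling (a stand-in chosen for the example, not the application code of the patent); the transmission latencies that delay M3 into F4 and M4 into F5 are constructed to reproduce the figure. All function names are the example's own.

```python
import zlib
from typing import Optional

# FIG. 4 parameters; all times are integer milliseconds (assumption), t1 = 5 h.
T1 = 5 * 3600 * 1000   # t1: sending date of M1, shared by both sides after M0/M'0
DTE = 50               # ΔTE: sending interval
DTF = 25               # ΔTF: observation-window width, ΔTF < ΔTE
EPS = 0.5              # ε: window centred on the nominal reception date
DELTA = 0              # δ: sending time tolerance, zero in FIG. 4
TAPS = (32, 22, 2, 1)  # exponents of the primitive polynomial X^32+X^22+X^2+X+1


def send_date(n: int) -> int:
    """tn = t1 + (n-1)·ΔTE + δ on the sending platform's clock."""
    return T1 + (n - 1) * DTE + DELTA


def window(n: int) -> tuple[float, float]:
    """Fn = [t1+(n-1)·ΔTE − ΔTF·ε, t1+(n-1)·ΔTE + ΔTF·(1−ε)] on the receiver's clock."""
    centre = T1 + (n - 1) * DTE
    return centre - DTF * EPS, centre + DTF * (1 - EPS)


def window_index(tr: float) -> Optional[int]:
    """n with tr in Fn, or None when tr falls between windows.  ΔTF < ΔTE makes
    the windows disjoint, so only the window preceding tr and the next one matter."""
    k = int((tr - T1) // DTE) + 1
    for n in (k, k + 1):
        if n >= 1 and window(n)[0] <= tr < window(n)[1]:
            return n
    return None


def keystream(seed: int, nbytes: int) -> bytes:
    """Fibonacci LFSR over GF(2) tapped at the polynomial's exponents; the 32-bit
    seed is the initial state (all-zero is avoided: it would output only zeros)."""
    state = (seed & 0xFFFFFFFF) or 1
    out = bytearray()
    for _ in range(nbytes):
        byte = 0
        for _ in range(8):
            feedback = 0
            for t in TAPS:
                feedback ^= (state >> (t - 1)) & 1
            byte = (byte << 1) | (state & 1)
            state = (state >> 1) | (feedback << 31)
        out.append(byte)
    return bytes(out)


def code(n: int, payload: bytes) -> bytes:
    """Cn: append a CRC-32 (a stand-in for the application-level code, not the
    SACEM code) and XOR the whole with the keystream seeded from tn."""
    plain = payload + zlib.crc32(payload).to_bytes(4, "big")
    return bytes(p ^ k for p, k in zip(plain, keystream(send_date(n), len(plain))))


def decode(n: int, coded: bytes) -> Optional[bytes]:
    """DCn: undo Cn.  None means incomprehensible (check word fails), which is what
    a message coded with Cm, m ≠ n, gives when it lands in window Fn."""
    plain = bytes(c ^ k for c, k in zip(coded, keystream(send_date(n), len(coded))))
    payload, check = plain[:-4], int.from_bytes(plain[-4:], "big")
    return payload if len(coded) >= 4 and zlib.crc32(payload) == check else None


def receiving_platform(arrivals: list[tuple[int, int, bytes]],
                       n_windows: int) -> list[Optional[bytes]]:
    """arrivals: (instant the message reaches the receiver, n, coded Mn).  The
    receiver's clock is set so that tr = t1 when M1 arrives (step 204).  Each
    window has one memory slot that a later arrival overwrites; at the end of Fn
    the slot is decoded with DCn for the track circuit (None = nothing or garbage)."""
    arrivals = sorted(arrivals)
    sync = next(t for t, n, _ in arrivals if n == 1)
    slot: dict[int, bytes] = {}
    for t, _, coded in arrivals:
        n = window_index(T1 + (t - sync))      # tr on the receiver's clock
        if n is not None:
            slot[n] = coded                    # one message at a time: last wins
    return [decode(n, slot[n]) if n in slot else None for n in range(1, n_windows + 1)]


def control_unit(track_circuit: list[Optional[bytes]],
                 tolerance: int = 5) -> tuple[list[bytes], bool]:
    """On-board unit: act on comprehensible messages and emergency-stop after
    `tolerance` consecutive incomprehensible ones.  Returns (acted on, stopped)."""
    acted_on, errors = [], 0
    for msg in track_circuit:
        errors = errors + 1 if msg is None else 0
        if msg is not None:
            acted_on.append(msg)
        if errors >= tolerance:
            return acted_on, True
    return acted_on, False


def fig4_scenario() -> tuple[list[Optional[bytes]], list[bytes], bool]:
    """Constructed FIG. 4 timeline: M3 delayed into F4; M4 delayed so that M4 and
    M5 both fall in F5.  The latencies (ms) are assumptions."""
    latency = {1: 3, 2: 3, 3: 53, 4: 50, 5: 3, 6: 3}
    arrivals = [(send_date(n) + latency[n], n,
                 code(n, f"M{n}: speed limit {50 + 10 * n} km/h".encode()))
                for n in range(1, 7)]
    delivered = receiving_platform(arrivals, 6)
    acted_on, stopped = control_unit(delivered)
    return delivered, acted_on, stopped
```

Running fig4_scenario() reproduces the figure: F1, F2, F5 and F6 deliver M1, M2, M5 and M6; F3 delivers nothing and F4 delivers M3 decoded with DC4, which fails the check word, so the control unit counts two consecutive updating errors and does not stop. Note the caveat a practitioner would want: the key of the scrambler is derived from the sending date tn, which both platforms know and which anyone observing the cables can predict, so the dynamic code ties a message to its window and exposes delay and reordering, which is the updating error the patent addresses; it does not authenticate the sender, and protection against deliberate injection on the transmission cables would have to be a separate layer.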


[0049] Thus, thanks to the regular unidirectional exchange of messages between a sending platform and a receiving platform, a secure method of exchanging information messages of the kind described above guarantees correct updating of the information messages that reach the destination in a comprehensible form, without using complex processing. A method of the above kind has the advantage that it is relatively inexpensive to implement and transmits information at high speed, unlike the usual bidirectional transmission systems, in which the information verification sequence considerably slows the transmission of messages, and therefore action taken in response to them. The method according to the invention therefore refreshes information messages received by a train at a relatively high rate.


[0050] Of course, the invention is in no way limited to the embodiment described and shown, which is offered by way of example only and can be modified, in particular from the point of view of the composition of the various components or by substituting technical equivalents, without departing from the scope of protection of the invention.


Claims
  • 1. A secure method of exchanging information messages sent successively from a sending platform to a receiving platform, which includes: a) an initialization sequence in which an initialization message containing information relating to a date t1 for sending a first information message M1 is exchanged between said sending platform and said receiving platform so that said sending platform and said receiving platform then know said date t1 for sending said first information message M1, and b) an information message transmission sequence in which: said information messages are sent successively by said sending platform at given time intervals ΔTE with a sending time tolerance δ based on a clock specific to said sending platform, so that said first message M1 is sent at said date t1 on said clock and the nth message Mn is sent at the date tn=t1+(n−1).ΔTE+δ, each message Mn being coded by means of a dynamic code Cn specific to said date tn of sending said message, and said messages received by said receiving platform are processed as a function of their reception date tr based on a clock specific to said receiving platform so that said messages received in an observation window Fn in the vicinity of tn are decoded using a decoding sequence DCn adapted to decode said dynamic code Cn, said clock of said receiving platform being synchronized to said date t1 on receiving said first message M1.
  • 2. The secure method claimed in claim 1 of exchanging information messages, wherein during said initialization sequence a) a coded initialization message M0 is sent from said sending platform to said receiving platform and a coded initialization message M′0 is sent from said receiving platform to said sending platform, said initialization messages M0, M′0 containing the information relating to said date t1 for sending said first information message M1, and said initialization messages M0, M′0 being decoded by said sending platform and said receiving platform which then know said date t1 for sending said first information message M1.
  • 3. The secure method claimed in claim 1 of exchanging information messages, wherein, if said first message M1 is not received within an allotted time after reception of said initialization message, said clock of said receiving platform is automatically synchronized to said date t1 at the moment corresponding to the end of the allotted time.
  • 4. The secure method claimed in claim 1 of exchanging information messages, wherein said observation window Fn corresponds to a time window [t1+(n−1).ΔTE−ΔTF*ε, t1+(n−1).ΔTE+ΔTF*(1−ε)], where ΔTF corresponds to the width of the observation window and satisfies the equation ΔTF≦ΔTE and ε is from 0 to 1.
  • 5. The secure method claimed in claim 1 of exchanging information messages, wherein a clock synchronization signal is sent regularly by said sending platform between sending messages Mn, said synchronization signal being used to correct the frequency or the phase of the internal clock of said receiving platform dynamically in order to reduce the phase or frequency error between the internal clocks of said receiving platform and said sending platform.
  • 6. The secure method claimed in claim 1 of exchanging information messages, wherein said information messages decoded by said receiving platform are transmitted to an information processing module.
  • 7. The secure method claimed in claim 1 of exchanging information messages, wherein said messages received by said receiving platform during an observation window Fn are stored sequentially in a memory able to store only one message at a time and only the message stored in said memory at the end of said observation window Fn is transmitted to said information processing module.
  • 8. The secure method claimed in claim 1 of exchanging information messages, wherein said sending platform is part of a centralized control station of a rail traffic supervision and control system, said receiving platform is part of a fixed installation disposed alongside a rail track, and said information processing module is a control unit on board a train circulating on a track section associated with said fixed installation.
Priority Claims (1)
Number Date Country Kind
02 12 404 Oct 2002 FR