The subject matter described herein relates to communications between devices of a vehicle system and communications to and from the devices, including from remote devices.
At any given time within a complex route network, such as a track network, one or more vehicle, such as trains, may be operating and traversing a route in the route network and sending data from one to another using various radio-based methods. For example, a moving block is a signaling block system where blocks are defined in real time by computers to establish safe zones around a first train (e.g., a lead train, etc.) and a second train (e.g., a follower train, etc.). Further, the one or more vehicles may have on-board communication and control systems that facilitate the safe operation of the one or more vehicles in a local territory within the route network. For example, a first vehicle of the one or more vehicles on a route can listen for signals from a second vehicle of the one or more vehicles to determine a vehicle movement in a way to ensure proper separation distance to safely stop the vehicle. In this manner, an individual vehicle may be controlled and safely operated.
The use of such communications as part of a vehicle control system, including positive train control (PTC) systems may introduce cyber security issues. For example, in a man-in-the-middle attack (MITM), a malicious actor may insert oneself between two communicating vehicles (e.g., a hacker positioned within a communication range of the vehicle, etc.) in order to detect information, cause damage, or influence vehicle control. In a MITM attack, both communicating trains are made to believe by the malicious actor that they are communicating with another vehicle while the malicious actor controls the communication channel to delete or modify any of the communications at will. In addition, commercial tools are now becoming more readily available for aiding a would-be malicious actor to inject himself into the middle of vehicle-to-device communications (e.g., locomotive to locomotive, etc.), thereby increasing such attacks on exploitable systems.
In a further example, a first vehicle may request vehicle information of a second vehicle by sending the request, including authentication information (e.g., a password, a one-time code from a token, etc.) to a second vehicle. In a MITM attack, a malicious actor may intercept the train-to-train communication from the first vehicle and pass it to the second vehicle. In this case, the second vehicle may then send a response to the first vehicle when it is actually sending the message to the malicious actor. In the MITM attack, after the response is intercepted by the malicious actor, the malicious actor is free to modify the response, including one or more other communications, and pass the modified response back to the first vehicle. When the first vehicle receives the modified response from the malicious actor, the first vehicle has no information to determine the actual sender (e.g., the malicious actor) and may believe (e.g., determine, etc.) that the response is a secure communication from the second vehicle. At this point, the malicious actor has gained control of the communications channel and may send any spoofed messages directly to the first vehicle and/or the second vehicle. In this attack, public keys, two-factor authentication mechanisms, mutual authentication, digital signatures, etc., are insufficient to certify that the source of the message is the trusted second vehicle, and the first vehicle may not have, nor obtain, information to determine that the message was sent from the second vehicle instead of a nefarious actor.
Some vehicle devices utilize single wireless communication channels or links. For example, some existing head of train (HOT) and end of train (EOT) devices onboard rail vehicle systems utilize a single wireless communication channel or link and, therefore, do not have redundancy when the vehicle systems pass through a challenging radio frequency (RF) environment. Current practices and regulations allow for long periods of time without communication between the HOT and EOT, e.g., up to approximately 16.5 minutes. This can be potentially an unsafe situation, especially where emergency braking is needed when there is no communication.
In areas of vehicle and route congestion, such as rail yards, marine ports, cities, etc., plural different vehicles may move along plural different routes that may intersect with each other at multiple intersections. Vehicles, obstacles, pedestrians, or the like, may move through the intersections, or may remain positioned across the intersections. In order for the multiple vehicles to safely move through an intersection, the vehicles need to understand when an intersection is free of another vehicle, obstacle, or pedestrian, and when the intersection is not, such as when another vehicle is disposed across the intersection. Additionally, the vehicles need to understand when all of the other vehicle system and/or other vehicle systems have moved out of the intersection.
For example, a first vehicle system approaching an intersection may be aware that a second vehicle system is moving through the intersection. However, the second vehicle system may include plural vehicles that travel together, and the first vehicle system may only have information related to a location of a lead vehicle of the second vehicle system. For example, the first vehicle system may receive information that indicates that the lead vehicle of the second vehicle system has moved out of the intersection, but the first vehicle system may be unaware that a trailing vehicle of the second vehicle system, or a portion of the trailing vehicle of the second vehicle system is disposed across the intersection or within an intersection allowance area. The first vehicle system may continue moving according to original operating conditions and may collide with the portion of the trailing vehicle of the second vehicle system that remains disposed across the intersection.
As another example, a stationary obstacle may be positioned near an intersection that the first vehicle system is approaching. The first vehicle system may be aware of where the obstacle is positioned but may be unaware of the size of the obstacle. For example, the obstacle may have a size such that a portion of the obstacle may extend into the intersection allowance area. The first vehicle system may collide with the portion of the obstacle that extends into allowance area of the intersection based on the size of the obstacle and/or the size of the first vehicle system. For example, the first vehicle system may be unable to gauge a distance between the obstacle and the first vehicle system to a level of accuracy to avoid collision with the obstacle.
Therefore, a need exists for a monitoring and control system that understands locations of all portions of vehicle systems and obstacles that move along and/or are disposed at locations along intersecting routes, to avoid collisions between vehicles, obstacles, pedestrians, or the like.
Many vehicles travel on determined routes. For example, rail vehicles travel along tracks that may include different sections. Knowing the location of a vehicle along a route typically is important to assist third parties in preventing vehicles from colliding. For example, in a rail vehicle example, a remote dispatcher may monitor global positioning system (GPS) signals and communicate with engineers of different trains to prevent collisions, and trains taking the same track.
For vehicles monitored by GPS, problems can occur with tracking based on limitations of the GPS to monitor a vehicle in all locations. For example, when a vehicle goes within a tunnel, a GPS receiver may not be able to detect a GPS signal. Additionally, in some open areas, GPS signals may not be as strong and consistent as in other areas. Similarly, sometimes signal reading can be wrong, indicating a vehicle is located somewhere different than where the vehicle is actually located. Thus, advancements in vehicle monitoring along routes are desired.
In accordance with one embodiment, a method is provided that can include activating at least two wireless communication channels in parallel, between a first wireless transceiver and a second wireless transceiver. Each of the at least two wireless communication channels can operate at a different radio carrier frequency, and the first wireless transceiver may be part of a first vehicle. The method can also include transmitting, by the first wireless transceiver, common information in parallel on the at least two wireless communication channels to the second wireless transceiver and deactivating the at least two wireless communication channels.
In one aspect, the method can also include receiving, by the second wireless transceiver, the common information transmitted in parallel on the at least two wireless communication channels. In another aspect, the method may include changing one or more of a throttle setting or a brake setting of at least one of the vehicles using the common information that is communicated. In one example the common information can be first information, and the method may also include subsequently activating only one but not multiple of the wireless communication channels. The method can also include transmitting, by the first wireless transceiver to the second wireless transceiver, second information on the one wireless communication channel that is activated. In another example, the first vehicle may be included in a rail vehicle system, and the first wireless transceiver can be included in a head-of-train (HOT) unit. The second wireless transceiver can be part of a second vehicle and the second wireless transceiver may be included in an end-of-train (EOT) unit. The method may also include transmitting the common information in parallel on the at least two wireless communication channels that may include transmitting the common information from the HOT unit to the EOT unit. In yet another example the second wireless transceiver can be part of a back-office computer.
In one aspect, the first vehicle can be part of a first consist of a vehicle system and the second wireless transceiver may be part of a second vehicle that can be part of a second consist of the vehicle system. In another aspect, activating at least two wireless communication channels in parallel can include switching at least one of the first wireless transceiver or the second wireless transceiver from a low power, stand-by, or sleep mode to an active or fully operational mode via a carrier frequency associated with at least one of the first or second wireless communication channels. In one example, the different radio carrier frequencies can include a center frequency of 450 MHz and a cellular telephone frequency.
In accordance with one embodiment a system is provided that can include a first wireless transceiver configured to be operably disposed onboard a first vehicle and to activate at least two wireless communication channels in parallel between the first wireless transceiver and a second wireless transceiver, each of the at least two wireless communication channels operating at a different radio carrier frequency. The first wireless transceiver can be further configured to transmit common information in parallel on the at least two wireless communication channels to the second wireless transceiver. The first wireless transceiver can also be further configured to deactivate the at least two wireless communication channels following transmission of the common information in parallel on the at least two wireless communication channels.
In one example the system can also include one or more processors configured to change one or more of a throttle setting or a brake setting of at least one of the first vehicle or the second vehicle using the common information that is communicated. In one aspect the common information can be first information, and the first wireless transceiver may be configured to subsequently activate only one but not multiple of the wireless communication channels and transmit second information to the second wireless transceiver on the one wireless communication channel that is activated. In another aspect, the first vehicle can be included in a rail vehicle system and the second wireless transceiver may be part of a second wireless transceiver of the rail vehicle system, the first wireless transceiver can be a head-of-train (HOT) unit, and the second wireless transceiver may be an end-of-train (EOT) unit. In another example, the second wireless transceiver may be part of a back-office computer. In yet another example, the first vehicle may be part of a first consist of a vehicle system and the second wireless transceiver can be part of a second vehicle that is part of a second consist of the vehicle system. In one embodiment the first vehicle can be a first automobile and the second wireless transceiver may be part of a second vehicle that is a second automobile. In another embodiment the different radio carrier frequencies can include a center frequency of 450 MHz and a cellular telephone frequency.
In accordance with one embodiment a system is provided that can include a wireless head-of-train (HOT) transceiver configured to be operably disposed onboard a first rail vehicle and to activate at least two wireless communication channels in parallel between the HOT transceiver and a wireless transceiver that is part of a remote device. Each of the at least two wireless communication channels operate at a different radio carrier frequency, and the HOT transceiver may be further configured to transmit common information in parallel on the at least two wireless communication channels to the wireless transceiver of the remote device. The HOT transceiver can be further configured to deactivate the at least two wireless communication channels.
In one aspect, the HOT transceiver may be configured to deactivate the at least two wireless communication channels by entering a low power, stand-by or sleep mode. In another aspect the HOT transceiver can be configured to subsequently transmit additional information to the transceiver of the remote device via a single wireless communication channel of the at least two wireless communication channels.
The present invention is neither limited to nor defined by the above summary. Rather, reference should be made to the claims for which protection is sought with consideration of equivalents thereto.
Two vehicles involved in a communication exchange may be vulnerable to a man-in-the-middle attack (MITM) due to limited information about one another's identities prior to establishing communication. A malicious actor may exploit such deficiencies in a communication exchange by gaining control of the communication exchange when the first vehicle cannot distinguish between communications sent by the malicious actor and the second vehicle. Vehicle control systems may not provide sufficient identifying content to authenticate communication as coming from a particular vehicle of the one or more vehicles. Additionally, the intermittent and asynchronous nature of vehicle-to-device communication may provide the extra time a malicious actor needs to gain information that can be used to adequately impersonate both vehicles.
As disclosed herein, in some non-limiting embodiments or aspects, a computer-implemented method of vehicle-to-device key exchange may include: generating a first secret random number and a first public key based on the first secret random number; generating a shared secret key based on a second secret random number and the first public key; authenticating an access request based on a digital signature of the first vehicle signed with a first on-board key associated with the first vehicle; and authenticating an access response based on a digital signature of the second vehicle signed with a second on-board key associated with the second vehicle. In this way, the vehicle-to-device key exchange system may provide a first vehicle and a second vehicle of the two vehicles involved in a vehicle-to-device communication exchange, information sufficient to acquire or more efficiently and/or securely determine the identity of another vehicle in a conversation, provide information to establish the trustworthiness of a vehicle identity, location, or other shared secret information to more efficiently and/or accurately establish communication is not susceptible to a MITM attack. In some non-limiting embodiments, the vehicle-to-device key exchange system establishes sufficient identifiable context to secure a vehicle-to-device message exchange by more securely and/or efficiently certifying one or more communications originating from both vehicles.
Embodiments of the subject matter described herein can also include a vehicle control system and method of operation. The vehicle control system may monitor intersections of intersecting routes, and movement of plural different vehicle systems that move along and/or disposed at locations along the intersecting routes. In one or more embodiments, the control system may monitor movement of plural different vehicle system that move along plural different routes. For example, the control system may remotely monitor a rail yard, a marine port, an area of a city that include plural paved roads intersecting each other, a parking lot, or the like.
The control system may determine whether a portion of a vehicle system is disposed within or across an intersection, or within an intersection allowance area that includes a threshold distance around the intersection. The portion of the vehicle system may be a front end or a rear end of the vehicle system, may be a corner or side of the vehicle system, may be a portion of a cargo being carried by the vehicle system that extends beyond the size of the vehicle system, or the like. The determination may be made based on one or more of a size of the vehicle system, locations of different portions of the vehicle system, a location of the intersection, a size and/or location of the intersection allowance area, a speed of movement of the vehicle system, or the like.
In one or more embodiments, the vehicle systems may be formed from rail vehicles (e.g., locomotives, transit vehicles, rail cars, etc.), automobiles, trucks, buses, mining vehicles, agricultural equipment, marine vessels, aircraft (manned or unmanned), or the like. In one or more embodiments, one of the vehicle systems may include two or more vehicles that travel together along a route, such as a consist, convoy, swarm, platoon, fleet, or the like. In such an example the vehicles in the consist, convoy, swarm, platoon, fleet, or the like can operate autonomously (e.g., without input from a human). At least one of the vehicles may be a propulsion-generating vehicle, and one or more other vehicles optionally may be non-propulsion generating vehicles. As one example, the vehicle system may be a train consist that includes a propulsion-generating locomotive and plural rail cars that move together along a rail track. The control system may determine whether any portion of one or more rail cars or the locomotive is disposed across an intersection or within an intersection allowance area. As another example, the vehicle system may be a semi-trailer truck that is coupled with one or more trailers. The control system may determine whether a portion of one or more of the trailers or the truck is disposed across an intersection or within an intersection allowance area. Optionally, the vehicle system may include a barge that is propelled by another marine vessel such as a barge, may be an agricultural vehicle (e.g., a tractor) that is coupled with and propels one or more trailers, or the like. In another example, a vehicle system may be formed from plural vehicles that travel together (e.g., as a convoy), but that are not mechanically coupled with each other.
If it is determined that a portion of a vehicle system is disposed across an intersection or within an intersection allowance area, the control system may determine whether the portion of the vehicle system needs to move to a location outside of the intersection and/or intersection allowance area. For example, the portion of the vehicle system may need to move out of the intersection allowance area if another vehicle system is approaching the intersection. The control system may automatically communicate a command message to the vehicle system to direct the vehicle system to change an operating setting of the vehicle system to move the vehicle system out of the intersection allowance area.
Optionally, the control system may automatically communicate an alert to the vehicle system (e.g., to an operator of the vehicle system) indicating that a portion of the vehicle is positioned within the intersection allowance area or across the intersection. For example, the operator may be unaware that a portion of the vehicle system is disposed within the intersection allowance area, and the alert may be a notification to the operator. Optionally, the control system may communicate an alert to another vehicle system, such as another vehicle system that is moving in a direction toward the intersection. The alert to the other vehicle system may include instructions to change an operating setting of the other vehicle system to change a time of arrival at the intersection. Optionally, the alert may direct the other vehicle system to move onto another route, to move in another direction (e.g., in a direction away from the intersection), or the like.
If it is determined that a portion of the vehicle system is not disposed within the intersection allowance area or across the intersection, the control system may determine a predicted time of arrival at which the vehicle system will be disposed within the intersection allowance area or across the intersection. In one embodiment, the control system may determine that the predicted time of arrival of the vehicle system at the intersection may need to change. The control system may automatically communicate a command message to the vehicle system to automatically change an operating setting of the vehicle system to change the predicted time of arrival of the vehicle system at the intersection. The time of arrival may need to change based on another vehicle system being disposed within the intersection allowance area or across the intersection, based on another obstacle (e.g., barrier, debris, pedestrian, or the like) being disposed within the intersection allowance area, or the like.
Embodiments of the subject matter described may also relate to systems that use route circuits to provide coded signals that are unique to individual sections of a route to provide location information related to the vehicle. By using route circuits that are completed when a vehicle is on or within that route section, a location coded signal may be generated in locations that global positioning systems (GPSs) cannot reach. The coded signal may be coded by providing differing current pulse rates unique to that section of a route along a first frequency. Additional, or auxiliary information about the vehicle may still be provided by the route circuit by using a second frequency. Then, a controller may be configured to receive coded signals to determine the location of the vehicle based on the location coded signal received. For rail-based vehicles, the controller may determine a track section where the rail vehicle is located, the position of a switch along a track section, and similar information based on the location coded signals received.
It is to be understood that the present disclosure may assume various alternative variations and step sequences, except where expressly specified to the contrary. It is also to be understood that the specific devices and processes illustrated in the attached drawings, and described in the following specification, are simply exemplary and non-limiting embodiments or aspects. Hence, specific dimensions and other physical characteristics related to the embodiments or aspects disclosed herein are not to be considered as limiting.
For purposes of the description hereinafter, the terms “end,” “upper,” “lower,” “right,” “left,” “top,” “bottom,” and derivatives thereof shall relate to embodiments or aspects as they are oriented in the drawing figures. However, it is to be understood that embodiments or aspects may assume various alternative variations and step sequences, except where expressly specified to the contrary. It is also to be understood that the specific devices and processes illustrated in the attached drawings, and described in the following specification, are simply non-limiting exemplary embodiments or aspects. Hence, specific dimensions and other physical characteristics related to the embodiments or aspects disclosed herein are not to be considered as limiting unless otherwise indicated.
No aspect, component, element, structure, act, step, function, instruction, and/or the like used herein should be construed as critical or essential unless explicitly described as such. Also, as used herein, the articles “a” and “an” are intended to include one or more items and may be used interchangeably with “one or more” and “at least one.” Furthermore, as used herein, the term “set” is intended to include one or more items (e.g., related items, unrelated items, a combination of related and unrelated items, etc.) and may be used interchangeably with “one or more” or “at least one.” Where only one item is intended, the term “one” or similar language is used. Also, as used herein, the terms “has,” “have,” “having,” or the like, are intended to be open-ended terms. Further, the phrase “based on” is intended to mean “based at least partially on” unless explicitly stated otherwise.
As used herein, the terms “communication” and “communicate” may refer to the reception, receipt, transmission, transfer, provision, and/or the like of information (e.g., data, signals, messages, instructions, commands, and/or the like). For one unit (e.g., a device, a system, a component of a device or system, combinations thereof, and/or the like) to be in communication with another unit means that the one unit is able to directly or indirectly receive information from and/or transmit information to the other unit. This may refer to a direct or indirect connection that is wired and/or wireless in nature. For example, a first unit may be in communication with a second unit even though the first unit passively receives information and does not actively transmit information to the second unit. As another example, a first unit may be in communication with a second unit if at least one intermediary unit (e.g., a third unit located between the first unit and the second unit) processes information received from the first unit and communicates the processed information to the second unit. In some non-limiting embodiments or aspects, a message may refer to a network packet (e.g., a data packet and/or the like) that includes data. Other arrangements are possible.
As used herein, the term “computing device” may refer to one or more electronic devices that are configured to directly or indirectly communicate with or over one or more networks. A computing device may be a mobile or portable computing device, a desktop computer, a server, and/or the like. Furthermore, the term “computer” may refer to any computing device that includes the necessary components to receive, process, and output data, and normally includes a display, a processor, a memory, an input device, and a network interface. A “computing system” may include one or more computing devices or computers. An “application” or “application program interface” (API) refers to computer code or other data sorted on a computer-readable medium that may be executed by a processor to facilitate the interaction between software components, such as a client-side front-end and/or server-side back-end for receiving data from the client. An “interface” refers to a generated display, such as one or more graphical user interfaces (GUI) with which a user may interact, either directly or indirectly (e.g., through a keyboard, mouse, touchscreen, etc.). Further, multiple computers, servers, or other computerized devices, such as a vehicle including a vehicle computing system, directly or indirectly communicating in the network environment, may constitute a “system” or a “computing system”.
It will be apparent that the systems and/or methods described herein can be implemented in different forms of hardware, software, or a combination of hardware and software. The actual specialized control hardware or software code used to implement these systems and/or methods is not limiting of the implementations. Thus, the operation and behavior of the systems and/or methods are described herein without reference to specific software code, it being understood that software and hardware can be designed to implement the systems and/or methods based on the description herein.
Some non-limiting embodiments or aspects are described herein in connection with thresholds. As used herein, satisfying a threshold may refer to a value being greater than the threshold, more than the threshold, higher than the threshold, greater than or equal to the threshold, less than the threshold, fewer than the threshold, lower than the threshold, less than or equal to the threshold, equal to the threshold, etc.
With continued reference to
In some non-limiting embodiments or aspects, the on-board computer 102 provides PTC functions (e.g., vehicle management, computer displays, cab signal monitors, brake and systems interfaces, an event recorder, etc.).
In some non-limiting embodiments or aspects, vehicle database 102c provides a populated vehicle database. For example, vehicle database 102c obtains or receives data and/or information from one or more vehicles (e.g., vehicle system 20, etc.), one or more remote servers 106, one or more back-office servers, one or more central dispatchers, and/or the like. In some non-limiting embodiments, vehicle database 102c provides vehicle data, such as, for example, track profile data, vehicle data, switch location information, track heading changes (e.g., curves, and distance measurements), vehicle consist information (e.g., the number of vehicles, the number of cars, the total length of the vehicle, etc.), and/or the like.
With continued reference to
In some non-limiting embodiments or aspects, the on-board computer 102 also provides or is in communication with the appropriate braking system and other software or programs to effectively implement the systems and methods according to the present invention. In some non-limiting embodiments, the on-board computer 102 receives real-time input from various vehicle control settings or components, including a positioning (e.g., navigation system, mapping system, etc.) system (e.g., a GPS receiver, at least one wheel tachometer/speed sensor, and/or the like).
In some non-limiting embodiments or aspects, the on-board computer 102 provides a communication device 102a (e.g., a data radio, a transceiver, a receiver, a communication interface, a communication component, and/or the like). In some non-limiting embodiments, communication device 102a of on-board computer 102 provides secure communications by or between vehicle system 10 and/or on-board computer 104 of vehicle system 20 (e.g., communication device 104a, etc.) and/or one or more other on-board computers associated with one or more vehicles in the railway system. In some non-limiting embodiments, on-board computer 102, on-board computer 104, and remote server 106 communicate wirelessly and/or in a “hard wired” form (e.g., over the rails of the track).
In some non-limiting embodiments or aspects, on-board computer 102 provides a visual display device 102b, such as the operator's display in the cab of the propulsion vehicle 12, or visual display device 104b of vehicle system 20. For example, visual display device 102b provides information and data via an electronic display interface to the operator of the vehicle system 10 regarding information associated with the on-board computer 102.
With continued reference to
In some non-limiting embodiments, vehicle-to-device key exchange system 100 provides one or more key exchange messages of a key exchange protocol for establishing a secure communication (e.g., one or more secure communications, a secure communication channel, etc.) between a plurality of pairs of actors (e.g., parties, vehicles, vehicles, or any combination, etc.) in a railway. For example, the key exchange system 100 may include the following exchanges of information for generating a shared secret key between a first party and a second party, with authentication of a third party:
In some non-limiting embodiments or aspects, key exchange system 100 includes a first party generating a first secret random number and a first public key based on the first secret random number. For example, the first party generates the first public key based on a secret random number (e.g., a random number generated by on-board computer 102 etc.) and a modulus and base of a Diffie-Hellman protocol (e.g., shared secret key information, etc.).
In some non-limiting embodiments or aspects, key exchange system 100 includes a second party generating a second secret random number and a second public key based on the second secret random number. For example, the second party generates the second public key based on a second secret random number (e.g., a random number generated by on-board computer 104, etc.) and a modulus and base of a Diffie-Hellman protocol (e.g., shared secret key information, etc.), the modulus and base are identical to the modulus and base for generating the first public key by the first party.
In some non-limiting embodiments or aspects, key exchange system 100 includes the first party sending the first public key to the third party within a request message which is authenticated based on a private key associated with the first party. For example, the first party electronically signs the request message including the first public key with the private key associated with the first party, to securely communicate the secure information to the third party which possesses, obtains, or generates the private key associated with the first party. In some non-limiting embodiments, the third party authenticates the digital signature using the private key associated with the first party, after obtaining the private key associated with the first party.
In some non-limiting embodiments or aspects, key exchange system 100 includes the third party sending the first public key of the first party to the second party within a message which is authenticated based on a private key associated with the second party. For example, the third party electronically signs the request message including the first public key with the private key associated with the second party, to securely communicate the secure information to the second party which possesses, obtains, or generates the private key associated with the second party.
In some non-limiting embodiments or aspects, key exchange system 100 includes the second party sending the second public key to the third party within a message which is authenticated based on a private key associated with the second party. For example, the second party electronically signs the response message including the second public key with the private key associated with the second party, to securely communicate the secure information to the third party which possesses, obtains, or generates the private key associated with the second party. In some non-limiting embodiments, the third party authenticates the electronic signature using the private key associated with the second party, after obtaining the private key associated with the second party.
In some non-limiting embodiments or aspects, key exchange system 100 includes the third party sending the second public key to the first party. For example, third party sends a message providing the second public key, the message including the private key associated with the first party. For example, the third party electronically signs the response message including the second public key with the private key associated with the first party, to securely communicate the secure information to the first party which possesses, obtains, or generates the private key associated with the first party.
In some non-limiting embodiments or aspects, key exchange system 100 includes the first party generating a shared secret key based on the second public key and first secret random number. For example, in some non-limiting embodiments, the first party generates a shared secret key based on a first secret random number (e.g., the generated first secret random number, etc.) and a second public key. In some non-limiting embodiments, on-board computer 104 generates the second public key based on the second secret random number. In some non-limiting embodiments, the first party stores the first secret random number until obtaining the second public key to generate the shared secret key (e.g., a shared secret key of the first vehicle, etc.).
In some non-limiting embodiments or aspects, key exchange system 100 includes the second party generating a shared secret key based on a first public key and the second secret random number. For example, in some non-limiting embodiments, the second party generates a shared secret key based on a second secret random number (e.g., a generated second secret random number, etc.) after receiving the first public key. In some non-limiting embodiments, the first party generates a first public key based on the first secret random number. In some non-limiting embodiments, the second party stores the shared secret key (e.g., a shared secret key of the second vehicle, etc.).
In some non-limiting embodiments or aspects, key exchange system 100 includes authenticating a message using a shared secret key for one or more messages communicated between the first party and second party. For example, key exchange system 100 includes the first party securing a request to the second party by generating a cyclic redundancy check (CRC) over the contents of the request, and at least one of a content, timestamp, or the shared secret key (e.g. to detect changes to one or more messages, to prevent a MITM attack, etc.). Alternatively, the second party secures a request to the first party by generating a CRC over the contents of the request, and at least one of a content, timestamp, or the shared secret key.
In some non-limiting embodiments or aspects, the third party may include the remote server 106 (e.g., one or more processors of remote server 106, one or more processors of key exchange server 106a) which stores, obtains and communicates one or more key exchange message protocol communications. In some non-limiting embodiments, remote server 106 stores and or provides a vehicle electronic messaging protocol (EMP) address to another vehicle (e.g., a second vehicle's EMP address to the first vehicle, a first vehicle's EMP address to the second vehicle, etc.). In one example the second vehicle is a second vehicle of a vehicle system such as a rail vehicle where numerous vehicles are coupled together. Alternatively, the first and second vehicles may not be coupled to one another and each can be part of a vehicle system such as a first truck and a second truck in a fleet of trucks. Still, such vehicles can be in communication with one another and can be autonomous vehicles.
In some non-limiting embodiments or aspects, the communication network 108 includes one or more wired and/or wireless networks. For example, communication network 108 includes a cellular network (e.g., a long-term evolution (LTE) network, a third generation (3G) network, a fourth generation (4G) network, a fifth generation network (5G), a code division multiple access (CDMA) network, etc.), a public land mobile network (PLMN), a local area network (LAN), a wide area network (WAN), a metropolitan area network (MAN), a telephone network (e.g., the public switched telephone network (PSTN)), a private network, an ad hoc network, an intranet, the Internet, a fiber optic-based network, a cloud computing network, and/or the like, and/or a combination of these or other types of networks, such as electronic communication protocols and/or algorithms may be used including, for example, TCP/IP (including HTTP and other protocols), WLAN (including 802.11 and other radio frequency-based protocols and methods), analog transmissions, Global System for Mobile Communications (GSM), private wireless, public wireless, 160/220/900 MHz VHF, Wi-Fi, UHF 452-458 MHz, WiMAX, omni-directional, and/or the like.
In some non-limiting embodiments or aspects, the on-board computer 102 receives updates from some remote server or computer system (e.g., a central controller, a back-office server, a remote server, central dispatch, dispatching system, communications server, back-office PTC components, various wayside devices, such as signal or switch monitors, other on-board computers 12 in the railway system, etc.). For example, the on-board computer 102 receives updates from the remote server 106 associated with vehicle system 20 on the same track. For example, on-board computer 102 receives a message that indicates the location of vehicle system 20, and on-board computer 102 subsequently determines that vehicle system 10 and vehicle system 20 are too close together.
In some non-limiting embodiments or aspects, the on-board PTC computer calculates both the actual distance between the two vehicles as well as the safe distance between the two vehicles moving in the same direction. The on-board PTC commands the second vehicle to apply brakes to slow down or stop in order to avoid a potential collision with the first vehicle.
In some non-limiting embodiments or aspects, the on-board computer 102 of vehicle system 10 sends one or more communications to an on-board computer 104 of vehicle system 20 for position information when a vehicle is running too close, running too fast, or is present in an upcoming block of the railway. In some non-limiting embodiments, on-board computer 102 sends one or more communications to on-board computer 104 including its identification number and location information (e.g., latitude, longitude, speed, heading, location uncertainty, etc.) for maintaining an electronic radio blocking and/or conditional movement authorities.
In some non-limiting embodiments or aspects, the on-board computer 102 sends an identification and/or the like to at least one of the on-board computer 104 or the remote server 106.
In some non-limiting embodiments or aspects, the on-board computer 104 on vehicle system 20 receives the communication from the on-board computer 102 of the vehicle system 10. In some non-limiting embodiments or aspects, the remote server 106 receives the communication from the on-board computer 102 of the vehicle system 10.
In some non-limiting embodiments or aspects, the on-board computer 104 sends an identification associated with vehicle system 20, an identification associated with vehicle system 10, and/or the like to at least one of the on-board computer 102 or the remote server 106.
Referring now to
In some non-limiting embodiments, one or more of the steps of message protocol 200 are performed (e.g., completely, partially, etc.) by on-board computer 102, on-board computer 104, and/or remote server 106. In some non-limiting embodiments, one or more of the steps of message protocol 200 are performed (e.g., completely, partially, etc.) by another device or a group of devices separate from or including on-board computer 102 (e.g., one or more processors of on-board computer 102, one or more processors of communication device 102a, one or more processors of visual display device 102b, one or more processors of vehicle database 102c, etc.), on-board computer 104 (e.g., one or more processors of on-board computer 104, one or more processors of communication device 104a, one or more processors of visual display device 104b, one or more processors of vehicle database 104c, etc.), or the remote server 106 (e.g., one or more processors of remote server 106, one or more processors of key exchange server 106a, etc.).
As shown in
As shown in
In some non-limiting embodiments or aspects, on-board computer 102 determines a public key for authenticating a communication channel with propulsion vehicle 22 of vehicle system 20. For example, on-board computer 102 generates a public key based on a secret random number (e.g., a random number generated by on-board computer 102, etc.) and shared secret key information (e.g., a modulus and base of a Diffie-Hellman protocol, etc.).
In some non-limiting embodiments or aspects, on-board computer 102 sends the access request to remote server 106 for initiating a vehicle-to-device key exchange (or vehicle to remote device exchange), the access request including the public key, the shared secret key information, and signed with a first vehicle on-board private key associated with first vehicle system 10 (e.g., a private key associated with propulsion vehicle 12 and known only by the remote server 106 and on-board computer 102, etc.).
In some non-limiting embodiments or aspects, the public key of the access request for parameters is associated with vehicle system 10 (e.g., a dependent vehicle, etc.). In some non-limiting embodiments, the public key associated with vehicle system 10 can decrypt one or more messages encrypted by an associated shared secret key, such as, for example, a digital signature of propulsion vehicle 12.
In some non-limiting embodiments or aspects, remote server 106 authenticates the access request for parameters based on the first vehicle private key to verify the sender of the access request for parameters of propulsion vehicle 12.
In some non-limiting embodiments or aspects, on-board computer 102 digitally signs the access request for parameters with the first vehicle private key (e.g., on-board private key, etc.) associated with vehicle system 10, and the key exchange server 106a at the remote server 106 verifies the digital signature.
In some non-limiting embodiments or aspects, remote server 106 determines a vehicle access request confirmation based on authenticating the request for access parameters. In some non-limiting embodiments, remote server 106 digitally signs a vehicle access request confirmation based on the on-board private key for propulsion vehicle 12.
As shown in
In some non-limiting embodiments or aspects, the remote server 106 determines an address of propulsion vehicle 22 from one or more addresses of one or more vehicles in a track network based on the vehicle identifier of the second vehicle (e.g., identifies a vehicle, determines an address, etc.). For example, the remote server 106 determines an address of vehicle system 20 to send a vehicle key request. For example, in some non-limiting embodiments, the remote server 106 sends a request for a vehicle key based on determining an address of propulsion vehicle 22 associated with the vehicle identifier of propulsion vehicle 22 received from vehicle system 10.
In some non-limiting embodiments or aspects, remote server 106 digitally signs a vehicle key request based on the second vehicle private key (e.g., a private key associated with propulsion vehicle 22 and known only by the remote server 106 and on-board computer 104 of vehicle system 20, etc.).
In some non-limiting embodiments or aspects, on-board computer 104 receives the request for a vehicle key from remote server 106. In some non-limiting embodiments or aspects, on-board computer 104 authenticates the request for a vehicle key from remote server 106 by authenticating the digital signature based on the on-board private key of propulsion vehicle 22.
In some non-limiting embodiments or aspects, on-board computer 104 determines a public key after receiving the request for a vehicle key. For example, on-board computer 104 generates the public key based on a secret random number (e.g., a random number generated by on-board computer 104, etc.) and shared secret key information (e.g., a modulus and base of a Diffie-Hellman protocol, etc.).
In some non-limiting embodiments or aspects, the on-board computer 104 generates a shared secret key based on at least one of the first public key, the second public key, and/or the like. In some non-limiting embodiments, the on-board computer 104 stores one or more of the shared secret key, the first vehicle public key, the second vehicle public key, the random number generated by on-board computer 104, and/or the like.
In some non-limiting embodiments or aspects, on-board computer 104 sends a response providing a public key. For example, in some non-limiting embodiments or aspects, the vehicle system 20 sends a public key to the remote server 106 after determining the shared secret key information of vehicle system 10.
In some non-limiting embodiments or aspects, on-board computer 104 digitally signs a vehicle key response based on the second vehicle on-board private key (e.g., second vehicle private key, etc.).
In some non-limiting embodiments or aspects, key exchange server 106a of remote server 106 receives the vehicle key response from on-board computer 104 including a public key of propulsion vehicle 22. In some non-limiting embodiments or aspects, key exchange server 106a authenticates the vehicle key response from on-board computer 104 by authenticating the digital signature based on the on-board private key of propulsion vehicle 22.
As shown in
In some non-limiting embodiments or aspects, step 240 includes providing a vehicle access confirmation. For example, in some non-limiting embodiments, on-board computer 102 receives and authenticates the access parameter response with the first vehicle private key. In some non-limiting embodiments, on-board computer 102 stores the vehicle address of the second propulsion vehicle 22 and the second public key from the key exchange server 106a. In some non-limiting embodiments, on-board computer 102 of propulsion vehicle 12 sends the vehicle access confirmation to the key exchange server 106a after receiving the access parameter response. For example, on-board computer 102 of propulsion vehicle 12 sends the vehicle access confirmation after authenticating the signed access parameter response with the first vehicle private key, after generating a shared secret key based on the second public key, after storing the vehicle address of the propulsion vehicle 22, after establishing a secure communication channel between the first propulsion vehicle 12 and the second propulsion vehicle 22, and/or the like. In some non-limiting embodiments, the vehicle access confirmation provides an indication that the vehicle access was successful, including a vehicle identifier of the first propulsion vehicle 12.
In some non-limiting embodiments or aspects, the on-board computer 102 generates a shared secret key based on receiving the second vehicle public key, the shared secret key based on at least one of the shared secret key information of vehicle system 10, the first vehicle public key, the random number generated by on-board computer 102, and/or the like. In some non-limiting embodiments, the on-board computer 102 stores one or more of the shared secret keys, the first vehicle public key, the second vehicle public key, the second secret random number generated by on-board computer 102, the vehicle address of the propulsion vehicle 22, and/or the like. In some non-limiting embodiments, on-board computer 102 of propulsion vehicle 12 sends the vehicle access confirmation to key exchange server 106a after storing the second public key and the vehicle address of the propulsion vehicle 22.
In some non-limiting embodiments or aspects, the on-board computer 102 sends a secure request (e.g., a signed request, etc.) to propulsion vehicle 22 of second vehicle system 20 (e.g., to register for clear reports, etc.) including the shared secret key. For example, in some non-limiting embodiments, the on-board computer 102 of vehicle system 10 communicates (e.g., registers with a constraining vehicle, etc.) based on a conditional authority for propulsion vehicle 12 (e.g., dependent vehicle, etc.), to receive updates from a constraining vehicle system 20 for a conditional movement based on the movement of propulsion vehicle 22 of vehicle system 20.
In some non-limiting embodiments or aspects, on-board computer 102 secures a request to on-board computer 104 (e.g., to register for clear reports, etc.) by generating a cyclic redundancy check (CRC) over the contents of the request to register and the shared secret key to detect changes to one or more messages between a first propulsion vehicle 12 and a second propulsion vehicle 22 (e.g., to detect accidental, fraudulent, nefarious changes and/or behavior, etc.). In some non-limiting embodiments, on-board computer 102 secures a request to register for clear reports by generating a cyclic redundancy check (CRC) over the contents of the request to register, a timestamp, and the shared secret key.
In some non-limiting embodiments or aspects, the on-board computer 104 of propulsion vehicle 22 authenticates the secure request from propulsion vehicle 12 to register for clear reports based on the CRC. For example, on-board computer 104 authenticates the CRC over the contents of the request to register, the shared secret key, and/or a timestamp to detect changes to one or more messages between a first propulsion vehicle 12 and a second propulsion vehicle 22.
In some non-limiting embodiments or aspects, the on-board computer 104 sends a signed response to propulsion vehicle 12 of first vehicle system 10 based on a CRC over the contents of the response to register and the shared secret key to detect changes to one or more messages between a first propulsion vehicle 12 and a second propulsion vehicle 22. In some non-limiting embodiments, on-board computer 102 of propulsion vehicle 12 sends the vehicle access confirmation to key exchange server 106a after authenticating the signed response from propulsion vehicle 22.
In some non-limiting embodiments or aspects, after confirming registration, on-board computer 104 secures one or more communications with on-board computer 102 by generating a cyclic redundancy check (CRC) over the contents of the one or more requests to register, a timestamp, and the shared secret key. In some non-limiting embodiments, on-board computer 102 secures one or more communications with on-board computer 104 by generating a cyclic redundancy check (CRC) over the contents of the one or more requests to register, a timestamp, and the shared secret key. For example, on-board computer 104, on retrieval of a new request or response, repeats a CRC calculation, and in the event the CRC values do not match, a safe and/or corrective action can be taken.
Referring now to
As shown in
In some non-limiting embodiments, process 300 includes receiving a vehicle identifier associated with a propulsion vehicle 22 of the second vehicle system 20 for determining the access request. For example, in some non-limiting embodiments, on-board computer 102 receives a vehicle identifier from remote server 106 associated with a propulsion vehicle 22 of the second vehicle system 20 for determining the access request. For example, the vehicle identifier is associated with a second vehicle and/or a first vehicle, for determining a vehicle address associated with the vehicle identifier at the remote server 106. In some non-limiting embodiments, on-board computer 102 receives a conditional movement authority including the vehicle identifier when receiving the second vehicle identifier associated with a second vehicle of the second vehicle in a railway.
In some non-limiting embodiments or aspects, process 300 includes generating the access request for securing messages with the vehicle identifier associated with a propulsion vehicle 22 of the second vehicle system 20. For example, in some non-limiting embodiments, on-board computer 102 generates a request for access parameters including at least a vehicle identifier associated with a second vehicle system 20 associated with the conditional movement authority including the first vehicle system 10.
In some non-limiting embodiments or aspects, process 300 includes generating and/or sending the access request by generating a request for a vehicle address associated with the vehicle identifier associated with a propulsion vehicle 22 of the second vehicle system 20.
In some non-limiting embodiments, process 300 includes sending a first vehicle address associated with a propulsion vehicle 12 of the first vehicle system 10 for determining the access response. For example, in some non-limiting embodiments, remote server 106 (e.g., central office server, etc.) sends a second vehicle address associated with a propulsion vehicle 22 of the second vehicle system 20 (e.g., a constraining vehicle, etc.) to a first vehicle system 10 for determining the access request. In one example the second vehicle system is physically separated from the first vehicle system 10, such as two vehicles in a fleet of vehicles. In one example, a first and second vehicle in a fleet each operate autonomously.
As shown in
In some non-limiting embodiments, on-board computer 104 receives a first vehicle address associated with a propulsion vehicle 12 of the first vehicle system 10 for determining the access response. In some non-limiting embodiments, on-board computer 104 generates the access response for securing messages with the vehicle identifier associated with a propulsion vehicle 12 of the first vehicle system 10.
In some non-limiting embodiments, process 300 includes sending a first vehicle address associated with a vehicle of the first vehicle for determining the access response. For example, in some non-limiting embodiments, remote server 106 (e.g., central office server, etc.) sends a first vehicle address associated with a propulsion vehicle 12 of the first vehicle system 10 (e.g., dependent vehicle, etc.) to a second vehicle system 20 for determining the access response.
As shown in
In some non-limiting embodiments, process 300 includes sending a first on-board key associated with a propulsion vehicle 12 of the first vehicle system 10 for determining the access response. For example, in some non-limiting embodiments, remote server 106 (e.g., central office server, etc.) receives a first vehicle address associated with a propulsion vehicle 12 of the first vehicle system 10 (e.g., dependent vehicle, etc.) from a first vehicle system 10 for determining the access response.
In some non-limiting embodiments, remote server 106 generates a vehicle key request including a first vehicle's address, a first vehicle public key, a DH modulus, and a DH base. In some non-limiting embodiments, remote server 106 sends the message to a second propulsion vehicle 22 after signing the message with the second vehicle private key of the second vehicle.
As shown in
In some non-limiting embodiments or aspects, the key exchange server 106a (e.g., central office server, etc.) digitally signs the second public key of the second vehicle system 20 before sending the digitally signed second public key to the first vehicle system 10. For example, the key exchange server 106a signs the second public key with a private key of the first propulsion vehicle 12 before sending the digitally signed second public key to the first vehicle system 10.
In some non-limiting embodiments, remote server 106 generates a vehicle key response including a second vehicle's address and public key. In some non-limiting embodiments, remote server 106 sends the message to a first vehicle after signing with a vehicle key of a propulsion vehicle 12.
In some non-limiting embodiments, the vehicle-to-central office message and the central office-to-vehicle message are authenticated based on a predetermined private key associated with a respective vehicle.
As shown in
In some non-limiting embodiments or aspects, the on-board computer 102 receives the second public key and authenticates the second public key based on a vehicle private key associated with the first vehicle before generating the shared secret key (e.g., a shared secret key of the first vehicle and the second vehicle, etc.). For example, the on-board computer 102 receives the second public key after the key exchange server 106a digitally signs the second public key with a private key of the first propulsion vehicle 12. For example, the on-board computer 102 prevents a MITM by authenticating the second public key before generating a shared secret key.
As shown in
In some non-limiting embodiments or aspects, the on-board computer 104 receives the first public key and authenticates the first public key based on a private key associated with the second vehicle before generating the shared secret key (e.g., a shared secret key of the first vehicle and the second vehicle, etc.). In some non-limiting embodiments, the on-board computer 102 receives the second public key after the key exchange server 106a digitally signs the second public key with a private key of the first propulsion vehicle 12.
For example, the on-board computer 104 prevents a MITM by authenticating the first public key before generating a shared secret key. In some non-limiting embodiments, the first vehicle system 10 (e.g., on-board computer 102, etc.) generates a first public key based on the first secret random number. In some non-limiting embodiments, the second on-board computer 104 stores the shared secret key (e.g., a shared secret key of the second vehicle, etc.).
As shown in
In some non-limiting embodiments, process 300 includes determining a shared secret key based on a public key and a secret random number. For example, on-board computer 102 and/or on-board computer 104 determine a shared secret key based on a public key and a secret random number.
In some non-limiting embodiments, process 300 includes securing at least one peer-to-peer communication channel between the first on-board computer communication device 102a of the first vehicle system 10 and the second on-board computer communication device 104a of the second vehicle system 20 based on the shared secret key. For example, on-board computer 102 secures at least one peer-to-peer communication channel between the first communication device of the first vehicle system 10 and the second communication device of the second vehicle system 20 based on the shared secret key. For example, in some non-limiting embodiments, on-board computer 102, on-board computer 104, and/or remote server 106 prevents a man-in-the-middle attack by securing (e.g., authenticating, etc.) at least one of vehicle-to-central office communication, central office-to-vehicle communication, or vehicle-to-device communication.
In some non-limiting embodiments, process 300 includes communicating vehicle data and/or movement information between the first vehicle system 10 and the second vehicle system 20 via the at least one secure peer-to-peer communication channel. For example, on-board computer 102 communicates vehicle data between the first vehicle system 10 and the second vehicle system 20 via the at least one secure peer-to-peer communication channel. For example, in some non-limiting embodiments, a vehicle-to-device message (e.g., peer-to-peer, vehicle-to-device, etc.) is authenticated based on the shared secret key.
Referring now to
As shown by reference number 440 in
In some non-limiting embodiments or aspects, the public key associated with vehicle system 10 can decrypt one or more messages encrypted by a shared secret key generated in the implementation, such as, for example, a digital signature of propulsion vehicle 12. In some non-limiting embodiments, remote computer 406 authenticates the access request for parameters based on the private key of propulsion vehicle 12 to verify a sender of the access request for parameters is propulsion vehicle 12. In some non-limiting embodiments or aspects, propulsion vehicle 12 digitally signs the access request for parameters with a first vehicle on-board private key (e.g., vehicle private key, etc.) assigned to a propulsion vehicle 12 associated with vehicle system 10, and the key exchange server 106a at the remote server 106 verifies the digital signature.
As shown by reference number 450 in
In some non-limiting embodiments or aspects, propulsion vehicle 22 of vehicle system 20 authenticates the request for a vehicle key from remote server 106 by authenticating the digital signature based on the on-board private key for propulsion vehicle 22. In some non-limiting embodiments, propulsion vehicle 22 of vehicle system 20 generates a second vehicle public key based on a secret random number and shared secret key information associated with the public key and stores the shared secret key in an on-board database for communicating with vehicle system 10. In some non-limiting embodiments, propulsion vehicle 22 of vehicle system 20 sends the second vehicle public key to the remote server 106 after digitally signing with the on-board private key for propulsion vehicle 22.
In some non-limiting embodiments or aspects, key exchange server 106a authenticates the request for a vehicle key by authenticating the digital signature based on the second vehicle on-board private key.
As shown by reference number 460 in
With reference to
In some embodiments or examples, the vehicle system 502 can include a first communication unit 508 disposed in one location and a second communication unit disposed in another location. The first communication unit can be disposed onboard the lead vehicle, and the second communication unit can be disposed onboard the last vehicle. In one embodiment, the first communication unit is an HOT unit, and the second communication unit is an EOT unit 512. These communication units can be used to control the brakes and/or throttles of the vehicle system. In one example the first communication unit 508 can be located at a first consist of the vehicle system 502 while the second communication unit 512 can be located on a second consist of the vehicle system 502. Alternatively, the first communication unit can be disposed onboard a lead vehicle, and the second communication unit can be disposed within a wayside device. In yet another example the second communication unit can be at a control center, back office, or be part of a remote device, including a remote device computer. In yet another example the vehicle system can include a fleet, vehicles on a roadway, or the like that are not positioned linear to one another and instead can be in side-by-side or parallel relation to one another. In one example, a first and second vehicle in a fleet each operate autonomously. In such an example the first on-board communication unit 508 can be within a first vehicle of the vehicle system and the second on-board communication unit 512 can be within a second vehicle of the vehicle system that is side-by-side with the first vehicle.
Each of the communication units can include one or more than one processor 518 and a memory 520 coupled to the processor(s) 518 and operative for storing one or more software control programs and/or operational data. The first communication unit can include a wireless transceiver (or radio) 526 and the second communication unit 512 can include a wireless transceiver (or radio) 528. The second communication unit may include a location determining device 524 (e.g., a global navigation satellite system (GNSS) receiver, such as a global positioning system (GPS) receiver) and the first communication unit may also include an optional location determining device 522 (e.g., a GNSS receiver such as a GPS receiver). In one example, GPS data, route data, or the like that is obtained may be used update maps within the storage device. In one example the storage device can include a map database where the GPS information can be utilized to confirm and update locations accordingly (
The processor(s) 518 and memory 520 of the first communication unit 508 can comprise or form a controller 530 while the processor(s) 518 and memory 520 of the second communication unit can comprise or form a controller 532.
In one embodiment, the communication units 508, 512 may have a local data collection system deployed that may use machine learning to enable derivation-based learning outcomes. The communication units 508, 512 may learn from and make decisions on a set of data (including data provided by the various sensors and communicated to the communication units 508, 512), by making data-driven predictions and adapting according to the set of data. In embodiments, machine learning may involve performing a plurality of machine learning tasks by machine learning systems, such as supervised learning, unsupervised learning, and reinforcement learning. Supervised learning may include presenting a set of example inputs and desired outputs to the machine learning systems. Unsupervised learning may include the learning algorithm structuring its input by methods such as pattern detection and/or feature learning. Reinforcement learning may include the machine learning systems performing in a dynamic environment and then providing feedback about correct and incorrect decisions. In examples, machine learning may include a plurality of other tasks based on an output of the machine learning system. In examples, the tasks may be machine learning problems such as classification, regression, clustering, density estimation, dimensionality reduction, anomaly detection, and the like. In examples, machine learning may include a plurality of mathematical and statistical techniques. In examples, the many types of machine learning algorithms may include decision tree based learning, association rule learning, deep learning, artificial neural networks, genetic learning algorithms, inductive logic programming, support vector machines (SVMs), Bayesian network, reinforcement learning, representation learning, rule-based machine learning, sparse dictionary learning, similarity and metric learning, learning classifier systems (LCS), logistic regression, random forest, K-Means, gradient boost, K-nearest neighbors (KNN), a priori algorithms, and the like. In embodiments, certain machine learning algorithms may be used (e.g., for solving both constrained and unconstrained optimization problems that may be based on natural selection). In an example, the algorithm may be used to address problems of mixed integer programming, where some components restricted to being integer-valued. Algorithms and machine learning techniques and systems may be used in computational intelligence systems, computer vision, Natural Language Processing (NLP), recommender systems, reinforcement learning, building graphical models, and the like. In an example, machine learning may be used for vehicle performance and behavior analytics, and the like.
In one embodiment, the communication units 508, 512 may include a policy engine that may apply one or more policies. These policies may be based at least in part on characteristics of a given item of equipment or environment. With respect to control policies, a neural network can receive input of a number of environmental and task-related parameters. These parameters may include an identification of a determined trip plan for a vehicle group, data from various sensors, and location and/or position data. The neural network can be trained to generate an output based on these inputs, with the output representing an action or sequence of actions that the vehicle group should take to accomplish the trip plan. During operation of one embodiment, a determination can occur by processing the inputs through the parameters of the neural network to generate a value at the output node designating that action as the desired action. This action may translate into a signal that causes the vehicle to operate. This may be accomplished via back-propagation, feed forward processes, closed loop feedback, or open loop feedback. Alternatively, rather than using backpropagation, the machine learning system of the controller may use evolution strategies techniques to tune various parameters of the artificial neural network. The communication units 508, 512 may use neural network architectures with functions that may not always be solvable using backpropagation, for example functions that are non-convex. In one embodiment, the neural network has a set of parameters representing weights of its node connections. A number of copies of this network are generated and then different adjustments to the parameters are made, and simulations are done. Once the output from the various models is obtained, they may be evaluated on their performance using a determined success metric. The best model is selected, and a vehicle controller executes that plan to achieve the desired input data to mirror the predicted best outcome scenario. Additionally, the success metric may be a combination of the optimized outcomes, which may be weighed relative to each other.
The communication units 508, 512 can use this artificial intelligence or machine learning to receive input (e.g., a location or change in location), use a model that associates locations with different operating modes to select an operating mode of the one or more functional devices of the first communication unit 508 (e.g., HOV unit) and/or second communication unit 512 (e.g., EOV unit), and then provide an output (e.g., the operating mode selected using the model). The communication units 508, 512 may receive additional input of the change in operating mode that was selected, such as analysis of noise or interference in communication signals (or a lack thereof), operator input, or the like, that indicates whether the machine-selected operating mode provided a desirable outcome or not. Based on this additional input, the communication units 508, 512 can change the model, such as by changing which operating mode would be selected when a similar or identical location or change in location is received the next time or iteration. The communication units 508, 512 can then use the changed or updated model again to select an operating mode, receive feedback on the selected operating mode, change or update the model again, etc., in additional iterations to repeatedly improve or change the model using artificial intelligence or machine learning.
In one embodiment, the communication units 508, 512 can utilize machine learning and/or artificial intelligence to make determinations related to communications between the first communication unit 508 and a second communication unit 512 that can be at numerous other locations. Such locations include on another vehicle of the vehicle system, on another consist of the vehicle system, at a back office; controller, at a dispatch controller, at another vehicle in the vehicle system such as of a fleet that is operating in parallel (including parallel communication paths) with the vehicle having the first communication unit, or the like. In one example, a first and second vehicle in a fleet each operate autonomously.
Wireless transceivers 526 and 528 can each be programmed or configured to provide a plurality of wireless communication channels therebetween. Each of the wireless communication channels can operate at a different radio carrier frequency than each other wireless communication channel. The plurality of wireless communication channels can include a first wireless communication channel 534 between wireless transceivers 526 and 528 and a second wireless communication channel 536 between wireless transceivers 526 and 528. The first and second wireless communication channels 534 and 536 can be operated in parallel, where common information or data can be transmitted in parallel over first and second wireless communication channels 534 and 536. The common information also can be referred to as the same information. The common or same information or data can mean that the exact same data is communicated via each of the channels in one example. In another example, the same information or data can mean that only part, but not all, of the information or data sent via one channel is the same (and identical to) at least some of the information sent via the other channel. For example, the same information may be sent on both channels but with one channel including different CRC or checksum data than the other channel.
Each wireless transceiver 526 and 528 can be programmed or configured to be in a sleep state while not conveying information or data via the first and second wireless communication channels 534 and 536. When it is desired to transmit information or data in parallel via the first and second wireless communication channels 534 and 536, the processor(s) 518 can initiate the transmission can cause the corresponding wireless transceiver (526 or 528) to awake from the sleep state and begin transmitting the information or data via both wireless communication channels 534 and 536 in parallel to the other wireless transceiver (528 or 526). The other wireless transceiver (528 or 526) in the sleep state can be programmed or configured to be responsive to information or data transmitted on first and/or second wireless communication channels 534 and/or 536 to awake from the sleep state to receive the information or data transmitted in parallel on the first and second wireless communication channels 534 and 536, to demodulate the information or data transmitted thereon, and to provide the same to the processor(s) associated with the other wireless transceiver (528 or 526). For example, starting from the state where first and second radio transceivers 526 and 528 are each in a sleep state, in response to the processor(s) 518 of the first communication unit 508 communicating information or data to wireless transceiver 526, the wireless transceiver 526 awakes from the sleep state and begins transmitting the information or data over first and second wireless communication channels 534 and 536 in parallel. In response to sensing information or data being transmitted at the first and second carrier frequencies 542 and 544 (
With reference to
Each wireless transceiver 526 and 528 also can include low noise amplifiers 552 and 554 for receiving and amplifying signals received via the one or more antennas 550 and for providing the amplified signals to a dual receiver 556. The dual receiver 556 can demodulate the signals received from low noise amplifiers 552 and 554 and provide the demodulated signals to analog-to-digital converters (ADC) 558 and 560. The digitized outputs of the ADCs 558 and 560 can be provided to multiplexer 562 which, in turn, can provide the digitized outputs to the corresponding processor(s) 518 for processing in accordance with programming of the processor(s) 518.
The data communicated in parallel via first and second wireless communication channels 534 and 536 between the first and second communication units can include data integrity information appended thereto. The integrity of the data being transmitted can be confirmed using this data integrity information. Similarly, the information or data received by the first and second communication units can include, in addition to the transmitted information or data, the data integrity information. Information from which the data integrity can be determined can include at least one of the following: a checksum; a BCH code; or a CRC.
In some embodiments or examples, in response to receiving the plural instances of information or data (including the data integrity information) from the ADCs 558, 560 and multiplexer 562, the corresponding processor(s) 518 (upon determining that each instance of the information or data is valid or accurate from the data integrity information), the processor(s) 518 can further process either instance of the information or data in accordance with programing of the processor(s) 518. On the other hand, for example, if one instance of the information or data fails the data integrity check and is invalid, and another instance of the information or data passes the data integrity check and is valid, the processor(s) 518 can use the latter or other instance of the information or data (that is valid) in accordance with the programming of the processor(s) 518.
The foregoing description of the elements comprising each wireless transceiver 526 and 528 is for the purpose of illustration and is not to be construed as limiting in every embodiment since it is envisioned that one or both of wireless transceivers 526 and/or 528 may be comprised of any other suitable and/or desirable elements that enable the transmission and receipt of information or data over first and second wireless communication channels 534 and 536.
Having described an example wireless transceiver for producing first and second wireless communication channels 534 and 536 in parallel, various methods of communication from or between the communication units 508, 512, or vice versa, will now be described.
With reference to
In some embodiments or examples, the method advances from a step 570-1 to step 570-2 where at least two wireless communication channels (e.g., 534 and 536) operating at different radio carrier frequencies are provided between the communication units. In an example, step 570-2 can include, among other things, providing the necessary hardware (e.g., wireless transceivers 526 and 528) to enable the at least two wireless communication channels (e.g., 534 and 536) to be established between the communication units 508, 512. In some embodiments or examples, it is not necessary for the one or more of the at least two wireless communication channels to be active in step 570-2.
At step 570-3, the at least two wireless communication channels are caused (e.g., via the controllers of the communication units 508, 512) to become active in communication in parallel. In step 570-4, one of the communication unit 508 or the communication unit 512 communicates (e.g., transmits) some or all of the same information in parallel on the at least two wireless communication channels. In step 570-5, the other of the communication unit 508 or the communication unit 512 receives the information transmitted in parallel on the at least two wireless communication channels in step 570-4.
In step 570-6, the at least two wireless communication channels can then be caused to be inactive (e.g., placed into a sleep mode) and out of communication. In some non-limiting embodiments or examples, the at least two wireless communication channels can be inactive in response to the wireless transceivers 526 and 528 entering a sleep mode. For example, the wireless transceiver 526 and/or 528 may turn off after a predetermined interval of time during which no information or data is being passed between the wireless transceivers 526, 528. This timing of entering sleep mode can be controlled by hardware of each wireless transceiver 526 and 528 and/or the processor(s) 518 coupled to each wireless transceiver.
Thereafter, steps 570-3 through 570-6 may be repeated (e.g., intermittently) as needed when communication from the communication unit 508 to the communication unit 512, or from the communication unit 512 to the communication unit 508, is desired. The information or data transmitted in parallel on the at least two wireless communication channels can comprise digital data that is modulated on each radio carrier frequency.
In an example, each communication channel can be operated at a radio carrier frequency of approximately 160 MHz, 220 MHz, 450 MHz, or between 450 MHz and 500 MHz. In an example, the first wireless communication channel 534 may operate at 160 MHz while second wireless communication channel 536 may operate at 220 MHz. Alternatively, both or at least one of the communication channels 534, 536 can operate at 450 MHz. In another example, each wireless communication channel 534 and 536 operates at a different carrier frequency.
In some embodiments or examples, at least one wireless communication channel 534 or 536 may comprise a cellular telephone infrastructure whereupon information or data communicated on the wireless communication channel is routed through said cellular telephone infrastructure. In this example, instead of there being a direct communication between wireless transceivers 526 and 528, at least one wireless communication channel 534 or 536 can include information or data being transmitted via the cellular telephone infrastructure (network). In an example, cellular telephone frequencies can vary between 700 MHz and 2.7 GHz, depending on the country or region where the vehicle system may be operating.
The choice of frequencies and, optionally, infrastructure used with each wireless communication channel 534 and 536 can be selected in any suitable and/or desirable manner to accomplish the aim of communicating information or data in parallel on first and second wireless communication channels 534 and 536. Accordingly, the particular description of frequencies and/or infrastructure (e.g., a cellular telephone infrastructure) that may be used is not to be construed in a limiting sense in all embodiments.
With reference to
At step 572-3, the first and second wireless communication channels 534 and 536 are caused to be in communication in parallel, whereupon the communication unit 508 and the communication unit 512 are in communication in parallel via both the first and second wireless communication channels 534 and 536.
At step 572-4, one of the communication unit 508 or the communication unit 512 causes information or data to be transmitted in parallel on the first and second wireless communication channels 534 and 536.
At step 572-5, the other of the communication unit 508 or the communication unit 512 receives the information or data transmitted in parallel on the first and second wireless communication channels 534 and 536. At step 572-6, the first and second wireless communication channels are caused to be inactive (e.g., enter into a sleep mode or state), where the communication unit 508 and the communication unit 512 are out of communication with each other. For example, the communication units 508, 512 may not be able to communicate with each other when at least one of the communication units 508, 512 is inactive.
Steps 572-3 through 572-6 can be repeated (e.g., intermittently) as deemed suitable and/or desirable to transmit information or data from the communication unit 508 to the communication unit 512, or vice versa.
One or more instances of step 572-3 optionally can include one of the wireless transceivers 526 or 528 awakening from the low power, stand-by, or sleep mode into the active, fully operational mode and initiating communication with the other wireless transceiver 528 or 526 via a carrier frequency associated with at least one of the first and/or second wireless communication channels 534 and 536. In response, the other wireless transceiver can awake from the low power, stand-by, or sleep mode to the active, fully operational mode, whereupon the wireless transceivers 526 and 528 can form the first and second wireless communication channels 534 and 536.
When it is desired to communicate data between the communication unit 512 and the communication unit 8, the processor(s) 518 of the communication unit 512 optionally causes the wireless transceiver 528 to awaken from the low power, stand-by, or sleep mode (where communication with the communication unit 512 does not occur or is not possible) into a fully operational mode to initiate communication with the wireless transceiver 526 (which can be in the low power, stand-by, or sleep mode or alternatively may be active). In an example, while the wireless transceiver 526 is in the low power, stand-by or sleep mode, the wireless transceiver 526 can be programmed or configured to respond to communications from the wireless transceiver 528 and awaken from the low power, stand-by, or sleep mode (where communication does not or cannot occur) into the active, fully operational mode (where communication can occur). Once the wireless transceivers 526 and 528 have awakened from the low power, stand-by, or sleep modes into the active, fully operational modes, the first and second wireless communication channels 534 and 536 can be formed in parallel between the wireless transceivers 526 and 528.
As discussed above, each transmission of information or data in parallel on first and second wireless communication channels 534 and 536 optionally can include data integrity information. In an example, this data integrity information can include a checksum of the information or data that is transmitted. In response to receiving each instance of information transmitted in parallel on the first and second wireless communication channels 534 and 536, a first checksum of the information or data transmitted on wireless communication channel 534 and a second checksum of information or data transmitted on wireless communication channel 536 can be calculated by the processor(s) 518 associated with the receiving wireless transceiver. The calculated checksum(s) can be compared to a reference checksum comprising the data integrity information included with the transmitted information or data (to determine whether communication of the information was successful).
The first checksum can be compared to the reference checksum to determine whether the information or data transmitted on first wireless communication channel 534 is valid. Similarly, the second checksum can be compared to the reference checksum to determine whether the information or data transmitted on second wireless communication channel 536 is valid. In an example, provided the information or data transmitted via least one wireless communication channel 534 and 536 is valid, the information or data can be utilized by the corresponding processor(s) 518 in accordance with programming of the processor(s) 518. Moreover, the processor(s) 518 associated with the wireless transceiver receiving the information or data can utilize the calculated first and second checksums as a confirmation of the integrity of the information or data. In an example, if the calculated first and second checksums are the same and each calculated checksum is the same as the reference checksum included with the transmitted information or data, the processor(s) 518 associated with the wireless transceiver receiving the information or data is assured of the integrity of the data, whereupon the processor(s) can store or respond to the information or data in accordance with programming of the processor(s).
If the processor(s) 518 associated with the wireless transceiver receiving the information or data transmitted in parallel on the first and second wireless communication channels 534 and 536 determines that, for example, the first checksum is not equal to the reference checksum and the second checksum is equal to the reference checksum, the processor(s) 518 optionally can store or respond to the information transmitted only on the second wireless communication channel, and optionally ignore the information or data transmitted on the first wireless communication channel.
Each response to information or data transmitted on a wireless channel can include the processor(s) 518 associated with the wireless transceiver (e.g., 526 or 528) receiving the transmitted information or data transmitting second information or data in parallel on the first and second wireless communication channels 534 and 536. The second information transmitted in parallel on the first and second wireless communication channels 534 and 536 can be received by the other wireless transceiver (e.g., 528 or 526).
In an example, the second communication unit 512 can transmit information or data on first and second wireless communication channels 534 and 536 to the first communication unit 508. In response, the processor(s) 518 of the first communication unit 508 may transmit second information or data in parallel on the first and second wireless communication channels 534 and 536 to the second communication unit 512. In this example, the second information or data may include an acknowledgement by the first communication unit 508 that the information or data transmitted by the second communication unit 512 was received. In some embodiments or examples, the information or data transmitted in parallel on first and second wireless communication channels 534 and 536 can be digital data that is modulated on the respective first and second carrier frequencies or frequency bands of the first and second communication channels 534 and 536.
Each frequency band can include at least one of the following frequencies: a frequency of 450 MHz, a frequency between 450 MHz and 500 MHz; a frequency of 220 MHz; a frequency of 160 MHz; or a cellular telephone frequency between 700 MHz and 2.7 GHz, in various embodiments or examples. In an example, each frequency may be a center frequency of a corresponding frequency band.
With reference to
The method can then advance toward step 574-3, where the first and second wireless communication channels 534 and 536 are caused to be in communication with each other in parallel. This causes the first and second controllers 530 and 532 to be in communication via both the first and second wireless communication channels 534 and 536. In step 574-4, the first controller can cause information or data to be transmitted in parallel on the first and second wireless communication channels 534 and 536 to the second controller.
The method optionally can then advance to step 574-5, where the second controller can receive the information transmitted in parallel on the first and second wireless communication channels 534 and 536 in step 574-4. Finally, the method can then advance toward step 574-6, where the first and second wireless communication channels can be caused to be inactive (e.g., set to a sleep mode), where the first and second controllers are not in communication. Thereafter, the method can repeat steps 574-3 through 574-6 as needed (e.g., intermittently).
Step 574-3 optionally can include one of the wireless transceivers 526 or 528 awakening from a low power, stand-by, or sleep mode into the active, fully operational mode, and initiating communication with the other wireless transceiver via at least one of the first and second wireless communication channels 534 and 536. In response to this communication, the other wireless transceiver can awaken from the low power, stand-by, or sleep mode into the active, fully operational mode, whereupon the wireless transceivers 526 and 528 can form first and second wireless communication channels 534 and 536 in parallel.
The first controller can be controller 530 or 532 while the second controller can be the other controller of 530 or 532.
As can be seen, disclosed herein are methods of communicating between first and second controllers which can comprise the first communication unit 508 and the second communication unit 512. The various methods described herein utilize first and second communication channels formed in parallel between the first and second controllers in parallel for communicating the same data between said first and second controllers. By providing first and second communication channels between the first and second controllers, a drawback associated with utilizing only a single channel for communication, namely, the communication channel becoming disrupted whereupon there is no communication between the first and second controllers for, possibility, an extended period of time due to, for example, challenging environmental conditions.
In one embodiment, the schematic illustrated in
In one embodiment, one or more of the vehicle systems may include two or more vehicles that may travel together (e.g. by being mechanically coupled or by being mechanically separate but logically coupled and communicating with each other to travel together, such as in a convoy or a locomotive consist where multiple locomotives communicate and operate together as a train). At least one vehicle of the vehicle system may be a propulsion-generating vehicle, and optionally the vehicle system may include one or more non-propulsion generating vehicles.
In the illustrated embodiment, vehicle systems may move in various directions along a first route 1132, a second route 1134, a third route 1136, a fourth route 1138, a fifth route 1140, and a sixth route 1142. The first and second routes intersect with each other at a first intersection 1130A, the first and sixth routes intersect with each other at a second intersection 1130B, the second and fourth routes intersect with each other at a third intersection 1130C, the fourth and seventh routes intersect with each other at a fourth intersection 1130D, the second and third routes intersect each other at a fifth intersection 1130E, the first and third routes intersect each other at a sixth intersection 1130F, the third and fourth routes intersect with each other at a seventh intersection 1130G, and the third and fifth routes intersect with each other at an eighth intersection 1130H. Optionally, the routes may define other or different pathways on which vehicles or other objects may move and may intersect with other routes in any alternative configuration. For example,
A control system 1100 may monitor one or more vehicle systems moving along the routes and/or one or more intersections of two or more routes. The control system may be disposed off-board the vehicle systems.
The control system may be manually operated by receiving instruction signals from an input device 1206 (e.g., a device that receives input from an operator such as, but not limited to, a touchscreen, a joystick, a keyboard, a switch, a wheel, a microphone, or the like) based on manually input from an operator at the input device. An output device 1208 can provide information to the operator, such as locations of vehicle systems moving along different routes, operating settings or operating conditions of the different vehicle systems (e.g., speed, brake settings, direction of movement, or the like). The control system may include a memory 1210 or other data storage device. Optionally, the control system may be communicably coupled with other storage databases (e.g., other memory devices of other systems, data storage cloud systems, or the like).
The control system includes a communication system 1202 that may be set up for one or both wired or wireless communication. For example, the communication system can represent transceiving circuitry, one or more antennas, modems, communication cables, or the like. The communication system may communication (e.g., receive and/or provide data signals) with a controller onboard one or more of the vehicle systems, with another off-board controller, with one or more wayside devices 1124A-F, with one or more traffic control devices (e.g., traffic lights, barriers, rail crossing gates, or the like), or the like.
In one embodiment, the communication system can interact with other systems via one or more communication types. Suitable communication types can include, but are not limited to, cellular networks (e.g., the Global System for Mobile Communications (GSM)), mesh networks using Ethernet standards, wireless communication protocols (e.g., Bluetooth), radio and shortwave communication types, or the like. In one or more embodiments, where two or more communication types are present, the communication system may translate some or all of a data stream from one type to another. Similarly, different data protocols may be used. Such translation may allow the communication system to act as a transference point for data transmission. The translation may allow for different types of equipment (e.g., first and second vehicle systems may each use communication types different from each other to communicate with each other via the communication system). The communication system may switch types, protocols, and/or communication pathways in response to delegation of signal or failure of one pathway. This may cause redundancy of communication by the communication system. In one embodiment, the communication system may decrypt, decompile, or disaggregate information, parse information, and send along all or part of a message (e.g., alone or combined with new data, or with encryption, or both). The communication system may be the same as or similar to other communication devices or communication systems described herein.
In one or more embodiments, the control system may represent a back-office server or a dispatch center, such as of a positive vehicle control (PVC) system. A PVC system is a control system in which a vehicle is allowed to move, and/or is allowed to move outside a designated restricted manner (such as above a designated penalty speed limit), only responsive to receipt or continued receipt of one or more signals (e.g., received from off-board the vehicle system) that meet designated criteria, the signals have designated characteristics (e.g., a designated waveform and/or content) and/or are received at designated times (or according to other designated time criteria) and/or under designated conditions. This is opposed to ‘negative’ vehicle control systems where a vehicle system is allowed to move unless a signal (restricting movement) is received. The back-office server may be a vital or a non-vital system such that data stored, contained, maintained, communicated between, or the like, may be vital (e.g., protected) and/or non-vital (e.g., non-protected) data. Alternatively, the off-board control system represents another computerized system that communicates with vehicles and/or vehicle systems described herein.
The control system may monitor movement and/or positions of the plural different vehicle systems. Additionally, the control system may monitor locations of different portions of the plural different vehicle systems relative to intersections between routes. As one example, the control system may monitor movement and/or placement of vehicle systems relative to route intersections to ensure that one vehicle system may not interfere with or run into another vehicle system.
The control system may receive or obtain the size of the vehicle system from the first vehicle system, from the memory of the control system, from another off-board database, from a wayside device (e.g., a sensor disposed onto or coupled with the wayside device may detect a first end of the vehicle and a second end of the vehicle responsive to the vehicle moving past the sensor), from another vehicle system, or the like. In another embodiment, the control system may obtain a size of the vehicle system based on data from sensors onboard a first vehicle 1302 of the vehicle system (e.g., global positioning system, or the like) and data from sensors onboard a last or seventh vehicle 1314 of the vehicle system (e.g., an end-of-train or end-of-vehicle transferable device may be coupled with the seventh or last vehicle of the vehicle system and may include global positioning systems or other position sensors).
In one or more embodiments, the size of the vehicle system may include or indicate a three-dimensional size of the vehicle system. For example, the control system may obtain a height of each of the vehicles, a width of each of the vehicles, and a length of each of the vehicles of the first vehicle system. Optionally, the size of the vehicle system may include a size of oversized cargo the first vehicle system (or one or more vehicles of the first vehicle system) may be carrying. For example, the first vehicle 1302 may have a height, width, and length, but the cargo disposed onboard the first vehicle may have a height, width, and/or length that is greater than one or more of the height, width, or length of the first vehicle such that the size of the cargo is greater than the size of the first vehicle in one or more directions.
At step 1404, the control system may identify locations of portions of the vehicle system. The different portions of the vehicle system may include locations of corners, sides, top portions and bottom portions of the different vehicles of the vehicle system. Optionally, the different portions may include locations of components (e.g., wheels, hitches or other coupling devices, bumpers, tail gates, operator cab positions, cargo loading and unloading components, doors or windows, or the like) of the different vehicles of the vehicle system.
The control system may identify locations of different portions of the vehicle system based on the positioning information of the first vehicle system and the size of the first vehicle system. For example, the control system may identify locations of each of the first vehicle system, the second vehicle system, the third vehicle system, the fourth vehicle system, the fifth vehicle system, and the sixth vehicle system illustrated in
In one or more embodiments, the control system may identify locations of each of the vehicles of the first vehicle system based on the information of the length of the first vehicle system, the route(s) along which the first vehicle system is moving or disposed on, and locations of the first and seventh vehicles. For example, the control system may determine a location of each of the second, third, fourth, and fifth vehicles based on information related to the size of the vehicle system, the route, and the locations of the first and seventh vehicles. The locations of each of the other vehicles of the first vehicle system may be determined within a 5% area of the actual locations of each of the other vehicles, within a 10% area of the actual locations, or the like.
At step 1406, the control system may identify a location of an intersection or an intersection allowance area. For example, the control system may identify locations of each of the intersections 1130A-H shown in
The intersection allowance area may be an area of a threshold distance around the intersection. For example, the intersection allowance area may be defined as an area that is within about 1 meter of the intersection, within about 5 meters of the intersection, within about 10 meters of the intersection, within about 25 meters of the intersection, or the like. For example, the control system may identify the location of the intersection (e.g., where the routes cross each other) and the area that is within a 10-meter diameter perimeter of the intersection, a 5-meter diameter perimeter of the intersection, or the like. The intersection allowance area may be a substantially circular area that extends around the intersection, or alternatively may have an alternative shape. For example, the intersection allowance area may have an oblong or oval shape such that the allowance area includes an area of one route that is greater than an area of the intersecting route, such as the intersection allowance area of the intersection 1130C shown in
In one or more embodiments, the control system may be monitoring plural different routes that form or create plural different intersections. The control system may monitor and/or identify locations of one or more of the different intersections. For example, the control system may identify locations of intersections of plural different routes in which routes intersect with similar or dissimilar types of routes (e.g., tracks, paved roads, unpaved roads, pedestrian walkways, or the like). Optionally, the control system may only identify locations of intersections of similar routes (e.g., rail tracks intersecting other rail tracks, or paved roads intersecting other paved roads).
At step 1408, a determination is made whether a portion of the vehicle system (or a portion of the cargo being transported by the vehicle system) is disposed within or across the intersection or intersection allowance area. For example, returning to
In one or more embodiments, the output device of the control system may indicate to an operator of the control system that a portion of one or more vehicle systems, a portion of another obstacle, or the like, is disposed within or across an intersection or intersection allowance area. For example, the output device may be a digital screen, touch screen, or the like (e.g., of a stationary terminal, or of a wireless mobile device such as a tablet or smartphone) and may include a map of the intersecting routes. The map may include an indication of locations of each of the vehicles of the plural different vehicle systems, locations of obstacles, and an indication of portions of the vehicles or obstacles that may be disposed within or across an intersection. For example, the output device may display a mark, a dot, a star, a text, an arrow, a flag, or other indication (e.g., in a designated color) that a portion of the vehicle system is disposed within the intersection. Optionally, the output device may indicate a location of the portion of the vehicle system (e.g., a front left corner of a vehicle of the vehicle system, a rear end of a vehicle, or the like). In one or more embodiments, respective indications may be displayed for all vehicle systems disposed within respective intersections or intersection allowance areas, for the operator of the control system to understand multiple such instances of vehicle positioning within a rail yard or other designated region of transportation routes. Optionally, the output device may be and/or include an audio output device that may sound an audio alarm based on a determination that a portion of a vehicle system is disposed within an intersection or intersection allowance area.
In one or more embodiments, an output device disposed onboard a vehicle system (not shown) may indicate to an operator onboard the vehicle system that a portion of a vehicle of the vehicle system is disposed within or across an intersection or intersection allowance area. For example, the output device onboard the vehicle system may indicate to the operator onboard the vehicle system that a portion of the vehicle is within the intersection allowance area and may indicate which portion of the vehicle is disposed within the intersection allowance area (e.g., a rear corner, a front end, or the like). Optionally, the output device onboard the vehicle system and/or the output device of the control system may indicate how far a distance within the intersection allowance area the portion of the vehicle system extends (e.g., extends 1 meter into the intersection allowance area, 10% of the vehicle extends into the intersection allowance area, or the like).
In one or more embodiments, the control system may automatically communicate an alert to one or more vehicle systems responsive to determining that a portion of a vehicle system disposed within or across an intersection or intersection allowance area. For example, the control system may determine that the portions of the first vehicle system are disposed within the intersection allowance area of the intersections 1130A and 1130B and may communicate an alert to the operator of the first vehicle system. Optionally, the control system may communicate an alert to the fourth vehicle system based on a direction of movement of the first vehicle system toward the fourth vehicle system. Optionally, the control system may communicate alerts to vehicle systems that may be moving toward the first vehicle system (e.g., on the first route or other routes that intersect the first route), to other vehicle systems that are moving along the same route as the first vehicle system or other routes that intersect the first route), or the like. Optionally, the control system may communicate alerts to vehicle systems within a determined relative area around the first vehicle system regardless of a direction of travel and/or routes along which the other vehicle systems may be moving (e.g., to vehicle systems within 100 meters of the first vehicle system, vehicle systems within 500 meters of the first vehicle system, or the like).
If a portion of a vehicle system is disposed within or across an intersection or intersection allowance area, flow of the method proceeds toward step 1410. Alternatively, if no portion of a vehicle system is disposed within or across an intersection or intersection allowance area, flow of the method proceeds toward step 1414.
At step 1410, a determination is made whether the portion of the vehicle that is disposed within or across an intersection or an intersection allowance area needs to move out of the intersection or intersection allowance area. As one example, the vehicle system may need to move out of the intersection if another vehicle system or other object or obstacle is disposed at or approaching the intersection. As another example, the vehicle system may need to move out of the intersection or intersection allowance area if another vehicle system or other object is planned or scheduled to move through the intersection. For example, referring to
At step 1412, an operating setting of the vehicle system may be changed to move the portion of the vehicle system out of the intersection. For example, the illustrated embodiment of
Alternatively, if the portion of the vehicle system does not need to move out of the intersection or intersection allowance area, at step 1422 operating settings of the vehicle system may remain the same. For example, the portion of the vehicle system that is disposed within or across the intersection or intersection allowance area may remain within the intersection or intersection allowance area.
Returning to the decision made at step 1408, if a portion of a vehicle system is not disposed within or across an intersection or intersection allowance area, flow of the method proceeds toward step 1414. At step 1414, a predicted time of arrival of a vehicle system at an intersection or intersection allowance area is determined. The time of arrival may be based on a moving speed of the vehicle system, a rate of a changing speed of movement, a location of the vehicle system, a distance between the vehicle system and the intersection or intersection allowance area, an elevation of the intersection (e.g., relative to sea level) relative to an elevation of the vehicle system, or the like.
At step 1416, a decision is made whether the time of arrival of a vehicle system at an intersection or intersection allowance area needs to change. For example, referring to
In one or more embodiments, the control system may determine that the first vehicle system needs to reach the intersection 1130D at a time before the predicted time of arrival T1 based on another vehicle system needing to move through the intersection 1130A after the first vehicle system has moved through the intersection 1130A. For example, the speed of the first vehicle system may need to increase to allow the seventh vehicle 1314 of the first vehicle to move through the intersection allowance area of the intersection 1130A before another vehicle system (not shown) reaches the intersection 1130A.
In one or more embodiments, the control system may determine that the predicted time of arrival T1 of the first vehicle system at an intersection may need to change based on an obstacle being disposed within or across the intersection. For example, the control system may receive data signals communicated from a wayside device that indicates that an obstacle is disposed within or across the intersection. The data signals may indicate whether the obstacle is stationary or moving, a moving speed of the moving obstacle, a size of the object, a predicted time of departure of the obstacle at which the obstacle is expected to move out of the intersection, or the like. In one or more embodiments, the control system may determine whether a portion of the obstacle (e.g., a portion of the obstacle disposed within an intersection allowance area) may interfere with a portion of the first vehicle system if the first vehicle system reaches the intersection before the obstacle moves out of the intersection allowance area. The control system may determine whether the first vehicle system and obstacle will interfere with each other based on the speed of movement of the obstacle, the size of the obstacle, the moving speed of the first vehicle system, the size of the first vehicle system, or the like.
In one or more embodiments, the control system may receive data signals communicated from a wayside device or other vehicle system that indicate that the obstacle is not disposed at or within an intersection allowance area of an intersection but may be moving towards the intersection allowance area. The control system may determine a time of arrival of the obstacle at the intersection and/or a time of departure of the obstacle from the intersection based on the moving speed of the obstacle. Optionally, the predicted time of arrival of a vehicle system at an intersection may need to change (e.g., speed up to arrive sooner than the predicted time of arrival or slow down to arrive at a time later than the predicted time of arrival) for an alternative reason.
If the predicted time of arrival T1 of the first vehicle system needs to change, flow of the method proceeds toward step 1418. Alternatively, if the predicted time of arrival of the first vehicle system does not need to change, flow of the method proceeds toward step 1422 and the first vehicle system continues to operate according to the operating settings.
At step 1418, an operating setting of the first vehicle system may be changed in order to change the time of arrival T1 of the first vehicle system at the intersection 1130D to a new predicted time of arrival T3. One or more operating settings of the first vehicle system may need to change based on a determination that the first vehicle system will interfere or collide with a portion of the fourth vehicle system. Optionally, the one or more operating settings may need to change based on a determination that the first vehicle system will interfere or collide with another obstacle.
In one embodiment, the control system may communicate a command message to a controller of the first vehicle system (not shown) to direct the controller to automatically change a throttle and/or brake setting of the first vehicle system. Optionally, the control system may remotely control the operation of the first vehicle system and may remotely change an operating setting of the first vehicle system. Optionally, the control system may communicate the command message to the controller of the first vehicle system to direct an operator of the first vehicle system to manually change an operating setting of the first vehicle system. At step 1420, the vehicle system is operated according to the new operating settings and arrives at the intersection at a time that is different than the predicted time of arrival T1. For example, the actual time of arrival of the first vehicle system may be at a time that is before or after the predicted time of arrival T1.
In one or more embodiments, the control system may obtain and/or determine a vector projection of movement of the first vehicle system. The vector projection may be based on one or more of a direction of movement of the first vehicle system, the route along which the first vehicle system is or will be moving (e.g., if the first vehicle system is changing routes at an intersection), the moving speed of the first vehicle system, if the moving speed of the vehicle system is changing (e.g., slowing down or speeding up), the predicted time of arrival of a portion of the first vehicle system at the intersection, or the like. The control system may determine whether the first vehicle system will interfere with another vehicle system or an obstacle at the intersection based on the vector projection of movement of the first vehicle system. Optionally, the control system may automatically communicate a command message to the first vehicle system to change an operating setting to change the predicted time of arrival at the intersection based on the vector projection of the first vehicle system.
At step 1502, the control system may identify a location of an intersection of two or more routes. The location of the intersection may include an intersection allowance area that includes a threshold distance around the intersection. For example, the intersection allowance area may be an area within about 5 meters of the intersection, within about 10 meters of the intersection, within 50 meters of the intersection, or the like. At step 1504, the control system may monitor movement of the plural different vehicle systems moving toward and away from the intersections and intersection allowance areas.
At step 1506, a determination is made whether a first vehicle system is moving toward the intersection. If the first vehicle system is not moving toward the intersection, flow of the method returns to step 1504 and the control system continues to monitor movement of the vehicle systems. Alternatively, if the first vehicle system is moving toward the intersection, flow of the method proceeds toward step 1508.
At step 1508, a determination is made whether at least a portion of a second vehicle system (or other obstacle) is disposed within or across the intersection or disposed within the intersection allowance area. If no portion of the second vehicle system is disposed within or across the intersection or intersection allowance area, flow of the method returns to step 1504 and the control system continues to monitor movement of the vehicle systems and the intersections.
Alternatively, if at least a portion of the second vehicle system is disposed within or across the intersection or intersection allowance area, flow of the method proceeds toward step 1510. At step 1510, one or more operating settings of one or both of the first or second vehicle systems are changed based on at least a portion of the second vehicle system being disposed within the intersection allowance area or across the intersection and the first vehicle system moving toward the intersection. For example, operating settings of one or both of the first or second vehicle systems may need to change to avoid the first and second vehicle systems colliding with each other at the intersection or within the intersection allowance area.
In one embodiment, a speed of movement of the second vehicle system may be increased to move the second vehicle system out of the intersection allowance area before a time of arrival of the first vehicle system at the intersection allowance area. Optionally, a brake setting of the first vehicle system may need to change, such as to slow or stop movement of the first vehicle system. For example, the speed of movement of the first vehicle system may be reduced to change the predicted time of arrival of the first vehicle system at the intersection to a time that is after a time of departure of the second vehicle system from the intersection allowance area. Flow of the method may return to step 504 and the control system may continue to monitor plural vehicle systems moving along plural different routes and intersections of the plural different routes.
As illustrated by
The first route may include a first route circuit (
To code a signal, a signal generator applies a coded signal of a determined number of pulses, or pulse rate, at a specified carrier frequency onto the rail. A vehicle such as a locomotive may be equipped with dedicated hardware of the controller to receive the generated signal and convey the information to the crew as well as other systems on board the locomotive. The combination of detected pulse rates and carrier frequencies yield the status of a signal with which the controller of the locomotive must comply. Additionally, multiple coded signals on the same track circuit may be provided by different carrier frequencies for each coded signal. The signals may coexist and none, some, or all can be received by the controller of the locomotive depending on the installed equipment.
In one example, the coded signal is a location coded signal that conveys identifying information unique to the first route, or finite portion of the track. When used herein, unique refers to a signal that has characteristics that are different than other signals produced along other routes in a specific transportation system or transportation area. Therefore, in one example, there may be 100,000 individual route sections total in a transportation system or area within the western United States, where each individual section has its own combination of frequency and pulse rate. Thus, each section has a unique signal, because no two signals have the same frequency and pulse rate. Still, the same combination of frequency and pulse rate may be used to identify a track in the Eastern United States. Specifically, a GPS, route data, or otherwise may be used to identify the track system or area of a vehicle, and the unique signal may be used to identify the track in that system or area. The location coded signal includes a combination of pulse counts, or pulse rate, and carrier frequency that may be indicated on a mapped track database associated with first route.
The controller may include one or more processors that may use a look-up table, mathematical equation, algorithm, function, etc. to determine the location of the vehicle based on the pulse count and carrier frequency of the location coded signal. In one example, the controller compares the location coded signal to signals within loaded track database files. Specifically, the track database files may include each track segment of a transportation system, along with the location coded signal associated with each such track segment.
The controller may also include a GPS system, and the determined location may be compared to the location determined by the GPS system. In this manner a verification may be provided for the GPS system. If the location determined by the GPS system and determined from the location coded signal do not match, the controller may indicate a match is not presented. To this end the controller may display both locations, provide a difference in locations, or the like, to convey information to a driver of the discrepancy. In another example, the discrepancy may be recorded, and/or the GPS location determination may be ignored by the controller in making determinations related to location.
The second route may include a second route circuit (
Similarly, the third route may include a third route circuit (
The controller based on the third location coded signal may determine that the vehicle is now on the third route instead of the first route based on the differences in the signal. The controller may also display this information to the driver of the vehicle. In an embodiment where a first route transitions into either a second route or third route depending on the position of a switch, based on the changing of the received signal from the first coded location signal to either the second coded location signal or third coded location signal, the position of the switch may be determined. The switch position may then be communicated to a remote device, such as a controller of another vehicle or a dispatch.
A route circuit 1814 coupled to the route may be affected by a vehicle to generate a determined signal back to the controller. The route circuit of
The determined coded signal may be a coded location signal, or an auxiliary coded signal. The coded location signal may be provided a first frequency, such as 100 Hz with a first determined amount of pulse rates, such as 75 pulses, while the auxiliary coded signal may be at a second frequency, such as 200 Hz and or a second determined pulse rate, such as 50 pulses. The coded location signal may be associated with a specific location of a route, while the auxiliary coded signal may be associated with an operating status of the vehicle such as vehicle speed, vehicle movement, or the like. In this manner, information related to the vehicle may be passed from the signal generation circuitry to the controller.
As an example, the one or more processors may receive the coded location signal from the signal detection device and determine the frequency and pulse rates of the coded location signal. Based on the frequency and pulse rate, the one or more processors may determine the location of the vehicle. For example, the storage device may include a look-up table that has frequency and pulse rate pairs that have an associated location or route associated therewith. The one or more processors may then compare the frequency and pulse rate of the coded location signal received to the frequency and pulse rate pairs in the look-up table, and when a match occurs, the associated route or location on a map is the determined location. Alternatively, the one or more processor may use an algorithm, mathematical function or calculation, or the like to determine the location on a map.
In one example, a look-up table may be used to determine when a vehicle begins traveling in a determined section of a route, and that parameter may be used in an algorithm or mathematical function or calculation to determine an instantaneous location of the vehicle. Additional parameters may be used in the algorithm or mathematical function or calculation including vehicle speed, axle rotation, wind speed and direction, GPS location information, vehicle weight, fuel consumption, etc.
The controller may also display the determined output on the display. The display may be an output screen, touch screen, monitor, interface, or the like. In particular, upon determining the location of the vehicle, the location information may be displayed to a driver or crew for use during operation.
In one example, the one or more processors determine the location of the vehicle based on both a coded location signal and a GPS signal. When the coded location signal and GPS signal match, the display may indicate a match, flash, or the like to provide additional confidence to the driver of the location of the vehicle. When the coded location signal and GPS signal result in location that do not match, the one or more processors may provide both on the screen and an indication that they do not match. The indication that the locations do not match may be illustrated by a different color, flashing, a sound or alarm, or the like.
In one example, the difference between the coded location signal location and GPS signal location must be at least a determined distance before the difference is displayed. In one example, the distance is ten meters, such that once the difference in locations is greater than ten meters, the display screen will show the two distances, flash, audibly warn a driver, etc. Under ten meters, no change will be made. While in one example this distance may be 10 meters, in another example the distance may be 20 meters, 5 meters, less than 5 meters, greater than 20 meters, etc. In another example, when both a GPS signal location and coded location signal location are both being received and determined, the one or more processors only use, and display information related to the coded location signal. In this manner, the GPS signal location is only used when a coded location signal is not received.
At 1902, a coded signal is generated by a vehicle traveling along a unique section of a route. In one example, the vehicle is a rail vehicle traveling on tracks that receive either an AC input or DC input from a power source. A relay may be provided such that when a vehicle passes over the relay, the axles of the vehicle disrupt the relay. Based on the disruption, signal generation circuitry generates a coded signal that may include a determined frequency and/or input pulses.
At 1904, the coded signal is received by a signal detection device of a vehicle controller. In one example the signal detection device is associated with the route, or tracks to detect the signal. In this manner, the vehicle itself does not need to move for the signal to be received by the signal detection device. Specifically, the presence of the vehicle on the route, whether moving, or stationary, results in an impact on the relay, causing the coded signal to be generated and consequently received by the vehicle controller. This is an advantage over wayside based sensors that only detect the movement of a vehicle along a route. Thus, in a situation where a vehicle is stopped in a tunnel where a GPS signal may not be reached, and the vehicle is not moving, the vehicle may still be detected, including a known location. This information may then be communicated to remote devices so that the presence of the vehicle is known by remote devices.
At 1906, the location of the vehicle is determined based on the coded signal. In one example, the one or more processors of the vehicle controller may use a look-up table, algorithm, mathematical function or calculation, etc. to determine the exact location of the vehicle based on the coded signal. The one or more processor may use a look up table, algorithm, equation, etc. stored in a storage device. To this end, the storage device may include a map with a specific map location based on the coded signal. The map, look-up table, algorithm, equation, or the like may be updated from time to time to better reflect location information as maps, codes, equations, etc. are updated and refined.
At 1908, optionally, the location of the vehicle determined may be compared to the location of the vehicle determined using another method. In one example, a GPS signal may be used to determine the location of the vehicle. In particular, when the location of the vehicle based on the GPS signal matches, or closely matches the location based on the coded location signal, verification is provided. Such verification provides increased confidence and reduces mistakes related to location-based decisions of a driver.
At 1910, the location of the vehicle is displayed to a driver. In one example, when the location based on the coded location signal and a GPS signal vary, such differences may be displayed. The vehicle location may be displayed as a latitude and longitude, mile marker, graphical representation of a vehicle along a route, or the like to convey the information in an understandable manner to the driver. Thus, not only is the location determined, but may also be used by the driver in making driving decisions related to the vehicle along a route.
Thus, a system and method are provided to communicate information from a vehicle system to a remote device using the route itself as a communication pathway. In this manner, when over the air communication methods are not effective as a result of a vehicle being underground, in a remote location without network support, or the like, a communication signal may still be provided to a driver and/or third party related to the location of the vehicle. Such an alternative communication path reduces driver error resulting from not knowing where a vehicle is located and increases safety within a transportation system.
In one or more embodiments, a computer-implemented method is provided that includes obtaining, with a central office server, a first secret and a first public key, and obtaining, with the central office server, a second secret a second public key. The method may also include authenticating, with the central office server, the first public key of the first vehicle based on a first private key associated with the first vehicle, and authenticating, with the central office server, the second public key of the second vehicle based on a second private key associated with the second vehicle. The method may also include preventing a man-in-the-middle attack, by securing at least one of a first vehicle-to-central office communication, a central office-to-first vehicle communication, or a first vehicle-to-second vehicle, wherein the first vehicle-to-central office communication and the central office-to-first vehicle communication are authenticated based on a determined private key associated with a respective first vehicle on-board computer, and sending a message, with the central office server, to a vehicle associated with a conditional movement authority.
Optionally, the method may also include sending, with the central office server, a vehicle identifier associated with the second vehicle for determining an access request, and receiving, with the central office server, a digitally signed first public key from the first computing device based on the first private key, wherein the first private key is assigned to the first vehicle. In one aspect, receiving the digitally signed first public key at the central office server may include receiving a request for a vehicle address of the second vehicle including a vehicle identifier associated with the second vehicle. In another aspect, obtaining, with a central office server, the first secret and a first public key may include receiving the first secret and the first public key from the conditional movement authority. In one example, the first vehicle may be a rail vehicle that can include at least one individual vehicle. The method may also include sending, with the central office server, a digitally signed first vehicle address associated with the at least one individual vehicle of the first vehicle; and preventing the man-in-the-middle attack based on the digitally signed first vehicle address.
Optionally, the method may also include sending, by the central office server, at least one of a first vehicle address associated with the first vehicle or a second vehicle address associated with the second vehicle. In one aspect, a second vehicle-to-central office communication and a central office-to-second vehicle communication may be authenticated based on a determined private key associated with a respective second vehicle on-board computer. In another aspect, the first secret may be based on a first random secret number, and the second secret is based on a second random secret number. In one example, the first secret may be based on at least one of a first DH modulus, a first DH base, or a first secret random number, and the second secret is based on at least one of a second DH modulus, a second DH base, or a second secret random number.
In one or more example embodiments, a vehicle-to-device key exchange system is provided that may include a central office server comprising one or more processors. The one or more processors may be configured to obtain, from a first on-board computer of a first vehicle, a first secret and a first public key, and obtain, from a second on-board computer of a second vehicle, a second secret and a second public key. The one or more processors may also be configured to receive from the second on-board computer a digitally signed second public key based on a second private key associated with the second on-board computer and authenticate the first public key of the first vehicle based on the first private key associated with the first on-board computer of the first vehicle. The one or more processors may also be configured to authenticate the second public key of the second vehicle based on the second private key associated with the second on-board computer of the second vehicle. In addition, the one or more processors may be configured to prevent a man-in-the-middle attack, by securing at least one of a first vehicle-to-central office communication, a central office-to-first vehicle communication, or a first vehicle-to-second vehicle, wherein the first vehicle-to-central office communication and the central office-to-first vehicle communication may be authenticated based on a determined private key associated with a respective first vehicle on-board computer. The one or more processors may also be configured to send a message, with the central office server, to a vehicle associated with a conditional movement authority.
Optionally, the one or more processors may further be configured to obtain, from the first on-board computer of the first vehicle, a digitally signed first public key based on a first private key associated with the first on-board computer. In one aspect, the central office server may also be configured to send an identifier associated with the second vehicle for determining an access request and receive the digitally signed first public key based on the first private key, wherein the first private key is assigned to the first vehicle. In another aspect, receiving the digitally signed first public key at the central office server may also include receiving a request for a vehicle address including an identifier of the second vehicle. In one example, the first secret may be based on at least one of a first DH modulus, a first DH base, or a first secret random number, and the second secret may be based on at least one of a second DH modulus, a second DH base, or a second secret random number. In another example, the central office server may also be configured to send at least one of a first vehicle address of the first vehicle or a second vehicle address associated with the second vehicle.
Optionally, the vehicle-to-device key exchange system may be configured to prevent a man-in-the-middle attack, by securing at least one of a first vehicle-to-central office communication, a central office-to-first vehicle communication, or a first vehicle-to-second vehicle communication. In one aspect, the first vehicle-to-central office communications and the central office-to-first vehicle communications may be authenticated based on a predetermined private key associated with a respective vehicle on-board computer.
In one or more embodiments, computer program product that may include at least one non-transitory computer-readable medium including program instructions. When executed by at least one processor, the at least one processors may be configured to obtain a first secret and a first public key and obtain a second secret and a second public key. The one or more processors may also be configured to authenticate the first public key of the first vehicle based on a first private key associated with the first vehicle and authenticate the second public key of the second vehicle based on a second private key associated with the second vehicle. The one or more processors may also be configured to prevent a man-in-the-middle attack, by securing at least one of a first vehicle-to-central office communication, a central office-to-first vehicle communication, or a first vehicle-to-second vehicle, wherein the first vehicle-to-central office communication and the central office-to-first vehicle communication are authenticated based on a determined private key associated with a respective first vehicle on-board computer. The one or more processors may also be configured to send a message to a vehicle associated with a conditional movement authority.
Optionally, the first vehicle-to-central office communications and the central office-to-first vehicle communications may be authenticated based on a predetermined private key associated with a respective vehicle on-board computer. In one aspect, a second vehicle-to-central office communication and a central office-to-second vehicle communication may be authenticated based on a determined private key associated with a respective second vehicle on-board computer.
Although embodiments or aspects have been described in detail for the purpose of illustration and description, it is to be understood that such detail is solely for that purpose and that embodiments or aspects are not limited to the disclosed embodiments or aspects, but, on the contrary, are intended to cover modifications and equivalent arrangements that are within the spirit and scope of the appended claims. For example, it is to be understood that the present disclosure contemplates that, to the extent possible, one or more features of any embodiment or aspect can be combined with one or more features of any other embodiment or aspect. In fact, many of these features can be combined in ways not specifically recited in the claims and/or disclosed in the specification. Although each dependent claim listed below may directly depend on only one claim, the disclosure of possible implementations includes each dependent claim in combination with every other claim in the claim set.
In some example embodiments, the device performs one or more processes described herein. In some example embodiments, the device performs these processes based on processor executing software instructions stored by a computer-readable medium, such as a memory and/or a storage component. A computer-readable medium (e.g., a non-transitory computer-readable medium) is defined herein as a non-transitory memory device. A memory device includes memory space located inside of a single physical storage device or memory space spread across multiple physical storage devices.
Software instructions may be read into a memory and/or a storage component from another computer-readable medium or from another device via the communication interface. When executed, software instructions stored in a memory and/or a storage component cause the processor to perform one or more processes described herein. Additionally or alternatively, hardwired circuitry may be used in place of or in combination with software instructions to perform one or more processes described herein. Thus, embodiments described herein are not limited to any specific combination of hardware circuitry and software.
As used herein, the terms “processor” and “computer,” and related terms, e.g., “processing device,” “computing device,” and “controller” may be not limited to just those integrated circuits referred to in the art as a computer, but refer to a microcontroller, a microcomputer, a programmable logic controller (PLC), field programmable gate array, and application specific integrated circuit, and other programmable circuits. Suitable memory may include, for example, a computer-readable medium. A computer-readable medium may be, for example, a random-access memory (RAM), a computer-readable non-volatile medium, such as a flash memory. The term “non-transitory computer-readable media” represents a tangible computer-based device implemented for short-term and long-term storage of information, such as, computer-readable instructions, data structures, program modules and sub-modules, or other data in any device. Therefore, the methods described herein may be encoded as executable instructions embodied in a tangible, non-transitory, computer-readable medium, including, without limitation, a storage device and/or a memory device. Such instructions, when executed by a processor, cause the processor to perform at least a portion of the methods described herein. As such, the term includes tangible, computer-readable media, including, without limitation, non-transitory computer storage devices, including without limitation, volatile and non-volatile media, and removable and non-removable media such as firmware, physical and virtual storage, CD-ROMS, DVDs, and other digital sources, such as a network or the Internet.
The singular forms “a”, “an”, and “the” include plural references unless the context clearly dictates otherwise. “Optional” or “optionally” means that the subsequently described event or circumstance may or may not occur, and that the description may include instances where the event occurs and instances where it does not. Approximating language, as used herein throughout the specification and claims, may be applied to modify any quantitative representation that could permissibly vary without resulting in a change in the basic function to which it may be related. Accordingly, a value modified by a term or terms, such as “about,” “substantially,” and “approximately,” may be not to be limited to the precise value specified. In at least some instances, the approximating language may correspond to the precision of an instrument for measuring the value. Here and throughout the specification and claims, range limitations may be combined and/or interchanged, such ranges may be identified and include all the sub-ranges contained therein unless context or language indicates otherwise.
This written description uses examples to disclose the embodiments, including the best mode, and to enable a person of ordinary skill in the art to practice the embodiments, including making and using any devices or systems and performing any incorporated methods. The claims define the patentable scope of the disclosure, and include other examples that occur to those of ordinary skill in the art. Such other examples are intended to be within the scope of the claims if they have structural elements that do not differ from the literal language of the claims, or if they include equivalent structural elements with insubstantial differences from the literal language of the claims.
This application is a continuation-in-part of U.S. patent application Ser. No. 17/504,086 (U.S. Publication No. 20220038906) filed on 18 Oct. 2021, which is a continuation-in-part of U.S. patent application Ser. No. 16/220,959 (U.S. Pat. No. 11,153,077) filed on 14 Dec. 2018, which is a continuation-in-part of U.S. patent application Ser. No. 16/210,883 (U.S. Pat. No. 11,142,229) filed on 5 Dec. 2018. U.S. patent application Ser. No. 17/504,086 is a continuation-in-part of U.S. patent application Ser. No. 16/535,966 (U.S. Pat. No. 11,312,390) filed on 8 Aug. 2019, and is a continuation-in-part of U.S. patent application Ser. No. 16/685,485 (U.S. Pat. No. 11,267,496) filed on 15 Nov. 2019, and is a continuation-in-part of U.S. patent application Ser. No. 16/600,147 (U.S. Pat. No. 11,358,618) filed on 11 Oct. 2019, and is a continuation-in-part of U.S. patent application Ser. No. 16/724,449 (U.S. Pat. No. 11,574,261) filed on 23 Dec. 2019, and is a continuation-in-part of U.S. patent application Ser. No. 16/690,152 (U.S. Pat. No. 11,176,811) filed on 21 Nov. 2019, and is a continuation-in-part of U.S. patent application Ser. No. 16/206,674 (U.S. Pat. No. 11,772,692) filed on 30 Nov. 2018, and is a continuation-in-part of U.S. patent application Ser. No. 16/809,248 (U.S. Pat. No. 11,511,782) filed on 4 Mar. 2020, and is a continuation-in-part of U.S. patent application Ser. No. 17/458,841 (U.S. Publication No. 20220082400) filed on 27 Aug. 2021, and claims the benefit of U.S. Patent Application No. 63/077,262 filed on 11 Sep. 2020; and is a continuation-in-part of U.S. patent application Ser. No. 17/443,483 (U.S. Publication No. 20220024503) filed on 27 Jul. 2021, and claims the benefit of U.S. Patent Application No. 63/056,874 filed on 27 Jul. 2020; and claims the benefit of U.S. Patent Application No. 63/126,192 filed on 16 Dec. 2020; and claims the benefit of U.S. Patent Application No. 63/121,111 filed on 3 Dec. 2020; and is a continuation-in-part of U.S. patent application Ser. No. 17/181,667 (U.S. Publication No. 20220266883) filed on 22 Feb. 2021, and is a continuation-in-part of U.S. patent application Ser. No. 17/174,065 (U.S. Publication No. 20220250649) filed on 11 Feb. 2021. This application is also a continuation-in-part of U.S. patent application Ser. No. 17/408,124 (Publication No. 20210385632) filed 20 Aug. 2021, which is a continuation-in-part of U.S. patent application Ser. No. 16/235,144 (U.S. Pat. No. 11,129,220) filed on 28 Dec. 2018. This application is also a continuation-in-part of U.S. patent application Ser. No. 17/504,965 (U.S. Publication No. 20230120917) filed on 19 Oct. 2021. This application is also a continuation-in-part of U.S. patent application Ser. No. 17/226,077 (Publication No. 20210323592) filed on 9 Apr. 2021, which claims the benefit of U.S. Patent Application No. 63/011,758 filed on 17 Apr. 2020. The entire disclosures of each which are incorporated herein by reference.
Number | Date | Country | |
---|---|---|---|
63077262 | Sep 2020 | US | |
63056874 | Jul 2020 | US | |
63126192 | Dec 2020 | US | |
63121111 | Dec 2020 | US | |
63011758 | Apr 2020 | US |
Number | Date | Country | |
---|---|---|---|
Parent | 17504086 | Oct 2021 | US |
Child | 18537474 | US | |
Parent | 16220959 | Dec 2018 | US |
Child | 17504086 | US | |
Parent | 16210883 | Dec 2018 | US |
Child | 16220959 | US | |
Parent | 16535966 | Aug 2019 | US |
Child | 17504086 | US | |
Parent | 16685485 | Nov 2019 | US |
Child | 16535966 | US | |
Parent | 16600147 | Oct 2019 | US |
Child | 16685485 | US | |
Parent | 16724449 | Dec 2019 | US |
Child | 16600147 | US | |
Parent | 16690152 | Nov 2019 | US |
Child | 16724449 | US | |
Parent | 16206674 | Nov 2018 | US |
Child | 16690152 | US | |
Parent | 16809248 | Mar 2020 | US |
Child | 16206674 | US | |
Parent | 17458841 | Aug 2021 | US |
Child | 16809248 | US | |
Parent | 17443483 | Jul 2021 | US |
Child | 17504086 | US | |
Parent | 17181667 | Feb 2021 | US |
Child | 17443483 | US | |
Parent | 17174065 | Feb 2021 | US |
Child | 17181667 | US | |
Parent | 17408124 | Aug 2021 | US |
Child | 17174065 | US | |
Parent | 16235144 | Dec 2018 | US |
Child | 17408124 | US | |
Parent | 17504965 | Oct 2021 | US |
Child | 16235144 | US | |
Parent | 17226077 | Apr 2021 | US |
Child | 17504965 | US |