I. Field of the Invention
The present invention relates generally to vehicle-to-vehicle communication networks and, more particularly, to a method for allocating multiple authentication certificates for the vehicles within the network.
II. Description of Related Art
On an average day, many people are killed or injured and thousands of dollars incurred in property damage due to automotive accidents. This in turn results in a huge expenditure of healthcare dollars for treating those injured in such accidents, as well as lost labor from such injured or killed persons.
Many such accidents, however, may be prevented if the vehicle driver is warned of a hazardous driving condition in sufficient time so that the driver may react to avoid that hazardous condition. For example, a driver may cause a chain reaction accident by rapidly applying his or her brakes to avoid a collision with a deer or other animal. However, the drivers behind the vehicle about to strike the animal have insufficient time to avoid an accident thus resulting in a chain reaction accident. However, such an accident may be theoretically prevented or at least the injuries and damages minimized if the driver and/or vehicle potentially involved in the accident is able to react sufficiently rapidly to a hazardous driving condition in a fashion to minimize damage or injury or avoid such damage or injury altogether.
For that reason, dedicated short range communications (DSRC) have been proposed to permit communication between automotive vehicles as well as infrastructure for safety communications as well as other types of communications. At present, the federal government in the United States has allotted 75 megahertz in the wireless spectrum in the 5.9 gigahertz range for such communications. It is anticipated that more and more future vehicles will begin to include equipment for DSRC and, for that reason, a common protocol of the communications between different vehicles should be established in order to achieve maximum efficiency of the overall vehicle-to-vehicle communication system or network.
In managing the wireless communications between different vehicles, as well as infrastructure, the authenticity of the received message is paramount. Otherwise the vehicles may receive wireless communications from parties who intentionally transmit incorrect information. Another risk is a vehicle that, through malfunction, transmits incorrect information. Without authentication that the received messages are trustworthy, unsafe traffic conditions, traffic congestion and even traffic accidents may result.
In order to enable automotive vehicles to communicate between themselves and optionally infrastructure, it has been previously proposed to form a vehicle ad hoc network (VANET) with the automotive vehicles that are within the range of interest for a particular automotive vehicle. Such vehicles in the VANET would then communicate amongst themselves, providing safety information as well as the status of operation of each vehicle in the network and of nearby infrastructure. The number of vehicles in any particular VANET will, however, vary as different automotive vehicles enter or exit the VANET.
In order to ensure the authenticity or trustworthiness of the messages received within the vehicle network, it has been previously proposed to use public key infrastructure (PKI) encryption of the messages transmitted over the vehicle network. In such a PKI encryption, a Certificate Authority, such as a governmental body, distributes the public key of the Certificate Authority to all vehicles or nodes within the network. The Certificate Authority then also provides to each node a signature generated with the private key of the Certificate Authority, and that signature is unique to the particular vehicle. For example, the PKI encrypted certificate for a particular vehicle may be bound to the vehicle identification number, license plate and/or the like.
It is also highly desirable that the Certificate Authority retain the power to revoke the authentication certificates previously granted to any vehicle or vehicles within the vehicle communication network. Such revocation would be highly desirable, for example, when a particular vehicle within the network begins to transmit messages or other information that is incorrect or otherwise untrustworthy. This may occur, for example, due to a malfunction of the DSRC equipment maintained by each vehicle.
While the assignment of a single authentication certificate by the Certificate Authority to the individual vehicle is sufficient to authenticate or encrypt messages subsequently transmitted by that vehicle, the use of a single certificate assigned by the Certificate Authority raises serious privacy concerns. For example, a vehicle within the network will repeatedly transmit the identity of that vehicle. Consequently, if a single certificate were utilized, it would be possible to monitor either the vehicle or various locations to determine if the vehicle has visited those locations. That, in turn, may result in a loss of privacy for the occupant of the particular vehicle.
In order to address these privacy concerns, it has been proposed that, instead of the Certificate Authority issuing a single certificate to each vehicle, the Certificate Authority instead issue multiple authentication certificates to each vehicle. Indeed, some have proposed that tens of thousands of certificates be issued to each vehicle.
Consequently, a vehicle that has been issued thousands of authentication certificates may change the certificate it uses on a frequent basis, e.g. every ten minutes. By doing so, the issuance of thousands of authentication certificates to each vehicle should adequately address any privacy concerns that would otherwise result from tracking or monitoring that particular vehicle.
The issuance of multiple, indeed tens of thousands, of authentication certificates to each vehicle, however, creates additional difficulties in maintaining a certificate revocation list by the Certificate Authority. Such a certificate revocation list is disseminated to vehicles in the network to enable each vehicle to check whether a received message originated from a vehicle having a revoked certificate and, if so, to disregard the received message.
More specifically, the Certificate Authority maintains the certificate revocation list for all vehicles for which the Certificate Authority has determined that the transmitted messages are not trustworthy. In the case where a single authentication certificate was assigned to a particular vehicle, it is only necessary to include a single entry in the certificate revocation list which is ultimately transmitted to other vehicles in the vehicle network. However, in a situation where each vehicle contains tens of thousands of authentication certificates, it would be necessary to list the tens of thousands of authentication certificates in the certificate revocation list whenever the trustworthiness of any particular vehicle is revoked.
The inclusion of tens of thousands of authentication certificates in the certificate revocation list for each vehicle whose authentication trustworthiness has been revoked is unacceptable for several reasons. It is primarily unacceptable because such a bulky certificate revocation list not only requires unacceptably high processor overhead, but also consumes excessive bandwidth when transmitted to other vehicles. As such, this previously known proposal has not gained acceptance.
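The following added example (not part of the patent text) models the scheme described above: a Certificate Authority issues unlinkable pseudonym certificates to each vehicle, receivers verify the CA signature and consult a per-certificate revocation list, and the list's size is measured as the number of certificates per vehicle grows. It assumes an HMAC keyed with a CA secret as a stand-in for the CA's private-key signature and 8-byte random serials; both are simplifications chosen so the code runs without a cryptography library.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Assumption: an HMAC keyed with a CA secret stands in for the CA's
# private-key signature, so the example runs without a crypto library.
CA_KEY = os.urandom(32)
SERIAL_LEN = 8  # bytes per serial; one CRL entry carries one serial


@dataclass(frozen=True)
class Certificate:
    serial: bytes     # random, so a vehicle's certificates are unlinkable
    pubkey: bytes     # stand-in for the per-certificate public key
    signature: bytes  # CA "signature" over serial || pubkey


def ca_sign(ca_key: bytes, cert_body: bytes) -> bytes:
    return hmac.new(ca_key, cert_body, hashlib.sha256).digest()


def issue_certificates(ca_key: bytes, count: int) -> list:
    """Issue `count` pseudonym certificates to a single vehicle."""
    certs = []
    for _ in range(count):
        serial, pubkey = os.urandom(SERIAL_LEN), os.urandom(32)
        certs.append(Certificate(serial, pubkey, ca_sign(ca_key, serial + pubkey)))
    return certs


def certificate_is_valid(ca_key: bytes, cert: Certificate) -> bool:
    """Verify the CA signature; an altered or forged certificate fails here."""
    expected = ca_sign(ca_key, cert.serial + cert.pubkey)
    return hmac.compare_digest(expected, cert.signature)


def build_crl(revoked_vehicles: list) -> set:
    """Per-certificate CRL: every serial of every revoked vehicle is listed,
    because nothing in a certificate links it to its sibling certificates."""
    return {cert.serial for certs in revoked_vehicles for cert in certs}


def crl_size_bytes(crl: set) -> int:
    return len(crl) * SERIAL_LEN


def accept_message(ca_key: bytes, crl: set, cert: Certificate) -> bool:
    """Receiver-side check: valid CA signature and not on the revocation list."""
    return certificate_is_valid(ca_key, cert) and cert.serial not in crl


def crl_growth(certs_per_vehicle: int, revoked_vehicles: int) -> int:
    """Bytes every receiver must download to revoke `revoked_vehicles` vehicles."""
    revoked = [issue_certificates(CA_KEY, certs_per_vehicle) for _ in range(revoked_vehicles)]
    return crl_size_bytes(build_crl(revoked))
```

Revoking ten vehicles costs 80 bytes of CRL with one certificate each but 800,000 bytes with ten thousand certificates each, which is the overhead the paragraph above describes.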