I. Field of the Invention
The present invention relates generally to vehicle-to-vehicle communication systems and, more particularly, to a method for distributing a list of certificate revocations to vehicles in the communication system.
II. Description of Related Art
On an average day, hundreds of people are killed and thousands injured in automotive accidents. This in turn results in a huge expenditure of healthcare dollars for treating those injured in such automotive accidents.
Many automotive accidents, however, are preventable if the vehicle driver is warned of a hazardous driving condition, or the vehicle itself reacts automatically to such a hazardous condition. For example, a driver may cause a chain reaction accident by rapidly applying his or her brakes in order to avoid a collision with a deer or other animal. The drivers behind the vehicle about to strike the animal, however, are unable to brake sufficiently rapidly in order to avoid an accident thus resulting in a chain reaction accident. However, such an accident may theoretically be prevented, or at least the injuries and/or vehicular damages minimized, if the driver and/or vehicle potentially involved in the accident are able to react sufficiently rapidly to hazardous driving conditions in the vicinity.
For that reason, dedicated short range communications (DSRC) have been proposed to permit communication between automotive vehicles as well as vehicles and infrastructure for safety and other communications. Indeed, the federal government in the United States has allocated 75 megahertz of the wireless spectrum in the 5.9 gigahertz range for such communications.
In managing the wireless communication between different vehicles, as well as between vehicles and infrastructure, the authenticity of the received messages is paramount. Without such authentications, the vehicles may receive wireless communications from parties who intentionally transmit incorrect information for whatever private purpose, as well as vehicles that, through malfunction, transmit incorrect information. Without authentication of the reliability of the received messages, unsafe traffic conditions, traffic congestion, etc. may result.
In order to enable automotive vehicles to communicate between themselves and optionally infrastructure, it has been previously proposed to form a vehicle ad hoc network (VANET) with the automotive vehicles that are within range of interest for the automotive vehicle and in which each automotive vehicle forms one node in the network. Such vehicles would then communicate amongst themselves within the network providing safety information, such as the status or status of operation of each vehicle in the network as well as infrastructure adjacent the road.
In order to ensure authenticity of the messages received by vehicle nodes within the network, it has been previously proposed to use public key infrastructure (PKI) authentication of messages transmitted over the ad hoc network. At the root of a PKI is a trusted Certificate Authority (CA). This certificate authority may be a government agency or its proxy. One of the responsibilities of a CA is to clearly distinguish between trusted and non-trusted nodes. To the trusted nodes, the CA gives one or more certificates (a single vehicle may use more than one certificate in order to improve its privacy). Each certificate imparts the trust of the CA to the owner of the certificate. A node V1 wanting to validate the authenticity of another node (V2)'s messages must have a certificate for V2. Certificates can be pre-installed or exchanged at the time of first meeting. Other certificate exchange methods have also been proposed. Node V1 can authenticate the validity of the certificate of V2. If V2's certificate is valid, V1 can then trust V2.
In one example, the certificate comprises (at least) a certificate ID, which for all practical purposes, also becomes a pseudonym for the certificate owner, as well as a public key associated with this certificate ID, as well as the certificate authority's digital signature binding this association.
In some situations, the CA may come to distrust a node V3. This may occur if there is evidence that V3 is sending inaccurate information, either due to direct manipulation of the VANET equipment, or because of a malfunction. When this happens, the CA must revoke the certificates it previously gave to V3. One method for doing this is to create a Certificate Revocation List (CRL), and then widely propagate the CRL throughout the network of nodes. Once the certificate authority revokes a certificate, and other vehicle nodes in the VANET are advised of that revocation, future messages received validated with the revoked certificate should be distrusted (and possibly disregarded).
Consequently, in order to ensure the trustworthiness of inter-vehicle messages received within the VANET, it is necessary that a list of all certificates that have been revoked not only be maintained, but also rapidly propagated throughout the entire vehicle communication system which includes all of the VANETs. One previously known proposal to accomplish this has been to provide roadside equipment (RSE) at numerous locations along the roads throughout the entire area encompassing the vehicle communication system, e.g. the United States. Such RSEs would transmit repeatedly a list identifying the certificate authentications or signatures that have been revoked by the certificate authority. This list would then be received by vehicles passing nearby the RSE and those vehicles would then update their list of certificate revocations so that any subsequent message received from a vehicle node having a revoked certificate will be disregarded.
The major disadvantage of utilizing numerous RSEs throughout the area of the communication network is the enormous cost of not only building the RSEs and installing them at numerous spaced locations adjacent roads in the area of the communication network, but also the cost of both maintaining and operating the RSEs.
A still further disadvantage of utilizing numerous RSEs to update the list of certificate revocations in automotive vehicle nodes passing nearby such RSEs, is that some vehicles may pass near an RSE on only rare occasions, if ever. As such, the list of certificate revocations maintained by such vehicles will necessarily be outdated most of the time. Consequently, messages received from vehicle nodes having a revoked certificate may still be treated as trustworthy from the receiving vehicle with the outdated list of certificate revocations thus creating safety hazards and other undesirable effects.