Method and apparatus for transmitting data in a network using a service-oriented protocol

By providing shared secrets to network elements and generating message authentication codes or tokens in service-oriented protocol networks, and combining hash functions and digital signatures, the problem of insufficient data transmission security is solved, and more efficient network security authentication and authorization are achieved.

CN114944912BActive Publication Date: 2026-07-14ROBERT BOSCH GMBH

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents(China)
Current Assignee / Owner
ROBERT BOSCH GMBH
Filing Date
2022-02-15
Publication Date
2026-07-14

AI Technical Summary

Technical Problem

In networks using service-oriented protocols, existing technologies struggle to effectively enhance data transmission security, particularly in areas such as authentication and authorization.

Method used

By providing network elements with shared secrets, using these secrets for authentication, and generating message authentication codes or tokens, combined with hash functions and digital signatures, secure authentication and data transmission between network elements can be achieved.

Benefits of technology

It improves network security, enhances the authentication and authorization mechanisms of network elements, prevents unauthorized service provision and use, protects the routing manager, and monitors network communication.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN114944912B_ABST
    Figure CN114944912B_ABST
Patent Text Reader

Abstract

A method for transmitting data in a network using a service-oriented protocol, wherein for example network elements can provide at least one service, the method having the steps of: providing a shared secret for at least two network elements; using the shared secret.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This disclosure relates to a method for transmitting data in a network using a service-oriented protocol.

[0002] This disclosure also relates to an apparatus for transmitting data in a network using a service-oriented protocol.

[0003] This disclosure also relates to a network element for transmitting data in a network using a service-oriented protocol.

[0004] This disclosure also relates to a network using a service-oriented protocol. Summary of the Invention

[0005] Exemplary implementations relate to a method for transmitting data in a network using a service-oriented protocol, wherein, for example, network elements can provide at least one service. The method includes the steps of: providing a shared secret for at least two network elements; and using the shared secret. According to other exemplary implementations, this can effectively improve the security of network operation.

[0006] In other exemplary embodiments, the method further includes: using the shared secret for authentication, for example, authenticating a first network element among the at least two network elements, for example, relative to a second network element among the at least two network elements.

[0007] In other exemplary embodiments, it is specified that providing the shared secret has at least one of the following elements: a) receiving the shared secret, for example, receiving the shared secret from another network element; b) forming the shared secret, for example, forming the shared secret locally in at least one network element; c) sending the shared secret, for example, sending the shared secret to at least one other network element.

[0008] In other exemplary implementations, it is specified that the service-oriented protocol is a Scalable service-oriented middleware protocol over IP, namely the SOME / IP protocol. Other protocols are also conceivable in other exemplary implementations.

[0009] In other exemplary embodiments, the method is specified to include, for example, generating a message authentication code and / or a token based on the shared secret. In other exemplary embodiments, the token may also have or contain the message authentication code or the message authentication code.

[0010] In other exemplary embodiments, the method is specified to include: sending the message authentication code or a token having the message authentication code and at least one other piece of information, wherein the at least one other piece of information is, for example, at least one of the following elements: a) a random number; b) a pseudo-random number; c) a string; d) an identifier, such as the identifier of a network element or the network element making the transmission; e) a sequence number (e.g., a sequence number); f) a timestamp; g) application-based information.

[0011] In other exemplary embodiments, the method is specified to include receiving a message authentication code or the message authentication code or token, the token of which may, for example, contain the message authentication code.

[0012] In other exemplary implementations, the method is specified to include, for example, checking the message authentication code or token based on the shared secret.

[0013] In other exemplary embodiments, the method is specified to send a message authentication code or the message authentication code and / or the shared secret and / or information derived from the message authentication code and / or the shared secret (e.g., in the form of a token) to at least one other device, such as a recording device.

[0014] In other exemplary embodiments, the method is specified to include: receiving a message authentication code or the message authentication code and / or the shared secret and / or information derived from the message authentication code and / or the shared secret (e.g., in the form of a token).

[0015] In other exemplary embodiments, the method is specified to include: for example, creating at least one report and / or log file with respect to at least one message authentication code and / or shared secret, such as that sent and / or received.

[0016] In other exemplary embodiments, the method is specified to have at least one of the following elements: a) providing a shared secret, such as a unique shared secret, for the at least two network elements; b) providing a shared secret for a network element designed as a server and at least one network element designed as a client, for example, providing a shared secret for a SOME / IP server and at least one client associated with the SOME / IP server when using the SOME / IP protocol or the SOME / IP protocol; c) providing different shared secrets for some of the at least two network elements.

[0017] In other exemplary embodiments, the method is specified to include adding timestamps and / or counter values ​​to the shared secret and / or the token.

[0018] In other exemplary embodiments, the method is specified to include: receiving a token, and optionally evaluating a timestamp and / or evaluating a counter value contained in the token.

[0019] In other exemplary embodiments, the method is specified to include: providing an initial value, wherein the initial value is, for example, a random number or a pseudo-random number; applying a hash function to the initial value, wherein, for example, the application of the hash function includes: repeatedly applying the hash function to the initial value or the hash value obtained therefrom, for example, repeating it n times, n > 1, wherein, for example, an n-order hash value is obtained.

[0020] In other exemplary embodiments, the method further includes sending a hash value obtained based on the application or the repeated application, for example via a secure, such as encrypted, channel or in a secure environment (e.g., in a production facility), such as using the SOME / IP protocol or the SOME / IP protocol, to a routing manager.

[0021] In other exemplary embodiments, the method is specified to include: providing a (ni)-order hash value based on the initial value, for example where i < n; and sending the (ni)-order hash value, for example, together with or as part of a request.

[0022] In other exemplary embodiments, the method is specified to include: receiving a (ni)-order hash value or the (ni)-order hash value, for example where i < n, such as receiving the (ni)-order hash value or the (ni)-order hash value together with or as part of a request; and optionally, checking the (ni)-order hash value, wherein, for example, checking the (ni)-order hash value includes: applying a hash function i times to the (ni)-order hash value or the hash value obtained thereby, and comparing the check hash value obtained by applying the hash function i times with the n-order hash value. In other exemplary embodiments, as long as the check hash value matches the n-order hash value, it can be inferred, for example, that the sender of the (ni)-order hash value possesses the initial value and is therefore, for example, a legitimate party to the network or a legitimate user of the network.

[0023] In other exemplary embodiments, the method is further specified to include, for example, discarding or storing the nth-order hash value based on the comparison; and / or storing the (ni)th-order hash value. Thus, in other exemplary embodiments, future checks on (nk)th-order hash values, for example, where (nk) > (ni), can be performed more efficiently.

[0024] In other exemplary embodiments, the method is further specified to include, for example, using a digital signature based on the shared secret.

[0025] Other exemplary embodiments relate to an apparatus for performing the methods according to these embodiments, wherein, in particular, the apparatus has at least one computing device and a storage device allocated to the computing device for at least temporarily storing data and / or computer programs.

[0026] In other exemplary embodiments, it is specified that the device has a data interface, preferably a bidirectional data interface.

[0027] Other exemplary implementations relate to a network element for transmitting data in a network using a service-oriented protocol, wherein, for example, the network element can provide at least one service, and the network element has at least one device according to these implementations.

[0028] In other exemplary embodiments, the network element is specified as a server, such as a SOME / IP server.

[0029] In other exemplary implementations, the network element is specified as a client, such as a SOME / IP client.

[0030] In other exemplary implementations, the network element is specified as a routing manager, such as a SOME / IP routing manager.

[0031] In other exemplary embodiments, it is specified that the network element, such as a server, client, or routing manager, is designed to at least temporarily perform at least one aspect of the method described above in the exemplary embodiments.

[0032] Other exemplary implementations relate to a network using a service-oriented protocol, particularly a SOME / IP-based network, which has at least one device and / or at least one network element as described in these implementations.

[0033] Other exemplary embodiments relate to a computer-readable storage medium including instructions that, when executed by a computer, cause the computer to perform the methods described according to these embodiments.

[0034] Other exemplary embodiments relate to a computer program that includes instructions that, when executed by a computer, cause the computer to perform the methods described according to these embodiments.

[0035] Other exemplary embodiments relate to a data carrier signal that transmits and / or represents a computer program according to these embodiments. In other exemplary embodiments, the data carrier signal may be transmitted, for example, via an optional data interface of the device.

[0036] Other exemplary implementations relate to the application of the methods and / or devices and / or network elements and / or networks according to these implementations and / or computer-readable storage media and / or computer programs and / or data carrier signals according to these implementations for at least one of the following elements: a) improving the security of data transmission in networks using service-oriented protocols, especially SOME / IP; b) checking data transmission in the network and / or the authorization or authenticity of network elements or network elements; c) blocking or preventing the provision and / or use and / or implementation of unauthorized services; d) protecting the routing manager for networks using service-oriented protocols; e) restricting the group of network elements allowed to use services that can be predefined; f) monitoring communications in the network, such as monitoring whether a particular client registers to use a service and / or whether a particular client exits a service, and / or, for example, monitoring and / or recording whether a service is provided and / or whether a network element stops providing services.

[0037] Other features, applications, and advantages of the invention will become apparent from the following description of embodiments of the invention, which are illustrated in the accompanying drawings. All features described or shown herein, either alone or in any combination, form the subject matter of the invention, regardless of their generalization in the claims or their references thereto, and regardless of their expression or presentation in the specification or drawings. Attached Figure Description

[0038] In the attached diagram:

[0039] Figure 1 A simplified block diagram illustrating an exemplary implementation is shown schematically;

[0040] Figure 2 A simplified flowchart illustrating a method according to other exemplary embodiments is shown schematically;

[0041] Figure 3 A simplified flowchart illustrating a method according to other exemplary embodiments is shown schematically;

[0042] Figure 4 A simplified flowchart illustrating a method according to other exemplary embodiments is shown schematically;

[0043] Figure 5 A simplified block diagram illustrating other exemplary embodiments is shown schematically;

[0044] Figure 6 A simplified flowchart illustrating a method according to other exemplary embodiments is shown schematically;

[0045] Figure 7 A simplified flowchart illustrating a method according to other exemplary embodiments is shown schematically;

[0046] Figure 8 A simplified flowchart illustrating a method according to other exemplary embodiments is shown schematically;

[0047] Figure 9 A simplified flowchart illustrating a method according to other exemplary embodiments is shown schematically;

[0048] Figure 10 A simplified flowchart illustrating a method according to other exemplary embodiments is shown schematically;

[0049] Figure 11 A simplified flowchart illustrating a method according to other exemplary embodiments is shown schematically;

[0050] Figure 12 A simplified flowchart illustrating a method according to other exemplary embodiments is shown schematically;

[0051] Figure 13 A simplified flowchart illustrating a method according to other exemplary embodiments is shown schematically;

[0052] Figure 14 A simplified diagram illustrating a method according to other exemplary embodiments is shown schematically;

[0053] Figure 15 A simplified flowchart illustrating a method according to other exemplary embodiments is shown schematically;

[0054] Figure 16 A simplified block diagram illustrating other exemplary embodiments is shown schematically;

[0055] Figure 17 The illustrations schematically depict aspects of the application according to other exemplary embodiments; and

[0056] Figure 18 A simplified block diagram illustrating other exemplary embodiments is shown. Detailed Implementation

[0057] For exemplary implementation methods, see [link to implementation details]. Figure 1 , 2This relates to a method for transmitting data in a network 10 using a service-oriented protocol, wherein, for example, network element 11 can provide at least one service D, such as providing at least one service to at least one other network element 12. The method includes the steps of: providing a shared secret SS to at least two network elements 11 and 12; and using the shared secret SS. According to other exemplary embodiments, this can effectively improve the security of the network 10 during operation.

[0058] Network 10 may be, for example, a network of vehicles or production facilities. For example, network 10 may also have a shared medium 10a, which may be wired (e.g., Ethernet) or wireless, and other network elements 12, 13 may also access the shared medium, for example, to use service D, in addition to network element 11.

[0059] In other exemplary embodiments, the method further includes: using the shared secret SS to perform authentication 102a, for example, authenticating the first network element 12 (e.g., a client) of the at least two network elements 11, 12, for example, relative to the second network element 11 (e.g., a server) of the at least two network elements.

[0060] In other exemplary embodiments, see Figure 3 The provision specifies that 100 of the shared secret SS has at least one of the following elements: a) receiving 100a of the shared secret SS, for example from another network element; b) forming 100b of the shared secret SS, for example locally on at least one network element, for example based on a random value or pseudo-random value; c) sending 100c of the shared secret SS, for example to at least one other network element, for example after forming (e.g., locally) or receiving it from another network element and / or from another unit (not shown).

[0061] In other exemplary embodiments, it is specified that the service-oriented protocol is an IP-based, extensible, service-oriented middleware protocol, namely the SOME / IP protocol. Other protocols are also conceivable in other exemplary embodiments.

[0062] In other exemplary embodiments, see Figure 4 The method specifies that, for example, it generates a 110 message authentication code (MAC) and / or a token (TOK) based on the shared secret SS. In other exemplary embodiments, the token (TOK) may also have or contain the message authentication code or the message authentication code MAC.

[0063] In other exemplary embodiments, the method is specified to include: sending 112 the Message Authentication Code (MAC) or a Token (TOK) having the Message Authentication Code and, if necessary, at least one other piece of information (WI), see [link to documentation]. Figure 5 The at least one other piece of information WI is, for example, at least one of the following elements: a) random number ZZ; b) pseudo-random number PZZ; c) string ZK; d) identifier ID, such as the identifier of the network element or the network element making the transmission; e) sequence number FN (e.g., sequence number); f) timestamp ZST; g) application-based information ABI.

[0064] In other exemplary embodiments, according to Figure 4 This method can be, for example, by client 12 ( Figure 1 ) to perform, for example, to perform authentication relative to server 11, for example, to prepare for the use of service D.

[0065] In other exemplary embodiments, see Figure 6 The method is defined as follows: receiving a 120 message authentication code or the message authentication code MAC or a token or the token TOK, wherein the token may, for example, contain the message authentication code MAC.

[0066] In other exemplary embodiments, the method is specified to include, for example, checking the message authentication code (MAC) or token (TOK) based on the shared secret (SS). In other exemplary embodiments, block 122 is optional.

[0067] In other exemplary embodiments, the method is specified to include: sending a message authentication code or the message authentication code MAC and / or the shared secret SS and / or information derived from the message authentication code and / or the shared secret (e.g., in the form of a token TOK) to at least one other device, such as a recording device AZE. Figure 1 ).

[0068] In other exemplary embodiments, the method is specified to include: receiving a 126 message authentication code or the message authentication code MAC and / or the shared secret SS and / or information derived from the message authentication code and / or the shared secret (e.g., in the form of a token TOK).

[0069] In other exemplary embodiments, the method is specified to include: creating at least 128 report BERs and / or log files, for example, with respect to at least one message authentication code (MAC) and / or shared secret (SS) sent and / or received.

[0070] In other exemplary embodiments, according to Figure 6The method, or aspects thereof, can be provided by server 11 ( Figure 1 ) to execute.

[0071] In other exemplary implementations, network element 13 (and / or a trusted third party) designed as a SOME / IP routing manager may generate multiple tokens TOK, which may be distributed, for example, at the outset, such as before network 10 is in normal operation, by sending to one or more SOME / IP servers 11 and / or by sending to one or more SOME / IP clients 12, for example, by means of (e.g., by encryption) protected transmissions and / or in a secure environment (e.g., a production facility).

[0072] In other exemplary embodiments, tokens (TOKs) are generated such that they can be verified, for example, by at least one other network element, such as the SOME / IP routing manager 13, based on the shared secret SS. In other exemplary embodiments, for example, the routing manager 13 can check the validity of a token (TOK) received, for example, from another network element, where the token is sent to the routing manager 13 by that other network element 12 when that other network element wants to use (e.g., a protected, such as SOME / IP) service D.

[0073] In other exemplary embodiments, the token TOK may be, for example, a codeword of a linear error-correcting code, which itself is kept confidential. In this case, in other exemplary embodiments, the token TOK may be formed based on the shared secret SS using, for example, a linear error-correcting code.

[0074] In other exemplary embodiments, see Figure 7 The method is defined as having at least one of the following elements: a) providing a shared secret SS, for example, a unique shared secret, for the at least two network elements 11, 12, or for all network elements 11, 12, 13; b) providing a shared secret SS, for example, a shared secret SS, for a network element 11 designed as a server and at least one network element 12 designed as a client, for example, providing a shared secret SS for a SOME / IP server 11 and at least one client 12 associated with the SOME / IP server when using the SOME / IP protocol; c) providing a different shared secret SS, for some of the at least two network elements.

[0075] In other exemplary embodiments, it may be specified that at least one network element, such as (SOME / IP) route manager 13, sends or forwards all or some (e.g., corresponding to a pre-defined standard) tokens (TOKs) to the recording device AZE. In other exemplary embodiments, this sending or forwarding may also be implemented as a call or request to route manager 13 (e.g., for service D), associated with a valid token (TOK), and such calls or requests are permitted, for example, according to rules that route manager 13 can check. In this way, in other exemplary embodiments, detailed reports (BERs) or log files may be generated, specifying, for example, which network element, for example, when, where / to whom / for example, to which route manager 13, made what kind of call / request.

[0076] In other exemplary embodiments, the shared secret SS may be shared or used by all servers and clients in network 10, for example.

[0077] In other exemplary implementations, for example, a shared secret SS can be provided for pre-defined groups of servers and / or clients and / or routing managers, thereby defining different authorized groups, which may each have different (or the same) network elements.

[0078] In other exemplary embodiments, hybrid approaches are also conceivable, which combine aspects of the two aforementioned aspects. For example, unique shared secrets for some servers and clients (e.g., according to one or more security rules, such as SOME / IP security rules, e.g., those servers and clients with higher privileges) are conceivable, as are unique shared secrets (or a smaller set of shared secrets, e.g., one per network segment or function group) for other network elements (e.g., servers and / or clients, e.g., those with less privileges). In this way, in other exemplary embodiments, the need for memory for shared secrets, e.g., at the routing manager 13, can be reduced, without compromising the security of the entire system, e.g., due to a successful attack on a single network element.

[0079] In other exemplary embodiments, see Figure 8 The method specifies that it involves adding a timestamp and / or counter value of 140 to a shared secret SS and / or a token TOK, thereby obtaining, for example, a correspondingly supplemented shared secret SS' or token TOK'. Optional box 142 symbolically represents the optional use of such supplemented secret SS' or token TOK'.

[0080] In other exemplary embodiments, see Figure 9 The method specifies that it receives 145 tokens TOK and TOK', and optionally evaluates 146 timestamps contained in the tokens TOK and TOK' and / or evaluates counter values. In other exemplary embodiments, this can enable the detection of replay attacks (e.g., by monitoring counter values, and / or by checking the reasonableness of timestamps or differences between timestamps and the current time or references to another timestamp (e.g., of a previous token).

[0081] In other exemplary embodiments, see Figure 10 The method is defined as follows: It provides an initial value AW of 150, where the initial value AW is, for example, a random number or a pseudo-random number; it applies a hash function HF of 152 to the initial value AW, wherein, for example, the application of the hash function HF of 152 has the following characteristics: it repeatedly applies the hash function HF of HF of 152a to the initial value or the hash value obtained therefrom, for example, performing n repetitions, where n > 1, where, for example, an nth-order hash value HW_n is obtained. For example, it applies as follows: HW_1 (first-order hash value) = HF(AW); HW_2 (second-order hash value) = HF(HW_1) = HF(HF(AW)); HW_3 (third-order hash value) = HF(HW_2) = HF(HF(HF(AW))), and so on.

[0082] In other exemplary embodiments, the method further includes sending a hash value (e.g., n-order, HW_n) obtained based on the application 152 or the repeated application 152a to the routing manager 13, for example via a secure, for example encrypted channel or in a secure environment (e.g., in a production facility) for example using the SOME / IP protocol or the SOME / IP protocol.

[0083] In other exemplary embodiments, see Figure 11 The method specifies that: based on the initial value AW, a hash value of order 160 (ni) HW_n-i is provided, for example where i < n; for example, together with or as part of a request ANFR (e.g. for service D), the hash value of order 162 (ni) HW_n-i is sent, for example, through client 12.

[0084] In other exemplary embodiments, see Figure 12 The method specifies that it receives, for example, a hash value of order 165 (ni) or the hash value of order (ni) HW_n-i, where i < n, either via server 11, either with or as part of a request, from client 11; and optionally, checks the hash value of order (ni) 166, where see Figure 13For example, the check 166 on the (ni)th order hash value has: the hash function HF ( Figure 10 The i-th application of 166a to the (ni)-th order hash value HW_n-i, or the hash value obtained therefrom, is compared 166b with the check hash value obtained by the i-th application of 166a to the hash function HF. In other exemplary embodiments, as long as the check hash value matches the n-th order hash value, it can be inferred, for example, that the sender of the (ni)-th order hash value possesses the initial value and is therefore, for example, a legitimate party to the network or a legitimate user of the network.

[0085] In other exemplary embodiments, the method is further specified to include, for example, discarding the nth-order hash value or the nth-order hash value based on the comparison 166b; and / or storing the (ni)th-order hash value 166d. Thus, in other exemplary embodiments, future checks on (nk)th-order hash values, for example, where (nk) > (ni), can be performed more efficiently.

[0086] Figure 14 A signaling diagram according to other exemplary embodiments is shown. Element e1 symbolically represents: the client 14 forming an n-order hash value; element e2 symbolically represents: sending the n-order hash value to the server 13; element e3 symbolically represents: storing the n-order hash value, for example, for later use; element e4 symbolically represents: the client 14 sending a (ni)-order hash value to the server 13; element e5 symbolically represents: the server 13 checking the (ni)-order hash value, for example, by applying the hash function HF i times to the (ni)-order hash value or the hash value obtained therein and comparing it with the n-order hash value stored according to element e3. Element e6 symbolically represents: for example, when check e5 is positive (verifying that the hash value corresponds to the n-order hash value), storing the (ni)-order hash value (and discarding the n-order hash value previously stored according to element e3 if necessary). Element e7 symbolically represents: the server 13's response to the client 14, for example, based on the positive check e5.

[0087] In other exemplary embodiments, see Figure 15 The method further includes, for example, using a digital signature DS based on the shared secret SS. Thus, in other exemplary embodiments, for example, mutual authentication between network elements 11, 12, 13, and 14 can also be performed. Block 172 symbolically represents: optionally, service D is provided after positive authentication by means of the digital signature DS.

[0088] For other exemplary implementations, see Figure 16The invention relates to an apparatus 200 for performing the methods described according to these embodiments, wherein, in particular, the apparatus 200 has at least one computing device (“computer”) 202 and a storage device 204 allocated to the computing device 202 for at least temporarily storing data DAT and / or computer program PRG.

[0089] Storage device 204 may have, for example, volatile memory 204a (e.g., working memory, i.e., RAM) and / or non-volatile memory 204b (e.g., flash EEPROM).

[0090] In other exemplary embodiments, the device 200 is specified to have a data interface 206, preferably a bidirectional data interface.

[0091] Other exemplary embodiments relate to a computer-readable storage medium SM that includes instructions PRG that, when executed by a computer 202, cause the computer to perform the methods described according to these embodiments.

[0092] Other exemplary embodiments relate to a computer program PRG that includes instructions that, when executed by a computer 202, cause the computer to perform the methods described according to these embodiments.

[0093] Other exemplary embodiments relate to a data carrier signal DCS that transmits and / or represents a computer program PRG as described in these embodiments. In other exemplary embodiments, the data carrier signal DCS can be transmitted, for example, via an optional data interface 206 of the device 200 (e.g., elements of service D or shared secrets SS or message authentication codes MAC or tokens TOK).

[0094] Other exemplary implementations relate to network elements 11, 12, and 13 for transmitting data in a network 10 using a service-oriented protocol. Figure 1 For example, network element 11 can provide at least one service D, and the network element has at least one device 200 according to these embodiments.

[0095] In other exemplary embodiments, the network element is specified as server 11, such as SOME / IP server 11.

[0096] In other exemplary embodiments, the network element is specified as client 12, such as SOME / IP client 12.

[0097] In other exemplary embodiments, the network element is specified as a routing manager 13, such as a SOME / IP routing manager 13.

[0098] In other exemplary embodiments, network elements 11, 12, and 13, such as server 11, client 12, or routing manager 13, are designed to at least temporarily perform at least one aspect of the method described above in the exemplary embodiments.

[0099] Other exemplary implementations relate to a network 10 using a service-oriented protocol, particularly a SOME / IP-based network 10, which has at least one device 200 as described in these implementations and / or at least one network element 11, 12, 13 as described in these implementations.

[0100] For other exemplary implementations, see Figure 17 This relates to the application 300 of at least one of the following elements: a) enhancing the security of data transmission in a network 10 using a service-oriented protocol, particularly the SOME / IP protocol; b) verifying data transmission in the network and / or the network element or the network element or the network element's authorization or authenticity; c) blocking or preventing the provision and / or use and / or implementation of unauthorized services; d) protecting the routing manager 13 for the network using a service-oriented protocol; e) restricting the group of network elements that can use a pre-defined service; f) monitoring communication in the network, such as monitoring whether a particular client registers to use a service and / or whether a particular client exits the service, and / or monitoring and / or recording whether a service is provided and / or whether a network element stops providing services.

[0101] Figure 18 A simplified block diagram illustrating other exemplary embodiments is shown schematically. Element e10 symbolically represents a SOME / IP routing manager; element e11 symbolically represents at least one SOME / IP server or client; element e11' symbolically represents, for example, a request AR authenticated based on the shared secret SS, as in these embodiments, for example, a request D ( Figure 1 ) request.

[0102] Element e12 symbolically represents an optional security device, such as what might be called a "security monitor" ( security monitorThe security device e12 is, for example, connected to or capable of connecting to the routing manager e10. In other exemplary embodiments, the security device e12 is designed to: check the authenticity and / or integrity of, for example, requests to the routing manager e10, such as SOME / IP requests. In other exemplary embodiments, the security device e12 may, for example, have according to Figure 16 The device 200 or at least a portion of the device's functionality. Optionally, in other exemplary embodiments, one or more rules e12', such as security rules, may be provided, for example, to control the operation of the security device e12, such as notifying the security device e12 which client is allowed to request or use which services D.

[0103] Element e12 exemplarily and symbolically represents an optional detection or recording device, designed, for example, to record (e.g., unsuccessful or all) authentication attempts, such as those performed by security device e12. In other exemplary embodiments, detection or recording device e12 is designed, for example, to send unsuccessful authentication attempts to a Security Information and Event Management (SIEM) system, which operates, for example, in the background. In other exemplary embodiments, one or more rules e13' may be provided, such as logging and / or forwarding rules, which control, for example, the operation of detection or recording device e12, wherein the rules e13' specify, for example, how the detection or recording can be performed on pre-defined events (e.g., standard log files, security or verbose log files). For example, rule e13' may specify that only unsuccessful authentication attempts related to a pre-defined (SOME / IP) service D are logged or forwarded to the background.

Claims

1. A method for transmitting data in a network (10) using a service-oriented protocol, wherein a network element (11) is capable of providing at least one service (D), the method comprising the steps of: providing (100) a shared secret (SS) for at least two network elements (11, 12); and using (102) the shared secret (SS). The method comprises: providing (150) an initial value (AW), wherein the initial value (AW) is a random number or a pseudo-random number; applying (152) a hash function (HF) to the initial value (AW), wherein the application (152) of the hash function comprises: repeatedly applying (152a) the hash function to the initial value (AW) or the hash value (HW) obtained therefrom, for n times, n > 1, wherein an n-order hash value (HW_n) is obtained. The method wherein the method comprises: providing a (160) (ni) order hash value (HW_n-i) based on the initial value (AW), where i < n; and sending (162) the (ni) order hash value (HW_i) together with or as part of the request (ANFR). The method further comprises: receiving (165) the (ni)-order hash value (HW_n-i) together with or as part of the request (ANFR), where i < n; and optionally, checking (166) the (ni)-order hash value (HW_n-i), wherein the checking (166) of the (ni)-order hash value (HW_n-i) comprises: applying (166a) the hash function i times to the (ni)-order hash value (HW_n-i) or the hash value obtained therefrom, and comparing (166b) the check hash value obtained by applying the hash function i times (166a) with the n-order hash value (HW_n). The method further comprises: discarding (166c) the nth-order hash value (HW_n) based on the comparison (166b); and / or storing (166d) the (ni)th-order hash value (HW_n-i).

2. The method according to claim 1, further comprising: using the shared secret (SS) of (102a) for authentication.

3. The method according to claim 2, the method further comprising: using the shared secret (SS) (102a) to authenticate the first network element (11) of the at least two network elements (11, 12) with respect to the second network element (12) of the at least two network elements (11, 12).

4. The method according to any one of claims 1 to 3, wherein providing (100) the shared secret (SS) has at least one of the following elements: a) receiving (100a) the shared secret (SS) from another network element; b) forming (100b) the shared secret (SS); c) sending (100c) the shared secret (SS) to at least one other network element.

5. The method according to any one of claims 1 to 3, wherein the service-oriented protocol is an IP-based scalable service-oriented middleware protocol, namely the SOME / IP protocol.

6. The method according to any one of claims 1 to 3, wherein the method comprises: generating (110) a message authentication code (MAC) and / or a token (TOK) based on the shared secret (SS).

7. The method of claim 6, wherein the method comprises: sending (112) the Message Authentication Code (MAC) or a token (TOK) having the Message Authentication Code and at least one other information (WI), wherein the at least one other information is at least one of the following elements: a) a random number (ZZ); b) a pseudo-random number (PZZ); c) a string (ZK); d) an identifier (ID); e) a serial number (FN); f) a timestamp (ZST); g) application-based information (ABI).

8. The method according to claim 7, wherein the identifier (ID) is an identifier of the network element that is transmitting.

9. The method according to any one of claims 1 to 3, wherein the method comprises: receiving (120) a message authentication code.

10. The method according to claim 9, wherein the method comprises: using the message authentication code (122) based on the shared secret (SS).

11. The method according to any one of claims 1 to 3, the method comprising: sending (124) a message authentication code and / or the shared secret (SS) and / or information derived from the message authentication code and / or the shared secret (SS) to at least one other device.

12. The method of claim 11, wherein the at least one other device is a recording device (AZE).

13. The method according to any one of claims 1 to 3, the method comprising: receiving (126) a message authentication code and / or the shared secret (SS) and / or information derived from the message authentication code and / or the shared secret (SS).

14. The method according to any one of claims 1 to 3, the method comprising: creating (128) at least one report (BER) and / or log file with respect to at least one message authentication code and / or shared secret (SS) sent and / or received.

15. The method according to any one of claims 1 to 3, wherein the method comprises at least one of the following elements: a) providing (130) a shared secret (SS) for the at least two network elements (11, 12); b) providing (132) a shared secret (SS) for a network element designed as a server and at least one network element designed as a client, and providing a shared secret (SS) for a SOME / IP server and at least one client associated with the SOME / IP server when using the SOME / IP protocol; c) providing (134) different shared secrets (SS) for some of the at least two network elements (11, 12).

16. The method of claim 15, wherein the shared secret (SS) is a unique shared secret.

17. The method according to any one of claims 1 to 3, the method comprising: adding (140) timestamp and / or counter values ​​to the shared secret (SS) and / or to the token (TOK).

18. The method according to any one of claims 1 to 3, the method comprising: receiving (145) a token (TOK; TOK'), and optionally evaluating (146) a timestamp and / or evaluating a counter value contained in the token (TOK; TOK').

19. The method according to any one of claims 1 to 3, the method further comprising: sending (154) the hash value (HW) obtained based on the application (152) or based on the repeated application (152a) to the routing manager via a secure channel or in a secure environment using the SOME / IP protocol.

20. The method of claim 19, wherein the secure channel is a secure encrypted channel.

21. The method according to any one of claims 1 to 3, the method further comprising: using (170) digital signature (DS) based on the shared secret (SS).

22. An apparatus (200) for performing the method according to any one of claims 1 to 21, wherein the apparatus (200) has at least one computing device (202) and a storage device (204) allocated to the computing device (202) for at least temporarily storing data (DAT) and / or computer programs (PRG).

23. A network element (11, 12, 13) for transmitting data in a network (10) using a service-oriented protocol, wherein the network element (12) is capable of providing at least one service (D), the network element having at least one device (200) according to claim 22.

24. The network element (11, 12, 13) according to claim 23, wherein the network element (11, 12, 13) is a server; or a client; or a routing manager.

25. The network element (11, 12, 13) according to claim 24, wherein the server is a SOME / IP server.

26. The network element (11, 12, 13) according to claim 24, wherein the client is a SOME / IP client.

27. The network element (11, 12, 13) according to claim 24, wherein the routing manager is a SOME / IP routing manager.

28. A network (10) using a service-oriented protocol, the network having at least one device (200) according to claim 22 and / or at least one network element (11, 12, 13) according to any one of claims 23 to 27.

29. The network (10) according to claim 28, wherein the network (10) is a SOME / IP-based network.

30. A computer-readable storage medium (SM) comprising instructions (PRG) that, when executed by a computer (202), cause the computer to perform the method according to any one of claims 1 to 21.

31. A computer program product comprising a computer program (PRG) including instructions that, when executed by a computer (202), cause the computer to perform the method according to any one of claims 1 to 21.

32. A data carrier signal (DCS) that transmits and / or characterizes a computer program (PRG), the computer program including instructions that, when executed by a computer (202), cause the computer to perform the method according to any one of claims 1 to 21.

33. The application (300) of the method (200) according to any one of claims 1 to 21 and / or the device (200) according to claim 22 and / or the network element (11) according to any one of claims 23 to 27 and / or the network (10) according to claim 28 or 29 and / or the computer-readable storage medium (SM) according to claim 30 and / or the computer program product according to claim 31 and / or the data carrier signal (DCS) according to claim 32 for at least one of the following elements: a) improving (302) the security of data transmission in the network (10) using a service-oriented protocol; b) checking (304) the data transmission in the network (10) and / or the authorization or authenticity of the network element (11, 12, 13) or network element (11, 12, 13); c) blocking (306) or preventing the provision and / or use and / or implementation of unauthorized services; d) protecting (308) the routing manager for the network (10) using a service-oriented protocol; e) (310) restricts (312) the use of network elements that can be given in advance; (f) monitors (312) the communication in the network (10).

34. The application (300) according to claim 33, wherein the service-oriented protocol is the SOME / IP protocol.

35. The application (300) according to claim 33 or 34, wherein the monitoring (312) of communication in the network (10) is monitoring whether a particular client registers to use the service (D) and / or whether a particular client exits the service (D), and / or monitoring and / or recording whether the service is provided (D) and / or whether the network element stops providing the service (D).