Method for securing an electronic clock, device, vehicle and associated systems
The method secures electronic clock synchronization in microprocessors by receiving secure time from multiple entities and comparing time differences, addressing drift and unauthorized access issues, ensuring precise and secure synchronization.
Patent Information
- Authority / Receiving Office
- FR · FR
- Patent Type
- Applications
- Current Assignee / Owner
- AMPERE SAS
- Filing Date
- 2024-12-09
- Publication Date
- 2026-06-12
AI Technical Summary
Electronic clocks in microprocessors, such as those in motor vehicles, are susceptible to drift and can be exploited by fraudsters to launch unauthorized access or secure functionalities through falsified synchronization times.
A method involving secure time reception from a first entity, determination of a confidence time, synchronization time reception from a second entity, and comparison of time differences to control synchronization, ensuring secure and precise clock synchronization even when synchronization time is unavailable.
Ensures secure and precise synchronization of electronic clocks by accounting for time availability and accuracy, preventing unauthorized access to sensitive functions, and maintaining clock synchronization despite potential delays or unavailability of synchronization time.
Smart Images

Figure 00000000_0000_ABST
Abstract
Description
Title of the invention: Method for securing an electronic clock, device, vehicle and associated systems. Technical field
[0001] The present invention relates to any device requiring the use of one hour, in particular motor vehicles, and more specifically the safety of motor vehicles. Previous technique
[0002] Microprocessors, such as those found in motor vehicles, have an electronic clock (in other words: a digital clock) capable of providing the time. This time is used by these microprocessors during program execution, for example to grant access to sensitive (such as time-sensitive AD / AS functions like V2X use cases) or secure functionalities of these microprocessors.
[0003] However, such an electronic clock is susceptible to drift. When high time accuracy is required, the electronic clock is synchronized using a synchronization time received from outside the motor vehicle. A fraudster introducing a falsified synchronization time could then launch an attack against the microprocessors, resulting in illicit actions by the microprocessors, for example, unauthorized access to sensitive or secure microprocessor functions. Description of the invention
[0004] The invention aims to remedy this drawback and relates to a method for securing an electronic clock, for example implemented in a motor vehicle, comprising the following securing steps:
[0005] a) Secure reception of a secure time from a first entity via a first communication (in other words, via a first communication channel), for example, radio frequency or wired, then
[0006] b) Determination of a confidence time, the confidence time being the secure time or being obtained from the secure time,
[0007] c) Receiving a synchronization time from a second entity, different from the first entity, via a second communication (different from or identical to the first radio frequency communication) (in other words, via a second communication channel, for example different from or identical to the first communication channel), for example, radio frequency or wired,
[0008] d) Comparison of a difference between the synchronization time and the confidence time with a first threshold,
[0009] e) Electronic clock synchronization control from the synchronization time conditioned on the first threshold being greater than the difference between the synchronization time and the confidence time.
[0010] The invention makes it possible to secure the synchronization of the clock from a secure time which may be less precise than the synchronization time, because it is received less often or because of the delay in receiving this secure time, while maintaining a clock precisely synchronized from the synchronization time.
[0011] According to one embodiment, the process includes a repetition of the securing steps.
[0012] According to one embodiment, the security steps include, prior to step c, a determination of whether the synchronization time is available or unavailable (i.e., from the second entity via the second communication), steps c, d, and e being conditional upon the synchronization time being available
[0013] According to one embodiment, the security steps include, if the synchronization time is unavailable:
[0014] f) a control for synchronizing the electronic clock from the trusted time.
[0015] Thus, even when the synchronization time is unavailable, if the secure time is available, the electronic clock can be synchronized to a secure time.
[0016] The electronic clock can then be used to implement various operations in the motor vehicle, for example to verify the (temporal) validity of a cryptographic certificate.
[0017] The secure time can be determined by a first clock of the first entity or from another entity connected to the first entity. The first clock can be electronic, atomic and / or optical.
[0018] The synchronization time can be determined by a second clock of the second entity or from another entity connected to the second entity. The second clock can be electronic, atomic, and / or optical.
[0019] By synchronizing a clock from a given time, we mean, for example, in a classical way, that the clock is set to the correct time, from the given time (in other words that the clock is set to the given time).
[0020] The electronic clock is, for example, a system clock of a microprocessor. It could be a clock of the third microprocessor below, for example, a system clock of the third microprocessor below.
[0021] The secure time, or synchronization time, or trusted time, is (or may include), for example, a time called "UTC" (alternatively, it may be a time called "Unix"), and / or may include a date.
[0022] According to one embodiment, the securing steps include a determination of whether the secure time is available (i.e., from the first entity via the first communication) or unavailable, steps a, b, d and e being conditional on the secure time being available.
[0023] According to one embodiment, the securing steps include: - If the synchronization time is available and if the secure time is available; • Step e, and • A first flag is memorized (in other words: a first piece of data is memorized in memory) indicating that the electronic clock is secure, (and the second flag below is erased, if it is in memory), - If the secure time is unavailable and the synchronization time is available: • A command to synchronize the electronic clock from the synchronization time, and • A second flag is stored (in other words: a second piece of data is stored in memory) indicating that the electronic clock is not secure (and the first flag below is cleared, if it is in memory).
[0024] Of course, implicitly: - Storing the first flag includes erasing the second flag from memory, if it is stored there. - The memorization of the second flag includes the erasure of the first flag in memory, if it is in memory.
[0025] The first flag and the second flag can of course be stored in the same memory space or in different memory spaces.
[0026] According to one embodiment, step f, comprising a step of memorizing the first flag, the securing steps include, if the synchronization time is unavailable and if the secured time is available: - If the first flag is present in memory (i.e., and the process may include a check step to see if the first flag is in memory): • A comparison of the difference between the current time on the electronic clock (in other words: between the time read on the clock) and the confidence time with a second threshold, the step f being conditional on the second threshold being less than the difference between the current time on the electronic clock and the confidence time, - If the second flag is present in memory (i.e., and the process may include a check step to see if the second flag is in memory), implementation of step f.
[0027] The above embodiments make it possible to take into account the availability of the secure time and the synchronization time, while ensuring the security of the electronic clock and / or its accuracy where possible
[0028] Alternatively, the method does not take into account the availability of the secure time or the synchronization time, the securing steps being, for example, all inhibited when the secure time or the synchronization time is unavailable.
[0029] For example, secure time is unavailable when the first entity or communication is out of service, and may be available otherwise.
[0030] For example, the secure time may also be unavailable if the cryptographic signature below is not valid, or if the duration below is strictly greater than the third threshold (introduced below).
[0031] According to one embodiment, the process comprises the following steps: - Check if a flag (i.e., a piece of data) in memory indicates that the electronic clock is secure (for example, if the first flag is in memory and not the second flag) or not (for example, if the second flag is in memory and not the first flag), then: • If the flag in memory indicates that the electronic clock is not secure, an operation will be inhibited, and / or • If the flag in memory indicates that the electronic clock is secure, the operation is implemented.
[0032] The operation can be implemented from one hour on the electronic clock. This could be, for example, a verification of a cryptographic certificate with an expiry date (compared to the time on the electronic clock, to determine whether the cryptographic certificate is valid or not), or an operation implemented from such a cryptographic certificate, such as cryptographic authentication from the certificate (more precisely, from the public key contained in the certificate).
[0033] For example, the synchronization time is unavailable when the second entity or the second communication is out of service, and may be available otherwise.
[0034] According to one embodiment, the synchronization time comes from a geolocation satellite, which may be part of, for example, a system called "GPS" or "Galileo" or "Glonass", for example in a frame called "NMEA".
[0035] The synchronization time can, of course, come from another type of second entity.
[0036] The synchronization time can also be received by a communication according to the protocol standardized by the IEEE-1588 standard and known by the acronym "PTP".
[0037] According to a first embodiment, secure reception comprises the following steps: - Sending a random number to the first entity, and - A countdown begins, starting from the time the random number is sent. - Then, a message is received from the first entity containing a cryptographic signature, a number, and a time. The cryptographic signature is a signature of a portion of the message containing the time and number, and is generated, for example, using a private key from the first entity. - Then, the first verification takes place: • Cryptographic signature. As is known, this step can include a decryption step of the cryptographic signature, for example from the public key of the first entity whose private key was used to sign the received message, • That the duration is less than a third threshold, and • That the number included in the message is a random number. • The secure time is the time, if the first check has a positive result (i.e., if the message signature is validated, if the duration is less than the third threshold, and if the number contained in the message is a random number).
[0038] The third threshold depends, for example, on the latency of the first communication, for example, of the radio frequency type.
[0039] The verification that the duration is less than the third threshold and that the number is the random number ensures that an attacker has not intercepted the message in order to retransmit the secure time or to transmit the secure time later.
[0040] Alternatively, a common session key can be established with the first entity, for example so as to receive the signed secure time from the session key.
[0041] For example, the secure steps are implemented by a third microprocessor.
[0042] For example, the method includes a step during which the secure time passes through a first microprocessor of the motor vehicle, between the first entity and the third microprocessor (for example, connected to the third microprocessor via wired connections in the vehicle), during the secure reception step.
[0043] For example, all messages, and for example the secure time, communicated by the first microprocessor to the third microprocessor are decomposed, analyzed and then reconstructed by a second microprocessor in order to secure these messages.
[0044] For example, the first microprocessor has a lower level of security than the second microprocessor, which is itself lower than the third microprocessor.
[0045] Security levels are well known to those skilled in the art. A security level corresponds to the time it takes for an attacker to find a vulnerability in software or hardware and to exploit it to achieve an objective, for example, in the automotive field, such as extracting personal data or triggering an unwanted event that compromises the operational safety of the vehicle. The higher the security level, the longer it takes to find and exploit a vulnerability. By extension, the lower the risk associated with the attacker's objective.
[0046] According to one embodiment, the security steps include a transmission of a time read from the electronic clock to microprocessors, and the method includes a step of synchronizing a clock of each of the microprocessors, by said each of the microprocessors, from the time read from the electronic clock.
[0047] According to one embodiment, the secure reception of the secure time is from a server, and / or via a network, for example, a mobile phone network (in other words, during the secure time reception step, the secure time is received from a server, and / or via a mobile phone network).
[0048] Alternatively, the secure time can be received in another way or by another entity.
[0049] According to one embodiment, the method comprises synchronizing a trusted electronic clock from the secure time upon receipt of the secure time at a first instant, the trusted time being obtained by reading the trusted clock at a second instant after the first instant (for example, the second instant is the receipt of the synchronization time).
[0050] The trust clock is for example a virtual clock based on the electronic clock or is an independent clock.
[0051] Alternatively, the security steps include, upon secure receipt of the secure time, a step of calculating the offset value where offset = T - Hll, where T is the secure time and Hll is the time read from the electronic clock at a first instant. The confidence time, denoted Hc, is then obtained by calculating Hc = offset + H12, where H12 is the time read from the electronic clock at a second instant after the first instant.
[0052] According to one embodiment, the secure reception of the secure time (or the securing steps) is repeated (for example periodically), for example with a duration of between 1 hour and 6 months between two secure receptions of the secure time.
[0053] According to one embodiment, the reception of the synchronization time is repeated (for example periodically), for example with a duration of between 2 (or 5) seconds and 1 hour between two receptions of the synchronization time.
[0054] According to one embodiment, the reception of the synchronization time is repeated with a first frequency and the secure reception of the secure time is repeated with a second frequency strictly lower than the first frequency.
[0055] Thus, it is possible to synchronize the clock of a microprocessor very precisely and cheaply from the synchronization time obtained with a high frequency while ensuring satisfactory security thanks to a secure time obtained with a lower frequency but more resource-intensive (computing, communication for example) than the synchronization time.
[0056] Alternatively, the secure reception of the secure time can be simultaneous with the reception of the synchronized time.
[0057] According to one embodiment, the first threshold (and / or the second threshold and / or the third threshold) is between 2 seconds and 48 hours. Of course, the first threshold can alternatively take other values.
[0058] The invention also relates to a computer program comprising instructions, executable by a microprocessor or a microcontroller (or a computer), for the implementation of the method according to the invention, when executed by the microprocessor or the microcontroller (or the computer).
[0059] The invention also relates to an electronic device (or a motor vehicle) configured to implement the steps of the process according to the invention, as well as a motor vehicle comprising the electronic device.
[0060] The invention also relates to a system comprising the electronic device, a first entity capable of emitting the secure time, and a second entity capable of emitting the synchronization time (for example to the third microprocessor).
[0061] Although they are not repeated here, the advantages and characteristics of the device, vehicle and system are identical (mutatis mutandis) to those of the above method. Brief description of the drawings
[0062] The invention will be better understood upon reading the detailed description that follows, the non-limiting examples of its implementation, and upon examination of the accompanying drawings, in which:
[0063] [Fig-1] represents an electronic device and a system according to a mode of realization of the invention.
[0064] [Fig.2] represents a method, according to an embodiment of the invention, put into work by the electronic device and / or the system of the [Fig.l]. Detailed description
[0065] Figure 1 represents a system 1000. The system may include: - A 500' receiver, which is a satellite receiver, - A 500 receiver, which is a mobile phone receiver, - A 700' satellite that is part of a satellite geolocation system, for example of the so-called "GPS" type, capable of communicating with the 500' receiver and including a 710' atomic clock, - A trusted server 700 capable of communicating with the receiver 500 via a mobile telephone network 900 of system 1000, and comprising an electronic clock 710, - The 600 microprocessor, including a 610 clock, - Microprocessor 100, microprocessor 200, and microprocessor 300 including an electronic clock 310 and a clock 310'.
[0066] Microprocessor 100, microprocessor 200, microprocessor 300, microprocessor 600, receiver 500, and receiver 500' are part of the same motor vehicle (not shown).
[0067] The microprocessor 100, the microprocessor 200, the microprocessor 300, and the microprocessor 600 are capable of implementing various communication, detection and control functions of motor vehicle components.
[0068] With reference to [Fig.2], at step S00, the microprocessor 300 sends a request including a random number alea300 to the trusted server 700 which receives it.
[0069] At step S10, the microprocessor 300 starts a countdown of a duration since the sending of the random number alea300 at step S00.
[0070] At step S20, after signing the message m700, which includes the random number alea300 and the time thne700 obtained by reading the electronic clock 710, with its private key prv700 to obtain the signature sign700, the trusted server 700 sends the message m700 to the microprocessor 300, which receives it. The message m700 includes the signature sign700, the time thne700, and the random number alea300.
[0071] At step S30, the microprocessor 300 checks the cryptographic signature sign700 of the message m700 using the public key pub700, and whether the number contained in the message m700 is equal to the random number alea300.
[0072] At step S40, the microprocessor 300 checks that the time elapsed since step S00 is less than, for example, 10 seconds.
[0073] If the microprocessor 300 has determined, at step S30, that the cryptographic signature sign700 is valid and that the number contained in the message m700 is equal to the random number alea300 and, at step S40, that the time elapsed since step S00 is less than, for example, 10 seconds, at step S50 the microprocessor 300 synchronizes the electronic clock 310' from the secure time thne700 (in other words: the electronic clock 310' is set to the secure time thne700).
[0074] At step S60, the microprocessor then stores the dr310 and dr311 flags indicating respectively that the electronic clock 310' is respectively available and updated, which is equivalent to saying that the secure time is available.
[0075] In a step S60', following step S10, if the microprocessor 300 determines that the server 700 has not responded to the request (in other words: if the server 700 is not available) or following step S40, if the microprocessor 300 has determined, in step S30, that the cryptographic signature sign700 is not valid or that the number contained in the message m700 is not the random number alea300 or, in step S40, that the duration is strictly greater than, for example, 10 seconds, the microprocessor 300 rejects the message m700, then stores the flag dr310' and the flag dr311' indicating respectively that the electronic clock 310' is unavailable and not updated.
[0076] At step S70 (following step S60 or S60'): • either the microprocessor 300 receives, for example via radio communication from satellite 700', the synchronization time thne700' in a message m700', the microprocessor then stores the flag dr320 indicating that the synchronization time is available. • Either the 300 microprocessor does not receive the m700' message. The unavailability may be due to a lack of GNSS coverage or a failure, or a compromise of a time-carrying component. The microprocessor then stores the dr320' flag, indicating that the synchronization time is unavailable.
[0077] At step S80, following step S60, if the electronic clock 310' is available and updated (i.e., the dr310 and dr311 flags have been stored), and, following step S70, if the synchronization time is available (i.e., the dr320 flag has been stored), the microprocessor 300 reads the trusted time from the clock of electronics 310' and at stage S90, the microprocessor 300 then calculates the difference between the confidence time and the synchronization time thne700', and compares it for example to one minute.
[0078] At step S100, if the microprocessor 300 determines that this difference is less than, for example, 1 minute, then the microprocessor 300 commands the synchronization of the electronic clock 310 from the synchronization time 'time700' and stores the flag 'dr300' indicating that the electronic clock 310 is secure. The process then continues to step S120.
[0079] At step SI 10, if the microprocessor 300 determines that this difference is strictly greater than, for example, 1 minute, then the electronic clock 310 and the flags dr300 and dr300' remain unchanged. The process then continues to step S120.
[0080] At step S80', following step S60, if the electronic clock 310' is available and updated (i.e., the dr310 and dr311 flags have been stored), and, following step S70, if the synchronization time is unavailable (i.e., the dr320' flag has been stored), the microprocessor 300 then determines whether the electronic clock 310 already has a secure time by reading whether the dr300 or dr300' flag has been stored: • If the electronic clock 310 does not already have a secure time (i.e., the dr300' flag has been previously stored (typically upon initial startup or following a power outage)), the microprocessor 300 then commands the synchronization of the electronic clock 310 from the secure time of the electronic clock 310' and stores the dr300 flag indicating that the electronic clock 300 is secure. The process then continues to step S120. • If the 310 electronic clock already has a secure time setting (i.e., the dr300 flag has been previously stored): • The microprocessor 300 then calculates the difference between the time on the electronic clock 310 and the confidence time on the electronic clock 310', and compares it, for example, to a duration of 15 minutes: • If the difference is strictly greater than 15 minutes, the microprocessor 300 then commands the synchronization of the electronic clock 310 from the trusted time of the electronic clock 310' and stores the flag dr300 indicating that the electronic clock 300 is secure. The process then continues to step S120. If the difference is less than or equal to 15 minutes, then the electronic clock 310 and the flags dr300 and dr300' remain unchanged. The process then continues to step S120.
[0081] At step S80, following step S60, if the electronic clock 310 is unavailable and not updated (i.e., the dr310 and dr311 flags have been stored), and, following step S70, if the synchronization time is available (i.e., the dr320 flag has been stored), then the microprocessor 300 commands the electronic clock 310 to synchronize with the time700 and stores the dr300 flag, indicating that the electronic clock 310 is not secure. The process then continues at step S120.
[0082] At step S120, the microprocessor 300 transmits a time read in the electronic clock 310, the flag dr300' or the flag dr300 to the microprocessor 600 (NB: the figure represents the flag dr300' and the flag dr300 to facilitate reading of [Fig.1], but in the embodiment of the process of [Fig.2], they do not coexist in the memory of the microprocessor 300).
[0083] At step S130, the microprocessor 600 synchronizes its clock 610 with the received time, and stores the dr300' flag or the dr300 flag.
[0084] At step S140, any cryptographic operation performed using a certificate containing an expiration date in microprocessor 600 or any other microprocessor in the vehicle is then conditional upon the state of the dr300' flag. For example, the diagnostic tool 800 connected to microprocessor 600 sends microprocessor 600 a certificate cert800, certified using the private key priv800, and a public key pub800. If the microprocessor determines that it has dr300' in memory, microprocessor 600 inhibits the use of certificate cert800. Conversely, if the microprocessor determines that it has dr300 in memory, microprocessor 600 authorizes the verification and use of certificate cert800.
[0085] It can be noted that during the S20 step, the message m700 passes through the receiver, for example of type radio 500, and the microprocessor 100.
[0086] All messages communicated by microprocessor 100 to microprocessor 300 are decomposed, analyzed and then reconstructed in such a way as to secure these messages, by microprocessor 200.
[0087] For example, microprocessor 100 has a lower level of security than microprocessor 200, which is itself lower than microprocessor 300.
[0088] For example, steps S00 to S60 are repeated once a week and steps S70 to SI 10 every 5 seconds.
[0089] For example, steps S00 to S120 can be implemented or controlled by a computer program in memory of the microprocessor 300 when it is executed by the microprocessor 300.
Claims
Demands
1. A method for securing an electronic clock (310), comprising the following securing steps: - a) Securely receiving a secure time (time700) from a first entity (700) via a first communication, - b) Determining a trust time, the trust time being the secure time or being obtained from the secure time (thne700), - c) Receiving (S70) a synchronization time (thne700') from a second entity (700'), different from the first entity (700), via a second communication, - d) Comparing (S90) a difference between the synchronization time (thne700') and the trust time with a first threshold,- e) Synchronization command (S 100) of the electronic clock (310) from the synchronization time conditioned on the first threshold being greater than the difference between the synchronization time (time700') and the confidence time.
2. A method according to the preceding claim comprising a repetition of the securing steps.
3. A method according to any one of the preceding claims, the securing steps comprising, prior to step c, a determination of whether the synchronization time (time700') is available, or unavailable, steps c, d, and e being conditioned on the synchronization time (time700') being available.
4. Method according to the preceding claim the securing steps comprising, if the synchronization time (time700') is unavailable: - f) a synchronization command of the electronic clock (310) from the trusted time.
5. A method according to any one of the preceding claims, the securing steps comprising a determination of whether the secured time (thne700) is available or unavailable, steps a, b, d and e are conditional on the secure time (time700) being available.
6. Method according to the preceding claim and claim 3, the securing steps, comprising: - If the synchronization time (thne700') is available and if the secured time (time700') is available; • Step e, and • A storage, of a first flag (dr300) indicating that the electronic clock (310) is secured, - If the secured time (thne700) is unavailable and if the synchronization time (thne700') is available: • A synchronization command of the electronic clock (310) from the synchronization time, and • A storage, of a second flag (dr300') indicating that the electronic clock (310) is not secured.
7. Method according to the preceding claim and claim 2 and claim 4, step f, comprising a storage of the first flag, the securing steps comprising, if the synchronization time (time700') is unavailable and if the secure time (thne700) is available: - If the first flag (dr300) is present in memory: • A comparison (S80') of a difference between a current time of the electronic clock (310) and the confidence time with a second threshold, step f being conditioned on the second threshold being less than the difference between the current time of the electronic clock (310) and the confidence time, - If the second flag (dr300') is present in memory, implementation of step f.
8. A securing method according to any one of the preceding claims, wherein: - The reception of the synchronization time (time700') is from a geolocation satellite, or - The secure reception of the secure time is from a server (700), via a mobile telephone network (900).
9. A security method according to any one of the preceding claims, wherein the secure reception comprises the following steps: - Sending (S00) a random number (alea300) to the first entity, and - Starting a countdown (S20) of a duration since the sending of the random number (alea300), - Then, receiving (S20), from the first entity, a message comprising a cryptographic signature (sign700), a number, and a time, the cryptographic signature (sign700) being a signature of a part of the message comprising the time and the number, - Then, first verification: • Of the cryptographic signature (sign700), • That the duration is less than a third threshold, and • That the number included in the message is the random number (alea300), The secure time (time700) being the time, if the first verification has a positive result.
10. A security method according to any one of the preceding claims comprising a synchronization (S50) of a trusted electronic clock (310') from the secured time (time700), the trusted time being obtained by a reading of the trusted electronic clock (310').
11. A securing method according to any one of the preceding claims, wherein: - The secure reception of the secure time (time700) is repeated, for example with a duration of between 1 hour and 6 months between two secure receptions of the secure time (time700), or - The reception of the synchronization time (time700') is repeated, for example with a duration of between 2 seconds and 1 hour between two receptions of the synchronization time (time700'), or - The reception of the synchronization time (time700') is repeated with a first frequency and the secure reception of the secure time (time700) is repeated according to a second frequency strictly lower than the first frequency.
12. Computer program comprising instructions, executable by a microprocessor or microcontroller, for implementing the method according to any one of claims 1 to 11, when executed by the microprocessor or microcontroller.
13. Electronic device (300) configured to carry out the steps of the process according to any one of claims 1 to 11.
14. Motor vehicle comprising the electronic device (300) according to the preceding claim.
15. System comprising the electronic device (300) according to claim 13, a first entity (700) capable of emitting the secure time (thne700), and a second entity (700') capable of emitting the synchronization time (thne700').