Proceedings 2002/2003 - IRSE
Proceedings 2002/2003 - IRSE
Proceedings 2002/2003 - IRSE
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
EURORADIO AND THE RBC 35<br />
communications engineers!) – what happens next?<br />
Basically, the connection request ripples down the<br />
protocol stack, and then the layer connections ripple<br />
back up. So the Safety Layer passes the connection<br />
request to the Transport Layer, which cannot do<br />
anything until there is a Network Layer connection,<br />
then the Data Link Layer, then GSM-R.<br />
It is at this point there can be a problem. The onboard<br />
application knows all about application<br />
addresses – the ETCS-ID which when used with the<br />
ETCS-ID-TYPE is unique in the world, safely – but it<br />
knows and cares little about phone numbers (they<br />
could be different from last week to this). At the<br />
bottom of the stack, GSM-R knows all about phone<br />
numbers, but nothing about application IDs. How is<br />
the translation achieved?<br />
It is possible that the application received the<br />
number along with the ETCS-ID from a balise – the<br />
simplest solution. It may have received it from an<br />
RBC in an application message, but of course it<br />
needs a connection first to do that. Another<br />
possibility is that, as people do, it remembers<br />
associations, in a look-up table in the Transport<br />
layer. But if all else fails, it has the possibility of using<br />
a feature of the network – location-dependent<br />
addressing. As with a ‘999’ call in the UK, the<br />
network is aware of the location of the source of the<br />
call, and can route it to an appropriate local<br />
destination. Similarly, a GSM network is aware of the<br />
source’s cell, and can route the call to a pre-defined<br />
‘most-appropriate RBC’.<br />
So, the Safety layer requests a connection from the<br />
Transport layer, the Transport layer requests a<br />
connection from the Network layer and the Network<br />
layer requests a connection from the Data Link layer<br />
– except that the Data Link layer has no mechanism<br />
to cause GSM to connect. So in fact the Network<br />
layer sends the dial commands to GSM. Once GSM<br />
has connected, the Network layer can request a<br />
connection from the Data Link layer, ie the HDLC<br />
Data Link layer synchronises.<br />
Once the train’s Data Link layer receives an<br />
Unnumbered Acknowledge frame, it can confirm the<br />
connection to the Network layer, which sends<br />
confirmation to the Transport layer, which confirms<br />
the connection to the Safety layer.<br />
4.2 AUTHENTICATION<br />
It is only at this point that the Safety layer, on the<br />
train and in the RBC, can start to authenticate the<br />
end users – but why should it?<br />
It was assumed in the design of EuroRadio that the<br />
data may go over some form of ‘open’ network –<br />
that is, a network where the data is not only subject<br />
to random noise, but could also be the subject of a<br />
malicious human attack from outside or inside the<br />
Railway.<br />
Authentication uses two defences. One is random<br />
data generated at the time of connection set-up. The<br />
other is use of a ‘shared secret’ – the ‘key’ – that only<br />
the correct user will know. But how does the train<br />
know what key to use? Once again, we could use a<br />
look-up table, matching ETCS-ID against phone<br />
number and key. But now, the look-up table must be<br />
much, much larger. If a train does not know the<br />
ETCS-ID or phone number of the next RBC, it can be<br />
given this by the last RBC or a balise – but it cannot<br />
find out the key in the same way. And the same<br />
applies if an RBC does not know the key for a train<br />
arriving in its area.<br />
A process is defined in the Symmetric Key<br />
Management specification (Unisig document<br />
Subset064), but it should really come with a health<br />
warning! It should not be considered a real-time<br />
system, and is best used for a train in operation only<br />
in exceptional conditions, and preferably when the<br />
train is stationary – in fact it is likely to take so long<br />
that the train will be stationary.<br />
It requires the use of a home Key Management<br />
Centre (KMC), which could be a PC in a locked<br />
room. Trains only ever call their home KMC, so<br />
interoperability is not an issue here. Only KMCs talk<br />
directly to other KMCs. So, to take an example,<br />
assume an English train in France does not have the<br />
key for the French RBC:<br />
• the train tries to set up a connection as<br />
described above, only to find it does not have a<br />
working key;<br />
• it disconnects;<br />
• it sets up a connection to its own UK KMC and<br />
requests the key;<br />
• the UK KMC realises the key requested is within<br />
the control of the French KMC, and so sets up a<br />
connection to the French KMC;<br />
• the French KMC generates a key for use by the<br />
train and the RBC;<br />
• the French KMC then encrypts and distributes<br />
the new key to the French RBC;<br />
• when that is confirmed, the French KMC<br />
encrypts and sends the key to the UK KMC;<br />
• the UK KMC encrypts the key, and sends it to<br />
the English train;<br />
• the English train disconnects from the UK KMC,<br />
and sets up the connection to the French RBC<br />
and 20km down the line is the next French<br />
RBC…<br />
It is clear that with five connections being set up, this<br />
is a process best invoked at start-up and in<br />
emergencies. In practice, keys are likely to be<br />
created and downloaded for all RBCs likely to be<br />
encountered by a train.<br />
While on the subject of keys, of course different<br />
strategies are possible. The example above<br />
assumes the ‘normal’ situation where each pair of<br />
entities is allocated a unique key. But it would be<br />
quite possible, in a country or area, if the safety case<br />
allows it, to allocate:<br />
• the same key to all RBCs and trains;<br />
• a key for all trains of a particular type;<br />
• a key for all trains of a particular operator.<br />
This would overcome most of the problems. It really<br />
depends how careless you are – if you keep losing<br />
trains and RBCs, you need a key management<br />
policy that limits the damage to only the stolen<br />
equipment; if equipment is rarely if ever stolen, key