Key management system, communication device and key sharing method
US-2021111874-A1 · Apr 15, 2021 · US
US11477639B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-11477639-B2 |
| Application number | US-202017003894-A |
| Country | US |
| Kind code | B2 |
| Filing date | Aug 26, 2020 |
| Priority date | Aug 28, 2019 |
| Publication date | Oct 18, 2022 |
| Grant date | Oct 18, 2022 |
Abstract
A method for protected communication is provided. The method comprises defining master keys for different service domains within the scope of influence of a vehicle manufacturer, generating a master key reference for the vehicle within the range of influence of the vehicle manufacturer, securely introducing one or more cryptographic keys derived from at least one of the defined master keys, together with the associated master key reference, into the vehicle, and transmitting to an external server a message signed with one of the derived cryptographic keys, which is additionally provided with the master key reference and the current key status of the vehicle. The method further comprises deriving the at least one cryptographic key in the external server from the master key identified by the master key reference depending on the key status of the vehicle, and checking the authenticity of the signed message with the derived cryptographic key.
Claims
What is claimed is:
1. A method for protected communication between a vehicle and an external server, comprising: obtaining a number of master keys for different service domains; generating a master key reference for at least one master key of the number of master keys; storing in the vehicle at least one cryptographic key derived from the at least one master key and from a key state; storing the master key reference associated with the at least one master key and the key state in the vehicle; transmitting from the vehicle to an external server a message, signed with the cryptographic key, wherein the message is additionally provided with the master key reference and the key state of the vehicle; deriving a cryptographic key in the external server from the master key identified by the master key reference depending on the key state of the vehicle; and checking authenticity of the signed message with the derived cryptographic key by the external server.
2. The method of claim 1, wherein the message is signed with the cryptographic key that corresponds to the current key state of the vehicle.
3. The method of claim 1, wherein service domains are distinguished using one or more of criteria of vehicle make, vehicle model, year of manufacturer, and distribution country.
4. The method of claim 1, wherein different master keys are defined for different service providers or service domains.
5. The method of claim 1, wherein the external server forwards at least information on the master key reference and the key state of the vehicle to a cryptographic service provider that performs a derivation of the cryptographic key and transmits it back to the external server.
6. The method of claim 1, wherein a cryptographic service provider performs the derivation of the cryptographic key itself using a hardware security module, or sends it to another cryptographic service provider that performs the derivation of the cryptographic key using the hardware security module.
7. The method of claim 1, wherein the cryptographic key is derived for individual vehicles using a vehicle identification number.
8. The method of claim 4, wherein a key type determines properties of the key and a derivation path.
9. The method of claim 2, wherein the service domains are distinguished using one or more of criteria of vehicle make, vehicle model, year of manufacturer, and distribution country.
10. The method of claim 2, wherein different master keys are defined for different service providers or service domains.
11. The method of claim 3, wherein different master keys are defined for different service providers or service domains.
12. The method of claim 2, wherein the external server forwards at least information on the master key reference and the key state of the vehicle to a cryptographic service provider that performs a derivation of the cryptographic key and transmits it back to the external server.
13. The method of claim 3, wherein the external server forwards at least information on the master key reference and the key state of the vehicle to a cryptographic service provider that performs a derivation of the cryptographic key and transmits it back to the external server.
14. The method of claim 4, wherein the external server forwards at least information on the master key reference and the key state of the vehicle to a cryptographic service provider that performs a derivation of the cryptographic key and transmits it back to the external server.
15. The method of claim 2, wherein a cryptographic service provider performs the derivation of the cryptographic key itself using a hardware security module, or sends it to another cryptographic service provider that performs the derivation of the cryptographic key using the hardware security module.
16. The method of claim 3, wherein a cryptographic service provider performs the derivation of the cryptographic key itself using a hardware security module, or sends it to another cryptographic service provider that performs the derivation of the cryptographic key using the hardware security module.
17. A device for performing key derivations in the method of claim 1, wherein the device comprises a hardware security circuit, configured to derive a cryptographic key from a saved master key that is selected in a received message by a master key reference noted therein.
18. The device of claim 17, wherein the hardware security circuit is configured such that, to derive the key, it also takes into account a key state transmitted by the vehicle.
19. A vehicle with at least one processor, wherein the processor is configured for use in protected communication between the vehicle and an external server, and wherein the processor is further configured for: obtaining, from a protected memory area, at least one cryptographic key derived from at least one master key and a current key state; obtaining, from another memory area, a master key reference, associated with the at least one master key; obtaining, from the other memory area, a current key state of the vehicle; signing, with the derived cryptographic key, a message, wherein the message is additionally provided with the master key reference and the current key state of the vehicle; and transmitting the message to an external server to allow authentication of the signed message from the vehicle by the server.
20. A method for protected communication between a vehicle and an external server, comprising: obtaining a number of master keys for different service domains; generating a master key reference for at least one master key of the number of master keys; storing in the vehicle at least one cryptographic key derived from the at least one master key and from a key state; storing the master key reference associated with the at least one master key and the key state in the vehicle; transmitting from the vehicle to an external server a message, having an encrypted part that is encrypted with the cryptographic key, wherein the message is additionally provided with the master key reference and the key state of the vehicle, wherein the master key reference and the key state of the vehicle are transmitted unencrypted; deriving a cryptographic key in the external server from the master key identified by the master key reference depending on the key state of the vehicle; and decrypting the encrypted part with the derived cryptographic key by the external server.
21. A vehicle with at least one processor, wherein the processor is configured for use in protected communication between the vehicle and an external server, and wherein the processor is further configured for: obtaining, from a protected memory area, at least one cryptographic key derived from at least one master key and a current key state; obtaining, from another memory area, a master key reference, associated with the at least one master key; obtaining, from the other memory area, a current key state of the vehicle; encrypting, with the cryptographic key, a message, wherein the message is additionally provided with the master key reference and the current key state of the vehicle, wherein the master key reference and the key state of the vehicle are transmitted unencrypted; and transmitting the message to an external server to allow decryption of the encrypted message from the vehicle by the server.
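As an added worked example (not part of the patent text), the signed-message flow of claims 1, 7, 17 and 19 in Python: master keys stay on the manufacturer side, the vehicle holds only a key derived from master key, vehicle identification number and key state, and the server re-derives that key from the master key reference and key state the vehicle sends in the clear. The master key references, VIN, payload and the use of HMAC-SHA256 as derivation function are constructed assumptions; the encrypted variant of claims 20 and 21 is not shown.

```python
import hashlib
import hmac

# Constructed master keys, held only by the manufacturer / cryptographic service
# provider (claims 4-6) and looked up by the master key reference the vehicle quotes.
MASTER_KEYS = {
    "MK:telematics:modelX:2020:DE": hashlib.sha256(b"constructed master key 1").digest(),
    "MK:charging:modelX:2020:DE": hashlib.sha256(b"constructed master key 2").digest(),
}

def derive_key(master_key: bytes, vin: str, key_state: int) -> bytes:
    """Per-vehicle key from master key, VIN (claim 7) and key state. HMAC-SHA256 as
    the KDF is an assumption; the patent does not fix the derivation function."""
    return hmac.new(master_key, f"{vin}|state={key_state}".encode(), hashlib.sha256).digest()

def provision_vehicle(vin: str, mkref: str, key_state: int) -> dict:
    """Manufacturer-side step: derive the key and introduce it into the vehicle, which
    stores the derived key, the reference and the state but never the master key."""
    return {"vin": vin, "mkref": mkref, "key_state": key_state,
            "derived_key": derive_key(MASTER_KEYS[mkref], vin, key_state)}

def rotate(vehicle: dict) -> dict:
    """Rotation means advancing the key state; the server needs no new secret for it."""
    return provision_vehicle(vehicle["vin"], vehicle["mkref"], vehicle["key_state"] + 1)

def vehicle_sign(vehicle: dict, payload: bytes) -> dict:
    """Claim 19: sign with the derived key; send VIN, master key reference and key
    state in the clear so the server can re-derive the very same key."""
    tag = hmac.new(vehicle["derived_key"], payload, hashlib.sha256).hexdigest()
    return {"vin": vehicle["vin"], "mkref": vehicle["mkref"],
            "key_state": vehicle["key_state"], "payload": payload.hex(), "tag": tag}

def server_verify(msg: dict) -> bool:
    """Claims 1 and 17: select the master key by reference, re-derive for the quoted
    key state, and compare MACs in constant time. Any mismatch in reference, VIN,
    state or payload yields a different key or tag and fails the check."""
    master_key = MASTER_KEYS.get(msg["mkref"])
    if master_key is None:          # unknown reference: nothing to derive from
        return False
    key = derive_key(master_key, msg["vin"], msg["key_state"])
    expected = hmac.new(key, bytes.fromhex(msg["payload"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, msg["tag"])

if __name__ == "__main__":
    car = provision_vehicle("CONSTRUCTED-VIN-0001", "MK:telematics:modelX:2020:DE", 1)
    msg = vehicle_sign(car, b"status=ok;odometer=12345")
    print("genuine message verifies:", server_verify(msg))                 # True
    msg["key_state"] = 2                                                   # altered in transit
    print("message with altered key state verifies:", server_verify(msg))  # False
```

Because the key state is an input to the derivation, a message whose key state field is altered in transit, or one signed under a previous state, re-derives to a different key on the server and fails verification without any revocation list.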
CPC classification titles:
Vehicles
Using additional device, e.g. trusted platform module [TPM], smartcard, USB or hardware security module [HSM]
Generation of secret information including derivation or calculation of cryptographic keys or passwords
Key generation or derivation
Applying verification of the received information (cryptographic mechanisms or cryptographic arrangements for data integrity or data verification H04L9/32)