JP2003046536A - Vehicle use relay device and in-vehicle communication system - Google Patents

Abstract

PROBLEM TO BE SOLVED: To sufficiently prevent various in-vehicle electric devices from being unauthorizedly accessed from the outside, while simplifying wiring of an in- vehicle communication system. SOLUTION: The in-vehicle communication system 1 comprises an on-vehicle LAN 10 to which ECUs 11 to 37 in a vehicle are connected, a communication section 40 for communication with an out-vehicle device 3, and a gateway ECU 5 that is placed in between the on-vehicle LAN and the communication section and relays data communication. The gateway ECU authenticates the out-vehicle device, when write request for a program from the out-vehicle device to an ECU in the on-vehicle LAN via the communication section and enables the ECU being a program write object ECU to authenticate the out-vehicle device. Furthermore, the gateway ECU in the case of receiving communication data other than the program write request authenticates the out-vehicle device by itself, when discriminating the data are not destinated to the ECUs 31 to 37 of an AVC system network.

Description

Detailed Description of the Invention

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a vehicle relay device for relaying communication between an external device connected via a communication device and various in-vehicle electronic devices connected to an in-vehicle LAN.

[0002]

2. Description of the Related Art In recent years, particularly in automobiles, the number of various electronic devices installed in vehicles such as control devices, information devices, audio devices, etc. has been increasing, and cooperation between devices or sharing of information has become common. For the in-vehicle electronic devices that require the above, it is common to connect with a dedicated communication line so that information can be transmitted and received between the respective devices to construct an information communication network (so-called in-vehicle LAN).

Further, in recent years, with the development of a network outside the vehicle, an infrastructure for acquiring various information necessary for each device inside the vehicle from outside the vehicle has been developed. There is an increasing number of examples of connecting many in-vehicle electronic devices equipped with a wireless device for communication between vehicles to an in-vehicle LAN.

For example, a road traffic information communication system (VI)
VIC that can receive road traffic information provided by CS)
Navigation equipment that can connect to mobile phones used to collect nearby store information from S radios and the external Internet, automatic charge accounting system (ETC)
E to which an ETC radio for communicating with
For example, TC on-board device.

[0005]

However, in the conventional vehicle-mounted LAN, the radio for acquiring various information from the outside is directly connected to the device mainly using the information. However, it is inconvenient because the radio cannot be placed at a desired position in the vehicle or extra wiring is required between the radio and the device.

To solve this problem, for example,
A device in an in-vehicle LAN that directly connects a wireless device to the in-vehicle LAN and needs information received by the wireless device is the in-vehicle LA.
A method is considered in which necessary information can be acquired from the wireless device via N. By doing so, the degree of freedom in the installation position of the wireless device and the like is high, and the number of wires is small, which is convenient.

However, with such a configuration, it becomes possible to access each device connected to the in-vehicle LAN from the outside of the vehicle via the wireless device, and in recent years in the field of the Internet, etc., to a network terminal that frequently occurs. There is a high possibility that the same problem as in the case of unauthorized access will occur.

The present invention has been made in view of these problems, and an object thereof is to sufficiently prevent unauthorized access from the outside to various in-vehicle electronic devices in a vehicle while simplifying wiring in an in-vehicle communication system. To do.

[0009]

In order to achieve the above object, the present invention according to claim 1 provides a vehicle-mounted LAN built in a vehicle and a communication device for performing data communication between the vehicle exterior device and the vehicle exterior device. And a vehicle relay device that relays communication between the vehicle exterior device connected via the communication device and the various vehicle electronic devices connected to the vehicle-mounted LAN, the first identifying means, and One authentication means and a first distribution means are provided.

That is, in the vehicle relay device of the present invention, when there is an access request from the vehicle exterior device to the vehicle electronic device connected to the vehicle LAN, the first identification means identifies the access destination, and Based on the identification result, it is determined whether or not the access request is an access request to the in-vehicle electronic device that requires authentication of the device outside the vehicle.

In the vehicle relay device, when the first identification means determines that the access request requires authentication of the vehicle exterior device, the first authentication means transmits the first request from the vehicle exterior device. Based on the one piece of authentication information, it is determined whether or not the external device is an external device that is permitted to access the in-vehicle electronic device in advance.

Further, the vehicle relay device determines that the vehicle exterior device requested to be accessed by the first authentication means is a vehicle exterior device that is permitted to access the vehicle electronic device in advance, or the first identification means. Determines that the access request does not require authentication of the device outside the vehicle, the first distribution means transmits the communication data transmitted from the device outside the vehicle via the communication device to the in-vehicle electronic device of the access destination. Deliver to the device.

Therefore, in the vehicle relay device according to the first aspect of the invention, the vehicle-mounted relay device is connected before the vehicle exterior device is connected to the vehicle-mounted LAN.
Access to an in-vehicle electronic device may be denied for access from an out-of-vehicle device that is not permitted to access the in-vehicle electronic device in the AN. In other words,
The vehicle relay device can restrict access from the outside by authenticating the device outside the vehicle by the first authentication means, and as a result, can prevent unauthorized access from outside.

As a method of causing the first identifying means to determine whether or not the access request is an access request to an in-vehicle electronic device that requires authentication of a device outside the vehicle, for example, in advance in the vehicle relay device. In the above, there is a method in which the electronic devices in the vehicle that require the authentication of the device outside the vehicle are listed, and the first identifying means determines whether or not the authentication of the device outside the vehicle is required based on the list. In addition, as an in-vehicle LAN, a plurality of independent networks are constructed for each system of in-vehicle electronic devices so that these networks cannot be accessed from the outside without a vehicle relay device. It is also possible to determine whether or not the access request requires the authentication of the device outside the vehicle by determining whether or not the access request is an access request to the in-vehicle electronic device belonging to which network.

As a method for authenticating the device outside the vehicle at this time, for example, authentication information (password or the like) for each electronic device in the vehicle is stored in advance in the vehicle relay device. There is a method of causing the vehicle relay device to collate the authentication information with the authentication information acquired from the device outside the vehicle. As another example, authentication information common to the in-vehicle electronic device is stored in the vehicle relay device, and when there is an access request that requires authentication of the device outside the vehicle, the common authentication is performed regardless of the access destination. The information may be used to authenticate the device outside the vehicle.

In addition, the in-vehicle electronic device connected to the in-vehicle LAN is divided into an information system device for informing a vehicle occupant of information obtained from the outside and a control system device for controlling the vehicle. Then, the access request is sent to the first identification means.
It may be possible to determine whether the authentication of the device outside the vehicle is necessary by identifying which of the information system device and the control device is the access request.

Further, in this case, as described in claim 2, when the first identification means determines that the access request is an access request to the control system device, the first recognition means determines that the device outside the vehicle. It is preferable to configure the vehicle relay device so that the authentication is performed by the above method.

In this way, the control system device for controlling the vehicle can be accessed only by the authorized outside device, and the vehicle relay device is
It is possible to prevent unauthorized access to the control system device related to the traveling of the vehicle. By the way, in the above, the method of determining whether or not the device outside the vehicle is required to be authenticated by identifying the access destination is used. However, depending on the type of access request from the device outside the vehicle (type of communication data, etc.) There may be a case where it is better to authenticate the device outside the vehicle regardless of the destination.

For example, the access request is for writing a program that operates in the electronic device in the vehicle and a parameter for operating the electronic device in the vehicle (for example, a constant for properly operating the control system in the vehicle). This is the case when it is a write request. Therefore, in the vehicle relay device according to claim 3, in addition to the first identifying unit, the first authenticating unit, and the first distributing unit, the second identifying unit, the second authenticating unit, and the second distributing unit. And are provided.

That is, in the vehicle relay device according to the third aspect, when there is a request for access from the device outside the vehicle to the electronic device inside the vehicle, the access request is sent to the electronic device inside the vehicle by the second identifying means. When it is determined whether the request is a write request for writing the operating program or a parameter for operating the in-vehicle electronic device, and the second identifying unit determines that the access request to the in-vehicle electronic device is not the write request. The second authentication means is configured to operate the first identification means.

In the vehicle relay device, when the second identifying means determines that the access request to the in-vehicle electronic device is a request for writing a program or a parameter for operating the in-vehicle electronic device, the device outside the vehicle Based on the transmitted second authentication information, the second authentication means permits the writing request of the program for the external device that has requested the writing to operate in the electronic device inside the vehicle or the parameter for operating the electronic device inside the vehicle. It is determined whether or not the device is an external device that has been removed.

Then, it is determined that the second authentication means is an out-of-vehicle device which is permitted to write the program for operating the in-vehicle electronic device of the in-vehicle electronic device or the parameter for operating the in-vehicle electronic device. Only in the case of the above, the second distribution means distributes the program as the communication data transmitted from the device outside the vehicle via the communication device or the parameter for operating the electronic device in the vehicle to the electronic device in the vehicle to be accessed. .

Therefore, in the vehicle relay device according to the third aspect of the invention, when the access request is a program or a parameter write request for operating the in-vehicle electronic device, the second request is made regardless of the access destination. It is possible to authenticate the device outside the vehicle based on the authentication information, and as a result, it is possible to prevent the writing of the program for the electronic device inside the vehicle and the parameters for operating the electronic device inside the vehicle by unauthorized access.

Of course, if the writing request is made from the legitimate device outside the vehicle, the second distribution means distributes the program or the parameters for operating the electronic device in the vehicle to the electronic device in the vehicle to be accessed. Therefore, according to the vehicle relay device, while preventing the program and the parameter for operating the electronic device in the vehicle from being illegally accessed from being written, an authorized user can easily access the electronic device in the vehicle. The program and the parameters for operating the electronic device in the vehicle can be written and updated.

For example, in the past, a dealer or the like updated the program of the in-vehicle electronic device with a dedicated device.
In a vehicle incorporating such a vehicle relay device, the program can be updated without forcing the driver or the like to bother with bringing the vehicle into the dealer.

In the vehicle relay device according to the third aspect of the invention, the authentication method in the case where the access request is the writing of the program or the parameter for operating the in-vehicle electronic device,
It is desirable to use a strong authentication method that can more reliably determine whether the device outside the vehicle is legitimate.

For this purpose, for example, when the second identifying means determines that the access request to the in-vehicle electronic device is a write request, the second authenticating means determines that the first authenticating means It is determined based on the authentication information that the vehicle exterior device is the vehicle exterior device that is previously permitted to access the vehicle interior electronic device, and the vehicle exterior device is the vehicle exterior device that is previously permitted to access the vehicle interior electronic device. And whether the vehicle-outside device that has requested writing based on the second authentication information is a vehicle-outside device that is permitted to write a program that operates in the in-vehicle electronic device or a parameter for operating the in-vehicle electronic device. It is preferable to configure the vehicle relay device so as to determine whether or not it is.

By constructing the vehicle relay device in this way,
Since the device outside the vehicle can be authenticated in two steps based on the first authentication information and the second authentication information, the request for writing the program and the parameter for operating the electronic device inside the vehicle is more reliable than the device outside the vehicle. Can be determined. Therefore, according to the vehicle relay device (Claim 4) of the present invention, it is possible to more reliably prevent unauthorized access to the in-vehicle electronic device connected to the vehicle-mounted LAN.

Specifically, it is preferable that the vehicle relay device described in claim 4 is constructed as described in claim 5. In the vehicle relay device according to claim 5, the second authenticating means owns the authentication information for authenticating the external device, and owns the first authentication information transmitted from the external device. By comparing it with the authentication information, it is configured to determine whether or not the out-vehicle device is an out-vehicle device that is permitted to access the in-vehicle electronic device in advance.

Further, when the second authentication means determines that the vehicle exterior device is the vehicle exterior device that is permitted to access the vehicle electronic device in advance, the second authentication information transmitted from the vehicle exterior device is stored in the program. Alternatively, it is transferred to the in-vehicle electronic device that is a target for writing the parameters for operating the in-vehicle electronic device.

It should be noted that whether or not the vehicle exterior device is the vehicle exterior device that is permitted to write the program or the parameter for operating the vehicle interior electronic device to the vehicle electronic device that receives the transferred second authentication information. Authentication information for determining that the second authentication means transfers the second authentication information to the electronic device in the vehicle, and the electronic device in the vehicle owns the second authentication information. Match with the authentication information. In addition, the verification result is acquired from the electronic device in the vehicle, and based on the acquired verification result, the device outside the vehicle that has requested writing,
It is determined whether or not the program is a device operating outside the vehicle or a device outside the vehicle permitted to write parameters for operating the vehicle electronic device.

In the vehicle relay device according to claim 5, wherein the vehicle exterior device is authenticated by such an authentication method, the second authentication is performed.
Even if the relay device for a vehicle malfunctions due to unauthorized access, the writing of the unauthorized program or the parameter for operating the electronic device in the vehicle is prevented because the in-vehicle electronic device to which the program or the parameter is written is performed. can do. Further, it is possible to prevent an unauthorized access to the in-vehicle electronic device by directly connecting the device to the in-vehicle LAN.

Further, the above-mentioned claim 1 to claim 5
By using the vehicle relay device according to any one of the above, it is possible to construct an in-vehicle communication system that is resistant to unauthorized access. More specifically, as described in claim 6, claim 1
The vehicle relay device according to claim 5 is arranged between a communication device that performs data communication with an external device and an in-vehicle LAN built in the vehicle, and the vehicle relay device. In-vehicle LA and vehicle-mounted LA that are connected via a communication device
Communication with various in-vehicle electronic devices connected to N may be relayed.

At this time, if all the communication devices mounted in the vehicle are connected to the vehicular relay device, all the access from the outside device can be relayed by the vehicular relay device, thereby preventing unauthorized access. , All can be handled by the vehicle relay device. Therefore, in such an in-vehicle communication system, it is possible to more reliably prevent unauthorized access to the in-vehicle electronic device.

[0035]

BEST MODE FOR CARRYING OUT THE INVENTION Embodiments of the present invention will be described below.
A description will be given with reference to the drawings. FIG. 1 is a block diagram showing the configuration of an in-vehicle communication system 1 to which the present invention is applied.

As shown in FIG. 1, an in-vehicle communication system 1 of the present embodiment includes an in-vehicle LAN 10 constructed by electronic control units (ECUs 11 to 37) installed in the vehicle as an in-vehicle electronic device and an in-vehicle device. 3 is provided between the communication unit 40 for communicating with the vehicle-mounted LAN 10, the vehicle-mounted LAN 10, and the communication unit 40, and relays data communication between each of the ECUs 11 to 37 in the vehicle-mounted LAN 10 and the vehicle exterior device 3. And a gateway ECU 50.

The in-vehicle LAN 10 built in the vehicle
Is a control network, an AVC network,
A body system network, and each of the networks is connected to a common transmission line with the ECU in the vehicle corresponding to each system. For example, the control system network includes engine ECU 11, ECT / ECU 13, V
SC / ECU 15, ACC / ECU 17, peripheral monitoring EC
An ECU for vehicle control related to traveling such as U19 is connected.

Here, the engine ECU 11 is an engine control device for controlling the engine, and the ECT-ECU 1
Reference numeral 3 denotes a shift control device that performs shift control of the automatic transmission, and these are so-called power train control devices.
Further, the VSC / ECU 15 is a control device that performs attitude control and braking control of the vehicle, and the ACC / ECU 17 is a travel control device that performs control to cause the vehicle to follow the preceding vehicle. It is a control device.

On the other hand, the body system network includes a meter ECU 21, an antitheft ECU 23, and an air conditioner ECU 25.
ECUs for body control such as are connected. Meter E
CU21 is the vehicle speed, the engine speed, the open / closed state of the door,
The anti-theft ECU 23 is for displaying various states of the vehicle such as the shift range of the transmission on the display device. The antitheft ECU 23 monitors the state of the vehicle and allows a malicious person to enter the vehicle or each device in the vehicle. If you are trying to steal your phone, you will hear an alarm sound or make an emergency call to an external center.
The air conditioner ECU 25 is for controlling the air conditioner.

In addition to the above, the AVC system network includes a navigation ECU 31, an audio ECU 33, and a telephone E.
AVC ECU belonging to information equipment that provides various information (information display, reproduction, etc.) such as CU35, ETC / ECU37, etc.
Are connected. The navigation ECU 31 acquires map data from a map data storage unit (not shown) composed of a DVD player, a CD player, or the like connected to itself, and also a GPS receiver (not shown) connected to the communication unit 40. ) To display a map indicating the current position of the vehicle on the basis of the information about the current position of the vehicle on a display device (not shown) such as a liquid crystal display connected to the audio ECU 33 described later. ECU.

Further, the navigation ECU 31 obtains traffic congestion information and the like from the VICS radio device 41 and the like which will be described later and displays the information together with a map on the display device.
The position information of the gate for ETC and the like is acquired from the ETC radio device 45 described later, and the information is displayed on the display device to guide the driver to the gate position for ETC.

Next, the audio ECU 33, in accordance with a command input by the user operating an operation switch connected to the ECU, broadcasts a radio broadcast program or a television broadcast program desired by the user to a television / radio described later. By controlling a tuner built in the wireless device 43, the tuner is acquired from the television / radio wireless device 43 and reproduced by a speaker system in the vehicle, a liquid crystal display or the like.

Further, the telephone ECU 35 communicates with a telephone radio unit 47, which will be described later, so that the telephone radio unit 47 can be connected to an external device connected to the telephone line network to establish a wireless base station in the telephone line network. Each of the in-vehicle LAN 10 is connected via
This is for making communication between the CU and an external device through a telephone line.

In addition, when the ETC / ECU 37 acquires command information related to charging from the ETC center via an ETC radio (described later), in response to this, various information is sent from a card reader or the like connected to itself. And read this
It is for transmitting to an external ETC center via the TC radio 45.

Next, as shown in FIG. 1, the communication section 40 of the present embodiment has a plurality of types of radio such as a VICS radio 41, a television / radio radio 43, an ETC radio 45, and a telephone radio 47. And an external device connecting portion 49 for connecting an external device such as the service tool 5 directly into the vehicle.

The VICS radio 41 is, for example, VICS.
It is composed of a radio wave beacon receiver for receiving road traffic information provided by the optical beacon receiver, an optical beacon receiver, and the like, and transmits the communication data from the VICS acquired from these radios to the gateway ECU 50. ing.

The television / radio radio 43 includes a tuner for receiving a television broadcast signal and a radio broadcast signal, and the tuner is configured to be controlled by the audio ECU 33 connected to the vehicle-mounted LAN 10 or the like. There is. In addition, the television / radio radio 43 is configured to be connectable to an external center that provides a video-on-demand service in response to a command from the audio ECU 33, and the video data and the like acquired from these are transmitted to the gateway ECU 50. Send to.

The ETC radio 45 is a radio for communicating with the ETC center, and sends communication data from the ETC center to the gateway ECU 50 or from the vehicle-mounted LAN via the gateway ECU 50. The received data is transmitted to the ETC center side.

Then, the telephone radio unit 47 uses the telephone E
Under the control of the CU, it connects itself to an external public telephone line network via a radio base station and sends communication data from the public telephone line network to the gateway ECU 50. here,
The following are examples of access from outside the vehicle via the telephone wireless device 47.

For example, access can be made when the vehicle owner inputs a command for starting the air conditioner from the mobile phone or the like to the air conditioner ECU 25 in the vehicle-mounted LAN 10 and remote-controls the air conditioner. In addition, access may be considered when the user obtains music data through a telephone line and reproduces it by the audio ECU 33 in the vehicle. In addition to this, the user acquires a program that operates in each of the ECUs 11 to 37 in the vehicle-mounted LAN from an external center through a telephone line, and acquires the program from the ECUs 11 to 37.
It is possible to access it when you install it in and write or update the program.

As described above, each radio device 41 in the communication section 40,
Although 43, 45, and 47 have been described, in the in-vehicle communication system 1, it is conceivable that the communication unit 40 receives communication data from outside with no instruction of a distribution destination (that is, an access destination). Therefore, in the case of dealing with such a case, for example, each of the wireless devices 41 to 47 attaches the information regarding the delivery destination to the communication data with respect to the specific type of data which is not instructed by the delivery destination, and the data is transmitted to the gateway. EC
The communication unit 40 may be configured to transmit to the U50.
For example, when a television signal is received, the delivery destination is designated to the audio ECU 33.

In addition to the above, the external device connecting section 49 is provided with an external device such as the service tool 5 for diagnosing the vehicle or the service tool 5 for updating the program in the ECU.
It is composed of a connector for connecting to the vehicle-mounted LAN 10, and when the service tool 5 is connected, the service tool 5 is connected to the gateway ECU 50.

The gateway ECU 50 is connected to the communication section 40 and the in-vehicle LAN 10, and the in-vehicle L
It has a configuration for relaying data communication between each of the ECUs 11 to 37 in the AN 10 and the vehicle exterior device 3. For example, the gateway ECU 50 has a so-called routing function, and E in each system network in the vehicle-mounted LAN
It relays access from the CU to ECUs in other networks in the vehicle LAN. Specifically, for example, from the ECU in the body system network to the ECU in the control system network
When there is a request for access to the ECU, communication data from the ECU in the body network is transmitted to the ECU in the control network.

Further, as a feature of the present invention, when the gateway ECU 50 acquires the communication data received by the communication section 40, its own CPU executes the main routine shown in FIG. FIG. 2 shows the gateway ECU 50.
FIG. 3 is a flowchart showing a program transfer process called in the main routine, FIG. 4A is a flowchart showing an individual authentication process called in the program transfer process, FIG. 5 is a flowchart showing the access restriction process.

The gateway ECU 50 firstly sets S110.
At, the communication data delivery destination is read from the communication data, and based on this, the delivery destination (ie, access destination)
However, it is determined whether or not it is listed in the in-vehicle mounted device list stored in its own storage medium (memory in this embodiment) (S120). It should be noted that the in-vehicle mounted device list mentioned here is a list relating to the ECUs 11 to 37 connected to the in-vehicle LAN 10.

Here, if it is determined that the communication data delivery destination is not registered in the in-vehicle device list, the gateway ECU 50 executes the access restriction process (described later in detail) in S125, and then ends the process. . On the other hand, when determining that the delivery destination of the communication data is registered in the in-vehicle device list, the gateway ECU 50 proceeds to S130, in which the communication data relates to the writing request of the program operating in the ECU in the in-vehicle LAN 10. It is determined whether or not the communication data includes information or information regarding a request for writing a matching constant for properly operating the control system in the vehicle. The request for writing the adaptation constant here is, for example, a request for rewriting the engine ignition timing map.

When it is determined that the communication data includes the information regarding the program or parameter write request, the gateway ECU 50 next executes a program transfer process (FIG. 3) in S140. In the following processing, only the program writing request will be described, but these processings are performed in the same procedure even when the writing request is a matching constant.

Upon proceeding to the program transfer processing, the gateway ECU 50 first sends the password as the first authentication information to itself to the vehicle exterior device 3 which has transmitted the program write request via the communication section 40 in S141. Is requested and the password is acquired from the vehicle exterior device 3.

Subsequently, the gateway ECU 50 determines S1
At 43, the password is itself (gateway EC
It is determined whether the password matches the password registered in advance in (U50). Regarding this password, for example, when the product is shipped, the producer sets the gateway ECU 50.
The password unique to the gateway ECU 50 may be registered in.

If it is determined in S143 that the password is not correct (that is, the acquired password does not match the pre-registered password), the gateway ECU 50 advances the processing to S169 and executes the access restriction processing ( After executing (Fig. 5), the process is terminated,
If it is determined in S143 that the password is correct, the process proceeds to S145, the program is acquired from the vehicle exterior device 3 via the communication unit 40, and temporarily stored in its own memory.

Subsequently, the gateway ECU 50 determines S1
At 50, individual authentication processing (FIG. 4) is executed. When shifting to the individual authentication processing, the gateway ECU 50 firstly sets S1.
At 51, the ECU in the vehicle-mounted LAN 10 to which the vehicle exterior device 3 writes the program (hereinafter, referred to as “writing target EC
U ". ) Request to receive the program.

When the gateway ECU 50 requests the reception of the program in this way, the requested writing target EC
U executes the program receiving process whose flowchart is shown in FIG. Hereinafter, details of the individual authentication processing executed by the gateway ECU 50 shown in FIG.
Details of the program reception process shown in (b) will be described in parallel.

Write target E that received the program reception request
First, in S310, the CU determines the above-mentioned first authentication information in order to determine whether or not the out-of-vehicle device 3 that has requested the writing of the program is the out-of-vehicle device 3 that is previously permitted to write the program. The second authentication information different from that is requested to the outside-vehicle device 3 that is the writing request source.

For example, the common key method (DE
S system etc.) is adopted, the writing target ECU is S31
At 0, a random number r is generated and once stored in its own memory, this random number r is transmitted to the vehicle exterior device 3 side together with a request for authentication information, and the vehicle exterior device 3 receives the random number r.
It is instructed to send back what is encrypted with the common key K as the authentication information.

When requesting this authentication information to the vehicle exterior device 3, the gateway ECU 50 once obtains the request information from the writing target ECU and transfers it to the vehicle exterior device 3 via the communication section 40. Yes (S153). Further, when the gateway ECU 50 acquires the authentication information from the vehicle exterior device 3 as a response result to the request for the authentication information, the gateway ECU 50 S1
At 55, this is transferred to the writing target ECU.

On the other hand, the writing target ECU is the gateway E.
When the authentication information is acquired from the vehicle exterior device 3 via the CU 50 (S320), it is collated with the authentication information stored in its own memory (S330). Then, based on the comparison result, it is determined whether or not the authentication of the vehicle exterior device 3 is successful (S340). If the authentication is successful, the authentication success is notified to the gateway ECU 50 (S350), and the authentication must be successful. For example, the fact that the authentication has failed is notified (S35).
5).

Here, a concrete description will be given of an example of the case where the common key system authentication is performed. The writing target ECU decrypts the authentication information acquired from the vehicle exterior device 3 with the common key K, and the decryption is performed. The converted authentication information is the random number r generated in S310.
If it matches, it is determined that the vehicle exterior device 3 is a vehicle exterior device for which writing of a program has been permitted in advance (Yes in S340), and the fact that the vehicle exterior device 3 has been successfully authenticated is notified. .

On the other hand, the gateway ECU 50 determines in S15
In step 7, when the authentication result (notification of authentication success or notification of authentication failure) is received from the writing target ECU, the individual authentication process is terminated, and S161 of the program transfer process (FIG. 3) is performed.
Then, it is determined whether or not the authentication in the writing target ECU has succeeded.

That is, when the gateway ECU 50 receives the notification of the authentication failure from the writing target ECU, the gateway ECU 50 determines No in S161, moves the process to S169, and writes the writing target EC.
When the notification of the authentication success is received from U, it is determined as Yes in S161, and the process proceeds to S163.

Then, in S163, gateway ECU 50 transmits the temporarily stored program to the writing target ECU. In response to this, the writing target ECU receives the program transferred from the gateway ECU 50 and stores the program in its own memory in an executable state (S360).

When the writing target ECU finishes storing the program, gateway ECU 50 verifies in step S165 whether the writing target ECU correctly stores the program. For example, the gateway ECU 50 is
By verifying whether the contents of the program transferred by itself and the program stored in the memory by the writing target ECU are the same, it is verified whether the writing target ECU correctly stores the program.

If the program is correctly stored, the program transmitted in S163 is discarded from its own memory (S167), the process is terminated, and if the program is not correctly stored (S165). So N
o), the program stored in its own memory is read again, and this program is transmitted to the writing target ECU (S16).
3). If the writing of the program is unsuccessful for a plurality of times, the writing of the program may be stopped and the process may be ended.

Next, a description will be given of the processing when the gateway ECU 50 determines in S130 (see FIG. 2) that the communication data is not a request for writing the communication data or program (No in S130). As shown in FIG. 2, when the gateway ECU 50 determines No in S130, in the subsequent S170, the communication data delivery destination (access destination) is reached.
Is an AVC ECU connected to an AVC network
It is determined whether it is 31 to 37.

Here, the delivery destination is the AVC system ECUs 31 to 3
If it is determined to be 7 (Yes in S170), the gateway ECU 50 delivers the communication data to the AVC ECU of the delivery destination in S175. On the other hand, if it is determined that the delivery destination is not the AVC system ECUs 31 to 37 (N in S170).
o), the gateway ECU 50 sends the EC data to the external device 3 that has transmitted the data via the communication unit 40.
U is requested to transmit the password, and the password as the authentication information is acquired from the vehicle exterior device 3 (S18).
0).

Subsequently, the gateway ECU 50 determines S1
At 90, it is determined whether or not the acquired password is correct by determining whether or not the password matches the password registered in advance. The gateway ECU 50 may be configured to verify the password acquired from the vehicle exterior device 3 with the same password used to verify the password in step S143 of the program transfer process described above, or verify it with another password. May be configured to do so. In this case, the gateway ECU 50
The password used at the time of verification in S143 and S19
Both of the passwords used for 0 collation are stored.

If the password is determined to be correct (Yes in S190), the gateway ECU 50 transmits the data to the delivery destination ECU (S200), and if the password is determined to be incorrect (No in S190), S1.
At 95, an access restriction process is executed and the process ends.

In this access restriction process, the gateway ECU 50 operates as shown in FIG. That is, in S410, the gateway ECU 50 determines whether or not the same vehicle exterior device 3 has accessed the gateway ECU 50 n times (for example, 3 times) or more within a certain time, and the access must be performed n times or more. If (S410
No), and in S420, the abnormal access for which the authentication has failed is transmitted from the vehicle exterior device 3 to the corresponding radios 41 to 47 of the communication unit 40 (corresponding radios 41 to 47).
The operation of 47 will be described later), and the processing ends.

On the other hand, when the access is made n times or more (Yes in S410), the corresponding radios 41 to 47 are notified to prohibit the access from the external device 3 (S430), and the The communication data from the vehicle exterior device 3 of the same access source is transmitted to the machines 41 to 47 by the gateway ECU.
The process is terminated by causing the device 50 to never send it again.

Further, each of the wireless devices 41 to 47 of the present embodiment which receives the above notification of the access restriction process executes the access control process as shown in FIG. 6 to control the access from the vehicle exterior device 3. 6. Note that FIG. 6 is a flowchart showing the access control processing. When the wireless devices 41 to 47 acquire the communication data as the demodulation result from the demodulation circuit, the wireless devices 41 to 47 acquire the information on the out-of-vehicle device 3 of the transmission source included in the communication data and identify the transmission source (S510), and S520.
At, it is determined whether the transmission source is on the access prohibition list. Note that this access prohibition list is the gateway EC
Whenever a notification of access prohibition is received from U50, the radio 4
1 to 47 are sequentially updated, and the wireless devices 41 to
In its own memory, 47 has an access prohibition list in which the out-of-vehicle device 3 for which access is prohibited is registered.

If it is determined in S520 that the transmission source of the communication data is in the access prohibition list, the wireless device 41
47, in subsequent S540, the access to the gateway ECU 50 of the transmission outside vehicle device 3 is denied. That is, the wireless devices 41 to 47 discard the communication data received from the transmission source without transmitting the communication data to the gateway ECU 50.

On the other hand, when it is determined in S520 that the transmission source of the communication data is not in the access prohibition list, the wireless devices 41 to 47 have succeeded in S530 for a certain period of time after the transmission source received the abnormal access. Or not. In addition, the fixed time here is the gateway E
The time is set to be sufficiently shorter than the time when the CU 50 determines in S410 whether or not the access is performed n times or more.

If it is determined that the fixed time has not elapsed after the abnormal access, the wireless devices 41 to 47 determine whether the wireless devices 41 to 47 have S540.
To the gateway ECU of the vehicle exterior device 3 of the transmission source
Deny access to 50. On the other hand, when it is determined that a certain time has passed after the abnormal access or the notification of the abnormal access has not been received, the process proceeds to S550 and the communication data is transmitted to the gateway ECU 50.

The in-vehicle communication system 1 of this embodiment has been described above.
When the gateway ECU 50 relays communication between the communication unit 40 connected to the vehicle exterior device 3 and the vehicle-mounted LAN 10, the vehicle exterior device 3 makes each EC of the vehicle-mounted LAN 10 as necessary.
Since it is confirmed by acquiring the password whether or not the access to U11 to 37 (that is, data communication with each ECU) is permitted outside the vehicle, it is possible to prevent unauthorized access to each ECU 11 to 37 in the vehicle-mounted LAN 10. Can be prevented. Further, with such a configuration, it is possible to further prevent unauthorized access from the outside as compared with the case where the vehicle exterior device 3 is authenticated only by the individual ECU.
Such a system can be inexpensively constructed. In addition, it is possible to reduce wiring in the in-vehicle communication system.

In the in-vehicle communication system 1 of this embodiment,
The communication data is not related to the program and the request for writing the constant, and the AVC ECU (not connected to the AVC network for notifying the vehicle occupant of the information obtained from the outside by the communication data delivery destination (access destination)) ECU 31
~ 37), the external device 3 is not authenticated.

This is because as long as it is communication data to the AVC system ECUs 31 to 37, even if the communication data is maliciously acted, the communication data does not affect the safety regarding the running of the vehicle. Because.
Further, considering that the access to the AVC system ECU is frequently performed from the outside, if the authentication of the vehicle exterior device 3 is performed one by one, the processing load on the gateway ECU 50 increases. Of course, if necessary, each ECU may perform individual authentication.

On the other hand, the delivery destination of the communication data is the AVC EC.
When the ECU is other than U (in other words, the ECU 11 connected to the control system network and the body system network
˜25), authentication of the vehicle exterior device 3 is performed at least once using a password or the like. Because each ECU connected to the control system network and the body system network is an ECU involved in vehicle control, it is necessary to prevent these ECUs from being tampered with and to ensure the traveling safety of the vehicle. Is.

In particular, the in-vehicle communication system 1 of this embodiment
In the case where the communication data relates to a program or a request to write a conforming constant, the second authentication is performed in addition to the first authentication using a password, etc., regardless of the type of ECU of the delivery destination. Access to the device 3 is more severely restricted. Therefore, in the in-vehicle communication system 1 of the present embodiment, it is possible to prevent a situation in which the program operating in the ECU and the adaptation constants related to vehicle control are illegally rewritten.

In addition to this, in the in-vehicle communication system 1, the access from the out-of-vehicle device 3 which often fails in the authentication is prohibited by the authentication failure of n times, and the communication data from the out-of-vehicle device 3 is communicated by the communication unit 40. Gateway ECU50
Therefore, it is possible to solve the problem that the processing load of the gateway ECU 50 increases due to unauthorized access.

Here, the relationship between the in-vehicle communication system 1 of the present embodiment described above and the in-vehicle communication system of the present invention is as follows. First, the vehicle relay device of the present invention corresponds to the gateway ECU 50 of the present embodiment, the information system device of the present invention corresponds to the AVC system ECUs 31 to 37 connected to the AVC system network, and the control of the present invention. The system device corresponds to each of the ECUs 11 to 25 connected to the control system network or the body system network. Further, the access request for the device outside the vehicle corresponds to an operation in which the device 3 outside the vehicle transmits communication data to the communication unit 40.

Then, in the first identifying means of the present invention, based on the distribution destination that the gateway ECU 50 has grasped in S110, in S170, the distribution destination is the AVC as an information system device.
This is equivalent to the operation of determining whether or not it is the system ECU, and the first authentication means, the gateway ECU 50 acquires the password as the first authentication information in S180, and determines whether the password is correct in S190. It corresponds to the operation. Further, the gateway ECU 50 executes S17 as the first distribution means.
S175, which is executed when it is determined to be Yes in 0, and S19
This corresponds to the process of S200 executed when it is determined to be Yes in 0.

In addition, the second identifying means of the present invention corresponds to the processing operation in S130 executed by the gateway ECU 50, and the second authenticating means is that the gateway ECU 50 does not request the access request to write a program or the like. If the access request is a write request for a program, etc., while the process proceeds to S170 when the determination is made, S140 is executed.
This corresponds to the operation of executing the processing of to S161. Further, the second distribution means corresponds to an operation in which the gateway ECU 50 shifts the step to S163 based on the determination result of S161 and transmits the communication data (a program or the like) to the ECU.

Although the embodiments of the present invention have been described above, the vehicle relay device and the in-vehicle communication system of the present invention are as follows.
The present invention is not limited to the above-mentioned embodiment, and various modes can be adopted. For example, in the above-described embodiment, the authentication of the vehicle exterior device 3 is performed by the password first, but the vehicle exterior device 3 may be authenticated by other authentication methods. If the out-of-vehicle device 3 is authenticated by a more reliable authentication method such as the common key method, the authentication time may be longer, but it is possible to more reliably prevent unauthorized access to the ECU in the vehicle-mounted LAN 10.

In addition to this, when a writing request for a program or the like is received, the outside-vehicle device 3 is set to a different authentication method by a different authentication method.
Although it has been configured to authenticate once, in order to ensure the safety of these writing, authentication is performed with a highly reliable authentication method.
It may be performed more than once, or the system may be configured to authenticate the out-vehicle device 3 only once by a highly reliable authentication method.

[Brief description of drawings]

FIG. 1 is a block diagram showing a configuration of an in-vehicle communication system 1 of this embodiment.

FIG. 2 is a flowchart showing a main routine executed by gateway ECU 50.

FIG. 3 is a flowchart showing a program transfer process executed by gateway ECU 50.

FIG. 4 is a flowchart (a) showing an individual authentication process executed by the gateway ECU 50 and a flowchart (b) showing a program reception process executed by the writing target ECU.

FIG. 5 is a flowchart showing an access restriction process executed by the gateway ECU 50.

FIG. 6 is a flowchart showing an access control process executed by each of the wireless devices 41 to 47.

[Explanation of symbols]

1 ... In-vehicle communication system, 3 ... Outside device, 10 ... In-vehicle LA
N, 11 to 37 ... ECU, 40 ... Communication unit, 41, 43,
45, 47 ... Radio, 49 ... External device connection part, 50 ... Gateway ECU

Claims (6)

[Claims] 1. An on-vehicle LA and an on-vehicle LA, which are arranged between a vehicle-mounted LAN built in a vehicle and a communication device for performing data communication with the vehicle-outside device, and which are connected via the communication device.
A vehicle relay device that relays communication with various in-vehicle electronic devices connected to N, and when an access request is made from an external device to an in-vehicle electronic device in the in-vehicle LAN, the access destination is changed. First identification means for identifying and determining whether or not the access request is an access request to the in-vehicle electronic device that requires authentication of a device outside the vehicle, based on the identification result, When the means determines that the access request requires the authentication of the device outside the vehicle, the device outside the vehicle to the electronic device inside the vehicle in advance based on the first authentication information transmitted from the device outside the vehicle. Access means for determining whether or not the external device is permitted to access the vehicle, and the first authentication means allows the external device that has made the access request to access the electronic device in the vehicle in advance. If it is determined that the device is an out-of-vehicle device, or if the first identifying means determines that the access request does not require authentication of the out-of-vehicle device, it is transmitted from the out-of-vehicle device through the communication device. A vehicle relay device comprising: a first distribution unit that distributes communication data to the vehicle electronic device that is an access destination. 2. The in-vehicle LAN is connected to, as the in-vehicle electronic device, an information system device for informing a vehicle occupant of information acquired from the outside and a control system device for controlling the vehicle. When the access request to the in-vehicle electronic device is received, the first identifying means identifies which of the information system device and the control system device the access request is, Determining whether the access request is an access request to the electronic device in the vehicle that requires authentication of the device outside the vehicle, the first authenticating unit, the first identifying unit, the access request When it is determined that the access request is for the control system device, the vehicle outside the vehicle is allowed to access the vehicle electronic device in advance based on the first authentication information transmitted from the vehicle outside device. Vehicular repeater according to claim 1, characterized in that determining whether the device. 3. When a request to access the electronic device in the vehicle is issued from the device outside the vehicle, the access request is a document for writing a program operating in the electronic device in the vehicle or a parameter for operating the electronic device in the vehicle. A second identifying means for determining whether the request is a write request, and the second identifying means operates the first identifying means when it determines that the access request to the in-vehicle electronic device is not the write request. Then, when the second identification means determines that the access request to the in-vehicle electronic device is the write request, the second write request is made based on the second authentication information transmitted from the vehicle exterior device. Second authentication means for determining whether the external device is an external device permitted to write a program for operating the electronic device in the vehicle or a parameter for operating the electronic device in the vehicle; Only when the authentication means determines that the vehicle-outside device that has requested the writing is a vehicle-outside device permitted to write a program for operating the vehicle-side electronic device or a parameter for operating the vehicle-side electronic device. A second distribution means for distributing communication data transmitted from the device outside the vehicle via the communication device to the electronic device in the vehicle to be accessed,
The vehicle relay device according to claim 1 or 2, further comprising: 4. The second authentication means, when the second identification means determines that the request to access the electronic device in the vehicle is the write request, the device outside the vehicle is determined based on the first authentication information. It is determined whether or not it is an out-of-vehicle device that is permitted to access the in-vehicle electronic device in advance, and if the out-of-vehicle device is an out-of-vehicle device that is previously permitted to access the in-vehicle electronic device, the second device Whether the vehicle-outside device that has made the writing request is a vehicle-outside device that is permitted to write a program operating in the in-vehicle electronic device or a parameter for operating the in-vehicle electronic device based on the authentication information of The vehicle relay device according to claim 3, wherein 5. The second authentication means collates the first authentication information transmitted from the vehicle exterior device with the authentication information owned by itself, so that the vehicle exterior device preliminarily causes the vehicle exterior electronic device to operate. It is determined whether or not the vehicle-outside device is permitted to access the vehicle, and the vehicle-outside device has been transmitted from the vehicle-outside device when the vehicle-outside device is a vehicle-outside device permitted to access the in-vehicle electronic device in advance. The second authentication information,
The program or the parameter is transferred to the in-vehicle electronic device to be written, and the in-vehicle electronic device is caused to collate the second authentication information with the authentication information possessed by the in-vehicle electronic device. A verification result is acquired from the in-vehicle electronic device, and based on the acquired verification result, the outside-vehicle device that has made the writing request is a program that operates in the in-vehicle electronic device or the in-vehicle electronic device operation. The vehicle relay device according to claim 4, wherein it is determined whether or not the device is a device outside the vehicle for which writing of parameters is permitted. 6. A vehicle-mounted LAN built in a vehicle, a communication device for performing data communication with an apparatus outside the vehicle, and a communication device arranged between the communication device and the vehicle-mounted LAN and connected via the communication device. Device outside the vehicle and the in-vehicle LAN
An in-vehicle communication system comprising: the vehicle relay device according to any one of claims 1 to 5, which relays communication with various in-vehicle electronic devices connected to the vehicle.