JP4768396B2 - Vehicle information collection system, vehicle information verification method, and control device - Google Patents

Description

The present invention authentication of various services such as car insurance, guarantee, relates to a charging system, in particular to prevent tampering of information, the contents are limited to between requester and provider, correctly, easily, reliably convey , Related to the technology used.

There are two types of conventional vehicle information collection systems. First, the server collects vehicle information by performing real-time communication from the vehicle to the server using an artificial satellite or the like. The details are disclosed in Patent Document 1, for example.
Second, the vehicle information is stored in a personal storage medium that can be attached to and detached from the vehicle, and is transmitted to the server later using a dedicated terminal device. A method for solving the problem that the data cannot be collected has also been proposed. This is disclosed in Patent Document 2, for example.

However, the method of transmitting data using a dedicated terminal device at a later date may send maliciously tampered data, so that vehicle information is recorded in an erasable memory such as an IC card. Therefore, a method has been proposed in which the falsification is prevented and an individual cannot freely delete or change vehicle information. As this detail, it is disclosed by patent document 3, for example.
Moreover, according to the above-mentioned Patent Document 1, in the case of a conventional vehicle service represented by vehicle insurance, when a family member or an acquaintance borrows a vehicle, each individual individually makes a contract with the vehicle service, so that the borrower Was receiving service. Alternatively, when the rented vehicle is on board, the contractor has received the service by comparing the contract details of the owner of the vehicle with the contract details of the borrower and making an additional contract for the missing service. This is disclosed in Patent Document 4, for example.
JP 2002-358425 A JP 2004-295421 A JP 2002-259703 A JP 2004-38278 A

The conventional vehicle information collection system has a problem that a special procedure is required and the apparatus side becomes complicated because it communicates with the server during use or prior to use in the online system.
In a system in which vehicle information is stored in a personally owned storage medium such as an IC card and then transmitted by a dedicated device, it is necessary to store the vehicle information in a non-erasable area in order to prevent falsification of the vehicle information. However, if information such as vehicle information that is variable in length and requires a relatively large storage capacity is to be written in such a special area, an expensive storage medium is required. Furthermore, there is a problem that complicated access control is necessary in order to prevent an individual from erasing or changing even though the storage medium is privately owned. This is difficult to operate.
In addition, when a vehicle is temporarily stored for vehicle inspection or traded for replacement, there is a risk that the vehicle information remaining in the vehicle can be seen by outsiders such as employees of manufacturers. There is a problem that there is.
Further, in the conventional vehicle service, when a vehicle is rented, the borrower has contracted for the service, or it has been necessary to perform a service contract procedure when getting on the rented vehicle. However, it is inconvenient to carry out a contract procedure for borrowing only several times a year, such as driving a vehicle when returning home.

The present invention has been made to solve the above-described problems, does not require complicated access control, stores vehicle information in a personally-owned inexpensive storage medium having a general storage area, and is used by others. the information leakage while anti technique to also prevent tampering with the vehicle information by individuals, that is intended to interact with high reliability data by universal element.
In other words, it prevents vehicle information from being leaked to third parties during vehicle inspection and trade-in, and allows the service provider to detect falsification of vehicle information and avoids the risk of providing services based on the falsified vehicle information. For the purpose.
It is another object of the present invention to improve convenience by eliminating the need for special operations such as a separate service contract for the borrower.
It is another object of the present invention to provide a system in which the server can safely collect vehicle information without requiring communication between the vehicle and the server and without depending on the communication state such as the deterioration of the communication state and the communication load of the server.
Furthermore, the purpose is to reduce the cost of system operation.

The vehicle information verification system according to this invention is
Acquires vehicle information that is the usage content from the start of the operation to the end of the operation and generates verification information using this vehicle information, and possesses authority to store the vehicle information and the verification information received from the control device A management apparatus that receives vehicle information and verification information from the authority owner apparatus and verifies whether the vehicle information received using the verification information has been tampered with by the authority owner apparatus, A vehicle information verification system that performs a service with different charges depending on vehicle information ,
The control device
Control device memory for accumulating and storing vehicle information from the start of operation of the control device to the end of operation;
Generated and stored in the controller memory as the next verification code verification information using the vehicle information that has been accumulated and stored in the verification code and the control unit memory for receiving generated from the authority owner device by the management device, generating The verification information is transmitted to the authority owner device, the vehicle information stored in the control device memory is received from the authority owner device in response to the vehicle information transmission request, is transmitted to the authority owner device, and is stored by transmission of the vehicle information. A control device controller that deletes the stored vehicle information from the control device memory ,
The authority owner device is
Authorized device memory to store vehicle information;
An operation instruction is given to the control device, vehicle information transmitted from the control device in response to the operation instruction is received, an accumulation and storage instruction is given to the authorized device memory, and the verification code transmitted from the management device is controlled. An authority owner control unit that receives the verification information generated by the control device and transferred to the device, and transmits the received verification information and the vehicle information stored and stored in the authority possessing device memory to the management device,
The management device
A verification code is generated and transmitted to the authority owner device, the verification information and vehicle information transmitted from the authority owner device in response to the verification code are received, and the vehicle is received using the received verification information A management device control unit that verifies whether or not the information has been tampered with by the authority owner device .

According to this invention, with the above configuration, the management device verifies whether the vehicle information has been tampered with by the authority owner device using the verification information generated by the control device. It is possible to detect fraudulent acts such as change or deletion of the contents of the information, and to avoid the risk of the management device due to falsified vehicle information.
In addition, since complicated access control is not required , an inexpensive personally owned storage medium having a general storage area can be used. Further, after the vehicle information is transmitted , the vehicle information is deleted from the control device. at the time of or trade, Ru can be prevented from flowing out of the vehicle information to a third party.
That is, it is possible to obtain a highly reliable vehicle information collection system capable of preventing falsification of vehicle information by an authorized owner and preventing vehicle information from leaking to a third party .

Embodiment 1 FIG.
In this embodiment, based on the vehicle information of the target vehicle, such as the travel distance and travel speed, a reliability suitable for a service for charging, cashing back or adding points to the owner as a contract target. A system that can collect vehicle information that can be placed will be described.
Specifically, a vehicle information collection system in an automobile insurance service that calculates insurance premiums using vehicle information will be described, and a mode in which the vehicle owner uses the service in the system will be described.

1.1. Overall Configuration FIG. 1 is a configuration diagram of a vehicle information collection system according to Embodiment 1 of the present invention.
In FIG. 1, a vehicle owner's mobile phone 101 (an example of an authority owner device) is a mobile phone held by a vehicle owner (hereinafter referred to as a vehicle owner). The vehicle 121 is held by the vehicle owner and is a vehicle to be insured. The insurance company server 141 is a server of an insurance company with which the vehicle owner has a contract. However, the mobile phone 101 may be a mobile terminal represented by PDA or PHS (registered trademark), a smart key, or a portable personal computer. That is, in general, it may be considered as an authority owner device. Further, the vehicle may be a general control device such as an entrance door, a building entrance / exit, or an appliance. Furthermore, the insurance company server is considered as a kind of service provision management device. That is, the present invention can be applied to a system in which the owner receives a maintenance service using a specific device such as an elevator.

1.2. Configuration of Terminal Device (Mobile Phone) Held by Vehicle Owner The mobile phone 101 of the vehicle owner includes a P (P is an abbreviation of authority holder) communication unit 102, a P display unit 103, a P input unit 104, and P control. Unit 105, P storage unit 106, and card unit 107. The P communication unit 102 is responsible for communication with other devices using wireless communication, infrared communication, or the like. The P display unit 103 displays information transmitted from the P control unit 105 on the screen. The P input unit 104 is responsible for processing in which the vehicle owner inputs information using operation buttons, a touch panel, and the like. P control unit 105 controls the processing of mobile phone 101 of the vehicle owner. That is, a microprocessor (not shown) is provided, and this control process is performed by reading a program stored in the next P storage unit (memory). The P storage unit 106 stores programs and data necessary for processing of the mobile phone 101 of the vehicle owner. The card unit 107 can be equipped with a UIM (User Identity Module) 108.

The UIM 108 includes a U (U is an abbreviation for a card unit) communication unit 109, a U control unit 110, and a U storage unit 111. The U communication unit 109 is responsible for communication with other devices using wireless communication or other communication means. The U control unit 110 controls processing of the UIM 108. The U storage unit (memory) 111 (the U memory is in the authority owner device and is also an authority owner memory in a broad sense) stores programs and data necessary for processing of the UIM 108. The U control unit 110 also includes a microprocessor (not shown), and performs control by reading a program stored in the U storage unit 111.
When a vehicle owner purchases a vehicle, the vehicle owner uses the mobile phone 101 of the vehicle owner to perform vehicle operations such as door unlocking / locking, engine starting / stopping, starting / stopping on-vehicle devices such as car navigation, etc. The program and data necessary for the vehicle are stored in the P storage unit 106 of the mobile phone 101 of the vehicle owner through the P input unit 104. As a storage method, the mobile phone 101 of the vehicle owner is connected to a dedicated terminal of the dealer and downloaded, or an external storage medium such as a CD-ROM created by the dealer is installed in the computer of the vehicle owner, and the vehicle The owner's mobile phone 101 is connected and downloaded.

Since the card unit 107 is detachable inside and includes a UIM independent from the authority owner device (mobile phone) 101, the following advantages are provided.
(1) A password required for accessing the card can be set separately from the password of the mobile phone. In other words, even if the mobile phone is in the hands of another person, and the person accesses the mobile phone, the card itself cannot be accessed, and the other person can tamper with the data in the card. Can be prevented.
(2) In the case of a mobile phone, replacement with a new model mobile phone frequently occurs. Even in such a case, since the card portion is independent, the previous data can be used simply by attaching the card to a new mobile phone, and convenience is improved.

Further, when the vehicle owner performs the insurance contract procedure for the vehicle, the vehicle owner stores programs and data necessary for calculating the insurance premium later in the P storage unit 106 of the mobile phone 101 of the vehicle owner. As a storage method, similar to the storage method of programs and data necessary for operating the vehicle, the mobile phone 101 of the vehicle owner is connected to the dedicated terminal of the insurance company or agency and downloaded, or the insurance company or An external storage medium such as a CD-ROM created by the agency is installed in the vehicle owner's computer, and the mobile phone 101 of the vehicle owner is connected and downloaded.
FIG. 2 and FIG. 3 show programs and data necessary for operating the vehicle and programs and data necessary for calculating the insurance premium. FIG. 2 shows a program stored in the P storage unit 106 of the mobile phone 101 of the vehicle owner, and FIG. 3 shows data stored in the U storage unit 111 of the UIM 108. The terminal-side vehicle operation program 201 is a program that performs processing for operating the vehicle. The terminal-side payment preparation program 202 is a program that performs a payment preparation process for calculating insurance premiums. The terminal side settlement program 203 is a program that performs a settlement process for calculating the insurance premium. The vehicle owner's secret key 301 is a secret key for public key encryption, and corresponds to the vehicle owner. The vehicle owner certificate 302 is a public key certificate and includes a public key to be paired with the vehicle owner private key 301. The vehicle owner certificate 302 is issued by a public organization such as the Land Transport Bureau, a vehicle manufacturer, or the like, and is also registered with an insurance company at the time of an insurance contract. The insurance company certificate 303 is a public key certificate of the insurance company.

1.3. Configuration of Control Device (Vehicle) The vehicle 121 includes an M (M is an abbreviation for control device) communication unit 122, an M control unit 123, and an M storage unit 124. The M communication unit 122 is responsible for communication with other devices using wireless communication, infrared communication, or the like. The M control unit 123 controls the operation of the vehicle 121. That is, similarly, a microprocessor (not shown) is provided, and a control process is performed by reading a program stored in the next M storage unit. The M storage unit 124 stores programs and data necessary for the operation of the vehicle 121.
When the vehicle manufacturer ships the vehicle, the vehicle manufacturer stores a program and data necessary for the vehicle to operate in the vehicle 121. As a storage method, the M storage unit 124 is connected to a dedicated device or a dedicated terminal of a vehicle manufacturer and downloaded.
Further, when the vehicle owner performs the insurance contract procedure for the vehicle, the vehicle owner stores programs and data necessary for calculating the insurance premium later in the vehicle 121. As a storage method, the vehicle is downloaded from the mobile phone 101 of the vehicle owner to the vehicle 121 by using a program downloaded from a dedicated terminal of an insurance company or agency or a CD-ROM.

  FIG. 4 shows programs and data necessary for the operation of the vehicle and programs and data necessary for calculating the insurance premium. FIG. 4 shows programs and data stored in the M storage unit 124 of the vehicle 121. The vehicle-side vehicle operation program 405 is a program that performs processing for operating the vehicle. The vehicle certificate 402 is a public key certificate and includes a public key to be paired with the vehicle private key 401. The vehicle certificate 402 is issued by a public organization such as the Land Transport Bureau, a vehicle manufacturer, or the like, and is also registered with an insurance company at the time of an insurance contract. The vehicle owner certificate 403 is a public key encryption public key, and is the same as the vehicle owner certificate 302. The insurance company certificate 404 is a public key certificate of the insurance company and is the same as the insurance company certificate 303.

1.4. Configuration of Service Provision Management Device (Insurance Company Server) The insurance company server 141 includes an S (S is an abbreviation for management device) communication unit 142, an S display unit 143, an S input unit 144, an S control unit 145, and an S storage unit. 146. The S communication unit 142 is responsible for communication with other devices using Internet communication or the like. The S display unit 143 displays the information transmitted from the S control unit 145 on the screen. The S input unit 144 is responsible for a process in which an insurance company staff inputs information using a keyboard, a touch panel, or the like. The S control unit 145 controls processing of the vehicle insurance company server 141. That is, similarly, a microprocessor (not shown) is provided, and a control process is performed by reading a program stored in the next S storage unit. The S storage unit 146 stores programs and data necessary for processing of the insurance company server 141.
When an insurance company staff constructs a vehicle information collection system, the insurance company server 141 stores programs and data necessary for calculating insurance premiums. As a storage method, the insurance company server 141 is connected to the management server and downloaded, or an external storage medium such as a CD-ROM is installed in the insurance company server 141 and installed.

  FIG. 5 shows programs and data necessary for calculating the insurance premium. FIG. 5 shows a program stored in the S storage unit 146 of the insurance company server 141. The server-side settlement preparation program 505 is a program that performs a settlement preparation process for calculating insurance premiums. The server side settlement program 506 is a program that performs a settlement process for calculating the insurance premium. The private key 501 of the insurance company is a private key for public key encryption and corresponds to the insurance company. The insurance company certificate 502 is a public key certificate and includes a public key that is associated with the insurance company private key 501, and is the same as the insurance company certificate 303 and the insurance company certificate 404. The certificate 502 of the insurance company is issued from a certificate issuing organization or its own company. The vehicle owner certificate 503 is a vehicle owner public key certificate and is the same as the vehicle owner certificate 302 and the vehicle owner certificate 403. The vehicle certificate 504 is a vehicle public key certificate and is the same as the vehicle certificate 402.

2.1. Overall Operation Next, the operation of the present embodiment configured as described above will be described with reference to FIG.
FIG. 6 is a sequence diagram of processing showing a series of operations for performing insurance premium settlement based on vehicle information from the end of the insurance contract procedure to the first insurance premium settlement date.
The operation of the present embodiment is repeated between the end of the insurance contract procedure and the first insurance fee settlement date by the vehicle owner, and the vehicle operation from the start to the stop of the vehicle engine, specifically the engine Start processing 601, engine stop processing 602, insurance premium settlement preparation processing 603 performed on the insurance premium settlement date, vehicle operation from the vehicle owner's first start of the vehicle engine to shutdown after the settlement date, specifically Specifically, the adjustment and engine start processing 604, the adjustment and engine stop processing 605, the insurance fee adjustment processing 606 performed after the vehicle owner first operates the vehicle after the adjustment date, and the vehicle owner Vehicle operation from when the engine is started to when it is stopped, that is, an engine start process 607 and an engine stop process 608 are performed. In other words, as usage information in car insurance services with different insurance premiums depending on the situation, charging is performed based on vehicle information such as usage time, running time per period, speed, etc., and these are not known to third parties and are not falsified Notify

2.2. Vehicle Operation Operations The vehicle operation operations that the vehicle owner repeats between the end of the insurance contract procedure and the first insurance payment date will be described. That is, operations such as processing 601 and processing 602 in FIG. FIG. 7 is a flowchart showing a series of operations of the terminal-side vehicle operation program 201 in the mobile phone 101 when the vehicle owner operates the vehicle 121 using the mobile phone 101, and FIG. It is a flowchart which shows a series of operation | movement of a certain vehicle side vehicle operation program 405. FIG.
First, steps S701 and S801 in these flowcharts are steps for establishing a communication link performed between the vehicle owner's mobile phone 101 and the vehicle 121.
The next important step is the mutual authentication step of S702 and S802. There are various specific methods for this authentication. If the encryption key is shared, the public key may be transmitted, and authentication may be performed based on whether the public key stored in the vehicle matches. In addition to sending the key with the vehicle owner's signature, check the match with the stored signature, improve the correctness of being the owner, further send the signature with a random number, The confidentiality of communication may be enhanced, the vehicle identification information may also be transmitted and checked for coincidence with the stored identification information, or a random number may be used in combination. You can also send a vehicle certificate to check for a match with the stored certificate, send both the vehicle's public key and the vehicle owner's public key to check for a match, etc. The transmission / reception information is matched by combining these various types of transmission information and reception information by checking the exact match of them, or using a random number to increase confidentiality. Authenticate that you are the owner.

The simplest method is in the common data stored in each other, in the vehicle owner's certificate 302 in the UIM U storage 111 in the vehicle owner's mobile phone, and in the vehicle M storage 124 It is also possible to check for a match with the vehicle owner certificate 403. However, each of the above methods can perform authentication more securely and reliably. However, these detailed operations are not directly related to the service, and only authenticate whether the owner of the vehicle is indeed the same as the owner of the mobile phone, so detailed description will be omitted. In any case, it can be confirmed by mutual authentication that the control device (vehicle) or the authority owner device (mobile phone) is not an impersonation device.
S703 and S803 are steps in which the terminal-side vehicle operation program 201 of the mobile phone 101 transmits an operation start request, and the vehicle-side vehicle operation program 405 of the vehicle 121 receives it.
The vehicle-side vehicle operation program 405 determines the operation content (S804), and performs the following different processes depending on operations other than engine start / stop, engine start operation, and engine stop operation.

2.2.1. When the operation other than engine start / stop, such as unlocking / locking the door, is performed, the vehicle-side vehicle operation program 405 transmits a completion notification (S805) and enters the operation state. A transition is made (S812). When receiving the completion notification (S704), the terminal-side vehicle operation program 201 ends the process.

2.2.2. First, the operation at the start of the service will be described. This is a process corresponding to the engine start process 601 of FIG. At the time of engine start operation, the vehicle-side vehicle operation program 405 transmits a payment verification information generation code request (S806). The settlement verification information generation code is a code that is transmitted from the insurance company server to the vehicle owner's mobile phone 101 on the insurance premium settlement date in the sequence shown in FIG. In a case, it is a code for verification. This is necessary for the vehicle 121 to generate settlement verification information for verifying the vehicle information so far after the insurance contract procedure is completed at the time of insurance premium settlement or from the previous insurance premium settlement date. When receiving the payment verification information generation code request (S705), the terminal-side vehicle operation program 201 determines whether or not the payment verification information generation code is stored in the U storage unit 111 (S706). However, since the verification information generation code is not stored between the end of the insurance contract procedure and the first insurance fee settlement date as in the engine start process 601, the terminal-side vehicle operation program 201 ends the process. . If the vehicle-side vehicle operation program 405 determines that it cannot receive the payment verification information generation code (S807, S808), it starts collecting vehicle information (S811) and transitions to the operation state (S812).
Here, the vehicle information is information used for insurance premium calculation, such as measurement start date and time, travel time, travel distance, and the like. Speaking of a general control device, it is usage information such as application start date and time each time a contract service is received, service classification and application time based on the contract, and the like.

2.2.3. This is a process corresponding to the engine stop process 602 of FIG. In the case of the engine stop operation in FIG. 8, the vehicle-side vehicle operation program 405 ends the vehicle information collection (S813). For example, the operation end date and time, and the travel distance from the start to the end of the operation are recorded as vehicle information. Next, the presence / absence of the settlement verification information generation code is verified (S814). However, as in the engine stop process 602, since the settlement verification information generation code is not stored between the end of the insurance contract procedure and the first premium settlement date, verification information is generated (S821). The verification information is information used when generating the payment verification information, and is generated by the following procedure. When the vehicle operation is performed for the first time after the insurance contract procedure is completed or from the last insurance premium settlement date, the hash value of the vehicle information is used as verification information. It is also stored as the next verification code. That is, the next verification information is a hash value between the previous verification code and the next vehicle information. The hash value is a result of calculating vehicle information using a one-way function algorithm. In other words, the result is obtained by inputting to a one-way function. When the vehicle is operated after the second time, the hash value of the vehicle information and the previous verification information is used as the verification information. The vehicle-side vehicle operation program 405 transmits vehicle information (S822), and deletes the vehicle information from the M storage unit 124 (S823). When receiving the vehicle information (S705), the terminal-side vehicle operation program 201 stores the vehicle information in the U storage unit 111 (S709) and ends the process.
In the above description, the hash value is used as an example of the one-way function algorithm, but there is a MAC (Message Authentication Code) as another one-way function algorithm. When MAC is used as a one-way function, a key (password) is also required as an input. As the key (password), a public key of a vehicle or a hash value of a certificate can be used.
FIGS. 13 and 14 show information stored in the U storage unit 111 of the mobile phone 101 of the vehicle owner and the M storage unit 124 of the vehicle 121 after the vehicle owner operates the vehicle. Compared to before vehicle operation, vehicle information 304 and verification information 406 are added.

2.3. Next, at the end of use, the details of the premium settlement preparation process 603 in FIG. 6 will be described with reference to FIG. 9 and FIG. 10 showing the operation for preparing the premium settlement on the insurance premium settlement date. explain. 9 is a flowchart showing a series of operations of the server side settlement preparation program 505 in the insurance company server 141, and FIG. 10 is a flowchart showing a series of operations of the terminal side settlement preparation program 202 in the mobile phone 101 of the vehicle owner. It is.
When the insurance fee settlement date comes, the server side settlement preparation program 505 generates a random number that is different for each vehicle owner (S901). A signature is generated using information (assumed to be “a”) in which a period for paying insurance premiums is added to the generated random number, and the private key 501 of the insurance company. The signature is obtained by calculating the hash value of a using the secret key 501. Insurance premium settlement date is December 31, year-end or March 31, year-end, etc. The premium settlement period is, for example, from January 1, 2005 to December 31, 2005, April 1, 2005. March 31, 2006, etc. may be sufficient. The server side settlement preparation program 505 generates information with the signature added to “a” as a settlement verification information generation code, and transmits it by e-mail or the like (S902, S903).
When receiving the settlement verification information generation code by e-mail or the like (S1001), the terminal side settlement preparation program 202 verifies the settlement verification information generation code using the insurance company certificate 303 (S1002). In the verification, the signature of the settlement verification information generation code is decrypted using the public key acquired from the insurance company certificate 303 to acquire the hash value of a. It is assumed that a hash value is generated from the settlement verification information generation code a, and compared with the decrypted hash value of a. If they do not match, the verification fails. If the verification fails, the process ends. If the verification succeeds, the settlement verification information generation code is stored, a receipt confirmation is transmitted (S1004), and the process ends. The server side settlement preparation program 505 receives the receipt confirmation (S904) and ends the process.

When the server side settlement preparation program 505 cannot receive the receipt confirmation due to a communication failure or the like, the server side settlement preparation program 505 newly generates a random number and transmits a new settlement verification information generation code including the random number. . If the terminal-side settlement preparation program 202 has already received the settlement verification information generation code, it returns a random number included in the existing settlement verification information generation code. If the settlement verification information generation code has not been received before that time, the settlement verification information generation code received this time is used to prepare for settlement, and a receipt confirmation is returned. When the server side settlement preparation program 505 receives the random number, the settlement side verification information generation code including the random number is used for the settlement. When the receipt confirmation is received, the settlement verification information generation code transmitted this time is used for settlement. If re-transmission of the payment verification information generation code by the server-side payment preparation program 505 fails, processing is urged using a reliable means such as a telephone.
FIG. 15 and FIG. 16 show information stored in the S storage unit 146 of the insurance company server 141 and the U storage unit 111 of the mobile phone 101 of the vehicle owner after the preparation for insurance premium settlement. Compared to before preparing for insurance premium settlement, a settlement verification information generation code 507 and a settlement verification information generation code 305 are added, but they are the same.

2.4. Next, the operation of the vehicle operation for the first time after the settlement date. Next, the operation of the vehicle operation until the vehicle owner starts and stops the vehicle engine for the first time after the settlement date, that is, the settlement and engine start processing 604 in FIG. The stop process 605 will be described with reference to FIGS.
Steps S701 to S704 and S801 to S804 are the same as the vehicle operation operation that the vehicle owner repeats from the end of the insurance contract procedure until the first insurance fee settlement date, so the description is omitted here.
The vehicle-side vehicle operation program 405 determines the operation content (S804), and performs different processes depending on operations other than engine start / stop, engine start operation, and engine stop operation.

2.4.1. Operation other than engine start / stop for the first time after the settlement date When the operation other than engine start / stop is performed, the vehicle owner repeats the operation from the end of the insurance contract procedure until the first insurance settlement date. Therefore, the description is omitted here.

2.4.2. At the time of adjustment and the operation of the engine start processing 604, the vehicle-side vehicle operation program 405 transmits a payment verification information generation code request (S806). When receiving the payment verification information generation code request (S705), the terminal-side vehicle operation program 201 determines whether or not the payment verification information generation code is stored in the U storage unit 111 (S706). Since the verification information generation code is stored after preparation for insurance premium settlement, the verification information generation code is transmitted (S707), and the process is terminated. When determining that the payment verification information generation code has been received (S807, S808), the vehicle-side vehicle operation program 405 verifies the payment verification information generation code using the insurance company certificate 404 (S809). The verification method is the same as S1002 of the terminal side settlement preparation program 202. If the verification fails, the process ends. If the verification succeeds, the settlement verification information generation code is stored, vehicle information collection is started (S811), and the operation state is changed (S812).
FIG. 17 shows information stored in the M storage unit 124 of the vehicle 121 after completion of the engine start operation. Compared to before the engine starting operation is performed, the M storage unit 124 is added with a payment verification information generation code 407 and vehicle information 408.

2.4.3. At the time of adjustment and the operation of the engine stop process 605 after the adjustment date, the vehicle-side vehicle operation program 405 ends the vehicle information collection (S813). Next, the presence / absence of the settlement verification information generation code is verified (S814). After the insurance premium settlement preparation, the settlement verification information generation code is stored, so the settlement verification information is generated (S816). Here, the payment verification information is generated based on the vehicle information, the previous storage verification code stored in the M storage unit 124 (generated in S821), and the payment verification information generation code that has been sent. To do. The method for generating the checkout verification information is different between when the vehicle is operated for the first time on the day after the checkout date and when the vehicle is operated over the day after the checkout date.

2.4.4. In particular, the first vehicle operation performed on the day after the settlement date. First, the vehicle-side vehicle operation program 405 compares the operation start date and time with the insurance fee settlement period included in the settlement verification information generation code and the vehicle information collected immediately before. To do. At this time, if the vehicle operation is performed for the first time on the day after the settlement date, the vehicle information collected immediately before is information outside the insurance fee settlement period included in the settlement verification information generation code. 405 generates a hash value of the random number included in the settlement verification information generation code and the verification information 406 (hereinafter referred to as b). The signature of b is generated using the private key 401 of the vehicle, and the information added with the signatures of b and b is used as payment verification information, and is transmitted (S818) and then deleted. When receiving the payment verification information, the terminal-side vehicle operation program 201 stores it in the U storage unit 111 and transmits a vehicle information request (S708). Upon receipt of the vehicle information request (S819, S820), the vehicle-side vehicle operation program 405 generates verification information from the vehicle information (S821), transmits the vehicle information (S822), deletes the vehicle information (S823), The operation state is changed (S812). When receiving the vehicle information, the terminal-side vehicle operation program 201 stores the vehicle information in the U storage unit 111 and ends the process (S707).

2.4.5. In particular, when the vehicle operation is performed across the settlement date and the day after the settlement date, the vehicle information collected immediately before the settlement date is the information generation code for settlement verification. Since there is information included in the premium settlement period included in the vehicle information, vehicle information is divided into information within the period and information outside the period. A hash value of the vehicle information within the period and the verification information 406 is generated to generate new verification information. Thereafter, a random number included in the settlement verification information generation code and a hash value of new verification information are generated (hereinafter referred to as c). The signature of c is generated using the private key 401 of the vehicle, and the information added with the signatures of c and c is used as payment verification information, and after transmission (S818), it is deleted. When receiving the payment verification information, the terminal-side vehicle operation program 201 stores it in the U storage unit 111 and transmits a vehicle information request (S708). Upon receiving the vehicle information request (S819, S820), the vehicle-side vehicle operation program 405 generates verification information from vehicle information outside the period (S821), and transmits vehicle information within and outside the period (S822). The vehicle information is deleted (S823), and the operation state is changed (S812). When receiving the vehicle information, the terminal-side vehicle operation program 201 stores the vehicle information in the U storage unit 111 and ends the process (S707).
FIGS. 18 and 14 show information stored in the U storage unit 111 of the mobile phone 101 of the vehicle owner and the M storage unit 124 of the vehicle 121 after the vehicle owner operates the vehicle. Compared to before the vehicle operation, the U storage unit 111 is added with payment verification information 306.
Since the latest stored verification information is transmitted from the vehicle in this way, the user can use the mobile phone 101 to compare the verification information generated by the insurance company server with the previous vehicle. Tampering with information can be prevented.

2.5. Next, the detailed operation of the insurance fee settlement process 606 in FIG. 6 will be described with reference to FIGS. FIG. 11 is a flowchart showing a series of operations of the terminal side settlement program 203 in the mobile phone 101 of the vehicle owner, and FIG. 12 is a flowchart showing a series of operations of the server side settlement program 506 in the insurance company server 141. . For these, mutual verification described below is basically necessary, but in addition to that, impersonation of each other and information interception can be prevented by applying random numbers and encryption.
When the vehicle owner first stops the vehicle engine / locks the door after the settlement date, the settlement process is started.
The terminal side settlement program 203 transmits a response request to the insurance company server 141. When the server side settlement program 506 of the insurance company server 141 receives the response request, a communication link between the vehicle owner's mobile phone 101 and the insurance company server 141 is established (S1101, S1201).
The server side settlement program 506 transmits a certificate request (S1202). Upon receiving the certificate request (S1102), the terminal-side settlement program 203 transmits the vehicle owner's certificate 302 (S1103). When the server side settlement program 506 receives the vehicle owner's certificate 302 (S1203), the server side settlement program 506 collates it with the user's certificate stored in the S storage unit 146 (S1204). If the verification is successful, the process proceeds to the next step. If verification fails, the program ends. When the server-side settlement program 506 is successfully verified, the server-side settlement program 506 verifies the vehicle owner's certificate (S1206). If the verification is successful, the process proceeds to the next step. If verification fails, exit the program.

Next, the server side settlement program 506 transmits the insurance company certificate 502 (S1208).
The terminal side settlement program 203 receives the certificate 502 of the insurance company (S1104) and performs certificate verification (S1105). If the verification is successful, the process proceeds to the next step. If verification fails, exit the program. Next, the terminal-side settlement program 203 transmits a certificate reception completion notification (S1107).
Upon receipt of the certificate reception completion notification (S1209), the server side settlement program 506 generates a common key generation random number (S1210), generates a random number (S1211), server identification information, a common key generation random number, and a random number. Is encrypted with the vehicle owner's public key (S1212) and transmitted to the mobile phone 101 of the vehicle owner (S1213). The server identification information is an issuer name and serial number included in the certificate 502 of the insurance company. The vehicle owner's public key is obtained from the vehicle owner's certificate 302.

The terminal side settlement program 203 receives the encrypted server identification information, the common key generation random number and the random number (S1108), and decrypts them using the vehicle owner's private key 301 (S1109). Next, the server identification information is verified using the certificate 303 of the insurance company (S1110). If verification is successful, proceed to the next step. If verification fails, exit the program. The terminal-side settlement program 203 generates a common key generation random number (S1112), generates a random number (S1113), encrypts the vehicle owner identification information, the common key generation random number, and the random number with the vehicle public key. (S1114) and transmit (S1115). The identification information of the vehicle owner is the issuer name and serial number included in the vehicle owner certificate 302. The public key of the insurance company is acquired from the certificate 502 of the insurance company.
The server side settlement program 506 receives the encrypted server identification information, the common key generation random number, and the random number (S1214), and decrypts them using the private key 501 of the insurance company (S1215). Next, the vehicle owner's identification information is verified using the vehicle owner's certificate 302 (S1216). If verification is successful, proceed to the next step. If verification fails, exit the program. The server side settlement program 506 generates a common key from the common key generation random number generated in S1210 and the common key generation random number received in S1214 (S1217). For example, a value from the beginning of the hash value acquired by concatenating the common key generation random numbers to the key length is used as the common key. Next, the random number received in S1214 is transmitted to the mobile phone 101 of the vehicle owner (S1218).

The terminal-side settlement program 203 receives the random number (S1116) and verifies it by comparing with the random number generated in S1113 (S1117). If they match, go to the next step. If they do not match, the program ends. The terminal-side settlement program 203 generates a common key from the common key generation random number received in S1108 and the common key generation random number generated in S1112 (S1119). Next, vehicle information and settlement verification information are encrypted using a common key (S1120), transmitted (S1121), and the program is terminated.
The server side settlement program 506 receives the encrypted vehicle information and settlement verification information (S1219), decrypts it using the common key (S1220), and verifies the settlement verification information (S1221). The verification of the settlement verification information uses the public key acquired from the vehicle certificate 504 to decrypt the signature of the settlement verification information (denoted as d). It is assumed that the hash value of the information obtained by removing the signature from the checkout verification information is generated, and if it matches with d, the verification is successful. If they do not match, it is assumed that the verification has failed, and the process is terminated. If the verification is successful, the vehicle information is verified (S1223). The vehicle information is verified by first generating a hash value of the oldest vehicle information for the vehicle information within the insurance premium settlement period. Next, the process of generating the hash value of the hash value plus the next vehicle information is repeated until there is no vehicle information. Finally, a hash value is generated by adding the random number and the hash value of the settlement verification information generation code, and compared with the settlement verification information.

If the vehicle owner deletes part of the vehicle information or changes the contents, the server side settlement program 506 can detect that the information has not been matched with the settlement verification information generated by the vehicle 121. If verification fails, the process ends. If the verification is successful, the insurance premium is calculated from the vehicle information within the insurance premium settlement period (S1225), and the process ends.
If payment verification information or vehicle information verification fails, it is assumed that some fraudulent act has been performed, and a prescribed insurance premium such as an unlimited insurance premium is charged for punishment.
FIG. 19 shows information stored in the S storage unit 146 of the insurance company server 141 after settlement. Compared to before the settlement, vehicle information 508 and settlement verification information 509 are added to the S storage unit 146.
Since the card unit is independent, a detailed description is omitted, but there is also a system in which a dedicated card reader that is not described here and an insurance company server 141 are connected, and the server directly reads the information of the card unit 107. Is possible. In that case, it is impossible to change both the vehicle information and the payment verification information from the mobile phone 101, and the possibility of tampering is further reduced psychologically.

2.6. Vehicle operation after settlement The vehicle operation after the vehicle owner starts and stops the vehicle after settlement, that is, the operations of engine start processing 607 and engine stop processing 608 in FIG. Since this is the same as the vehicle operation from when the vehicle engine is started until it is stopped until the first insurance fee settlement date, that is, the engine start processing 601 and the engine stop processing 602, the description is omitted here.
In addition, when browsing of vehicle information is required, the vehicle owner can browse the vehicle information using the mobile phone 101 of the vehicle owner. An example of the display screen when browsing the vehicle information is shown in FIG.
Further, when an accident occurs while riding, since the vehicle information being measured is recorded in the vehicle, the insurance company can use the information to determine the accident situation and insurance application.

As described above, in this embodiment, an inexpensive individual having a general storage area does not need complicated access control by detecting an illegal act such as a change or deletion of the contents of the vehicle information by the vehicle owner. You can use your own storage media.
Further, by not holding the vehicle information in the vehicle, it is possible to prevent the vehicle information from leaking to a third party during vehicle inspection or trade-in.
Moreover, the risk of the service company by the falsified vehicle information can be avoided by detecting the fraudulent act on the vehicle information in the server of the service company.
Further, by eliminating the need for communication between the vehicle and the server of the service company, the server can safely collect vehicle information without depending on the communication status such as the deterioration of the communication status or the communication load of the server.
Further, by eliminating the need to install a high-performance communication module such as satellite communication or Internet communication in the vehicle, it is possible to reduce the equipment cost installed in the vehicle.

Embodiment 2. FIG.
In this embodiment, in addition to the service in the previous embodiment, a system that applies a similar service when a vehicle is rented to another person will be described. That is, a mode in which the vehicle owner and the vehicle borrower use the service when limited to vehicles will be described. However, of course, as described in the previous embodiment, the present invention is not limited to the borrowing of a vehicle, and is also applied to the case where the borrower borrows the control device from the authority owner in the use service of other devices and instruments. Obviously it will be done.
As an example, when a vehicle is borrowed, the vehicle borrower only has to borrow the vehicle's electronic key, and the vehicle owner is charged for payment of the service fee. The vehicle can be rented without requiring a special operation such as performing a procedure, and the convenience of the vehicle borrower is improved. Since such operations are outside the scope of this description, only the technical configuration and operation will be described here.

3.1. Overall Configuration FIG. 21 is a diagram showing a configuration of a vehicle information collection system in this embodiment.
In FIG. 21, the vehicle owner's mobile phone (authority owner device) 101, vehicle (control device) 121, and insurance company server (service provision management device) 141 are the same as in the first embodiment, and will be described here. Is omitted. As an element added in this embodiment, a vehicle borrower's mobile phone (authorized borrower device) 2101 is a mobile phone held by a person who borrows a vehicle from the vehicle owner (hereinafter, vehicle borrower). .
In this configuration, the vehicle 121 and the insurance company server 141 have the same configuration as in the first embodiment, and thus detailed description thereof is omitted.

3.2. Configuration of Mobile Phone of Vehicle Owner The configuration of mobile phone 101 of the vehicle owner is the same as that in the first embodiment. However, the contents of the P storage unit 106b are different. That is, the P storage unit 106b stores programs and data necessary for lending and operating the vehicle and programs and data necessary for calculating insurance premiums. FIGS. 22 and 3 show such necessary programs and data. FIG. 22 shows a program stored in the P storage unit 106b of the mobile phone 101 of the vehicle owner, and FIG. 3 shows data stored in the U storage unit 111 of the UIM 108. It is. The terminal-side vehicle operation program 201 is a program that performs processing for operating the vehicle. The terminal-side payment preparation program 202 is a program that performs a payment preparation process for calculating insurance premiums. The terminal side settlement program 203 is a program that performs a settlement process for calculating the insurance premium. The vehicle operation authority lending program 2201 is a program that lends vehicle operation authority to lend a vehicle to a person. The vehicle operation authority borrowing program 2202 is a program that borrows vehicle operation authority in order to borrow a vehicle from a person. The vehicle operation authority return program 2203 is a program for returning the vehicle operation authority borrowed from a person. The vehicle operation authority return receipt program 2204 is a program that receives a vehicle operation authority returned from a person.
Since these program and data acquisition methods are the same as the program and data acquisition methods described in the first embodiment, description thereof is omitted here.
Since FIG. 3 showing the U storage unit 111 of the UIM 108 is the same as that in the first embodiment, the description thereof is omitted.

3.3. Configuration of a mobile phone of a vehicle lessee A mobile phone 2101 of a vehicle lessee includes a Q communication unit 2102, a Q display unit 2103, a Q input unit 2104, a Q control unit 2105, a Q storage unit 2106, and a Q card unit 2107. .
The Q communication unit 2102 is responsible for communication with other devices using wireless communication, infrared communication, or the like. The Q display unit 2103 displays the information transmitted from the Q control unit 2105 on the screen. The Q input unit 2104 is responsible for a process in which vehicle borrowing inputs information using an operation button, a touch panel, or the like. The Q control unit 2105 controls processing of the mobile phone 2101 of the vehicle borrower. This function is obtained by reading and executing a program stored in the Q storage unit 2106 by a microprocessor (not shown). The Q storage unit 2106 stores programs and data necessary for processing of the mobile phone 2101 of the vehicle borrower. The Q card unit 2107 can be equipped with a UIM (User Identity Module) 2108 inside.
The UIM 2108 includes a V communication unit 2109, a V control unit 2110, and a V storage unit 2111 inside.
The V communication unit 2109 is responsible for communication with other devices using wireless communication or other communication means. The V control unit 2110 controls processing of the UIM 2108. Also, a control function is obtained by reading and executing a program stored in the V storage unit by a microprocessor (not shown). The V storage unit 2111 stores programs and data necessary for processing of the UIM 2108.

A vehicle borrower uses a vehicle borrower's mobile phone 2101 to purchase a vehicle or borrow another person's vehicle. The data is stored in the mobile phone 2101 of the vehicle borrower. As for the storage method, as with loading of other programs and data, the mobile phone 2101 of the vehicle lessee is connected to a dedicated terminal of the dealer and downloaded, or an external storage medium such as a CD-ROM created by the dealer is used. It is installed in a vehicle borrower's computer, connected to the vehicle borrower's mobile phone 2101 and downloaded.
FIG. 23 and FIG. 24 show programs and data necessary for operating / renting a vehicle and programs and data necessary for calculating insurance premiums. FIG. 23 shows a program stored in the Q storage unit 2106 of the mobile phone 2101 of the vehicle lessee, and FIG. 24 shows data stored in the V storage unit 2111 of the UIM 2108. The terminal-side vehicle operation program 2301 is a program that performs processing for operating the vehicle. The vehicle operation authority borrowing program 2303 is a program that borrows vehicle operation authority in order to borrow a vehicle from a person. The vehicle operation authority return program 2304 is a program that returns a vehicle operation authority borrowed from a person. The vehicle borrower's private key 2401 is a secret key for public key cryptography and corresponds to the vehicle borrower. The vehicle borrower's certificate 2402 is a public key certificate and includes a public key that is paired with the vehicle borrower's private key 2401. The vehicle borrower certificate 2402 is issued by a public organization such as the Land Transport Bureau or a vehicle manufacturer.

4.1. Overall Operation Next, the operation of the system according to the present embodiment configured as described above will be described with reference to FIG.
FIG. 25 is a sequence diagram of processing showing a series of operations for paying insurance premiums based on vehicle information of the vehicle owner and the vehicle borrower from the end of the insurance contract procedure to the first insurance premium settlement date.
The operation of the present embodiment is repeated for the vehicle owner from the end of the insurance contract procedure until the first insurance fee settlement date, the vehicle operation from the start of the vehicle engine to the stop, that is, the engine start processing 2501, engine stop A process 2502, a vehicle operation authority lending process 2503 from the vehicle owner to the vehicle lessee, a vehicle operation from the start of the engine of the vehicle borrowed by the vehicle borrower to the stop, that is, an engine start process 2504, an engine Stop processing 2505, vehicle operation authority return processing 2506 from the vehicle borrower to the vehicle owner, insurance fee reimbursement preparation processing 2507 performed on the insurance reimbursement date, and the vehicle owner starting the vehicle engine for the first time after the reimbursement date Vehicle operation from start to stop, that is, settlement and engine start processing 2508, settlement and engine stop processing 2509, settlement Thereafter, an insurance fee adjustment process 2510 performed after the vehicle owner first operates the vehicle, and a vehicle operation after the vehicle owner starts and stops the vehicle after the adjustment, that is, an engine start process 2511, And engine stop processing 2512.
Hereinafter, these processing operations will be described separately.

4.2. Operation of vehicle operation by vehicle owner Basically, the vehicle operation by the vehicle owner is the same as that in the first embodiment, and therefore, the description of the same part is omitted and the different part will be described.
First, the operation of the vehicle operation that the vehicle owner repeats from the end of the insurance contract procedure to the first insurance premium settlement date, that is, the engine start processing 2501 is the same as that of the first embodiment. That is, processing is performed based on the flowchart of the terminal-side vehicle operation program 201 in FIG. 7 and the flowchart of the vehicle-side vehicle operation program 405 in FIG. In steps S701, S801 to S703, S803, a communication link is established (S701, S801), mutual authentication is performed (S702, S802), and an operation start request is transmitted and received (S703, S803). The authentication steps S702 and S802 are important but will not be described in detail here.
Hereinafter, the vehicle-side vehicle operation program 405 determines the operation content (S804), and performs different processes depending on operations other than engine start / stop, engine start operation, and engine stop operation.
Since operations other than engine start / stop, such as door unlocking / locking, are the same as in the first embodiment, description thereof is omitted here.

4.2.1. In the case of the operation of the engine start process 2501 by the vehicle owner, the steps up to S808 are the same as those in the first embodiment. If it is determined in S808 that the payment verification information generation code cannot be received, the vehicle-side vehicle operation program 405 starts collecting vehicle information (S811) and transitions to the operation state (S812). The vehicle information is information used for insurance premium calculation such as driver identification information, operation start date and time, measurement information of travel distance, and the like. The driver identification information is a public key described in the driver's certificate.

4.2.2. In the case of the operation of the engine stop process 2502 by the vehicle owner, the processes up to S814 are the same as those in the first embodiment. In S814, the presence / absence of the payment verification information generation code is verified, and if it is determined that the payment verification information generation code is not stored, verification information is generated for each driver (S821). The verification information is information used when generating the payment verification information, and is generated by the procedure described in the first embodiment. The verification information is stored for each driver. The steps after S822 are the same as those in the tenth embodiment.
The information stored in the U storage unit 111 of the mobile phone 101 of the vehicle owner and the M storage unit 124 of the vehicle 121 after the vehicle owner performs the vehicle operation is as shown in FIGS. Compared with before performing, vehicle information 304 and verification information 406 are added.

4.3. Vehicle operation authority lending process by the vehicle owner The details of the vehicle operation authority lending process 2503 are performed in the sequence shown in FIG. 27 is a flowchart showing processing performed by the vehicle operation authority lending program 2201 in the P storage unit 106b of the vehicle owner's mobile phone, and FIG. 28 is in the Q storage unit 2106 of the vehicle borrower's mobile phone. 10 is a flowchart showing processing performed by a vehicle operation authority borrowing program 2303.
First, the mobile phone 101 of the vehicle owner transmits a public key request transmission 2601 of the vehicle borrower in S2701. Thereafter, the vehicle owner's public key is transmitted in the procedure described in FIGS. When authentication is completed, a ticket transmission 2605 indicating the authority of the vehicle owner to operate the vehicle is performed.
There are various authentication methods for sending the ticket, but it is not directly related to the high-reliability use information transmission / reception that prevents tampering and information leakage, which is the main point of this application. Description is omitted.
FIG. 31 shows information stored in the V storage unit 2111 in the card unit of the cell phone 2101 of the vehicle borrower after lending operation authority from the vehicle owner to the vehicle borrower. Compared to before the operation authority is lent, the V storage unit 2111 is added with a ticket 2403 indicating the authority to operate the vehicle.

4.4. Vehicle Operation Processing by Vehicle Borrower Engine start processing 2504 by the vehicle borrower is performed based on FIG. 7 and FIG. However, as a matter of course, information unique to the vehicle owner such as a certificate of the vehicle owner is authenticated by information indicated by the ticket 2403.
That is, when an operation start request is transmitted / received after mutual authentication in S701, S801 to S703, and S803, the operation following the engine start is performed in S705, S806 to S812, similarly to the procedure described in the first embodiment.
Engine stop processing 2505 by the vehicle borrower is also performed in the same manner as the procedure described in the first embodiment.
Further, the vehicle 121 classifies and stores the usage information corresponding to the ticket 2403, generates verification information based on the usage information or based on the verification code, and the vehicle borrower's mobile phone 2101 together with the vehicle information. Send to.
FIG. 32 shows information stored in the V storage unit 2111 of the cell phone 2101 of the vehicle lessee after the vehicle lessee has operated the vehicle. Compared to before vehicle operation, vehicle information 2404 is added to the V storage unit 2111.

4.5. Vehicle Operation Authority Return Processing by Vehicle Borrower Next, the operation authority return operation from the vehicle borrower to the vehicle owner will be described with reference to FIGS. 26, 29, and 30. FIG. 29 is a flowchart showing a series of operations of the vehicle operation authority return program 2304 of the vehicle borrower's mobile phone 2101, and FIG. 30 is a series of operations of the vehicle operation authority return receipt program 2204 in the vehicle owner's mobile phone 101.
When the expiration date is included in the ticket 2403 of the mobile phone 2101 of the vehicle lessee, the vehicle operation authority return program 2304 is activated when the expiration date is reached. When the expiration date is not included in the ticket 2403, the vehicle operation authority return program 2304 is activated when the vehicle borrower presses the ticket return operation button using the cell phone 2101 of the vehicle borrower.
The vehicle operation authority return program 2304 verifies the ticket holding status (S2901). Since the ticket 2403 is stored in the cellular phone 2101 of the vehicle lessee, it is confirmed whether or not the expiration date is included in the ticket 2403 (S2902). If the expiration date is included, it is checked whether the expiration date has expired (S2903). If the expiration date is not included in the ticket 2403 or if the expiration date has expired, the vehicle information is transmitted to the vehicle owner's mobile phone 101 by e-mail or the like (S2904), and the ticket 2403 is deleted ( S2605), and the process ends.
When the vehicle owner's mobile phone 101 receives a mail or the like from the vehicle borrower's mobile phone 2101, the vehicle operation authority return receipt program 2204 is activated.
The vehicle operation authority return receipt program 2204 verifies reception of vehicle information (S3001). Since the vehicle information of the vehicle borrower is received, the vehicle information is verified (S3002). In the verification, the driver identification information included in the vehicle information is confirmed using a vehicle borrower's certificate or the like. Thereafter, the vehicle information is stored for each driver.
FIG. 33 shows information stored in the V storage unit 2111 of the card unit in the cell phone 2101 of the vehicle borrower after the operation authority is returned from the vehicle borrower to the vehicle owner. Compared with before the operation authority is returned, the ticket is deleted from the V storage unit 2111.

4.6. Insurance premium settlement preparation processing The insurance premium settlement preparation processing 2507 performed on the insurance premium settlement date is the same as the insurance premium settlement preparation processing 603 according to the first embodiment, and a description thereof will be omitted here.

4.7. Operation of vehicle operation for the first time after the settlement date Next, the operation of the vehicle operation from when the vehicle owner starts the vehicle engine for the first time after the settlement date until it stops will be described with reference to FIGS. .
Steps S701 to S704 and S801 to S804 are the same as the vehicle operation operation that the vehicle owner repeats from the end of the insurance contract procedure until the first insurance fee settlement date, so the description is omitted here.
The vehicle-side vehicle operation program 405 determines the operation content (S804), and performs different processes depending on operations other than engine start / stop, engine start operation, and engine stop operation.
Here, when the first operation other than starting / stopping the engine after the settlement date, that is, the door opening / closing operation, etc., the vehicle owner repeats the operation of the vehicle operation from the end of the insurance contract procedure until the first premium settlement date. Since it is the same as that at the time, description is omitted here.

4.7.1. First engine start operation after the settlement date Since the engine start operation is the same as in the first embodiment, the description thereof is omitted here.

4.7.2. First engine stop operation after the settlement date At the time of engine stop operation, the vehicle-side vehicle operation program 405 ends vehicle information collection (S813). Next, the presence / absence of the settlement verification information generation code is verified (S814). After the insurance premium settlement preparation, the settlement verification information generation code is stored, so the settlement verification information is generated (S816). The method for generating the checkout verification information is different between when the vehicle is operated for the first time on the day after the checkout date and when the vehicle is operated over the day after the checkout date.

4.7.3. In particular, the first vehicle operation performed on the next day of the settlement date. First, according to the flowchart of FIG. 8, the vehicle side vehicle operation program 405 starts the operation from the premium settlement period included in the settlement verification information generation code and the vehicle information collected immediately before. Compare date and time. When the vehicle is operated for the first time on the day after the settlement date, the vehicle information collected immediately before is the information outside the insurance fee settlement period included in the settlement verification information generation code. The verification information 406 is concatenated to generate new verification information. Next, the vehicle-side vehicle operation program 405 generates a random number included in the settlement verification information generation code and a hash value of new verification information (hereinafter referred to as e). Subsequently, a signature for e is generated using the private key 401 of the vehicle, and information added with the signatures of e and e is used as payment verification information. After transmission (S817), the signature is deleted (S818).
When the terminal-side vehicle operation program 201 receives the payment verification information, the terminal-side vehicle operation program 201 stores it in the U storage unit 111 and transmits a vehicle information request (S708). Upon receipt of the vehicle information request (S819, S820), the vehicle-side vehicle operation program 405 generates verification information from the vehicle information (S821), transmits the vehicle information (S822), deletes the vehicle information (S823), The operation state is changed (S812). When receiving the vehicle information, the terminal-side vehicle operation program 201 stores the information in the U storage unit 111 for each driver, and ends the process (S707).

4.7.4. In particular, when the vehicle operation is performed across the settlement date and the next day of the settlement date, the vehicle information collected immediately before the settlement date is included in the settlement verification information generation code. Because there is information included in the insurance premium settlement period, vehicle information is divided into information within the period and information outside the period. The driver verification information corresponding to the driver identification information included in the vehicle information within the period is acquired, a hash value of the vehicle information and the verification information within the period is generated, and new verification information is generated. Thereafter, a random number included in the settlement verification information generation code and a hash value of new verification information are generated (hereinafter referred to as f). The signature of f is generated using the private key 401 of the vehicle, and the information added with the signatures of f and f is used as payment verification information, and is deleted after transmission (S818).
When receiving the payment verification information, the terminal-side vehicle operation program 201 stores it in the U storage unit 111 and transmits a vehicle information request (S708). Upon receiving the vehicle information request (S819, S820), the vehicle-side vehicle operation program 405 generates verification information from vehicle information outside the period (S821), and transmits vehicle information within and outside the period (S822). The vehicle information is deleted (S823), and the operation state is changed (S812). When receiving the vehicle information, the terminal-side vehicle operation program 201 stores the information in the U storage unit 111 for each driver, and ends the process (S707).
FIGS. 18 and 14 show information stored in the U storage unit 111 of the mobile phone 101 of the vehicle owner and the M storage unit 124 of the vehicle 121 after the vehicle owner operates the vehicle. Compared to before the vehicle operation, the U storage unit 111 is added with payment verification information 306.

4.8. Next, FIG. 11 shows a processing flow performed by the terminal side settlement program 203 of the mobile phone 101 of the vehicle owner used in the previous embodiment, with details of the insurance fee settlement processing 2510, the server side of the insurance company server 141 This will be described with reference to FIG. 12 showing a processing flow performed by the settlement program 506.
When the vehicle owner first operates the vehicle after the settlement date, the settlement process is started.
Since the settlement process is the same as that in the first embodiment up to S1119, the description is omitted here.
Next, since the vehicle owner has received vehicle information from the vehicle borrower during the vehicle operation authority return process 2506, the vehicle information including the received vehicle information and the vehicle information for each driver and the settlement verification are included using the common key. The information is encrypted (S1120), transmitted (S1121), and the program is terminated. The server side settlement program 506 receives the encrypted vehicle information and settlement verification information for each driver (S1219), decrypts them using the common key (S1220), and verifies the settlement verification information (S1221). . In order to verify the settlement verification information, the signature of the settlement verification information is decrypted using the public key obtained from the vehicle certificate 504 (denoted as g). It is assumed that the server side settlement program 506 generates a hash value of information obtained by removing the signature from the settlement verification information, and the verification is successful if it matches g. If they do not match, it is assumed that the verification has failed, and the process is terminated. If the verification is successful, the vehicle information is verified (S1223).

In order to verify the vehicle information, a hash value of the oldest vehicle information is first generated for each driver for the vehicle information within the insurance premium settlement period. Next, the server side settlement program 506 repeats the process of generating a hash value obtained by adding the next vehicle information to the hash value for each driver until there is no vehicle information. Next, the server side settlement program 506 generates a hash value of data obtained by concatenating the hash values for each driver. Finally, a hash value is generated by adding the random number and the hash value of the settlement verification information generation code, and compared with the settlement verification information.
If the vehicle owner deletes part of the vehicle information or changes the contents, the server side settlement program 506 can detect that the information has not been matched with the settlement verification information generated by the vehicle 121. If verification fails, the process ends. If the verification is successful, the insurance premium is calculated from the vehicle information within the insurance premium settlement period (S1225), and the process ends.
If payment verification information or vehicle information verification fails, it is assumed that some fraudulent activity has been performed, and a predetermined insurance premium such as an unlimited insurance premium is used.
FIG. 19 shows information stored in the S storage unit 146 of the insurance company server 141 after settlement. Compared to before the settlement, vehicle information 508 and settlement verification information 509 are added to the S storage unit 146.

4.9. Vehicle operation after checkout The vehicle operation after the checkout until the vehicle owner starts and stops the vehicle is repeated from the end of the insurance contract procedure until the first insurance payment date. Since this is the same as the vehicle operation from the start to the stop, the description is omitted here.
In addition, the vehicle owner and the vehicle borrower can browse the vehicle information using the mobile phone 101 of the vehicle owner and the mobile phone 2101 of the vehicle borrower. An example of the display screen when browsing the vehicle information is the same as in FIG.
Further, even when an accident occurs during the vehicle operation of the vehicle owner and the vehicle lessee, since the vehicle information being measured is recorded in the vehicle as in the first embodiment, the insurance company uses the information to record the vehicle information. Accident situation and insurance coverage can be determined.
As described above, in this embodiment, the following effects are added in addition to the effects in the first embodiment. In other words, the vehicle borrower only needs to borrow the electronic key of the vehicle, and the vehicle owner is charged for payment of the service fee, so that the vehicle borrower performs a special contract procedure before boarding the vehicle. The vehicle can be rented without requiring any operation, and the convenience of the vehicle borrower is improved.

In addition, each said embodiment is not limited to said structure, For example, you may change as follows. That is, in the first embodiment and the second embodiment, the public key certificate is used, but any information including the public key may be used.
In addition, data to be transmitted / received between the vehicle and the vehicle owner's mobile phone and between the vehicle owner's mobile phone and the insurance company server is encrypted or / and signed according to the data content and processing load. Also good.
Furthermore, in the second embodiment, between the vehicle and the mobile phone of the vehicle owner, between the vehicle and the mobile phone of the vehicle borrower, between the mobile phone of the vehicle owner and the mobile phone of the vehicle borrower, and the mobile phone of the vehicle owner Data transmitted / received between insurance company servers may be encrypted or / and signed according to the contents of the data and the processing load.
In each of the above-described embodiments, the authentication procedure shown in ISO / IEC 98970-3 three-pass mutual authentication is used at the time of insurance premium settlement, but other authentication procedures that can obtain the same effect are used. Also good.
Furthermore, in each of the above-described embodiments, the timing of starting the operation of the vehicle is the engine start. However, unlocking the door, starting the vehicle, and releasing the parking brake may be used instead. Moreover, the timing of the end of the operation of the vehicle may be used when the door is locked, the vehicle is stopped, or the parking brake is applied, instead of the engine stop.
In the second embodiment, the vehicle borrower may manually delete the expired ticket together with the vehicle information without the vehicle operation authority return program deleting it.

Further, as the authentication of the vehicle operation in the first embodiment, it is confirmed by using the following method that the owner of the mobile phone that is the authority owner device matches the driver of the vehicle that is the control device. Also good.
1) When authentication is obtained after performing biometric authentication using a fingerprint, a voiceprint, or the like on a mobile phone, the vehicle operation is enabled by the mobile phone terminal side vehicle operation program.
2) Install a camera in the vehicle seat, check if the face of the operator matches the face information registered in the mobile phone, and start the engine by the terminal side vehicle operation program. Enable.
3) Vehicle information includes information on driving habits, such as how to step on the accelerator and brakes, travel speed, etc., and was determined based on the driver applied by the vehicle owner and driving habits of the vehicle information at the time of insurance premium adjustment. It is determined whether the driver is the same person.

In each of the above embodiments, the operation start / end date, operation start / end time, and travel distance are used as the vehicle information. Instead, the operation start / end date, operation start / end time are used. Information that can be used for services such as traveling speed at regular intervals may be used.
Similarly, different values may be used for each insurance premium settlement, such as the current time and sequential number, instead of the random number used for the settlement verification information generation code.
Similarly, as a method for generating the adjustment verification information, the adjustment verification information generation code may be encrypted using the verification information as a key instead of generating the hash value.
In the second embodiment, the case where the verification information for all the drivers is connected has been described as the method for generating the adjustment verification information. Instead, the adjustment verification information may be generated for each driver. In this case, payment verification information is generated from the verification information and the payment verification information generation code for each driver.
In the second embodiment, the driver's public key is used as the driver identification information. Instead, the driver's license number, insurance card number, and driver's certificate are included in the driver's certificate. Any information that can identify the driver, such as a calligraphy, may be used.
In each of the above embodiments, the configuration has been described as an apparatus or a system. However, these may be a method of transmitting and receiving highly reliable information by a general-purpose computer using a microprocessor. In that case, a function for realizing the operations of FIGS. 7 and 8 is obtained by a program, the program is stored in each storage unit (memory), read by the processor and executed.

It is a figure which shows the structure of the highly reliable information transmission / reception system in Embodiment 1 of this invention, especially a vehicle information system. It is a figure which shows the program in the memory | storage part of the mobile telephone of a vehicle owner in Embodiment 1. FIG. It is a figure which shows the information in the card | curd part of the mobile telephone of a vehicle owner in Embodiment 1. FIG. 3 is a diagram showing information in a storage unit of a vehicle in the first embodiment. FIG. 6 is a diagram showing information in a storage unit of an insurance company server in Embodiment 1. FIG. 4 is a sequence diagram showing basic processing in Embodiment 1. FIG. It is a figure which shows the processing flow which the vehicle operation program which the vehicle owner in Embodiment 1 has has. It is a figure which shows the processing flow which the vehicle side vehicle operation program in the vehicle in Embodiment 1 performs. It is a figure which shows the processing flow which the server side adjustment preparation program in the server in Embodiment 1 performs. It is a figure which shows the processing flow which the terminal side adjustment preparation program in the terminal in Embodiment 1 performs. It is a figure which shows the processing flow which the terminal side adjustment program in the terminal in Embodiment 1 performs. It is a figure which shows the processing flow which the server side adjustment program in the server in Embodiment 1 performs. It is a figure which shows the information after the contract in the card | curd part of the mobile telephone of the vehicle owner in Embodiment 1. FIG. FIG. 3 is a diagram showing information after a contract in the storage unit of the vehicle in the first embodiment. It is a figure which shows the information containing the adjustment preparation information in the memory | storage part of the insurance company server in Embodiment 1. FIG. It is a figure which shows the information containing the adjustment preparation information in the card | curd part of the mobile telephone of a vehicle owner in Embodiment 1. FIG. It is a figure which shows the information containing the verification information after the adjustment date in the memory | storage part of the vehicle in Embodiment 1. FIG. It is a figure which shows the information containing the verification information after the adjustment date in the card | curd part of the vehicle owner in Embodiment 1. FIG. It is a figure which shows the information containing the verification information after the adjustment date in the memory | storage part of the insurance company server in Embodiment 1. FIG. 6 is a diagram showing an example of browsed vehicle information in Embodiment 1. FIG. It is a figure which shows the structure of the highly reliable information transmission / reception system in Embodiment 2 of this invention, especially a vehicle information system. It is a figure which shows the program in the memory | storage part of the mobile telephone of the vehicle owner in Embodiment 2. FIG. It is a figure which shows the program in the memory | storage part of a mobile telephone of a vehicle borrower in Embodiment 2. FIG. It is a figure which shows the information in the card | curd part of the mobile telephone of a vehicle borrower in Embodiment 2. FIG. FIG. 11 is a sequence diagram showing basic processing in the second embodiment. FIG. 10 is a sequence diagram showing details of a vehicle operation authority lending process in the second embodiment. It is a figure which shows the processing flow which the vehicle operation authority loan program in Embodiment 2 performs. It is a figure which shows the processing flow which the vehicle operation authority borrowing program in Embodiment 2 performs. It is a figure which shows the processing flow which the vehicle operation authority return program in Embodiment 2 performs. It is a figure which shows the processing flow which the vehicle operation authority return receipt program in Embodiment 2 performs. It is a figure which shows the information in the card | curd part of a vehicle borrower after receiving the vehicle operation authority in Embodiment 2. FIG. It is a figure which shows the information in the card | curd part of a vehicle borrower after receiving the vehicle operation authority in Embodiment 2, and drive | working a vehicle. It is a figure which shows the information in a card | curd part of a vehicle borrower after returning the vehicle operation authority in Embodiment 2. FIG.

Explanation of symbols

  101 Vehicle owner's mobile phone (authority owner device), 102 P communication unit, 103 P display unit, 104 P input unit, 105 P (authority owner device) control unit, 106, 106b P storage unit, 107 card unit 108 UIM, 109 U communication unit, 110 U control unit, 111 U storage unit, 121 vehicle (control device), 122 M communication unit, 123 M (control device) control unit, 124 M storage unit (control device memory), 141 insurance company server (service provision management device), 142 S communication unit, 143 S display unit, 144 S input unit, 145 S control unit, 146 S storage unit, 2101 vehicle borrower's mobile phone (authority borrower device), 2102 Q communication unit, 2103 Q display unit, 2104 Q input unit, 2105 Q control unit, 2106 Q storage unit, 2107 Q card unit, 2108 U IM, 2109 V communication unit, 2110 V control unit, 2111 V storage unit, S811 vehicle information collection start step, S813 vehicle information collection end step, S821 verification information generation step, S822 vehicle information transmission step, S823 vehicle information deletion step.

Claims (3)

A control device that obtains vehicle information that is used from the start of operation to the end of operation and generates verification information using the vehicle information, and stores the vehicle information and the verification information received from the control device An authority owner device that receives the vehicle information and the verification information from the authority owner device, and verifies whether the vehicle information has been tampered with by the authority owner device using the verification information. A vehicle information collection system comprising a management device, and performing a service with different charging according to the vehicle information ,
The controller is
A controller memory for storing stores the vehicle information from the time the operation start of the control unit until at the end of the operation,
The control device as the next verification code to generate the verification information using the vehicle information that has been accumulated and stored in the controller memory and the verification code for receiving generated from the rights owner device by the management device memory is stored, and sends the generated the verification information to the authorized owner device, the vehicle information the authority accumulated stored in the controller memory from the authorized owner device receives a transmission request for the vehicle information and sent to the owner device, and a control unit control unit for deleting the vehicle information that has been accumulated and stored from the controller memory by the transmission of the vehicle information,
The authority owner device is:
Authority holding device memory for storing the vehicle information ;
Perform an operation instruction to the control unit, for receiving the vehicle information transmitted from the control unit in response to the operation instruction accumulates storage instruction to the rights owned device memory, transmitted from the management device wherein said receiving the verification information, the vehicle information that was accumulated and stored in the verification information received and the rights owned device memory the said control device by transferring a verification code to said control device generates management An authority owner control that transmits to the device ,
The management device
Wherein to generate the verification code transmitted to the authorized owner device, the verification corresponding to the code for the verification received the verification information and the vehicle information sent from the authorized owner device, the received vehicle information collection system in which the vehicle information by using the use information is characterized Rukoto a management apparatus control unit, which verifies whether it is tampered with by the authorized owner device. A control device that acquires vehicle information, which is usage information from the start of operation to the end of operation, and generates verification information using the vehicle information, and the vehicle used by an authority owner who has access authority to the control device An authority owner device for storing information and the verification information received from the control device; and receiving the vehicle information and the verification information from the authority owner device and using the verification information, the vehicle information is In a vehicle information verification method used in a vehicle information collection system that includes a management device that verifies whether or not it has been tampered with by an authority owner device, and that performs a service with different charges depending on the vehicle information,
And vehicle information storage step of storing stores the vehicle information from the time the operation start of the control device control apparatus until the operation end to the control unit memory provided to the control device,
A first verification code transmission step in which the management device generates a verification code and transmits it to the authority holder device;
A request step in which the control device requests the authority owner device for the verification code transmitted to the authority owner device in the first verification code transmission step;
A second verification code transmission step in which the authority device transmits the verification code to the control device in response to the request step;
The control device that has received the verification code transmitted in the second verification code transmission step uses the vehicle information stored in the control device memory in the verification code and the vehicle information storage step. a generating step of generating the verification information,
The verification information generated by the generation step, a verification code storage step in which the control device is stored in the controller memory as the next verification code,
A vehicle information transmission step in which the control device transmits the vehicle information stored in the vehicle information storage step to the authority holder device in response to a transmission request from the authority owner device;
A verification information transmission step in which the control device transmits the verification information generated by the generation step to the authority holder device;
A deletion step of deleting the vehicle information the vehicle information and the control device to be transmitted has been accumulated and stored in the controller memory by the vehicle information transmission step from the control unit memory,
Vehicle information / verification information transmission step in which the authority owner apparatus transmits the vehicle information transmitted in the vehicle information transmission step and the verification information transmitted in the verification information transmission step to the management apparatus;
The management device that has received the vehicle information and the verification information transmitted in the vehicle information / verification information transmission step uses the received verification information to falsify the vehicle information by the authority owner device. A verification step for verifying whether or not
A vehicle information verification method comprising: An authority owner device used by an authority owner who has access authority of the control device, vehicle information which is use information of the control device from the authority owner device, and verification information generated by the control device are received and And a management device that verifies whether or not the vehicle information has been tampered with by the authority owner device, and is used in a vehicle information collection system that provides services with different charges depending on the vehicle information In the control device ,
A controller memory for storing stores the vehicle information from the time the operation start of the control unit until at the end of the operation,
The verification information is generated using the vehicle information accumulated and stored in the control device memory and the verification code generated by the management device and received from the authority owner device, and the control is used as the next verification code. device memory is stored, and sends the generated the verification information to the authorized owner device, the vehicle information accumulated stored in the controller memory receives a transmission request for the vehicle information from the authorized owner device wherein sent to the authorized owner device, a control device according to claim Rukoto and a control unit control unit for deleting the vehicle information that has been accumulated and stored in the controller memory by the transmission of the vehicle information.

Images