WO2018037894A1 - Authentication device for vehicles - Google Patents


Info

Publication number
WO2018037894A1
Authority
WO
WIPO (PCT)
Prior art keywords
identification information
unit
electronic control
ecu
generated
Application number
PCT/JP2017/028567
Other languages
French (fr)
Japanese (ja)
Inventor
隼基 村田
Original Assignee
株式会社オートネットワーク技術研究所
住友電装株式会社
住友電気工業株式会社
Application filed by 株式会社オートネットワーク技術研究所, 住友電装株式会社, 住友電気工業株式会社
Publication of WO2018037894A1

Classifications

    • B: PERFORMING OPERATIONS; TRANSPORTING
    • B60: VEHICLES IN GENERAL
    • B60R: VEHICLES, VEHICLE FITTINGS, OR VEHICLE PARTS, NOT OTHERWISE PROVIDED FOR
    • B60R16/00: Electric or fluid circuits specially adapted for vehicles and not otherwise provided for; Arrangement of elements of electric or fluid circuits specially adapted for vehicles and not otherwise provided for
    • B60R16/02: Electric or fluid circuits specially adapted for vehicles and not otherwise provided for; Arrangement of elements of electric or fluid circuits specially adapted for vehicles and not otherwise provided for electric constitutive elements
    • B60R16/023: Electric or fluid circuits specially adapted for vehicles and not otherwise provided for; Arrangement of elements of electric or fluid circuits specially adapted for vehicles and not otherwise provided for electric constitutive elements for transmission of signals between vehicle parts or subsystems
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30: Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/44: Program or device authentication
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials

Definitions

  • The present invention relates to a vehicle authentication device.
  • The in-vehicle system disclosed in Patent Document 1 includes an electronic control unit (ECU) and a communication device, and the communication device can wirelessly communicate with an external device outside the vehicle using an Internet protocol.
  • The electronic control device and the communication device are connected via an in-vehicle network, and a part of the electronic control device functions as an authentication device (vehicle authentication device). If the authentication device determines in the state determination process that the vehicle state corresponds to the security ensured state, it registers the device identifier acquired in the identification information acquisition process in the memory; if it determines that the vehicle state does not correspond to the security ensured state, it does not register the device identifier in the memory.
  • When it is determined in the registration process that the device identifier acquired in the identification information acquisition process is registered in the memory, the authentication device permits the exchange of information between the external device specified by the device identifier and the electronic control unit (ECU), and it prohibits the exchange of information when it determines that the device identifier is not registered.
  • The above-described vehicular authentication device disclosed in Patent Document 1 addresses the problem of ensuring vehicle security when communication is performed between an in-vehicle system and an external device using an Internet protocol.
  • This vehicular authentication device is a technique for dealing with unauthorized communication from the outside, and has the problem that it cannot cope with unauthorized communication from the inside that occurs in the in-vehicle network. For example, when an unauthorized electronic control device is connected in the vehicle through some unauthorized work, unauthorized control (spoofing communication, etc.) by this unauthorized electronic control device cannot be prevented.
  • The present invention has been made based on the above-described circumstances, and an object thereof is to provide a vehicular authentication device that can detect an unauthorized connection when an unauthorized electronic control device is connected to a network in the vehicle.
  • An authentication device for a vehicle, which is an example of the present invention, has: a generation unit that generates identification information when a predetermined generation time arrives; a transmission unit that transmits the generated identification information to an electronic control device in response to the generation of the identification information by the generation unit; a registration unit that registers the generated identification information in response to the generation of the identification information by the generation unit; and a determination unit that, when a predetermined vehicle operation start condition is satisfied, performs a predetermined confirmation process to confirm whether reflection information reflecting the identification information registered in the registration unit is stored in the electronic control device, and determines whether or not the electronic control device is a regular device based on a result of the confirmation process.
  • The vehicular authentication device includes a generation unit that generates identification information when a predetermined generation time has arrived, a transmission unit that transmits the generated identification information to the electronic control unit in response to generation of the identification information by the generation unit, and a registration unit that registers the generated identification information in response to the generation of the identification information by the generation unit.
  • Identification information can be generated in response to the arrival of a predetermined generation time and assigned to the registration unit and the electronic control device. Then, when a predetermined vehicle operation start condition is satisfied, a predetermined confirmation process is performed to confirm whether or not the reflection information reflecting the identification information registered in the registration unit is stored in the electronic control device. Based on the result, it can be determined whether or not the electronic control device is a regular device.
  • The reflection information reflecting the identification information is not stored in this electronic control device, so if the confirmation process for confirming whether or not the reflection information reflecting the identification information registered in the registration unit is stored in the electronic control device is performed, it is possible to more accurately determine whether or not the electronic control device is illegally connected.
  • FIG. 1 is a block diagram schematically illustrating an in-vehicle system including the vehicle authentication device according to the first embodiment.
  • FIG. 2 is a flowchart illustrating an ID assignment process performed by the vehicular authentication device according to the first embodiment.
  • FIG. 3 is a flowchart illustrating an authentication process performed by the vehicular authentication device according to the first embodiment.
  • FIG. 4 is an explanatory diagram showing that the ID assigned to each ECU has been updated by the ID assignment process.
  • FIG. 5 is an explanatory diagram conceptually showing a data frame of CAN communication performed by the authentication device and each ECU.
  • FIG. 6A is an explanatory diagram for explaining an ID included in a message of each ECU when a regular ID is assigned to each ECU.
  • FIG. 6B is an explanatory diagram for explaining an ID included in the message of each ECU when an unauthorized ECU is connected.
  • The generation unit may function to generate identification information every time the vehicle operates.
  • The transmission unit may function to transmit the generated identification information to the electronic control device every time the generation unit generates the identification information.
  • The registration unit can function to register the generated identification information every time the generation unit generates the identification information.
  • The determination unit may function to perform a confirmation process every time the vehicle operation start condition is satisfied and determine whether or not the electronic control device is a regular device.
  • The vehicular authentication apparatus configured as described above can generate identification information every time the vehicle operates, and can assign new identification information to the registration unit and the electronic control device every time the vehicle operates. And a confirmation process can be performed for every vehicle operation
  • The generation unit can function to generate identification information every time a predetermined vehicle operation end condition is satisfied, after the vehicle operation end condition is satisfied and before the next vehicle operation start condition is satisfied.
  • The transmission unit may function to transmit the identification information to the electronic control device after the generation of the identification information by the generation unit and before the next vehicle operation start condition is satisfied.
  • The registration unit can function to register the identification information after the generation unit generates the identification information and before the next vehicle operation start condition is satisfied.
  • Identification information is generated after the vehicle operation end condition is satisfied and before the next vehicle operation start condition is satisfied, and in response to this generation the generated information is registered and assigned to the electronic control device before the next vehicle operation start condition is satisfied, so these processes can be performed at a time when the influence on the vehicle operation is relatively small.
  • The timing is highly likely to be a period from the end of the vehicle operation to the next start of the vehicle operation, such as when the vehicle is parked without its owner present. Therefore, if new identification information is generated and assigned after the vehicle operation end condition is satisfied, then even if an unauthorized device is connected before the next vehicle operation start condition is satisfied, it can be more reliably specified, based on the newly assigned identification information, that an unauthorized device is connected.
  • the vehicle authentication device may include a notification unit that performs notification to the outside when the determination unit determines that the electronic control device is not a legitimate device.
  • the vehicular authentication device configured in this way can notify the outside when an unauthorized electronic control device is connected.
  • the generation unit can generate identification information to be given to a plurality of electronic control devices.
  • the transmission unit may transmit each identification information generated by the generation unit to each electronic control device.
  • the registration unit can register each piece of identification information generated by the generation unit.
  • The determination unit may perform a confirmation process so as to collate each piece of identification information registered in the registration unit with information stored in the plurality of electronic control devices, and may determine whether or not the plurality of electronic control devices include an unauthorized device.
  • the device can be specifically identified.
  • An in-vehicle communication system 100 shown in FIG. 1 includes a vehicle authentication device 1 (hereinafter also referred to as authentication device 1) and a plurality of electronic control devices 20 (hereinafter also referred to as ECU (Electronic Control Unit) 20).
  • The authentication device 1 and the electronic control devices 20 are mounted on a vehicle, are connected by a communication line 10, and constitute an in-vehicle network 102 compliant with a communication protocol such as CAN (Controller Area Network).
  • The authentication device 1 includes a control unit 2, a recording unit 4, a communication unit 6, and the like.
  • The authentication device 1 is configured as a gateway ECU in the in-vehicle network 102 and has the known basic functions of a gateway ECU.
  • The control unit 2 is configured using an arithmetic processing device such as a CPU (Central Processing Unit) or an MPU (Micro Processing Unit).
  • The control unit 2 has a function of performing various processes and computations. For example, the control unit 2 reads and executes a program stored in the recording unit 4 or a ROM (Read Only Memory), not shown, and performs various processes such as the processes shown in FIG. 2 and FIG. 3.
  • The recording unit 4 is configured using, for example, an EEPROM (Electrically Erasable Programmable ROM) or a nonvolatile memory element capable of rewriting data such as a flash memory.
  • The recording unit 4 can store ID (identification) information generated by the processing of FIG. 2 described later, and the storage content of the recording unit 4 can be updated at least every time the processing of FIG. 2 is executed.
  • The communication unit 6 is configured as a communication interface connected to the communication line 10 configuring the in-vehicle network 102, and performs transmission and reception of information according to a communication standard such as CAN.
  • The communication unit 6 receives information transmitted from each ECU 20 (ECU 20A, 20B, etc.) of the in-vehicle network 102 by monitoring a signal transmitted through the communication line 10, and gives the received information to the control unit 2, for example. Further, the communication unit 6 transmits information to the ECU 20 connected to the communication line 10 by outputting the transmission information given from the control unit 2 as a signal to the communication line 10.
  • The authentication device 1 is provided with a transmission/reception buffer composed of memory elements such as DRAM (Dynamic Random Access Memory) and SRAM (Static Random Access Memory), and can temporarily store various information.
  • An on signal (hereinafter also referred to as an IG on signal) indicating that the ignition switch has been turned on and an off signal (hereinafter also referred to as an IG off signal) indicating that the ignition switch has been turned off can also be input to the authentication device 1. Specifically, when an ignition switch (not shown) provided in the vehicle on which the in-vehicle communication system 100 is mounted is turned on, an IG on signal is input to the authentication device 1 from an external device (for example, the power supply ECU) mounted on the vehicle, and when the ignition switch is turned off, an IG off signal is input to the authentication device 1.
  • The plurality of ECUs 20 provided in the in-vehicle communication system 100 can be configured as various known ECUs such as a powertrain ECU, a steering system ECU, a brake system ECU, a communication system ECU, a safety system ECU, a body system ECU, and a multimedia system ECU.
  • Each ECU 20 includes a control unit 24, a recording unit 26, a communication unit 22, and the like.
  • A control unit 24A, a recording unit 26A, and a communication unit 22A are provided in the first ECU 20A, and a control unit 24B, a recording unit 26B, and a communication unit 22B are provided in the second ECU 20B.
  • The control unit 24 of the ECU 20 is configured using an arithmetic processing device such as a CPU (Central Processing Unit) or an MPU (Micro Processing Unit).
  • The recording unit 26 is configured using, for example, an EEPROM (Electrically Erasable Programmable ROM) or a rewritable nonvolatile memory element such as a flash memory.
  • The ECU 20 is also provided with ROM, RAM, and the like in addition to the nonvolatile memory.
  • The communication unit 22 is configured as a communication interface connected to the communication line 10 and transmits and receives information according to a communication standard such as CAN.
  • The control unit 2 of the authentication device 1 monitors the input of the IG on signal to the authentication device 1 and the input of the IG off signal to the authentication device 1. For example, when the IG off signal is input to the authentication device 1, the process of FIG. 2 starts.
  • The control unit 2 first performs the process of step S1 to generate a new ID (identification information).
  • Random numbers are generated using a known random number generation program, and random numerical values (random numbers) are extracted from a certain numerical range.
  • The extracted numerical value (random number) itself, or a numerical value obtained by combining the numerical value (random number) with a predetermined numerical value, is used as a new ID (identification information).
  • The control unit 2 generates as many such IDs (identification information) as there are ECUs 20 to be communicated with, individually generating the ID (identification information) assigned to each ECU 20.
  • If the ID (identification information) assigned to one of the ECUs 20 and the ID (identification information) assigned to another ECU 20 overlap when the IDs are generated, the IDs assigned to the ECUs 20 are kept from being duplicated, for example, by generating the ID for one ECU 20 again.
  • FIG. 4 conceptually shows the old ID assigned to each ECU 20 and the newly generated new ID.
  • ID11 is assigned to the ECU 20A and ID12 is assigned to the ECU 20B before execution of the process of FIG. 2, and by executing the process of step S1 of FIG. 2, ID21 is generated as a new ID to be assigned to the ECU 20A.
  • IDs assigned to ECUs other than the ECUs 20A and 20B are generated in the same manner.
  • The control unit 2 corresponds to an example of a generation unit, and an ID (identification information) is generated every time the ignition switch is turned on and the vehicle operates. Specifically, the control unit 2 functions to generate an ID (identification information) when a predetermined generation time arrives (from when the vehicle operation end condition is satisfied until the next vehicle operation start condition is satisfied).
  • The control unit 2 performs the process of step S2 after the process of step S1 shown in FIG. 2, and transmits the ID (identification information) newly generated by the process of step S1 to each ECU 20.
  • The new ID21 of the ECU 20A generated in the latest step S1 is transmitted to the ECU 20A, to which ID11 had been assigned before the execution of the process of FIG. 2.
  • The new ID22 of the ECU 20B generated in the latest step S1 is transmitted to the ECU 20B, to which ID12 had been assigned before the execution of the process of FIG. 2.
  • A new ID is transmitted to ECUs other than the ECUs 20A and 20B in the same manner.
  • When a new ID is transmitted to each ECU 20 by the process of step S2, the new ID is transmitted, for example, together with a predetermined update request command for requesting an ID update and the old ID.
  • The destination ECU 20 is specified by the old ID, and when the ECU 20 receives the data including the update request command and the new ID, it can rewrite its own ID stored so far to the newly received ID.
  • When the control unit 2 transmits data including the old ID (ID11 shown in FIG. 4), the update request command, and the new ID (ID21 shown in FIG. 4) to the ECU 20A by the process of step S2, the ECU 20A can recognize from the old ID that the data is addressed to it and receive the data. The ECU 20A that has received this data then follows the update request command: it deletes the old ID (ID11 shown in FIG. 4) stored until then in the recording unit 26A, and updates its own ID by storing the new ID included in the received data (ID21 shown in FIG. 4) in the recording unit 26A. Similarly, when the control unit 2 transmits data including the old ID (ID12 shown in FIG. 4), the update request command, and the new ID (ID22 shown in FIG. 4) to the ECU 20B, the ECU 20B can recognize from the old ID that the data is addressed to it and receive the data. The ECU 20B that has received this data then follows the update request command: it deletes the old ID (ID12 shown in FIG. 4) stored until then in the recording unit 26B, and updates its own ID by storing the new ID included in the received data (ID22 shown in FIG. 4) in the recording unit 26B. In this way, the ID stored in each recording unit 26 of the ECU 20 is updated.
  • The method for assigning IDs to the ECUs 20 shown here is merely an example, and the method is not limited to this as long as the generated new IDs can be stored in each ECU 20.
  • The control unit 2 corresponds to an example of a transmission unit, and functions to transmit the generated ID (identification information) to the ECU 20 (electronic control unit) in response to the generation of the ID (identification information) in the process of step S1.
  • The control unit 2 functions to transmit the generated ID (identification information) to the ECU 20 (electronic control device) each time an ID (identification information) is generated by the process of step S1. More specifically, it functions to transmit the ID (identification information) to the ECU 20 (electronic control unit) after the ID (identification information) is generated by the processing in step S1 and before the vehicle operation start condition is next satisfied (specifically, before the next IG ON signal is input to the authentication device 1).
  • The control unit 2 performs the process of step S3 after the process of step S2 shown in FIG. 2, and performs a registration process so that the recording unit 4 stores the new ID transmitted to each ECU 20.
  • The authentication apparatus 1 stores the new IDs stored in each ECU 20 as a list.
  • The control unit 2 and the recording unit 4 correspond to an example of a registration unit, and function so that the ID (identification information) generated in response to the generation of the ID (identification information) by the processing in step S1 is registered in the authentication device.
  • The registration unit functions to register the generated ID (identification information) every time an ID (identification information) is generated by the process of step S1. Specifically, it functions to register the ID (identification information) after the ID (identification information) is generated by the process of step S1 and before the next vehicle operation start condition is satisfied (specifically, before the next IG ON signal is input to the authentication device 1).
  • The authentication device 1 starts or continues the CAN communication in step S11 with the start of the process of FIG. 3.
  • The authentication device 1 and the ECU 20 perform mutual communication according to a known CAN protocol when performing CAN communication.
  • The ECU 20 transmits a data frame as shown in FIG. 5 in CAN communication.
  • This data frame has a known frame structure used in CAN communication, and carries the ECU's own ID (the ID assigned by the above-described processing of FIG. 2 and recorded in the recording unit) after the SOF (Start Of Frame).
  • The transmission node can be identified by the ID after the SOF, and the priority order of communication arbitration can be determined. Since the frame structure other than the ID is known, the details are omitted.
  • In step S11, the control unit 2 monitors messages transmitted via the communication line 10 (CAN communication line) while the CAN communication is continuing. If a transmitted message is detected, the determination in step S12 is performed. In step S12, the control unit 2 collates the ID included in the detected message with the IDs recorded in the recording unit 4 (the list of IDs (identification information) registered in the process of the latest step S3). If the ID of the detected message is a regular ID registered in the recording unit 4 (in the case of No determination in step S12), the authentication process in FIG. In this case, since the detected message is a regular message transmitted from the regular ECU 20, normal communication according to the CAN protocol is continued.
  • When it is determined in step S12 shown in FIG. 3 that the ID of the message detected by the control unit 2 (the message transmitted to the communication line 10) is an unauthorized ID not registered in the recording unit 4 (Yes in step S12), the control unit 2 performs the process of step S13 and discards the message. Specifically, the control unit 2 transmits an error frame in step S13 in response to reception of this message (the message including an unauthorized ID). As a result, the ECUs 20 connected to the communication line 10 are notified of the occurrence of an error so that the message including the unauthorized ID is not used.
  • The process of step S12 is the "predetermined confirmation process", a process for confirming whether or not reflection information (specifically, the identification information itself) reflecting an ID (identification information) registered in the recording unit 4 (registration unit) is stored in the ECU 20 (electronic control unit). That is, if the ID of the message transmitted from the ECU 20 is a regular ID registered in the recording unit 4, the reflection information (specifically, the ID itself) reflecting the ID registered in the recording unit 4 is stored in the ECU 20, and this is what step S12 confirms.
  • The control unit 2 performs a notification process in step S14 after the process in step S13 shown in FIG. 3.
  • The notification process in step S14 may be a process for notifying that an unauthorized device is connected.
  • The abnormality (that an unauthorized device is connected) may be notified by a display device such as a lamp or a display provided in the vehicle, by a method of performing a predetermined display (display of a predetermined mark, a predetermined message, or the like).
  • The abnormality notification is not limited to such notification to the user, and is not limited to visual notification.
  • It may be transmission of abnormality information to a predetermined in-vehicle device, or transmission of abnormality information to an external device. Or alerting may be performed
  • The control unit 2 corresponds to an example of a determination unit. When a predetermined vehicle operation start condition is satisfied (for example, when an IG on signal is generated and the vehicle is started), it performs a predetermined confirmation process for confirming whether or not the reflection information reflecting the ID (identification information) registered in the registration unit is stored in the ECU 20 (electronic control apparatus), and functions to determine whether or not the ECU 20 (electronic control apparatus) is a regular device based on the result of the confirmation process.
  • The control unit 2 functions to perform a confirmation process every time a vehicle operation start condition is satisfied and determine whether the ECU 20 (electronic control device) is a regular device.
  • The control unit 2 corresponds to an example of a notification unit, and functions to perform notification to the outside when the determination unit determines that the ECU 20 (electronic control device) is not a regular device.
  • The authentication device 1 of the present configuration has a generation unit that generates an ID (identification information) when a predetermined generation time has arrived, a transmission unit that transmits the generated ID (identification information) to the ECU 20 (electronic control device) in response to the generation of the ID (identification information) by the generation unit, and a registration unit that registers the generated ID (identification information) in response to the generation of the ID (identification information) by the generation unit.
  • An ID (identification information) can be generated in response to the arrival of a predetermined generation time, and can be assigned to the registration unit of the authentication device 1 and each ECU 20 (electronic control device). Then, when a predetermined vehicle operation start condition is satisfied, the control unit 2 corresponding to the determination unit performs a predetermined confirmation process for confirming whether or not reflection information (specifically, the identification information itself) reflecting the ID (identification information) registered in the recording unit 4 (registration unit) is stored in the ECU 20, and based on the confirmation result, it can be determined whether or not the ECU 20 is a legitimate device.
  • When the electronic control device to be determined is one that was connected without authorization later, the reflection information reflecting the ID (identification information) registered in the recording unit 4 (registration unit) is not stored in it. Therefore, by performing the confirmation process to check whether the reflection information reflecting the ID (identification information) registered in the recording unit 4 (registration unit) is stored in the electronic control unit, it is possible to more accurately determine whether or not the electronic control unit is an unauthorized connection.
  • each ECU 20 as shown in FIG. 6 (A). 3 is a regular ID stored in each ECU 20, the determination of Yes is not made in step S13 shown in FIG. 3 at the time of transmission of any message, and the authentication apparatus 1 can confirm that an unauthorized electronic control device is not connected.
  • the ECU 20B shown in FIG. 1 is replaced with a fraudulent ECU, the fraudulent ECU cannot know the legitimate ID. Therefore, as shown in FIG.
  • the ID is an unauthorized ID that is not registered in the recording unit 4.
  • step S13 shown in FIG. 3 the authentication device 1 can specify that the unauthorized ECU is connected and can appropriately deal with the message from the unauthorized ECU.
  • the control unit 2 corresponding to the generation unit functions to generate ID (identification information) every time the vehicle operates, and the control unit 2 and communication unit 6 corresponding to the transmission unit generate ID (identification information). Each time it is performed, it functions to transmit the generated ID (identification information) to the ECU 20 (electronic control unit).
  • the control unit 2 and the recording unit 4 corresponding to the registration unit function to register the generated ID (identification information) every time ID (identification information) is generated, and control corresponding to the determination unit.
  • the unit 2 performs a confirmation process every time the vehicle operation start condition is satisfied, and functions to determine whether or not the electronic control device is a regular device.
  • the vehicular authentication device 1 configured as described above can generate an ID (identification information) every time the vehicle operates, and each time the vehicle operates, a new ID (identification information) is recorded in the recording unit 4 and the ECU 20. (Electronic control unit). And a confirmation process can be performed for every vehicle operation
  • the control unit 2 corresponding to the generation unit obtains an ID (identification information) every time a predetermined vehicle operation end condition is satisfied until the next vehicle operation start condition is satisfied after the vehicle operation end condition is satisfied. Functions to generate.
  • the control unit 2 and the communication unit 6 corresponding to the transmission unit transmit the ID (identification information) to the ECU 20 (electronic control unit) after the ID (identification information) is generated and until the next vehicle operation start condition is satisfied.
  • the control unit 2 and the recording unit 4 corresponding to the registration unit generate ID (identification information) after the ID (identification information) is generated and until the next vehicle operation start condition is satisfied. ) To register.
  • ID identification information
  • ECU 20 electronic control unit
  • these processes can be performed at a time when the influence on the vehicle operation is relatively small.
  • the timing is highly likely to be a period from the end of the vehicle operation to the next start of the vehicle operation, such as when the vehicle is parked with the owner absent.
  • the vehicular authentication device 1 having this configuration includes a notification unit that performs notification to the outside when the control unit 2 corresponding to the determination unit determines that the electronic control device is not a legitimate device.
  • the vehicular authentication device 1 configured as described above can inform the outside when an unauthorized electronic control device is connected.
  • the control unit 2 corresponding to the generation unit generates IDs (identification information) to be given to the plurality of ECUs 20 (electronic control devices) in the process of step S1 in FIG. 2, and the control unit 2 corresponding to the transmission unit.
  • the communication unit 6 can transmit each ID (identification information) produced
  • the control unit 2 and the recording unit 4 corresponding to the registration unit can register each ID (identification information) produced
  • the control unit 2 corresponding to the determination unit performs, by the process of step S12, a confirmation process that collates each ID (identification information) registered in the recording unit 4 (registration unit) with the information stored in the plurality of ECUs 20 (electronic control devices) (specifically, the IDs included in messages from the respective ECUs 20 are collated with the list in the recording unit 4), and functions to determine whether or not an unauthorized device is included in the plurality of electronic control devices.
  • an ID identification information
  • the device can be specifically identified.
  • in Example 1, an example in which the in-vehicle network 102 is composed of the authentication device 1 and several ECUs 20 was shown, but the configuration is not limited to this example. In any example of the present specification, devices other than the authentication device 1 and the ECU 20 may be connected to the in-vehicle network 102.
  • the identification information is input after the IG OFF signal is input.
  • generates was shown, it is not limited to this example. In any example of the present specification, it is only necessary that the identification information can be generated and updated between the generation of the IG on signal and the generation of the next IG on signal.
  • the identification information (ID) may be generated and registered in the authentication device 1 and assigned to each ECU 20.
  • registration of identification information (ID) to the authentication device 1 and transmission to each ECU 20 may be performed during operation of the vehicle (while the ignition switch is on), or may be performed promptly after the operation of the vehicle is completed (after the ignition switch is turned off).
  • the identification information (ID) is generated, registered in the authentication device 1 and assigned to each ECU 20 every time the vehicle operates once (every time the ignition switch is turned on once), but it is not limited to this example. In any example of the present specification, identification information (ID) may, for example, be generated at a predetermined timing every time the vehicle operates a predetermined number of times (every time the ignition switch is turned on a predetermined number of times), registered in the authentication device 1 and assigned to each ECU 20.
  • Example 1 although the example which produces
  • common identification information is generated as information different from the ID assigned to each ECU 20, and this identification information is connected to the authentication device 1. You may make it memorize
  • the identification information itself is illustrated as an example of “reflection information reflecting the identification information”.
  • the reflection information may be information obtained based on the identification information. Information obtained by applying a predetermined process to the identification information may be used. For example, it may be a part of the identification information, or information obtained by encrypting the identification information.
  • when a part of the identification information is assigned to the ECU 20 as the reflection information, it may be determined, for example in step S12, whether or not the part of the identification information recorded in the recording unit 4 is included in the message from the ECU 20.
  • it is possible to use a method in which encrypted information obtained by encrypting the identification information based on predetermined key information is transmitted to the ECU 20 as reflection information in step S2 and thereby assigned to the ECU 20.
  • key information for decrypting the encrypted information is recorded in the recording unit 4 at the timing of step S2, step S3 or the like, and in step S12 the encrypted information included in the message from the ECU 20 is decrypted with the key information and it is determined whether or not the result matches the identification information recorded in the recording unit 4.
  • the process of determining whether or not the ID of the message transmitted from the ECU 20 is a regular ID registered in the recording unit 4 is exemplified, but any method that can confirm whether or not the reflection information reflecting the identification information registered in the registration unit is stored in the electronic control device may be used.
  • the authentication device 1 may request from the ECU 20 the information newly registered at the end of the previous vehicle operation, and compare the information returned from the ECU 20 with the identification information registered in the registration unit.
  • an IG ON signal has been input to the authentication device 1
  • as the predetermined vehicle operation start condition, any condition may be used as long as the start of vehicle operation can be specified or estimated.
  • it may be “the accessory switch is turned on”, “operation of a predetermined device such as a starter or an engine has started”, “injected” or the like, or “an external signal such as a keyless signal has been detected by the vehicle”.
  • the predetermined vehicle operation end condition is not limited to “an IG off signal has been input to the authentication device 1” as long as the vehicle operation end can be specified or estimated.
  • it may be “the operation of a predetermined device such as a starter or an engine has been stopped”, or “battery power is no longer supplied to a predetermined circuit”. It may be “no longer detected by the vehicle”.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Mechanical Engineering (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Small-Scale Networks (AREA)

Abstract

Provided is an authentication device for vehicles, capable of detecting the connection of an unauthorized electronic control device to an in-vehicle network. This authentication device (1) comprises: a generation unit which generates identification information when it is time for generation; a transmission unit which transmits the generated identification information to an ECU (20) in response to the generation of identification information by the generation unit; a registration unit which registers the generated identification information in response to the generation of identification information by the generation unit; and a determination unit which, if a predetermined vehicle movement starting condition is satisfied, performs predetermined confirmation processing for confirming whether or not reflection information reflecting the identification information registered by the registration unit is stored in the ECU (20), and determines whether or not the ECU (20) is an authorized device on the basis of the result of the confirmation processing.

Description

Vehicle authentication device
The present invention relates to a vehicle authentication device.
The in-vehicle system disclosed in Patent Document 1 includes an electronic control unit (ECU) and a communication device, and the communication device can communicate wirelessly with an external device outside the vehicle using an Internet protocol. The electronic control unit and the communication device are connected via an in-vehicle network, and a part of the electronic control unit functions as an authentication device (vehicle authentication device). If the authentication device determines in a state determination process that the vehicle state corresponds to a security-ensured state, it registers the device identifier acquired in an identification information acquisition process in a memory; if it determines that the vehicle state does not correspond to the security-ensured state, it does not register the device identifier in the memory. Furthermore, when the authentication device determines in a registration process that the device identifier acquired in the identification information acquisition process is registered in the memory, it permits the exchange of information between the external device specified by that device identifier and the electronic control unit (ECU), and when it determines that the device identifier is not registered, it prohibits the exchange of information.
JP 2013-193598 A
The vehicle authentication device disclosed in Patent Document 1 addresses the problem of ensuring vehicle security when communication is performed between an in-vehicle system and an external device using an Internet protocol. However, this vehicle authentication device is a technique aimed at dealing with unauthorized communication from the outside, and it cannot cope with unauthorized communication that originates inside the in-vehicle network. For example, when an unauthorized electronic control device has been connected inside the vehicle through some unauthorized work, unauthorized control (spoofed communication and the like) by this unauthorized electronic control device cannot be prevented.
The present invention has been made in view of the above circumstances, and an object thereof is to provide a vehicle authentication device that can detect an unauthorized connection when an unauthorized electronic control device is connected to a network in the vehicle.
A vehicle authentication device which is an example of the present invention has:
a generation unit that generates identification information when a predetermined generation time arrives;
a transmission unit that transmits the generated identification information to an electronic control device in response to the generation of the identification information by the generation unit;
a registration unit that registers the generated identification information in response to the generation of the identification information by the generation unit; and
a determination unit that, when a predetermined vehicle operation start condition is satisfied, performs a predetermined confirmation process to confirm whether or not reflection information reflecting the identification information registered in the registration unit is stored in the electronic control device, and determines whether or not the electronic control device is a regular device based on a result of the confirmation process.
This vehicle authentication device has a generation unit that generates identification information when a predetermined generation time arrives, a transmission unit that transmits the generated identification information to the electronic control device in response to the generation of the identification information by the generation unit, and a registration unit that registers the generated identification information in response to the generation of the identification information by the generation unit. According to this configuration, identification information can be generated in response to the arrival of the predetermined generation time and assigned to the registration unit and the electronic control device. Then, when the predetermined vehicle operation start condition is satisfied, a predetermined confirmation process is performed to confirm whether or not reflection information reflecting the identification information registered in the registration unit is stored in the electronic control device, and based on the confirmation result it can be determined whether or not the electronic control device is a regular device. In other words, when the electronic control device to be determined was connected without authorization afterwards, reflection information reflecting the identification information is not stored in this electronic control device. Therefore, performing the confirmation process to confirm whether or not reflection information reflecting the identification information registered in the registration unit is stored in the electronic control device makes it possible to determine more accurately whether or not the electronic control device is an unauthorized connection.
FIG. 1 is a block diagram schematically illustrating an in-vehicle system including the vehicle authentication device according to Example 1.
FIG. 2 is a flowchart illustrating an ID assignment process performed by the vehicle authentication device according to Example 1.
FIG. 3 is a flowchart illustrating an authentication process performed by the vehicle authentication device according to Example 1.
FIG. 4 is an explanatory diagram showing that the ID assigned to each ECU has been updated by the ID assignment process.
FIG. 5 is an explanatory diagram conceptually showing a data frame of CAN communication performed by the authentication device and each ECU.
FIG. 6(A) is an explanatory diagram for explaining the ID included in a message of each ECU when a regular ID is assigned to each ECU, and FIG. 6(B) is an explanatory diagram for explaining the ID included in a message of each ECU when an unauthorized ECU is connected.
Here, desirable examples of the invention are shown.
The generation unit may function to generate identification information every time the vehicle operates. The transmission unit may function to transmit the generated identification information to the electronic control device every time the generation unit generates the identification information. The registration unit may function to register the generated identification information every time the generation unit generates the identification information. The determination unit may function to perform the confirmation process every time the vehicle operation start condition is satisfied and determine whether or not the electronic control device is a regular device.
The vehicle authentication device configured in this way can generate identification information every time the vehicle operates, and can assign new identification information to the registration unit and the electronic control device every time the vehicle operates. The confirmation process can then be performed for every vehicle operation to determine whether or not the electronic control device is a regular device. This reduces the risk of leakage of the identification information that results from using the same identification information for a long period, and enables a more reliable determination.
The generation unit may function to generate identification information, every time a predetermined vehicle operation end condition is satisfied, in the period after the vehicle operation end condition is satisfied and before the next vehicle operation start condition is satisfied. The transmission unit may function to transmit the identification information to the electronic control device after the generation unit generates the identification information and before the next vehicle operation start condition is satisfied. The registration unit may function to register the identification information after the generation unit generates the identification information and before the next vehicle operation start condition is satisfied.
In this way, if identification information is generated after the vehicle operation end condition is satisfied and before the next vehicle operation start condition is satisfied, and, in response to this generation, the generated information is registered and assigned to the electronic control device before the next vehicle operation start condition is satisfied, these processes can be performed at a time when the influence on the vehicle operation is relatively small. In addition, if an unauthorized device is newly connected in the vehicle, the timing is highly likely to be a period from the end of the vehicle operation to the next start of the vehicle operation, such as when the vehicle is parked with the owner absent. Therefore, if new identification information is generated and assigned after the vehicle operation end condition is satisfied, then even if an unauthorized device is connected before the next vehicle operation start condition is satisfied, it can be specified more reliably, based on the newly assigned identification information, that an unauthorized device is connected.
The vehicle authentication device may have a notification unit that performs notification to the outside when the determination unit determines that the electronic control device is not a regular device.
The vehicle authentication device configured in this way can make the outside aware when an unauthorized electronic control device is connected.
The generation unit may generate identification information to be given to each of a plurality of electronic control devices. The transmission unit may transmit each piece of identification information generated by the generation unit to the respective electronic control device. The registration unit may register each piece of identification information generated by the generation unit. The determination unit may perform the confirmation process so as to collate each piece of identification information registered in the registration unit with the information stored in the plurality of electronic control devices, and determine whether or not an unauthorized device is included in the plurality of electronic control devices.
In this way, by individually assigning identification information to each of the plurality of electronic control devices, when any electronic control device is replaced with an unauthorized device, that device can be specifically identified.
<Example 1>
Example 1, which embodies the present invention, is described below.
An in-vehicle communication system 100 shown in FIG. 1 includes a vehicle authentication device 1 (hereinafter also referred to as authentication device 1) and a plurality of electronic control devices 20 (hereinafter also referred to as ECU (Electronic Control Unit) 20). The authentication device 1 and the electronic control devices 20 are mounted on a vehicle and are connected by a communication line 10, constituting an in-vehicle network 102 compliant with a communication protocol such as CAN (Controller Area Network). In FIG. 1, two ECUs 20A and 20B are illustrated as the ECUs 20 that can communicate with the authentication device 1, but many other ECUs are also connected in a configuration that can communicate with the authentication device 1.
 認証装置1は、制御部2、記録部4、通信部6などを備えており、例えば車載ネットワーク102におけるゲートウェイECUとして構成され、ゲートウェイECUとしての公知の基本機能を備えている。 The authentication device 1 includes a control unit 2, a recording unit 4, a communication unit 6, and the like. For example, the authentication device 1 is configured as a gateway ECU in the in-vehicle network 102 and includes a known basic function as the gateway ECU.
 制御部2は、CPU(Central Processing Unit)又はMPU(Micro Processing Unit)等の演算処理装置を用いて構成されている。制御部2は、様々な処理や演算を行う機能を有し、例えば記録部4又は図示しないROM(Read Only Memory)等に記憶されたプログラムを読み出して実行することにより、図2、図3に示す処理などの各種処理を行う。 The control unit 2 is configured using an arithmetic processing device such as a CPU (Central Processing Unit) or an MPU (Micro Processing Unit). The control unit 2 has a function of performing various processes and computations. For example, the control unit 2 reads and executes a program stored in the recording unit 4 or a ROM (Read 図 示 Only し な い Memory) not shown in FIG. 2 and FIG. 3. Various processes such as the process shown in FIG.
 記録部4は、例えば、EEPROM(Electrically Erasable Programmable ROM)又はフラッシュメモリ等のデータ書換可能な不揮発性のメモリ素子を用いて構成されている。この記録部4には、後述する図2の処理で生成されたID(identification)情報が記憶可能とされており、記録部4の記憶内容は少なくとも図2の処理の実行毎に更新され得る。 The recording unit 4 is configured using, for example, an EEPROM (Electrically Erasable Programmable ROM) or a nonvolatile memory element capable of rewriting data such as a flash memory. The recording unit 4 can store ID (identification) information generated by the processing of FIG. 2 described later, and the storage content of the recording unit 4 can be updated at least every time the processing of FIG. 2 is executed.
 通信部6は、車載ネットワーク102を構成する通信線10に接続された通信インタフェースとして構成され、例えばCANなどの通信規格による情報の送受信を行う。通信部6は、例えば、通信線10で伝送される信号を監視することによって車載ネットワーク102の各ECU20(ECU20A,20Bなど)が送信した情報を受信し、受信した情報を制御部2に与える。また、通信部6は、制御部2から与えられた送信用の情報を信号として通信線10へ出力することによって、この情報を通信線10に接続されたECU20に送信する。 The communication unit 6 is configured as a communication interface connected to the communication line 10 configuring the in-vehicle network 102, and performs transmission and reception of information according to a communication standard such as CAN. The communication unit 6 receives information transmitted from each ECU 20 ( ECU 20A, 20B, etc.) of the in-vehicle network 102 by monitoring a signal transmitted through the communication line 10, and gives the received information to the control unit 2, for example. Further, the communication unit 6 transmits the information to the ECU 20 connected to the communication line 10 by outputting the transmission information given from the control unit 2 as a signal to the communication line 10.
 なお、図示はしていないが、認証装置1には、DRAM(Dynamic Random Access Memory)やSRAM(Static Random Access Memory)等のメモリ素子で構成される送受信バッファが設けられており、各種情報を一時的に記憶し得る構成となっている。 Although not shown, the authentication device 1 is provided with a transmission / reception buffer composed of memory elements such as DRAM (Dynamic Random Access Memory) and SRAM (Static Random Access Memory), and temporarily stores various information. Can be memorized.
 また、認証装置1には、イグニッションスイッチがオンになったことを示すオン信号(以下、IGオン信号ともいう)及びイグニッションスイッチがオフになったことを示すオフ信号(以下、IGオフ信号ともいう)が入力され得る。具体的には、車載通信システム100を搭載する車両に設けられた図示しないイグニッションスイッチがオン状態となった場合に車両に搭載された外部装置(例えば電源ECU)から認証装置1に対してIGオン信号が入力され、イグニッションスイッチがオフ状態となった場合には認証装置1に対してIGオフ信号が入力される。 The authentication apparatus 1 also includes an on signal (hereinafter also referred to as an IG on signal) indicating that the ignition switch has been turned on and an off signal (hereinafter also referred to as an IG off signal) indicating that the ignition switch has been turned off. ) May be entered. Specifically, when an ignition switch (not shown) provided in the vehicle on which the in-vehicle communication system 100 is mounted is turned on, the external device (for example, the power supply ECU) mounted on the vehicle is turned on for the authentication device 1. When the signal is input and the ignition switch is turned off, an IG off signal is input to the authentication device 1.
 車載通信システム100に設けられた複数のECU20は、パワートレインECU、ステアリング系ECU,ブレーキ系ECU,通信系ECU、安全系ECU,ボディ系ECU、マルチメディア系ECUなど、公知の様々なECUとして構成され得る。各ECU20は、制御部24、記録部26、通信部22などを備えて構成されている。図1の例では、第1のECU20Aにおいて、制御部24A、記録部26A、通信部22Aが設けられており、第2のECU20Bにおいて、制御部24B、記録部26B、通信部22Bが設けられている。 The plurality of ECUs 20 provided in the in-vehicle communication system 100 are configured as various known ECUs such as a powertrain ECU, a steering system ECU, a brake system ECU, a communication system ECU, a safety system ECU, a body system ECU, and a multimedia system ECU. Can be done. Each ECU 20 includes a control unit 24, a recording unit 26, a communication unit 22, and the like. In the example of FIG. 1, a control unit 24A, a recording unit 26A, and a communication unit 22A are provided in the first ECU 20A, and a control unit 24B, a recording unit 26B, and a communication unit 22B are provided in the second ECU 20B. Yes.
 ECU20の制御部24は、CPU(Central Processing Unit)又はMPU(Micro Processing Unit)等の演算処理装置を用いて構成されている。記録部26は、例えば、EEPROM(Electrically Erasable Programmable ROM)又はフラッシュメモリ等のデータ書換可能な不揮発性のメモリ素子を用いて構成されている。また、ECU20には、不揮発性メモリ以外のROM、RAMなども設けられている。通信部22は、通信線10に接続された通信インタフェースとして構成され、例えばCANなどの通信規格による情報の送受信を行う。 The control part 24 of ECU20 is comprised using arithmetic processing units, such as CPU (Central * Processing * Unit) or MPU (Micro * Processing * Unit). The recording unit 26 is configured using, for example, an EEPROM (Electrically Erasable Programmable ROM) or a rewritable nonvolatile memory element such as a flash memory. The ECU 20 is also provided with ROM, RAM, and the like other than the nonvolatile memory. The communication unit 22 is configured as a communication interface connected to the communication line 10 and transmits and receives information according to a communication standard such as CAN.
 次に、図2等を参照し、認証装置1の制御部2で行われるID(識別情報)の割り当て処理を説明する。認証装置1の制御部2は、認証装置1へのIGオン信号の入力及び認証装置1へのIGオフ信号の入力を監視しており、例えば、認証装置1に対してIGオフ信号が入力された場合に図2の処理を開始する。 Next, ID (identification information) allocation processing performed by the control unit 2 of the authentication device 1 will be described with reference to FIG. The control unit 2 of the authentication device 1 monitors the input of the IG on signal to the authentication device 1 and the input of the IG off signal to the authentication device 1. For example, the IG off signal is input to the authentication device 1. 2 starts.
When the allocation process shown in FIG. 2 is executed, the control unit 2 first performs step S1 and generates new IDs (identification information). In step S1, a known random number generation program is used to generate a random number, and a random value is taken from a certain numerical range. The extracted value itself, or a value obtained by combining that value with a predetermined value, is used as a new ID (identification information). The control unit 2 performs this ID generation as many times as there are ECUs 20 to communicate with, and individually generates the ID (identification information) to be assigned to each ECU 20. If, during generation, the ID assigned to one ECU 20 duplicates the ID assigned to another ECU 20, the ID for one of those ECUs 20 is, for example, generated again so that the IDs assigned to the ECUs 20 do not overlap.
By the control unit 2 performing the ID (identification information) generation process in this way, the ID to be assigned to each ECU 20 is newly generated in step S1. FIG. 4 conceptually shows the old ID that had been assigned to each ECU 20 and the newly generated new ID. The example of FIG. 4 conceptually shows a state in which, before the process of FIG. 2 is executed, ID11 is assigned to the ECU 20A and ID12 is assigned to the ECU 20B, and in which, by executing step S1 of FIG. 2, ID21 is newly generated as the ID for the ECU 20A and ID22 is newly generated as the ID for the ECU 20B. IDs to be assigned to ECUs other than the ECUs 20A and 20B are generated in the same manner.
In this configuration, the control unit 2 corresponds to an example of the generation unit and is configured to generate an ID (identification information) each time the ignition switch is turned on and the vehicle operates. Specifically, the control unit 2 functions to generate an ID (identification information) when a predetermined generation time arrives (between the time the vehicle operation end condition is satisfied and the time the vehicle operation start condition is next satisfied).
After step S1 shown in FIG. 2, the control unit 2 performs step S2 and transmits the IDs (identification information) newly generated in step S1 to the respective ECUs 20. For example, the new ID21 of the ECU 20A generated in the most recent step S1 is transmitted to the ECU 20A, to which ID11 had been assigned before the process of FIG. 2 was executed. Similarly, the new ID22 of the ECU 20B generated in the most recent step S1 is transmitted to the ECU 20B, to which ID12 had been assigned before the process of FIG. 2 was executed. New IDs are transmitted to ECUs other than the ECUs 20A and 20B in the same manner.
When a new ID is transmitted to each ECU 20 in step S2, the new ID is transmitted together with, for example, a predetermined update request command requesting an ID update and the old ID. With this transmission, the old ID identifies the destination ECU 20, and when that ECU 20 receives data containing the update request command and the new ID, it can rewrite its own previously stored ID to the newly received ID.
For example, when the control unit 2 transmits, in step S2, data containing the old ID (ID11 shown in FIG. 4), the update request command, and the new ID (ID21 shown in FIG. 4) to the ECU 20A, the ECU 20A can recognize from the old ID that the data is data it should acquire, and can receive it. On receiving this data, the ECU 20A can, in accordance with the update request command, update its own ID by erasing the old ID (ID11 shown in FIG. 4) previously stored in the recording unit 26A and storing the new ID contained in the received data (ID21 shown in FIG. 4) in the recording unit 26A. Similarly, when the control unit 2 transmits, in step S2, data containing the old ID (ID12 shown in FIG. 4), the update request command, and the new ID (ID22 shown in FIG. 4) to the ECU 20B, the ECU 20B can recognize from the old ID that the data is data it should acquire, and can receive it. On receiving this data, the ECU 20B can, in accordance with the update request command, update its own ID by erasing the old ID (ID12 shown in FIG. 4) previously stored in the recording unit 26B and storing the new ID contained in the received data (ID22 shown in FIG. 4) in the recording unit 26B. In this way, the ID stored in each recording unit 26 of the ECUs 20 is updated. The method of assigning IDs to the ECUs 20 shown here is merely an example, and any method that allows the generated new IDs to be stored in the respective ECUs 20 may be used.
In this configuration, the control unit 2 corresponds to an example of the transmission unit and functions to transmit the generated ID (identification information) to the ECU 20 (electronic control device) in response to the ID (identification information) being generated in step S1. The control unit 2 functions to transmit the generated ID (identification information) to the ECU 20 (electronic control device) each time an ID (identification information) is generated in step S1. More specifically, it functions to transmit the ID (identification information) to the ECU 20 (electronic control device) after the ID (identification information) is generated in step S1 and before the vehicle operation start condition is next satisfied (specifically, before the IG-on signal is next input to the authentication device 1).
After step S2 shown in FIG. 2, the control unit 2 performs step S3, a registration process that stores the new IDs transmitted to the respective ECUs 20 in the recording unit 4. As a result of this registration process, the authentication device 1 holds, as a list, the new IDs stored in the respective ECUs 20.
In this configuration, the control unit 2 and the recording unit 4 correspond to an example of the registration unit and function to register the generated ID (identification information) in the authentication device 1 in response to the ID (identification information) being generated in step S1. The registration unit functions to register the generated ID (identification information) each time an ID (identification information) is generated in step S1. Specifically, it functions to register the ID (identification information) after the ID (identification information) is generated in step S1 and before the vehicle operation start condition is next satisfied (specifically, before the IG-on signal is next input to the authentication device 1).
Next, the authentication process performed by the control unit 2 of the authentication device 1 will be described with reference to FIG. 3 and other figures. The control unit 2 of the authentication device 1 starts the process of FIG. 3 when, for example, the IG-on signal is input to the authentication device 1, and thereafter repeats the process of FIG. 3 at predetermined short intervals.
When the process of FIG. 3 starts, the authentication device 1 starts or continues CAN communication in step S11. When performing CAN communication, the authentication device 1 and the ECUs 20 communicate with each other according to the known CAN protocol. For example, when an ECU 20 is the transmitting node, the ECU 20 transmits a data frame as shown in FIG. 5 in CAN communication. This data frame has the known frame structure used in CAN communication: the SOF (Start Of Frame) is followed by the node's own ID (the ID assigned by the process of FIG. 2 described above and recorded in the recording unit), and the ID following the SOF both identifies the transmitting node and determines the priority in communication arbitration. Since the frame structure other than the ID is known, details are omitted.
After starting or continuing CAN communication in step S11 shown in FIG. 3, the control unit 2 monitors messages transmitted over the communication line 10 (CAN communication line) while CAN communication continues, and when a message transmitted on the communication line 10 is detected, it performs the determination of step S12. In step S12, the control unit 2 compares the ID contained in the detected message with the IDs recorded in the recording unit 4 (the list of IDs (identification information) registered in the most recent step S3). If the ID of the detected message is a legitimate ID registered in the recording unit 4 (No in step S12), the authentication process of FIG. 3 ends. In this case, the detected message is a legitimate message transmitted from a legitimate ECU 20, so normal communication according to the CAN protocol is allowed to continue.
On the other hand, if the control unit 2 determines in step S12 shown in FIG. 3 that the ID of the detected message (the message transmitted on the communication line 10) is an unauthorized ID not registered in the recording unit 4 (Yes in step S12), the control unit 2 performs step S13 and discards the message. Specifically, in response to receiving this message (a message containing an unauthorized ID), the control unit 2 transmits an error frame in step S13. This notifies the ECUs 20 connected to the communication line 10 that an error has occurred and prevents them from using the message containing the unauthorized ID. The process of step S12 is the "predetermined confirmation process", a process that confirms whether reflection information reflecting the ID (identification information) registered in the recording unit 4 (registration unit), specifically the identification information itself, is stored in the ECU 20 (electronic control device). That is, if the ID of a message transmitted from an ECU 20 is a legitimate ID registered in the recording unit 4, it can be concluded that reflection information reflecting the ID registered in the recording unit 4 (specifically, the ID itself) is stored in that ECU 20, and this is what step S12 confirms.
After step S13 shown in FIG. 3, the control unit 2 performs a notification process in step S14. The notification process of step S14 may be any process that reports that an unauthorized device is connected. One example is a method in which a display device provided in the vehicle, such as a lamp or an indicator, presents a predetermined display (a predetermined mark, a predetermined message, or the like) indicating the abnormality (the abnormality that an unauthorized device is connected). The notification of the abnormality is not limited to such notification to the user, nor to visual notification. For example, it may be transmission of abnormality information to a predetermined in-vehicle device, or transmission of abnormality information to a device outside the vehicle. Alternatively, notification by sound or the like may be performed.
In this configuration, the control unit 2 corresponds to an example of the determination unit. When a predetermined vehicle operation start condition is satisfied (for example, when the IG-on signal is generated and the vehicle is started), it performs the predetermined confirmation process of confirming whether reflection information reflecting the ID (identification information) registered in the registration unit is stored in the ECU 20 (electronic control device), and functions to determine, based on the result of the confirmation process, whether the ECU 20 (electronic control device) is a legitimate device. Specifically, the control unit 2 functions to perform the confirmation process each time the vehicle operation start condition is satisfied and to determine whether the ECU 20 (electronic control device) is a legitimate device.
In this configuration, the control unit 2 corresponds to an example of the notification unit and functions to issue a notification to the outside when the determination unit determines that the ECU 20 (electronic control device) is not a legitimate device.
As described above, the authentication device 1 of this configuration has a generation unit that generates an ID (identification information) when a predetermined generation time arrives, a transmission unit that transmits the generated ID (identification information) to the ECU 20 (electronic control device) in response to the ID (identification information) being generated by the generation unit, and a registration unit that registers the generated ID (identification information) in response to the ID (identification information) being generated by the generation unit.
With this configuration, an ID (identification information) can be generated when the predetermined generation time arrives and assigned to the registration unit of the authentication device 1 and to each ECU 20 (electronic control device). Then, when the predetermined vehicle operation start condition is satisfied, the control unit 2 corresponding to the determination unit performs the predetermined confirmation process of confirming whether reflection information reflecting the ID (identification information) registered in the recording unit 4 (registration unit), specifically the identification information itself, is stored in the ECU 20, and can determine from the confirmation result whether the ECU 20 is a legitimate device. In other words, if the electronic control device under determination was connected without authorization at a later time, the reflection information reflecting the ID (identification information) registered in the recording unit 4 (registration unit) is not stored in that electronic control device. Performing the confirmation process of checking whether that reflection information is stored in the electronic control device therefore makes it possible to determine more accurately whether the electronic control device was connected without authorization.
For example, when the ID (identification information) of each ECU 20 is updated as shown in FIG. 4 and the legitimate ECUs 20 updated in this way remain connected, the ID of each message transmitted from each ECU 20 is the legitimate ID stored in that ECU 20, as shown in FIG. 6(A). Consequently, a Yes determination is not made in step S13 shown in FIG. 3 when any of the messages is transmitted, and the authentication device 1 can confirm that no unauthorized electronic control device is connected. In contrast, if, for example, the ECU 20B shown in FIG. 1 is replaced by an unauthorized ECU, the unauthorized ECU cannot know the legitimate ID, so the ID of a message transmitted from the unauthorized ECU is an unauthorized ID that is not registered in the recording unit 4, as shown in FIG. 6(B). Accordingly, when a message is transmitted from this unauthorized ECU, a Yes determination is made in step S13 shown in FIG. 3, and the authentication device 1 can identify that an unauthorized ECU is connected and can deal appropriately with the message from the unauthorized ECU.
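The allocation process of FIG. 2 (steps S1 to S3) and the check of FIG. 3 (steps S12 to S14) for the FIG. 6(B) case, as an added Python simulation that is not part of the patent text. The 11-bit ID width, the update command code, the sample IDs 0x011 and 0x012 and all class and function names are assumptions; the generator here also skips IDs currently in use, a choice made for this example so that a stale ID never remains valid after rotation.

```python
import secrets

CAN_ID_SPACE = 1 << 11   # assumed: 11-bit standard CAN identifiers
UPDATE_REQUEST = 0x01    # assumed command code; the page gives no value


class Ecu:
    """An ECU 20 whose current ID is held in its recording unit 26."""

    def __init__(self, name, stored_id):
        self.name = name
        self.stored_id = stored_id

    def on_update_frame(self, old_id, command, new_id):
        # Only the ECU addressed by the old ID rewrites its stored ID.
        if command == UPDATE_REQUEST and old_id == self.stored_id:
            self.stored_id = new_id

    def send(self, payload):
        # In a data frame, the ID that follows SOF identifies the sender.
        return (self.stored_id, payload)


class AuthenticationDevice:
    """Authentication device 1: control unit 2 plus recording unit 4."""

    def __init__(self, bus):
        self.bus = bus                                        # nodes on line 10
        self.registered = {e.stored_id: e.name for e in bus}  # recording unit 4
        self.alerts = []

    def on_ignition_off(self):
        """FIG. 2: S1 generate, S2 transmit, S3 register."""
        old = dict(self.registered)
        fresh = {}
        for old_id, name in old.items():
            # S1: draw a random ID and redraw on any collision.
            candidate = secrets.randbelow(CAN_ID_SPACE)
            while candidate in old or candidate in fresh:
                candidate = secrets.randbelow(CAN_ID_SPACE)
            fresh[candidate] = name
            # S2: old ID + update request command + new ID, seen by every node.
            for node in self.bus:
                node.on_update_frame(old_id, UPDATE_REQUEST, candidate)
        # S3: the new list replaces the old one.
        self.registered = fresh

    def on_frame(self, frame):
        """FIG. 3: S12 check, S13 discard via error frame, S14 notify."""
        frame_id, _payload = frame
        if frame_id in self.registered:
            return "accept"
        # A list entry stands in for the lamp or display of step S14.
        self.alerts.append(f"unregistered ID 0x{frame_id:03X} on the bus")
        return "error_frame"


def run_demo():
    # Constructed sample IDs standing in for ID11 and ID12 of FIG. 4.
    ecu_a, ecu_b = Ecu("ECU20A", 0x011), Ecu("ECU20B", 0x012)
    device = AuthenticationDevice([ecu_a, ecu_b])
    device.on_ignition_off()          # rotation to ID21 and ID22
    # FIG. 6(B): a unit swapped in while parked never saw the update frame,
    # so it can only present an ID that is no longer registered.
    replacement = Ecu("replacement", 0x012)
    results = {
        "legitimate": device.on_frame(ecu_a.send(b"\x00")),
        "replacement": device.on_frame(replacement.send(b"\x00")),
    }
    return device, ecu_a, ecu_b, results


if __name__ == "__main__":
    device, ecu_a, ecu_b, results = run_demo()
    print(results, device.alerts)
```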
The control unit 2 corresponding to the generation unit functions to generate an ID (identification information) each time the vehicle operates, and the control unit 2 and the communication unit 6 corresponding to the transmission unit function to transmit the generated ID (identification information) to the ECU 20 (electronic control device) each time an ID (identification information) is generated. The control unit 2 and the recording unit 4 corresponding to the registration unit function to register the generated ID (identification information) each time an ID (identification information) is generated, and the control unit 2 corresponding to the determination unit functions to perform the confirmation process each time the vehicle operation start condition is satisfied and to determine whether the electronic control device is a legitimate device. The vehicular authentication device 1 configured in this way can generate an ID (identification information) each time the vehicle operates and can assign a new ID (identification information) to the recording unit 4 and the ECU 20 (electronic control device) each time the vehicle operates. It can then perform the confirmation process for each vehicle operation and determine whether the electronic control device is a legitimate device. This reduces the risk of ID (identification information) leakage that arises from the same ID (identification information) being used for a long period, and enables a more reliable determination.
The control unit 2 corresponding to the generation unit functions, each time a predetermined vehicle operation end condition is satisfied, to generate an ID (identification information) between the time the vehicle operation end condition is satisfied and the time the vehicle operation start condition is next satisfied. The control unit 2 and the communication unit 6 corresponding to the transmission unit function to transmit the ID (identification information) to the ECU 20 (electronic control device) after the ID (identification information) is generated and before the vehicle operation start condition is next satisfied, and the control unit 2 and the recording unit 4 corresponding to the registration unit function to register the ID (identification information) after the ID (identification information) is generated and before the vehicle operation start condition is next satisfied. If the ID (identification information) is generated between the time the vehicle operation end condition is satisfied and the time the vehicle operation start condition is next satisfied, and, in response to this generation, the ID (identification information) is registered and assigned to the ECU 20 (electronic control device) before the vehicle operation start condition is next satisfied, these processes can be performed at a time when their effect on vehicle operation is relatively small. Moreover, if an unauthorized device were to be newly connected to the vehicle, this would most likely happen in the period between the end of vehicle operation and the next start of vehicle operation, for example while the vehicle is parked with the owner absent. Therefore, if a new ID (identification information) is generated and assigned after the vehicle operation end condition is satisfied, then even if an unauthorized device is connected before the vehicle operation start condition is next satisfied, the connection of an unauthorized device can be identified more reliably on the basis of the newly assigned ID (identification information).
The vehicular authentication device 1 of this configuration has a notification unit that issues a notification to the outside when the control unit 2 corresponding to the determination unit determines that the electronic control device is not a legitimate device. The vehicular authentication device 1 configured in this way can make it known to the outside when an unauthorized electronic control device is connected.
In this configuration, the control unit 2 corresponding to the generation unit generates, in step S1 of FIG. 2, the IDs (identification information) to be given to the respective ECUs 20 (electronic control devices), and the control unit 2 and the communication unit 6 corresponding to the transmission unit can transmit each generated ID (identification information) to the corresponding ECU 20 (electronic control device) in step S2 of FIG. 2. The control unit 2 and the recording unit 4 corresponding to the registration unit can register each generated ID (identification information) in step S3 of FIG. 2. The control unit 2 corresponding to the determination unit functions, in step S12 of FIG. 3, to perform the confirmation process by comparing each ID (identification information) registered in the recording unit 4 (registration unit) with the information stored in the plurality of ECUs 20 (electronic control devices), specifically by comparing the ID contained in a message from each ECU 20 with the list in the recording unit 4, and to determine whether an unauthorized device is included among the plurality of electronic control devices. By individually assigning an ID (identification information) to each of the plurality of ECUs 20 (electronic control devices) in this way, it becomes possible to specifically identify the device when any of the ECUs 20 (electronic control devices) is replaced by an unauthorized device.
<Other embodiments>
The present invention is not limited to the embodiment described above with reference to the description and drawings. For example, the following embodiments are also included in the technical scope of the present invention.
In Embodiment 1, an example was shown in which the in-vehicle network 102 is made up of the authentication device 1 and a plurality of ECUs 20, but the invention is not limited to this example. In any example in this specification, devices other than the authentication device 1 and the ECUs 20 may be connected to the in-vehicle network 102.
In Embodiment 1, as an example of generating identification information for each vehicle operation, the identification information (ID) is generated after the IG-off signal is input, each time the signal input to the control unit 2 switches from the IG-on signal to the IG-off signal, but the invention is not limited to this example. In any example in this specification, it is sufficient that the identification information can be generated and updated between the generation of one IG-on signal and the generation of the next IG-on signal. For example, the time at which the IG-on signal is input to the control unit 2 (that is, when the vehicle is started) may be treated as "when the predetermined generation time arrives", and each time the IG-on signal is input to the control unit 2, identification information (ID) may be generated, registered in the authentication device 1, and assigned to each ECU 20. In this case, the registration of the identification information (ID) in the authentication device 1 and its transmission to each ECU 20 may be performed while the vehicle is operating (while the ignition switch is on), or promptly after vehicle operation ends (after the ignition switch is turned off).
In Embodiment 1, an example was shown in which identification information (ID) is generated, registered in the authentication device 1, and assigned to each ECU 20 every time the vehicle operates once (every time the ignition switch is turned on once), but the invention is not limited to this example. In any example in this specification, identification information (ID) may instead be generated at a predetermined timing every time the vehicle operates a predetermined plurality of times (every time the ignition switch is turned on a predetermined plurality of times), registered in the authentication device 1, and assigned to each ECU 20.
In Embodiment 1, an example was shown in which the identification information to be assigned to each of the plurality of ECUs 20 is generated individually, but the invention is not limited to this example. In any example in this specification, common identification information may be generated in the process of S1 shown in FIG. 2 as information separate from the ID assigned to each ECU 20, and this identification information may be stored in all ECUs 20 connected to the authentication device 1. The authentication device 1 may then treat only messages from ECUs 20 that hold the identification information as valid and, when a message arrives from an ECU that does not hold the identification information, discard that message or perform the same notification process as in Embodiment 1.
 In the first embodiment, the identification information itself is given as an example of "reflection information reflecting the identification information". However, the reflection information may be any information obtained on the basis of the identification information; specifically, it may be information obtained by applying predetermined processing to the identification information. For example, it may be a part of the identification information, or information obtained by encrypting the identification information. When a part of the identification information is assigned to the ECU 20 as the reflection information, step S12 may, for example, determine whether that part of the identification information recorded in the recording unit 4 is included in the message from the ECU 20. Alternatively, in step S2, encrypted information obtained by encrypting the identification information on the basis of predetermined key information may be transmitted to the ECU 20 as the reflection information and assigned to the ECU 20. In this case, key information for decrypting the encrypted information is recorded in the recording unit 4 at a timing such as step S2 or step S3, and in step S12 the encrypted information included in the message from the ECU 20 is decrypted with the key information and checked for a match against the identification information recorded in the recording unit 4.
 In the first embodiment, the confirmation process is exemplified by a process of determining whether the ID of a message transmitted from the ECU 20 is a legitimate ID registered in the recording unit 4. However, any method may be used as long as it can confirm whether reflection information reflecting the identification information registered in the registration unit is stored in the electronic control device. For example, the authentication device 1 may request from the ECU 20 the information newly registered at the end of the previous vehicle operation, and make the determination by collating the information returned from the ECU 20 with the identification information registered in the registration unit.
 In the first embodiment, "an IG-on signal has been input to the authentication device 1" is given as an example of the predetermined vehicle operation start condition. However, any condition from which the start of vehicle operation can be identified or inferred may be used. For example, the condition may be "the accessory switch is turned on", "a predetermined device such as the starter or the engine starts operating", "battery power is applied to a predetermined circuit", or that an external signal such as a keyless signal has been detected by the vehicle. The predetermined vehicle operation end condition is likewise not limited to "an IG-off signal has been input to the authentication device 1"; any condition from which the end of vehicle operation can be identified or inferred may be used. For example, it may be "a predetermined device such as the starter or the engine has stopped operating", "battery power is no longer supplied to a predetermined circuit", or "the keyless signal is no longer detected by the vehicle".
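The cycle described in these variations (generate and register a fresh ID per ECU at IG-off, then confirm at the next IG-on that each ECU still holds it) can be sketched as below. This is an added illustration, not code from the patent; the class names, the 16-byte ID length, and the use of Python's `secrets` and `hmac.compare_digest` are assumptions.

```python
import hmac
import secrets


class Ecu:
    """Constructed stand-in for an ECU 20: keeps the last ID assigned to it."""
    def __init__(self):
        self.stored_id = None

    def assign(self, new_id):
        self.stored_id = new_id


class Authenticator:
    """Stand-in for authentication device 1 (control unit 2, recording unit 4)."""
    def __init__(self, ecus):
        self.ecus = dict(ecus)    # slot name -> ECU currently attached
        self.registered = {}      # recording unit 4: slot name -> current ID

    def on_ig_off(self):
        """Generation time: make a fresh ID per ECU, register it, send it."""
        for slot, ecu in self.ecus.items():
            new_id = secrets.token_bytes(16)  # length is an assumption
            self.registered[slot] = new_id
            ecu.assign(new_id)

    def on_ig_on(self):
        """Confirmation process: return slots whose ECU lacks the current ID."""
        suspects = []
        for slot, ecu in self.ecus.items():
            expected = self.registered.get(slot)
            reported = ecu.stored_id      # value the ECU returns when asked
            if (expected is None or reported is None
                    or not hmac.compare_digest(expected, reported)):
                suspects.append(slot)     # would trigger the notification unit
        return suspects


def demo():
    """Two ignition cycles; returns the suspect lists from each IG-on check."""
    engine, body = Ecu(), Ecu()
    auth = Authenticator({"engine": engine, "body": body, "door": Ecu()})
    auth.on_ig_off()
    first = auth.on_ig_on()               # all ECUs hold the registered IDs
    previous_id = engine.stored_id
    auth.on_ig_off()                      # IDs rotate at the end of the cycle
    auth.ecus["body"] = Ecu()             # unit that never received an ID
    stale = Ecu()
    stale.assign(previous_id)             # unit holding last cycle's ID only
    auth.ecus["engine"] = stale
    second = auth.on_ig_on()
    return first, second
```

Because the registered ID changes every cycle, a unit that holds only the previous cycle's value is flagged in the same way as one that holds none, while the untouched "door" ECU passes.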
DESCRIPTION OF SYMBOLS
 1 ... Vehicle authentication device
 2 ... Control unit (generation unit, transmission unit, registration unit, determination unit, notification unit)
 4 ... Recording unit (registration unit)
 6 ... Communication unit (transmission unit)
 20 ... ECU (electronic control device)

Claims (6)

  1.  A vehicular authentication device comprising:
     a generation unit that generates identification information when a predetermined generation time arrives;
     a transmission unit that, in response to the identification information being generated by the generation unit, transmits the generated identification information to an electronic control device;
     a registration unit that, in response to the identification information being generated by the generation unit, registers the generated identification information; and
     a determination unit that, when a predetermined vehicle operation start condition is satisfied, performs a predetermined confirmation process to confirm whether reflection information reflecting the identification information registered in the registration unit is stored in the electronic control device, and determines, based on a result of the confirmation process, whether the electronic control device is a legitimate device.
  2.  The vehicular authentication device according to claim 1, wherein
     the generation unit generates the identification information each time the vehicle operates,
     the transmission unit transmits the generated identification information to the electronic control device each time the identification information is generated by the generation unit,
     the registration unit registers the generated identification information each time the identification information is generated by the generation unit, and
     the determination unit performs the confirmation process each time the vehicle operation start condition is satisfied, and determines whether the electronic control device is a legitimate device.
  3.  The vehicular authentication device according to claim 1 or claim 2, wherein
     the generation unit generates the identification information, each time a predetermined vehicle operation end condition is satisfied, during the period from when the vehicle operation end condition is satisfied until the vehicle operation start condition is next satisfied,
     the transmission unit transmits the identification information to the electronic control device after the identification information is generated by the generation unit and before the vehicle operation start condition is next satisfied, and
     the registration unit registers the identification information after the identification information is generated by the generation unit and before the vehicle operation start condition is next satisfied.
  4.  The vehicular authentication device according to any one of claims 1 to 3, further comprising a notification unit that performs notification to the outside when the determination unit determines that the electronic control device is not a legitimate device.
  5.  The vehicular authentication device according to any one of claims 1 to 4, wherein
     the generation unit generates respective identification information to be given to each of a plurality of the electronic control devices,
     the transmission unit transmits each item of identification information generated by the generation unit to the respective electronic control device,
     the registration unit registers each item of identification information generated by the generation unit, and
     the determination unit performs the confirmation process of collating each item of identification information registered in the registration unit with information stored in the plurality of electronic control devices, and determines whether an unauthorized device is included among the plurality of electronic control devices.
  6.  The vehicular authentication device according to any one of claims 1 to 5, wherein the reflection information reflecting the identification information registered in the registration unit is the identification information.
PCT/JP2017/028567 2016-08-25 2017-08-07 Authentication device for vehicles WO2018037894A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2016-164288 2016-08-25
JP2016164288A JP2018030464A (en) 2016-08-25 2016-08-25 Authentication device for vehicle

Publications (1)

Publication Number Publication Date
WO2018037894A1 true WO2018037894A1 (en) 2018-03-01

Family

ID=61246483

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2017/028567 WO2018037894A1 (en) 2016-08-25 2017-08-07 Authentication device for vehicles

Country Status (2)

Country Link
JP (1) JP2018030464A (en)
WO (1) WO2018037894A1 (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2021166321A1 (en) * 2020-02-18 2021-08-26 住友電気工業株式会社 Security system, vehicle, security device, and validity determination method

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2003212093A (en) * 2002-01-21 2003-07-30 Denso Corp Vehicle theft preventive device and program
JP2005203882A (en) * 2004-01-13 2005-07-28 Denso Corp Communication system and key transmitting method
JP2012222527A (en) * 2011-04-06 2012-11-12 Toyota Motor Corp In-vehicle network, management node, and number assignment method
WO2015170452A1 (en) * 2014-05-08 2015-11-12 パナソニック インテレクチュアル プロパティ コーポレーション オブ アメリカ In-car network system, electronic control unit and update processing method

Also Published As

Publication number Publication date
JP2018030464A (en) 2018-03-01

Similar Documents

Publication Publication Date Title
JP7170780B2 (en) Fraud detection rule update method, fraud detection electronic control unit, and in-vehicle network system
US7602915B2 (en) Communication system having plurality of nodes sharing a common cipher key, cipher key dispatching apparatus for use in the system, and anti-theft apparatus utilizing information derived from cipher key utilization
US9648023B2 (en) Vehicle module update, protection and diagnostics
JP6782446B2 (en) Monitoring equipment, communication systems, vehicles, monitoring methods, and computer programs
JP5729337B2 (en) VEHICLE AUTHENTICATION DEVICE AND VEHICLE AUTHENTICATION SYSTEM
US10135866B2 (en) Method of preventing drive-by hacking, and apparatus and system therefor
JP6327344B2 (en) Network system, communication control method, and storage medium
JP6192673B2 (en) Key management system, key management method, and computer program
WO2019012888A1 (en) Vehicle-mounted device, management method, and management program
JP7412506B2 (en) Fraud detection rule update method, fraud detection electronic control unit and in-vehicle network system
JP7006335B2 (en) In-vehicle communication system, in-vehicle communication method, and program
JP2005203882A (en) Communication system and key transmitting method
CN112153646A (en) Authentication method, equipment and system
JP6981755B2 (en) In-vehicle network system
JP2005001534A (en) Anti-theft system
WO2018037894A1 (en) Authentication device for vehicles
JP6769270B2 (en) In-vehicle electronic control device, in-vehicle electronic control system, relay device
WO2017122402A1 (en) Data communication system for vehicle
JP7013921B2 (en) Verification terminal
JP2015227157A (en) Data gateway, and method for interfering with vehicular operation thereof
JP2013112120A (en) In-vehicle communication system
WO2018100789A1 (en) Distribution system, key generation device, in-vehicle computer, data security device, distribution method and computer program
JP7281714B2 (en) Information processing device, information processing system and program
JP2013110458A (en) Gateway device
JP2020137009A (en) Network system

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 17843379

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 17843379

Country of ref document: EP

Kind code of ref document: A1