EP3238182A1 - On-board device for a vehicle - Google Patents

On-board device for a vehicle

Info

Publication number
EP3238182A1
EP3238182A1 EP17709787.0A EP17709787A EP3238182A1 EP 3238182 A1 EP3238182 A1 EP 3238182A1 EP 17709787 A EP17709787 A EP 17709787A EP 3238182 A1 EP3238182 A1 EP 3238182A1
Authority
EP
European Patent Office
Prior art keywords
data
memory
encrypted
short
processing unit
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
EP17709787.0A
Other languages
German (de)
French (fr)
Other versions
EP3238182B1 (en
Inventor
Leonardo GARGIANI
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Autostrade Tech SpA
Original Assignee
Autostrade Tech SpA
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Autostrade Tech SpA filed Critical Autostrade Tech SpA
Priority to PL17709787T priority Critical patent/PL3238182T3/en
Publication of EP3238182A1 publication Critical patent/EP3238182A1/en
Application granted granted Critical
Publication of EP3238182B1 publication Critical patent/EP3238182B1/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • GPHYSICS
    • G07CHECKING-DEVICES
    • G07BTICKET-ISSUING APPARATUS; FARE-REGISTERING APPARATUS; FRANKING APPARATUS
    • G07B15/00Arrangements or apparatus for collecting fares, tolls or entrance fees at one or more control points
    • G07B15/02Arrangements or apparatus for collecting fares, tolls or entrance fees at one or more control points taking into account a variable factor such as distance or time, e.g. for passenger transport, parking systems or car rental systems
    • G07B15/04Arrangements or apparatus for collecting fares, tolls or entrance fees at one or more control points taking into account a variable factor such as distance or time, e.g. for passenger transport, parking systems or car rental systems comprising devices to free a barrier, turnstile, or the like
    • GPHYSICS
    • G07CHECKING-DEVICES
    • G07BTICKET-ISSUING APPARATUS; FARE-REGISTERING APPARATUS; FRANKING APPARATUS
    • G07B15/00Arrangements or apparatus for collecting fares, tolls or entrance fees at one or more control points
    • G07B15/06Arrangements for road pricing or congestion charging of vehicles or vehicle users, e.g. automatic toll systems
    • G07B15/063Arrangements for road pricing or congestion charging of vehicles or vehicle users, e.g. automatic toll systems using wireless information transmission between the vehicle and a fixed station

Definitions

  • the present invention relates in general to the field of telematic traffic services.
  • the present invention relates to an on- board device for a vehicle, suitable for use in a system which supports a telematic traffic service.
  • Systems which support traffic telematic services comprise both services for the user (such as payment of tolls for access to road/motorway stretches, payment of car park fees, etc.) and administrator services (such as control of access to restricted-traffic urban zones, monitoring of traffic along a road/motorway stretch, etc.).
  • These systems generally comprise an on-board device (also known as “OBU”, i.e. “On Board Unit”) suitable for installation onboard a vehicle, and a plurality of road-side devices (also known as “RSU”, i.e. “Road Side Units”) suitable for installation on the road side, on gateways or at access points, or at toll stations.
  • OBU On Board Unit
  • RSU Road Side Units
  • both the on-board device and the road-side devices are provided with respective radiofrequency communication stages (typically, DSRC, i.e. "Dedicated Short Range Communication” stages) which allow the on-board device to exchange information with the road-side devices.
  • radiofrequency communication stages typically use radiofrequency carriers, for example within the frequency range 5-6 GHz.
  • Each on-board device typically has an associated unique identification code OBU-ID, with which it is configured via software during manufacture. Moreover, when an on-board device is assigned to a user, it may be configured with information about the user (for example, personal details) and information about the vehicle (number plate, etc.). The configuration of an on-board device generally involves also the loading of the software applications which provide the telematic traffic services supported by the device.
  • an on-board device After an on-board device has been configured and installed on- board, it may be necessary to modify its configuration, for example in order to update or activate the software applications already present, or load new applications, or remove or disable those applications which are no longer of interest for the user. This is for example the case where a user wishes to activate temporarily a toll payment service in a foreign country. In this case, the configuration of the user's on-board device must be modified by loading and activating temporarily a software application able to support this service.
  • an on-board device after an on-board device has been configured and installed on-board, it may be necessary to carry out checks on operation thereof and diagnostic tests, such as a check of the charge level of its battery. It might also be necessary to check the configuration information (relating to the user and/or to the vehicle) stored by the on-board device.
  • All the aforementioned operations require access to the on-board device in order to perform writing or reading of its memory and are generally carried out by means of equipment provided with radiofrequency communication stages able to communicate with the communication stage present in the on-board device.
  • This equipment is generally present at the operating centres managed by the company which provides the telematic traffic service or by the company which manages the road or the motorway along which the telematic traffic service is provided. If a user therefore wishes to modify the configuration of his/her on-board device or check operation thereof, generally he/she must go to one of these operating centres.
  • US 2014/0316685 describes an onboard device for a system supporting traffic telematic services, which comprises a near-range communication module for communication with a first external communication device (for example, the mobile phone of the user), a far-range communication module (for example, DSRC) for communication with second external devices (for example, the roadside devices of the system) and a non-volatile memory which is accessible by both the communication modules.
  • the near-range communication module may be for example a passive NFC tag. This is supplied by the user's mobile phone during communication and in this way may access the non-volatile memory, and in so doing can supply power to it, even when the rest of the on-board device is not in an operative condition.
  • the contents of the non-volatile memory may therefore be read and/or written by means of the connection between the user's mobile phone and the near-range communication module, irrespective as to whether the rest of the on-board device is in operating mode or not. It is thus possible to modify the configuration of the on-board device, for example writing configuration data in the non-volatile memory, via the user's mobile phone. Similarly it is possible to read the contents of the non-volatile memory via the user's mobile phone.
  • the Applicant has noticed that the near-range communication module included in this device, since it has direct access to the non-volatile memory of the device both during reading and during writing, disadvantageously reduces the security of the onboard device.
  • the short-range and near-field technologies (such as NFC technology) generally have mechanisms for authentication and protection of the connection which are not particularly secure, the security of the connection being mainly based on the fact of having a coverage range of only a few centimetres.
  • a third party should come into possession of the on-board device of a user, he/she could access the on-board device using his/her own mobile phone (or another device equipped with NFC reader), and thus modify the configuration thereof, or read information stored there and use it to clone the on-board device (i.e. copy it onto another on-board device).
  • the direct access to the non-volatile memory by the near-range communication module disadvantageously could result in inefficient use of the computational and storage resources of the onboard device.
  • the user could in fact decide, for example, to write configuration data in the memory (or, similarly, read configuration data from the memory) not knowing that, precisely in that moment, the on-board device is engaged in another priority activity, for example an exchange of data with one of the road-side devices.
  • the configuration data writing operation started by the user, while being lower priority could disadvantageously deprive the higher priority activity of computational resources, with the risk of slowing down or even stopping execution thereof.
  • the object of the present invention is to provide an on-board device for a motor vehicle, which is suitable for use in a system supporting a telematic traffic service and which solves the aforementioned problems.
  • the object of the present invention is to provide an on-board device for a motor vehicle, which is suitable for use in a system supporting a telematic traffic service, which is more secure and which uses more efficiently its associated computational and storage resources.
  • an on-board device for a vehicle which comprises a radiofrequency communication stage for communication with the road-side devices, a short-range communication stage for communication with an electronic device (for example a mobile phone) situated in the vicinity thereof, two memories and a data processing unit cooperating with both the communication stages.
  • a first memory acts as a central operating memory accessible by the data processing unit alone and stores at least one first encryption key.
  • a second memory is directly accessible instead by the short- range communication stage, is electrically connected thereto or integrated therein and stores first data relating to the on-board device.
  • the short-range communication stage is configured to transmit to the electronic device this first data, also in power down mode or in the event of malfunctioning of the radiofrequency communication stage.
  • the short-range communication stage is moreover configured to receive encrypted second data from the electronic device and store it temporarily in the second memory.
  • the data processing unit is configured to decrypt, upon reception of a wake-up signal, this encrypted second data using the encryption key stored in the first central operating memory and to store the second data in the first central operating memory.
  • the on-board device is advantageously secure since, at the moment of reception of data from the electronic device via the short- range communication stage, the data to be decrypted and the encryption key which is needed to decrypt it are stored in two physically separate memories, one of which (namely that which stores the key) is accessible only by the data processing unit, i.e. cannot be directly accessed by the short-range communication stage.
  • the short-range communication stage allows an unprotected connection to be established between electronic device and on-board device
  • the onboard device is advantageously more secure.
  • the on-board device allows moreover more efficient use of its computational and storage resources, since the transfer of the data into the first central operating memory and the subsequent processing thereof are triggered upon reception of the wake-up signal in the data processing unit.
  • the present invention provides an on- board device for a vehicle, the on-board device being suitable for use in a system which provides a telematic traffic service, the on-board device comprising:
  • a radiofrequency communication stage configured to communicate with a road-side device of said system
  • a short-range communication stage configured to communicate with an electronic device located in the vicinity thereof;
  • a second memory electrically connected to or integrated in the short-range communication stage and directly accessible by the short-range communication stage, wherein the second memory stores first data relating to the on-board device, wherein the short-range communication stage is configured to transmit to the electronic device the first data, also in power down mode or in the event of malfunctioning of the radiofrequency communication stage and is moreover configured to receive from the electronic device encrypted second data and store it temporarily in the second memory, and
  • the data processing unit is configured, upon reception of a wake-up signal, to decrypt the encrypted second data using the at least one encryption key stored in the first central operating memory and to store the second data in the first central operating memory.
  • the first central operating memory is implemented inside in the data processing unit.
  • the first central operating memory is implemented outside the data processing unit, and the first central operating memory stores a hardware identifier UID 2 o of the data processing unit in a non-modifiable and non-erasable manner.
  • the device also comprises a hardware encryption interface between the first central operating memory and the data processing unit.
  • the short-range communication stage is configured to send said wake-up signal to the data processing unit.
  • the device also comprises a button manually accessible from the outside of the device, the button being configured so that, when pressed, said wake-up signal is sent to the data processing unit.
  • the first data is stored in the second memory, encrypted with a private key of an asymmetric encryption mechanism, and the short-range communication stage is configured to transmit the first data to the electronic device, encrypted with said private key.
  • the first data made available for reading and encrypted with private key in the second memory preferably comprises tag data of the on-board device, including in particular its unique identification code OBU-ID.
  • the short-range communication stage is configured to receive said first data from a central server via the electronic device and the short-range communication stage in a form encrypted with said private key, and to store directly in a permanent manner the encrypted first data in the second memory, without requesting any action of the data processing unit.
  • the short-range communication stage is configured to receive the first data from a central server via the electronic device and the short-range communication stage in a form not yet encrypted with said private key
  • the first central operating memory also stores said private key
  • the data processing unit is configured to encrypt said first data with said encrypted key and to store permanently the encrypted first data in the second memory.
  • the second memory also stores its hardware identifier UID-I 60, the hardware identifier UIDi 6 o being stored both unencrypted and encrypted with the private key together with the first data, and the short-range communication stage is configured to transmit to the electronic device the hardware identifier UIDi 6 o unencrypted and the hardware identifier UID 6 o also encrypted with the private key together with the first data, for further authentication of the first data by the electronic device.
  • the second data is received by the short-range communication stage in a form encrypted with a symmetric key identical to the encryption key stored in the first central operating memory.
  • the data processing unit is configured, upon reception of said wake-up signal, to transfer firstly the encrypted second data from the second memory to the first central operating memory and then decrypt it using the encryption key stored in the first central operating memory.
  • the data processing unit is configured, upon reception of said wake-up signal, to decrypt firstly the encrypted second data using the encryption key stored in the first central operating memory and then transfer the decrypted second data into the first central operating memory.
  • the encrypted second data is received in separate encrypted blocks and the data processing unit is configured to start decryption of the encrypted second data only after receiving, in the second memory, all the separate encrypted blocks.
  • the data processing unit is configured to read third data stored in the first central operating memory, to encrypt the third data using said encryption key stored in the first central operating memory and to forward the encrypted third data to the short-range communication stage, the short-range communication stage being configured to transmit the encrypted third data to a central server via the electronic device.
  • the second memory stores, together with said first data, also a unique identification code OBU-ID of the on-board device, the unique identification code OBU-ID of the device being stored both unencrypted and encrypted with the symmetric key, the short-range communication stage being configured to transmit to the central server via the electronic device also said unique identification code OBU-ID both unencrypted and encrypted with the symmetric key, so as to allow the central server to perform authentication of the device and decrypting of said third data.
  • the present invention provides a system for providing a telematic traffic service, the system comprising a plurality of road-side devices, an electronic device and an on-board device for a vehicle, the on-board device being configured to communicate both with the plurality of road-side devices and with the electronic device, the on-board device being as described above.
  • FIG. 1 shows in schematic form a system for providing a telematic traffic service, comprising an on-board device according to an embodiment of the present invention
  • FIG. 2 shows in schematic form a system for providing a telematic traffic service, comprising an on-board device according to another embodiment of the present invention.
  • FIG 1 shows in schematic form a system for providing a telematic traffic service, comprising an on-board device according to embodiments of the present invention.
  • This telematic traffic service may be a service for the users (such as payment of tolls for access to road/motorway stretches, payment of car park fees, etc.) or a service for the administrator (such as control of access to restricted-traffic urban zones, monitoring of traffic along a road/motorway stretch, etc.).
  • the system comprises an on-board device 100, electronic device 210, a plurality of road-side devices (for the sake of simplicity not shown in Figure 1 ), a communications network 600 and central server 700 which communicates with the electronic device 210 via the communications network 600.
  • the on-board device 100 is preferably suitable for installation onboard a vehicle (for the sake of simplicity not shown in Figure 1 ), for example a motor vehicle.
  • the road-side devices are instead configured to be installed in a fixed position, for example along a road side, on an overpass or on an access gateway (for example to a car park, an urban zone, a road or motorway section, etc.).
  • the on-board device 100 is configured to communicate via radio both with the road-side devices and with the electronic device 210.
  • the on-board device 100 preferably comprises a battery 1 10, a data processing unit 120, a first memory 130, a radiofrequency communication stage 140, a short- range communication stage 150 and a second memory 160.
  • the onboard device 100 may comprise other components (for example GNSS components for satellite positioning) which will not be described in greater detail hereinbelow since they are not useful for the purposes of the present description.
  • the battery 1 10 is preferably electrically connected directly or indirectly to each of the other components of the on-board device 100 (in particular to the data processing unit 120, to the first memory 130, to the radiofrequency stage 140 and to the short-range communication stage 150), so as to power them if and when necessary.
  • the first memory 130 is preferably electrically connected to the data processing unit 120.
  • the first memory 130 may be implemented on the outside or on the inside of the data processing unit 120. In any case, the first memory 130 is accessible by the data processing unit 120 alone (in particular it is not directly accessible by the short-range communication stage 150).
  • the first memory 130 preferably stores a hardware identifier UID 2 o of the data processing unit 120 (preferably, its silicon number) in a non-modifiable and nonerasable manner.
  • This hardware identifier UID 2 o is used by the processing unit 120 to check the authenticity of the data read from the first memory 130. This advantageously makes it possible to prevent the contents of the central operating memory of one onboard device from being cloned and transferred onto another on- board device.
  • the first memory 130 is implemented outside the data processing unit 120, an interface (not shown in the drawings) is provided between the unit 120 and the memory 130, said interface being configured to perform hardware encryption of the data which the unit 120 writes into the memory 130 and hardware decryption of the data which the unit 120 reads from the memory 130.
  • the data stored in the memory 130 is thus advantageously protected at the hardware level.
  • the first memory 130 is therefore a non-volatile memory which acts as a secure central operating memory of the on-board device 100.
  • the first memory 130 stores the unique identification code OBU-ID of the on-board device 100 and, optionally, information about the user who is owner of the vehicle and about the vehicle itself (for example number plate and/or toll class of vehicle).
  • the first memory 130 also preferably stores the software applications which provide the telematic traffic services for the user and/or for the administrator supported by the on-board device 100 and the data generated by communication of the on-board device 100 with the road-side devices of the system via the radiofrequency communication stage 140 (for example, data relating to the position of the vehicle or transit thereof through an access way).
  • the radiofrequency communication stage 140 is preferably configured to establish radio links with the road-side devices.
  • the radiofrequency stage 140 may be implemented using DSRC (Dedicated Short Range Communications) technology which, as is known, comprises radio channels and authentication, encoding and decoding procedures which have been specifically developed for telematic traffic services and uses frequency bands in the range of 5.7 - 5.9 GHz.
  • DSRC Dedicated Short Range Communications
  • the short-range communication stage 150 is preferably configured to support short-range radio links (maximum 10 cm) with the electronic device 210.
  • the electronic device 210 may belong to the same user who has been assigned the on-board device 100 or may belong to third parties (for example, the administrator of the road or motorway infrastructure along which the telematic traffic service supported by the on-board device 100 is provided, the telematic traffic service administrator, or the body or authority responsible for monitoring traffic offences).
  • the electronic device 210 is also preferably provided with cabled or wireless connectivity (for example WiFi or cellular network) to the communications network 600.
  • the electronic device 210 may be a smartphone, a tablet or a generic commercial or specially designed reader.
  • the electronic device 210 is also provided with a user interface 200 comprising input and/or output elements comprising for example pushbuttons, cursors, touchscreen, etc.
  • the electronic device 210 also comprises a short-range communication stage compatible with the short-range communication stage 150 of the on-board device 100.
  • the short-range communication stage 150 (and therefore also the corresponding short-range communication stage of the electronic device 210) is implemented using near-field technology, such as RFID (Radio-Frequency IDentification) technology with short range (i.e. radius less than 10 cm).
  • RFID Radio-Frequency IDentification
  • NFC Near Field Communication
  • the short-range communication stage included in the electronic device 210 is configured as initiator, while the short-range communication stage 150 is configured as target.
  • the short-range communication stage 150 is configured to receive from the short-range communication stage included in the electronic device 210 a radio carrier, from which it extracts its own power supply.
  • the configuration of the short-range communication stage 150 as reader is advantageous, since it allows the electronic complexity and software of the on-board unit to be reduced. It also allows the short- range communication stage 150 to operate (and therefore communicate with the corresponding short-range communication stage included in the electronic device 210) also when the battery 1 10 of the on-board device 100 is completely discharged, or when the remainder of the on-board device (in particular the data processing unit 120, the first memory 130 and the radiofrequency stage 140) is damaged or in any case not functioning.
  • the second memory 160 may be electrically connected to the short-range communication stage 150.
  • the second memory 160 may be integrated in the short-range communication stage 150.
  • the second memory 160 is directly accessible by the short-range communication stage 150 which may carry out on it both write operations and read operations also without involving the processing unit 120, as will be described in greater detail hereinbelow.
  • the second memory 160 is preferably a nonvolatile memory able to retain the data even when not electrically powered.
  • the second memory 16 may be a memory of the E 2 PROM type.
  • the second memory 160 preferably permanently stores a set of basic data relating to the on-board device 100, comprising a unique identification code OBU-ID of the on-board device 100 and, optionally, information about the user and/or the vehicle.
  • the second memory 160 moreover is suitable for storing in a temporary or transient manner data sent by the central server 700 and destined for the data processing unit 120 and/or for the first memory 130, as will be described in greater detail hereinbelow.
  • the communications protocol via which the short-range communication stage 150 and the corresponding short-range stage included in the electronic device 210 operate thus establishes automatically a radio link.
  • the radio link thus established is preferably a two-way point-to-point link which allows a two-way exchange of data between on-board device 100 and electronic device 210.
  • the short-range communication stage 150 may transmit to the electronic device 210 data read from the second memory 160 or other components of the on-board device 100, thus allowing the reading of this data from the on-board device 100 via the electronic device 210.
  • the data read may be displayed in the form of texts or graphics on the user interface 200 of the electronic device 210.
  • the data read may be transmitted from the electronic device 210 to the central server 700 via the communications network 600.
  • read operations may allow the user of the electronic device 210 (who may be the user who has been assigned the on-board device 1 10 or the personnel of the provider of the telematic traffic service supported by the on-board device 100) to carry out for example diagnostic checks or operational tests of the on-board device 100 (for example, checking of the charged level of its battery 1 10) or checking of the configuration information about the user and/or the motor vehicle stored by the on-board device 100.
  • diagnostic checks or operational tests of the on-board device 100 for example, checking of the charged level of its battery 1 10) or checking of the configuration information about the user and/or the motor vehicle stored by the on-board device 100.
  • the short- range communication stage 150 advantageously may read it even if the battery 1 10 is completely discharged, or when the data processing unit 120 and/or the first memory 130 are not functioning.
  • the basic data stored in the second memory 160 can therefore be advantageously read by means of the electronic device 210, irrespective as to whether the on-board device 100 is functioning or not.
  • the second memory 160 therefore advantageously performs substantially an electronic tag function.
  • the short-range communication stage 150 may read it only if the battery 1 10 is charged and the on-board device 100 (at least the data processing unit 120 and the first memory 130) is functioning correctly.
  • the electronic device 210 preferably sends a command signal to the short-range communication stage 150.
  • the short-range communication stage 150 retrieves the required data from the second memory 160 and sends it to the electronic device 210, without requesting any action by the data processing unit 120.
  • the short-range communication stage 150 forwards the command signal to the data processing unit 120 which retrieves the data required (for example from the first memory 130) and sends it to the short-range communication stage 150 which in turn forwards it the electronic device 210.
  • this command signal is preceded by a wake- up signal which activates the data processing unit 120.
  • the short-range communication stage 150 may receive from the electronic device 210 data to be supplied to the other components of the on-board device 100 (in particular to the data processing unit 120 and/or to the first memory 130 and/or to the second memory 160), thus allowing writing of this data onto the on-board device 100 via the electronic device 210.
  • These write operations may for example allow the user of the electronic device 210 (who may be the user who has been assigned the on-board device 100 or the personnel of the provider of the telematic traffic service supported by the on-board device 100) to modify the configuration of the on-board device 100, for example updating or activating the software applications which are already present or loading new applications or removing or deactivating those applications which are no longer of interest for the user.
  • These write operations may therefore be advantageously performed without having to visit a customer service operating centre.
  • a write operation preferably envisages that the central server 700 transmits the data to be written to the on-board device 100 via the communications network 600 and the electronic device 210.
  • the electronic device 210 preferably does not perform any processing of the data, merely performing a transducer function between the connection to the communications network 600 (for example Wi-Fi or cellular network) and the short-range radio link with the on-board device 100 (for example NFC).
  • the data transmitted on the short-range radio link between electronic device 210 and onboard device 100 is therefore the same as the data transmitted on the communication network 600 between the central server 700 and the electronic device 210.
  • the establishment of the short-range radio link does not require any manual setting or any pairing procedure and is therefore very quick (about 1/10th of a second).
  • the short-range link has a maximum radius of 10 cm, it is intrinsically not exposed to the risk of sniffing of the transmitted data which, in any case, as will be explained below, is preferably encrypted by the central server 700.
  • the short-range communication stage 150 preferably saves it temporarily in the second memory 160.
  • a passcode write protection mechanism is provided in order to prevent any overwriting or unauthorised access to the second memory 160.
  • the short-range communication stage 150 may identify and store said data directly in a permanent manner in the second memory 160 (without requiring any action by the data processing unit 120), for example in an address location of the second memory 160 dedicated for the permanent storage of the basic data.
  • the short-range communication stage 150 may forward the data to be written in a transparent manner to the data processing unit 120, which identifies said data and transfers it back into the second memory 160, for example in the address location of the second memory 160 dedicated for the permanent storage of basic data.
  • the short-range communication stage 150 forwards said data preferably in a transparent manner to the data processing unit 120, which processes it and if necessary writes it in the first memory 130.
  • the write operation involves the data processing unit 120, the battery 1 10 must be charged. If, on the other hand, the data processing unit 120 is not involved, the write operation may be performed even if the battery 1 10 is discharged.
  • the data processing unit 120 if it is involved in the write operation, it preferably starts processing of the data to be written upon reception of a wake-up signal.
  • This wake-up signal may be sent to the data processing unit 120 by the short-range communication stage 150 or by the user of the on-board device 100, for example by means of a special button which can be accessed manually on the outside of the on-board device 100.
  • the on-board device 100 may be provided with one or more indicators (for example LED light indicators) designed to provide the user with visual feedback as regards the outcome of the data write operation on the on-board device 100.
  • the on-board device 100 may be provided with a light indicator configured to signal to the user whether the operation of writing the data in the first memory 130 has been successfully completed.
  • the on-board device 100 therefore is substantially able to operate in three different operating configurations:
  • This operating configuration is generally useful for the purpose of verification of operation of the on-board device 100, for diagnostic purposes and, generally, for the purpose of reading the data contained in the first memory 130;
  • This operating configuration is generally useful for the purpose of configuration of the on-board device 100 (for example in order to modify the tag data, update or activate the software applications already present, or load new applications, or in order to remove or disable those applications which are no longer of interest for the user, see the aforementioned example where the user wishes to activate temporarily a toll payment service in a foreign country).
  • the system shown in Figure 1 is preferably configured to provide a secure connection between the on-board device 100 and electronic device 210 and optionally between central server 700 and on-board device 100.
  • a mechanism for ensuring the authenticity of the data read from the second memory 160 namely so that the electronic device 210 and/or the central server 700 can be sure that the read data really relates to the on-board device 100 and has not instead been cloned by another on-board device
  • a mechanism for protecting the data exchanged between the central server 700 and the on-board device 100 is preferably configured to provide a secure connection between the on-board device 100 and electronic device 210 and optionally between central server 700 and on-board device 100.
  • the mechanism for ensuring the authenticity of the data read from the second memory 160 is based on asymmetric encryption of the data made available during reading by means of permanent storage in the second memory 160.
  • the data which can be read from the second memory 160 is stored in the second memory 160 encrypted with a private key.
  • the central server 700 preferably sends to the onboard device 100 the data to be rendered readable from the second memory 160 in a form already encrypted with private key.
  • the short-range communication stage 150 may store it directly in the second memory 160, without requesting any action by the data processing unit 120.
  • the central server 700 may send to the on-board device 100 the data to be rendered readable from the second memory in a form not yet encrypted with private key.
  • the short-range communication stage 150 preferably forwards it to the data processing unit 120 which encrypts it with private key and stores it permanently in the second memory 160. In this second case, therefore, action by the data processing unit 120 and storage of the private key in the first memory 130 are required.
  • the electronic device 210 or the central server 700 requests reading of this data
  • said data is transmitted, encrypted with private key, to the electronic device 210 via the short-range communication stage 150.
  • no command is sent to the data processing unit 120 of the on-board device 100, which is not required to perform reading operations from the second memory 160.
  • the electronic device 210 preferably uses the public key in order to decrypt the read data which is encrypted with private key.
  • the public key since it may be freely distributed, is preferably saved locally in the electronic device 210 (for example within an application executed by the device 210 for managing reading of data from the device 100), thus freeing the electronic device 210 from the need to be connected to the central server 700 during the whole of the operation of reading of the data stored by the second memory 160.
  • the hardware identifier UIDi 6 o is preferably written by the manufacturer of the memory 160 in a specific area thereof so that it is stored permanently and is available in read-only mode and therefore cannot be modified.
  • the hardware identifier UID 6 o is stored both unencrypted and encrypted with private key together with the data to be rendered readable (for example the basic data) permanently saved in the second memory 160 (containing, as described above, the identifier OBU-ID and optionally data about the user and/or the vehicle).
  • the hardware identifier UIDi 6 o is preferably transmitted to the electronic device 210 unencrypted, together with the data to be read encrypted with private key.
  • the electronic device 210 After carrying out decryption of the data to be read with public key, the electronic device 210 preferably compares the hardware identifier UID-I 60 received unencrypted with the hardware identifier UIDi 6 o obtained from decryption with public key. If the two hardware identifiers coincide, the data to be read is further authenticated.
  • the private key (which is the same for encryption and decryption) is preferably known only to the central server 700 and to the on-board device 100. Therefore, reading of this data in electronic tag mode by the electronic device 210 requires in any case forwarding of the data to the central server 700 which decrypts it with the private key known to it and, if authenticated, retransmits it unencrypted to the electronic device 210.
  • the mechanism for protecting the data transmitted from the central server 700 to the on-board device 100 is preferably based on symmetric encryption of the transmitted data.
  • This symmetric encryption uses a same private key to encrypt and decrypt the data, which key must therefore be known both to the central server 700 and to the on-board device 100.
  • the private key is stored in the first memory 130 of the on-board device 100, preferably in a non-erasable and non-modifiable area of the first memory 130.
  • the central server 700 preferably encrypts the data to be written with the private key and transmits it to the electronic device 210 where, as described above, it is temporarily saved in the second memory 160.
  • the data processing unit 120 preferably (upon reception of a wake-up signal, as described above) decrypts the data to be written using the private key stored in the first memory 130 and stores it in the first memory 130. This operation may be performed in different ways.
  • the data processing unit 120 firstly transfers the encrypted data from the second memory 162 to the first memory 130 and then decrypts it, using the symmetric key stored in the first memory 130.
  • the data processing unit 120 firstly recovers the symmetric key from the first memory 130, then uses it to decrypt the data (for example saved temporarily in an associated internal RAM memory), and finally transfers it into the first memory 130.
  • the data to be decrypted and the private key which is used to decrypt said data reside in two physically separate memories, one of which (namely the first memory 130 which stores the private key) is accessible only for the data processing unit 120 and therefore is not directly accessible by the short-range communication stage 150.
  • the short-range communication stage 150 allows an unprotected connection to be established between electronic device 210 and on-board device 100, the on-board device 100 is advantageously very secure.
  • the central server 700 divides the data to be written into blocks (before or after performing symmetric-key encryption of said data), which it then transmits to the on-board device 100 via the electronic device 210.
  • the data processing unit 120 waits for reception of all the encrypted blocks in the second memory 160. This advantageously further increases the security and reliability of the communication between central server 700 and on-board device 100 since the blocks, before being written in the memory 130, must be decrypted by a process which is totally external to the memory 160 in which it is temporarily stored.
  • the security of the private key used for symmetric encryption is preferably ensured in the manner described below.
  • personalisation at the factory of the on-board device 100 is performed, this operation comprising the following steps:
  • the secure server stores (in a manner not accessible from outside) at least one master key, on the basis of which it then calculates at least one derived key using the OBU-ID code received as diversifier.
  • the secure server then provides at its output the at least one derived key calculated.
  • the secure server stores a master administration key MAdBTKey and a master application key MApBTKey on the basis of which it calculates, respectively, a derived administration key DAdBTKey and a derived application key DApBTKey, using the OBU-ID code received as diversifier.
  • the two derived keys, output by the secure server may be used for different applications.
  • this operation is preferably performed at the factory, the at least one derived key being sent to the onboard device 100 via the radiofrequency communication stage 140.
  • the derived key(s) is/are then stored in the first memory 130 so that it/they is/are protected (non-readable), non- modifiable and non-erasable without the action of the processing unit 120.
  • the central server 700 preferably uses a second secure HSM server (also containing the master key(s)), supplying it with the unique identification code OBU-ID of the on- board device 100 and obtaining from it the specific derived key to be used for communication with the on-board device 100.
  • the transmitted data, encrypted by the central server 700 with derived key is received as described above by the data processing unit 120 which, using the appropriate derived key stored in its first memory 130, decrypts the data received which is finally stored in the first memory 130.
  • a first step preferably envisages that the electronic device 210, after being registered (logged in) with the central server 700, obtains from the on-board device 100 via the short-range link with the short- range communication stage 150 the following data read from the second memory 160:
  • the central server 700 preferably uses the aforementioned second secure HSM server (indicated by the reference number 710 in Figure 2), supplying it with the unique identification code OBU-ID of the on-board device 100 received unencrypted and obtaining from it the specific derived key to be used for communication with the on-board device 100. Once the derived key has been obtained, the central server 700 decrypts the data received and validates its correctness.
  • the configuration data sent from the central server 700 to the onboard device 100 and encrypted with derived key may also comprise data to be stored in the second memory 160, so that it remains readable by the electronic device 210 via short-range radio communication. This data may or may not be already encrypted by the central server 700 for the purposes of authentication, as described above.
  • the data processing unit 120 once the message with the derived key has been decrypted, identifies the data to be made available for reading and establishes whether it is already encrypted for the purposes of authentication. If this is so, it permanently stores it in the second memory 160. If this is not the case, it retrieves from the first memory 130 the private key of the asymmetric encryption intended to allow authentication of the data read, uses it to encrypt the data and stores it permanently in the second memory 160.
  • a session key may also be used for communication between the central server 700 and the on-board device 100.
  • the sender namely the central server 700 if data is written in the on-board device 100, or the on-board device 100 if data is read from the on-board device 100 calculates a session key, for example based on the derived key and a random number. The session key is recalculated (and is therefore different) for each communication session.
  • the sender preferably uses the calculated session key to further encrypt the data to be transmitted, already encrypted with the derived key of the symmetric encryption mechanism.
  • the sender also preferably encrypts the calculated session key, using for example the public key of the recipient (namely the on-board device 100 if data is written, or the central server 700 if data is read) and also sends this to the recipient.
  • the recipient upon reception of the data and the encrypted session key, decrypts the session key using the associated private key and then uses the session key to decrypt the data received (to be further decrypted using the derived key).
  • This mechanism is advantageous since it represents a solution which is less complex from a computational point of view compared to asymmetric encryption of all the data exchanged between central server 700 and on-board device 100 and which allows the calculation time necessary for encryption and decryption of the exchanged data to be reduced significantly.
  • protection with the session key is used only on the link between electronic device 210 and central server 700.
  • the management of the session keys in this case is entrusted to the electronic device 210 and not to the on-board device 100.
  • writing of the data in the second memory 160 may be managed by the data processing unit 120, interfaced in this case with the data connection interface (for example the radio communication technology internal modem or Bluetooth interface).
  • the data connection interface for example the radio communication technology internal modem or Bluetooth interface.
  • the short-range communication stage 150 may be used solely for the function of reading data from the memory 160.
  • the on-board device described in addition to allowing the reading of data (for example for verification or diagnostic purposes) and the writing of data (for example for configurational purposes) by the electronic device 210 allows in fact the exchange of data with the electronic device 210 and the central server 700 to be managed in a particularly secure manner.

Landscapes

  • Business, Economics & Management (AREA)
  • Finance (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

An on-board device for telematic traffic services is described. The on-board devices comprises a radiofrequency communication stage for communicating with a road-side device, a short-range communication stage for communicating with a user device (a mobile phone for example), a data processing unit cooperating with both the communication stages, a central operating memory - accessible only by the data processing unit - which stores an encryption key, and a second memory directly accessible by the short-distance communication stage. The short-range communication stage receives encrypted data from the user device and stores it temporarily in the second memory which can be directly accessed by it. Upon reception of a wake-up signal, the data processing unit decrypts this encrypted second data using the encryption key stored in the central operating memory and transfers said data into the central operating memory.

Description

ON-BOARD DEVICE FOR A VEHICLE
Technical field of the invention
The present invention relates in general to the field of telematic traffic services. In particular the present invention relates to an on- board device for a vehicle, suitable for use in a system which supports a telematic traffic service.
Prior art
Systems which support traffic telematic services are known. These services comprise both services for the user (such as payment of tolls for access to road/motorway stretches, payment of car park fees, etc.) and administrator services (such as control of access to restricted-traffic urban zones, monitoring of traffic along a road/motorway stretch, etc.).
These systems generally comprise an on-board device (also known as "OBU", i.e. "On Board Unit") suitable for installation onboard a vehicle, and a plurality of road-side devices (also known as "RSU", i.e. "Road Side Units") suitable for installation on the road side, on gateways or at access points, or at toll stations.
Generally, both the on-board device and the road-side devices are provided with respective radiofrequency communication stages (typically, DSRC, i.e. "Dedicated Short Range Communication" stages) which allow the on-board device to exchange information with the road-side devices. These radiofrequency communication stages typically use radiofrequency carriers, for example within the frequency range 5-6 GHz.
Each on-board device typically has an associated unique identification code OBU-ID, with which it is configured via software during manufacture. Moreover, when an on-board device is assigned to a user, it may be configured with information about the user (for example, personal details) and information about the vehicle (number plate, etc.). The configuration of an on-board device generally involves also the loading of the software applications which provide the telematic traffic services supported by the device.
After an on-board device has been configured and installed on- board, it may be necessary to modify its configuration, for example in order to update or activate the software applications already present, or load new applications, or remove or disable those applications which are no longer of interest for the user. This is for example the case where a user wishes to activate temporarily a toll payment service in a foreign country. In this case, the configuration of the user's on-board device must be modified by loading and activating temporarily a software application able to support this service.
Moreover, after an on-board device has been configured and installed on-board, it may be necessary to carry out checks on operation thereof and diagnostic tests, such as a check of the charge level of its battery. It might also be necessary to check the configuration information (relating to the user and/or to the vehicle) stored by the on-board device.
All the aforementioned operations require access to the on-board device in order to perform writing or reading of its memory and are generally carried out by means of equipment provided with radiofrequency communication stages able to communicate with the communication stage present in the on-board device. This equipment is generally present at the operating centres managed by the company which provides the telematic traffic service or by the company which manages the road or the motorway along which the telematic traffic service is provided. If a user therefore wishes to modify the configuration of his/her on-board device or check operation thereof, generally he/she must go to one of these operating centres.
US 2014/0316685 describes an onboard device for a system supporting traffic telematic services, which comprises a near-range communication module for communication with a first external communication device (for example, the mobile phone of the user), a far-range communication module (for example, DSRC) for communication with second external devices (for example, the roadside devices of the system) and a non-volatile memory which is accessible by both the communication modules. The near-range communication module may be for example a passive NFC tag. This is supplied by the user's mobile phone during communication and in this way may access the non-volatile memory, and in so doing can supply power to it, even when the rest of the on-board device is not in an operative condition. The contents of the non-volatile memory may therefore be read and/or written by means of the connection between the user's mobile phone and the near-range communication module, irrespective as to whether the rest of the on-board device is in operating mode or not. It is thus possible to modify the configuration of the on-board device, for example writing configuration data in the non-volatile memory, via the user's mobile phone. Similarly it is possible to read the contents of the non-volatile memory via the user's mobile phone.
Short description of the invention
The Applicant has noticed that the on-board device described by US 2014/0316685 has a number of drawbacks.
Firstly, the Applicant has noticed that the near-range communication module included in this device, since it has direct access to the non-volatile memory of the device both during reading and during writing, disadvantageously reduces the security of the onboard device. The short-range and near-field technologies (such as NFC technology) generally have mechanisms for authentication and protection of the connection which are not particularly secure, the security of the connection being mainly based on the fact of having a coverage range of only a few centimetres. If, therefore, for example, a third party should come into possession of the on-board device of a user, he/she could access the on-board device using his/her own mobile phone (or another device equipped with NFC reader), and thus modify the configuration thereof, or read information stored there and use it to clone the on-board device (i.e. copy it onto another on-board device).
Moreover, the direct access to the non-volatile memory by the near-range communication module disadvantageously could result in inefficient use of the computational and storage resources of the onboard device. The user could in fact decide, for example, to write configuration data in the memory (or, similarly, read configuration data from the memory) not knowing that, precisely in that moment, the on-board device is engaged in another priority activity, for example an exchange of data with one of the road-side devices. In this case, the configuration data writing operation started by the user, while being lower priority, could disadvantageously deprive the higher priority activity of computational resources, with the risk of slowing down or even stopping execution thereof.
In view of the above, the object of the present invention is to provide an on-board device for a motor vehicle, which is suitable for use in a system supporting a telematic traffic service and which solves the aforementioned problems.
In particular, the object of the present invention is to provide an on-board device for a motor vehicle, which is suitable for use in a system supporting a telematic traffic service, which is more secure and which uses more efficiently its associated computational and storage resources.
According to embodiments of the present invention, this object is achieved by an on-board device for a vehicle, which comprises a radiofrequency communication stage for communication with the road-side devices, a short-range communication stage for communication with an electronic device (for example a mobile phone) situated in the vicinity thereof, two memories and a data processing unit cooperating with both the communication stages. A first memory acts as a central operating memory accessible by the data processing unit alone and stores at least one first encryption key. A second memory is directly accessible instead by the short- range communication stage, is electrically connected thereto or integrated therein and stores first data relating to the on-board device. The short-range communication stage is configured to transmit to the electronic device this first data, also in power down mode or in the event of malfunctioning of the radiofrequency communication stage. The short-range communication stage is moreover configured to receive encrypted second data from the electronic device and store it temporarily in the second memory. The data processing unit is configured to decrypt, upon reception of a wake-up signal, this encrypted second data using the encryption key stored in the first central operating memory and to store the second data in the first central operating memory.
The on-board device is advantageously secure since, at the moment of reception of data from the electronic device via the short- range communication stage, the data to be decrypted and the encryption key which is needed to decrypt it are stored in two physically separate memories, one of which (namely that which stores the key) is accessible only by the data processing unit, i.e. cannot be directly accessed by the short-range communication stage. Despite the fact, therefore, that the short-range communication stage allows an unprotected connection to be established between electronic device and on-board device, the onboard device is advantageously more secure. The on-board device allows moreover more efficient use of its computational and storage resources, since the transfer of the data into the first central operating memory and the subsequent processing thereof are triggered upon reception of the wake-up signal in the data processing unit. This allows implementation of the mechanisms for managing the priority of the various operations which involve the data processing unit and the first central operating memory of the on-board device, whereby, for example, for the activity of processing data received from the short-range communication stage, the data processing unit receives wake-up signals after completing execution of the higher priority activities (for example, the data exchange activities between radiofrequency communication stage and road-side devices).
According to a first aspect, the present invention provides an on- board device for a vehicle, the on-board device being suitable for use in a system which provides a telematic traffic service, the on-board device comprising:
a radiofrequency communication stage configured to communicate with a road-side device of said system;
- a short-range communication stage configured to communicate with an electronic device located in the vicinity thereof;
a data processing unit cooperating with the radiofrequency communication stage and with the short-range communication stage,
- a first central operating memory accessible by the data processing unit, wherein the first central operating memory stores at least one encryption key;
a second memory electrically connected to or integrated in the short-range communication stage and directly accessible by the short-range communication stage, wherein the second memory stores first data relating to the on-board device, wherein the short-range communication stage is configured to transmit to the electronic device the first data, also in power down mode or in the event of malfunctioning of the radiofrequency communication stage and is moreover configured to receive from the electronic device encrypted second data and store it temporarily in the second memory, and
wherein the data processing unit is configured, upon reception of a wake-up signal, to decrypt the encrypted second data using the at least one encryption key stored in the first central operating memory and to store the second data in the first central operating memory.
Preferably, the first central operating memory is implemented inside in the data processing unit.
Alternatively, the first central operating memory is implemented outside the data processing unit, and the first central operating memory stores a hardware identifier UID 2o of the data processing unit in a non-modifiable and non-erasable manner.
Preferably, the device also comprises a hardware encryption interface between the first central operating memory and the data processing unit.
Preferably, the short-range communication stage is configured to send said wake-up signal to the data processing unit.
In addition or alternatively, the device also comprises a button manually accessible from the outside of the device, the button being configured so that, when pressed, said wake-up signal is sent to the data processing unit.
Preferably, the first data is stored in the second memory, encrypted with a private key of an asymmetric encryption mechanism, and the short-range communication stage is configured to transmit the first data to the electronic device, encrypted with said private key. The first data made available for reading and encrypted with private key in the second memory preferably comprises tag data of the on-board device, including in particular its unique identification code OBU-ID.
According to an advantageous variant, the short-range communication stage is configured to receive said first data from a central server via the electronic device and the short-range communication stage in a form encrypted with said private key, and to store directly in a permanent manner the encrypted first data in the second memory, without requesting any action of the data processing unit.
According to another variant, the short-range communication stage is configured to receive the first data from a central server via the electronic device and the short-range communication stage in a form not yet encrypted with said private key, the first central operating memory also stores said private key and the data processing unit is configured to encrypt said first data with said encrypted key and to store permanently the encrypted first data in the second memory.
Preferably the second memory also stores its hardware identifier UID-I 60, the hardware identifier UIDi6o being stored both unencrypted and encrypted with the private key together with the first data, and the short-range communication stage is configured to transmit to the electronic device the hardware identifier UIDi6o unencrypted and the hardware identifier UID 6o also encrypted with the private key together with the first data, for further authentication of the first data by the electronic device.
Preferably, the second data is received by the short-range communication stage in a form encrypted with a symmetric key identical to the encryption key stored in the first central operating memory.
According to a first variant, the data processing unit is configured, upon reception of said wake-up signal, to transfer firstly the encrypted second data from the second memory to the first central operating memory and then decrypt it using the encryption key stored in the first central operating memory.
According to another variant, the data processing unit is configured, upon reception of said wake-up signal, to decrypt firstly the encrypted second data using the encryption key stored in the first central operating memory and then transfer the decrypted second data into the first central operating memory.
Preferably, the encrypted second data is received in separate encrypted blocks and the data processing unit is configured to start decryption of the encrypted second data only after receiving, in the second memory, all the separate encrypted blocks.
Preferably, the data processing unit is configured to read third data stored in the first central operating memory, to encrypt the third data using said encryption key stored in the first central operating memory and to forward the encrypted third data to the short-range communication stage, the short-range communication stage being configured to transmit the encrypted third data to a central server via the electronic device.
Preferably, the second memory stores, together with said first data, also a unique identification code OBU-ID of the on-board device, the unique identification code OBU-ID of the device being stored both unencrypted and encrypted with the symmetric key, the short-range communication stage being configured to transmit to the central server via the electronic device also said unique identification code OBU-ID both unencrypted and encrypted with the symmetric key, so as to allow the central server to perform authentication of the device and decrypting of said third data.
According to a second aspect, the present invention provides a system for providing a telematic traffic service, the system comprising a plurality of road-side devices, an electronic device and an on-board device for a vehicle, the on-board device being configured to communicate both with the plurality of road-side devices and with the electronic device, the on-board device being as described above. Brief description of the drawings
The present invention will become clearer from the following description, provided by way of a non-limiting example, to be read with reference to the accompanying drawings, in which:
- Figure 1 shows in schematic form a system for providing a telematic traffic service, comprising an on-board device according to an embodiment of the present invention; and
- Figure 2 shows in schematic form a system for providing a telematic traffic service, comprising an on-board device according to another embodiment of the present invention. Detailed description of embodiments of the invention
Figure 1 shows in schematic form a system for providing a telematic traffic service, comprising an on-board device according to embodiments of the present invention. This telematic traffic service may be a service for the users (such as payment of tolls for access to road/motorway stretches, payment of car park fees, etc.) or a service for the administrator (such as control of access to restricted-traffic urban zones, monitoring of traffic along a road/motorway stretch, etc.).
The system comprises an on-board device 100, electronic device 210, a plurality of road-side devices (for the sake of simplicity not shown in Figure 1 ), a communications network 600 and central server 700 which communicates with the electronic device 210 via the communications network 600.
The on-board device 100 is preferably suitable for installation onboard a vehicle (for the sake of simplicity not shown in Figure 1 ), for example a motor vehicle. The road-side devices are instead configured to be installed in a fixed position, for example along a road side, on an overpass or on an access gateway (for example to a car park, an urban zone, a road or motorway section, etc.).
As will be described in greater detail below, the on-board device 100 is configured to communicate via radio both with the road-side devices and with the electronic device 210.
In particular, as shown in Figure 1 , the on-board device 100 preferably comprises a battery 1 10, a data processing unit 120, a first memory 130, a radiofrequency communication stage 140, a short- range communication stage 150 and a second memory 160. The onboard device 100 may comprise other components (for example GNSS components for satellite positioning) which will not be described in greater detail hereinbelow since they are not useful for the purposes of the present description.
The battery 1 10 is preferably electrically connected directly or indirectly to each of the other components of the on-board device 100 (in particular to the data processing unit 120, to the first memory 130, to the radiofrequency stage 140 and to the short-range communication stage 150), so as to power them if and when necessary.
The first memory 130 is preferably electrically connected to the data processing unit 120. The first memory 130 may be implemented on the outside or on the inside of the data processing unit 120. In any case, the first memory 130 is accessible by the data processing unit 120 alone (in particular it is not directly accessible by the short-range communication stage 150).
In the event of being realized externally, the first memory 130 preferably stores a hardware identifier UID 2o of the data processing unit 120 (preferably, its silicon number) in a non-modifiable and nonerasable manner. This hardware identifier UID 2o is used by the processing unit 120 to check the authenticity of the data read from the first memory 130. This advantageously makes it possible to prevent the contents of the central operating memory of one onboard device from being cloned and transferred onto another on- board device.
By way of a further security measure, if the first memory 130 is implemented outside the data processing unit 120, an interface (not shown in the drawings) is provided between the unit 120 and the memory 130, said interface being configured to perform hardware encryption of the data which the unit 120 writes into the memory 130 and hardware decryption of the data which the unit 120 reads from the memory 130. The data stored in the memory 130 is thus advantageously protected at the hardware level. The first memory 130 is therefore a non-volatile memory which acts as a secure central operating memory of the on-board device 100.
Preferably, the first memory 130 stores the unique identification code OBU-ID of the on-board device 100 and, optionally, information about the user who is owner of the vehicle and about the vehicle itself (for example number plate and/or toll class of vehicle). The first memory 130 also preferably stores the software applications which provide the telematic traffic services for the user and/or for the administrator supported by the on-board device 100 and the data generated by communication of the on-board device 100 with the road-side devices of the system via the radiofrequency communication stage 140 (for example, data relating to the position of the vehicle or transit thereof through an access way).
The radiofrequency communication stage 140 is preferably configured to establish radio links with the road-side devices. For example, the radiofrequency stage 140 may be implemented using DSRC (Dedicated Short Range Communications) technology which, as is known, comprises radio channels and authentication, encoding and decoding procedures which have been specifically developed for telematic traffic services and uses frequency bands in the range of 5.7 - 5.9 GHz.
The short-range communication stage 150 is preferably configured to support short-range radio links (maximum 10 cm) with the electronic device 210.
The electronic device 210 may belong to the same user who has been assigned the on-board device 100 or may belong to third parties (for example, the administrator of the road or motorway infrastructure along which the telematic traffic service supported by the on-board device 100 is provided, the telematic traffic service administrator, or the body or authority responsible for monitoring traffic offences). The electronic device 210 is also preferably provided with cabled or wireless connectivity (for example WiFi or cellular network) to the communications network 600. For example, the electronic device 210 may be a smartphone, a tablet or a generic commercial or specially designed reader. Preferably, the electronic device 210 is also provided with a user interface 200 comprising input and/or output elements comprising for example pushbuttons, cursors, touchscreen, etc. The electronic device 210 also comprises a short-range communication stage compatible with the short-range communication stage 150 of the on-board device 100.
Preferably, the short-range communication stage 150 (and therefore also the corresponding short-range communication stage of the electronic device 210) is implemented using near-field technology, such as RFID (Radio-Frequency IDentification) technology with short range (i.e. radius less than 10 cm). Of the various RFID technologies it is possible to use, for example, NFC (Near Field Communication) technology which, as is known, operates at the frequency of 13.56 MHz and may reach a maximum transmission speed of 424 kbit/s. Preferably, the short-range communication stage included in the electronic device 210 is configured as initiator, while the short-range communication stage 150 is configured as target. In other words, the short-range communication stage 150 is configured to receive from the short-range communication stage included in the electronic device 210 a radio carrier, from which it extracts its own power supply.
The configuration of the short-range communication stage 150 as reader is advantageous, since it allows the electronic complexity and software of the on-board unit to be reduced. It also allows the short- range communication stage 150 to operate (and therefore communicate with the corresponding short-range communication stage included in the electronic device 210) also when the battery 1 10 of the on-board device 100 is completely discharged, or when the remainder of the on-board device (in particular the data processing unit 120, the first memory 130 and the radiofrequency stage 140) is damaged or in any case not functioning.
The second memory 160 may be electrically connected to the short-range communication stage 150. Alternatively, the second memory 160 may be integrated in the short-range communication stage 150. In both cases, the second memory 160 is directly accessible by the short-range communication stage 150 which may carry out on it both write operations and read operations also without involving the processing unit 120, as will be described in greater detail hereinbelow. The second memory 160 is preferably a nonvolatile memory able to retain the data even when not electrically powered. For example, the second memory 16 may be a memory of the E2PROM type.
The second memory 160 preferably permanently stores a set of basic data relating to the on-board device 100, comprising a unique identification code OBU-ID of the on-board device 100 and, optionally, information about the user and/or the vehicle. The second memory 160 moreover is suitable for storing in a temporary or transient manner data sent by the central server 700 and destined for the data processing unit 120 and/or for the first memory 130, as will be described in greater detail hereinbelow.
In order to establish a radio link between the on-board device 100 and the electronic device 210, the two devices are moved close to each other (at a distance of less than 10 cm). The communications protocol via which the short-range communication stage 150 and the corresponding short-range stage included in the electronic device 210 operate thus establishes automatically a radio link. The radio link thus established is preferably a two-way point-to-point link which allows a two-way exchange of data between on-board device 100 and electronic device 210.
In particular, by means of the short-range radio link between electronic device 210 and on-board device 100, the short-range communication stage 150 may transmit to the electronic device 210 data read from the second memory 160 or other components of the on-board device 100, thus allowing the reading of this data from the on-board device 100 via the electronic device 210.
Optionally, the data read may be displayed in the form of texts or graphics on the user interface 200 of the electronic device 210. In addition or alternatively, the data read may be transmitted from the electronic device 210 to the central server 700 via the communications network 600.
These read operations may allow the user of the electronic device 210 (who may be the user who has been assigned the on-board device 1 10 or the personnel of the provider of the telematic traffic service supported by the on-board device 100) to carry out for example diagnostic checks or operational tests of the on-board device 100 (for example, checking of the charged level of its battery 1 10) or checking of the configuration information about the user and/or the motor vehicle stored by the on-board device 100.
If the data to be read is stored in the second memory 160 (as in the case, for example, of the aforementioned basic data), the short- range communication stage 150 advantageously may read it even if the battery 1 10 is completely discharged, or when the data processing unit 120 and/or the first memory 130 are not functioning.
The basic data stored in the second memory 160 can therefore be advantageously read by means of the electronic device 210, irrespective as to whether the on-board device 100 is functioning or not. The second memory 160 therefore advantageously performs substantially an electronic tag function.
If instead the data to be read is not stored in the second memory
160, the short-range communication stage 150 may read it only if the battery 1 10 is charged and the on-board device 100 (at least the data processing unit 120 and the first memory 130) is functioning correctly.
In order to start a read operation, the electronic device 210 preferably sends a command signal to the short-range communication stage 150.
If the read operation relates to data stored in the second memory 160 (for example the aforementioned basic data), the short-range communication stage 150 retrieves the required data from the second memory 160 and sends it to the electronic device 210, without requesting any action by the data processing unit 120.
If instead the read operation relates to data which is not stored in the second memory 160 (operation for which, as mentioned above, the battery 1 10 must be sufficiently charged), the short-range communication stage 150 forwards the command signal to the data processing unit 120 which retrieves the data required (for example from the first memory 130) and sends it to the short-range communication stage 150 which in turn forwards it the electronic device 210. Preferably, this command signal is preceded by a wake- up signal which activates the data processing unit 120.
In addition to the read operations, by means of the short-range radio link between electronic device 210 and on-board device 100, the short-range communication stage 150 may receive from the electronic device 210 data to be supplied to the other components of the on-board device 100 (in particular to the data processing unit 120 and/or to the first memory 130 and/or to the second memory 160), thus allowing writing of this data onto the on-board device 100 via the electronic device 210.
These write operations may for example allow the user of the electronic device 210 (who may be the user who has been assigned the on-board device 100 or the personnel of the provider of the telematic traffic service supported by the on-board device 100) to modify the configuration of the on-board device 100, for example updating or activating the software applications which are already present or loading new applications or removing or deactivating those applications which are no longer of interest for the user. These write operations may therefore be advantageously performed without having to visit a customer service operating centre.
A write operation preferably envisages that the central server 700 transmits the data to be written to the on-board device 100 via the communications network 600 and the electronic device 210.
The electronic device 210 preferably does not perform any processing of the data, merely performing a transducer function between the connection to the communications network 600 (for example Wi-Fi or cellular network) and the short-range radio link with the on-board device 100 (for example NFC). The data transmitted on the short-range radio link between electronic device 210 and onboard device 100 is therefore the same as the data transmitted on the communication network 600 between the central server 700 and the electronic device 210.
It should be noted that the establishment of the short-range radio link does not require any manual setting or any pairing procedure and is therefore very quick (about 1/10th of a second). Moreover, since the short-range link has a maximum radius of 10 cm, it is intrinsically not exposed to the risk of sniffing of the transmitted data which, in any case, as will be explained below, is preferably encrypted by the central server 700.
Once the data to be written has been received via the short-range radio link, the short-range communication stage 150 preferably saves it temporarily in the second memory 160. In order to prevent any overwriting or unauthorised access to the second memory 160, preferably a passcode write protection mechanism is provided. Alternatively, it is possible to provide in the second memory 160 one or more areas which are protected or have a write function enabled only by the data processing unit 120 and not by the short-range communication stage 150.
If the write operation relates to data to be stored permanently in the second memory 160 (for example the aforementioned basic data), the short-range communication stage 150 may identify and store said data directly in a permanent manner in the second memory 160 (without requiring any action by the data processing unit 120), for example in an address location of the second memory 160 dedicated for the permanent storage of the basic data. Alternatively, the short-range communication stage 150 may forward the data to be written in a transparent manner to the data processing unit 120, which identifies said data and transfers it back into the second memory 160, for example in the address location of the second memory 160 dedicated for the permanent storage of basic data.
If instead the write operation relates to the data intended for the data processing unit 120 and/or for the first memory 130 (for example, the aforementioned configuration data), the short-range communication stage 150 forwards said data preferably in a transparent manner to the data processing unit 120, which processes it and if necessary writes it in the first memory 130.
It should be noted that, if the write operation involves the data processing unit 120, the battery 1 10 must be charged. If, on the other hand, the data processing unit 120 is not involved, the write operation may be performed even if the battery 1 10 is discharged.
Preferably, if the data processing unit 120 is involved in the write operation, it preferably starts processing of the data to be written upon reception of a wake-up signal. This wake-up signal may be sent to the data processing unit 120 by the short-range communication stage 150 or by the user of the on-board device 100, for example by means of a special button which can be accessed manually on the outside of the on-board device 100.
According to an advantageous variant, the on-board device 100 may be provided with one or more indicators (for example LED light indicators) designed to provide the user with visual feedback as regards the outcome of the data write operation on the on-board device 100. For example, the on-board device 100 may be provided with a light indicator configured to signal to the user whether the operation of writing the data in the first memory 130 has been successfully completed.
To summarise, the on-board device 100 according to the present invention therefore is substantially able to operate in three different operating configurations:
- first operating configuration: reading, via short-range radio link with the electronic device 210, of basic data stored in the second memory 160 (electronic tag function);
- second operating configuration: reading, via short-range radio link with the electronic device 210, of data not stored in the second memory 160. This operating configuration is generally useful for the purpose of verification of operation of the on-board device 100, for diagnostic purposes and, generally, for the purpose of reading the data contained in the first memory 130; and
- third operating configuration: writing, via short-range radio link with the electronic device 210, of data in the first memory 130 or in the second memory 160. This operating configuration is generally useful for the purpose of configuration of the on-board device 100 (for example in order to modify the tag data, update or activate the software applications already present, or load new applications, or in order to remove or disable those applications which are no longer of interest for the user, see the aforementioned example where the user wishes to activate temporarily a toll payment service in a foreign country).
The system shown in Figure 1 is preferably configured to provide a secure connection between the on-board device 100 and electronic device 210 and optionally between central server 700 and on-board device 100. For this purpose, a mechanism for ensuring the authenticity of the data read from the second memory 160 (namely so that the electronic device 210 and/or the central server 700 can be sure that the read data really relates to the on-board device 100 and has not instead been cloned by another on-board device) and a mechanism for protecting the data exchanged between the central server 700 and the on-board device 100.
Preferably, the mechanism for ensuring the authenticity of the data read from the second memory 160 (for example the basic data of the on-board device 100) is based on asymmetric encryption of the data made available during reading by means of permanent storage in the second memory 160.
In particular, the data which can be read from the second memory 160 is stored in the second memory 160 encrypted with a private key. In order not to have to keep the private key stored in the onboard device 100, the central server 700 preferably sends to the onboard device 100 the data to be rendered readable from the second memory 160 in a form already encrypted with private key. In this case, upon reception of the data encrypted with private key from the central server 700, the short-range communication stage 150 may store it directly in the second memory 160, without requesting any action by the data processing unit 120.
Alternatively, the central server 700 may send to the on-board device 100 the data to be rendered readable from the second memory in a form not yet encrypted with private key. In this case, upon reception of the data not encrypted with private key from the central server 700, the short-range communication stage 150 preferably forwards it to the data processing unit 120 which encrypts it with private key and stores it permanently in the second memory 160. In this second case, therefore, action by the data processing unit 120 and storage of the private key in the first memory 130 are required.
If, subsequently, the electronic device 210 or the central server 700 requests reading of this data, said data is transmitted, encrypted with private key, to the electronic device 210 via the short-range communication stage 150. During this operation, no command is sent to the data processing unit 120 of the on-board device 100, which is not required to perform reading operations from the second memory 160.
Therefore, according to a first variant, the electronic device 210 preferably uses the public key in order to decrypt the read data which is encrypted with private key. The public key, since it may be freely distributed, is preferably saved locally in the electronic device 210 (for example within an application executed by the device 210 for managing reading of data from the device 100), thus freeing the electronic device 210 from the need to be connected to the central server 700 during the whole of the operation of reading of the data stored by the second memory 160.
Optionally, it is possible to provide additional authentication of the data read, based on a hardware identifier UID 6o of the memory 160 (for example, its silicon number). According to this variant, the hardware identifier UIDi6o is preferably written by the manufacturer of the memory 160 in a specific area thereof so that it is stored permanently and is available in read-only mode and therefore cannot be modified. Preferably, in the second memory 160 the hardware identifier UID 6o is stored both unencrypted and encrypted with private key together with the data to be rendered readable (for example the basic data) permanently saved in the second memory 160 (containing, as described above, the identifier OBU-ID and optionally data about the user and/or the vehicle).
The hardware identifier UIDi6o is preferably transmitted to the electronic device 210 unencrypted, together with the data to be read encrypted with private key.
After carrying out decryption of the data to be read with public key, the electronic device 210 preferably compares the hardware identifier UID-I 60 received unencrypted with the hardware identifier UIDi6o obtained from decryption with public key. If the two hardware identifiers coincide, the data to be read is further authenticated.
In this way, it is possible advantageously to prevent the second memory 160 from being cloned and transferred onto another onboard device. If the contents of the second memory 160 of the onboard device 100 were to be copied onto another on-board device, the lack of correspondence between the two hardware identifiers would be detected and the data read would thus not be authenticated. The non-clonability of the data stored in the second memory 160, namely the impossibility of copying this data into the memory of another on-board device, is thus advantageously ensured.
As an alternative to asymmetric encryption, it is possible to envisage symmetric encryption of the data stored permanently by the second memory 160. In this way, the private key (which is the same for encryption and decryption) is preferably known only to the central server 700 and to the on-board device 100. Therefore, reading of this data in electronic tag mode by the electronic device 210 requires in any case forwarding of the data to the central server 700 which decrypts it with the private key known to it and, if authenticated, retransmits it unencrypted to the electronic device 210.
As regards instead the mechanism for protecting the data transmitted from the central server 700 to the on-board device 100, it is preferably based on symmetric encryption of the transmitted data. This symmetric encryption uses a same private key to encrypt and decrypt the data, which key must therefore be known both to the central server 700 and to the on-board device 100. In particular, the private key is stored in the first memory 130 of the on-board device 100, preferably in a non-erasable and non-modifiable area of the first memory 130.
With reference, for example, to an operation for writing data in the first memory 130, the central server 700 preferably encrypts the data to be written with the private key and transmits it to the electronic device 210 where, as described above, it is temporarily saved in the second memory 160.
If the battery 1 10 and the data processing unit 120 are operative and functioning, the data processing unit 120 preferably (upon reception of a wake-up signal, as described above) decrypts the data to be written using the private key stored in the first memory 130 and stores it in the first memory 130. This operation may be performed in different ways.
According to a first variant, the data processing unit 120 firstly transfers the encrypted data from the second memory 162 to the first memory 130 and then decrypts it, using the symmetric key stored in the first memory 130.
According to a second variant, the data processing unit 120 firstly recovers the symmetric key from the first memory 130, then uses it to decrypt the data (for example saved temporarily in an associated internal RAM memory), and finally transfers it into the first memory 130.
It should be noted that, in both the variants, in any case the data to be decrypted and the private key which is used to decrypt said data reside in two physically separate memories, one of which (namely the first memory 130 which stores the private key) is accessible only for the data processing unit 120 and therefore is not directly accessible by the short-range communication stage 150. Despite the fact, therefore, that the short-range communication stage 150 allows an unprotected connection to be established between electronic device 210 and on-board device 100, the on-board device 100 is advantageously very secure.
Moreover, according to an advantageous variant, the central server 700 divides the data to be written into blocks (before or after performing symmetric-key encryption of said data), which it then transmits to the on-board device 100 via the electronic device 210. Preferably, before starting decryption of the data to be written in the first memory 130 as described above, the data processing unit 120 waits for reception of all the encrypted blocks in the second memory 160. This advantageously further increases the security and reliability of the communication between central server 700 and on-board device 100 since the blocks, before being written in the memory 130, must be decrypted by a process which is totally external to the memory 160 in which it is temporarily stored.
The security of the private key used for symmetric encryption is preferably ensured in the manner described below.
Preferably, personalisation at the factory of the on-board device 100 is performed, this operation comprising the following steps:
(i) Reading, via the radiofrequency communication stage 140, a unique identifier of the on-board device 100, for example its unique identification code OBU-ID;
(ii) Transmitting the code OBU-ID to the input of a secure server (for example of the HSM - Hardware Security Module - type). The secure server stores (in a manner not accessible from outside) at least one master key, on the basis of which it then calculates at least one derived key using the OBU-ID code received as diversifier. The secure server then provides at its output the at least one derived key calculated. Preferably the secure server stores a master administration key MAdBTKey and a master application key MApBTKey on the basis of which it calculates, respectively, a derived administration key DAdBTKey and a derived application key DApBTKey, using the OBU-ID code received as diversifier. The two derived keys, output by the secure server, may be used for different applications.
(iii) Storing the at least one derived key in the on-board device 100.
As already mentioned, this operation is preferably performed at the factory, the at least one derived key being sent to the onboard device 100 via the radiofrequency communication stage 140. The derived key(s) is/are then stored in the first memory 130 so that it/they is/are protected (non-readable), non- modifiable and non-erasable without the action of the processing unit 120.
During operation of the on-board device 100, as regards transmission of the data to be written from the central server 700 to the on-board device 100, the central server 700 preferably uses a second secure HSM server (also containing the master key(s)), supplying it with the unique identification code OBU-ID of the on- board device 100 and obtaining from it the specific derived key to be used for communication with the on-board device 100. The transmitted data, encrypted by the central server 700 with derived key, is received as described above by the data processing unit 120 which, using the appropriate derived key stored in its first memory 130, decrypts the data received which is finally stored in the first memory 130.
In the case of transmission of data from the on-board device 100 to the central server 700, it is necessary to allow the on-board device 100 to be identified by the central server 700 so that the central server 700 may calculate (via the secure second server) the derived key necessary for decryption of the data received from the on-board device 100. This requires an exchange of data between on-board device 100 and central server 700, which will now be described in greater detail with reference to Figure 2.
A first step preferably envisages that the electronic device 210, after being registered (logged in) with the central server 700, obtains from the on-board device 100 via the short-range link with the short- range communication stage 150 the following data read from the second memory 160:
- the unique identification code OBU-ID of the on-board device 100 unencrypted (so as to allow the central server 700 to calculate the derived key);
- the code OBU-ID encrypted with the derived key (to ensure authentication); and
- the data to be transmitted encrypted by the data processing unit 120 with the derived key. This data is then sent to the central server 700 via the communications network 600 (Figure 2 shows the sake of simplicity a repeater 800 of the communications network 600).
Once the aforementioned data has been received, the central server 700 preferably uses the aforementioned second secure HSM server (indicated by the reference number 710 in Figure 2), supplying it with the unique identification code OBU-ID of the on-board device 100 received unencrypted and obtaining from it the specific derived key to be used for communication with the on-board device 100. Once the derived key has been obtained, the central server 700 decrypts the data received and validates its correctness.
The configuration data sent from the central server 700 to the onboard device 100 and encrypted with derived key may also comprise data to be stored in the second memory 160, so that it remains readable by the electronic device 210 via short-range radio communication. This data may or may not be already encrypted by the central server 700 for the purposes of authentication, as described above.
The data processing unit 120, once the message with the derived key has been decrypted, identifies the data to be made available for reading and establishes whether it is already encrypted for the purposes of authentication. If this is so, it permanently stores it in the second memory 160. If this is not the case, it retrieves from the first memory 130 the private key of the asymmetric encryption intended to allow authentication of the data read, uses it to encrypt the data and stores it permanently in the second memory 160.
Optionally, a session key may also be used for communication between the central server 700 and the on-board device 100. Preferably, the sender (namely the central server 700 if data is written in the on-board device 100, or the on-board device 100 if data is read from the on-board device 100) calculates a session key, for example based on the derived key and a random number. The session key is recalculated (and is therefore different) for each communication session.
The sender preferably uses the calculated session key to further encrypt the data to be transmitted, already encrypted with the derived key of the symmetric encryption mechanism. The sender also preferably encrypts the calculated session key, using for example the public key of the recipient (namely the on-board device 100 if data is written, or the central server 700 if data is read) and also sends this to the recipient.
The recipient, upon reception of the data and the encrypted session key, decrypts the session key using the associated private key and then uses the session key to decrypt the data received (to be further decrypted using the derived key).
This mechanism is advantageous since it represents a solution which is less complex from a computational point of view compared to asymmetric encryption of all the data exchanged between central server 700 and on-board device 100 and which allows the calculation time necessary for encryption and decryption of the exchanged data to be reduced significantly.
According to a number of variants, protection with the session key is used only on the link between electronic device 210 and central server 700. The management of the session keys in this case is entrusted to the electronic device 210 and not to the on-board device 100.
If the on-board device 100 is equipped with a data connection interface (for example if it is a satellite device also equipped with radio communication technology or Bluetooth), writing of the data in the second memory 160 (and then in the memory 130) may be managed by the data processing unit 120, interfaced in this case with the data connection interface (for example the radio communication technology internal modem or Bluetooth interface). In this case, the short-range communication stage 150 may be used solely for the function of reading data from the memory 160.
The advantages of the on-board device 100 are clear from the above description.
The on-board device described, in addition to allowing the reading of data (for example for verification or diagnostic purposes) and the writing of data (for example for configurational purposes) by the electronic device 210 allows in fact the exchange of data with the electronic device 210 and the central server 700 to be managed in a particularly secure manner.

Claims

An on-board device (100) for a vehicle, said on-board device (100) being suitable for use in a system which provides a telematic traffic service, said on-board device (100) comprising:
- a radiofrequency communication stage (140) configured to communicate with a road-side device of said system;
- a short-range communication stage (150) configured to communicate with an electronic device (210) located in the vicinity thereof;
- a data processing unit (120) cooperating with said radiofrequency communication stage (140) and with said short-range communication stage (150),
- a first central operating memory (130) accessible by said data processing unit (120), wherein said first central operating memory (130) stores at least one encryption key;
- a second memory (160) electrically connected to or integrated in said short-range communication stage (150) and directly accessible by said short-range communication stage (150), wherein said second memory (160) stores first data relating to said on-board device (100); and
wherein said short-range communication stage (150) is configured to transmit to said electronic device (210) said first data, also in power down mode or in the event of malfunctioning of said radiofrequency communication stage (140) and is moreover configured to receive from said electronic device (210) encrypted second data and store it temporarily in said second memory (160);
and wherein said data processing unit (210) is configured, upon reception of a wake-up signal, to decrypt said encrypted second data using said encryption key stored in said first central operating memory (130) and to store said second data in said first central operating memory (130).
The device (100) according to claim 1 , wherein said first central operating memory (130) is implemented inside said data processing unit (120).
The device (100) according to claim 1 , wherein said first central operating memory (130) is implemented outside said data processing unit (120) and wherein said first central operating memory (130) stores a hardware identifier UID120 of said data processing unit (120) in a non-modifiable and non-erasable manner.
The device (100) according to claim 3, also comprising a hardware encryption interface between said first central operating memory (130) and said data processing unit (120).
The device (100) according to any one of the preceding claims, wherein said short-range communication stage (150) is configured to send said wake-up signal to said data processing unit (120).
The device (100) according to any one of the preceding claims, wherein said device (100) further comprises a button manually accessible from the outside of the said device (100), said button being configured so that, when pressed, said wake-up signal is sent to said data processing unit (120).
The device (100) according to any one of the preceding claims, wherein said first data is stored in said second memory (160) in a form encrypted with a private key of an asymmetric encryption mechanism, and wherein said short-range communication stage (150) is configured to transmit said first data to said electronic device (210) in a form encrypted with said private key.
The device (100) according to claim 7, wherein said short-range communication stage (150) is configured to receive said first data from a central server (700) via said electronic device (210) and said short-range stage (150) in a form already encrypted with said private key, and to store directly in a permanent manner said encrypted first data in said second memory (160), without requesting any action of said data processing unit (120).
9. The device (100) according to claim 7, wherein said short-range communication stage (150) is configured to receive said first data from a central server (700) via said electronic device (210) and said short-range communication stage (150) in a form not yet encrypted with said private key, wherein said first central operating memory (130) stores said private key and wherein said data processing unit (120) is configured to encrypt said first data with said encrypted key and to store in a permanent manner said encrypted first data in said second memory (160).
10. The device (100) according to any one of claims 7 to 9, wherein said second memory (160) also stores a hardware identifier UID-I 60 of said second memory (160), said hardware identifier UID-I 60 being stored both unencrypted and encrypted with said private key together with said first data, and wherein said short- range communication stage (150) is configured to transmit to said electronic device (210) said hardware identifier UIDi6o unencrypted and said hardware identifier UID 6o also encrypted with said private key together with said first data, for further authentication of said first data by said electronic device (210).
1 1 . The device (100) according to any one of the preceding claims, wherein said second data is received by said short-range communication stage in a form encrypted with a symmetric key identical to said encryption key stored in said first central operating memory (130).
12. The device (100) according to any one of the preceding claims, wherein said data processing unit (120) is configured, upon reception of said wake-up signal, to transfer firstly said encrypted second data from said second memory (160) to said first central operating memory (130) and then decrypt it using said encryption key stored in said first central operating memory (130).
13. The device (100) according to any one of claims 1 to 12, wherein said data processing unit (120) is configured, upon reception of said wake-up signal, to decrypt firstly said encrypted second data using said encryption key stored in said first central operating memory (130) and then transfer said second decrypted data into said first central operating memory (130).
14. The device (100) according to one of the preceding claims, wherein said encrypted second data is received in separate encrypted blocks and wherein said data processing unit (120) is configured to start decrypting said encrypted second data only after receiving, in said second memory (160), all said separate encrypted blocks.
15. The device (100) according to any one of the preceding claims, wherein said data processing unit (120) is configured to read third data stored in said first central operating memory (130), to encrypt said third data using said encryption key stored in said first central operating memory (130) and to forward said encrypted third data to said short-range communication stage (150), said short-range communication stage (150) being configured to transmit said encrypted third data to a central server (700) via said electronic device (210).
16. The device (100) according to claim 15, wherein said second memory (160) stores, together with said first data, also a unique identification code OBU-ID of said device (100), said unique identification code OBU-ID of said device (100) being stored both unencrypted and encrypted with said symmetric key, said short- range communication stage (150) being configured to transmit to said central server (700) via said electronic device (210) also said unique identification code OBU-ID both unencrypted and encrypted with said symmetric key, so as to allow said central server (700) to perform authentication of said device (700) and decrypting of said third data.
17. A system for providing a telematic traffic service, said system comprising a plurality of road-side devices, an electronic device (210) and an on-board device (100) for a vehicle, said on-board device (100) being configured to communicate both with said plurality of road-side devices and with said electronic device (210), said on-board device (100) being according to any one of claims 1 to 16.
EP17709787.0A 2016-01-14 2017-01-13 On-board device for a vehicle Active EP3238182B1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PL17709787T PL3238182T3 (en) 2016-01-14 2017-01-13 On-board device for a vehicle

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
ITUB2016A009991A ITUB20169991A1 (en) 2016-01-14 2016-01-14 COMMUNICATION SYSTEM FOR EXTRACTION DEVICES FOR MOTORWAYS OR ACCESS ACCESS, DEVICE AND ASSOCIATED METHOD.
PCT/IB2017/050184 WO2017122165A1 (en) 2016-01-14 2017-01-13 On-board device for a vehicle

Publications (2)

Publication Number Publication Date
EP3238182A1 true EP3238182A1 (en) 2017-11-01
EP3238182B1 EP3238182B1 (en) 2019-04-24

Family

ID=55861096

Family Applications (1)

Application Number Title Priority Date Filing Date
EP17709787.0A Active EP3238182B1 (en) 2016-01-14 2017-01-13 On-board device for a vehicle

Country Status (6)

Country Link
EP (1) EP3238182B1 (en)
CL (1) CL2018001747A1 (en)
ES (1) ES2735805T3 (en)
IT (1) ITUB20169991A1 (en)
PL (1) PL3238182T3 (en)
WO (1) WO2017122165A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
IT201900010758A1 (en) * 2019-07-03 2021-01-03 Telepass S P A On-board device for telematic traffic services
IT202100016715A1 (en) * 2021-06-25 2022-12-25 Telepass S P A ON-BOARD VEHICLE UNIT FOR ROAD TRAFFIC SERVICES WITH RADIO-FREQUENCY COMMUNICATION TRANSPONDER

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE102019202681A1 (en) * 2018-03-29 2019-10-02 Robert Bosch Gmbh control unit
CN112365614A (en) * 2020-10-10 2021-02-12 浙江省交通运输科学研究院 Vehicle-mounted interaction device for expressway, information interaction and charging system

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP3156562B2 (en) * 1995-10-19 2001-04-16 株式会社デンソー Vehicle communication device and traveling vehicle monitoring system
ES2555468T3 (en) * 2013-04-19 2016-01-04 Kapsch Trafficcom Ag On-board installation for a vehicle
EP2793194B1 (en) * 2013-04-19 2017-03-15 Kapsch TrafficCom AG Method for charging an onboard unit with an electronic ticket
US9111123B2 (en) * 2013-06-28 2015-08-18 International Business Machines Corporation Firmware for protecting data from software threats
SI2860703T1 (en) * 2013-10-08 2016-10-28 Kapsch Trafficcom Ag Method for checking toll transactions and components therefor

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
IT201900010758A1 (en) * 2019-07-03 2021-01-03 Telepass S P A On-board device for telematic traffic services
WO2021001776A1 (en) * 2019-07-03 2021-01-07 Telepass S.P.A. System comprising an on-board unit for telematic traffic services
IT202100016715A1 (en) * 2021-06-25 2022-12-25 Telepass S P A ON-BOARD VEHICLE UNIT FOR ROAD TRAFFIC SERVICES WITH RADIO-FREQUENCY COMMUNICATION TRANSPONDER
EP4109416A1 (en) * 2021-06-25 2022-12-28 Telepass S.p.A. On-board vehicle unit for road traffic services with radio frequency communication transponder

Also Published As

Publication number Publication date
EP3238182B1 (en) 2019-04-24
PL3238182T3 (en) 2019-11-29
CL2018001747A1 (en) 2018-10-26
WO2017122165A1 (en) 2017-07-20
ITUB20169991A1 (en) 2017-07-14
ES2735805T3 (en) 2019-12-20

Similar Documents

Publication Publication Date Title
US11212100B2 (en) Systems and methods of providing and electronically validating tickets and tokens
EP2498225B1 (en) Road toll system and method
EP3238182B1 (en) On-board device for a vehicle
US9098950B2 (en) Method and system for the user-specific initialization of identification devices in the field
CN104468784B (en) A kind of system and method that board units software upgrading is realized by DSRC interfaces
JP4167490B2 (en) Road toll collection system
KR20120116924A (en) Vehicle access control services and platform
JP2014509414A (en) Method, apparatus and system for secure access to an area with a gate
US11716194B2 (en) Vehicle communication for authorized entry
US11482017B2 (en) Method and apparatus to recognize transported passengers and goods
JP3445490B2 (en) Mobile communication method and mobile communication system
EP3416352B1 (en) On-board device for a vehicle
JP6105365B2 (en) OBE control system
JP2013258491A (en) Car sharing system and car sharing provisioning method
JP2017097788A (en) Toll collection system and toll collection method
CN109840959A (en) Vehicular communication equipment and charging method
WO2018213198A1 (en) Systems and methods of providing and electronically validating tickets and tokens
JP5310090B2 (en) Payment system
ES2712643T3 (en) Method for transmitting, through a telecommunications network, authorization information or authorization associated with a telecommunication terminal, telecommunication terminal, system, computer program and computer program
JP2002109593A (en) Radiocommunication equipment and method of information change
EP4109416A1 (en) On-board vehicle unit for road traffic services with radio frequency communication transponder
KR20180122538A (en) Apartment basement garage emergency bell device
JP6580868B2 (en) Information providing system, information providing method, and computer program
JP2002095050A (en) Information transmitting system, radio communications equipment, and moving object
CN114973435A (en) Ticket checking method, gate, server, mobile terminal and storage medium

Legal Events

Date Code Title Description
STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: UNKNOWN

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE INTERNATIONAL PUBLICATION HAS BEEN MADE

PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: REQUEST FOR EXAMINATION WAS MADE

17P Request for examination filed

Effective date: 20170726

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

AX Request for extension of the european patent

Extension state: BA ME

REG Reference to a national code

Ref country code: HK

Ref legal event code: DE

Ref document number: 1246479

Country of ref document: HK

GRAP Despatch of communication of intention to grant a patent

Free format text: ORIGINAL CODE: EPIDOSNIGR1

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: GRANT OF PATENT IS INTENDED

INTG Intention to grant announced

Effective date: 20180919

GRAJ Information related to disapproval of communication of intention to grant by the applicant or resumption of examination proceedings by the epo deleted

Free format text: ORIGINAL CODE: EPIDOSDIGR1

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: REQUEST FOR EXAMINATION WAS MADE

GRAR Information related to intention to grant a patent recorded

Free format text: ORIGINAL CODE: EPIDOSNIGR71

GRAS Grant fee paid

Free format text: ORIGINAL CODE: EPIDOSNIGR3

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: GRANT OF PATENT IS INTENDED

INTC Intention to grant announced (deleted)
INTG Intention to grant announced

Effective date: 20190214

GRAA (expected) grant

Free format text: ORIGINAL CODE: 0009210

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE PATENT HAS BEEN GRANTED

DAV Request for validation of the european patent (deleted)
DAX Request for extension of the european patent (deleted)
AK Designated contracting states

Kind code of ref document: B1

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

REG Reference to a national code

Ref country code: GB

Ref legal event code: FG4D

REG Reference to a national code

Ref country code: CH

Ref legal event code: EP

REG Reference to a national code

Ref country code: AT

Ref legal event code: REF

Ref document number: 1125031

Country of ref document: AT

Kind code of ref document: T

Effective date: 20190515

Ref country code: IE

Ref legal event code: FG4D

REG Reference to a national code

Ref country code: DE

Ref legal event code: R096

Ref document number: 602017003524

Country of ref document: DE

REG Reference to a national code

Ref country code: NL

Ref legal event code: MP

Effective date: 20190424

REG Reference to a national code

Ref country code: LT

Ref legal event code: MG4D

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: NL

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20190424

REG Reference to a national code

Ref country code: GR

Ref legal event code: EP

Ref document number: 20190402150

Country of ref document: GR

Effective date: 20191016

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: FI

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20190424

Ref country code: LT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20190424

Ref country code: NO

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20190724

Ref country code: HR

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20190424

Ref country code: SE

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20190424

Ref country code: AL

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20190424

Ref country code: PT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20190824

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: BG

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20190724

Ref country code: LV

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20190424

Ref country code: RS

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20190424

REG Reference to a national code

Ref country code: ES

Ref legal event code: FG2A

Ref document number: 2735805

Country of ref document: ES

Kind code of ref document: T3

Effective date: 20191220

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: IS

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20190824

REG Reference to a national code

Ref country code: DE

Ref legal event code: R097

Ref document number: 602017003524

Country of ref document: DE

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: RO

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20190424

Ref country code: CZ

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20190424

Ref country code: EE

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20190424

Ref country code: SK

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20190424

Ref country code: DK

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20190424

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: SM

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20190424

PLBE No opposition filed within time limit

Free format text: ORIGINAL CODE: 0009261

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: NO OPPOSITION FILED WITHIN TIME LIMIT

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: TR

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20190424

26N No opposition filed

Effective date: 20200127

REG Reference to a national code

Ref country code: AT

Ref legal event code: UEP

Ref document number: 1125031

Country of ref document: AT

Kind code of ref document: T

Effective date: 20190424

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: SI

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20190424

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: MC

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20190424

REG Reference to a national code

Ref country code: CH

Ref legal event code: PL

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: LU

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20200113

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: LI

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20200131

Ref country code: CH

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20200131

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: IE

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20200113

GBPC Gb: european patent ceased through non-payment of renewal fee

Effective date: 20210113

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: GB

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20210113

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: MT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20190424

Ref country code: CY

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20190424

REG Reference to a national code

Ref country code: DE

Ref legal event code: R081

Ref document number: 602017003524

Country of ref document: DE

Owner name: MOVYON S.P.A., IT

Free format text: FORMER OWNER: AUTOSTRADE TECH S.P.A., ROMA, IT

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: MK

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20190424

REG Reference to a national code

Ref country code: ES

Ref legal event code: PC2A

Owner name: MOVYON S.P.A.

Effective date: 20220701

REG Reference to a national code

Ref country code: BE

Ref legal event code: HC

Owner name: MOVYON S.P.A.; IT

Free format text: DETAILS ASSIGNMENT: CHANGE OF OWNER(S), CHANGE OF OWNER(S) NAME; FORMER OWNER NAME: AUTOSTRADE TECH S.P.A.

Effective date: 20220607

REG Reference to a national code

Ref country code: AT

Ref legal event code: HC

Ref document number: 1125031

Country of ref document: AT

Kind code of ref document: T

Owner name: MOVYON S.P.A., IT

Effective date: 20221025

P01 Opt-out of the competence of the unified patent court (upc) registered

Effective date: 20230529

PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: PL

Payment date: 20231221

Year of fee payment: 8

PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: GR

Payment date: 20240122

Year of fee payment: 8

PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: ES

Payment date: 20240227

Year of fee payment: 8

PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: AT

Payment date: 20240122

Year of fee payment: 8

PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: DE

Payment date: 20240119

Year of fee payment: 8

PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: IT

Payment date: 20240117

Year of fee payment: 8

Ref country code: FR

Payment date: 20240124

Year of fee payment: 8

Ref country code: BE

Payment date: 20240119

Year of fee payment: 8