JP2013193598A - Vehicle authentication device, and vehicle authentication system - Google Patents

Abstract

PROBLEM TO BE SOLVED: To secure vehicle security even if communication of an in-vehicle electronic control system with an external device is carried out by using the same communication standard as applied to a computer network.SOLUTION: A device identifier acquired by identification information acquisition processing is registered in a memory 12 if it is determined by a state determination processing that the vehicle state is under a security securing state, while the device identifier is not registered in the memory 12 if it is determined that the vehicle state is not under the security securing state. Further, information exchange between an external device 3 and ECU 1 identified by the device identifier is permitted if it is determined in a registration processing that the device identifier acquired by the identification information acquisition processing is registered in the memory 12, while the information exchange is prohibited when the device identifier is determined not to be registered in the memory 12.

Description

  The present invention relates to a vehicle authentication device connected to an external device using an Internet protocol, and a vehicle authentication system including the vehicle authentication device.

  Conventionally, an electronic control system to which a plurality of electronic control units (ECUs) are connected via an in-vehicle network and an external device such as a tester are connected by wire via a connector in a vehicle compartment, and abnormal data (diag Code). Communication between the electronic control system and the external device is realized in accordance with a communication standard defined in ISO14230 such as CAN or KWP, as described in Patent Document 1, for example. Similarly, when it is necessary to read internal data of the ECU or rewrite the control program in the electronic control system, an external device may be connected to be able to communicate and exchange necessary data.

  In recent years, it has been studied to communicate between an electronic control system and an external device using a communication standard (Internet protocol: IP) similar to that of a computer network.

JP 2003-318996 A

  When using an IP-based network for communication between an in-vehicle electronic control system and an external device, the convenience of exchanging data with the electronic control system is increased, but there is a risk that the vehicle will be operated by a malicious third party Will increase.

  Details are as follows. When an IP-based network can be used for communication between the electronic control system and the external device, an IP-compatible external device such as a widely used notebook PC can be wirelessly connected to the electronic control system. Therefore, it is not necessary to use a tester dedicated for diagnosis, and the trouble of connecting each time through a connector in the vehicle compartment can be saved.

  On the other hand, since it is considered that it is possible to easily connect to the electronic control system from outside the vehicle by an IP-compatible external device such as a widely used notebook PC, an electronic control system can be used by a malicious third party. There is a possibility that reading of internal data of the ECU and rewriting of the control program are easily performed.

  The present invention has been made in view of the above-described conventional problems, and its object is to ensure vehicle security even when communication is performed between an in-vehicle electronic control system and an external device using an Internet protocol. An object of the present invention is to provide a vehicular authentication device and a vehicular authentication system.

  The present invention is connected to an in-vehicle communication device (2) that is mounted on a vehicle and can communicate with an external device (3) outside the vehicle by radio or wired at least wirelessly using an Internet protocol via an in-vehicle network. The vehicle authentication device (11) provided in the electronic control device (1), and when the information including the identification information for specifying the external device is transmitted from the external device to the communication device, this identification information Information acquisition means (11, S1) for acquiring the security status in which the vehicle is in a state indicating that a legitimate user permitted to operate the vehicle operates or operates the vehicle. If the state determination unit (11, S5) determines whether or not the security assurance state is determined by the state determination unit, the identification information acquisition unit Registration means (11, S7) that does not register the identification information in the storage device when it is determined that the identification information is registered in the storage device (12) mounted on the vehicle and does not correspond to the security ensured state. When the identification information is acquired by the identification information acquisition means, the registration determination means (11, S2) for determining whether or not the identification information is registered in the storage device, and the identification information is stored in the storage device by the registration determination means. When it is determined that the information is registered, the exchange of information between the external device specified by the identification information and the electronic control device is permitted, but the identification information is not registered in the storage device by the registration determination unit. And authentication means (11, S3, S6) for prohibiting the exchange of information between the external device specified by the identification information and the electronic control device. .

  According to this, based on the fact that the identification information is not registered in the storage device mounted on the vehicle, the exchange of information between the external device specified by the identification information and the electronic control device is prohibited. Therefore, it becomes possible to prevent reading of internal data of the electronic control device and rewriting of the control program from an external device whose identification information is not registered in the storage device.

  Further, the registration of the identification information in the storage device corresponds to a security ensuring state in which the state of the vehicle indicates a state in which a legitimate user permitted to operate the vehicle operates or operates the vehicle. Since it is not performed unless it is determined by the state determination means, it can be registered only under the presence of a regular user. Therefore, it becomes difficult for a malicious third party to illegally register the identification information in the storage device, and security is ensured.

  As a result, it is possible to ensure the security of the vehicle even when communication between the in-vehicle electronic control system and the external device is performed using the Internet protocol.

In addition, the present invention is connected to an in-vehicle communication device (2) that is mounted on a vehicle and can communicate with an external device (3) outside the vehicle by wireless or at least wirelessly using an Internet protocol via an in-vehicle network A vehicle authentication device (11c) provided in the electronic control device (1, 1a), and a server (5) provided outside the vehicle and provided with a storage device for storing information,
The vehicle authentication device includes an identification information acquisition unit (11c) for acquiring identification information when the information including identification information for specifying the external device is transmitted from the external device to the communication device, State determination means (11c) for determining whether or not the state corresponds to a security ensuring state, which is a state indicating that a legitimate user permitted to operate the vehicle operates or operates the vehicle; When the state determination unit determines that the security ensured state is satisfied, the identification information acquired by the identification information acquiring unit is registered in the storage device (53) of the server, while when it is determined that the security ensured state is not satisfied. When the identification information is acquired by the registration means (11c) that does not register the identification information in the storage device and the identification information acquisition means, the identification information is stored in the storage device. A registration determination unit (11c) that determines whether or not the information is recorded, and an external device and an electronic control unit that are identified by the identification information when the registration determination unit determines that the identification information is registered in the storage device Exchange of information between the external device and the electronic control device based on the determination that the identification information is not registered in the storage device. And an authentication unit (11c) that prohibits exchange of information.

  According to this, when information including identification information is transmitted from the external device, if the identification information is not registered in the storage device of the server provided outside the vehicle, the external device and the electronic control are controlled. Since the exchange of information with the device is prohibited, it becomes impossible to read the internal data of the electronic control device and rewrite the control program from an external device whose identification information is not registered in the storage device of the server. .

  Further, the registration of the identification information in the storage device corresponds to a security ensuring state in which the state of the vehicle indicates a state in which a legitimate user permitted to operate the vehicle operates or operates the vehicle. Since it is not performed unless it is determined by the state determination means, it can be registered only under the presence of a regular user. Therefore, it becomes difficult for a malicious third party to illegally register the identification information in the storage device, and security is ensured.

  As a result, it is possible to ensure the security of the vehicle even when communication between the in-vehicle electronic control system and the external device is performed using the Internet protocol.

1 is a block diagram illustrating a schematic configuration of a vehicle authentication system 100 according to Embodiment 1. FIG. It is a schematic diagram which shows an example of the data structure of a diagnosis communication data. 3 is a flowchart illustrating an example of a flow of diagnostic communication-related processing in a CPU 11 according to the first embodiment. 12 is a flowchart illustrating an example of a flow of diagnostic communication-related processing in a CPU 11 in Modification 1; It is a block diagram which shows schematic structure of the authentication system for vehicles 100a in Embodiment 2. FIG. It is a block diagram which shows the schematic structure of the authentication system for vehicles 200 in Embodiment 3.

  Hereinafter, embodiments of the present invention will be described with reference to the drawings.

(Embodiment 1)
As shown in FIG. 1, the vehicular authentication system 100 includes an electronic control device (hereinafter referred to as ECU) 1, a communication module 2, and an external device 3. The ECU 1 and the communication module 2 are mounted on the vehicle, and the external device 3 is used outside the vehicle. In the example of the present embodiment, the external device 3 is described as being used outside the vehicle, but may be used inside the vehicle.

  It is assumed that the ECU 1 and the communication module 2 are connected via an in-vehicle network such as an in-vehicle LAN conforming to a communication protocol such as CAN (controller area network). The communication module 2 and the external device 3 are connected by an Internet protocol (IP) -based network such as DoIP (Diagnostics over Internet Protocol). The connection between the communication module 2 and the external device 3 in the IP-based network may be a wired connection or a wireless connection, but at least a wireless connection is possible.

  The communication module 2 relays the external device 3 and the in-vehicle network. The communication module 2 receives information transmitted from the external device 3 and sends the information to the ECU 1 through the in-vehicle network, or the ECU 1 through the in-vehicle network. The information sent from is sent to the external device 3. As described above, the communication module 2 communicates with the external device 3 by at least wireless between wired and wireless, and has a transmission / reception antenna for wireless communication. The communication module 2 corresponds to the communication device of the claims.

  The external device 3 is a device that can communicate with the communication module 2 via an IP-based network, and holds identification information (hereinafter, a device identifier) for specifying the device itself. As described above, the external device 3 communicates with the communication module 2 by at least wireless between wired and wireless. It is assumed that the external device 3 performs transmission by including the device identifier of the own device when transmitting information to the communication module 2.

  The external device 3 is, for example, a notebook PC or an IP-compatible tester, and transmits a service request for requesting reading of a diagnostic diagnosis code from the ECU 1, rewriting of a control program of the ECU 1, and forced driving of electrical components controlled by the ECU 1. Diagnostic communication is performed. The diagnostic diagnostic code is information about an abnormality when there is a vehicle malfunction or abnormality. As the device identifier, for example, the MAC address of the external device 3 or a partial ID of the MAC address may be used.

  The communication module 2 and the external device 3 can be connected not only by the above-described IP-based network but also by a network such as a CAN via a DLC connector.

  Here, an example of the data structure of information (hereinafter referred to as diagnostic communication data) transmitted from the external device 3 by diagnostic communication will be described with reference to FIG. As shown in FIG. 2, the diagnosis communication data is divided into a head header area and a data area following the header area. The service area described above is stored in the data area. The header area stores a transmission source address that is the address of the own device as a transmission source, a transmission destination address that is the address of the ECU 1 that is the target of the service request, and the above-described device identifier. 2 is merely an example, and the data structure of the diagnosis communication data is not limited to that shown in FIG.

  For example, both the IP address and the MAC address may be used as the source address and the destination address. When the MAC address is used as the device identifier, the same MAC address is stored in the storage area of the transmission source address and the device identifier. Note that the MAC address as the transmission source address is rewritten to the MAC address of the communication module 2 when the communication module 2 receives the diagnosis communication data, but the MAC address as the device identifier is not rewritten.

  The ECU 1 is configured around a known microcomputer including a CPU 11, a memory 12, such as a ROM, a RAM, and an EEPROM, a communication interface (I / F) 13, a power supply IC 14, and a bus line that connects these components. . Then, based on information input from the communication module 2, processing related to diagnostic communication (hereinafter referred to as diagnostic communication-related processing) and processing related to electrical component control (hereinafter referred to as electrical component control) in accordance with a program stored in the ROM or the like. Various processing such as related processing) is performed. The CPU 11 corresponds to the vehicle authentication device in the claims.

  Further, the ECU 1 is energized when a vehicle ignition (IG) power source is turned on and enters a wake-up state. On the other hand, when the IG power source is turned off, the ECU 1 is in a sleep state that consumes less power than during wake-up. Become.

  The wake-up state referred to here indicates a state where processing by the CPU 11 is possible. The processing in the CPU 11 is the above-described diagnosis communication-related processing, electrical component control-related processing, or the like. The sleep state here refers to a state in which power is not supplied to the CPU 11 and the function of the CPU 11 is stopped. In the sleep state, since the function of the CPU 11 is stopped, the power consumption is significantly reduced as compared with the wake-up state.

  The power supply IC 14 is always energized by, for example, a backup power supply even when the ECU 1 enters a sleep state. Further, when the ECU 1 is in a sleep state, the power supply IC 14 supplies power to the CPU 11 when a signal indicating that the communication module 2 has received information from the external device 3 is input via the communication I / F 13. When the power is supplied from the power IC 14, the CPU 11 returns to the wake-up state even when the IG power is off.

  The power supply IC 14 may be configured to supply power to the CPU 11 regardless of the type of information received from the external device 3, or a wakeup signal that requests that the information received from the external device 3 switches the ECU 1 to the wakeup state. If there is, it may be configured to supply power to the CPU 11.

  The communication module 2 may be configured to remain in a wake-up state by always energizing, for example, a backup power source or the like when the IG power source of the vehicle is off, or switch between a sleep state and a wake-up state at a constant cycle. It is good also as a structure. Switching between the sleep state and the wake-up state at a constant cycle may be realized by using a known timer circuit such as a free-run timer.

  Next, an example of diagnostic communication related processing in the CPU 11 will be described using the flowchart of FIG. This flow is started when, for example, diagnostic communication data received from the external device 3 by the communication module 2 is input via the communication I / F 13. This flow is started when the CPU 11 receives power supply from the power supply IC 14 as described above, even when the IG power supply of the vehicle is off and the ECU 1 is in the sleep state.

  First, in step S1, a device identifier acquisition process is performed, and the process proceeds to step S2. In the device identifier acquisition process, the device identifier included in the diagnosis communication data input from the communication module 2 to the CPU 11 via the communication I / F 13 is acquired. Therefore, the process of step S1 corresponds to the identification information acquisition means in the claims.

  In step S2, a registration determination process is performed, and the process proceeds to step S3. In the registration determination process, it is determined whether or not any device identifier registered in the memory 12 matches the device identifier acquired in step S1 (that is, the device identifier received from the external device 3).

  For example, if it has been registered in the memory 12 in the past in a registration process to be described later, it is determined that they match, and when the device identifier is received from the external device 3 connected to the communication module 2 for the first time, the device identifier is registered. Since it is not completed, it is determined that they do not match. Therefore, the process of step S2 corresponds to a registration determination unit in the claims.

  In step S3, if it is determined that there is a match as a result of the registration determination process (YES in step S3), the normal process described later is permitted, and the process proceeds to step S4. If it is determined that there is no match (NO in step S3), the process proceeds to step S5.

  In step S4, normal processing is performed and the flow ends. In the normal process, a process according to the service request included in the diagnosis communication data is performed. When the service request is, for example, a request for reading the diagnostic diagnosis code from the ECU 1, the diagnostic diagnosis code for the electrical component controlled by the ECU 1 is read. Then, the read diagnostic diagnosis code is sent to the communication module 2 via the communication I / F 13 and is sent from the communication module 2 to the external device 3.

  When the service request is a request for rewriting the control program of the ECU 1 or a request for forcibly driving the electrical equipment controlled by the ECU 1, the control program is rewritten or the electrical equipment is forcibly driven according to the request.

  In step S5, a state determination process is performed, and the process proceeds to step S6. In the state determination process, it is determined whether or not the vehicle state acquired from the sensor for detecting the vehicle state or another ECU via the in-vehicle network 1 corresponds to the security ensured state. Therefore, the process of step S5 corresponds to the state determination means in the claims.

  The security ensured state is a vehicle state indicating that an authorized user permitted to operate the vehicle operates or operates the vehicle. In other words, a vehicle state in which the user of the external device 3 can be limited to a regular user.

  As an example of the security ensuring state, the door lock is unlocked, the door is unlocked, the door is opened, the IG key is inserted in the IG key cylinder, the window is opened Open state, key authentication state in which the electronic key is authenticated in the keyless entry system, immobilizer release state in which the driving force source of the vehicle is permitted to be activated by the immobilizer, IG on state in which the IG power supply is on, etc. There is a vehicle condition.

  It should be noted that the door open state, key insertion state, window open state, immobility release state, and IG on state are in the “state indicating that an authorized user permitted to operate the vehicle operates the vehicle” in the claims. Equivalent to. Further, the key authentication state corresponds to “a state in which an authorized user who is permitted to operate the vehicle in the claims operates on the vehicle”.

  For example, the door lock unlocked state is determined based on the door lock detection switch signal, the door open state is determined based on the courtesy switch signal, and the window open state is determined based on the window open / close switch signal. That's fine. The key insertion state may be determined based on the signal of the key insertion detection line, and the IG on state may be determined based on the signal of the IG switch. Furthermore, the key authentication state may be determined based on the signal from the ECU for authentication of the keyless entry system, and the immobilization release state may be determined based on the immobilizer signal.

  The security ensuring state used for the determination in the state determination process may be any one of those described above, or may be a combination of a plurality. Note that a configuration in which the key authentication state is used as the security ensuring state is more preferable from the viewpoint of convenience that the user does not have to perform an operation on the vehicle such as opening the door of the vehicle.

  In step S6, when it is determined that the security state is satisfied as a result of the state determination process (YES in step S6), the process proceeds to step S7. In addition, when it is determined that the state does not correspond to the security ensured state (NO in step S6), the normal process is prohibited and the flow is ended.

  That is, when it is determined in the registration determination process that the device identifier (identification information) is registered in the memory 12, the exchange of information between the external device 3 specified by the device identifier and the ECU 1 is permitted. On the other hand, when it is determined that the device identifier is not registered in the memory 12 and it is determined that the state determination process does not correspond to the security ensured state, the external device 3 and the ECU 1 identified by the device identifier are Information exchange between the two is prohibited. Steps S3 and S6 correspond to the authentication means in the claims.

  In step S7, a registration process is performed, and the process proceeds to step S8. In the registration process, the device identifier obtained by the device identifier obtaining process is stored in an electrically rewritable non-volatile memory such as an EEPROM in the memory 12 to perform registration in the memory 12. Therefore, the memory 12 corresponds to the storage device in the claims, and the processing in step S7 corresponds to the registration means in the claims. In step S8, normal processing is performed in the same manner as in step S4, and the flow ends.

  In the registration process, the apparatus identifier acquired in the apparatus identifier acquisition process can be registered in the memory 12 only within a predetermined time (for example, 3 minutes) after it is determined that the security determination state is met in the state determination process. It is preferable.

  According to this, by adding a time restriction to the registration of the device identifier, it is possible to reduce the risk of receiving an interruption of device identifier registration from the external device 3 of a malicious third party. As an example, the device identifier is registered only when the external device 3 is connected to the communication module 2 within 3 minutes after the door lock of the vehicle is released.

  Further, it is preferable that the CPU 11 can delete the device identifier registered in the memory 12. Therefore, the CPU 11 corresponds to an erasing unit in the claims. According to this, the capacity of the memory 12 can be effectively utilized by deleting the device identifier from the memory 12.

  For example, the device identifier of the external device 3 used for diagnosis communication in a factory before shipment of the vehicle is not used after shipment, and is deleted in order to effectively use the capacity of the memory 12. As an example, a configuration may be adopted in which an erasure request is transmitted from the external device 3 and the device identifiers in the memory 12 are individually erased or collectively erased.

  In addition, the number of times the ignition power is switched from on to off is counted by a counter (not shown) of the CPU 11, and the CPU 11 automatically erases when the number of times of switching reaches a certain number. The CPU 11 may be configured to delete the oldest stored device identifier every time the capacity of the storage area is reached.

  Further, the memory contents for storing the device identifier of the external device 3 used for the diagnosis communication in the factory before shipment can be retained only when the RAM is energized, for example, and the memory contents are lost when the energization is cut off. The registered device identifier may be automatically deleted when the IG power supply of the vehicle is turned off by selecting the volatile memory to be stored.

  As an example, an input in accordance with a user operation for selecting whether to register the device identifier registration destination memory 12 as a volatile memory or a non-volatile memory via an operation input unit (not shown) of the external device 3 is performed. Accept. When an input indicating that the registration destination of the device identifier is selected as the volatile memory is received, a signal instructing that the registration destination of the device identifier is set as the volatile memory is sent from the external device 3 to the communication module 2. To the ECU 1. When the ECU 1 receives a signal from the external device 3 instructing to register the device identifier as a volatile memory, the device identifier is registered in the volatile memory when the ECU 1 registers the device identifier. .

  According to this, since the registered device identifier is automatically deleted when the IG power supply of the vehicle is turned off, it is possible to save the trouble of deleting the device identifier. For example, in the factory before shipment, by selecting to register the device identifier in the volatile memory, the device identifier of the external device 3 used for the diagnosis communication before shipment is automatically deleted at the time of shipment. This eliminates the need for deleting the device identifier, which is unnecessary.

  In addition, when an input indicating that the registration destination of the device identifier is selected to be a nonvolatile memory is received, a signal instructing that the registration destination of the device identifier is a nonvolatile memory is transmitted from the external device 3 to the communication module. 2 to ECU1. When the ECU 1 receives a signal from the external device 3 instructing that the registration destination of the device identifier is a nonvolatile memory, the device identifier is registered in the nonvolatile memory when the ECU 1 registers the device identifier. . Note that the default registration destination when the registration destination of the device identifier is not selected may be, for example, a nonvolatile memory.

  In the present embodiment, the configuration in which the normal process in step S8 is performed after the registration process in step S7 is shown, but the present invention is not necessarily limited thereto. For example, after the registration process in step S7, the process proceeds to the registration determination process in step S2, and the flow may be repeated and the normal process in step S8 may be omitted.

  In other words, unless it is determined that the device identifier (identification information) is registered in the memory 12 in the registration determination process, information exchange between the external device 3 specified by the device identifier and the ECU 1 is not permitted. Also good.

  In the present embodiment, the configuration in which the registration determination process is performed prior to the state determination process after the apparatus identifier acquisition process is shown, but the present invention is not necessarily limited thereto. For example, after the device identifier acquisition process, the state determination process may be performed before the registration determination process (hereinafter, modified example 1).

  Here, an example of a diagnosis communication-related process in the CPU 11 in the first modification will be described using the flowchart of FIG. The flow in FIG. 4 is also started when, for example, diagnostic communication data received from the external device 3 by the communication module 2 is input via the communication I / F 13.

  First, in step S11, a device identifier acquisition process is performed in the same manner as in step S1, and the process proceeds to step S12. In step S12, a state determination process is performed in the same manner as in step S5, and the process proceeds to step S13.

  In step S13, when it is determined that the security state is satisfied as a result of the state determination process (YES in step S13), the process proceeds to step S14. On the other hand, if it is determined that it does not correspond to the security ensured state (NO in step S13), the process proceeds to step S16.

  In step S14, a registration process is performed in the same manner as in step S7, and the process proceeds to step S15. In the registration process of the first modification, the device identifier already registered in the memory 12 may be overwritten and stored, for example. In step S15, normal processing is performed in the same manner as in step S4, and the flow ends.

  In step S16, registration determination processing is performed in the same manner as in step S2, and the process proceeds to step S17. If it is determined in step S17 that there is a match as a result of the registration determination process (YES in step S17), the normal process is permitted, and the process proceeds to step S18. If it is determined that there is no match (NO in step S17), the normal process is prohibited and the flow ends. In step S18, normal processing is performed in the same manner as in step S4, and the flow ends.

  In any configuration of the first embodiment and the first modification, when information including a device identifier is transmitted from the external device 3, if the device identifier is not registered in the memory 12, the external device 3 Since the exchange of information with the ECU 1 is prohibited, it is impossible to read the internal data of the ECU 1 and rewrite the control program from the external device 3 whose device identifier is not registered in the memory 12.

  Further, the registration of the device identifier in the memory 12 is not performed unless it is determined in the state determination process that the vehicle state corresponds to the security ensured state, and therefore can be registered only under the presence of a regular user. Therefore, it becomes difficult for a malicious third party to illegally register the device identifier in the memory 12, and security is ensured. As a result, it is possible to ensure vehicle security even when communication is performed between the in-vehicle electronic control system and the external device 3 using the Internet protocol.

  According to the configuration of the first embodiment, even when the IG power supply of the vehicle is off and the ECU 1 is in the sleep state, when the communication module 2 receives information from the external device 3 by wireless communication, the ECU 1 Return to wake-up state. Therefore, the external device 3 can be authenticated without the user performing an operation of opening the vehicle door and turning on the IG power supply.

  If the external device 3 has an apparatus identifier already registered in the memory 12, the user can exchange information with the ECU 1 without opening the vehicle door and turning on the IG power supply. Is possible. Further, when only the above-described key authentication state is set to the security ensured state, even if the device identifier is not registered in the memory 12, if it is an authorized user, exchange of information with the ECU 1 is possible. It becomes possible to do.

  Details are as follows. In the configuration in which only the key authentication state is the security ensured state, the authentication of the external device 3 can be established without the user performing an operation on the vehicle such as opening the vehicle door. Therefore, even if the external device 3 is not registered in the memory 12, if it is a legitimate user, the authentication of the external device 3 is established and the exchange of information between the external device 3 and the ECU 1 can be started. it can.

  In the above-described embodiment, each time the communication module 2 receives diagnostic communication data from the external device 3, the diagnostic communication-related processing is performed to authenticate the external device 3. However, the configuration is not necessarily limited thereto. . For example, after the communication connection between the external device 3 and the communication module 2 is started (communication established) and the authentication of the external device 3 is established, the communication between the external device 3 and the ECU 1 is continued until the communication connection is released. It is also possible to adopt a configuration that permits exchange of diagnostic communication data that does not include a device identifier (hereinafter, modified example 2).

  In the second modification, after the communication is established and the authentication of the external device 3 is established, the information from the external device 3 (for example, diagnostic communication data) is not authenticated until the communication connection is released In other words. Note that “until the communication connection is released” refers to the time from when the virtual circuit between the external device 3 and the communication module 2 is established (constructed) to when the virtual circuit is disconnected.

  According to the configuration of the modified example 2, after the authentication of the external device 3 is established, the authentication is performed every time the diagnostic communication data is received until the communication connection between the external device 3 and the communication module 2 is released. Since it becomes unnecessary, the load on the CPU 11 can be reduced. Further, by reducing the load on the CPU 11, it is possible to shorten the time for exchanging information between the ECU 1 and the external device 3 after the authentication is established until the communication connection is released, and to reduce power consumption.

  In the case of the configuration as in the second modification, it is not necessary to always include the device identifier in the diagnostic communication data by storing the device identifier in the header area of the diagnostic communication data. For example, the apparatus identifier can be stored in the data area of the diagnosis communication data until the authentication is established, and the apparatus identifier is not included in the diagnosis communication data after the authentication is established.

(Embodiment 2)
The present invention is not limited to the first embodiment described above, and the following embodiment (hereinafter referred to as the second embodiment) is also included in the technical scope of the present invention. Hereinafter, the second embodiment will be described with reference to FIG. For convenience of explanation, members having the same functions as those shown in the drawings used in the description of the above-described embodiment are denoted by the same reference numerals, and description thereof is omitted.

  In the first embodiment, the configuration in which the device identifier of the external device 3 is registered in the memory 12 of each ECU 1 included in the vehicular authentication system 100 and the CPU 11 of each ECU 1 authenticates the external device 3 is shown. In contrast to this configuration, the vehicle authentication system 100a according to the second embodiment is different in that only the memory 12 of the ECU 1a functioning as a gateway registers the device identifier, and the external device 3 is authenticated only by the CPU 11a of the ECU 1a. .

  As shown in FIG. 5, the vehicular authentication system 100a includes an ECU 1a, an ECU 1b, a communication module 2, and an external device 3. It is assumed that the ECU 1a and the communication module 2 are connected by an IP-based network such as DoIP. Moreover, ECU1a, ECU1b, and ECU1b shall be connected by vehicle-mounted networks, such as in-vehicle LAN based on communication protocols, such as CAN (controller areanetwork), for example.

  The ECU 1a has the same configuration as the ECU 1 of the first embodiment except that it functions as a gateway. The ECU 1a includes a CPU 11a instead of the CPU 11 of the ECU 1, and includes a communication I / F 15 in addition to the communication I / F 13.

  The gateway here is a network base that serves as an entrance to the in-vehicle network. For example, as described in the example of the present embodiment, when relaying networks having different communication protocols such as CAN and IP-based networks, protocol conversion is also performed.

  The ECU 1b has the same configuration as that of the ECU 1a except that it does not have a configuration relating to the function as a gateway and does not perform diagnostic communication-related processing, and the above-described electrical component control-related processing according to a program stored in a ROM or the like. Various processes such as are performed.

  In addition, as with the ECU 1, both the ECUs 1a and 1b are energized when the vehicle IG power is turned on and enter a wake-up state, whereas when the IG power source is turned off, the power consumption is greater than during wake-up. It is assumed that there are few sleep states.

  The power supply IC 14 of the ECU 1a supplies power to the CPU 11a when a signal indicating that the communication module 2 has received information from the external device 3 is input via the communication I / F 13 when the ECU 1a is in the sleep state. . When the power is supplied from the power supply IC 14, the CPU 11a returns to the wake-up state even when the IG power is off.

  In addition, the CPU 11a of the ECU 1a that has returned to the wake-up state transmits a wake-up signal to the other ECU 1b via the communication I / F 15, and the other ECU 1b also returns to the wake-up state. In the ECU 1a, the communication I / F 13 is used for an IP-based network, and the communication I / F 15 is used for an in-vehicle network (CAN in this example).

  The CPU 11a of the ECU 1a authenticates the external device 3 that is communicatively connected to the communication module 2 in the same manner as the diagnosis communication related process described in the first embodiment. When the authentication of the external device 3 is established, the exchange of information between the ECU 1b specified by the transmission destination address included in the diagnostic communication data of the external device 3 and the external device 3 is permitted. On the other hand, when the authentication of the external device 3 is not established, the exchange of information between the ECU 1b specified by the transmission destination address included in the diagnostic communication data of the external device 3 and the external device 3 is prohibited.

  According to the configuration of the second embodiment, since the ECU 1a functioning as a gateway performs the diagnosis communication-related processing as a representative, the ECU 1b connected to the ECU 1a via the vehicle-mounted network does not need to perform the diagnosis communication-related processing, and the CPU of the ECU 1b The load can be reduced.

  Further, since it is not necessary to store the device identifier in the memory of each ECU 1b, the capacity of the memory of each ECU 1b can be used effectively. Further, since the ECU 1a functioning as a gateway performs the diagnosis communication-related processing as a representative, the security of the vehicle when the communication between the external device 3 and the ECU 1b is performed without the ECU 1b authenticating the external device 3 is ensured. be able to.

(Embodiment 3)
The present invention is not limited to the first embodiment described above, and the following embodiment (hereinafter referred to as the third embodiment) is also included in the technical scope of the present invention. Hereinafter, the third embodiment will be described with reference to FIG. For convenience of explanation, members having the same functions as those shown in the drawings used in the description of the above-described embodiment are denoted by the same reference numerals, and description thereof is omitted.

  In Embodiment 1, the structure which registers the apparatus identifier of the external apparatus 3 in the memory 12 of ECU1 mounted in a vehicle was shown. In contrast to this configuration, the vehicle authentication system 200 according to the third embodiment is different in that the device identifier of the external device 3 is registered in the storage unit 53 of the server 5 provided outside the vehicle.

  As shown in FIG. 5, the vehicle authentication system 100 a includes an ECU 1 c, a communication module 2, an external device 3, a DCM (data communication module) 4, and a server 5. The ECU 1c and the DCM 4 may be connected by an IP-based network such as DoIP, or may be connected by an in-vehicle LAN that conforms to a communication protocol such as CAN (controller area network).

  The DCM 4 is an in-vehicle communication module used for telematics communication, and communicates with the server 5 via a communication network such as the Internet. The ECU 1c can communicate with the server 5 via the DCM 4.

  The server 5 is a server device that registers the device identifier of the external device 3. As shown in FIG. 5, the server 5 includes a communication unit 51, a control unit 52, and a storage unit 53. The server 5 may be composed of a single server or may be composed of a plurality of servers.

  The communication unit 51 is used for communication with the DCM 4, and transmits information to the DCM 4 according to an instruction from the control unit 52, or receives information from the DCM 4 and inputs it to the control unit 52. The control unit 52 is configured mainly by a microcomputer including a CPU, a ROM, a RAM, and the like, and executes various processes by executing various control programs stored in the ROM. The storage unit 53 stores the device identifier of the external device 3.

  The ECU 1 c includes a CPU 11 c instead of the CPU 11 of the ECU 1 and a memory 12 c instead of the memory 12. The CPU 11c is the same as the CPU 11 except that a part of the registration process and the registration determination process in the above-described diagnostic communication-related processes are different. Therefore, the CPU 11c corresponds to an identification information acquisition unit, a state determination unit, and an authentication unit. The memory 12 is the same as the memory 12 except that the device identifier of the external device 3 is not registered.

  Here, an example of registration processing and registration determination processing of the CPU 11c will be described. In the registration process of the CPU 11c, the device identifier acquired in the device identifier acquisition process is sent to the DCM 4 via the communication I / F 13 and transmitted from the DCM 4 to the server 5. The device identifier transmitted from the CPU 11 c to the server 5 is received by the communication unit 51 of the server 5 and input to the control unit 52. Then, it is registered by being stored in the storage unit 53 by the control unit 52. Therefore, the CPU 11c corresponds to the registering means in the claims.

  The device identifier stored in the storage unit 53 may be configured to be erasable by a command from the CPU 11c or a command from the control unit 52, as described in the first embodiment. In addition, in the registration process of the CPU 11c, the apparatus identifier acquired by the apparatus identifier acquisition process can be registered in the storage unit 53 of the server 5 only within a predetermined time after the state determination process determines that the security ensured state is met. It is preferable that

  In the registration determination process of the CPU 11c, some of the device identifiers registered in the storage unit 53 of the server 5 match the device identifier acquired in the device identifier acquisition process (that is, the device identifier received from the external device 3). It is determined whether or not.

  As an example, the device identifier acquired in the device identifier acquisition process and a request signal (hereinafter referred to as a verification request signal) for verifying whether this device identifier has been registered in the storage unit 53 are sent to the DCM 4 via the communication I / F 13. It is assumed that the data is transmitted from the DCM 4 to the server 5. The device identifier and the verification request signal transmitted from the CPU 11 c to the server 5 are received by the communication unit 51 of the server 5 and input to the control unit 52. Then, the control unit 52 that has received the verification request signal verifies whether the received device identifier has been registered in the storage unit 53.

  The control unit 52 sends the collation result from the communication unit 51 to the ECU 1c via the DCM 4. The CPU 11c of the ECU 1c receives the collation result via the communication I / F 13. In the CPU 11c, when the collation result indicates that the transmitted device identifier is already registered in the storage unit 53, the CPU 11c acquires the device identifier registered in the storage unit 53 by the device identifier acquisition process. It is determined that there is a device that matches the device identifier. In addition, when the collation result indicates that the transmitted device identifier is not registered in the storage unit 53, the device acquired by the device identifier acquisition process among the device identifiers registered in the storage unit 53. It is determined that there is no match with the identifier. Therefore, the CPU 11c corresponds to a registration determination unit in the claims.

  Note that, in the third embodiment, the external device 3 may be authenticated by performing diagnostic communication-related processing only in the ECU 1a functioning as a gateway as in the second embodiment.

  In the third embodiment, the ECU 1c relays the DCM 4 to access the server 5, but the present invention is not necessarily limited thereto. For example, the ECU 1c may access the server 5 by relaying a mobile terminal such as a mobile phone connected to the in-vehicle device having the Bluetooth (registered trademark) communication function by the Bluetooth (registered trademark) communication. Note that this in-vehicle device is connected to an in-vehicle network, for example.

  According to the configuration of the third embodiment, it is impossible to read the internal data of the ECU 1c and rewrite the control program from the external device 3 whose device identifier is not registered in the storage unit 53 of the server 5. Further, since the registration of the device identifier in the storage unit 53 is not performed unless it is determined in the state determination process that the vehicle state corresponds to the security ensured state, the same effects as those of the first embodiment are obtained.

In the above-described embodiment, the configuration in which the in-vehicle LAN such as CAN is used for connection between the ECUs 1, 1 a, and 1 c and the communication module 2 is not necessarily limited to this. For example, an IP-based network such as DoIP may be used for connection between the ECUs 1, 1 a, 1 c and the communication module 2. The present invention is not limited to the above-described embodiments, Various modifications can be made within the scope shown in the above, and embodiments obtained by appropriately combining technical means disclosed in different embodiments are also included in the technical scope of the present invention.

1.1C ECU (electronic control device), 2 communication module (communication device), 3 external device, 4 DCM, 5 server, 11 CPU (vehicle authentication device, erasure means), 11c CPU (vehicle authentication device, identification information) Acquisition means, state determination means, registration means, registration determination means, authentication means), 12 memory (storage device mounted on the vehicle), 53 storage unit (storage device of server), 100 vehicle authentication system, S1 identification information acquisition Means, S2 registration determination means, S3 / S6 authentication means, S5 status determination means, S7 registration processing

Claims (11)

Mounted on the vehicle,
An electronic control device (1) connected via an in-vehicle network to an in-vehicle communication device (2) capable of communicating at least wirelessly and wirelessly with an external device (3) outside the vehicle using an Internet protocol. A vehicle authentication device (11) comprising:
Identification information acquisition means (11, S1) for acquiring identification information when information including identification information for specifying the external device is transmitted from the external device to the communication device;
State determination means for determining whether or not the state of the vehicle corresponds to a security ensuring state that is a state in which a legitimate user permitted to operate the vehicle operates or operates the vehicle. 11, S5)
When it is determined by the state determination means that the security ensuring state is satisfied, the identification information acquired by the identification information acquisition means is registered in the storage device (12) mounted on the vehicle, while it is determined that the security ensuring state is not satisfied. If so, registration means (11, S7) for not registering the identification information in the storage device;
A registration determination unit (11, S2) for determining whether or not the identification information is registered in the storage device when the identification information is acquired by the identification information acquisition unit;
When the registration determination means determines that the identification information is registered in the storage device, the registration determination means permits the exchange of information between the external device specified by the identification information and the electronic control device. The authentication means (11, 11) prohibits the exchange of information between the external device specified by the identification information and the electronic control device based on the determination that the identification information is not registered in the storage device. S3, S6). A vehicular authentication device, comprising: In claim 1,
If the authentication means determines that the identification information is not registered in the storage device by the registration determination means, and the state determination means determines that it does not correspond to the security ensured state, the identification information A vehicular authentication device that prohibits exchange of information between the external device specified by the electronic control device and the electronic control device. In claim 1 or 2,
A vehicular authentication apparatus comprising: erasing means (11) for erasing identification information registered in the storage device. In any one of Claims 1-3,
The registration unit registers the identification information acquired by the identification information acquisition unit in the storage device only within a predetermined time after the state determination unit determines that the security ensuring state is satisfied. Authentication device. In any one of Claims 1-4,
After allowing the authentication unit to exchange information between the external device and the electronic control device, until the communication connection between the external device and the communication device is released, the external device and the electronic control device A vehicular authentication device, which permits the exchange of information not including the identification information with an electronic control device. A communication device (2) mounted on a vehicle and capable of communicating with the external device wirelessly or at least wirelessly;
An external device (3) outside the vehicle;
The vehicle authentication device (11) according to any one of claims 1 to 4, which is provided in an electronic control device (1) mounted on the vehicle and connected to the communication device via an in-vehicle network. A vehicle authentication system characterized by the above. In claim 6,
The electronic control device including the vehicle authentication device is a sleep state with low power consumption when the ignition power of the vehicle is turned off.
Even if the device is in the sleep state, when information transmitted wirelessly from the external device is input via the communication device, the vehicle returns from the sleep state. Authentication system. In claim 6 or 7,
There are a plurality of electronic control devices (1a, 1b) connected to the in-vehicle network of the vehicle, and among the plurality of electronic control devices, an electronic control device that functions as a gateway between the in-vehicle network and the communication device ( 1a) includes the vehicle authentication device only,
The authentication means includes
When the registration determination means determines that the identification information is registered in the storage device, the information exchange between the external device specified by the identification information and the electronic control device (1a, 1b) is permitted. On the other hand, based on the determination that the identification information is not registered in the storage device, the exchange of information between the external device specified by the identification information and the electronic control device is prohibited. Vehicle authentication system. In any one of Claims 6-8,
The vehicle authentication apparatus includes a volatile memory and a nonvolatile memory as the storage device. In claim 9,
The vehicular authentication device can select either the volatile memory or the non-volatile memory as the storage device for registering the identification information in accordance with a user operation on the external device. A vehicle authentication system. An electronic control device (which is mounted on a vehicle and connected via an in-vehicle network to an in-vehicle communication device (2) capable of at least wirelessly and wiredly communicating with an external device (3) outside the vehicle using an Internet protocol ( A vehicle authentication device (11c) provided in 1c);
A server (5) provided outside the vehicle and provided with a storage device for storing information,
The vehicle authentication device
An identification information acquisition means (11c) for acquiring identification information when identification information for identifying the external device is transmitted from the external device to the communication device;
State determination means for determining whether or not the state of the vehicle corresponds to a security ensuring state that is a state in which a legitimate user permitted to operate the vehicle operates or operates the vehicle. 11c)
When it is determined by the state determination means that the security ensuring state is satisfied, the identification information acquired by the identification information acquisition means is registered in the storage device (53) of the server, while when it is determined that the security ensuring state is not satisfied. Registration means (11c) that does not register the identification information in the storage device;
A registration determination unit (11c) for determining whether or not the identification information is registered in the storage device when the identification information is acquired by the identification information acquisition unit;
When the registration determination unit determines that the identification information is registered in the storage device, the information exchange between the external device specified by the identification information and the electronic control device is permitted. Provided with authentication means (11c) for prohibiting the exchange of information between the external device specified by the identification information and the electronic control device based on the determination that it is not registered in the storage device A vehicle authentication system characterized by the above.

Images