JP2014014012A - Radio device - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a technique for efficiently securing security of a communication system.SOLUTION: A radio device comprises: a reception unit which receives from another radio device a packet signal including data to which an electronic signature generated by public key encryption and a message authentication code generated by common key encryption are attached; and an output unit which outputs a verification result of the data extracted from the packet signal and the message authentication code attached to the data, and also outputs a verification result of an electronic signature of data included in a packet signal which was received in the past from the other radio device having transmitted the latest packet signal.

Description

  The present invention relates to communication technology, and more particularly to a radio apparatus that receives a signal including predetermined information.

  The form of wireless communication for automobiles is roughly classified into road-to-vehicle communication and vehicle-to-vehicle communication (including road-to-vehicle communication). Both types of communication can be used for preventing collisions at intersections and rear-end collisions due to traffic jams at corners. For example, the current position information is detected in real time by GPS (Global Positioning System) in vehicle-to-vehicle communication, and the position information is exchanged between the vehicle-mounted devices, thereby preventing collision at an intersection. In road-to-vehicle communication, a roadside machine is installed at an intersection or on the roadside, and the driving support information as described above is transmitted from the roadside machine to the vehicle-mounted device.

  Compared with wired communication, wireless communication is easier to intercept by communication and impersonation by third party impersonation. Therefore, countermeasures against them are more important than wireless communication. In order to ensure the confidentiality of the communication content, a method of performing message authentication using an encryption method for communication data is effective. The encryption methods are roughly classified into public key encryption methods and common key encryption methods. The former is higher in security than the latter, but has a large amount of data and a large processing load, resulting in higher implementation costs. That is, both are in a trade-off relationship.

JP 2005-202913 A JP 2007-104310 A Special table 2010-537982

  The present invention has been made in view of such circumstances, and an object thereof is to provide a technique for efficiently ensuring the security of a communication system.

  A wireless device according to an aspect of the present invention is a wireless device, to which an electronic signature generated using a public key encryption method and a message authentication code generated using a common key encryption method are added from another wireless device. A receiver that receives the packet signal including the received data, the data extracted from the packet signal, and the verification result of the message authentication code added to the data, and the wireless device that transmitted the packet signal An output unit that outputs a verification result of an electronic signature of data included in a packet signal received in the past.

  It should be noted that any combination of the above-described constituent elements and a conversion of the expression of the present invention between a method, an apparatus, a system, a recording medium, a computer program, etc. are also effective as an aspect of the present invention.

  According to the present invention, security of a communication system can be efficiently ensured.

It is a figure which shows the structure of the communication system which concerns on the Example of this invention. FIGS. 2A to 2D are diagrams showing a superframe format defined in the communication system. FIGS. 3A to 3B are diagrams illustrating the configuration of subframes. FIGS. 4A to 4E are diagrams illustrating frame formats of each layer defined in the communication system. It is a figure which shows an example of the data structure of the security frame contained in a RSU packet. It is a figure which shows the structure of the base station apparatus which concerns on an Example. It is a figure which shows the structure of the terminal device mounted in the vehicle which concerns on an Example. FIGS. 8A to 8D are diagrams illustrating notification from the communication unit to the application unit. FIGS. 9A to 9E are diagrams showing another notification from the communication unit to the application unit. It is a figure which shows the data structure of the security frame contained in a RSU packet based on the modification 1. 11A to 11E are diagrams showing notification from the communication unit to the application unit in the data structure example of FIG. 12A and 12B are diagrams illustrating a data structure of a security frame included in an RSU packet according to the second modification. FIGS. 13A to 13F are diagrams showing notification from the communication unit to the application unit in the data structure example of FIG.

  The knowledge which became the basis of the Example of this invention is as follows. Since road-to-vehicle communication is more public than vehicle-to-vehicle communication, there is a greater demand to prevent spoofing and data tampering with road-to-vehicle communication. At the same time, it is desirable to be able to confirm the legitimacy of the sender. In view of this, a system for notifying a packet signal storing data with a public key certificate and an electronic signature from a roadside device (base station device) to a vehicle-mounted device (terminal device) has been studied.

  However, high-speed processing is required to execute verification of public key certificates and electronic signatures included in all packet signals, and it is necessary to install high-speed hardware in the terminal device. Since the public key cryptosystem is used for these verification processes, the amount of calculation increases and the circuit scale increases.

  The embodiment described below has been made in view of such circumstances, and an object thereof is to provide a technique for reducing processing load when receiving a packet signal while improving security.

  An outline of the present invention will be given before concretely explaining the embodiments of the present invention. An embodiment of the present invention relates to a communication system such as ITS (Intelligent Transport Systems). In the communication system, road-to-vehicle communication executed to provide information to a terminal device mounted on a vehicle from a base station device installed at an intersection or a roadside, and other terminal devices mounted on the vehicle Inter-vehicle communication executed to provide information to a terminal device mounted on a vehicle is used.

  In ITS, the use of wireless communication similar to wireless LAN standards such as IEEE 802.11 is being studied. In such wireless communication, an access control function called CSMA / CA (Carrier Sense Multiple Access with Collision Avidance) is used. Therefore, in the wireless communication, the same wireless channel is shared by the base station device and the plurality of terminal devices. In such CSMA / CA, after confirming that no other packet signal is transmitted by carrier sense, the packet signal is transmitted by broadcast (hereinafter, transmission of the packet signal by broadcast is referred to as “notification”).

  As inter-vehicle communication, the terminal device notifies a packet signal storing vehicle information indicating the speed and position of the vehicle in which the terminal device is mounted. The terminal device that has received the packet signal recognizes the approach of the vehicle based on the information stored in the packet signal. In addition, as a road-to-vehicle communication, the base station device notifies a packet signal in which intersection information, traffic jam information, and the like are stored.

  The intersection information includes information related to the situation of the intersection such as the position information of the intersection where the base station device is installed, the route information of the intersection, the captured image of the intersection, and the position information of vehicles and pedestrians in the intersection. The terminal device displays this intersection information on the monitor. In addition, the terminal device recognizes the situation of the intersection based on this intersection information, and notifies the user of visual information or a voice message for the purpose of preventing collision with vehicles, bicycles, and pedestrians due to encounters, right turns, and left turns. May be. The traffic jam information includes information related to the congestion status of the runway where the base station device is installed, road construction, and accidents. The terminal device transmits the traffic jam in the traveling direction to the user based on the traffic jam information. Further, a detour for detouring the traffic jam may be presented.

  FIG. 1 shows a configuration of a communication system 500 according to an embodiment of the present invention. This corresponds to a case where one intersection is viewed from above. The communication system 500 includes a base station device 20, a terminal device 10a mounted on the first vehicle 100a, and a terminal device 10b mounted on the second vehicle 100b. Area 202 indicates the radio wave range of the base station apparatus 20, and area 204 indicates the radio wave area of the base station apparatus 20. The upper side of the drawing corresponds to “north”, the first vehicle 100a proceeds from “south” to “north”, and the second vehicle 100b proceeds from “east” to “west”. The base station device 20 can communicate with an external device via the external network 200.

  2A to 2D show a superframe format defined in the communication system 500. FIG. FIG. 2A shows the structure of the super frame. The superframe is formed by N subframes indicated as the first subframe to the Nth subframe. For example, when the length of the superframe is 100 msec and N is 8, a subframe having a length of 12.5 msec is defined. N may be other than 8.

  FIG. 2B shows a configuration of a super frame generated by the first base station apparatus 20a. The first base station device 20a corresponds to any one of the base station devices 20. The first base station apparatus 20a sets a road and vehicle transmission period at the beginning of the first subframe. The road and vehicle transmission period is a period during which the base station apparatus broadcasts a packet signal. When the 1st base station apparatus 20a alert | reports a packet signal, the 1st base station apparatus 20a always alert | reports in the road and vehicle transmission period which is the head period of a 1st sub-frame.

  On the other hand, the other base station apparatus 20 arranged within the radio wave arrival distance of the first base station apparatus 20a and the terminal apparatus 10 existing within the radio wave arrival distance do not notify the packet signal during the road and vehicle transmission period. It is defined that the terminal device 10 can notify the packet signal in the vehicle transmission period subsequent to the road and vehicle transmission period of the first subframe. The first base station apparatus 20a sets the vehicle transmission period in a period excluding the road and vehicle transmission period. That is, the vehicle transmission period is set from the second half of the first subframe and from the second subframe to the Nth subframe.

  FIG.2 (c) shows the structure of the super frame produced | generated by the 2nd base station apparatus 20b. The second base station device 20b is a base station device 20 different from the first base station device 20a. The second base station apparatus 20b sets a road and vehicle transmission period at the beginning of each of the second subframe and the third subframe. Also, the second base station apparatus 20b sets the vehicle transmission period from the first stage of the second subframe and the third subframe to the Nth subframe after the first subframe and the fourth subframe. Set. By setting the road and vehicle transmission period for two or more subframes as in the second base station apparatus 20b, the amount of data that can be transmitted for each superframe can be increased.

  FIG. 2D shows a configuration of a super frame generated by the third base station apparatus 20c. The third base station apparatus 20c is a base station apparatus 20 that is different from the first base station apparatus 20a and the second base station apparatus 20b. The third base station apparatus 20c sets a road and vehicle transmission period at the beginning of the Nth subframe. In addition, the third base station apparatus 20c sets the vehicle transmission period in the latter stage of the road and vehicle transmission period in the Nth subframe and from the first subframe to the (N-1) th subframe.

  The plurality of base station apparatuses 20 select different subframes, and set a road and vehicle transmission period at the beginning of the selected subframe. In this way, each base station apparatus 20 provides a notification period unique to each base station apparatus in the superframe by monopolizing the road and vehicle transmission period of one subframe in order to notify the packet signal itself. .

  The number of subframes that can be set in the superframe is finite (8 in this embodiment). Therefore, if the superframe is selected in consideration of the radio wave arrival distances of the plurality of base station apparatuses 20, the number of installed base station apparatuses 20 is not limited. Further, the road and vehicle transmission period may not be set for all the subframes in the superframe. The base station device 20 outside the radio wave reach distance may set the road and vehicle transmission period in the same superframe as the superframe defined within the radio wave reach, or the road and vehicle transmission period in a different superframe. It may be set.

  FIGS. 3A to 3B show the configuration of subframes including a road and vehicle transmission period. As shown in FIG. 3A, the subframe is configured in the order of a road and vehicle transmission period and a vehicle and vehicle transmission period. In the road and vehicle transmission period, the base station device 20 can notify the packet signal, and in the vehicle and vehicle transmission period, the terminal device 10 can notify the packet signal. FIG. 3B shows the arrangement of packet signals during the road and vehicle transmission period. As illustrated, a plurality of packet signals (hereinafter referred to as RSU packets) from the base station apparatus 20 are arranged in a road and vehicle transmission period (hereinafter referred to as RSU (Load Side Unit) period). Here, the front and rear RSU packets are separated by SIFS (Short Interframe Space).

  4A to 4D show the data structure of each layer frame defined in the communication system 500. FIG. FIG. 4A shows a data structure of a physical layer frame. As shown in the figure, a PLCP preamble, a PLCP header, a PSDU (Physical Layer Service Data Unit), and a tail are sequentially arranged in the physical layer frame. FIG. 4B shows a frame format of the MAC layer. This frame is stored in the PSDU of FIG. As shown in the drawing, a MAC header, an MSDU (MAC Layer Service Data Unit), and an FCS (Frame Check Sequence) are sequentially arranged in the MAC layer frame.

  FIG. 4C shows a frame format of the LLC layer. This frame is stored in the MSDU of FIG. As shown in the figure, an LLC header and an LSDU (LLC Layer Service Data Unit) are sequentially arranged in the LLC layer frame. FIG. 4D shows the frame format of the inter-vehicle / road-vehicle shared communication control information layer. This frame is stored in the LSDU of FIG. As shown in the figure, an IR header and an APDU (Application Protocol Data Unit) are sequentially arranged in the inter-vehicle / road-vehicle shared communication control information layer frame.

  FIG. 4E shows the frame format of the security layer. This frame is stored in the APDU of FIG. As shown in the drawing, a security header (Security Header), application data (Application Data), and a security footer (Security Footer) are sequentially arranged in the frame of the security layer. Hereinafter, the MAC layer frame is referred to as a MAC frame, and the security layer frame is referred to as a security frame.

  FIG. 5 shows an example of the data structure of the security frame included in the RSU packet. In this security frame, “version”, “message information”, “nonse”, “payload data length”, “payload”, and “MAC” are arranged. “Payload” includes “public key certificate”, “signed data length”, “signed data”, and “signature”. In “signed data”, “message ID” and “application data” are arranged. The security header is “version” to “signed data length” arranged before “message ID”, and the security footer is “signature” and “MAC” arranged after “application data”.

  The version of the data structure of the frame is set in “Version”. Information necessary for the reception process of this frame is set in the “message information”. For example, a message format indicating a data protection mode in a security frame and a key for sharing a key (hereinafter referred to as a communication key) used in processing based on a common key encryption method between the base station apparatus 20 and the terminal apparatus 10 Alternatively, an identifier for specifying the key is set.

  The message format includes a plain text data format, an authenticated data format, and an authenticated encrypted data format. In the data format with authentication, a MAC (Message Authentication Code) for “payload” is generated using a communication key, and the generated MAC is set to “MAC”. In the encrypted data format with authentication, “payload” and “MAC” are encrypted using a communication key in addition to that.

  As the communication key, a common key of a pre-shared common key cryptosystem or a random value encrypted with a pre-shared key is used. The communication key is associated with the base station apparatus 20 and the terminal apparatus 10 according to information set in “message information”. For example, AES (Advanced Encryption Standard) can be used for the common key encryption. In this embodiment, MAC generation and encryption are performed in the CCM mode in the encrypted data format with authentication.

  In “nonse”, a unique value or a part thereof is set for each communication used for disturbing an encryption result in MAC generation and encryption using a communication key. This unique value may be a random number or a transmission time. Further, the source device ID may be added to the random number or the transmission time. When only the transmission time is set in “nonse”, a unique value can be generated for each communication by using the transmission time and the unique value of the base station device 20 for MAC generation and encryption. For example, a serial number or device ID included in the public key certificate can be used as the unique value of the base station device 20. When a random number is set in “nonse”, the random number and the unique value of the base station device 20 are used as unique values for each communication. In the “payload data length”, the number of bytes of the “payload” is set. By this number of bytes, it is possible to specify a range that is subject to encryption and MAC generation at the time of reception.

  A message ID is set in the “message ID”. The message ID is an identification number used to distinguish RSU packets transmitted from the same base station apparatus 20 in the security layer. The message ID is a numerical value (N remainder system, N is a natural number) that is incremented by 1 for each transmission and changes cyclically.

  In the “public key certificate”, a public key certificate for a public key unique to the base station apparatus 20 is set. A public key certificate is a certificate that links a public key and the owner of the public key. The public key certificate includes a certificate body, a signature for the signer's certificate body, and the like. The certificate body includes the signer identification information, the serial number of the public key certificate, the expiration date, the public key (including key generation algorithm and size), and the like. In the present embodiment, the signer is a certificate authority (CA). For example, the signature is generated by a public key cryptosystem such as RSA, DSA (Digital Signature Algorithm), or ECDSA (Electric Curve-DSA). In this embodiment, ECDSA is adopted.

  In the “signed data length”, the number of bytes of the signed data is set. Based on this number of bytes, it is possible to specify a range to be signed at the time of reception. In the “application data”, data notified by the base station device 20 to the terminal device 10 is set. In “Signature”, a signature for “Signed data length” is set. The signature is generated using a private key that is paired with the public key included in the “public key certificate”. In “MAC”, the MAC for “payload” is set.

  In the data format with authentication, after the signature is set in the “electronic signature”, the MAC is generated, and the generated MAC is set in “MAC”. In the encrypted data format with authentication, after “MAC” is set to “MAC”, “payload” and “MAC” are further encrypted.

  FIG. 6 shows the configuration of the base station apparatus 20 according to the present embodiment. The base station apparatus 20 includes an antenna 21, an RF unit 22, a modem unit 23, a MAC frame processing unit 24, a security processing unit 25, a data generation unit 26, a network communication unit 27, a storage unit 28, and a control unit 29.

  The configuration of the MAC frame processing unit 24, the security processing unit 25, the data generation unit 26, the network communication unit 27, the storage unit 28, and the control unit 29 can be realized by an arbitrary processor, memory, or other LSI in terms of hardware. In terms of software, it is realized by a program loaded in a memory or the like, but here, functional blocks realized by their cooperation are depicted. Accordingly, those skilled in the art will understand that these functional blocks can be realized in various forms by hardware only, software only, or a combination thereof.

  The RF unit 22 receives the packet signal from the terminal device 10 and the other base station device 20 by the antenna 21 as a reception process. The RF unit 22 performs frequency conversion on the received radio frequency packet signal to generate a baseband packet signal. The RF unit 22 outputs the baseband packet signal to the modem unit 23. In general, since a baseband packet signal is formed by an in-phase component and a quadrature component, two signal lines should be shown. However, in order to simplify the drawing, only one signal line is shown in FIG. Yes. The RF unit 22 includes a low noise amplifier (LNA), a mixer, an AGC, an A / D conversion unit, and the like (not shown) as components of the reception system.

  The RF unit 22 transmits the generated packet signal from the base station apparatus 20 as a transmission process. The RF unit 22 performs frequency conversion on the baseband packet signal input from the modem unit 23 to generate a radio frequency packet signal. The RF unit 22 transmits a radio frequency packet signal from the antenna 21 during the road and vehicle transmission period assigned to itself. The RF unit 22 includes a PA (Power Amplifier), a mixer, a D / A conversion unit, and the like (not shown) as components of the transmission system.

  The modem unit 23 demodulates the baseband packet signal from the RF unit 22 as a reception process. The modem unit 23 outputs the digital data obtained by demodulation to the MAC frame processing unit 24. Further, the modem unit 23 performs modulation on the MAC frame from the MAC frame processing unit 24 as transmission processing. The modem unit 23 outputs the modulated result to the RF unit 22 as a baseband packet signal.

  The communication system 500 according to the present embodiment employs an OFDM (Orthogonal Frequency Division Multiplexing) modulation scheme. In this case, the modem unit 23 performs FFT (Fast Fourier Transform) as the reception process, and executes IFFT (Inverse Fast Fourier Transform) as the transmission process.

  As a reception process, the MAC frame processing unit 24 extracts a MAC frame from the digital data passed from the modem unit 23, and extracts a security frame from the extracted MAC frame. The MAC frame processing unit 24 outputs the extracted security frame to the security processing unit 25. Further, as a transmission process, the MAC frame processing unit 24 adds a MAC header, an LLC header, and an IR information header to the security frame from the security processing unit 25 to generate a MAC frame. The MAC frame processing unit 24 outputs the generated MAC frame to the modem unit 23. Further, the MAC frame processing unit 24 controls the transmission / reception timing of the packet signal so as not to collide with the packet signal of another base station device 20 or the terminal device 10.

  The network communication unit 27 is connected to the external network 200. The network communication unit 27 receives road information regarding construction and traffic jams from the external network 200. The network communication unit 27 outputs the processing result processed by the security processing unit 25 to the external network 200. Alternatively, the processing result is temporarily accumulated in the storage unit 28 and is periodically output to the external network 200.

  The data generation unit 26 generates application data including road information. The data generation unit 26 specifies the data format according to the contents of the application data. The data generation unit 26 outputs the generated application data, its data length, and its data format to the security processing unit 25. The storage unit 28 stores various information. The control unit 29 controls processing of the entire base station device 20.

  The security processing unit 25 generates or interprets a security frame. In this embodiment, in order to pay attention to packet transmission from the base station apparatus 20, hereinafter, attention is paid to processing for generating a security frame. The security processing unit 25 generates a security frame to be output to the MAC frame processing unit 24 based on the application data received from the data generation unit 26, the secret key received from the certificate authority, the public key certificate, and the like.

  The security processing unit 25 includes a signature unit 251 and a common key encryption unit 252. In this embodiment, the signature unit 251 stores a public key certificate therein. The public key certificate includes a secret key issued by a certificate authority (not shown) and a public key that is paired with the secret key. By making this secret key and public key certificate unique for each base station apparatus 20, security can be improved compared to the common key cryptosystem.

  The signature unit 251 generates a signature for the signature target using a private key held by itself. In the data structure shown in FIG. 5, a signature for “signed data” is generated. The common key encryption unit 252 generates and encrypts the MAC for the encryption target using the communication key shared with the terminal device 10. In the data structure shown in FIG. 5, the MAC for the “payload” is generated, and the “payload” and the “MAC” are encrypted.

  FIG. 7 shows a configuration of the terminal device 10 mounted on the vehicle 100 according to the embodiment. The terminal device 10 includes an antenna 11, a communication unit 16, and an application unit 17. The communication unit 16 notifies the application data received from the application unit 17 by inter-vehicle communication. Moreover, the communication unit 16 receives the packet signal from the other terminal device 10 by vehicle-to-vehicle communication, and receives the packet signal from the base station device 20 by road-to-vehicle communication. The communication unit 16 provides application data extracted from the received packet signal to the application unit 17. In addition, the communication unit 16 reports a verification result that summarizes the results of signature verification and MAC verification included in the security frame.

  First, components of the application unit 17 will be described. The application unit 17 includes a reception processing unit 171, a notification unit 172, a data generation unit 173, a storage unit 182, and a control unit 192.

  The reception processing unit 171 is based on the application data received from the communication unit 16 and the vehicle information of the own vehicle received from the data generation unit 173, the risk of collision, the approach of emergency vehicles such as ambulances and fire engines, and the road in the traveling direction. And estimation of traffic congestion at intersections. The reception processing unit 171 displays the received data on the notification unit 172 if the received data is image information.

  The notification unit 172 includes means for notifying a user such as a monitor, a lamp, and a speaker (not shown). The notification unit 172 notifies the driver of the approach of another vehicle (not shown) or the like via the notification means in accordance with the instruction from the reception processing unit 171. In addition, traffic information, image information such as intersections, etc. are displayed on the monitor.

  The data generation unit 173 identifies the current position, traveling direction, moving speed, and the like of the vehicle 100 on which the terminal device 10 is mounted based on information supplied from a GPS receiver, a gyroscope, a vehicle speed sensor, and the like (not shown). The current position is indicated by latitude and longitude. Since the method for identifying these pieces of information can be realized by a generally known technique, description thereof is omitted here.

  The data generation unit 173 generates data to be notified to other terminal apparatuses 10 and the base station apparatus 20 based on the specified information, and outputs the data to the communication unit 16. In addition, the data generation unit 173 outputs the specified information to the reception processing unit 161 as vehicle information of the own vehicle. The storage unit 182 stores various information used in the application unit 17. The control unit 192 controls processing of the entire application unit 17.

  Next, components of the communication unit 16 will be described. The communication unit 16 includes an RF unit 12, a modem unit 13, a MAC frame processing unit 14, a security processing unit 15, a storage unit 181, and a control unit 191.

  The RF unit 12, the modulation / demodulation unit 13, and the MAC frame processing unit 14 are basically in common with the configurations and operations of the RF unit 22, the modulation / demodulation unit 23, and the MAC frame processing unit 24 of FIG. Hereinafter, these components will be described focusing on the differences. The storage unit 181 stores various information used by the communication unit 16. The control unit 191 controls processing of the entire communication unit 16.

  The security processing unit 15 generates or interprets a security frame. In this embodiment, in order to pay attention to packet reception from the base station apparatus 20, attention is paid to processing for interpreting a security frame stored in the packet signal. The security processing unit 15 includes a verification unit 151 and a common key encryption unit 152.

  The common key encryption unit 152 performs reception processing using a communication key. That is, decryption of encrypted data and MAC verification are performed using a communication key. In the data structure shown in FIG. 5, decryption of “payload” and “MAC” encrypted using a communication key and MAC verification for “payload” are performed. The MAC verification is a process of generating a MAC for “payload” and confirming whether or not the MAC value matches the value set in “MAC”. If they match, it is determined that the verification is successful.

  The verification unit 151 verifies the “public key certificate” and the “signature”. In order to verify the public key certificate, in this embodiment, the verification unit 151 stores therein an authentication key for verifying a public key certificate issued by a not-shown certificate authority. This authentication key is a public key that is paired with the private key used to generate the signature of the public key certificate in the certificate authority.

  The verification unit 151 does not have a processing capability to verify the signatures of all received RSU packets. Therefore, the security processing unit 15 selects a specific RSU packet from the received RSU packet and verifies the signature. That is, the signature verification process is thinned out.

  The RSU packet whose signature is to be verified is selected as follows, for example. When the vehicle 100 on which the terminal device 10 is mounted enters the area 202 within the radio wave range from the area 204 outside the radio range of the base station apparatus 20, the security processing unit 15 gives priority to the RSU packet transmitted from the base station apparatus 20. To choose. After that, the security processing unit 15 selects RSU packets transmitted from the plurality of base station devices 20 equally. The security processing unit 15 may select by weighting according to the strength of the received radio wave, the distance between the received terminal device 10 and the base station device 20 that has transmitted the RSU packet. The selection method of the RSU packet for signature verification is not limited to these, and any method can be adopted.

  When signature verification is thinned out, verification results (hereinafter referred to as current results) for application data provided from the communication unit 16 to the application unit 17 include the following two reports. That is, a report indicating that signature verification has been thinned out and a verification result (hereinafter referred to as a previous report) for a security frame included in the RSU packet transmitted by the same base station apparatus 20 that has been completed before the report are included. .

  Whether or not the security frame is included in the RSU packet transmitted by the same base station device 20 is confirmed by whether or not the public key certificates included in the security frame match. Specifically, it is confirmed by whether the issuer of the public key certificate and the serial number of the certificate match. It may be confirmed whether or not the digests (for example, hash values) of the public key certificates match.

  The configuration of the MAC frame processing unit 14, security processing unit 15, reception processing unit 171, notification unit 172, data generation unit 173, storage unit 181, storage unit 182, control unit 191 and control unit 192 in FIG. Can be realized by an arbitrary processor, memory, or other LSI, and is realized by a program loaded into the memory in terms of software, but here, functional blocks realized by their cooperation are depicted. Accordingly, those skilled in the art will understand that these functional blocks can be realized in various forms by hardware only, software only, or a combination thereof.

  FIGS. 8A to 8D show the timing of providing application data and verification results from the communication unit 16 to the application unit 17 and their relationship. FIG. 8A shows the timing at which the security frame extracted from the RSU packet received from one base station apparatus 20 is input to the security processing unit 15. The right arrow horizontal line indicates the elapsed time. On the line, a scale is added every superframe period (100 msec). A security frame input to the security processing unit 15 is indicated by a square, and #i (i = 0 to N, N is a natural number) inside thereof indicates a message ID.

  In the example of FIG. 8A, the base station apparatus 20 transmits an RSU packet including two application data in a super frame. In the terminal device 10, the top application data of each superframe received from the same base station device 20 is input to the security processing unit 15 at 100 msec intervals. Note that the security frames of message ID = 1 and message ID = 7 indicated by bold lines are security frames for signature verification. The security frame of another message ID is a security frame in which signature verification processing is thinned out.

  In FIG. 8A, the arrow described as “signature verification processing” indicates the verification time for the security frame to be verified. An arrow described as “MAC verification” indicates a verification time for a security frame obtained by thinning out signature verification. Since MAC verification uses common key cryptography, it can be designed with a fixed delay in units of blocks, and can be speeded up. On the other hand, since signature verification is more complicated than MAC verification, the processing time is longer.

  FIG. 8B shows the timing at which the security processing unit 15 provides the application data extracted from the security frame to the application unit 17. The provision timing of the application data extracted from the security frame of message ID = 1 and the message ID = 2 immediately after the signature verification, and the security frame of message ID = 7 and the message ID = 8 immediately after the signature verification is signature verification. Affected by the processing time. The provision timing of application data extracted from these security frames is delayed from the provision timing of application data extracted from other security frames.

  FIG. 8C shows the current result provided together with the application data of FIG. The communication unit 16 reports the message ID, signature verification result, MAC verification result, and ERROR not shown to the application unit 17. The message ID is the message ID of the security frame from which the application data has been extracted. In the signature verification result, a status of signature verification success (= 0), thinning (= 1), or failure (= 3) is set. In the MAC verification result, the status of signature verification success (= 0), key sharing violation (= 2), or failure (= 3) is set.

  In ERROR, a comprehensive result including errors other than verification is set. The security processing unit 15 sets ERROR to normal (= 0) when the application data extracted from the security frame is valid, and abnormal (= 1) when invalid. Therefore, if signature verification fails (= 3), or MAC verification is key sharing violation (= 2) or failure (= 3), an error (= 1) is set in ERROR.

  Further, when a signature or MAC is not added to the security frame, that is, when the message format is a plain text data format, success (= 0) is set for both the signature verification result and the MAC authentication result. FIG. 8C does not show an example of a state in which application data extracted from the security frame is invalid for the sake of simplicity. The signature results of message ID = 1 and message ID = 7 for signature verification are both successful (= 0).

  FIG. 8D shows a Previous result provided together with the application data of FIG. The communication unit 16 reports the Previous_flag, Previous_message ID, Previous_signature verification result, and ERROR not shown to the application unit 17 as the Previous result. In the previous_flag, valid (= 1) is set when a valid verification result is set in the previous_signature verification result, and invalid (= 0) is set when it is not set. When a valid verification result is not set in the previous_signature verification result, success (= 0) or failure (= 3) is set in the signature verification result of the current result.

  In the previous_message ID, a message ID of a security frame in which the signature verification result is reported is set according to the previous_signature verification result. In the previous_signature verification result, a signature verification result for which signature verification processing has been completed in the past is set. More specifically, the last signature verification result after the signature verification process is set.

  A status of either success (= 0) or failure (= 3) is set in the previous_signature verification result. In FIG. 8D, the signature verification result of message ID = 1 is set in the Previous_signature verification result provided together with the application data of message ID = 2 to 6 for which signature verification processing has been thinned out. Similarly, the signature verification result of message ID = 7 is set in the Previous_signature verification result provided together with the application data of message ID = 8-10.

  The application unit 17 decides to adopt the application data according to the current result and the previous result provided together with the application data. When the signature verification result of the current result is successful (= 0) or the previous_signature verification result is successful (= 0), the application data is adopted.

  FIGS. 9A to 9E show the timing of providing application data and another verification result from the communication unit 16 to the application unit 17 and the relationship thereof. In the example illustrated in FIGS. 9A to 9E, a status (= 2) indicating that signature verification is being processed is newly added as a status to the signature verification result included in the current result. When the signature verification result is being processed (= 2), the signature verification has not been completed, and therefore, it is handled in the same manner as thinning-out (= 1). Hereinafter, differences from FIGS. 8A to 8D will be described.

  As described above, signature verification takes longer processing time than MAC verification. As shown in FIG. 9A, the communication unit 16 provides application data to the application unit 17 when the MAC verification is completed. Thereby, the communication unit 16 can provide the data extracted from the RSU packet to the application unit 17 according to the reception interval of the RSU packet. Further, it is not necessary to provide a large buffer memory for output.

  Comparing FIG. 9B and FIG. 8B, the former is output earlier than the latter, and the application data extracted from the security frames with message ID = 1, 2, 7, 8 is output earlier. The application data extracted from the security frame with message ID = 1, 7 is output before the signature verification process is completed. Therefore, as shown in FIG. 9C, the signature verification result of the current result of message ID = 1, 7 is being processed (= 2).

  In FIG. 9D, the Previous_flag of the Previous result for the security frame with the message ID = 1, 2 is invalid (= 0). This indicates that there is no security frame extracted from the RSU packet received from the same base station apparatus 20 before the security frame with the message ID = 1 being verified. Or, even if a security frame extracted from the RSU packet received from the same base station apparatus 20 previously exists, it indicates that the signature verification processing of the security frame has not been executed. For example, in an initial state in which the base station apparatus 20 enters the radio wave area 202 from the radio wave area 204, a previous result in which Invalid (= 0) is set in the Previous_flag is reported.

  On the other hand, the Previous_flag of the Previous result for the security frame with the message ID = 3 to 6 is valid (= 1). As shown in FIGS. 9A and 9B, the signature verification process for the security frame with message ID = 1 ends before the application data of the security frame with message ID = 3 to 6 is output. In the previous_signature verification result for the security frame with message ID = 3 to 6, the signature verification result for the security frame with message ID = 1 is set. In FIG. 9D, success (= 0) is set.

  Similarly to the example shown in FIGS. 8A to 8D, the application unit 17 receives the application data when the signature verification of the current result is successful (= 0) or the previous_signature verification result is successful (= 0). adopt.

  FIG. 9E shows a sender ID provided together with the application data shown in FIG. The sender ID is an identification number assigned by the security processing unit 15 for each public key certificate included in the security frame. The security processing unit 15 receives a security frame. If the source ID for the public key certificate included in the security frame is not assigned, the security processing unit 15 assigns the source ID. If already assigned, use that value.

  In FIG. 9 (e), when a security frame with message ID = 1 is received, the security processing unit 15 assigns a sender ID = 10 and continues to use that value thereafter. A random number may be assigned to the transmission source ID, or incremented values may be assigned in order. However, the random number or incremented value is a subframe so that the same source ID is not assigned to different sources (that is, public key certificates) received adjacent to the RSU packet. It is necessary that the data length has a sufficient margin for the number of data.

  Based on the sender ID and message ID, the application unit 17 specifies the application data extracted from the security frame that has been successfully verified. The application unit 17 temporarily holds application data whose signature verification result of the current result is being processed (= 2), its current result, and the transmission source ID. Then, the application unit 17 waits for a Previous_signature verification result that has the same transmission source ID and matches the Current result message ID and the Previous result Previous_message ID. If the previous_signature verification result satisfying the condition is received and the previous_error of the previous report is normal (= 0), the application unit 17 reads the held application data. Even when the security frame input to the security processing unit 15 is subjected to such processing, the same result as in FIG. 8 can be obtained.

  FIG. 10 shows a data structure of a security frame included in the RSU packet according to the first modification. Hereinafter, the difference in the data structure of the security frame in FIG. 5 will be described. In the first modification, “signature” is moved before “application data” so that the signature verification process can be started as soon as possible. Accordingly, “signed data” is changed from “message ID” and “application data” to “message ID” and “digest”. “Application data length” and “application data” are arranged between “signature” and “MAC”.

  In “Digest”, digests for “Application Data Length” and “Application Data” are set. The digest is a value obtained by convolving the target data with a one-way function and storing it in a predetermined data length. In the first modification, a hash value obtained by a hash function is set. In the “application data length”, the data length of subsequent application data is set.

  The security frame verification process according to the first modification is executed as follows. In the encrypted data format with authentication, first, “payload” and “MAC” are decrypted using a communication key. Next, MAC authentication for “payload”, signature verification for “signed data”, and digest match confirmation for “application data length” and “application data” are performed. In the digest match confirmation, hash values for “application data length” and “application data” are obtained, and it is confirmed whether or not the hash value matches the value set in “digest”. If they match, it is determined to be successful, and if they do not match, it is determined to be failed. In the data format with authentication, decoding of “payload” and “MAC” is omitted in the above verification process. Other processes are the same as those in the case of the encrypted data format with authentication.

  FIGS. 11A to 11E show the timing of providing application data and verification results from the communication unit 16 to the application unit 17 and their relationship according to the first modification. 11A to 11E are premised on the security frame having the data structure shown in FIG. Similarly to FIGS. 9A to 9E, the signature verification result of the current result includes an in-process (= 2) status. Hereinafter, differences from FIGS. 9A to 9E will be described.

  A digest determination result is newly included in the Current result of FIG. The digest determination result indicates the result of the digest match confirmation, and success (= 0) or failure (= 1) is set. If the digest determination result is failure (= 1), an error (= 1) is set in ERROR.

  When the signature verification result of the current result is successful (= 0), the application unit 17 adopts the application data if the digest determination result is successful (= 1). When the signature verification result of the current result is thinning (= 1) or being processed (= 2), if the Previous_signature verification result is successful (= 0), application data is adopted.

  The application unit 17 specifies the application data extracted from the security frame that has been successfully verified by the source ID and the message ID. The application unit 17 temporarily holds the application data whose signature verification result of the current result is being processed (= 2), the current result, and the transmission source ID. Then, the application unit 17 waits for a Previous_signature verification result that has the same transmission source ID and matches the Current result message ID and the Previous result Previous_message ID. If the previous_signature verification result satisfying the condition is received and the previous_error of the previous report is normal (= 0), the application unit 17 reads the held application data.

  12A to 12B show the data structure of the security frame included in the RSU packet according to the second modification. Hereinafter, the difference in the data structure of the security frame in FIG. 10 will be described. In the second modification, one signature is added to a plurality of security frames. In the second modification, a set of security frames to be signed is a message.

  FIG. 12A shows the data structure of the security frame transmitted at the head of the message, and FIG. 12B shows the data structure of the security frame transmitted at other than the head of the message. In the data structure of FIG. 12A, “digest” of the data structure according to the first modification of FIG. 10 is changed to “digest list”. “Number of frames” is arranged at the position of “message ID” in the data structure according to the first modification. Further, “message ID” and “frame ID” are arranged between “application data length” and “application data”. The data structure of FIG. 12B excludes “signed data length”, “signed data” and “signature” used for signature verification from the data structure of FIG. The data structure is changed to “public key certificate information”.

  In the “number of frames”, the number of security frames constituting the message is set. The number of security frames matches the number of digests set in the “digest list”. In the “digest list”, a list in which digests for “application data length”, “message ID”, “frame ID”, and “application data” of security frames to which the same message belongs is arranged in the order of transmission is set.

  In “application data length”, the total data length of “message ID”, “frame ID”, and “application data” is set. The data length to be digested can be specified by the “application data length”. In “frame ID”, the transmission order in the message is set. The value set in the “frame ID” matches the digest position set in the “digest list”.

  The “public key certificate information” is arranged only in the subsequent security frame shown in FIG. In the “public key certificate information”, the serial number and digest of the public key certificate unique to the base station apparatus 20 set in the “public key certificate” of the top security frame are set. In the second modification, it is assumed that a serial number is set.

  If the serial number of the public certificate acquired from “public key certificate” or “public key certificate information” matches the message ID set in “message ID”, the security processing unit 15 It is determined that it is a security frame belonging to.

  FIGS. 13A to 13F show the timing of providing application data and verification results from the communication unit 16 to the application unit 17 and their relationship according to the second modification. FIGS. 13A to 13F are premised on the security frame having the data structure shown in FIGS. Hereinafter, differences from FIGS. 11A to 11E will be described.

  FIG. 13A shows the timing at which the security frame extracted from the RSU packet received from one base station apparatus 20 is input to the security processing unit 15. The right arrow horizontal line indicates the elapsed time. On the line, a scale is added every superframe period (100 msec). A security frame input to the security processing unit 15 is indicated by a square, an internal% j (j = 0 to M, M is a natural number) indicates a frame ID, and #i (i = 0 to N, N is a natural number) is Indicates the message ID.

  In the example of FIG. 13A, the base station apparatus 20 transmits an RSU packet including two application data in a super frame. It constitutes one message. Therefore,% 1 is a security frame having the data structure of FIG. 12A, and% 2 is a security frame having the data structure of FIG. 12B.

  FIG. 13C shows the current result. In FIG. 13C, a frame ID is newly included in the current result. A security frame can be specified by a sender ID, a message ID, and a frame ID.

  FIG. 13 (d) shows the Previous result. In FIG. 13D, the Previous_Digest determination result and the Previous_MAC verification result are newly included in the Previous result. In the previous_digest determination result, success (= 0) is set when a match of hash values is confirmed in any security frame constituting the message. In all the security frames constituting the message, failure (= 1) is set when the hash values do not match.

  In the previous_MAC verification result, success (= 0) is set when the MAC verification is successful in any security frame constituting the message. In all security frames constituting the message, failure (= 3) is set when MAC authentication fails. Set when key sharing violation (= 2). Similarly to the Current result, Previous_ERROR (not shown) is included in the Previous result. The previous_ERROR is set to normal (= 0) when the previous_signature verification result, the previous_digest determination result, and the previous_MAC verification result are all successful (= 0). Otherwise, an abnormality (= 1) is set.

  When the ERROR of the Current result is normal (= 0) and the signature verification result of the Current result is successful (= 0), the application unit 17 adopts the application. Further, the application unit 17 adopts the application data when the Previous_ERROR of the Previous result is normal (= 0).

  The application unit 17 specifies the application data extracted from the security frame that has been successfully verified by the source ID and the message ID. The application unit 17 temporarily holds the application data whose signature verification result of the current result is being processed (= 2), the current result, and the transmission source ID. Then, the application unit 17 waits for a Previous_signature verification result that has the same transmission source ID and matches the Current result message ID and the Previous result Previous_message ID. If the previous_signature verification result satisfying the condition is received and the previous_error of the previous report is normal (= 0), the application unit 17 reads the held application data. Further, even when the signature verification result of the current result is successful (= 0), the application unit 17 reads the held application data. In addition, as a previous result, a signature verification result, a digest determination result, and a MAC verification result may not be individually output and provided, but only a verification success and failure may be provided.

  As described above, according to the present embodiment, security can be ensured by verifying the signature and MAC added to the data included in the RSU packet. At this time, propagation delay can be suppressed by thinning out signature verification with a high processing load. The application data from which the signature verification is thinned out is substituted by the signature verification result added to the application data included in the RSU packet received in the past from the same base station apparatus 20. Thereby, the propagation delay to the application unit 17 can be suppressed while ensuring a certain level of security. Therefore, security can be secured efficiently.

  In addition, by providing a status of processing (= 2) in the signature verification result, application data for executing signature verification can be output to the application unit 17 before the verification is completed. Thereby, the propagation delay of application data from the communication unit 16 to the application unit 17 can be further suppressed.

  In the first modification, the signature verification processing start timing can be advanced by arranging “signature” before “application data” in the data structure of the security frame.

  In the second modification, the signature verification process can be reduced by adding one signature to a message including a plurality of security frames.

  The present invention has been described based on the embodiments. This embodiment is an exemplification, and it will be understood by those skilled in the art that various modifications can be made to combinations of the respective constituent elements and processing processes, and such modifications are also within the scope of the present invention. is there.

  In the embodiment, the application data acquired from the security frame is provided to the application unit 17 regardless of whether or not the application data can be used in the application unit 17. In this regard, if a result that clearly cannot use application data in the application unit 17 is set in the current result, the communication unit 16 provides application data with a data length of 0, a current result, a previous result, and a sender ID. May be. That is, application data need not be provided.

  The outline of one embodiment of the present invention is as follows. A wireless device according to an aspect of the present invention is a wireless device, to which an electronic signature generated using a public key encryption method and a message authentication code generated using a common key encryption method are added from another wireless device. A receiver that receives the packet signal including the received data, the data extracted from the packet signal, and the verification result of the message authentication code added to the data, and the wireless device that transmitted the packet signal An output unit that outputs a verification result of an electronic signature of data included in a packet signal received in the past.

  According to this aspect, the verification result of the electronic signature added to the data extracted from the received packet signal is verified with the verification result of the electronic signature added to the data extracted from the packet signal received from the same wireless device in the past. Substitute with the result. According to this, the number of verifications of the electronic signature can be reduced, the processing load can be reduced, and the data output delay can be suppressed.

  The output unit thins out the verification of the electronic signature added to the data included in the received packet signal, and when outputting the data with the verification thinned out, the verification of the electronic signature added to the data is not You may output the information which shows having been drawn. The verification result of the past digital signature is also output. When outputting data whose electronic signature verification is not thinned out, the verification result of the electronic signature added to the data is output.

  According to this aspect, the processing load can be reduced and the data output delay can be suppressed by thinning out the electronic signature verification process.

  The output unit outputs data extracted from the packet signal and a verification result of a message authentication code added to the data, and outputs a plurality of packet signals received so far from the wireless device that transmitted the packet signal. Among the verification results of the electronic signature of the included data, the verification result of the last executed electronic signature is output.

  According to this aspect, it is possible to output the most reliable verification result among the verification results of the electronic signature subjected to the verification process.

  The output unit outputs the data before the verification of the electronic signature added to the data extracted from the packet signal and outputs information indicating that the verification of the electronic signature is being processed.

  According to this aspect, the data whose electronic signature is being verified can be output before the verification ends. Therefore, it is possible to suppress output delay of data for performing verification of the electronic signature.

  The output unit outputs the data extracted from the packet signal and the verification result to an application unit that uses the data.

  According to this aspect, the application unit can determine whether to use data with reference to the verification result.

  500 communication system, 100 vehicle, 200 external network, 202,204 area, 20 base station device, 21 antenna, 22 RF unit, 23 modem unit, 24 MAC frame processing unit, 25 security processing unit, 251 signature unit, 252 common key Encryption unit, 26 data generation unit, 27 network communication unit, 28 storage unit, 29 control unit, 10 terminal device, 11 antenna, 16 communication unit, 12 RF unit, 13 modem unit, 14 MAC frame processing unit, 15 security processing unit DESCRIPTION OF SYMBOLS 1, 151 Verification part, 152 Common key encryption part, 181 Storage part, 191 Control part, 17 Application unit, 171 Reception processing part, 172 Notification part, 173 Data generation part, 182 Storage part, 192 Control part

Claims (5)

A wireless device,
A receiving unit that receives a packet signal including data to which an electronic signature generated using a public key encryption method and a message authentication code generated using a common key encryption method are added from another wireless device;
The data extracted from the packet signal and the verification result of the message authentication code added to the data are output, and the electronic signature of the data included in the packet signal received in the past from the wireless device that transmitted the packet signal An output unit for outputting the verification result;
A wireless device comprising:   The output unit thins out the verification of the electronic signature added to the data included in the received packet signal, and when outputting the data with the verification thinned out, the verification of the electronic signature of the data is thinned out The wireless device according to claim 1, wherein information indicating that is output.   The output unit outputs data extracted from the packet signal and a verification result of a message authentication code added to the data, and outputs a plurality of packet signals received so far from the wireless device that transmitted the packet signal. The wireless device according to claim 1, wherein a verification result of the lastly executed electronic signature among the verification results of the electronic signature of the included data is output.   The output unit outputs the data before verifying the electronic signature added to the data extracted from the packet signal, and outputs information indicating that the electronic signature is being verified. The wireless device according to any one of claims 1 to 3.   5. The radio apparatus according to claim 1, wherein the output unit outputs data extracted from the packet signal and a verification result to an application unit that uses the data. 6.

Images