JP2016012912A - Transmission node, reception node, communication network system, message creation method, and computer program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To improve message inspection performance in a communication network system in which a transmission node is connected with a reception node.SOLUTION: A transmission node comprises: a transmission unit 111 that divides input transmission data into multiple pieces of sub-transmission data, and stores the sub-transmission data in a data part in a message separately transmitting each of a plurality of sets of a piece of sub-transmission data and a message authentication code (MAC) generated using the piece of sub-transmission data; and a message authentication code generation unit 114 that generates, by using a piece of sub-transmission data, a message authentication code stored in a data part in a message transmitting the message authentication code together with the piece of sub-transmission data.

Description

  The present invention relates to a transmission node, a reception node, a communication network system, a message creation method, and a computer program.

  Conventionally, a CAN (Controller Area Network) known as one of communication networks mounted on a vehicle is used for communication between various ECUs (Electronic Control Units) in the vehicle. For example, technologies described in Non-Patent Documents 1 and 2 and Patent Document 1 are known as technologies that enable message authentication in the CAN.

  In the prior art described in Non-Patent Document 1, when an authentic ECU detects an impersonation message assigned with its own ID in response to an attack that transmits an impersonation message from a fake ECU connected to the CAN, By sending a message notifying the abnormality with the ID, the abnormality is notified to the receiving ECU.

  In the prior art described in Non-Patent Document 2, information stored in an error correction (Cyclic Redundancy Check: CRC) field in a CAN frame is changed to a MAC (Message Authentication Code). In this prior art, the transmitting side generates a 64-bit MAC from the data (64 × 4 = 256 bits) of the data field in the four CAN frames from the Nth to the N + 3th, and sets the MAC to 16 bits each. The CAN frame is transmitted by dividing into four, storing each in the CRC field (16 bits) in the four CAN frames from the (N + 4) th to the (N + 7) th. On the receiving side, the MAC is obtained from the CRC field in the N + 4th to N + 7th CAN frames, and the Nth is determined by whether or not it matches the MAC generated from the data fields in the Nth to N + 3th CAN frames. To N + 3th CAN frames are determined. Thereby, when the MAC obtained from the CRC field and the MAC calculated from the data field are different, it can be determined that any of the Nth to N + 3th CAN frames is invalid.

  In the technique described in Patent Document 1, the number of times a message is transmitted for each CANID in each ECU is counted. Then, the transmitting node that has transmitted the main message transmits a MAC message including the MAC generated from the data field and CANID of the main message and the counter value corresponding to the CANID. The receiving node that has received the main message generates a MAC from the data field and CANID included in the main message and the counter value corresponding to the CANID, and determines whether the MAC matches the MAC included in the received MAC message.

International Publication No. 2013/066569

Masato Hata, Masato Tabuchi, Katsunari Yoshioka, Kazuomi Oishi, Tsutomu Matsumoto, “Blocking Unauthorized Transmission: CAN Can Do That”, Information Processing Society of Japan, Computer Security Symposium (CSS2011), pp.624-629, 2011 10 Moon. AKIRA YOSHIOKA ET AL .: “Kosei Shomei Kino o Motsu Shanai Tsushin Protocol no Teian” SYMPOSIUM ON MULTIMEDIA, DISTRIBUTED, COOPERATIVE AND MOBILE SYSTEMS (DICOM02008) RONBUNSHU vol. 2008, no. 1, 02 July 2008, pages 1270-1275 RFC 2104 HMAC: Keyed-Hashing for Message Authentication, [Search May 26, 2014], Internet <URL: http://www.rfc-editor.org/rfc/rfc2104.txt> RFC 2104 HMAC: Keyed hashing for message authentication, [Search May 26, 2014], Internet <URL: http://www.ipa.go.jp/security/rfc/RFC2104EN.html> Keisuke Takemori, Hideaki Kawabata, Ayumu Kubota, “Secure Boot with ARM + SIM / UIM”, IEICE, Symposium on Cryptography and Information Security (SCIS2014), 1B1-2, January 2014. Trusted Computing Group, [Search February 18, 2015], Internet <URL: http://www.trustedcomputinggroup.org/> “What is the mechanism of data transmission in CAN communication?” [Search February 18, 2015], Internet <URL: http://monoist.atmarkit.co.jp/mn/articles/0807/09/news140.html > AUTOSAR, “Specification of Module Secure Onboard Communication AUTOSAR Release 4.2.1”, [Search February 18, 2015], Internet <URL: http://www.autosar.org/fileadmin/files/releases/4-2/ software-architecture / communication-stack / standard / AUTOSAR_SWS_SecureOnboardCommunication.pdf>

  However, in the conventional technique described in Non-Patent Document 1 described above, it is not possible to notify an abnormality when a real ECU for monitoring communication is removed. In the prior art described in Non-Patent Document 2, in order to confirm the validity of the Nth to N + 3th CAN frames, it is necessary to wait until the N + 4th to N + 7th CAN frames are received. , It takes time to confirm the validity. For this reason, it is not suitable particularly when real-time control is required. Moreover, in the prior art described in Patent Document 1, since the MAC message is transmitted separately from the main message, the communication amount is more than doubled. Furthermore, in order to authenticate the main message, it is necessary to wait until the MAC message is received, so that the authentication takes time. For this reason, there is a problem that the CAN communication band is compressed and immediacy is lowered.

  The present invention has been made in consideration of such circumstances, and can improve message inspection performance in a communication network system in which a transmission node that transmits a message and a reception node that receives the message are connected. It is an object to provide a transmission node, a reception node, a communication network system, a message creation method, and a computer program.

(1) One aspect of the present invention is the transmission node in a communication network system in which a transmission node that transmits a message and a reception node that receives the message are connected, and the input transmission data is divided and divided A transmission unit for storing each of a set of transmitted authentication data and a message authentication code generated using the divided transmission data separately in a data part in the message to be transmitted; and the divided transmission data And a message authentication code generation unit that generates a message authentication code that is stored in the data part of the message to be transmitted together with the divided transmission data.
(2) According to one aspect of the present invention, in the transmission node of (1), the message authentication code generation unit includes a transmission counter unit that holds a transmission counter value that is incremented by a predetermined count value each time the message is transmitted. Uses the divided transmission data and the held transmission counter value to generate a message authentication code stored in the data part of the message to be transmitted together with the divided transmission data. In addition, among the first transmission data and the second transmission data, which are transmission data obtained by dividing the input transmission data, the predetermined count value is increased by transmission of the message storing the first transmission data. Message authentication code stored in the data part of the message to be transmitted together with the second transmission data Used to generate a transmission node.
(3) According to one aspect of the present invention, in the transmission node of (2), the message authentication code generation unit performs only the authentication of the upper extracted bits for a predetermined number of extracted bits in the bit string of the transmission counter value. Used to generate a code, and the transmitter, for the message to be transmitted, out of a bit string of the generated message authentication code, a predetermined lower bit other than the upper extracted bits in the bit string of the transmission counter value It is a transmission node that stores only a partial bit string specified by a value.
(4) According to one aspect of the present invention, the transmission node according to any one of (1) to (3) includes a secret information storage unit that stores the same secret information as the secret information held by the reception node, The message authentication code generation unit is a transmission node that uses the secret information to generate the message authentication code.

(5) One aspect of the present invention is the reception node in a communication network system in which a transmission node that transmits a message and a reception node that receives the message are connected, and is used by the transmission node every time the message is received A reception counter unit that holds a reception counter value that is incremented by a predetermined count value that is the same as a count value that is received, reception data acquired from a data unit in the received message, and the reception counter value that is held A message authentication code, and a message authentication code checking unit that checks whether the generated message authentication code matches the message authentication code acquired from the received message.
(6) According to one aspect of the present invention, in the reception node of (5), the message authentication code checking unit performs only the authentication of only the upper extracted bits corresponding to a predetermined number of extracted bits in the bit string of the reception counter value. The generated message authentication code is used to generate a code, and only a part of a bit string specified by a value of a predetermined lower bit other than the upper extracted bits in the bit string of the reception counter value is received message. This is a receiving node that is a target of a check for a match with the message authentication code acquired from.
(7) According to one aspect of the present invention, in the reception node of (6), the message authentication code checking unit includes the reception counter of the generated message authentication codes when the check result does not match. It is a receiving node that makes only a partial bit string specified by the value of the lower bit in the value increased by the count value as a target of the recheck of the match.
(8) According to one aspect of the present invention, in the reception node according to (7), the reception counter unit is configured to receive the value of the low-order bit whose result of the recheck is the same as the value of the reception counter value held by itself. It is the receiving node that makes the value of the lower bit.
(9) According to one aspect of the present invention, the receiving node according to any one of (5) to (8) includes a secret information storage unit that stores the same secret information as the secret information held by the transmitting node, The message authentication code checking unit is a receiving node that uses the secret information to generate the message authentication code.

(10) According to one aspect of the present invention, the message authentication code is inspected using the transmission node of (1) above, the reception data acquired from the data part in the message received from the transmission node, and the message authentication code. And a receiving node having a message authentication code checking unit.
(11) One aspect of the present invention is a communication network system including the transmission node (2) and the reception node (5).
(12) One aspect of the present invention is a communication network system including the transmission node of (3) and the reception node of any of (6) to (8).
(13) One aspect of the present invention is the communication network system according to any one of (10) to (12), wherein the transmission node and the reception node have the same secret information, and the transmission node and the reception node Are communication network systems that use the secret information to generate a message authentication code.

(14) One aspect of the present invention is a message creation method of the transmission node in a communication network system in which a transmission node that transmits a message and a reception node that receives the message are connected, and the transmission node is input Transmitting step of dividing the transmitted data and storing each of the divided transmission data and a message authentication code generated using the divided transmission data separately in the data part in the message to be transmitted A message authentication code generating step in which the transmitting node generates a message authentication code stored in a data part in the message to be transmitted together with the divided transmission data using the divided transmission data; Is a message creation method.

(15) One embodiment of the present invention divides input transmission data into a computer of the transmission node in a communication network system in which a transmission node that transmits a message and a reception node that receives the message are connected. A step of storing each of a set of the transmitted transmission data and a message authentication code generated using the divided transmission data separately in a data part in the message to be transmitted; and the divided transmission data And a message authentication code generating step for generating a message authentication code stored in a data part in the message to be transmitted together with the divided transmission data.

  According to the present invention, it is possible to improve the message inspection performance in a communication network system in which a transmission node that transmits a message and a reception node that receives the message are connected.

1 is a block diagram showing a configuration of a communication network system 1 according to a first embodiment of the present invention. It is a block diagram which shows the structure of MCU_2 (node) which concerns on 1st Embodiment of this invention. It is a figure which shows the structure of the data frame which concerns on 1st Embodiment of this invention. It is a figure which shows the procedure of the transmission process which concerns on 1st Embodiment of this invention. It is a figure which shows the procedure of the reception process which concerns on 1st Embodiment of this invention. It is a figure which shows the procedure of the reception process which concerns on 1st Embodiment of this invention. It is a block diagram which shows the structure of the communication network system 1 which concerns on 2nd Embodiment of this invention. It is a sequence chart of the boot processing concerning a 2nd embodiment of the present invention. It is a sequence chart of the encryption process which concerns on 2nd Embodiment of this invention. It is a sequence chart for demonstrating the MAC production | generation process and MAC test | inspection process which concern on 2nd Embodiment of this invention. It is a block diagram which shows the data frame of the standard format of CAN. It is a block diagram which shows the data frame of the extended format of CAN. It is explanatory drawing which shows the message preparation method which concerns on one Embodiment of this invention.

  Hereinafter, embodiments of the present invention will be described with reference to the drawings.

[First Embodiment]
In the present embodiment, as an example of a communication network system according to the present invention, a CAN as a communication network system mounted on a vehicle will be described as an example. FIG. 1 is a block diagram showing a configuration of a communication network system 1 according to the first embodiment of the present invention. In FIG. 1, a communication network system 1 has a plurality of MCUs (Micro Computing Units) _2. The MCU_2 is composed of a CPU (Central Processing Unit) and a memory, and is a kind of computer. MCU_2 implement | achieves the function applicable to this computer program, when own CPU runs a computer program. Each MCU_2 is used as an electronic control unit (ECU) that controls equipment in the vehicle.

  MCU_2 is connected to the CAN communication bus 3. In the present embodiment, for convenience of explanation, it is assumed that the communication network system 1 has three MCU_2, and the three MCU_2 are connected to the communication bus 3. The communication bus 3 transmits messages exchanged between the MCU_2. Each MCU_2 transmits and receives messages to and from each other via the communication bus 3. In CAN, a message is transmitted in a predetermined frame format. MCU_2 functions as a node (communication device) in CAN. In the present embodiment, the MCU_2 has a function of a transmitting node that transmits a message and a function of a receiving node that receives the message. As shown in FIG. 1, each of the three MCU_2 is assigned ID1, ID2, and ID3 as identifiers (IDs) in the CAN.

  FIG. 2 is a block diagram showing a configuration of MCU_2 (node) according to the first embodiment of the present invention. 2, MCU_2 includes a transmission unit 111, a reception unit 112, a frame reception processing unit 113, a MAC (message authentication code) generation unit 114, a counter unit 115, a MAC (message authentication code) inspection unit 116, and a secret information storage unit 117. Is provided.

  The transmission unit 111 transmits a message in a predetermined frame format to the communication bus 3. The receiving unit 112 receives the message in the predetermined frame format from the communication bus 3. FIG. 3 is a diagram illustrating a configuration of a data frame according to the first embodiment of the present invention. In the data frame of FIG. 3, the numbers in parentheses shown in each field indicate the number of bits of information stored in the field. The configuration of the data frame shown in FIG. 3 is partly changed with respect to the configuration of the standard format data frame in CAN. In this embodiment, the information stored in the CRC field (CRC part) in the data frame is changed to a message authentication code (MAC). The portions other than the CRC portion in the data frame are unchanged from the standard format in CAN. Hereinafter, the data frame according to the present embodiment shown in FIG. 3 is referred to as a CAN frame.

Returning to FIG.
Data such as transmission data stored in the CAN frame is input to the transmission unit 111. The transmission unit 111 transmits a CAN frame in which the input data is stored in a corresponding part in the CAN frame to the communication bus 3. The transmission data is stored in a data field (data field) in FIG. The frame reception processing unit 113 performs reception processing on the CAN frame received from the communication bus 3 by the reception unit 112. The MAC generation unit 114 generates a MAC based on transmission data or the like stored in the data part in the CAN frame.

  The counter unit 115 has a function as a transmission counter unit and a function as a reception counter unit. As a function of the transmission counter unit, the counter unit 115 holds a transmission counter value that is incremented by a predetermined count value each time a CAN frame is transmitted by the transmission unit 111. In this embodiment, the count value is 1. Therefore, the counter unit 115 holds a transmission counter value that is incremented by 1 each time a CAN frame is transmitted by the transmission unit 111. This transmission counter value is incremented by 1 every time its own MCU_2 (node) transmits a CAN frame.

  As a function of the reception counter unit, the counter unit 115 holds a reception counter value that is incremented by the same predetermined count value as the transmission counter unit every time the CAN frame is received by the reception unit 112. In the present embodiment, the count value is 1. Therefore, the counter unit 115 holds a reception counter value that is incremented by 1 each time a CAN frame is received by the reception unit 112. This reception counter value is provided for each ID in the CAN frame. The ID is an ID assigned to MCU_2 (node) that transmitted the CAN frame, and is stored in the ID field (ID part) in FIG.

  In the present embodiment, since there are three MCU_2 (IDs are ID1, ID2, and ID3, respectively), as shown in FIG. 2, the counter unit 115 includes each of the three MCU_2 (each ID is ID). 3 counter values (ID1 counter value, ID2 counter value, ID3 counter value) corresponding to (ID1, ID2, ID3) are held. In the counter unit 115, the counter value corresponding to the ID of its own MCU_2 is the transmission counter value, and the counter value corresponding to the ID of the other MCU_2 is the reception counter value. For example, in MCU_1 of ID1, the ID1 counter value is a transmission counter value, the ID2 counter value is a reception counter value corresponding to ID2, and the ID3 counter value is a reception counter value corresponding to ID3.

  The MAC inspection unit 116 performs inspection on the MAC acquired from the CAN frame received from the communication bus 3 by the reception unit 112. The secret information storage unit 117 stores the same secret information in each MCU_2. This secret information is safely set in MCU_2 when MCU_2 is manufactured.

  Next, the operation of MCU_2 (node) according to the present embodiment will be described.

[Sending node operation]
First, the operation of MCU_2 as a transmission node will be described with reference to FIG. FIG. 4 is a diagram showing a procedure of transmission processing according to the first embodiment of the present invention. The transmission process in FIG. 4 is started when a CAN frame transmitted from the transmission unit 111 is created.

(Step S111) The MAC generation unit 114 acquires a transmission counter value from the counter unit 115. The MAC generation unit 114 extracts only upper bits corresponding to a predetermined number of extracted bits (L−n bits) from the bit string of the acquired transmission counter value (the number of bits is L). L-n ").

(Step S112) The MAC generation unit 114 uses the transmission data stored in the data part in the CAN frame, the higher-order extracted bits acquired in step S111, and the secret information stored in the secret information storage unit 117. To generate a MAC. For example, a hash value is calculated as the MAC. An example of a hash value calculation method is SHA-256. The hash value calculation method is described in Non-Patent Documents 3 and 4, for example.

(Step S113) The MAC generation unit 114 extracts a bit string (15 bits) stored in the CRC part in the CAN frame from the MAC bit string (MAC value) generated in step S112. This extracted bit string is specified by the value of a predetermined lower bit (the number of bits is n) other than the upper extracted bits in the bit string (the number of bits is L) of the transmission counter value acquired in step S111. . In the example shown in FIG. 4, the value of the lower bit (the number of bits is n) is “3”. As a result, a part (15 bits) specified by the value “3” is extracted from the bit string of the MAC value.

  In this embodiment, since the CRC part in the CAN frame is 15 bits, 15 bits specified by the value “3” are extracted from the bit string of the MAC value as information stored in the CRC part. For this reason, a section of 15 bits is defined for the bit string of the MAC value, and the lower bits of the transmission counter value (the number of bits is n) indicating which section of 15 bits is stored in the CRC part in the CAN frame. The value is specified. In the example of FIG. 4, K sections (one section is 15 bits) according to the total number of bits of the MAC value are defined.

  The transmission unit 111 stores transmission data (used for MAC generation in step S112) in the data unit for the CAN frame, and CRCs the 15-bit bit sequence extracted from the bit sequence of the MAC value in step S113. Store in the department. The transmission unit 111 transmits the CAN frame to the communication bus 3. The counter unit 115 increments and holds the transmission counter value by 1 by transmitting the CAN frame.

  The above is the description of the operation of the transmission node.

[Reception node operation]
Next, the operation of the MCU_2 as a receiving node will be described with reference to FIGS. 5 and 6 are diagrams showing the procedure of the reception process according to the first embodiment of the present invention. The reception process in FIG. 5 is started when the reception unit 112 receives a CAN frame.

(Step S <b> 121) The MAC checking unit 116 acquires a reception counter value corresponding to the ID stored in the ID part in the CAN frame received by the receiving unit 112 from the counter unit 115. From the bit string (the number of bits is L) of the acquired reception counter value, the MAC checking unit 116 converts only upper bits corresponding to a predetermined number of extracted bits (L−n bits) into upper extracted bits (the number of bits is “ L-n "). The method for acquiring the higher-order extracted bits is the same as the processing (step S111) of the MAC generation unit 114 described above.

(Step S122) The MAC checking unit 116 receives the received data acquired from the data part in the CAN frame received by the receiving unit 112, the upper extracted bit acquired in step S121, and the secret stored in the secret information storage unit 117. The information is used to generate a MAC. This MAC value (calculated MAC value) is calculated by the same calculation method as the MAC generation unit 114 described above (for example, calculation of a hash value by SHA-256).

(Step S123) The MAC inspection unit 116 extracts the inspection target bit string (15 bits) to be inspected from the MAC bit string (calculated MAC value) generated in Step S122. The method for extracting the bit string to be inspected is the same as the method for extracting the bit string (15 bits) stored in the CRC part in the CAN frame (step S113) in the MAC generation unit 114 described above. That is, the bit string to be inspected is a predetermined lower bit (the bit number is n) other than the upper extracted bit in the bit string (the bit number is L) of the reception counter value acquired in step S121 among the bit string of the calculated MAC value. Is a part (15 bits) specified by the value of In the example shown in FIG. 5, the value of the lower bit (the number of bits is n) is “3”. As a result, a part (for 15 bits) specified by the value “3” is extracted from the bit string of the calculated MAC value.

  In this embodiment, a match between the information stored in the CRC part (15 bits) in the CAN frame and the check target bit string (15 bits) extracted from the bit string of the calculated MAC value is checked. For this reason, similarly to the transmission process described above, a 15-bit section is defined for the bit string of the calculated MAC value, and the 15 bits of which section are used as the inspection target bit string are the lower bits (the number of bits) of the reception counter value. Is n). In the example of FIG. 5, K sections (one section is 15 bits) corresponding to the total number of bits of the calculated MAC value are defined.

  The MAC checking unit 116 receives the MAC value (received MAC value (15 bits)) obtained from the CRC part in the CAN frame received by the receiving unit 112 and the inspection target bit string (15 bits) extracted from the bit string of the calculated MAC value. Is matched.

  As a result of the determination, when the received MAC value matches the inspection target bit string, the MAC inspection unit 116 notifies the frame reception processing unit 113 of the inspection pass. As a result, the frame reception processing unit 113 performs a predetermined reception process on the CAN frame normally received on the CAN frame received by the reception unit 112. Further, the MAC inspection unit 116 notifies the counter unit 115 of the inspection pass. Thereby, the counter unit 115 increases the corresponding reception counter value by 1 and holds it. The reception counter value to be counted is a reception counter value corresponding to the ID stored in the ID portion in the CAN frame received by the reception unit 112.

  On the other hand, as a result of the determination, if the received MAC value and the bit string to be inspected do not match, the MAC inspection unit 116 performs the re-inspection process shown in FIG. Hereinafter, the reinspection process will be described with reference to FIG.

(Step S131) The MAC checking unit 116 extracts a recheck target bit string (15 bits) to be rechecked from the bit string of the calculated MAC value generated in Step S122. This re-examination target bit string extraction process is the same as the above-described inspection target bit string extraction process, but uses a value (increase reception counter value) obtained by increasing the reception counter value acquired in step S121. Specifically, first, 1 is added to the reception counter value acquired in step S121. Then, a part (15 bits worth) of the bit string of the calculated MAC value specified by the value of the lower bits (the number of bits is n) in the bit string of the increased reception counter value, which is a value obtained by adding 1 to the reception counter value. ) Is extracted as a re-inspection target bit string.

  The MAC checking unit 116 determines whether the extracted recheck target bit string matches the received MAC value. If the result of this determination is inconsistent, a value obtained by adding 1 to the current increased reception counter value is set as a new increased reception counter value. Then, among the bit string of the calculated MAC value, a part (for 15 bits) specified by the value of the lower bits (the number of bits is n) in the bit string of the new increased reception counter value is replaced with a new bit string to be rechecked Extract as Then, a match between the extracted new re-inspection bit string and the received MAC value is determined. This re-examination is repeated until the determination results are coincident. However, the re-examination is completed up to the end section of the bit string of the calculated MAC value (the section specified by the lower bit value “K−1”). This is because the value of the lower bits is carried and the value of the upper extracted bits used to generate the calculated MAC value changes.

  Therefore, even if the check is performed up to the section specified by the lower bit value “K−1” in the bit string of the calculated MAC value, if it does not match the received MAC value, after the lower bit value is carried The calculated MAC value is recalculated using the higher-order extracted bits, and the recalculated new calculated MAC value is used to determine a match with the received MAC value as in the above-described recheck.

(Step S132) When the re-inspection target bit string matches the received MAC value as a result of the re-inspection in Step S131, the MAC inspection unit 116 indicates to the counter unit 115 the lower-order bits related to the re-inspection target bit sequence. Notify the value and instruct counter synchronization. In response to the counter synchronization instruction, the counter unit 115 changes the value of the lower bit (the number of bits is n) of the corresponding reception counter value to the notified lower bit value. This reception counter value to be synchronized with the counter is a reception counter value corresponding to the ID stored in the ID portion in the CAN frame received by the reception unit 112. Thereby, the transmission counter value of the transmission node corresponding to the ID and the reception counter value corresponding to the ID of the reception node are synchronized.

  In the example shown in FIG. 6, the value of the lower bits (the number of bits is n) in the reception counter value acquired in step S121 is “3”. The inspection target bit string identified by this value “3” did not match the received MAC value. For this reason, the portion specified by the value “4” of the lower bits (the number of bits is n) in the bit string of the increased reception counter value obtained by adding 1 to the reception counter value acquired in step S121 is set as a recheck target bit string. A match with the received MAC value is determined. In the example of FIG. 6, even the recheck target bit string specified by the value “4” does not match the received MAC value. For this reason, the part specified by the value “5” of the lower bits (the number of bits is n) in the bit string of the new increased reception counter value obtained by adding 1 to the current increased reception counter value is set as the recheck target bit string. A match with the received MAC value is determined. In the example of FIG. 6, the recheck target bit string specified by the value “5” matches the received MAC value. As a result, the counter unit 115 changes the value of the lower bit (the number of bits is n) of the corresponding reception counter value from “3” to “5”.

  If the reinspection target bit string and the received MAC value do not match even after repeating reinspection a predetermined number of times, the MAC inspection unit 116 notifies the frame reception processing unit 113 of the inspection failure. As a result, the frame reception processing unit 113 discards the CAN frame received by the reception unit 112. This is because it is considered that an attack for transmitting a communication error or a spoofed message has occurred. Note that if the inspection fails, the MAC inspection unit 116 does not notify the counter unit 115 of the inspection pass. Thereby, the counter unit 115 does not increase the reception counter value with respect to the reception counter value corresponding to the ID stored in the ID part in the CAN frame received by the reception unit 112.

  Note that the receiving node determines that a replay attack has occurred when a CAN frame having the same MAC value is continuously received twice or more in a CAN frame having the same ID. In this case, for the CAN frame of the ID, a measure for not performing the reception process is given.

  The above is the description of the operation of the receiving node.

  According to the present embodiment, in the CAN frame transmitted from the transmission node, the MAC generated using the transmission data stored in the data portion of the CAN frame is stored in the CRC portion. In the receiving node, the CAN frame is inspected using the MAC generated using the received data acquired from the data portion of the received CAN frame and the MAC acquired from the CRC portion of the CAN frame. . This eliminates the need to transmit a MAC CAN frame separately from the CAN frame of the transmission data from the transmitting node, thereby eliminating the problem that the CAN communication band is compressed by the MAC CAN frame. Furthermore, since the transmission data and the MAC can be received in the same CAN frame, the immediacy of inspection can be realized.

  Furthermore, since the MAC is generated using the secret information common to the transmitting node and the receiving node, the CAN frame inspection is rejected in the MAC generated by the transmitting node that does not have the secret information. Thereby, the reliability with respect to the inspection of the CAN frame is improved.

  Further, by storing the section specified by the lower bits of the transmission counter value in the generated MAC bit string in the CAN frame, the MAC value stored for each CAN frame to be transmitted is different. Thereby, a replay attack in which the same CAN frame is repeatedly transmitted can be easily detected. In addition, since the transmission node generates the MAC using the transmission data of the data part in the CAN frame, it is possible to detect falsification of the transmission data at the reception node.

  In the present embodiment, the upper extracted bits of the counter value are used for generating the MAC, and which part of the MAC is stored in the CRC unit is determined by the lower bits other than the upper extracted bits of the counter value. For this reason, in the MAC recheck, it is not necessary to recalculate the MAC until the carry of the lower bits occurs, and the recheck can be repeated while changing the recheck target bit string from the same MAC. it can. Thereby, the amount of calculation at the time of inspection can be reduced and it can contribute to shortening of inspection time.

  In addition, according to the present embodiment, there is also an effect that there are few changes to the existing frame format of CAN.

  In the present embodiment, since only a part of the generated MAC is stored in the CRC part in the CAN frame, there is a possibility that a collision between the MACs occurs. For example, the collision of hash values may occur at the power of “1/2” to the 15th power (= 1/32768). However, even if a hash value collision occurs, the probability that a further hash value collision will occur is 1/32768, so the probability that a hash value collision will occur continuously becomes very small. For example, if a plurality of CAN frames having the same transmission data are transmitted continuously (the MAC of each CAN frame is different), MAC (hash value) collision does not occur in any of the plurality of CAN frames, and normal Therefore, it is considered that there is little influence on the communication quality due to collision of hash values.

  In the above-described embodiment, the MAC is stored in the CRC part in the CAN frame, but may be stored in the data part. For example, storing in the head part or the last part of a data part is mentioned. However, storing in the last part is considered to have less influence on the existing usage of the data part. Further, since the size of the data part is 64 bits, it is possible to increase the part stored in the CAN frame in the generated MAC as compared with the CRC part (15 bits). However, if the portion of the generated MAC that is stored in the CAN frame is increased, the size of the transmission data is reduced by that amount. Therefore, the size of the MAC stored in the data portion is allowed to be affected by the MAC collision. It is preferable to keep it as small as possible. When the MAC is stored in the data part, the CRC function can be utilized by storing the CRC in the CRC part.

[Second Embodiment]
The second embodiment is a configuration example for MCU_2 to safely hold the secret information in the first embodiment described above. FIG. 7 is a block diagram showing the configuration of the communication network system 1 according to the second embodiment of the present invention. A communication network system 1 shown in FIG. 7 is mounted on a vehicle. In the communication network system 1 shown in FIG. 7, a plurality of MCU_2-a and 2-b are connected to the CAN communication bus 3. Also in the second embodiment, similarly to the first embodiment described above, for convenience of explanation, it is assumed that three MCU_2-a and 2-b are connected to the communication bus 3. As shown in FIG. 7, each of the three MCU_2-a, 2-b is given an identifier (ID) in the CAN, and ID1 is assigned to the MCU_2-a, and each MCU_2-b has ID2, ID3. Are assigned to each.

  The MCU_2-a operates as a master in the process of authenticating the MCU_2-b connected to the communication bus 3. Hereinafter, MCU_2-a is referred to as "master MCU_2-a". Further, MCU_2-b is referred to as “end MCU_2-b”. Moreover, when not distinguishing MCU_2-a and 2-b in particular, it will be called "MCU_2".

  Next, the configuration of the master MCU_2-a and the end MCU_2-b will be described with reference to FIG. Since the master MCU_2-a and the end MCU_2-b have the same configuration, the configuration of the master MCU_2-a and the end MCU_2-b will be described below as MCU_2.

  The MCU_2 has a CPU_10, a flash memory 11, a RAM (random access memory) _12, a boot loader 13, and a secure element 14. The secure element 14 includes a secure RAM_21, a secure ROM (Read Only Memory) _22, a verification unit 23, and an encryption processing unit 24.

  CPU_10 implement | achieves the function as a node in CAN, and the function as ECU which controls the apparatus in a vehicle by running a computer program. The flash memory 11 stores a computer program executed by the CPU_10 and a signature for the computer program. RAM_12 stores data. The RAM_12 becomes an execution area when the CPU_10 executes the computer program.

  The boot loader 13 performs boot processing when the MCU_2 is powered on. The boot loader 13 is in ROM so that the contents of the boot process cannot be changed.

  The secure element 14 is configured as a safe element that cannot be accessed from outside the secure element 14 with respect to data held inside the secure element 14. The secure RAM_21 is a temporary storage area for data held inside the secure element 14. The secure RAM_21 is configured not to be accessible from outside the secure element 14. The secure ROM_22 stores a key used inside the secure element 14. The secure ROM_22 is configured not to be accessible from outside the secure element 14. A key is securely written in advance in the secure ROM_22 when the MCU_2 is manufactured.

  The verification unit 23 performs a program validity verification process in the boot process by the boot loader 13 using a signature verification key held in the secure ROM_22. The verification unit 23 uses the secure RAM_21 as a temporary storage area in the program validity verification process.

  The encryption processing unit 24 performs encryption processing on information exchanged between its own MCU_2 and another MCU_2, using an encryption key held in the secure ROM_22. The encryption process is an encryption process or a decryption process. The cryptographic processing unit 24 uses the secure RAM_21 as a temporary storage area in the cryptographic processing.

  Next, a boot process according to the present embodiment will be described with reference to FIG. FIG. 8 is a sequence chart of the boot process according to the present embodiment. The process of FIG. 8 is started when the MCU_2 is powered on.

(Step S <b> 1) The boot loader 13 reads a computer program and a signature from the flash memory 11. Next, the boot loader 13 calculates a hash value of the read computer program.

(Step S <b> 2) The boot loader 13 transmits the calculated hash value and the signature read from the flash memory 11 to the secure element 14.

(Step S3) In the secure element 14, the verification unit 23 verifies the match between the value included in the signature received from the boot loader 13 and the hash value received from the boot loader 13, using the signature verification key held in the secure ROM_22. To do. In this verification process, the secure RAM_21 is used as a temporary storage area for data in the verification process. When the verification is successful, the secure element 14 notifies the boot loader 13 of the verification success.

(Step S4) When the boot loader 13 receives the notification of the verification success from the secure element 14, the boot loader 13 loads the computer program read from the flash memory 11 in Step S1 into the RAM_12. Thereby, CPU_10 can execute the computer program loaded in RAM_12.

  On the other hand, when there is no verification success notification from the secure element 14 (for example, the boot loader 13 does not receive a verification success notification from the secure element 14 even after a predetermined time has passed since the transmission of step S2, When a notification of verification failure is received from the secure element 14), the computer program read from the flash memory 11 in step S1 is not loaded into the RAM_12. In this case, the boot loader 13 stops the activation of MCU_2.

  According to the boot process according to the present embodiment described above, the validity verification of the computer program executed by the CPU_10 is safely performed by the signature verification by the secure element 14. As a result, the correct computer program is loaded into the RAM_12, which is the execution area of the CPU_10, and the CPU_2 executes the computer program loaded into the RAM_12, whereby the MCU_2 is normally activated. Therefore, in the communication network system 1 according to the present embodiment, each MCU_2 has a secure boot (Secure System) that verifies the validity of the computer program (for example, an operating system (OS)) of the MCU_2 when the MCU_2 is activated. Boot) is realized. The secure boot is described in Non-Patent Document 5, for example.

  Next, an encryption process according to the present embodiment will be described with reference to FIG. FIG. 9 is a sequence chart of encryption processing according to the present embodiment. The process of FIG. 9 is started by a predetermined opportunity. Here, a case where a random number that is secret information is safely notified from the master MCU_2-a to the end MCU_2-b will be described as an example. Data transmission / reception between the master MCU_2-a and the end MCU_2-b is performed via the communication bus 3.

(Step S11) The master MCU_2-a transmits the initial random number held in its own RAM_12 to the end MCU_2-b as a challenge. The master MCU_2-a passes the initial random number transmitted as a challenge to the end MCU_2-b to its own secure element 14.

(Step S12) The end MCU_2-b passes the initial random number, which is a challenge received from the master MCU_2-a, to its own secure element 14. The encryption processing unit 24 of the end MCU_2-b encrypts the passed initial random number using the secret key Ks held in its own secure ROM_22. In this encryption process, the secure RAM_21 of the end MCU_2-b is used as a temporary storage area for data in the encryption process. Next, the end MCU_2-b transmits encrypted data Ks (initial random number), which is an encrypted initial random number, to the master MCU_2-a as a response.

(Step S13) The master MCU_2-a passes the encrypted data Ks (initial random number), which is a response received from the end MCU_2-b, to its own secure element 14. The encryption processing unit 24 of the master MCU_2-a decrypts the passed encrypted data Ks (initial random number) using the public key Kp of the corresponding end MCU_2-b held in its own secure ROM_22. Next, the encryption processing unit 24 of the master MCU_2-a verifies the match between the decrypted data obtained by the decryption and the initial random number transmitted to the end MCU_2-b as a challenge in step S11. In the decryption process and the verification process, the secure RAM_21 of the master MCU_2-a is used as a temporary storage area for data in the decryption process and the verification process. Based on the success of the verification, it can be determined that the authentication of the end MCU_2-b is successful.

  If the verification is successful, the encryption processing unit 24 of the master MCU_2-a generates a random number that is secret information, and discloses the generated random number to the corresponding end MCU_2-b held in its own secure ROM_22. Encrypt using key Kp. In these random number generation processing and encryption processing, the secure RAM_21 of the master MCU_2-a is used as a temporary storage area for data in the random number generation processing and encryption processing. Next, the master MCU_2-a transmits encrypted data Kp (random number), which is encrypted secret information (random number), to the end MCU_2-b.

  The end MCU_2-b passes the encrypted data Kp (random number) received from the master MCU_2-a to its own secure element 14. The encryption processing unit 24 of the end MCU_2-b decrypts the passed encrypted data Kp (random number) using the secret key Ks held in its own secure ROM_22. In this decryption process, the secure RAM_21 of the end MCU_2-b is used as a temporary storage area for data in the decryption process. By the decryption process, a random number which is secret information is acquired from the encrypted data Kp (random number). The acquired random number is safely held in the secure RAM_21 of the end MCU_2-b.

  According to the encryption processing according to the present embodiment described above, encryption processing (encryption processing) of information exchanged between the MCU_2 (between the master MCU_2-a and the end MCU_2-b in the above-described example) by the encryption processing by the secure element 14. Security processing and decryption processing) are performed safely. Thereby, the safety | security of the information exchanged between MCU_2 is maintained.

  Furthermore, the master MCU_2-a can perform reliable authentication of the end MCU_2-b by a challenge / response based on the encryption processing. Then, secret information can be safely transmitted from the master MCU_2-a to the authenticated end MCU_2-b based on the encryption processing. This secret information can be used as the secret information in the first embodiment described above. In the example described above, a random number that is secret information is securely transmitted from the master MCU_2-a to the end MCU_2-b.

  Next, with reference to FIG. 10, the MAC generation processing and the MAC inspection processing according to the present embodiment will be described. FIG. 10 is a sequence chart for explaining the MAC generation processing and the MAC inspection processing according to the present embodiment. By the above-described encryption processing according to FIG. 9, a random number, which is secret information, is securely transmitted from the master MCU_2-a to the authenticated end MCU_2-b. The master MCU_2-a and the end MCU_2-b store the random number, which is the secret information, in the secure RAM_21. The secure RAM_21 safely holds the random number (secret information) as the secret information storage unit 117 in the first embodiment described above.

  In FIG. 10, the transmission side MCU_2 operates as a transmission node. The transmitting MCU_2 may be the master MCU_2-a or the end MCU_2-b. The receiving side MCU_2 operates as a receiving node. The receiving MCU_2 may be the master MCU_2-a or the end MCU_2-b. The transmission side MCU_2 holds a transmission counter value and transmission data in the RAM_12. The receiving side MCU_2 holds the reception counter value in the RAM_12. The process of FIG. 10 is started when a CAN frame transmitted from the transmission side MCU_2 is created.

(Step S21) The transmission side MCU_2 passes the transmission data and the transmission counter value from the RAM_12 to the secure RAM_21. The secure element 14 of the transmission side MCU_2 generates a MAC by using a random number (secret information), transmission data, and a transmission counter value held in the secure RAM_21. This MAC generation method is the same as in the first embodiment described above. However, the MAC is generated safely in the secure RAM_21. A 15-bit bit string (CRC portion extracted MAC bit string) extracted from the MAC value bit string as a result of the MAC generation is passed from the secure RAM_21 to the RAM_12.

(Step S22) For the CAN frame, the transmission side MCU_2 stores the transmission data transferred from the RAM_12 to the secure RAM_21 in step S21 in the data part, and the CRC part extraction MAC passed from the secure RAM_21 to the RAM_12 in step S21. The bit string is stored in the CRC part. The transmitting side MCU_2 transmits the CAN frame to the communication bus 3. This CAN frame is received by the receiving MCU_2 via the communication bus 3.

(Step S23) The receiving MCU_2 holds the CAN frame received from the communication bus 3 in the RAM_12. The receiving MCU_2 passes the received data acquired from the data part in the CAN frame held in the RAM_12 and the received MAC value acquired from the CRC part to the secure RAM_21. Further, the receiving side MCU_2 passes the reception counter value corresponding to the ID stored in the ID part in the CAN frame held in the RAM_12 from the RAM_12 to the secure RAM_21.

  Next, the secure element 14 of the receiving MCU_2 uses the random number (secret information), the received data, and the reception counter value held in the secure RAM_21 to generate a MAC. This MAC generation method is the same as in the first embodiment described above. However, the MAC is generated safely in the secure RAM_21. As a result of the generation of the MAC, a 15-bit inspection target bit string is extracted from the bit string of the calculated MAC value. Next, the secure element 14 of the receiving MCU_2 determines whether the received MAC value held in the secure RAM_21 matches the check target bit string. If the result of this determination is inconsistent, re-examination is performed as in the first embodiment described above.

  As described above, according to the present embodiment, a MAC is generated and checked using a random number (secret information) that is securely held in the secure RAM_21. Thereby, the reliability with respect to the inspection of the CAN frame is improved.

  As mentioned above, although embodiment of this invention was explained in full detail with reference to drawings, the specific structure is not restricted to this embodiment, The design change etc. of the range which does not deviate from the summary of this invention are included.

  For example, in the above-described embodiment, one MCU_2 has the function of the transmission node and the function of the reception node. However, one MCU_2 may have only the function of the transmission node, or one MCU_2 may have only the function of the receiving node.

  Further, one MCU_2 may be configured as one semiconductor device. By making one MCU_2 into one chip as one semiconductor integrated circuit, safety is further improved.

  Further, as the secure element, for example, an eSIM (Embedded Subscriber Identity Module) or SIM (Subscriber Identity Module) used for wireless communication may be used. eSIM and SIM are a kind of computer, and a desired function is realized by a computer program. Alternatively, a cryptographic processing chip having tamper resistance may be used as the secure element. As a tamper-resistant cryptographic processing chip, for example, a cryptographic processing chip called a TPM (Trusted Platform Module) is known. About TPM, it describes in the nonpatent literature 6, for example.

  Moreover, embodiment mentioned above is applicable to a motor vehicle, a bicycle with a motor | power_engine, a railway vehicle etc. as a vehicle, for example.

  In the above-described embodiment, the communication network system mounted on the vehicle has been described as an example of the communication network system according to the present invention. However, the communication network system according to the present invention can be applied to various fields. Is possible. For example, MCU_2 may be applied as a computer that controls home appliances, and the MCU_2 of each home appliance may be connected via a home network. Alternatively, the MCU_2 may be applied as a smart meter, and the MCU_2 of each smart meter may be connected via a communication network.

[Embodiment of message creation method]
A message creation method according to an embodiment of the present invention will be described. In the present embodiment, a CAN data frame will be described as an example of a message. FIG. 11 is a configuration diagram showing a data frame in a CAN standard format. FIG. 12 is a block diagram showing a data frame in the CAN extended format. The CAN data frame is described in Non-Patent Document 7, for example. In the data frames of FIGS. 11 and 12, the numbers in parentheses shown in each field indicate the number of bits of information stored in the field.

  In the present embodiment, the MAC is stored in a data field (Data Field) in the data frame. In the standard format of FIG. 11 and the extended format of FIG. 12, data of up to 8 bytes can be stored in the data portion. The MAC is stored in a predetermined location in the data part. For example, storing in the head part or the last part of a data part is mentioned. However, storing in the last part is considered to have less influence on the existing usage of the data part.

  Next, with reference to FIG. 13, a data frame creation method according to the present embodiment will be described. FIG. 13 is an explanatory diagram showing a message creation method according to an embodiment of the present invention. In FIG. 13, it is assumed that the data length of the MAC stored in the data part is 4 bytes. Therefore, the maximum data length of transmission data that can be stored in the data portion is 4 bytes. For this reason, when the data length of the transmission data exceeds 4 bytes, the transmission data is divided, a MAC is generated for each divided transmission data, and each of the divided transmission data and MAC sets is separated. Are stored in the data portion of the data frame.

  Here, as shown in FIG. 13, the transmission data is assumed to be 8 bytes. The transmission data is input to both the transmission unit 111 and the MAC generation unit 114 shown in FIG. When the transmission data is input to the transmission unit 111 and the MAC generation unit 114, the processing in FIG. 13 is started.

(Step S201) The transmission unit 111 divides the input 8-byte transmission data into first transmission data and second transmission data of 4 bytes each. For example, among the input 8-byte transmission data, the upper 4 bytes are set as the first transmission data, and the lower 4 bytes are set as the second transmission data. The MAC generation unit 114 divides the input 8-byte transmission data into 4-byte first transmission data and second transmission data in the same manner as the transmission unit 111.

(Step S202) The MAC generation unit 114 generates a 4-byte first MAC using the 4-byte first transmission data. This first MAC generation method is the same as the MAC generation method of the first embodiment shown in FIG. 4 described above. However, the transmission data used for the MAC calculation in step S112 in FIG. 4 is the first transmission data. In step S113 of FIG. 4, the bit string (extracted value) extracted from the MAC bit string calculated using the first transmission data in step S112 is 4 bytes. This 4-byte extracted value is the first MAC.

(Step S203) The transmission unit 111 stores the first transmission data and the first MAC in the data part of the first data frame. The transmission unit 111 transmits the first data frame to the communication bus 3. The counter unit 115 increases the transmission counter value by 1 by transmission of the first data frame and holds it.

(Step S204) The MAC generation unit 114 generates a 4-byte second MAC using the 4-byte second transmission data. This second MAC generation method is the same as the MAC generation method of the first embodiment shown in FIG. 4 described above. However, with respect to the transmission data and the higher-order extracted bits used in the calculation of the MAC in step S112 in FIG. This is a transmission counter value increased by 1 by transmission of one data frame. Further, in step S113 of FIG. 4, the bit string (extracted value) extracted from the MAC bit string calculated using the second transmission data in step S112 is 4 bytes. This 4-byte extracted value is the second MAC.

(Step S205) The transmission unit 111 stores the second transmission data and the second MAC in the data part of the second data frame. The transmission unit 111 transmits the second data frame to the communication bus 3. The counter unit 115 increases the transmission counter value by 1 by transmission of the second data frame and holds it.

  According to the data frame creation method described above, the transmission data and the MAC can be stored in the data portion of the data frame while the MAC data length is maintained at a predetermined length (for example, 4 bytes). As a result, it is possible to improve the message inspection performance in a communication network system in which a transmission node that transmits a message and a reception node that receives the message are connected.

  The first data frame and the second data frame in which the first transmission data and the second transmission data divided from the input one transmission data are separately stored are attached with the same label. You may notify a node that one transmission data is comprised from the transmission data in each data part of the 1st data frame and 2nd data frame which attached the same label.

  In the data frame creation method described above, both the transmission unit 111 and the MAC generation unit 114 each divide the input transmission data into the first transmission data and the second transmission data. The input transmission data may be divided into first transmission data and second transmission data, and the first transmission data and the second transmission data may be supplied to the MAC generation unit 114.

  In the data frame creation method described above, the MAC generation method according to the first embodiment shown in FIG. 4 described above is used as a MAC generation method to be stored in the data frame. A method may be used. For example, the MAC generation method described in Non-Patent Document 8 may be used.

  Further, the data length of the MAC stored in the data frame may be determined for each pair of the transmission node and the reception node. In this case, the data length of the MAC stored in the data frame is set for each pair of the transmission node and the reception node.

  For example, it is assumed that the communication network system 1 shown in FIG. 1 is mounted on an automobile and the MCU_2 is used as an electronic control unit (ECU) that controls equipment in the automobile. Information for controlling devices in the vehicle is transmitted and received between ECUs (MCU_2) using data frames. The data length of the MAC stored in the data frame is determined for each set of ECUs (MCU_2) for transmitting and receiving the information. For example, the data length of the MAC stored in the data frame exchanged between the ECU (MCU_2) and the communication partner ECU (MCU_2) is determined according to the importance of the control function of the ECU (MCU_2). For example, the higher the importance, the longer the MAC data length. When the importance of the control function of the ECU (MCU_2) is low, the MAC may not be stored in the data frame exchanged between the ECU (MCU_2) and the communication partner ECU (MCU_2).

  Alternatively, for each set of ECUs (MCU_2), the data length of the MAC stored in the data frame may be determined according to the maximum data length of the transmission data transmitted and received using the data frame. For example, the data length of the MAC to be stored in the data frame is determined within the range of the empty size of the data portion when transmission data having the maximum data length is stored in the data portion. In this case, since the transmission data and the MAC having the maximum data length can be stored in the data portion, it is not necessary to divide the transmission data and transmit it in separate data frames.

[MAC example]
As the MAC, for example, a hash value is calculated. An example of a hash value calculation method is SHA-256. Or as MAC, for example, calculating Code MAC (CMAC) is mentioned. CMAC is a MAC based on a common key encryption.

Further, a computer program for realizing the above-described function of MCU_2 may be recorded on a computer-readable recording medium, and the program recorded on the recording medium may be read by the computer and executed.
The “computer-readable recording medium” means a flexible disk, a magneto-optical disk, a ROM, a writable nonvolatile memory such as a flash memory, a portable medium such as a DVD (Digital Versatile Disk), and a built-in computer. A storage device such as a hard disk.

Further, the “computer-readable recording medium” means a volatile memory (for example, DRAM (Dynamic Random) inside a computer that becomes a server or a client when a program is transmitted through a network such as the Internet or a communication line such as a telephone line. Access Memory)) is also included, which holds a program for a certain period of time.
Further, the program may be transmitted from a computer storing the program in a storage device or the like to another computer via a transmission medium or by a transmission wave in the transmission medium. Here, the “transmission medium” for transmitting the program refers to a medium having a function of transmitting information, such as a network (communication network) such as the Internet or a communication line (communication line) such as a telephone line.
The program may be for realizing a part of the functions described above. Furthermore, what can implement | achieve the function mentioned above in combination with the program already recorded on the computer, what is called a difference file (difference program) may be sufficient.

DESCRIPTION OF SYMBOLS 1 ... Communication network system, 2, 2-a, 2-b ... MCU, 3 ... Communication bus, 10 ... CPU, 11 ... Flash memory, 12 ... RAM, 13 ... Boot loader, 14 ... Secure element, 21 ... Secure RAM, DESCRIPTION OF SYMBOLS 22 ... Secure ROM, 23 ... Verification part, 24 ... Encryption processing part, 111 ... Transmission part, 112 ... Reception part, 113 ... Frame reception processing part, 114 ... MAC (message authentication code) generation part, 115 ... Counter part, 116 ... MAC (message authentication code) inspection unit, 117 ... Secret information storage unit

Claims (15)

The transmission node in a communication network system in which a transmission node that transmits a message and a reception node that receives the message are connected;
The input transmission data is divided, and each set of the divided transmission data and the message authentication code generated using the divided transmission data is stored separately in the data portion in the message to be transmitted. A transmission unit;
Using the divided transmission data, a message authentication code generation unit for generating a message authentication code stored in a data part in the message to be transmitted together with the divided transmission data;
A sending node with A transmission counter unit that holds a transmission counter value that is incremented by a predetermined count value every time the message is transmitted
The message authentication code generator
Using the divided transmission data and the held transmission counter value, a message authentication code stored in a data part in the message to be transmitted is generated together with the divided transmission data. ,
Transmission that has been increased by the predetermined count value due to the transmission of the message storing the first transmission data out of the first transmission data and the second transmission data that are transmission data obtained by dividing the input transmission data A counter value is used to generate a message authentication code stored in a data part in the message to be transmitted together with the second transmission data.
The transmission node according to claim 1. The message authentication code generation unit uses only the upper extracted bits for a predetermined number of extracted bits in the bit string of the transmission counter value to generate the message authentication code,
The transmitting unit is configured to determine, for the message to be transmitted, a part of a bit sequence of the generated message authentication code identified by a value of a predetermined lower bit other than the upper extracted bits in the bit sequence of the transmission counter value. Store only bit strings,
The transmission node according to claim 2. A secret information storage unit for storing the same secret information as the secret information held in the receiving node;
The message authentication code generation unit uses the secret information to generate the message authentication code.
The transmission node according to any one of claims 1 to 3. A receiving node in a communication network system in which a transmitting node that transmits a message and a receiving node that receives the message are connected;
A reception counter unit that holds a reception counter value that is incremented by the same predetermined count value as the count value used in the transmission node each time the message is received;
A message authentication code is generated using the received data acquired from the data part in the received message and the held reception counter value, and the message authentication acquired from the generated message authentication code and the received message A message authentication code checking unit that checks whether the code matches,
Receiving node with The message authentication code checking unit uses only the upper extracted bits corresponding to a predetermined number of extracted bits in the bit string of the reception counter value to generate the message authentication code, and among the generated message authentication codes, the reception counter Only a part of a bit string specified by a value of a predetermined lower bit other than the higher-order extracted bits in the bit string of the value is a target of checking for a match with the message authentication code acquired from the received message.
The receiving node according to claim 5. The message authentication code checking unit is specified by the value of the lower bit in a value obtained by incrementing the reception counter value by the count value in the generated message authentication code when the result of the check does not match. Only a part of the bit string is subject to re-examination of the match,
The receiving node according to claim 6. The reception counter unit sets the value of the low-order bit that matches the result of the reexamination to the value of the low-order bit of the reception counter value held by itself.
The receiving node according to claim 7. A secret information storage unit for storing the same secret information as the secret information held in the transmission node;
The message authentication code inspection unit uses the secret information to generate the message authentication code.
The receiving node according to any one of claims 5 to 8. A sending node according to claim 1;
A receiving node comprising a message authentication code checking unit for checking a message authentication code using received data and a message authentication code acquired from a data part in a message received from the sending node;
A communication network system.   A communication network system comprising the transmitting node according to claim 2 and the receiving node according to claim 5.   A communication network system comprising the transmission node according to claim 3 and the reception node according to any one of claims 6 to 8. The sending node and the receiving node have the same secret information, and the sending node and the receiving node use the secret information to generate a message authentication code;
The communication network system according to any one of claims 10 to 12. A method for creating a message of the transmitting node in a communication network system in which a transmitting node that transmits a message and a receiving node that receives the message are connected,
In the message in which the transmitting node divides input transmission data, and separately transmits each of a set of divided transmission data and a message authentication code generated using the divided transmission data. A transmission step to store in the data part;
A message authentication code generating step in which the transmission node generates a message authentication code stored in a data part of the message to be transmitted together with the divided transmission data, using the divided transmission data;
To create a message containing A computer of the transmission node in a communication network system in which a transmission node that transmits a message and a reception node that receives the message are connected;
The input transmission data is divided, and each set of the divided transmission data and the message authentication code generated using the divided transmission data is stored separately in the data portion in the message to be transmitted. Sending step;
A message authentication code generating step of generating a message authentication code stored in a data portion in the message to be transmitted together with the divided transmission data using the divided transmission data;
A computer program for running.

Images