JP2016076996A - Radio device - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a radio device that can efficiently secure security of a communication system.SOLUTION: A radio device transmits a first frame and at least one second frame as a unit. The first frame contains a public key certificate used to check an electronic signature, a digest list, an electronic signature for the digest list, application data and MAC. The second frame contains information for specifying the open key certificate, application data and MAC. The digest list contains plural digests each of which is contained in the first frame and the second frame constituting one unit and generated every application data.SELECTED DRAWING: Figure 5

Description

  The present invention relates to communication technology, and more particularly to a radio apparatus that receives a signal including predetermined information.

  The form of wireless communication for automobiles is roughly classified into road-to-vehicle communication and vehicle-to-vehicle communication (including road-to-vehicle communication). Both types of communication can be used for preventing collisions at intersections and rear-end collisions due to traffic jams at corners. For example, the current position information is detected in real time by GPS (Global Positioning System) in vehicle-to-vehicle communication, and the position information is exchanged between the vehicle-mounted devices, thereby preventing collision at an intersection. In road-to-vehicle communication, a roadside machine is installed at an intersection or on the roadside, and the driving support information as described above is transmitted from the roadside machine to the vehicle-mounted device.

  Compared with wired communication, wireless communication is easier to intercept by communication and impersonation by third party impersonation. Therefore, countermeasures against them are more important than wireless communication. In order to ensure the confidentiality of the communication content, a method of performing message authentication using an encryption method for communication data is effective. The encryption methods are roughly classified into public key encryption methods and common key encryption methods. The former is higher in security than the latter, but has a large amount of data and a large processing load, resulting in higher implementation costs. That is, both are in a trade-off relationship.

JP 2005-202913 A JP 2007-104310 A Special table 2010-537982

  The present invention has been made in view of such circumstances, and an object thereof is to provide a technique for efficiently ensuring the security of a communication system.

  A wireless device according to an aspect of the present invention is a wireless device that transmits a first frame and at least one second frame as a unit, and the first frame is a public key certificate used for verification of an electronic signature. , Digest list, electronic signature for the digest list, and application data. The second frame includes information for specifying the public key certificate and application data. The digest list includes a plurality of digests generated for each application data included in the first frame and the second frame constituting one unit.

  Another aspect of the present invention is also a wireless device. This device is a wireless device that constitutes a unit transmitted from another wireless device, each receiving a first frame and at least one second frame including application data, wherein the first frame is: A public key certificate used for verification of an electronic signature, a digest list including a plurality of digests generated for each application data included in the first frame and the second frame constituting the same unit, and the digest list Includes electronic signatures and application data. The second frame includes information for specifying the public key certificate and application data. If a part of the first frame is received in a missing state and the digest list of the first frame is not missing, the digest of the application data included in the second frame is calculated, and the digest and the first frame are calculated. If the corresponding digests in the digest list included in the list match, the application data is determined to be valid.

  It should be noted that any combination of the above-described constituent elements and a conversion of the expression of the present invention between a method, an apparatus, a system, a recording medium, a computer program, etc. are also effective as an aspect of the present invention.

  According to the present invention, security of a communication system can be efficiently ensured.

It is a figure which shows the structure of the communication system which concerns on the Example of this invention. FIGS. 2A to 2D are diagrams showing a superframe format defined in the communication system. FIGS. 3A to 3B are diagrams illustrating the configuration of subframes. FIGS. 4A to 4D are diagrams illustrating frame formats of each layer defined in the communication system. FIGS. 5A to 5B are diagrams illustrating the data structure of the security frame included in the RSU packet. It is a figure which shows the structure of the base station apparatus which concerns on an Example. FIGS. 7A to 7D are diagrams illustrating a data flow in transmission processing in the base station apparatus according to the embodiment (adopting the data structure of FIGS. 5A to 5B). It is a figure which shows the structure of the terminal device mounted in the vehicle which concerns on an Example. FIGS. 9A to 9D are diagrams illustrating a data flow in the reception process in the terminal device according to the embodiment (adopting the data structure of FIGS. 5A to 5B). FIGS. 10A to 10C are diagrams illustrating another flow of data in the reception processing in the terminal device according to the embodiment (adopting the data structure of FIGS. 5A to 5B). FIGS. 11A to 11B are diagrams illustrating an improved data structure of the security frame included in the RSU packet. 12A to 12D are diagrams illustrating an improved data flow in the reception processing in the terminal device according to the embodiment (adopting the data structure of FIGS. 11A to 11B). . FIGS. 13A to 13D are diagrams illustrating another flow of improved data in the reception processing in the terminal device according to the embodiment (the data structures of FIGS. 11A to 11B). Adopted).

  The knowledge which became the basis of the Example of this invention is as follows. Since road-to-vehicle communication is more public than vehicle-to-vehicle communication, there is a greater demand to prevent spoofing and data tampering with road-to-vehicle communication. At the same time, it is desirable to be able to confirm the legitimacy of the sender. In view of this, a system for notifying a packet signal storing data with a public key certificate and an electronic signature from a roadside device (base station device) to a vehicle-mounted device (terminal device) has been studied.

  However, when a public key certificate and an electronic signature are added to all packet signals, the overhead for data becomes larger than the overhead of the message authentication code in the common key cryptosystem. As a countermeasure, a method of reducing overhead by adding one public key certificate and electronic signature to a plurality of packet signals including a series of data groups transmitted from a specific base station apparatus is conceivable. However, if the data targeted for one signature straddles a plurality of packet signals, a group of data transmitted from a specific base station device will be lost when a packet signal loss occurs in the communication section. .

  The embodiment described below has been made in view of such a situation, and an object thereof is to provide a transmission method that is resistant to packet signal loss while improving security, and a reception method thereof. .

  An outline of the present invention will be given before concretely explaining the embodiments of the present invention. An embodiment of the present invention relates to a communication system such as ITS (Intelligent Transport Systems). In the communication system, road-to-vehicle communication executed to provide information to a terminal device mounted on a vehicle from a base station device installed at an intersection or a roadside, and other terminal devices mounted on the vehicle Inter-vehicle communication executed to provide information to a terminal device mounted on a vehicle is used.

  In ITS, the use of wireless communication similar to wireless LAN standards such as IEEE 802.11 is being studied. In such wireless communication, an access control function called CSMA / CA (Carrier Sense Multiple Access with Collision Avidance) is used. Therefore, in the wireless communication, the same wireless channel is shared by the base station device and the plurality of terminal devices. In such CSMA / CA, after confirming that no other packet signal is transmitted by carrier sense, the packet signal is transmitted by broadcast (hereinafter, transmission of the packet signal by broadcast is referred to as “notification”).

  As inter-vehicle communication, the terminal device notifies a packet signal storing vehicle information indicating the speed and position of the vehicle in which the terminal device is mounted. The terminal device that has received the packet signal recognizes the approach of the vehicle based on the information stored in the packet signal. In addition, as a road-to-vehicle communication, the base station apparatus broadcasts a packet signal in which intersection information, traffic jam information, and the like are stored.

  The intersection information includes information related to the situation of the intersection such as the position information of the intersection where the base station device is installed, the route information of the intersection, the captured image of the intersection, and the position information of vehicles and pedestrians in the intersection. The terminal device displays this intersection information on the monitor. In addition, the terminal device recognizes the situation of the intersection based on this intersection information, and notifies the user of visual information or a voice message for the purpose of preventing collision with vehicles, bicycles, and pedestrians due to encounters, right turns, and left turns. May be. The traffic jam information includes information related to the congestion status of the runway where the base station device is installed, road construction, and accidents. The terminal device transmits the traffic jam in the traveling direction to the user based on the traffic jam information. Further, a detour for detouring the traffic jam may be presented.

  FIG. 1 shows a configuration of a communication system 500 according to an embodiment of the present invention. This corresponds to a case where one intersection is viewed from above. The communication system 500 includes a base station device 20, a terminal device 10a mounted on the first vehicle 100a, and a terminal device 10b mounted on the second vehicle 100b. Area 202 indicates the radio wave range of the base station apparatus 20, and area 204 indicates the radio wave area of the base station apparatus 20. The upper side of the drawing corresponds to “north”, the first vehicle 100a proceeds from “south” to “north”, and the second vehicle 100b proceeds from “east” to “west”. The base station device 20 can communicate with an external device via the external network 200.

  2A to 2D show a superframe format defined in the communication system 500. FIG. FIG. 2A shows the structure of the super frame. The superframe is formed by N subframes indicated as the first subframe to the Nth subframe. For example, when the length of the superframe is 100 msec and N is 8, a subframe having a length of 12.5 msec is defined. N may be other than 8.

  FIG. 2B shows a configuration of a super frame generated by the first base station apparatus 20a. The first base station device 20a corresponds to any one of the base station devices 20. The first base station apparatus 20a sets a road and vehicle transmission period at the beginning of the first subframe. The road and vehicle transmission period is a period during which the base station apparatus broadcasts a packet signal. When the 1st base station apparatus 20a alert | reports a packet signal, the 1st base station apparatus 20a always alert | reports in the road and vehicle transmission period which is the head period of a 1st sub-frame.

  On the other hand, the other base station apparatus 20 arranged within the radio wave arrival distance of the first base station apparatus 20a and the terminal apparatus 10 existing within the radio wave arrival distance do not notify the packet signal during the road and vehicle transmission period. It is defined that the terminal device 10 can notify the packet signal in the vehicle transmission period subsequent to the road and vehicle transmission period of the first subframe. The first base station apparatus 20a sets the vehicle transmission period in a period excluding the road and vehicle transmission period. That is, the vehicle transmission period is set from the second half of the first subframe and from the second subframe to the Nth subframe.

  FIG.2 (c) shows the structure of the super frame produced | generated by the 2nd base station apparatus 20b. The second base station device 20b is a base station device 20 different from the first base station device 20a. The second base station apparatus 20b sets a road and vehicle transmission period at the beginning of each of the second subframe and the third subframe. Also, the second base station apparatus 20b sets the vehicle transmission period from the first stage of the second subframe and the third subframe to the Nth subframe after the first subframe and the fourth subframe. Set. By setting the road and vehicle transmission period for two or more subframes as in the second base station apparatus 20b, the amount of data that can be transmitted for each superframe can be increased.

  FIG. 2D shows a configuration of a super frame generated by the third base station apparatus 20c. The third base station apparatus 20c is a base station apparatus 20 that is different from the first base station apparatus 20a and the second base station apparatus 20b. The third base station apparatus 20c sets a road and vehicle transmission period at the beginning of the Nth subframe. In addition, the third base station apparatus 20c sets the vehicle transmission period in the latter stage of the road and vehicle transmission period in the Nth subframe and from the first subframe to the (N-1) th subframe.

  The plurality of base station apparatuses 20 select different subframes, and set a road and vehicle transmission period at the beginning of the selected subframe. In this way, each base station apparatus 20 provides a notification period unique to each base station apparatus in the superframe by monopolizing the road and vehicle transmission period of one subframe in order to notify the packet signal itself. .

  The number of subframes that can be set in the superframe is finite (8 in this embodiment). Therefore, if the superframe is selected in consideration of the radio wave arrival distances of the plurality of base station apparatuses 20, the number of installed base station apparatuses 20 is not limited. Further, the road and vehicle transmission period may not be set for all the subframes in the superframe. The base station device 20 outside the radio wave reach distance may set the road and vehicle transmission period in the same superframe as the superframe defined within the radio wave reach, or the road and vehicle transmission period in a different superframe. It may be set.

  FIGS. 3A to 3B show the configuration of subframes including a road and vehicle transmission period. As shown in FIG. 3A, the subframe is configured in the order of a road and vehicle transmission period and a vehicle and vehicle transmission period. In the road and vehicle transmission period, the base station device 20 can notify the packet signal, and in the vehicle and vehicle transmission period, the terminal device 10 can notify the packet signal. FIG. 3B shows the arrangement of packet signals during the road and vehicle transmission period. As illustrated, a plurality of packet signals (hereinafter referred to as RSU packets as appropriate) are arranged in the road and vehicle transmission period (hereinafter referred to as RSU (Load Side Unit) period). Here, the front and rear RSU packets are separated by SIFS (Short Interframe Space).

  FIG. 4C shows a frame format of the LLC layer. This frame is stored in the MSDU of FIG. As shown in the figure, an LLC header and an LSDU (LLC Layer Service Data Unit) are sequentially arranged in the LLC layer frame. FIG. 4D shows the frame format of the inter-vehicle / road-vehicle shared communication control information layer. This frame is stored in the LSDU of FIG. As shown in the figure, an IR header and an APDU (Application Protocol Data Unit) are sequentially arranged in the inter-vehicle / road-vehicle shared communication control information layer frame.

  FIG. 4E shows the frame format of the security layer. This frame is stored in the APDU of FIG. As shown in the drawing, a security header (Security Header), application data (Application Data), and a security footer (Security Footer) are sequentially arranged in the frame of the security layer. Hereinafter, the MAC layer frame is referred to as a MAC frame, and the security layer frame is referred to as a security frame.

  FIGS. 5A to 5B show the data structure of the security frame included in the RSU packet. A collection of security frames to be signed is a message. FIG. 5A shows the security frame transmitted at the head of the message, and FIG. 5B shows the data structure of the security frame transmitted at other than the head of the message.

  In the security frame at the head of the message shown in FIG. 5A, “version”, “message information”, “nonse”, “payload data length”, “payload”, and “MAC” are arranged. In “payload”, “signed data length”, “signed data”, and “digested data” are arranged. In “signed data”, “public key certificate”, “digest”, and “signature” are arranged. “Digest data” includes “application data length”, “message ID”, “frame ID”, “number of frames”, and “application data”. The security header is “version” − “number of frames” arranged before “application data”, and the security footer is “MAC” arranged after “application data”.

  In the security frame other than the head of the message shown in FIG. 5B, the “signed data length” and “signed data” in the security frame at the head of the message shown in FIG. "Is replaced with". " Thus, by omitting the public key certificate and signature in the security frame other than the head, the overhead of the entire message can be suppressed.

  The version of the data structure of the frame is set in “Version”. Information necessary for the reception process of this frame is set in the “message information”. For example, a message format indicating a data protection mode in a security frame and a key for sharing a key (hereinafter referred to as a communication key) used in processing based on a common key encryption method between the base station apparatus 20 and the terminal apparatus 10 Alternatively, an identifier for specifying the key is set. The message format includes a plain text data format, an authenticated data format, and an authenticated encrypted data format. In the data format with authentication, a MAC (Message Authentication Code) for “payload” is generated using a communication key, and the generated MAC is set to “MAC”. In the encrypted data format with authentication, “payload” and “MAC” are encrypted using a communication key in addition to that.

  As the communication key, a common key of a pre-shared common key cryptosystem or a random value encrypted with a pre-shared key is used. The communication key is associated with the base station apparatus 20 and the terminal apparatus 10 according to information set in “message information”. For example, AES (Advanced Encryption Standard) can be used for the common key encryption. In this embodiment, MAC generation and encryption are performed in the CCM mode in the encrypted data format with authentication.

  In “nonse”, a unique value or a part thereof is set for each communication used for disturbing the encryption result in the encryption using the communication key or the MAC generation. This unique value may be a random number or a transmission time. Further, the source device ID may be added to the random number or the transmission time. When only the transmission time is set in “nonse”, the transmission time and the unique value of the base station apparatus 20 are used as a unique value used for each communication. For example, a serial number or device ID included in the public key certificate can be used as the unique value of the base station device 20. When a random number is set in “nonse”, the random number and the unique value of the base station device 20 are used as unique values for each communication. In the “payload data length”, the number of bytes of the “payload” is set. By this number of bytes, it is possible to specify a range that is subject to encryption and MAC generation at the time of reception.

  In “signed data length”, the number of bytes of “signed data” is set. That is, the total number of bytes of “public key certificate”, “digest” and “signature” is set. Thereby, it is possible to know the number of bytes of “digest” and the arrangement position of “application data length” which is the head of “digested data”.

  In the “public key certificate”, a public key certificate for a public key unique to the base station apparatus 20 is set. A public key certificate is a certificate that links a public key and the owner of the public key. The public key certificate includes a certificate body, a signature for the signer's certificate body, and the like. The certificate body includes the signer identification information, the serial number of the public key certificate, the expiration date, the public key (including key generation algorithm and size), and the like. In the present embodiment, the signer is a certificate authority (CA). For example, the signature is generated by a public key cryptosystem such as RSA, DSA (Digital Signature Algorithm), or ECDSA (Electric Curve-DSA). In this embodiment, ECDSA is adopted.

  In “Digest”, a digest for “Digest Data” in the same message is set. For example, a hash value obtained by a hash function is set. In order to reduce the influence of overhead due to the security frame, in this embodiment, a hash value is obtained for a data string in which “digested data” included in all security frames in the message are arranged in the order of “frame ID”. In “Signature”, a signature for “Digest” is set. The signature is a signature generated using a private key that is paired with the public key included in the “public key certificate”.

  In “application data length”, the total data length of “message ID”, “frame ID”, “number of frames”, and “application data # 1” is set. As a result, the data length to be digested can be specified. A message ID is set in the “message ID”. The message ID is an identification number used to distinguish RSU packets transmitted from the same base station apparatus 20 in the security layer. The message ID is a numerical value (N remainder system, N is a natural number) that is incremented by 1 for each transmission and changes cyclically.

  The “frame ID” is set with the transmission order in the message. This transmission order indicates the order of data when “digest” is obtained. In the “number of frames”, the number of security frames constituting the message is set. In the “application data”, data notified by the base station device 20 to the terminal device 10 is set. In “MAC”, the MAC for “payload” is set.

  “Public key certificate information” is arranged in a security frame other than the head of the message. In the “public key certificate information”, the serial number or digest of the public key certificate unique to the base station apparatus 20 set in the “public key certificate” of the security frame at the head of the message is set. In this embodiment, a serial number is set. Thereby, the source base station apparatus 20 can be specified.

  In the data format with authentication, after a signature is set in “signature”, a MAC is generated, and the generated MAC is set in “MAC”. In the encrypted data format with authentication, after “MAC” is set to “MAC”, “payload” and “MAC” are further encrypted.

  FIG. 6 shows the configuration of the base station apparatus 20 according to the present embodiment. The base station device 20 includes an antenna 21, an RF unit 22, a modem unit 23, a MAC frame processing unit 24, a division coupling unit 25, a security processing unit 26, an application management unit 27, a network communication unit 28, a data generation unit 29, and a storage unit. 210 and a control unit 211.

  The configuration of the MAC frame processing unit 24, the division coupling unit 25, the security processing unit 26, the application management unit 27, the network communication unit 28, the data generation unit 29, the storage unit 210, and the control unit 211 is an arbitrary processor in hardware. It can be realized by a memory or other LSI, and is realized by a program loaded into the memory in terms of software. Here, functional blocks realized by their cooperation are depicted. Accordingly, those skilled in the art will understand that these functional blocks can be realized in various forms by hardware only, software only, or a combination thereof.

  The RF unit 22 receives the packet signal from the terminal device 10 and the other base station device 20 by the antenna 21 as a reception process. The RF unit 22 performs frequency conversion on the received radio frequency packet signal to generate a baseband packet signal. The RF unit 22 outputs the baseband packet signal to the modem unit 23. In general, since a baseband packet signal is formed by an in-phase component and a quadrature component, two signal lines should be shown. However, in order to simplify the drawing, only one signal line is shown in FIG. Yes. The RF unit 22 includes a low noise amplifier (LNA), a mixer, an AGC, an A / D conversion unit, and the like (not shown) as components of the reception system.

  The RF unit 22 transmits the generated packet signal from the base station apparatus 20 as a transmission process. The RF unit 22 performs frequency conversion on the baseband packet signal input from the modem unit 23 to generate a radio frequency packet signal. The RF unit 22 transmits a radio frequency packet signal from the antenna 21 during the RSU period assigned to itself. The RF unit 22 includes a PA (Power Amplifier), a mixer, a D / A conversion unit, and the like (not shown) as components of the transmission system.

  The modem unit 23 demodulates the baseband packet signal from the RF unit 22 as a reception process. The modem unit 23 outputs the digital data obtained by demodulation to the MAC frame processing unit 24. Further, the modem unit 23 performs modulation on the MAC frame from the MAC frame processing unit 24 as transmission processing. The modem unit 23 outputs the modulated result to the RF unit 22 as a baseband packet signal.

  The communication system 500 according to the present embodiment employs an OFDM (Orthogonal Frequency Division Multiplexing) modulation scheme. In this case, the modem unit 23 performs FFT (Fast Fourier Transform) as the reception process, and executes IFFT (Inverse Fast Fourier Transform) as the transmission process.

  As a reception process, the MAC frame processing unit 24 extracts a MAC frame from the digital data passed from the modem unit 23, extracts an APDU from the extracted MAC frame, and outputs the APDU to the division coupling unit 25. Further, as a transmission process, the MAC frame processing unit 24 adds a MAC header, an LLC header, and an IR information header to the APDU from the division coupling unit 25 to generate a MAC frame. The MAC frame processing unit 24 outputs the generated MAC frame to the modem unit 23. Further, the MAC frame processing unit 24 controls the transmission / reception timing of the packet signal so as not to collide with the packet signal of another base station device 20 or the terminal device 10.

  The division combining unit 25 combines the APDUs passed from the MAC frame processing unit 24 as a reception process, assembles a security frame, and outputs the security frame to the security processing unit 26. Further, as a transmission process, the dividing / combining unit 205 divides the security frame delivered from the security processing unit 26 into APDUs having a size that can be transmitted as packet signals. At this time, the dividing / combining unit 25 adds a combined header necessary for combining in the reception process to the head of the divided security frame.

  The security processing unit 26 generates or interprets a security frame. In this embodiment, in order to pay attention to packet transmission from the base station apparatus 20, hereinafter, attention is paid to processing for generating a security frame. The security processing unit 26 generates a security frame to be output to the splitting / combining unit 25 based on the application data received from the application management unit 27, the secret key received from the certificate authority, the public key certificate, and the like.

  The security processing unit 26 includes a signature unit 261 and a common key encryption unit 262. In this embodiment, the signature unit 261 stores a public key certificate therein. The public key certificate includes a secret key issued by a certificate authority (not shown) and a public key that is paired with the secret key. By making this secret key and public key certificate unique for each base station apparatus 20, security can be improved compared to the common key cryptosystem.

  The signature unit 261 generates a signature for the signature target using a private key held by itself. In the data structure shown in FIG. 5A, signatures for “public key certificate” and “digest” are generated. The common key encryption unit 262 generates and encrypts the MAC for the encryption target by using the communication key shared with the terminal device 10. In the data structure shown in FIGS. 5A and 5B, the MAC for the “payload” is generated, and the “payload” and the “MAC” are encrypted.

  As a reception process, the application management unit 27 receives a verification result and application data from the security processing unit 26 and outputs them to the network communication unit 28 as necessary. Further, the application management unit 27 collects application data from the network communication unit 28 or the data generation unit 29 for each superframe as a transmission process. After selecting application data of the number of data that can be transmitted, the application management unit 27 arranges the selected application data in the order of transmission and outputs the selected application data to the security processing unit 26.

  The network communication unit 28 is connected to the external network 200. The network communication unit 28 receives road information related to construction and traffic jams from the external network 200. Further, the network communication unit 28 outputs the processing result by the application management unit 27 to the external network 200. Alternatively, the processing result is temporarily accumulated in the storage unit 210 and is periodically output to the external network 200.

  The data generation unit 29 generates application data including road information. The data generation unit 29 specifies the data format according to the contents of the application data. The data generation unit 29 outputs the generated application data, its data length, and its data format to the application management unit 27. The storage unit 210 stores various information. The control unit 211 controls processing of the entire base station apparatus 20.

  7A to 7D are diagrams illustrating a flow of data from the network communication unit 28 or the data generation unit 29 to the MAC frame processing unit 24 in the transmission processing of the base station apparatus 20 according to the embodiment. . In the example shown in FIGS. 7A to 7D, the data structures shown in FIGS. 5A to 5B and 4D are assumed. In the figure, APP1-APP3 indicates application data, SH1-SH3 indicates a security header, SF1-SF3 indicates a security footer, and EH1-EH7 indicates a combined header. The numerical value of the subscript indicates the transmission order. The security frame composed of SH1, APP1, and SF1 in FIG. 7C follows the data structure in FIG. 5A, and the security frame composed of SH2, APP2, and SF2 in FIG. 7C and SH3, APP3. , SF3 constituted by the security frame follows the data structure shown in FIG. Further, a data string starting with EH1 to EH7 in FIG. 7D is stored in the APDU in FIG. 4D.

  FIG. 7A shows the output from the network communication unit 28 or the data generation unit 29 to the application management unit 27. Application data is input to the application management unit 27 in the order of APP1, APP3, and APP2.

  FIG. 7B shows an output from the application management unit 27 to the security processing unit 26. The application data APP1-APP3 are rearranged in the order of transmission and output to the security processing unit 26.

  FIG. 7C shows an output from the security processing unit 26 to the division coupling unit 25. The security processing unit 26 adds a security header SH1-SH3 and a security footer SF1-SF3 to each of the application data APP1-APP3, and outputs them to the division coupling unit 25. In the data structure of FIGS. 5A and 5B, the security header SH1 for the head security frame is larger in size than the security headers SH2 and SH3 other than the head.

  FIG. 7 (d) shows the output from the division coupling unit 25 to the MAC frame processing unit 24. The dividing / combining unit 25 divides the first security frame having a large size into five as a dividing process, and does not divide security frames other than the first one having a small size. The division combining unit 25 outputs each security frame after the division processing to the MAC frame processing unit 24 as an APDU. Prior to the output of the APDU to the MAC frame processing unit 24, the division combining unit 25 adds the combination headers EH1-EH7 to the head of each APDU.

  FIG. 8 shows a configuration of the terminal device 10 mounted on the vehicle 100 according to the embodiment. The terminal device 10 includes an antenna 11, a communication unit 12, and an application unit 13. The communication unit 12 notifies the application data received from the application unit 13 via the antenna 11 by inter-vehicle communication. Further, the communication unit 12 receives the packet signal from the other terminal device 10 via the antenna 11 through vehicle-to-vehicle communication, and receives the packet signal (RSU packet) from the base station device 20 through road-to-vehicle communication. The communication unit 12 provides application data extracted from the received packet signal to the application unit 13. The communication unit 12 also reports a verification result that summarizes the results of signature verification and MAC verification included in the security frame.

  First, components of the application unit 13 will be described. The application unit 13 includes a reception processing unit 131, a notification unit 132, a data generation unit 133, a storage unit 134, and a control unit 135.

  The reception processing unit 131 is based on the application data received from the communication unit 12 and the vehicle information of the host vehicle received from the data generation unit 133. The risk of collision, the approach of an emergency vehicle such as an ambulance or a fire engine, and the road in the traveling direction. And estimation of traffic congestion at intersections. The reception processing unit 131 displays the received data on the notification unit 132 if the received data is image information.

  The notification unit 132 includes means for notifying a user such as a monitor, a lamp, and a speaker (not shown). In accordance with an instruction from the reception processing unit 131, the notification unit 132 notifies the driver of the approach of another vehicle (not shown) via the notification unit. In addition, traffic information, image information such as intersections, etc. are displayed on the monitor.

  The data generation unit 133 specifies a current position, a traveling direction, a moving speed, and the like of the vehicle 100 on which the terminal device 10 is mounted based on information supplied from a GPS receiver, a gyroscope, a vehicle speed sensor, and the like (not shown). The current position is indicated by latitude and longitude. Since the method for identifying these pieces of information can be realized by a generally known technique, description thereof is omitted here.

  The data generation unit 133 generates data to be notified to other terminal apparatuses 10 and the base station apparatus 20 based on the specified information, and outputs the data to the communication unit 12. In addition, the data generation unit 133 outputs the specified information to the reception processing unit 131 as vehicle information of the own vehicle. The storage unit 134 stores various information used by the application unit 13. The control unit 135 controls processing of the entire application unit 13.

  Next, components of the communication unit 12 will be described. The communication unit 12 includes an RF unit 121, a modem unit 122, a MAC frame processing unit 123, a division coupling unit 124, a security processing unit 125, a storage unit 126, and a control unit 127.

  The RF unit 121, the modem unit 122, the MAC frame processing unit 123, and the division coupling unit 124 are basically the same as the configuration and operation of the RF unit 22, the modem unit 23, the MAC frame processing unit 24, and the division coupling unit 25 in FIG. To do. Hereinafter, these components will be described focusing on the differences. The storage unit 126 stores various information used in the communication unit 12. The control unit 127 controls processing of the entire communication unit 12.

  The security processing unit 125 generates or interprets a security frame. In this embodiment, in order to pay attention to packet reception from the base station apparatus 20, attention is paid to processing for interpreting a security frame stored in the packet signal. The security processing unit 125 includes a verification unit 1251 and a common key encryption unit 1252.

  The common key encryption unit 1252 performs reception processing using a communication key. That is, decryption of encrypted data and MAC verification are performed using a communication key. In the data structure shown in FIGS. 5A and 5B, decryption of “payload” and “MAC” encrypted using a communication key and MAC verification for “payload” are performed. The MAC verification is a process of generating a MAC for “payload” and confirming whether or not the MAC value matches the value set in “MAC”. If they match, it is determined that the verification is successful.

  The verification unit 1251 verifies the “public key certificate” and the “signature”. In this embodiment, in order to verify the public key certificate, the verification unit 1251 stores therein an authentication key for verifying a public key certificate issued by a not-shown certificate authority. This authentication key is a public key that is paired with the private key used to generate the signature of the public key certificate in the certificate authority.

  The configuration of the MAC frame processing unit 123, the security processing unit 125, the reception processing unit 131, the notification unit 132, the data generation unit 133, the storage unit 126, the storage unit 134, the control unit 127, and the control unit 135 in FIG. Can be realized by an arbitrary processor, memory, or other LSI, and is realized by a program loaded into the memory in terms of software, but here, functional blocks realized by their cooperation are depicted. Accordingly, those skilled in the art will understand that these functional blocks can be realized in various forms by hardware only, software only, or a combination thereof.

  9A to 9D are diagrams illustrating a data flow from the MAC frame processing unit 123 to the application unit 13 in the reception process in the terminal device 10 according to the embodiment. In the example shown in FIGS. 9A to 9D, the data structure shown in FIGS. 5A and 5B is assumed, and the RSU packet including the APDU shown in FIG. 7D is received. FIGS. 9A to 9D are examples in the case where all packet signals in the super frame can be received. In FIGS. 9A to 9D, APP1-APP3, SH1-SH3, SF1-SF3, and EH1-EH7 are the same as FIGS. 7A-D.

  FIG. 9A shows an output from the MAC frame processing unit 123 to the division combining unit 124. Seven APDUs are output. FIG. 9A shows a state where all the RSU packets in the super frame have been received.

  FIG. 9B shows an output from the division coupling unit 124 to the security processing unit 125. The division combining unit 124 removes the combined headers EH1-EH5 of the five APDUs from the top, and combines the APDUs from which the combined headers EH1-EH5 have been removed. This combination is performed based on the information of the combination header. As a result, the top security frames SH1, APP1, and SF1 are restored. Similarly, the subsequent combining unit 124 removes the combined headers EH6 and EH7, and restores the second security frames SH2, APP2, and SF2 and the third security frames SH3, APP3, and SF3, respectively. The division coupling unit 124 outputs the restored three security frames to the security processing unit 125.

  FIG. 9C shows output of application data from the security processing unit 125 to the application unit 13. The security processing unit 125 extracts the application data APP1-APP3 from the security frame and outputs them to the application unit 13 in the order of input.

  FIG. 9D shows the output of the verification result from the security processing unit 125 to the application unit 13. For each of the application data APP1 to APP3 shown in FIG. 9C, the security processing unit 125 transmits information indicating the verification success to the application unit 13.

  10A to 10D are diagrams illustrating another flow of data from the MAC frame processing unit 123 to the application unit 13 in the reception processing in the terminal device 10 according to the embodiment. The examples shown in FIGS. 10A to 10D are examples when the RSU packet including the APDU of FIG. 7D is received on the premise of the data structure of FIGS. 5A and 5B. FIGS. 10A to 10D are examples when packet signals are lost in the wireless communication section in the superframe. Each of FIGS. 10A to 10D shows a data flow between the same functional blocks as those of FIGS. 9A to 9D. In FIGS. 10A to 10D, data indicated by broken lines is missing.

  As shown in FIG. 10A, the packet signal including the third APDU indicated by the broken line is lost in the wireless communication section, and the APDU does not exist. The missing APDU includes APP1 (3/5) which is a part of the application data APP1.

  The division combining unit 124 receives the data shown in FIG. 10A and forms a security frame. The dividing / combining unit 124 outputs the data shown in FIG. 10B without forming a security frame including the missing application data APP1. In the data shown in FIG. 10B, the leading security frame is missing.

  The security processing unit 125 receives the data shown in FIG. 10B, and decomposes and interprets the security frame. The security processing unit 125 can extract the application data APP2 and APP3 included in the subsequent security frame. The security processing unit 125 outputs data shown in FIG.

  In the data structure shown in FIGS. 5A and 5B, if the first security frame is lost, the security processing unit 125 cannot verify the signature of the subsequent security frame. In order to notify the verification failure for all the security frames, the security processing unit 125 outputs the verification result shown in FIG. The application data APP1 is not output to the application unit 13 due to omission, and the signature verification result is not output.

  As described above, in the data structure shown in FIGS. 5A and 5B, if the packet signal constituting the head security frame is lost, the subsequent security frame cannot be verified. Unlike the subsequent security frame, the first security frame includes a public key certificate and a signature. The first security frame has a large overhead, and the probability of missing a packet signal is higher than the subsequent security frame. Hereinafter, a method for correcting this problem by correcting the data structure of the security frame will be described.

  11 (a)-(b) show an improved data structure of the security frame included in the RSU packet. Hereinafter, differences from the data structure of the security frame shown in FIGS. 5A to 5B will be described. 11A shows a security frame transmitted at the beginning of the message, FIG. 11A shows a security frame transmitted at the beginning of the message, and FIG. 11B shows a data structure of a security frame transmitted outside the beginning of the message. . In FIG. 11A, “Digest” in FIG. 5A is changed to “Digest List”, and “List Number” is arranged before “Digest List”. FIG. 11B shows a data structure similar to that shown in FIG.

  In “Number of Lists”, the number of digests set in the “Digest List” is set. This value matches the number of security frames that make up the message. That is, it matches the “number of frames”. Therefore, it is possible to delete the “number of frames” in the data structures of FIG. 11A and FIG. 11B, but in FIG. 11A and FIG. Yes.

  In the “digest list”, a list in which hash values for “digested data” of each security frame belonging to the same message are arranged as a digest in the order of transmission (that is, in order of frame ID) is set.

  Even when the APDU in which the security frame having the data structure shown in FIG. 11A is divided is lost in the wireless communication section, the division combining unit 124 combines the APDUs as much as possible from the head and outputs the combined APDU to the security processing unit 125. . However, the missing APDU is discarded. When the APDU in which the security frame having the data structure shown in FIG. 11B is divided is lost in the wireless communication section, the division combining unit 124 abandons the combination of the APDUs and discards the excess APDU.

  When a security frame having the data structure shown in FIG. 11A is input to the security processing unit 125, the common key encryption unit 1252 performs decryption and MAC verification on the input security frame using a communication key. Do. The common key encryption unit 1252 outputs the decrypted data to the verification unit 1251. Also, the MAC verification result is reported to the application unit 13.

  The verification unit 1251 confirms the validity of the public key certificate set in “public key certificate”. The verification unit 1251 extracts a public key from the public key certificate, and verifies the signature set to “signature” using the public key. When the public key certificate is valid and the signature verification is successful, the entire signature verification is considered successful. When the public key certificate is invalid or signature verification fails, the entire signature verification is considered as failure. When signature verification is completed, the verification unit 1251 stores the signature verification result, the serial number of the public key certificate, the number of lists set in the “number of lists”, and the digest list set in the “digest list”. 126 temporarily evacuates.

  Subsequently, the verification unit 1251 calculates a digest of “digested data” using a hash function. The verification unit 1251 compares the digest at the head of the digest list temporarily saved in the storage unit 126 with the calculated digest. When the signature verification result temporarily saved in the storage unit 126 is successful and the digest comparison results match, the verification unit 1251 reports the final signature verification result to the application unit 13 as success. When the signature verification result temporarily saved in the storage unit 126 fails or the digest comparison results do not match, the final signature verification result is reported as failure.

  When a security frame having the data structure shown in FIG. 11B is input to the security processing unit 125, the common key encryption unit 1252 performs decryption and MAC verification on the input security frame using a communication key. Do. The common key encryption unit 1252 outputs the decrypted data to the verification unit 1251. Also, the MAC verification result is reported to the application unit 13.

  The verification unit 1251 searches the digest list temporarily saved in the storage unit 126 based on the serial number of the public key certificate set in the “public key certificate information”. When there is a digest list temporarily saved in the storage unit 126, the verification unit 1251 applies a hash function to the data set in the “digested data” to obtain a hash value of the data. This hash value is a digest of the data.

  Subsequently, the verification unit 1251 compares the obtained digest with the “frame ID” -th digest in the digest list temporarily saved in the storage unit 126. When the digest list corresponding to the storage unit 126 exists, the signature verification is successful, and the digest comparison results match, the final signature verification result is reported to the application unit 13 as success. If the digest list corresponding to the storage unit 126 does not exist, the signature verification fails even if the digest list exists, or the digest comparison results do not match, the final signature verification result is reported as failure.

  When the security frame having the data structure shown in FIG. 11A is input to the security processing unit 125, the common key encryption unit 1252 outputs the decrypted data to the verification unit 1251 even if the MAC verification fails. Since the block cipher such as AES cipher is used for the common key cipher, when the security frame is an encrypted data format with authentication, the common key encryption unit 1252 decrypts or generates the MAC in units of blocks, and processes the processed block. The data are sequentially output to the verification unit 1251. Since the decrypted data is provided to the verifying unit 1251 without waiting for the MAC verification result, the decrypted data is provided to the verifying unit 1251 even if the MAC verification fails. The verification unit 1251 performs signature verification as long as data can be extracted from the “signed data”. When the security frame is in the data format with authentication, the common key encryption unit 1252 sequentially outputs the processed blocks to the verification unit 1251 while generating the MAC in units of blocks. As a result, the same result as the encrypted data format with authentication can be obtained.

  12A to 12D are diagrams illustrating an improved data flow from the MAC frame processing unit 123 to the application unit 13 in the reception processing in the terminal device 10 according to the embodiment. 12 (a)-(d) is based on the data structure of FIGS. 11 (a)-(b), and is divided into APDUs according to FIGS. 7 (a)-(d), and RSU packets are broadcast. Assuming that The security frame configured by SH1, APP1, and SF1 in FIG. 7C follows the data structure in FIG. 12A, and the security frame configured by SH2, APP2, and SF2 in FIG. 7C and SH3, APP3. , SF3 is configured according to the data structure shown in FIG. Further, a data string starting with EH1 to EH7 in FIG. 7D is stored in the APDU in FIG. 4D. It is an example when a packet signal is lost in the wireless communication section as in FIGS. 10 (a)-(d).

  FIG. 12A is the same as FIG. As shown in FIG. 12B, a part of the security frame having the data structure shown in FIG. 11A at the top is missing. The splitting / combining unit 124 also outputs the partially missing security frame to the security processing unit 125. In the security frame, a part of the application data APP1 and the security footer SF1 are missing, but the security header SH1 is not missing. The security processing unit 125 can acquire “public key certificate”, “number of lists”, “digest list”, and “signature” from the security header SH1. Therefore, signature verification for the application data APP2 and APP3 is possible.

  When the signature verification for the application data APP2 and APP3 is successful, the verification unit 1251 reports to the application unit 13 that the signature verification result of the application data APP2 and APP3 is successful as shown in FIG. Note that the signature verification result of the application data APP1 is not reported due to the partial omission of the application data APP1.

  13A to 13D are diagrams illustrating another flow of improved data from the MAC frame processing unit 123 to the application unit 13 in the reception processing in the terminal device 10 according to the embodiment. The example shown in FIGS. 13A to 13D also assumes the data structure of FIGS. 11A to 11B. FIGS. 13A to 13D are examples in the case where a packet signal different from the missing packet signal shown in FIGS. 10A to 10D and FIGS. 12A to 12D is lost in the wireless communication section. It is.

  As shown in FIG. 13A, the packet signal including the sixth APDU indicated by the broken line is lost in the wireless communication section, and the APDU does not exist. The missing APDU includes application data APP2. As shown in FIG. 13B, the second security frame having the data structure shown in FIG. 11B from the beginning is missing. When the signature verification of the application data APP1 and APP3 is successful, the verification unit 1251 reports to the application unit 13 that the signature verification result of the application data APP1 and APP3 is successful as shown in FIG. Note that the signature verification result of the application data APP2 is not reported due to the lack of the application data APP2.

  Note that the data flow when there is no missing packet signal is the same as that shown in FIGS. The reception processing unit 131 of the application unit 13 receives application data, a signature verification result, and a MAC verification result from the security processing unit 125. The reception processing unit 131 determines whether to adopt application data based on the signature verification result and the MAC verification result. When the signature verification result is successful and the MAC verification is successful, the application data is adopted.

  As a final signature verification result, the security processing unit determines a comprehensive judgment between the signature verification result of the security frame having the data structure of FIG. 11A including the digest list including the digest for the application data of itself and the digest comparison result. 125 is output to the reception processing unit 131, but the security processing unit 125 individually receives the signature verification result, digest comparison result, and MAC verification result of the security frame having the data structure of FIG. You may make it output to 131. FIG. The verification unit 1251 can process the signature verification and the digest comparison independently, and can report the digest comparison result even if the signature is missing. In this case, the reception processing unit 131 adopts the application data when the signature verification result is successful, the digest comparison results match, and the MAC verification is successful. Further, the reception processing unit 131 adopts the application data when the past signature verification result for the same base station apparatus 20 is successful, the digest comparison results are the same, and the MAC verification is successful. If only reliable data is to be used, application data is not used under the latter condition.

  Although the success of the MAC verification result is included in the application data adoption conditions, the MAC verification result may be excluded from the application data adoption conditions in view of the effects of the signature and the digest list. In this case, if the digest comparison results do not match, the application data is determined to be invalid and is not adopted. If the digest comparison results match, the application data adoption / non-adoption is determined based on the signature verification result of any security frame having the data structure shown in FIG. Similarly, if only reliable data is to be adopted, the application data must be successful if the signature verification result of the security frame having the data structure shown in FIG. 11A including the digest list including the digest for the application data is not successful. Is not adopted.

  As described above, according to the present embodiment, overhead can be reduced by adding a public key certificate and an electronic signature only to the first frame among a plurality of frames constituting a message. In addition, a digest for each divided application data is listed instead of the digest for the entire application data and added to the top frame. As a result, it is possible to improve resistance to packet signal loss. That is, if the security header of the first frame is not lost, signature verification can be performed on the remaining data that is not lost even if other data is lost. In this regard, when one digest is added to the entire application data, if a part of the application data is lost, it is impossible to verify the signature of the remaining application data.

  As described above, according to the present embodiment, it is possible to realize a communication system that has low overhead, high communication error tolerance, and can ensure a certain level of security. Therefore, security can be secured efficiently.

  The present invention has been described based on the embodiments. This embodiment is an exemplification, and it will be understood by those skilled in the art that various modifications can be made to combinations of the respective constituent elements and processing processes, and such modifications are also within the scope of the present invention. is there.

  In the above-described embodiment, the frame including the public key certificate, digest list, and signature is arranged at the head of the message. In this regard, the frame is not necessarily limited to being arranged at the head. You may arrange | position after 2nd.

  The outline of one embodiment of the present invention is as follows. A transmission apparatus according to an aspect of the present invention is a transmission apparatus that transmits a first frame and at least one second frame as a unit. The first frame includes a public key certificate used for verification of an electronic signature, a digest list, an electronic signature for the digest list, and application data. The second frame includes information for specifying the public key certificate and application data. The digest list includes a plurality of digests generated for each application data included in the first frame and the second frame constituting one unit.

  The digest may be a hash value generated by applying a hash function to the application data. The first frame may be transmitted to the head of the unit, and at least one second frame constituting the same unit may be transmitted subsequent to the first frame.

  According to this aspect, by adding a digest list including a plurality of digests generated for each of a plurality of application data to the first frame, either of the application data included in the first frame or the second frame is missing. However, the signature verification of the remaining application data is possible. Therefore, it is possible to provide a transmission method with high communication error tolerance.

  A receiving apparatus according to an aspect of the present invention constitutes one unit transmitted from the transmitting apparatus described above, and each receives a first frame and at least one second frame including application data. The first frame is a digest including a public key certificate used for verifying an electronic signature, and a plurality of digests generated for each application data included in the first frame and the second frame constituting the same unit. A list, an electronic signature for the digest list, and application data are included. The second frame includes information for specifying the public key certificate and application data. If a part of the first frame is received in a missing state and the digest list of the first frame is not missing, the digest of the application data included in the second frame is calculated, and the digest and the first frame are calculated. If the corresponding digests in the digest list included in the list match, the application data is determined to be valid.

  According to this aspect, even if a part of the first frame is lost, if the digest list included in the first frame is not lost, the validity of the application included in the second frame can be verified.

  If a part of the first frame is missing and received, and the digest list and electronic signature of the first frame are not missing, the electronic signature contained in the first frame is successfully verified, and the second frame The digest of the application data included in the file is calculated, and if the digest matches the corresponding digest in the digest list included in the first frame, the application data may be determined to be valid.

  According to this aspect, even if a part of the first frame is lost, if the digest list and the electronic signature included in the first frame are not lost, the validity of the application included in the second frame can be verified.

  500 communication system, 100 vehicle, 200 external network, 202 area, 204 area outside, 20 base station device, 21 antenna, 22 RF unit, 23 modem unit, 24 MAC frame processing unit, 25 division coupling unit, 26 security processing unit, 261 Signature unit, 262 Common key encryption unit, 27 Application management unit, 28 Network communication unit, 29 Data generation unit, 210 Storage unit, 211 Control unit, 10 Terminal device, 11 Antenna, 12 Communication unit, 13 Application unit, 121 RF Unit, 122 modem unit, 123 MAC frame processing unit, 124 division combining unit, 125 security processing unit, 1251 verification unit, 1252 common key encryption unit, 126 storage unit, 127 control unit, 131 Reception processing unit, 132 notification unit, 133 data generation unit, 134 storage unit, 135 control unit.

Claims (3)

A wireless device in a communication system using road-to-vehicle communication and vehicle-to-vehicle communication, wherein the first frame and at least one second frame are generated as a unit, and the generated first frame and second frame are generated as a unit. A wireless device that transmits a packet signal including data units divided into sizes that can be transmitted,
The first frame includes a public key certificate used for verification of an electronic signature, a digest list, an electronic signature for the digest list, and a payload including application data and a message authentication code for the payload,
The second frame includes information for specifying the public key certificate, a payload including application data, and a message authentication code for the payload,
The digest list includes a plurality of digests generated for each application data included in the first frame and the second frame constituting one unit,
The wireless device, wherein the public key certificate, the digest list, and the electronic signature included in the first frame are included in one of data units obtained by dividing the first frame.   The wireless device according to claim 1, wherein the digest is a hash value generated by applying a hash function to the application data.   A packet signal including a data unit obtained by dividing the first frame is transmitted to the head of the unit, and a packet signal including a data unit obtained by dividing at least one second frame constituting the same unit The radio apparatus according to claim 1 or 2, wherein the radio apparatus transmits a packet signal including a data unit obtained by dividing one frame.