JP2017144843A - Authentication system of industrial vehicle - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide an authentication system of an industrial vehicle which is durable to leakage of information for releasing restriction of a vehicle.SOLUTION: A server 31 comprises: a first disconnection detection part 31a; a disconnection time recording part 31a; and a sending part 31c. A portable terminal 34 comprises: a reception part 34c; and an authentication request part 34a. An industrial vehicle 1 comprises: an operation restriction part 8; a second disconnection detection part 29; a second disconnection time recording part 29 for recording a time when disconnection is performed, when the second disconnection detection part 29 detects disconnection from the server 31; an authentication execution part 29 for, according to request of authentication from the portable terminal 34, performing authentication based on a time when disconnection is performed, recorded by the disconnection time recording part 29; and a control part 29 for making an operation restriction part 8 to start restriction when the second disconnection detection part 29 detects disconnection from the server 31, and making the operation restriction part 8 finish restriction when the authentication execution part 29 succeeds in authentication.SELECTED DRAWING: Figure 1

Description

  The present invention relates to an industrial vehicle authentication system.

An industrial vehicle represented by a hydraulic excavator is often left at the work site after the work is finished when used every day at the work site. Therefore, there is a high risk of being damaged by theft or unauthorized use, and a sufficient security function is required.
As a security function, a function that does not operate an industrial vehicle is known, such as cutting an energization circuit of a starter motor when a theft is detected. Theft is an act involving the movement of an industrial vehicle that is not intended by the owner. By sending the self-location to the management server from a device built in the industrial vehicle, the movement of the industrial vehicle is detected, that is, the theft is detected and stolen. It is possible to track industrial vehicles. However, if the person who performs the theft grasps this mechanism, it is assumed that the transmission of the self-location from the industrial vehicle to the management server is stopped, for example, by destroying the communication device. For this reason, even when communication from the industrial vehicle to the management server is interrupted, it is determined that the vehicle is stolen and measures are taken not to operate the industrial vehicle.
However, when the communication device breaks down or when the industrial vehicle moves to an out-of-communication area where radio waves do not reach, it is determined that the device is stolen and the industrial vehicle cannot be operated. In order to solve this problem, a technology for notifying an authorized user of a release code for releasing the operation stop state of the industrial vehicle and enabling the vehicle even when communication between the management server and the industrial vehicle is impossible is known. . For example, Patent Document 1 discloses that even when a vehicle is out of a wireless communication range, a release code, which is a code for releasing a state where engine start is prohibited, is received from a communication center with a mobile phone, and the mobile phone is connected to the vehicle. An invention is disclosed that cancels the engine start prohibition state of a vehicle by transmitting a cancel code.

JP 2007-30613 A

  In the invention described in Patent Document 1, a change in information for releasing the restriction of the vehicle is not taken into consideration, and it is vulnerable to leakage of information for releasing the restriction of the vehicle.

  The industrial vehicle authentication system according to the present invention includes a server, an industrial vehicle, and a portable terminal. When the server connectable to the industrial vehicle via the network detects that the connection with the industrial vehicle has been disconnected, the first disconnection detection unit detects that the connection with the industrial vehicle has been disconnected. A first disconnection time recording unit that records the time when the connection is disconnected, and a transmission unit that transmits the disconnection time recorded by the first disconnection time recording unit to the mobile terminal. The portable terminal includes a receiving unit that receives a time when the connection is disconnected from the server, and an authentication requesting unit that requests authentication from the industrial vehicle using the time when the connection received from the server is disconnected. The industrial vehicle includes an operation restriction unit that restricts the operation of the actuator of the industrial vehicle, a second disconnection detection unit that detects that the connection with the server has been disconnected, and the second disconnection detection unit that is disconnected from the server. When it is detected that the connection has been disconnected, a second disconnection time recording unit that records the disconnection time and a connection disconnection time recorded by the second disconnection time recording unit in response to an authentication request from the mobile terminal When the authentication execution unit and the second disconnection detection unit detect the disconnection with the server, the restriction by the operation restriction unit is started, and when the authentication execution unit is successfully authenticated, the restriction by the operation restriction unit is ended. And a control unit.

  According to the present invention, the time at which the connection between the excavator and the management server is cut becomes information for authentication for releasing the restricted state of the excavator. That is, when the excavator and the management server communicate with each other, the time at which the connection is disconnected, which is information for authentication, is substantially updated. Therefore, it is robust against leakage of information for authentication.

The block diagram which shows the structure of the authentication system of the industrial vehicle in 1st Embodiment. Hydraulic system diagram of excavator System configuration diagram of control controller Flow chart showing operation of information controller Flow chart showing operation of server controller The flowchart which shows operation | movement of the information controller in 2nd Embodiment. The flowchart which shows operation | movement of the server control part in the modification 1 of 2nd Embodiment. The flowchart which shows operation | movement of the information controller in 3rd Embodiment. The flowchart which shows operation | movement of the server control part in 3rd Embodiment.

(First embodiment)
Hereinafter, a first embodiment in which an industrial vehicle authentication system is applied to a hydraulic excavator will be described with reference to FIGS.
In the present embodiment, the latest time when communication is performed is a shared secret key that dynamically changes.
(Configuration of authentication system)
FIG. 1 is a block diagram showing a configuration of an industrial vehicle authentication system 100 (hereinafter referred to as “authentication system 100”) according to the first embodiment.

  The authentication system 100 includes a hydraulic excavator 1, a management server 31, and a mobile terminal 34. The excavator 1 and the management server 31 are connected by wireless communication. When the excavator 1 cannot communicate with the management server 31, its function is remarkably restricted, and the restriction is released by performing authentication using the portable terminal 34 or by connecting to the management server 31 again. Hereinafter, a state where the function of the excavator 1 is restricted is referred to as a “restricted state”.

In the following description, it is assumed that the user of the hydraulic excavator 1 and the user of the portable terminal 34 are the same person. This user is called an operator.
The hydraulic excavator 1 controls an engine 1a that operates the hydraulic excavator 1, a starter motor 14 that starts the engine 1a, an actuator 26 that is driven to perform work on the hydraulic excavator 1, and the starter motor 14 and the actuator 26. The controller 8, the vehicle communication unit 30 that communicates with the management server 31 and the portable terminal 34, the information controller 29 that determines whether or not the hydraulic excavator 1 is set to the restricted state, and a GPS receiver (not shown) Prepare.
The information controller 29 and the vehicle communication unit 30 are always operating regardless of the operating state of the excavator 1.

  The information controller 29 includes a CPU, a ROM, a RAM, and a flash memory, and executes a program stored in the ROM by expanding it in the RAM. When the communication between the hydraulic excavator 1 and the management server 31 is interrupted due to a malfunction of the communication device or the movement of the hydraulic excavator 1 to an out-of-communication area, this program detects this communication disruption and issues a command to the controller 8. To output the excavator 1 to the restricted state. Details of the operation of this program will be described later. The flash memory of the information controller 29 stores a second key 92, vehicle time information 82, and last update time 82a used for authentication described later. The second key 92 is random data generated at the time of factory shipment of the excavator 1, that is, a random number sequence, and is the same data as the first key 91 stored in the portable terminal 34. The last update time 82a is updated every time communication with the management server 31 is performed, and the latest time when communication is performed is recorded. The last update time 82a is substituted into the vehicle time information 82 under predetermined conditions described later.

The starter motor 14 and the actuator 26 operate based on commands from the controller 8.
When the controller 8 receives a command to shift to the restricted state from the information controller 29, the controller 8 cuts off the power line of the starter motor 14 of the engine 1a and cuts off the power of the hydraulic excavator 1. However, instead of shutting off the power of the hydraulic excavator 1, the operation of the hydraulic excavator 1 may be significantly restricted, for example, by fixing the rotational speed of the engine 1a to the minimum rotational speed.

The management server 31 includes a server control unit 31a, a server storage unit 31b, and a server communication unit 31c. The server storage unit 31b and the server communication unit 31c are connected to the server control unit 31a through a signal line and operate based on a command from the server control unit 31a.
The server control unit 31a includes a CPU, a ROM, and a RAM, and develops and executes a program stored in the ROM on the RAM. The operation of this program will be described later.

The server storage unit 31b is composed of a magnetic disk or a nonvolatile memory. The server storage unit 31b has an area used as the information database 32, and further stores server time information 81 and a last update time 81a. In the information database 32, operation information of a plurality of industrial vehicles communicating with the management server 31 is recorded. The operation information is, for example, latitude / longitude for each time, speed, engine speed, load, fuel remaining amount, and the like. The server time information 81 is information used for authentication described later, and the last update time 81a is substituted according to a predetermined condition. The last update time 81a is the latest time when communication with the excavator 1 is performed.
The server communication unit 31 c performs wireless communication with the excavator 1 and the mobile terminal 34. The wireless communication is, for example, communication using a mobile phone network or communication using an artificial satellite.

The portable terminal 34 includes a portable control unit 34a, a portable storage unit 34b, a portable communication unit 34c, and an input unit (not shown). The portable storage unit 34b and the portable communication unit 34c are connected to the portable control unit 34a through a signal line, and operate based on a command from the portable control unit 34a.
The portable control unit 34a includes a CPU, a ROM, and a RAM. The program stored in the ROM is expanded on the RAM and executed. The operation of this program will be described later.
The portable storage unit 34b is composed of a nonvolatile memory. The portable key 34 and server time information 81 are stored in the portable storage unit 34b. The first key 91 is random data generated in advance, and is the same data as the second key 92 stored in the excavator 1. The first key 91 is information used for authentication described later. The server time information 81 is also information used for authentication, which will be described later, but is appropriately updated, and is received from the management server 31 by a process described later.

The portable communication unit 34 c performs wireless communication with the excavator 1 and the management server 31. However, communication with the hydraulic excavator 1 may be performed by wire.
An input unit (not shown) is constituted by a plurality of buttons, for example. The operator can input an authentication command and an acquisition command for the server time information 81 to the mobile terminal 34 using an input unit (not shown). When the authentication command is input, the portable terminal 34 transmits the first key 91 and the server time information 81 to the excavator 1 and makes an authentication request for releasing the restricted state. The portable terminal 34 acquires the server time information 81 from the management server 31 when an acquisition command for the server time information 81 is input.

(System configuration of hydraulic excavator)
FIG. 2 is a hydraulic system diagram of the excavator 1. In FIG. 2, the output shaft of the engine 1 a is connected to a variable displacement first pump 2, second pump 3, and third pump 4. The pressure oil discharged from each hydraulic pump is sent to a hydraulic circuit 5 including a control valve, and the flow rate and direction are controlled and supplied to the hydraulic cylinder 6 and the hydraulic motor 7.
The control controller 8 controls the engine control calculation unit 8a and the pump control calculation unit 8b. The engine control dial 9 adjusts the command value for the engine speed. The command rotational speed adjusted by the engine control dial 9 is input to the engine control calculation unit 8 a of the controller 8. The engine control calculation unit 8a and the pump control calculation unit 8b calculate command values for driving the hydraulic cylinder 6 and the hydraulic motor 7 in accordance with the sensor signal 11 for measuring the operation pressure of the operation lever device 10 and the pump pressure. To do.

The engine control calculation unit 8a calculates a target engine speed, sends the target engine speed to the ECU 12, which is an engine controller, and the ECU 12 controls the engine speed according to the target engine speed.
The pump control calculation unit 8b sends a necessary pump torque pressure command to the pump regulator 13 that controls the pump discharge flow rate so that a pump flow rate corresponding to the lever operation amount can be obtained.
The starter motor 14 generates the initial rotation of the engine 1a using the battery 15 as a power source, and thereafter continues to rotate by itself. In addition to the above, the battery 15 is used as a power supply voltage for the controller 8, the information controller 29, the vehicle communication unit 30, and the like.

FIG. 3 is a system configuration diagram of the controller 8. The controller 8 includes an input interface 20, an output interface 21, a CPU 22, a ROM 23, and a RAM 24. The controller 8 not only controls the hydraulic system but also collects operation information of the excavator 1 and outputs it to the information controller 29.
The input interface 20 is an interface that connects the input element 25 and the CPU 22 input by an operator's operation, and the output interface 21 is an interface that connects the actuator 26 and the CPU 22.
The ROM 23 stores a control program executed by the CPU 22. The CPU 22 develops the control program in the RAM 24 and executes it.
The monitor controller 27 receives an input element 25 such as a button operated by an operator and an output of a sensor provided in the actuator 26 and transmits the output to the display device 28. The operator can check the state of the vehicle body by looking at the display device 28.

(Overview of operation)
The management server 31 transmits a communication confirmation signal, for example, PING, to the excavator 1 at regular time intervals, for example, every minute. The excavator 1 that has received this updates the last update time 82 a to the current time and transmits the latest operation information to the management server 31. At this time, if the excavator 1 is in the restricted state, the restricted state is released because the communication with the management server 31 has been recovered.
The management server 31 that has received the operation information from the excavator 1 stores the received operation information in the information database 32. Further, since the communication with the excavator 1 has succeeded, the last update time 81a is updated to the current time.

  The last update times 81a and 82a that are updated each time communication is performed in this way are used as shared secret keys that both the excavator 1 and the management server 31 have. However, the communication between the excavator 1 and the management server 31 usually requires time on the order of ms, and the last update time 81a and the last update time 82a do not exactly match. In addition, a situation is assumed in which the clocks of the excavator 1 and the management server 31 are shifted in the ms order. Therefore, in order to make the last update time 81a coincide with the last update time 82a, the granularity of the recording time is made rough. That is, the accuracy of the recording time is lowered, and for example, the time is recorded in units of 1 second or 5 seconds. Thus, by making the time granularity coarse, the last update times 81a and 82a are matched.

When the excavator 1 does not receive communication from the management server 31 for a predetermined time or more, for example, 30 minutes or more, the excavator 1 shifts to a restricted state. At this time, the last update time 82 a is substituted into the vehicle time information 82 to prepare for authentication from the portable terminal 34.
The management server 31 performs the following processing when a state in which a reply of operation information is not received even if a communication confirmation signal is transmitted to the excavator 1 continues for a predetermined time or more, for example, 30 minutes or more. That is, the last update time 81 a is substituted for the server time information 81, and the server time information 81 is transmitted to the mobile terminal 34.

  However, when the operator who is on the hydraulic excavator 1 has the portable terminal 34 and the portable terminal 34 is also in the wireless communication out-of-service area similarly to the hydraulic excavator 1, the portable terminal 34 by the management server 31 is used. The transmission of the server time information 81 to the server fails. In this case, when a transmission request for the server time information 81 is received from the portable terminal 34 later, the server time information 81 is transmitted to the portable terminal 34 again.

When the portable terminal 34 receives the server time information 81 from the management server 31, it makes an authentication request to the hydraulic excavator 1 to release the restricted state. This authentication request is made by transmitting the first key 91 and the server time information 81 to the excavator 1.
The excavator 1 that has received the authentication request from the portable terminal 34 determines whether or not the received first key 91 is equal to the second key 92 stored in the information controller 29, and the received server time information 81 is sent to the information controller 29. It is determined whether or not the vehicle time information 82 is stored. If it is determined that both are equal, the authentication is successful and the restriction state of the excavator 1 is released.

(Flow chart of hydraulic excavator)
FIG. 4 is a flowchart showing the operation of the program executed by the information controller 29.
The information controller 29 of the excavator 1 always operates the following program. The execution subject of each step described below is the CPU of the information controller 29.

In step S101, it is determined whether a communication confirmation signal is received from the management server 31. If it is determined that it has been received, the process proceeds to step S102. If it is determined that it has not been received, the process proceeds to step S106.
In step S102, the current time is substituted for the last update time 82a, and the process proceeds to step S103.
In step S103, the operation information received from the controller 8 is transmitted to the management server 31, and the process proceeds to step S104.
In step S104, the restricted state is released because communication with the management server 31 has been performed. However, no processing is performed when not in the restricted state. Next, the process proceeds to step S105.

In step S105, since it is not necessary to perform authentication, the vehicle time information 82 is deleted, and the program whose operation is represented by the flowchart of FIG. 4 is terminated.
In step S106, which is executed when it is determined that the communication confirmation signal has not been received from the management server 31, the difference between the current time and the last update time 82a is evaluated, and a predetermined time or more from the last update time 82a, for example, 30 minutes. It is determined whether or not the above has elapsed. When it is determined that the predetermined time or more has elapsed, the process proceeds to step S107, and when it is determined that the predetermined time or more has not elapsed, the process proceeds to step S104. The significance of providing this step is to prevent the excavator 1 from entering the restricted state when moving to the out-of-communication area for a short time.

In step S107, a command is output to the control controller 8, the hydraulic excavator 1 is shifted to the restricted state, for example, the power line of the starter motor 14 of the engine 1a is disconnected, and the process proceeds to step S108.
In step S108, in preparation for the authentication request from the portable terminal 34, the last update time 82a is substituted into the vehicle time information 82, and the program whose operation is represented by the flowchart of FIG.

(Management server flowchart)
FIG. 5 is a flowchart showing the operation of the program executed by the server control unit 31a.
The server control unit 31a of the management server 31 always operates the following program. The execution subject of each step described below is the CPU of the server control unit 31a.
In step S201, it is determined whether or not the current time is a timer time, for example, 0 seconds per minute. If it is determined that the timer time is reached, the process proceeds to step S202. If it is determined that the timer time is not reached, the program whose operation is represented by the flowchart of FIG. 5 is terminated.

In step S202, a communication confirmation signal such as PING is transmitted to the excavator 1, and the process proceeds to step S203.
In step S203, it is determined whether operation information has been received from the excavator 1. If it is determined that the operation information has been received, the process proceeds to step S204. If it is determined that the operation information has not been received, the process proceeds to step S207.
In step S204, the operation information received from the excavator 1 is recorded in the information database 32, and the process proceeds to step S205.

In step S205, the current time is substituted for the last update time 81a, and the process proceeds to step S206.
In step S206, since it is not necessary for the portable terminal 34 to request authentication from the excavator 1, the server time information 81 is deleted, and the program whose operation is represented by the flowchart of FIG. 5 is terminated.

In step S207, which is executed when it is determined that the operation information is not received in step S203, the difference between the current time and the last update time 81a is evaluated, and a predetermined time or more, for example, 30 minutes or more have elapsed from the last update time 81a. Judge whether or not. If it is determined that the predetermined time or more has elapsed, the process proceeds to step S208. If it is determined that the predetermined time or more has not elapsed, the process proceeds to step S206. Note that the threshold in this step and the threshold in step S106 in FIG. 4, that is, the “predetermined time” in both steps are the same time.
In step S208, the last update time 81a is substituted into the server time information 81, and the process proceeds to step S209.
In step S209, the server time information 81 is transmitted to the portable terminal 34, and the program whose operation is represented by the flowchart of FIG.

According to the first embodiment described above, the following operational effects are obtained.
(1) The industrial vehicle authentication system 100 includes a management server 31, an industrial vehicle, that is, a hydraulic excavator 1, and a portable terminal 34. The management server 31 that can be connected to the excavator 1 via a network includes a first disconnection detection unit that detects that the connection to the excavator 1 has been disconnected, that is, a server control unit 31a (FIG. 5, steps S203 and S207), When the first disconnection detecting unit detects that the connection with the industrial vehicle is disconnected, a first disconnection time recording unit that records the time when the connection is disconnected, that is, the server control unit 31a (FIG. 5, S205, S208), A server communication unit 31c that transmits to the portable terminal 34 the time when the connection recorded by the first disconnection time recording unit is disconnected. The mobile terminal 34 uses the time when the connection with the excavator 1 is disconnected from the management server 31, that is, the mobile communication unit 34c that receives the server time information 81 and the time when the connection received from the management server 31 is disconnected. An authentication request unit that requests the hydraulic excavator 1 for authentication, that is, a portable control unit 34a is provided. The industrial vehicle, that is, the hydraulic excavator 1 includes an operation limiting unit that limits the operation of the actuator 26 of the industrial vehicle, that is, a second disconnection detection unit that detects that the connection between the control controller 8 and the management server 31 is disconnected, That is, when the information controller 29 (FIG. 4, steps S101 and S106) and the second disconnection detecting unit detect that the connection with the server is disconnected, the time when the connection is disconnected, that is, the vehicle time information 82 is recorded. 2 In accordance with the disconnection time recording unit, that is, the information controller 29 (FIG. 4, steps S102, S108) and the connection recorded by the second disconnection time recording unit in response to a request for authentication from the portable terminal 34. When the authentication execution unit that performs authentication, that is, the information controller 29 and the second disconnection detection unit detect disconnection of the connection with the management server 31 To initiate limited by the work limit unit (Fig. 4, step S107), a control unit for authentication execution unit to terminate the restriction by the operation restriction part successful authentication, i.e. the information controller 29.

  Since the authentication system 100 is configured as described above, the time when the connection between the excavator 1 and the management server 31 is disconnected becomes information for authentication to release the restricted state of the excavator 1. When the excavator 1 and the management server 31 communicate with each other, the time at which the connection is disconnected is substantially updated. Therefore, even if the server time information 81 is leaked, if communication between the excavator 1 and the management server 31 is performed, the vehicle time information 82 used for authentication of the excavator 1 is updated. Since the authentication is not successful, the server time information 81 is robust against leakage. Moreover, according to this system, the information used for authentication can be easily updated.

(2) The portable terminal 34 includes a portable storage unit 34b that stores the first key 91 for authentication. The authentication request unit of the portable terminal 34 requests the hydraulic excavator 1 for authentication using the time when the connection received from the management server 31 is disconnected and the first key information. The industrial vehicle includes an industrial vehicle storage unit that stores a second key 92 for authentication, that is, an information controller 29. The authentication execution unit of the industrial vehicle performs authentication based on the time when the connection recorded by the second disconnection time recording unit is disconnected and the second key 92.
Therefore, since the first key 91 stored in the portable storage unit 34b is also used for authentication, the safety is improved. In particular, since the second key 92 is stored only in the hydraulic excavator 1 and the management server 31 does not have information on the second key 92, the management server 31 is prevented from releasing the restricted state of the hydraulic excavator 1 alone. it can.

(3) The first disconnection time recording unit of the management server 31, that is, the server control unit 31 a and the second disconnection time recording unit of the excavator 1, that is, the information controller 29, indicate the time when the connection was disconnected and finally connected. The time of success.
Therefore, since the communication is a real-time exchange performed between the management server 31 and the information controller 29, a time difference between the time recorded by the management server 31 and the time recorded by the information controller 29 hardly occurs.

(Modification 1)
In the first embodiment described above, a communication confirmation signal is transmitted from the management server 31 to the excavator 1 at a predetermined time. However, the management server 31 may transmit the communication confirmation signal at random timing. For example, when an affirmative determination is made in step S201 in FIG. 5, the communication confirmation signal may be transmitted at random timing by waiting for a random time and then proceeding to step S202.
According to the first modification, it is difficult to predict the timing at which communication is performed, that is, the server time information 81, and safety can be improved. In the first embodiment, since the last communication time is the server time information 81 and the vehicle time information 82, there is no problem even if the regularity of the transmission timing of the communication confirmation signal is lost.

(Modification 2)
In the first embodiment described above, the time at which communication was performed was recorded as the last update time 81a and the last update time 82a. However, the time interval may be determined in advance and shared between the excavator 1 and the management server 31, and the time determined from the time interval may be used as follows. That is, the last update time 81a and the last update time 82a may be set at a predetermined time interval that is visited next to the communication time.

For example, the time recorded as the last update time by the excavator 1 and the management server 31 determines that the time interval is 1 minute. In this case, when the excavator 1 receives a communication confirmation signal from the management server 31 at “10: 2: 30”, the information controller 29 determines as follows. That is, the time set at a predetermined time interval is “10: 2: 0”, “10: 3: 0”, and so on. "Time 3 minute 0 second" is recorded as the last update time 82a.
The predetermined time interval may be stored in the portable storage unit 34b and the information controller 29 together with the first key 91 and the second key 92, or the time interval itself may be used as the first key 91 and the second key 92. It may be stored.

According to the second modification, the following operational effects can be obtained.
(1) The first disconnection time recording unit of the management server 31 and the second disconnection time recording unit of the hydraulic excavator 1 set the time when the connection is disconnected as a time set at a predetermined time interval.
Therefore, when the clock of the excavator 1 and the clock of the management server 31 do not match, the last update time recorded by the excavator 1 and the management server are set by setting the time interval longer than the clock deviation time. The last update time recorded by 31 can be matched.

(Modification 3)
In the first embodiment described above, the authentication is performed using two times, that is, the time when the communication is disconnected and the key information shared in advance. However, the authentication may be performed using only the time when the communication is disconnected without using the key information.
In this case, the excavator 1 may not store the second key 92, and the portable terminal 34 may not store the first key 91. When the portable terminal 34 receives the server time information 81 from the management server 31, the portable terminal 34 transmits the server time information 81 as it is to the hydraulic excavator 1 for authentication. The hydraulic excavator 1 that has received the authentication request from the portable terminal 34 determines whether or not the received server time information 81 is equal to the vehicle time information 82 stored in the information controller 29. The restriction state of the excavator 1 is released.
According to the third modification, the configuration and operation of the authentication system 100 can be simplified.

(Second Embodiment)
With reference to FIG. 6, a second embodiment of the industrial vehicle authentication system will be described. In the following description, the same components as those in the first embodiment are denoted by the same reference numerals, and different points will be mainly described. Points that are not particularly described are the same as those in the first embodiment. This embodiment is different from the first embodiment mainly in that the server time information 81 is processed using the first key 91 and authentication is performed using the processed information.

(Constitution)
The physical configurations of the excavator 1, the management server 31, and the portable terminal 34 are the same as those in the first embodiment. Operations related to authentication of programs executed by the information controller 29 of the excavator 1 and the portable control unit 34a of the portable terminal 34 are different.

(Overview of operation)
The information controller 29 and the portable control unit 34a use a message authentication code for authentication. The message authentication code is used to obtain an output, that is, a MAC value, using a certain input value and key information. For example, the portable control unit 34a calculates a MAC value using the server time information 81 as an input value and the first key 91 as key information, and the information controller 29 uses the vehicle time information 82 as an input value and the second key 92 as key information. Calculate the MAC value. As described in the first embodiment, if normal processing is performed, the server time information 81 and the vehicle time information 82 are equal, and the first key 91 and the second key 92 are equal. Two MAC values are equal.

(Hydraulic excavator operation)
FIG. 6 is a flowchart showing the operation of a program executed by the information controller 29 in the second embodiment.
The difference from the flowchart shown in FIG. 4 in the first embodiment is that step S108A is provided after step S108. Only differences from the first embodiment will be described.
In step S108A executed after step S108, the CPU of the information controller 29 calculates authentication information, that is, a MAC value. This MAC value is calculated using, for example, the vehicle time information 82 as an input value and the second key 92 as key information. The program whose operation is represented by the flowchart of FIG.
When receiving the authentication request, that is, the MAC value from the portable terminal 34, the hydraulic excavator 1 compares the received MAC value with the MAC value calculated in step S108A, and determines that the authentication is successful if the two match, the hydraulic excavator 1 The restriction state 1 is released.

(Management server operation)
The operation of the management server 31 is the same as that of the first embodiment. That is, in terms of authentication, the server time information 81 is transmitted to the portable terminal 34 when a predetermined time or more has elapsed since the last update time 81a.

(Mobile device operation)
When receiving the server time information 81 from the management server 31, the portable control unit 34a of the portable terminal 34 creates authentication information for authentication, that is, a MAC value. For example, the MAC value is calculated using the server time information 81 as an input value and the first key 91 as key information. The portable control unit 34a makes an authentication request by transmitting the MAC value to the excavator 1.
The MAC value calculation method only needs to be unified between the hydraulic excavator and the portable terminal, and the input value and the key information may be interchanged.

  According to the second embodiment described above, since the portable terminal 34 does not need to transmit the first key 91 that is the shared secret key when making an authentication request to the excavator 1, the communication of the authentication request is performed first. There is no risk of the first key 91 leaking by being intercepted by the three parties. Even if the MAC value used as authentication information in this embodiment is intercepted, it is very difficult to guess the first key 91 from the MAC value, and the confidentiality of the first key 91 can be improved.

(Modification 1 of the second embodiment)
In the second embodiment, the mobile terminal 34 generates authentication information. However, the management server 31 may include the second key 92 and the management server 31 may generate authentication information instead of the mobile terminal 34.

(Configuration and operation of hydraulic excavator)
The configuration and operation of the hydraulic excavator 1 are the same as those in the second embodiment.
(Configuration and operation of mobile terminal)
The configuration of the mobile terminal 34 is different from that of the second embodiment in that the first key 91 is not stored in the mobile storage unit 34b. When the authentication information is received from the management server 31, authentication is performed by transmitting the received authentication information to the excavator 1 as it is.

(Management server configuration and operation)
The server storage unit 31b of the management server 31 further stores a first key 91. The operation of the server control unit 31a will be described with reference to FIG.
FIG. 7 is a flowchart illustrating the operation of a program executed by the server control unit 31a in the first modification of the second embodiment.

The difference from the flowchart shown in FIG. 5 in the first embodiment is that step S208A is provided after step S208, and step S209A is provided instead of step S209. Only differences from the first embodiment will be described.
In step S208A executed after step S208, the CPU of the server control unit 31a calculates authentication information, that is, a MAC value. For example, the MAC value is calculated using the server time information 81 as an input value and the first key 91 as key information. Next, the process proceeds to step S209A.

In step S209A, the authentication information created in step S208A, that is, the MAC value is transmitted to the portable terminal 34, and the program whose operation is represented by the flowchart of FIG. 7 is terminated.
According to this modification, the first key 91 is not stored in the mobile terminal 34 and it is difficult to estimate the first key 91 from the authentication information received from the management server 31. There is no risk of information leaking.

According to this modification, the following effects can be obtained.
(1) The management server 31 includes a server storage unit 31b that stores a first key 91 for authentication,
An authentication information creating unit that creates authentication information using the first key 91, that is, a server control unit 31a (step S208A in FIG. 7), is provided. The server communication unit 31 c of the management server 31 transmits the authentication information created by the authentication information creation unit to the mobile terminal 34. The authentication request unit of the portable terminal 34 requests authentication from the excavator 1 using the authentication information received from the management server 31. The excavator 1 includes an industrial vehicle storage unit that stores a second key 92 for authentication, that is, an information controller 29. The authentication execution unit of the excavator 1, that is, the information controller 29 performs authentication based on the time when the connection recorded by the second disconnection time recording unit is disconnected and the second key 92.
Therefore, the first key 91 is not stored in the portable terminal 34, and it is possible to prevent the information of the first key 91 from leaking even if the portable terminal 34 is stolen. The mobile terminal 34 receives the MAC value calculated using the first key 91 from the management server 31, but it is very difficult to infer the first key 91 from the MAC value, and the first key 91 is secured. The

(Modification 2 of the second embodiment)
In the second embodiment described above, authentication information is created using a message authentication code. The first key 91 and the second key 92 are random data. However, the first key 91 and the second key 92 may be information related to time operation, and the time when the server time information 81 and the vehicle time information 82 are operated may be authentication information.
For example, if the first key 91 is “2 hours and 10 minutes forward” and the server time information 81 is “April 1, 2015 23:30:20”, the authentication information is “April 2, 2015 Day 1:40:20 ".
According to this modification, since the authentication information is the time information itself, there is an advantage that it is difficult to notice the presence of the first key 91.

(Third embodiment)
A third embodiment of an industrial vehicle authentication system will be described with reference to FIGS. In the following description, the same components as those in the first embodiment are denoted by the same reference numerals, and different points will be mainly described. Points that are not particularly described are the same as those in the first embodiment. This embodiment is different from the first embodiment mainly in the following two points. The first point is that the time when communication is originally performed and the time when communication is not performed is set as server time information 81 and vehicle time information 82. The second point is that the first key 91 and the second key 92 are not used for authentication.

(Constitution)
The physical configurations of the excavator 1, the management server 31, and the portable terminal 34 are the same as those in the first embodiment. However, the second key 92 is not stored in the excavator 1, and the first key 91 is not stored in either the management server 31 or the portable terminal 34. The operations of the information controller 29 of the excavator 1 and the server control unit 31a of the management server 31 are different from those of the first embodiment.

(Overview of operation)
The excavator 1 and the management server 31 determine the timing for transmitting and receiving a communication confirmation signal in advance. If the excavator 1 fails to receive a communication confirmation signal from the management server 31 at that timing, the excavator 1 shifts to a restricted state and stores the time as vehicle time information 82. If the management server 31 cannot receive the operation information from the excavator 1 even though it has transmitted the communication confirmation signal at a predetermined timing, the management server 31 stores the time as the server time information 81.

(Flow chart of hydraulic excavator)
FIG. 8 is a flowchart showing the operation of a program executed by the information controller 29 in the third embodiment. Since there are a plurality of differences from the flowchart shown in FIG. 4 described in the first embodiment, description will be made in order from the top. However, the description of the steps described in the first embodiment is simplified. The execution subject of each step described below is the CPU of the information controller 29.
In step S121, it is determined whether or not the current time is a timer time, for example, 0 seconds per minute. If it is determined that the timer time is reached, the process proceeds to step S101. If it is determined that the timer time is not reached, the program whose operation is represented by the flowchart of FIG. 8 is terminated.

In step S101, it is determined whether or not a communication confirmation signal has been received from the management server 31. If it is determined that it has been received, the process proceeds to step S103. If it is determined that it has not been received, the process proceeds to step S107.
Steps S103 to S105 are the same as those in the first embodiment, and a description thereof will be omitted.
In step S107, which is executed when it is determined in step S101 that a communication confirmation signal has not been received, a command is output to the controller 8, the hydraulic excavator 1 is shifted to the restricted state, and the process proceeds to step S122.

In step S122, it is determined whether or not any time is set in the vehicle time information 82. When it is determined that the time is set in the vehicle time information 82, the program whose operation is represented by the flowchart of FIG. 8 is terminated. This is to avoid overwriting the vehicle time information 82. When it is determined that the time is not set in the vehicle time information 82, the process proceeds to step S108B.
In step S108B, the current time, that is, the timer time at which step S121 is executed is substituted into the vehicle time information 82, and the program whose operation is represented by the flowchart of FIG. 8 is terminated.

(Management server flowchart)
FIG. 9 is a flowchart illustrating the operation of a program executed by the server control unit 31a in the third embodiment. The difference from the flowchart shown in FIG. 5 described in the first embodiment is that step S205 is omitted and step S206 is executed after step S204, and the processing when step S203 is negatively determined. It is a different point. Hereinafter, a case where a negative determination is made in step S203 will be described.

In step S211, which is executed when a negative determination is made in step S203, it is determined whether or not any time is set in the server time information 81. If it is determined that the time is set in the server time information 81, the program whose operation is represented by the flowchart of FIG. 8 is terminated. This is to avoid overwriting the server time information 81. If it is determined that the time is not set in the server time information 81, the process proceeds to step S208B.
In step S208B, the current time, that is, the timer time at which step S201 is executed is substituted for the server time information 81, and the process proceeds to step S209.
In step S209, the server time information 81 is transmitted to the portable terminal 34, and the program whose operation is represented by the flowchart of FIG. 9 is terminated.

According to the third embodiment described above, the following operational effects can be obtained.
(1) The first disconnection time recording unit of the management server 31, that is, the server control unit 31a, and the second disconnection time recording unit of the excavator 1, that is, the information controller 29, the connection failed, and the connection failed. First time.

The above-described embodiments and modifications may be combined.
In the above-described embodiments and modifications, the present invention is applied to a hydraulic excavator. However, general industrial vehicles including a work vehicle and a construction machine having a traveling device and a working actuator, such as a wheel loader, a dump truck, and a bulldozer. Etc. are also applicable.
Although various embodiments and modifications have been described above, the present invention is not limited to these contents. Other embodiments conceivable within the scope of the technical idea of the present invention are also included in the scope of the present invention.

1… Hydraulic excavator (industrial vehicle)
8 ... Control controller (operation restriction part)
29 ... Information controller (second cutting detection unit, second cutting time recording unit, authentication execution unit, control unit, industrial vehicle storage unit, authentication information creation unit)
31 ... Management server (server)
31a ... Server control unit (first cutting detection unit, first cutting time recording unit)
31b ... Server storage unit 31c ... Server communication unit (transmission unit)
34 ... mobile terminal 34a ... mobile control unit (authentication request unit)
34b ... Portable storage unit (portable terminal storage unit)
34c ... Mobile communication unit (receiving unit)
100 ... Industrial vehicle authentication system

Claims (5)

An industrial vehicle authentication system including a server, an industrial vehicle, and a mobile terminal,
The server that can be connected to the industrial vehicle via a network,
A first disconnection detecting unit for detecting that the connection with the industrial vehicle is disconnected;
A first disconnection time recording unit that records a time when the connection is disconnected when the first disconnection detection unit detects that the connection with the industrial vehicle is disconnected;
A transmission unit that transmits the time at which the connection was disconnected, recorded by the first disconnection time recording unit, to the mobile terminal;
The portable terminal is
A receiving unit for receiving a time when the connection is disconnected from the server;
An authentication requesting unit that requests authentication from the industrial vehicle using the time when the connection received from the server is disconnected;
The industrial vehicle is
An operation restriction unit for restricting the operation of the actuator of the industrial vehicle;
A second disconnection detecting unit for detecting that the connection with the server has been disconnected;
When the second disconnection detecting unit detects that the connection with the server is disconnected, a second disconnection time recording unit that records the time when the connection is disconnected;
In response to the authentication request from the mobile terminal, an authentication execution unit that performs authentication based on the time at which the connection recorded by the second disconnection time recording unit is disconnected;
A control unit configured to start restriction by the operation restriction unit when the second disconnection detection unit detects disconnection of the connection with the server, and to terminate restriction by the operation restriction unit when the authentication execution unit succeeds in authentication. Industrial vehicle authentication system. The industrial vehicle authentication system according to claim 1,
The portable terminal further includes a portable terminal storage unit that stores first key information for authentication,
The authentication request unit of the mobile terminal requests authentication from the industrial vehicle using the time when the connection received from the server is disconnected and the first key information,
The industrial vehicle further includes an industrial vehicle storage unit that stores second key information for authentication,
The industrial vehicle authentication system, wherein the authentication execution unit of the industrial vehicle performs authentication based on the time at which the connection was disconnected recorded by the second disconnection time recording unit and the second key information. The industrial vehicle authentication system according to claim 1,
The server
A server storage unit for storing first key information for authentication;
An authentication information creating unit that creates authentication information using the time when the connection is disconnected and the first key information;
The transmission unit of the server transmits the authentication information created by the authentication information creation unit to the mobile terminal,
The authentication request unit of the mobile terminal requests authentication from the industrial vehicle using the authentication information received from the server,
The industrial vehicle further includes an industrial vehicle storage unit that stores second key information for authentication,
The industrial vehicle authentication system, wherein the authentication execution unit of the industrial vehicle performs authentication based on the time at which the connection was disconnected recorded by the second disconnection time recording unit and the second key information. The industrial vehicle authentication system according to claim 1,
The first disconnection time recording unit of the server and the second disconnection time recording unit of the industrial vehicle use the time when the connection is disconnected as a time set at a predetermined time interval. Authentication system. The industrial vehicle authentication system according to claim 1,
The first disconnection time recording unit of the server and the second disconnection time recording unit of the industrial vehicle indicate the time when the connection was disconnected, the last time when the connection was successful, or the first time when the connection failed Industrial vehicle certification system.

Images