JP2018032979A - Service provision system and method - Google Patents

Abstract

PROBLEM TO BE SOLVED: To take sufficient security countermeasures even when radio communication other than mobile communication is used in vehicle communication.SOLUTION: In a service provision system, a service provision server generates on-vehicle equipment authentication information, server authentication information, and a communication encryption key respectively from a random number, and distributes multiple combinations consisting of the on-vehicle equipment authentication information, server authentication information, and communication encryption keys to on-vehicle communication equipment via a mobile communication network. The on-vehicle communication equipment stores the distributed multiple combinations, selects one of the multiple combinations, uses the selected combination for equipment authentication and communication encryption with the service provision server via radio communication, uses the combination by switching for each service reception, and discards the used combination. Thus, mutual equipment authentication between the on-vehicle communication equipment and the service provision server, and tapping and alteration of communication, become difficult.SELECTED DRAWING: Figure 1

Description

  Embodiments described herein relate generally to a service providing system and method including a service providing server and an in-vehicle communication device.

  As a system for providing services for vehicles, for example, there are a distribution service for latest traffic information, a distribution service for regional information, and the like. This type of service provision includes an in-vehicle communication device mounted on a vehicle, a service provision server, and a communication environment.

  In recent years, in order to realize this kind of service provision, mounting of mobile communication devices in vehicles and use of wireless communication represented by WiFi have been advanced.

  In mobile communication, communication contents are sufficiently protected by a communication method protected by a dedicated radio base station and a communication provider. However, it is expensive compared to other means.

  On the other hand, wireless communication other than mobile communication, such as WiFi, is cheaper than mobile communication, leading to a reduction in overall operation costs. In addition, the utility value of this type of wireless communication is high as an alternative communication means when the mobile communication network is congested.

  However, in this type of wireless communication performed via an access point, there is an insufficient aspect for protecting communication contents. In other words, access points are provided with various levels of protection by various communication companies, but due to the ease of equipment procurement and installation, the contents of communication by installing fake access points that deceive access points prepared by communication companies There is a risk of interception or interception of communication contents by guidance to a fake service providing server by spoofing address information on the network due to fake DNS installation.

  In addition, the access point can be added, deleted, or changed in position at any time, and the installation equipment and installation time are not limited. Interception of communication contents may be used for obtaining specific vehicle information by content analysis or for illegal use of a service that misrepresents a regular vehicle.

  In order to prevent such interception of communication contents, both the encryption of the communication contents, the validity from the in-vehicle communication device to the service providing server, and the validity from the service providing server to the in-vehicle communication device are confirmed. Mutual device authentication is required.

  Prior art documents relating to encryption of communication contents include Patent Documents 1 to 5. Each of these patent documents discloses a technique related to handling of a communication encryption key.

  For example, Patent Document 1 discloses a technique related to key sharing in communication between a fixed station and a mobile unit with the ETC service in mind. In particular, between a fixed station and a mobile unit, two types of keys, normal key / alternate key, are shared by means different from communication between each other in advance, and the key is revoked when unauthorized use is detected And switch. At the start of communication, communication for sharing information on the key to be used is performed between the fixed station and the mobile unit. However, with the technology disclosed in Patent Document 1, it is difficult to switch keys to prevent unauthorized use until unauthorized use due to leakage of a communication encryption key comes to light. A procedure for sending and receiving is required.

  Patent Document 2 discloses a key sharing method for encrypting transmission contents from a device provided in a traffic light to a vehicle in consideration of a system for receiving traffic signal information by the vehicle. Patent Document 2 describes the encryption of one-way communication with a vehicle for that purpose, and more particularly, a specific example of encryption key distribution from a position immediately before reflecting a special situation of a traffic light. Technology is disclosed. However, encryption key distribution and accompanying vehicle information communication protection are based on the proximity of communication means, and encryption means and encryption key sharing method therefor have been disclosed. Absent. Therefore, in the technique disclosed in Patent Document 2, on the assumption that the position and the number of access points to be used change as in the service providing system, the encryption key distribution means based on the physical arrangement is assumed. Is not suitable, and transmission / reception of the encryption key itself cannot be sufficiently protected.

  Further, in Patent Document 3, in consideration of a transmission / reception system between a radio base station and a mobile communication terminal in mobile communication, protection of communication performed while the mobile communication terminal switches between a plurality of base stations as a communication counter station. Techniques related to this are disclosed. In Patent Document 3, for the purpose, encryption keys are generated and shared based on the sharing of information about mobile units on the assumption that the base station itself is a trusted environment. However, in such a method, when it is difficult to set special requirements for the access point to be used as in the service providing system, it is difficult to provide various types of information. Further, in Patent Document 3, when a base station is regarded as a service providing server, a communication encryption key is generated on the mobile side using random numbers transmitted and received by communication. Therefore, if this random number is intercepted, the encryption key itself can be reproduced, and there is a risk of unauthorized use. Furthermore, mutual device authentication between the vehicle side and the service providing server depends on identification information related to the mobile object that is fixed information, that is, the vehicle. Therefore, if this identification information is leaked, it becomes difficult to take measures until unauthorized use is detected. Furthermore, the generation of the key of the vehicle identification information and the use for device authentication lead to the calculation of the key for communication encryption from the analysis of the contents of communication interception and the individual identification by a third party using the device authentication information. There is also a fear.

  Further, Patent Literature 4 and Patent Literature 5 disclose a system including a communication device mounted on a mobile body, a plurality of access points installed on the ground, an access point control device, and a ground control device. In particular, the access point itself is configured to bear a part of the security function as a component of the system equipment, like the base station of Patent Document 3. Furthermore, as in Patent Document 3, when it is difficult to set special requirements for the access point to be used as in the service providing system, it is difficult to provide various types of information.

  Thus, in any of Patent Documents 1 to 5, there is a problem with security measures. By the way, SSL / TLS is generally used to protect communication on the Internet. In the communication between the in-vehicle communication device mounted on the vehicle by such SSL / TLS and the service providing server, when performing mutual device authentication, not only the server certificate on the server side but also the vehicle side serving as the client Client certificates are also required for in-vehicle communication devices.

  If the client certificate is public, it will be expensive to obtain, and a client certificate renewal mechanism is also required for the vehicle side when it is illegally used. Further, reflecting the complexity of the SSL / TLS communication mechanism, a vulnerability in a library that is widely used as a standard and a vulnerability resulting from the SSL / TLS standard itself have been pointed out (Non-Patent Document 1). ) In case of long-term use, library update and certificate update are indispensable. Furthermore, when considering application to a vehicle, there is a problem that it is not easy to update embedded software in addition to the limitation of computational resources. Therefore, it is desirable that the encryption communication and device authentication mechanism to be implemented be as simple as possible.

Japanese Patent No. 3445490 Japanese Patent No. 4192893 Japanese Patent No. 4619858 Patent No. 5016394 Japanese Patent No. 5503692

SSL / TLS 20 Year History and Trends--JPNIChttps: //www.nic.ad.jp/en/newsletter/No59/0800.html (searched on August 16, 2016)

  In this way, wireless communication such as WiFi that does not require special requirements for access points other than mobile communication is cheaper than mobile communication, but realistic security measures are taken. There is no technology. In terms of WiFi security measures, there is 802.1x. However, in the case of 802.1x, the installation cost is high because it is necessary for the access point itself to support it, and other infrastructure such as a Radius server is required. For this reason, 802.1x is not widely used outside the company.

Therefore, there are five main issues as follows.
(1) To provide a mechanism in which a leaked communication encryption key becomes invalid even if the communication encryption key is leaked and unauthorized use is not revealed (improvement over Patent Document 1 and Patent Document 3).
(2) Even if the communication encryption key is leaked, the unauthorized use is automatically prevented before the unauthorized use is detected. A mechanism that does not require special requirements for the position and number of access points to be used and the physical arrangement is provided (improvement over Patent Document 2, Patent Document 3, Patent Document 4, and Patent Document 5).
(3) Provide a mechanism that does not require information sharing between the access point to be used and the service providing server or the in-vehicle communication device (improvement over Patent Document 3, Patent Document 4, and Patent Document 5).
(4) Provide a mechanism that does not use fixed information for generation of communication encryption keys and device authentication, and makes it difficult for a third party to identify an individual (improvements over Patent Document 3, Patent Document 4, and Patent Document 5).
(5) The mechanism of encrypted communication and device authentication is made as simple as possible, the possibility of occurrence of vulnerability is reduced, and the demand for computer resources is reduced (improvement over non-patent document 1).

  The present invention has been made in view of such circumstances, and sufficient security measures can be taken even in the case where wireless communication other than mobile communication such as WiFi is used in vehicle communication. It is an object to provide a service providing system and method.

  In the service providing system of the embodiment, the service providing server generates in-vehicle device authentication information, server authentication information, and a communication encryption key from random numbers, and the in-vehicle device authentication information, the server authentication information, and the communication encryption A plurality of combinations of keys for use are distributed to the in-vehicle communication device via the mobile communication network. The in-vehicle communication device stores a plurality of distributed combinations, selects one of the plurality of combinations, and authenticates the selected combination with a service providing server via wireless communication and communication encryption. Used to switch the combination for each service enjoyment and discard the used combination. This makes it difficult to perform mutual device authentication and tapping and tampering of communication between the in-vehicle communication device and the service providing server.

It is a functional block diagram which shows the structural example of the service provision system of embodiment. It is a functional block diagram of the service provision system containing the detailed structural example of a vehicle-mounted communication apparatus and a service provision server. It is a data structure figure which shows an example of the key table request data for communication encryption. It is a data structure figure which shows an example of the key table for communication encryption. It is a data structure figure which shows an example of the key information table for communication encryption. It is a flowchart which shows the operation example of the service provision system of embodiment. 10 is a functional block diagram illustrating a schematic configuration example of Embodiment 3. FIG.

  Embodiments of the present invention will be described below with reference to the drawings.

  FIG. 1 is a functional block diagram illustrating a configuration example of a service providing system 1 according to the embodiment of this invention.

  The service providing system 1 according to the present embodiment includes an in-vehicle communication device 10 and a service providing server 20 mounted on a vehicle 2. The in-vehicle communication device 10 and the service providing server 20 communicate via the mobile communication network 30. The in-vehicle communication device 10 communicates with the access point 40 via a wireless communication 50 such as WiFi. The access point 40 communicates with the service providing server 20 via a wide area communication network 60 such as the Internet. In FIG. 1, only one in-vehicle communication device 10 is illustrated, but actually, a plurality of in-vehicle communication devices 10 are similarly communicating with the mobile communication network 30 and the wireless communication 50. .

  FIG. 2 is a functional block diagram of the service providing system 1 including a detailed configuration example of the in-vehicle communication device 10 and the service providing server 20.

  The in-vehicle communication device 10 includes a communication encryption key acquisition processing unit 11, an in-vehicle communication encryption key management processing unit 12, a communication encryption key storage unit 13, a wireless communication detection processing unit 14, an in-vehicle service processing unit 15, and an in-vehicle communication processing unit 15. A side communication processing unit 16 is provided.

  The service providing server 20 includes a communication encryption key generation processing unit 21, a server side communication encryption key management processing unit 22, a communication encryption key storage unit 23, a communication encryption key transmission processing unit 24, a server side communication processing unit 25, And a server-side service providing unit 26.

  Each in-vehicle communication device 10 is pre-assigned with an in-vehicle communication device identifier x for identifying the in-vehicle communication device 10 as written in the communication encryption key table request data A of FIG. The in-vehicle communication device identifier x is used to prevent unauthorized use by a third party in both the in-vehicle communication device 10 and the service providing server 20, for example, in the communication encryption key storage unit 13 and the communication encryption key storage unit 23. Assume that it is stored and stored in a sufficiently protected state.

  The communication encryption key generation processing unit 21 generates a communication encryption key table B as shown in FIG. 4 and a communication encryption key information table C as shown in FIG. The communication encryption key table B includes a creation date date, a table identifier id, a communication encryption key number num, and communication encryption key information info. The table identifier id is an identifier for identifying the communication encryption key table B, and is generated from the random number by the communication encryption key generation processing unit 21. Further, as shown in the communication encryption key information table C of FIG. 5, the communication encryption key generation processing unit 21 uses the combination # consisting of the communication encryption key γ and the in-vehicle device authentication information α and the server authentication information β. Generate a large number using random numbers. For example, when 100 combinations # (# 1 to # 100) are generated, 100 pieces of in-vehicle device authentication information α (α1 to α100) are generated from 100 random numbers, and 100 pieces of 100 random numbers are generated. Server authentication information β (β1 to β100) is generated, 100 communication encryption keys γ (γ1 to γ100) are generated from 100 random numbers, and written in the communication encryption key information table C. When 100 combinations # (# 1 to # 100) are generated in this way, “100” is entered in the communication encryption key number num in the communication encryption key table B. Further, the communication encryption key information info in the communication encryption key table B defines that FIG. 5 is called. The communication encryption key generation processing unit 21 outputs the communication encryption key table B and the communication encryption key information table C thus generated to the server side communication encryption key management processing unit 22.

  The server-side communication encryption key management processing unit 22 uses the communication encryption key table B output from the communication encryption key generation processing unit 21 as a communication encryption key table request stored in the communication encryption key storage unit 23. Of the data A, the data is stored in the communication encryption key storage unit 23 in association with one in-vehicle communication device identifier x. As a result, a unique communication encryption key table B and communication encryption key information table C are assigned to each in-vehicle communication device 10.

  The communication encryption key acquisition processing unit 11 acquires the in-vehicle communication device identifier x from the communication encryption key storage unit 13 and sends it to the communication encryption key transmission processing unit 24 via the mobile communication network 30. By transmitting x, the communication encryption key table B associated with the in-vehicle communication device identifier x and the communication encryption key information table C called to the request are requested. Note that device authentication between the service providing server 20 and the in-vehicle communication device 10 is performed using a function provided in the mobile other communication network 30, for example, authentication using a SIM card and a dedicated closed network.

  Upon receiving the request, the communication encryption key transmission processing unit 24 converts the communication encryption key table B associated with the in-vehicle communication device identifier x and the communication encryption key information table C called into the communication encryption key table C into the communication encryption key. Obtained from the storage unit 23 and sent back to the requesting in-vehicle communication device 10 via the mobile communication network 30.

  In the request-source in-vehicle communication device 10, the communication encryption key acquisition processing unit 11 receives the communication encryption key table B and the communication encryption key information table C and outputs them to the in-vehicle communication encryption key management processing unit 12. .

  The in-vehicle-side communication encryption key management processing unit 12 causes the communication encryption key storage unit 13 to store the communication encryption key table B and the communication encryption key information table C output from the communication encryption key acquisition processing unit 11. . Thereby, the import of the communication encryption key table B and the communication encryption key information table C into the in-vehicle communication device 10 is completed.

  The importing of the communication encryption key table B and the communication encryption key information table C into the in-vehicle communication device 10 may be started from the service providing server 20. This is applied particularly when the communication encryption key table B needs to be updated.

  In the above description, the service providing server 20 generates the communication encryption key table B and the communication encryption key information table C. However, the communication encryption key table B and the communication encryption key information table C can be used as long as the confidentiality sufficient to transmit the communication encryption key table B and the communication encryption key information table C to the in-vehicle communication device 10 can be secured. A communication encryption key table generation server (not shown) for generating the communication encryption key table is generated. The communication encryption key table generation server generates the communication encryption key table B and the communication encryption key information table C. By outputting the communication encryption key table B and the communication encryption key information table C from the table generation server to the in-vehicle communication device 10, the communication encryption key table B and the communication encryption key information table C are transmitted to the in-vehicle communication device 10. May be implemented.

  Next, processing in the case where a service is provided from the service providing server 20 to the in-vehicle communication device 10 side will be described.

  The in-vehicle communication device 10 detects the presence of the access point 40 for the wireless LAN outside the vehicle by the wireless communication detection processing unit 14 via the wireless communication 50 and notifies the in-vehicle side service processing unit 15 of the detection result a. The detection of the access point 40 may be performed by using position information of the access point given in advance, or by monitoring the radio wave and detecting the radio wave of the access point 40.

  In response to this, the in-vehicle side service processing unit 15 instructs the in-vehicle side communication processing unit 16 to establish communication with the access point 40.

  The in-vehicle side communication processing unit 16 checks various terms of the access point 40 and confirms whether an access point name given separately and an encryption key such as WPA2 can be used. If communication cannot be established, the processing described later is not performed.

  If communication can be established, the in-vehicle communication processing unit 16 of the in-vehicle communication device 10 requests the communication encryption key γ from the in-vehicle communication encryption key management processing unit 12.

  The in-vehicle communication encryption key management processing unit 12 that has received the request is unused from the communication encryption key information table C stored in the communication encryption key storage unit 13 (the unused field s in FIG. The first combination # is searched for (“x” instead of “x”), and the in-vehicle device authentication information α and the communication encryption key γ are output to the in-vehicle communication processing unit 16. For example, FIG. 5 shows that the combination # 1 and the combination # 2 are not unused (that is, used), and the combinations # 3 to #N are unused. Therefore, in the case of FIG. 5, the in-vehicle communication encryption key management processing unit 12 searches for the first unused combination # 3 and uses the in-vehicle device authentication information α3 and the communication encryption key γ3 as the in-vehicle communication processing unit. 16 is output.

  When the in-vehicle communication processing unit 16 receives the in-vehicle device authentication information α3 and the communication encryption key γ3 output from the in-vehicle communication encryption key management processing unit 12, the in-vehicle communication device 10 communicates with the access point 40. Preparation is complete.

  The in-vehicle side communication processing unit 16 notifies the in-vehicle side service processing unit 15 that the communication preparation is completed, and the in-vehicle side service processing unit 15 outputs the communication content b associated with the service to the in-vehicle side communication processing unit 16. .

  The in-vehicle communication processing unit 16 connects the communication content b and the in-vehicle device authentication information α3, and encrypts the communication content with the communication encryption key γ3 to create the encrypted information d. Further, the table identifier id is obtained from the communication encryption key table B stored in the communication encryption key storage unit 13 via the in-vehicle communication encryption key management processing unit 12, and the encryption information d is stored in the table identifier. Concatenated information e is created by concatenating with id. This is expressed as follows.

Encryption information d = Enc (communication encryption key γ3, vehicle equipment authentication information α3 | communication content b) (1)
Linked information e (contents to be transmitted to the service providing server 20) = table identifier id | encrypted information d (2)
Here, Enc (y, z) indicates a function for encrypting the contents of z with the key y, and y | z means concatenation of y and z as a byte string. In this embodiment, the encryption method is a common encryption method as long as it is shared so that communication between the in-vehicle communication device 10 and the service providing server 20 is not hindered, and is not limited.

  Then, the in-vehicle communication processing unit 16 transmits the encrypted information d and the connection information e to the service providing server 20 via the wireless communication 50, the access point 40, and the wide area communication network 60.

  The server side communication processing unit 25 receives the encrypted information d and the connection information e transmitted from the in-vehicle side communication processing unit 16. The server side communication processing unit 25 outputs the table identifier id included in the connection information e to the server side communication encryption key management processing unit 22.

  The server-side communication encryption key management processing unit 22 searches the communication encryption key storage unit 23 for the corresponding communication encryption key table B using the output table identifier id, and further associates with the in-vehicle communication key table B. The communication device identifier x is acquired. Then, from the communication encryption key information table C called by the communication encryption key table B, two sets of unused in-vehicle device authentication information α, server authentication information β, and communication encryption key γ are obtained. It outputs to the server side communication processing part 25 in the order stored. For example, in the case of FIG. 5, in-vehicle device authentication information α3, server authentication information β3, and communication encryption key γ3 in combination # 3, in-vehicle device authentication information α4 in combination # 4, server authentication information β4, and The communication encryption key γ4 is output to the server-side communication processing unit 25.

  Subsequently, the server-side communication processing unit 25 obtains the encryption information included in the content received from the in-vehicle communication device 10 from the two sets of communication encryption keys (for example, communication) acquired from the server-side communication encryption key management processing unit 22. The following processing is performed using the encryption key γ3, the communication encryption key γ4), and the in-vehicle device authentication information.

In-vehicle device authentication information AA | Communication content AA = Dec (communication encryption key γ3, encrypted information) (3)
In-vehicle device authentication information BB | communication content BB = Dec (communication encryption key γ4, encryption information) (4)
Here, Dec (y, z) represents a function for decrypting the contents of z with the key y.

  When the in-vehicle device authentication information α3 input from the server-side communication encryption key management processing unit 22 and the in-vehicle device authentication information AA match, the communication encryption key γ3 is used for communication as a subsequent communication encryption key, By setting the combination # 3 of the unused field s in the communication encryption key information table C to “x”, the communication encryption key information table C is updated with the communication encryption key γ3 used. If the in-vehicle device authentication information BB matches the in-vehicle device authentication information α4, the communication encryption key γ4 is used for subsequent communication, and the communication encryption keys γ3 and γ4 are used and the communication encryption key table C is updated. To do.

  If neither the in-vehicle device authentication information α input from the server-side communication encryption key management processing unit 22 matches the in-vehicle device authentication information AA or the in-vehicle device authentication information BB, the mobile communication network 30 The in-vehicle communication device 10 is notified of the error via the, and the in-vehicle communication device 10 cancels the processing, restarts communication after re-selecting the communication encryption key γ, or re-reads the communication encryption key information table C. Carry out acquisition.

  It should be noted that an upper limit of the number of times is set for resuming communication after reselecting the communication encryption key γ, and it is considered that there is a possibility of unauthorized use when a certain number of times is exceeded. Notification to the service providing server 20 may be performed via the communication network 30.

  In the above description, the case where the number of re-selection of the communication encryption key γ has been described as an example, but it may be three times or more, or only once. In the above, as an example, it is described that when the expression (3) is not established, the establishment of the expression (4) is determined, but the determination of the establishment of the expression (3) and (4) The determination of the establishment of the equation may be performed simultaneously.

  Further, in the above description, the in-vehicle communication device 10 performs encryption and the service provision server 20 decrypts as an example. However, the roles of the in-vehicle communication device 10 and the service provision server 20 are switched, and the service provision server 20 performs encryption. The in-vehicle communication device 10 may perform decoding.

  Next, the server-side communication processing unit 25 uses the server authentication information β (server authentication information β3) corresponding to the selected communication encryption key γ (for example, the communication encryption key γ3) as follows. Perform the following process.

Encryption information f = Enc (communication encryption key γ3, vehicle equipment authentication information α3 | server authentication information β3) (5)
Connection information g (contents to be transmitted to the in-vehicle communication device 10) = table identifier id | encrypted information f (6)
Then, the encrypted information f and the connection information g are transmitted to the in-vehicle communication device 10 via the wide area communication network 60, the access point 40, and the wireless communication 50.

  The encryption information f and the connection information g transmitted in this way are received by the in-vehicle communication processing unit 16 of the in-vehicle communication device 10. As shown in the following equation (7), the in-vehicle communication processing unit 16 decrypts the encrypted information f with the communication encryption key γ used for communication with the service providing server 20, and the in-vehicle device authentication information AA. 'And server authentication information BB' are obtained. Whether the in-vehicle device authentication information AA ′ and the server authentication information BB ′ coincide with the combination of the in-vehicle device authentication information α3 and the server authentication information β3 used for communication with the service providing server 20. Determine whether.

In-vehicle device authentication information AA ′ | Server authentication information BB ′ = Dec (communication encryption key γ, encryption information f) (7)
If they match, the communication encryption key γ is already used, and the information in the communication encryption key information table C is updated, that is, the unused field s is updated. Set to “X” to perform subsequent communication.

  In the case of mismatch, it is assumed that unauthorized use is suspected, and the in-vehicle communication device 10 notifies the service providing server 20 via the mobile communication network 30 and does not perform the subsequent processing.

  Next, the service providing server 20 identifies the vehicle by using the in-vehicle communication device identifier x associated with the communication encryption key table B, and the in-vehicle communication device 10 mounted on the identified vehicle. The service is provided via the wireless communication 50. The transmission / reception of the communication content i accompanying the provision of the service to the in-vehicle communication device 10 is performed by the encrypted information h made using the communication encryption key γ, as shown in the following equations (8) and (9). .

Encryption information h = Enc (communication encryption key γ, server authentication information β | communication content i) (8)
Connection information j (contents to be transmitted to the service providing server 20) = table identifier id | encrypted information h (9)
When service provision from the service providing server 20 to the in-vehicle communication device 10 is completed, the service providing server 20 notifies the in-vehicle communication device 10 of the end of the service. Conversely, service termination may be notified from the in-vehicle communication device 10 to the service providing server 20.

  When the service end is notified, the communication encryption key table B and the communication encryption key information table stored in both the issuer and the issue destination, that is, in both the service providing server 20 and the in-vehicle communication device 10. Discard C.

  The in-vehicle-side communication encryption key management processing unit 12 is also configured such that when the remaining number of unused combinations # in the communication encryption key information table C stored in the communication encryption key storage unit 13 becomes a constant value. Then, the communication encryption key acquisition processing unit 11 is activated to request the service providing server 20 to generate a new communication encryption key information table C.

  Further, the communication encryption key table B and the communication encryption key information table C called therein have an expiration date. The in-vehicle-side communication encryption key management processing unit 12 compares the creation date date of the communication encryption key table B with the current date, and when the expiration date is exceeded, regardless of the remaining number of unused combinations # Then, the communication encryption key acquisition processing unit 11 is activated to request the service providing server 20 to generate a new communication encryption key information table C.

  In response to this request, the communication encryption key generation processing unit 21 converts the combination # including the in-vehicle device authentication information α, the server authentication information β, and the communication encryption key γ to random numbers according to the procedure described above. A new communication encryption key information table C is generated, and the communication encryption key table B is updated accordingly and stored in the communication encryption key storage unit 23. The updated communication encryption key table B and the newly generated communication encryption key information table C are sent to the in-vehicle communication device 10 and stored in the communication encryption key storage unit 13 in the procedure described above. Is done.

  The expiration date check may be performed periodically or based on the location information by the in-vehicle communication encryption key management processing unit 12 or when the communication encryption key γ is requested. May be.

  Similarly, on the service providing server 20 side, the server-side communication encryption key management processing unit 22 uses the unused combination # stored in the communication encryption key information table C stored in the communication encryption key storage unit 23. When the remaining number becomes a constant value or when the expiration date is exceeded, the communication encryption key generation processing unit 21 is activated to generate a new communication encryption key information table C, and the communication encryption key The table B may be updated and stored in the communication encryption key storage unit 23 and may be sent to the in-vehicle communication device 10 and stored in the communication encryption key storage unit 13.

  Next, the operation of the service providing system 1 of the present embodiment will be described using the flowchart of FIG.

  The in-vehicle communication device identifier x is stored in advance in the communication encryption key storage unit 13 of the in-vehicle communication device 10 and the communication encryption key storage unit 23 of the service providing server 20.

  First, in the communication encryption key generation processing unit 21 of the service providing server 20, a communication encryption key table B and a communication encryption key information table C are generated (S1).

  Then, the communication encryption key acquisition processing unit 11 of the in-vehicle communication device 10 transmits the communication encryption key table B and the communication from the communication encryption key transmission processing unit 24 of the service providing server 20 via the mobile communication network 30. The encryption key information table C is acquired (S2).

  Next, the in-vehicle communication encryption key management processing unit 12 of the in-vehicle communication device 10 converts the communication encryption key table B and the communication encryption key information table C output from the communication encryption key acquisition processing unit 11 into the communication encryption. Store in the key storage unit 13 (S3).

  Then, the wireless communication detection processing unit 14 of the in-vehicle communication device 10 detects the access point 40 and notifies the in-vehicle side service processing unit 15 (S4).

  Then, the in-vehicle communication processing unit 16 of the in-vehicle communication device 10 establishes communication with the access point 40 (S5), and transmits the communication encryption key information table C to the in-vehicle communication encryption key management processing unit 12. Using the unused communication encryption key γ stored in the communication encryption key information table C, the encrypted information and the link information are transmitted to the service providing server 20 via the access point 40 (S6). .

  In the service providing server 20, the server-side communication processing unit 25 requests the server-side communication encryption key management processing unit 22 for the communication encryption key γ from the received content (S7).

  Then, the in-vehicle communication processing unit 16 of the in-vehicle communication device 10 and the server-side communication processing unit 25 of the service providing server 20 confirm the mutual validity from the communication content (S8).

  Thereafter, in the in-vehicle communication device 10, the processes in steps S9 and S10 described later and the processes in steps S11 and S12 described later are performed in parallel in the service providing server 20.

  In step S9, the in-vehicle communication encryption key management processing unit 12 of the in-vehicle communication device 10 is used, and in step S11, the communication encryption key γ used by the server-side communication encryption key management processing unit 22 of the service providing server 20 is used. Are discarded as used (unused column s in combination # is set to “x”).

  In step S10, the in-vehicle communication processing unit 16 of the in-vehicle communication device 10 and the server-side communication processing unit 25 of the service providing server 20 in step S12 are respectively connected to the in-vehicle side service processing unit 15 and the server-side service processing unit 26. Encrypt / decrypt communication between them.

  Thereafter, the processing on the in-vehicle communication device 10 side and the service providing server 20 side ends (S13), and the service providing server 20 notifies the in-vehicle communication device 10 of the end of the service (S14).

  As described above, in the service providing system 1 according to the present embodiment, the service providing server 20 generates all the information used for authentication and communication encryption of the in-vehicle communication device 10 with random numbers. And the service providing server 20. Therefore, the communication route other than the mobile communication network 30, that is, the equipment on the route through the wireless communication 50, the access point 40, and the wide area communication network 60 is not shared. In addition, since the information used for communication encryption is discarded for each use in both the in-vehicle communication device 10 and the service providing server 20, it is difficult to estimate the communication encryption key. Even if it is leaked, since the communication encryption key is automatically changed with use, it is possible to make it difficult to intercept communication contents.

  Further, since the in-vehicle communication device identifier x of the in-vehicle communication device 10 connected to the vehicle identification is associated with the disposable communication encryption key only on the service providing server 20, the in-vehicle communication device identifier x and the communication encryption key Even if the content of the vehicle is estimated, it is possible to make it difficult to identify the vehicle.

  Furthermore, the highly reliable mobile communication network 30 is transmitted and received between the in-vehicle communication device identifier x, the communication encryption key table B, and the communication encryption key information table C between the in-vehicle communication device 10 and the service providing server 20. On the other hand, since the wireless communication 50 having a lower operation cost is used for transmission / reception of service information, the communication cost can be reduced. In addition, since transmission / reception of the in-vehicle communication device identifier x, the communication encryption key table B, and the communication encryption key information table C has few time restrictions on acquisition, it may be performed over time. Since the body communication network 30 can use a lower-priced low-capacity line, the communication cost can be further reduced.

  In addition, if the communication encryption key table B and the communication encryption key information table C are acquired from the service providing server 20 in advance in the in-vehicle communication device 10, at the time of receiving service provision from the service providing server 20. The communication via the mobile communication network 30 is not essential. For this reason, even if the vehicle is located outside the mobile communication network 30, the system 1 can be applied if the wireless communication 50 can communicate with the service providing server 20.

  Furthermore, in the service providing system 1 of the present embodiment, a common key method using a common communication encryption key is employed for encryption between the in-vehicle communication processing unit 16 and the server side communication processing unit 25. As a result, it is possible to implement simpler than public key methods, thus reducing the possibility of vulnerabilities due to software development and reducing the demand for computer resources such as computing speed / small amount of memory. Is also possible.

  In addition, by sharing a plurality of communication encryption keys γ and in-vehicle device authentication information α in advance by the in-vehicle communication device 10 and the service providing server 20, a communication start procedure for each service provision from the service providing server 20 is performed. It can be omitted.

  In the service providing system 1 according to the present embodiment, the used status (the status of the unused column s) of the combination # of the communication encryption key information table C held by the in-vehicle communication device 10 and the service providing server 20 matches. It is assumed that. Each time the communication encryption key γ is used, the service providing server 20 and the in-vehicle communication device 10 independently check the used state of the communication encryption key γ. A situational mismatch can occur. However, in the service providing system 1, the service providing server 20 decrypts the encrypted communication content with a plurality of communication encryption keys γ, and confirms the plurality of in-vehicle device authentication information α, thereby enabling communication encryption. The service key γ can be specified.

  An embodiment to which the service providing system 1 as described above is applied will be described. In the drawings used for the description of the following embodiments, the same portions as those in FIGS. 1 to 6 are denoted by the same reference numerals, and redundant description is avoided.

  In Example 1, in cooperation with tourist facilities, etc., by stopping at the tourist facilities, etc., the vehicle rental service that provides the latest information, traffic information, preferential ticket services etc. of the surroundings and guides to the tourist facilities, etc. In this example, the service providing system 1 is applied.

  In this embodiment, a preferential ticket service or the like for use in a store is transferred to a user's mobile phone or the like using short-range wireless communication such as Bluetooth (registered trademark). For this reason, in this embodiment, the service providing server 20 in FIG. 1 is a server that provides a partner service, the vehicle 2 is a vehicle that is driven by a user, and the access point 40 is a parking lot of the target tourist facility. The wide area network 60 is a wired line between the WiFi access point 40 and the service providing server 20.

  The in-vehicle communication device 10 stores tourist facility information of a partner. The storage destination may be the communication encryption key storage unit 13, or another storage unit (not shown) may be newly provided in the in-vehicle communication device 10. The communication encryption key table B and the communication encryption key information table C may be stored and stored in the in-vehicle communication device 10 at the time of renting the vehicle, or the mobile communication network 30 may be used while the vehicle 2 is traveling. It may be acquired by the in-vehicle communication device 10 via.

  When the user stops the vehicle 2 in the parking lot attached to the tourist facility, the wireless communication detection processing unit 14 of the in-vehicle communication device 10 detects the presence of the WiFi access point 40, and the in-vehicle side service processing unit 15 After searching for available WiFi access points and establishing communication by the in-vehicle side communication processing unit 16, the in-vehicle side service processing unit 15 uses the name of the access point that uses the service request related to the tourist facility. , Together with vehicle position information and the like, is transmitted to the service providing server 20 via WiFi.

  The service providing server 20 confirms the communication path, and returns a service related to the tourist facility from the access point name, vehicle position information, and the like to the in-vehicle communication device 10 via WiFi.

  Services provided in relation to tourist facilities may vary from facility to facility. For example, in tourist facility Y, a short introduction video is distributed as the latest information on the surrounding area, and a navigation map is displayed. You may issue coupons for mobile phones that can be used occasionally.

  The in-vehicle side service processing unit 15 determines whether or not the tourist facility is a partner based on the location information of the vehicle 2, the nearby WiFi access point name, or the Bluetooth Beacon information, and the like. May be instructed to start communication.

  When the stop is the tourist facility Y, the in-vehicle-side service processing unit 15 can acquire video content using a WiFi line with a low operation cost.

  Even when the stop is a tourist facility Z, the vehicle-side service processing unit 15 can obtain a coupon in the vehicle-mounted communication device 10 from the same mechanism, and the vehicle-mounted communication device 10 continues to use a well-known technology. It is also possible to transmit coupon information to a mobile phone.

  The advantage of this embodiment is that if there is an existing WiFi access point on the tourist facility side, for example, an access point installed by a mobile carrier, no additional equipment or installation equipment is required. It is possible to provide various services without requiring new cost burden on the tourist facility side.

  Further, for the service provider side, the main subject of communication can be realized by WiFi communication with low operation cost, so that the overall operation cost can be suppressed.

  This type of service is also possible using a combination of a mobile phone and an application. However, in the vehicle 2 equipped with the in-vehicle communication device 10, the possibility that the tourist facility can be displayed on the map on the navigation system and the user can be guided is higher than that of the mobile phone, and the user is relatively expensive. The vehicle rental provider who pays the cost and the tourist facility side can work together to provide more attractive services for users.

  In the second embodiment, in the vehicle rental service such as a shared car / rental car, the position on the service provider side when a problem occurs on the vehicle side (accident, breakdown, sudden illness, etc.), or the position grasp for theft prevention, In this example, the service providing system 1 is applied.

  In the present embodiment, the service providing server 20 in FIG. 1 collects location information, and the WiFi access point 40 installed in each place and the service providing server 20 are connected by a wide area network 60 that is a wired line. The configuration is as follows.

  Then, the in-vehicle side service processing unit 15 of the in-vehicle communication device 10 collects position information from the GPS mounted on the vehicle 2 and calculates position information by estimating the vehicle position from information on WiFi access points existing in the vicinity. To do.

  The in-vehicle service processing unit 15 searches for an available WiFi access point (access point 40) from nearby WiFi access points, and calculates after communication is established by the in-vehicle communication processing unit 16. The location information is transmitted to the service providing server 20 using the access point 40 via WiFi.

  The service providing server 20 records the received position information in association with the in-vehicle communication device identifier α that identifies the vehicle 2, and responds to the position of the vehicle 2 in response to a request from the service provider. Thereby, the service provider can use the vehicle position information for displaying the target vehicle position on the map, confirming the movement to the facility / area to the designated position, and responding to the problem.

  The advantage of the present embodiment is that it is possible to grasp the vehicle position using an existing WiFi access point installed by a communication company or the like while making it difficult for a third party to track the vehicle 2.

  When all communication is transmitted / received via the mobile communication network 30, the traffic amount per vehicle position information is small, but the cumulative operation cost due to communication at any time is considerable. It will be a thing. On the other hand, according to the present embodiment, the main subject of communication can be realized by WiFi communication with a low operation cost, so that the entire operation cost can be suppressed.

  Also, in this embodiment, in establishing communication between the in-vehicle communication device 10 and the service providing server 20, complicated procedures for communication encryption key determination and device authentication as seen in SSL / TLS communication are not required. . This is because when a connection from a moving vehicle 2 to a plurality of WiFi access points fixed on the ground is considered, the time consumed for establishing repeated communication is reduced, and as a result, position information can be transmitted. The amount can be increased.

  The same type of location information notification service is also possible using a combination of a mobile phone and an application. However, when considering the vehicle lending service, the target position is not the position of the user or the mobile phone but the position of the vehicle 2. Therefore, a mobile phone that can be moved separately from the vehicle 2 is unsuitable, and it is preferable to apply the system 1 to the in-vehicle communication device 10 installed in the vehicle 2 to collect position information.

  The third embodiment is an example in which a service providing system 1 is used to implement a service for acquiring vehicle information from a vehicle stopped on a site by wireless communication in order to improve services at a gas station or dealers. .

  In the present embodiment, a part of vehicle information is quickly collected by wireless communication, reflected in a service for customers such as oil exchange, and the necessity of acquiring detailed information by another means such as wired is further determined.

  A schematic configuration for this purpose is shown in FIG. The configuration shown in FIG. 7 is a partial modification of the configuration shown in FIG. Accordingly, in the description of the present embodiment as well, the same reference numerals in the drawings used in the description are assigned to the same parts as those in FIGS. 1 to 6 and different points will be described.

  That is, in the configuration shown in FIG. 7, an access point 40 that is a WiFi access point installed in a parking lot or the like of the target facility is provided in a service providing facility 70 that does not exist in FIG. In addition to the access point 40, the service providing facility 70 also includes a service providing device 72 connected to the access point 40 via a wired line. In addition to being able to communicate with the access point 40 via a wired line, the service providing device 72 can also communicate with the service providing server 20 via the wide-area communication network 60 using WiFi. Present service offerings. Here, it is assumed that the service providing server 20 holds information related to the service providing facility 70 and the service providing device 72 in advance.

  When the user stops the vehicle 2 in the parking lot at the gas station / dealer facility, the wireless communication detection processing unit 14 of the in-vehicle communication device 10 detects the presence of the WiFi access point 40, and the in-vehicle service processing unit. 15, search for available WiFi access points, and after communication is established by the in-vehicle side communication processing unit 16, the in-vehicle side service processing unit 15 uses a request for a service related to the service providing facility 70. Along with the access point name, vehicle position information, and the like, it is transmitted to the service providing server 20 via the wide area communication network 60 by WiFi.

  The service providing server 20 confirms the communication path and determines that the service providing device 72 exists in the service providing facility 70 from the access point name, vehicle position information, and the like.

  Next, the service providing server 20 communicates with the service providing device 72 using the information related to the service providing device 72, and uses the in-vehicle device authentication information α, the server authentication information β, and the communication encryption key γ. Send by well-protected communication. In addition, the service providing server 20 instructs the in-vehicle communication device 10 to set the subsequent communication partner as the service providing device 72.

  The in-vehicle communication device 10 encrypts and transmits the vehicle information in the same manner as when transmitting the vehicle information to the service providing server 20.

  The service providing device 72 uses the communication encryption key γ received from the service providing server 20 to decrypt the content received from the in-vehicle communication device 10, obtains necessary vehicle information, and sends it to the person in charge of the service providing facility 72. Present service offerings.

  Thereafter, the in-vehicle communication device 10 and the service providing device 72 perform encrypted communication as necessary.

  The in-vehicle device authentication information α, the server authentication information β, and the communication encryption key γ do not include information for specifying the vehicle 2, and this combination # is discarded after use. It is possible to temporarily use the service providing device 72 that provides the information. As a result, the in-vehicle communication device 10 provides limited information such as the cooling water temperature, the average rotation speed, and the travel distance to the service providing device 72 in a form in which history management is not possible, and the service providing device 72 provides the acquired information to the customer. Can be reflected in services for

  Thus, according to the present embodiment, since the information can be directly delivered from the in-vehicle communication device 10 to the service providing device 72 that the service providing server 20 has approved to provide information, the load on the service providing server 20 Various services can be provided without increasing the service level.

  Although several embodiments of the present invention have been described, these embodiments are presented by way of example and are not intended to limit the scope of the invention. These embodiments can be implemented in various other forms, and various omissions, replacements, and changes can be made without departing from the spirit of the invention. These embodiments and modifications thereof are included in the invention described in the claims and their equivalents, as well as included in the scope and gist of the invention.

DESCRIPTION OF SYMBOLS 1 Service provision system, 2 Vehicle, 10 In-vehicle communication apparatus, 11 Communication encryption key acquisition process part, 12 In-vehicle side communication encryption key management process part, 13 Communication encryption key memory | storage part, 14 Wireless communication detection process part, 15 In-vehicle Side service processing unit, 16 in-vehicle side communication processing unit, 20 service providing server, 21 communication encryption key generation processing unit, 22 server side communication encryption key management processing unit, 23 communication encryption key storage unit, 24 communication encryption key Transmission processing unit, 25 server side communication processing unit, 26 server side service processing unit, 30 mobile communication network, 40 access point, 50 wireless communication, 60 wide area communication network, 70 service providing facility, 72 service providing device.

Claims (7)

A service providing system comprising a service providing server for generating and distributing a communication encryption key, and an in-vehicle communication device capable of communicating with the service providing server via a mobile communication network and wireless communication,
The service providing server generates in-vehicle device authentication information, server authentication information, and a communication encryption key from random numbers, and includes the in-vehicle device authentication information, the server authentication information, and the communication encryption key. A plurality of combinations are distributed to the in-vehicle communication device via the mobile communication network,
The in-vehicle communication device stores the plurality of distributed combinations, selects one of the plurality of combinations, and selects the selected combination with the service providing server via the wireless communication. Used for device authentication and communication encryption, switching the combination for each service enjoyment, discarding the used combination,
A service providing system in which mutual device authentication and tapping and tampering of communication between the in-vehicle communication device and the service providing server are difficult. When the number of stored unused combinations is reduced to a predetermined value, the in-vehicle communication device instructs the service providing server to generate a new combination,
The service providing system according to claim 1, wherein the service providing system generates a new combination according to the instruction and distributes the new combination to the in-vehicle communication device.   The service providing server selects two or more combinations from the stored combinations, and uses the selected combinations to perform decryption processing of encrypted communication contents from the in-vehicle communication device, The service providing system according to claim 1, wherein a correct communication encryption key is determined based on a result of the decryption process.   The in-vehicle communication device selects two or more combinations from the stored combinations, and uses the selected combinations to perform decryption processing of encrypted communication contents from the service providing server, The service providing system according to claim 1, wherein a correct communication encryption key is determined based on a result of the decryption process.   The service providing system according to claim 1, wherein the combination is shared only between the service providing server and the in-vehicle communication device, and not shared with equipment on a communication path of the wireless communication.   The combination is provided with an expiration date, and when the expiration date is exceeded, the service providing server generates a new combination and distributes it to the in-vehicle communication device, thereby providing the service providing server and the in-vehicle communication device. The service providing system according to claim 1, wherein the stored combination is updated. A service providing method implemented by a service providing server that generates and distributes a communication encryption key, and an in-vehicle communication device that can communicate with the service providing server via a mobile communication network and wireless communication,
The service providing server generates in-vehicle device authentication information, server authentication information, and a communication encryption key from random numbers, and includes the in-vehicle device authentication information, the server authentication information, and the communication encryption key. A plurality of combinations are distributed to the in-vehicle communication device via the mobile communication network,
The in-vehicle communication device stores the plurality of distributed combinations, selects one of the plurality of combinations, and selects the selected combination with the service providing server via the wireless communication. Used for device authentication and communication encryption, switching the combination for each service enjoyment, discarding the used combination,
A service providing method in which mutual device authentication and tapping and tampering of communication between the in-vehicle communication device and the service providing server are difficult.