JP2018050334A - Data provision system, data provision device, on-vehicle computer, data provision method, and computer program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To improve reliability of data to be applied to an on-vehicle computer such as an ECU.SOLUTION: An on-vehicle computer 1020 of an automobile 1001 includes a first storage section for storing an initial key generated by a master key and an on-vehicle computer identifier. A data provision device 1300 includes: a second storage section for storing a master key; an initial key generation section for generating an initial key of the on-vehicle computer from an on-vehicle computer identifier and a master key; a first expectation value calculation section for calculating an expectation value of data to be applied to the on-vehicle computer by using an initial key of the on-vehicle computer; and a provision section for providing data to be applied to the on-vehicle computer and an expectation value calculated by the first expectation value calculation section to a vehicle. The on-vehicle computer 1020 includes: a second expectation value calculation section for calculating an expectation value of data provided from the provision section by using an initial key of the first storage section; and an expectation value verification section for comparing an expectation value provided from the provision section with an expectation value calculated by the second expectation value calculation section.SELECTED DRAWING: Figure 5

Description

  The present invention relates to a data providing system, a data providing apparatus, an in-vehicle computer, a data providing method, and a computer program.

  2. Description of the Related Art Conventionally, an automobile has an ECU (Electronic Control Unit), and functions such as engine control are realized by the ECU. The ECU is a kind of computer and realizes a desired function by a computer program. For example, Non-Patent Document 1 discloses a security technique for an in-vehicle control system configured by connecting a plurality of ECUs to a CAN (Controller Area Network).

Keisuke Takemori, “Protection of in-vehicle control systems based on secure elements: Organizing and considering element technologies”, IEICE, IEICE Technical Report, vol. 114, no. 508, pp. 73-78, 2015 March

  One problem has been to improve the reliability of data such as update programs applied to ECUs for in-vehicle control systems of automobiles.

  The present invention has been made in consideration of such circumstances, and is a data providing system, a data providing apparatus, an in-vehicle computer, and data provision that can improve the reliability of data applied to an in-vehicle computer such as an ECU. It is an object to provide a method and a computer program.

(1) One aspect of the present invention includes an in-vehicle computer mounted on a vehicle and a data providing device, and the in-vehicle computer stores an initial key generated from a master key and its own in-vehicle computer identifier. A first storage unit, and the data providing device includes the second storage unit that stores the master key, the in-vehicle computer identifier of the in-vehicle computer, and the master key stored in the second storage unit. An initial key generation unit that generates an initial key of the computer, and a first expected value that calculates an expected value of data applied to the in-vehicle computer using the initial key of the in-vehicle computer generated by the initial key generation unit A calculation unit; and a provision unit that provides the vehicle with data applied to the in-vehicle computer and the expected value calculated by the first expected value calculation unit. The in-vehicle computer includes a second expected value calculation unit that calculates an expected value of the data provided from the providing unit using the initial key stored in the first storage unit, and the providing unit. An expected value verification unit that compares the provided expected value with the expected value calculated by the second expected value calculation unit.
(2) One aspect of the present invention is the data providing system according to (1), wherein the providing unit transmits the data and the expected value to the vehicle via a communication line. .
(3) According to one aspect of the present invention, in the data providing system according to (1), the providing unit transmits the data and the expected value to the vehicle via a diagnostic port of the vehicle. System.
(4) One aspect of the present invention is the data providing system according to (1), wherein the data providing apparatus is provided in the vehicle.
(5) One aspect of the present invention is the data providing system according to (1), wherein the data providing device is a communication device provided in the vehicle.
(6) One aspect of the present invention is the data providing system according to (1), wherein the data providing device is an in-vehicle computer provided in the vehicle.

(7) According to one aspect of the present invention, a second storage unit that stores a master key used together with an in-vehicle computer identifier of the in-vehicle computer in generating an initial key provided in the in-vehicle computer mounted on the vehicle; Using an in-vehicle computer identifier and an initial key generation unit that generates an initial key of the in-vehicle computer from the master key stored in the second storage unit, and an initial key of the in-vehicle computer generated by the initial key generation unit Then, a first expected value calculation unit that calculates an expected value of data applied to the in-vehicle computer, data applied to the in-vehicle computer, and the expected value calculated by the first expected value calculation unit. And a providing unit that provides the vehicle.

(8) According to one aspect of the present invention, in the in-vehicle computer mounted on the vehicle, the first storage unit that stores the initial key generated from the master key and the own in-vehicle computer identifier, and the data provision of (7) above A second expected value calculation unit that calculates the expected value of the data provided from the providing unit of the apparatus by using the initial key stored in the first storage unit; and provided from the providing unit together with the data And an expected value verification unit that compares the expected value calculated by the second expected value calculation unit with the expected value.

(9) One aspect of the present invention is a data providing method of a data providing system including an in-vehicle computer mounted on a vehicle and a data providing device, wherein the in-vehicle computer has a master key and its own in-vehicle computer identifier. A first storage step of storing the initial key generated from the first storage unit, a second storage step of storing the master key in the second storage unit, the data providing device, An initial key generation step of generating an initial key of the in-vehicle computer from the in-vehicle computer identifier of the in-vehicle computer and the master key stored in the second storage unit, and the data providing device includes the initial key generation step A first value for calculating an expected value of data applied to the in-vehicle computer using the generated initial key of the in-vehicle computer A waiting value calculating step, a providing step in which the data providing device provides data applied to the in-vehicle computer and the expected value calculated in the first expected value calculating step to the vehicle; A second expected value calculating step of calculating the expected value of the data provided by the providing step using the initial key stored in the first storage unit; and the in-vehicle computer, the providing step A data providing method including an expected value verification step of comparing the expected value provided by the second expected value calculation step with the expected value calculated by the second expected value calculation step.

(10) One aspect of the present invention is the second memory for storing, in the computer of the data providing apparatus, a master key used together with the in-vehicle computer identifier of the in-vehicle computer in generating an initial key provided in the in-vehicle computer mounted in the vehicle. An initial key generation function for generating an initial key of the in-vehicle computer from a function, an in-vehicle computer identifier of the in-vehicle computer and the master key stored in the second storage function, and the initial key generation function generated by the initial key generation function A first expected value calculation function for calculating an expected value of data applied to the in-vehicle computer using an initial key of the in-vehicle computer, data applied to the in-vehicle computer, and the first expected value calculation function. A computer program for realizing a providing function of providing the calculated expected value to the vehicle A.

(11) According to one aspect of the present invention, a first storage function for storing an initial key generated from a master key and its own in-vehicle computer identifier in an in-vehicle computer mounted on the vehicle, and the above-described (7) A second expected value calculation function for calculating the expected value of the data provided from the providing unit of the data providing apparatus using the initial key stored in the first storage function; together with the data from the providing unit A computer program for realizing an expected value verification function for comparing a provided expected value with the expected value calculated by the second expected value calculation function.

  According to the present invention, it is possible to improve the reliability of data applied to an in-vehicle computer such as an ECU.

It is a figure which shows the structural example of the motor vehicle 1001 which concerns on one Embodiment. It is a figure which shows the structural example of the server apparatus 1300 which concerns on one Embodiment. It is a figure which shows the structural example of 1st ECU1010 which concerns on one Embodiment. It is a figure which shows the structural example of 2nd ECU1020 which concerns on one Embodiment. It is a sequence chart which shows the example of the provision procedure of ECU code which concerns on one Embodiment. It is a figure which shows the structural example of the motor vehicle 1001 which concerns on one Embodiment. It is a figure showing an example of composition of maintenance tool 1200 concerning one embodiment. It is a sequence chart which shows the example of the provision procedure of ECU code which concerns on one Embodiment. It is a figure which shows the structural example of the motor vehicle 1001 which concerns on one Embodiment. It is a figure which shows the structural example of TCU1050 which concerns on one Embodiment. It is a sequence chart which shows the example of the provision procedure of ECU code which concerns on one Embodiment. It is a figure which shows the structural example of 1st ECU1010 which concerns on one Embodiment. It is a sequence chart which shows the example of the provision procedure of ECU code which concerns on one Embodiment.

  Hereinafter, embodiments of the present invention will be described with reference to the drawings. In the following embodiment, a vehicle will be described as an example of a vehicle.

[First Embodiment]
FIG. 1 is a diagram illustrating a configuration example of an automobile 1001 according to the present embodiment. In the present embodiment, a case where data such as an update program is applied to an ECU (electronic control unit) mounted on the automobile 1001 will be described as an example.

  In FIG. 1, an automobile 1001 includes a first ECU 1010 and a plurality of second ECUs 1020. The first ECU 1010 and the second ECU 1020 are in-vehicle computers provided in the automobile 1001. First ECU 1010 is an ECU having a gateway function among ECUs mounted on automobile 1001. The second ECU 1020 is an ECU having functions such as engine control among ECUs mounted on the automobile 1001. Examples of the second ECU 1020 include an ECU having an engine control function, an ECU having a handle control function, and an ECU having a brake control function.

  The first ECU 1010 and the plurality of second ECUs 1020 are connected to a CAN (Controller Area Network) 1030 provided in the automobile 1001. CAN 1030 is a communication network. CAN is known as one of communication networks mounted on vehicles.

  First ECU 1010 exchanges data with each second ECU 1020 via CAN 1030. Second ECU 1020 exchanges data with other second ECU 1020 via CAN 1030.

  In addition, as a communication network mounted on the vehicle, a communication network other than CAN is provided in the automobile 1001, and exchange of data between the first ECU 1010 and the second ECU 1020 via the communication network other than CAN, and Data exchange between the second ECUs 1020 may be performed. For example, the automobile 1001 may include a LIN (Local Interconnect Network). In addition, the automobile 1001 may include CAN and LIN. In addition, the automobile 1001 may include a second ECU 1020 connected to the LIN. The first ECU 1010 may be connected to CAN and LIN. Further, the first ECU 1010 exchanges data with the second ECU 1020 connected to the CAN via the CAN, and also exchanges data with the second ECU 1020 connected to the LIN via the LIN. You may exchange data with. Further, the second ECUs 1020 may exchange data via the LIN.

  The automobile 1001 includes a diagnostic port 1060. As the diagnostic port 1060, for example, an OBD (On-board Diagnostics) port may be used. A diagnostic terminal 1065 can be connected to the diagnostic port 1060. Diagnostic port 1060 is connected to first ECU 1010. The first ECU 1010 and the diagnostic terminal 1065 connected to the diagnostic port 1060 exchange data via the diagnostic port 1060.

  The automobile 1001 includes an infotainment device 1040. Examples of the infotainment device 1040 include a navigation function, a location information service function, a multimedia playback function such as music and video, a voice communication function, a data communication function, and an Internet connection function. The infotainment device 1040 is connected to the first ECU 1010. The first ECU 1010 transmits information input from the infotainment device 1040 to the second ECU 1020.

  The automobile 1001 includes a TCU (Tele Communication Unit) 1050. The TCU 1050 is a communication device. The TCU 1050 includes a communication module 1051. The communication module 1051 performs wireless communication using a wireless communication network. The communication module 1051 includes a SIM (Subscriber Identity Module) 1052. The SIM 1052 is a SIM in which information for using the wireless communication network is written. The communication module 1051 can use the SIM 1052 to connect to the wireless communication network and perform wireless communication. Note that an eSIM (Embedded Subscriber Identity Module) may be used as the SIM 1052.

  The TCU 1050 is connected to the first ECU 1010. The first ECU 1010 exchanges data with the communication module 1051 of the TCU 1050.

  In the configuration of FIG. 1, data is exchanged between the first ECU 1010 and the communication module 1051 by directly connecting the first ECU 1010 and the TCU 1050, but the present invention is not limited to this. For example, the TCU 1050 may be connected to the infotainment device 1040, and the first ECU 1010 may exchange data with the communication module 1051 of the TCU 1050 via the infotainment device 1040. Alternatively, even if the TCU 1050 is connected to the diagnostic port 1060 instead of the diagnostic terminal 1065 and the first ECU 1010 exchanges data with the communication module 1051 of the TCU 1050 connected to the diagnostic port 1060 via the diagnostic port 1060. Good. Alternatively, the first ECU 1010 may include a communication module 1051 including a SIM 1052. When the first ECU 1010 includes the communication module 1051 including the SIM 1052, the automobile 1001 may not include the TCU 1050.

  The first ECU 1010 includes a main computing unit 1011 and an HSM (Hardware Security Module) 1012. The main arithmetic unit 1011 executes a computer program for realizing the function of the first ECU 1010. The HSM 1012 has a cryptographic processing function and the like. HSM 1012 has tamper resistance. The HSM 1012 is an example of a secure element (Secure Element: SE). The HSM 1012 includes a storage unit 1013 that stores data such as keys. The main arithmetic unit 1011 uses an HSM 1012.

  The second ECU 1020 includes a main computing unit 1021 and a SHE (Secure Hardware Extension) 1022. The main computing unit 1021 executes a computer program for realizing the function of the second ECU 1020. The SHE 1022 has a cryptographic processing function and the like. SHE1022 has tamper resistance. SHE1022 is an example of a secure element. The SHE 1022 includes a storage unit 1023 that stores data such as keys. The main computing unit 1021 uses SHE1022.

  An in-vehicle computer system 1002 provided in the automobile 1001 is configured by connecting a first ECU 1010 and a plurality of second ECUs 1020 to a CAN 1030. The first ECU 1010 has a gateway function and monitors communication between the inside and the outside of the in-vehicle computer system 1002. In the present embodiment, the in-vehicle computer system 1002 functions as an in-vehicle control system for the automobile 1001.

  In the following description, when the first ECU 1010 and the second ECU 1020 are not particularly distinguished, they are simply referred to as an ECU.

  Server device 1300 sends and receives data to and from communication module 1051 of TCU 1050 of automobile 1001 via a communication line. Server apparatus 1300 transmits and receives data to and from communication module 1051 via a wireless communication network used by communication module 1051 of TCU 1050 of automobile 1001. Alternatively, the server device 1300 may transmit / receive data to / from the communication module 1051 via a communication network such as the Internet and the wireless communication network. Further, for example, the server device 1300 and the communication module 1051 may be connected by a dedicated line such as a VPN (Virtual Private Network) line, and data may be transmitted and received through the dedicated line. For example, a dedicated line such as a VPN line may be provided by a wireless communication network corresponding to the SIM 1052.

  Server device 1300 provides vehicle 1001 with an ECU code applied to the ECU. The ECU code is an example of data applied to the ECU. The ECU code may be a computer program such as an update program installed in the ECU, or may be setting data such as a parameter setting value set in the ECU.

  FIG. 2 is a diagram illustrating a configuration example of the server device 1300. In FIG. 2, the server device 1300 includes a communication unit 11, a storage unit 12, an expected value calculation unit 13, a verification unit 14, and an initial key generation unit 15. The communication unit 11 communicates with other devices via a communication line. The storage unit 12 stores data such as keys. The expected value calculation unit 13 calculates an expected value for the ECU code. The verification unit 14 verifies an electronic signature or the like. The initial key generation unit 15 generates an initial key for the ECU.

  The functions of the server device 1300 are realized by a CPU provided in the server device 1300 executing a computer program. The server device 1300 may be configured using a general-purpose computer device, or may be configured as a dedicated hardware device.

  FIG. 3 is a diagram illustrating a configuration example of the first ECU 1010. In FIG. 3, the first ECU 1010 includes a main computing unit 1011, an HSM 1012, and an interface unit 20. The main computing unit 1011 includes a control unit 21 and a storage unit 22. The HSM 1012 includes a storage unit 1013, an expected value calculation unit 31, and a verification unit 32.

  The interface unit 20 includes an interface for transmitting / receiving data via the CAN 1030, an interface for transmitting / receiving data to / from the infotainment device 1040, an interface for transmitting / receiving data to / from the TCU 1050, and an interface for transmitting / receiving data via the diagnostic port 1060. Prepare. The main computing unit 1011 transmits / receives data to / from devices other than the first ECU 1010 via the interface unit 20.

  The control unit 21 controls the first ECU 1010. The storage unit 22 stores data. The storage unit 1013 stores data such as keys. The expected value calculation unit 31 calculates an expected value of data such as an ECU code. The verification unit 32 verifies the expected value.

  FIG. 4 is a diagram illustrating a configuration example of the second ECU 1020. In FIG. 4, the second ECU 1020 includes a main computing unit 1021, a SHE 1022, and an interface unit 40. The main computing unit 1021 includes a control unit 41 and a storage unit 42. The SHE 1022 includes a storage unit 1023, an expected value calculation unit 51, and a verification unit 52.

  The interface unit 40 includes an interface that transmits and receives data via the CAN 1030. The main computing unit 1021 transmits and receives data to and from devices other than the second ECU 1020 through the interface unit 40.

  The control unit 41 controls the second ECU 1020. The storage unit 42 stores data. The storage unit 1023 stores data such as keys. The expected value calculation unit 51 calculates an expected value of data such as an ECU code. The verification unit 52 verifies the expected value.

  Next, an example of a procedure for providing the ECU code according to the present embodiment will be described with reference to FIG. FIG. 5 is a sequence chart illustrating an example of a procedure for providing an ECU code. In the example of the ECU code providing procedure shown in FIG. 5, the ECU code applied to the second ECU 1020 is taken as an example, but the ECU code applied to the first ECU 1010 is also applied to the ECU code. The same procedure can be applied only by becoming the first ECU 1010.

  In FIG. 5, the server device 1300 includes a master key Master_Secret and a server public key certificate Cert_sv. The master key Master_Secret and the server public key certificate Cert_sv are stored in the storage unit 12. However, the master key Master_Secret is preferably stored in a secure storage area in the storage area of the storage unit 12.

  The SHE 1022 of the second ECU 1020 includes the initial key Key_ecu of the second ECU 1020. The initial key Key_ecu of the second ECU 1020 is stored in the storage unit 1023 of the SHE 1022 of the second ECU 1020. The initial key Key_ecu of the second ECU 1020 is written in advance in the SHE 1022 of the second ECU 1020. For example, when the second ECU 1020 is manufactured, the initial key Key_ecu is written in the SHE 1022 of the second ECU 1020.

  A method for generating the initial key Key_ecu is determined in advance. In the present embodiment, as an example of a method for generating the initial key Key_ecu, a digest value is calculated from a master key Master_Secret and an ECU identifier (ECU identifier) ECU_ID. In the present embodiment, the initial key Key_ecu of the second ECU 1020 is a digest value calculated using the master key Master_Secret and the ECU identifier ECU_ID of the second ECU 1020. Examples of the digest value include a value calculated by a hash function and a value calculated by an exclusive OR operation.

  Note that the initial key Key_ecu of the first ECU 1010 is also stored in advance in the HSM 1012 of the first ECU 1010 in the same manner as the second ECU 1020. The initial key Key_ecu of the first ECU 1010 is stored in the storage unit 1013 of the HSM 1012 of the first ECU 1010.

(Step S101) The ECU code to be provided to the automobile 1001 is preliminarily attached with an electronic signature using a private key corresponding to the server public key certificate Cert_sv. The verification unit 14 of the server device 1300 verifies the electronic signature attached to the ECU code provided to the automobile 1001 using the server public key certificate Cert_sv stored in the storage unit 12. If the verification of the electronic signature is successful, the server apparatus 1300 advances the process to step S102 and subsequent steps. On the other hand, the server device 1300 stops providing the ECU code when the verification of the electronic signature fails. When the ECU code provided to the automobile 1001 is valid, the electronic signature need not be verified.

(Step S102) Communication unit 11 of server device 1300 transmits to ECU 1001 a request message (ECU identifier request message) of ECU identifier ECU_ID of second ECU 1020 to which the ECU code is applied. In the automobile 1001, the ECU identifier request message received by the communication module 1051 is transferred to the second ECU 1020 to which the ECU code is applied via the first ECU 1010.

(Step S103) Upon receiving the ECU identifier request message, the control unit 41 of the second ECU 1020 returns its own ECU identifier ECU_ID. The ECU identifier ECU_ID of the second ECU 1020 is transferred to the communication module 1051 via the first ECU 1010. The communication module 1051 transmits the transferred ECU identifier ECU_ID to the server device 1300. The server device 1300 receives the ECU identifier ECU_ID transmitted from the communication module 1051, that is, the ECU identifier ECU_ID of the second ECU 1020 to which the ECU code is applied, by the communication unit 11.

  When server device 1300 acquires the ECU identifier ECU_ID of second ECU 1020 to which the ECU code is applied in advance, steps S102 and S103 described above are not necessary. For example, when the server apparatus 1300 manages a list of ECU identifiers ECU_ID of the second ECU 1020 of the automobile 1001, the server apparatus 1300 uses the ECU identifier of the second ECU 1020 to which the ECU code is applied from the list. ECU_ID may be acquired.

(Step S104) The initial key generation unit 15 of the server apparatus 1300 uses the master key Master_Secret stored in the storage unit 12 and the ECU identifier ECU_ID of the second ECU 1020 to which the ECU code is applied, to the ECU An initial key Key_ecu of the second ECU 1020 to which the code is applied is generated.

(Step S <b> 105) The expected value calculation unit 13 of the server device 1300 calculates the expected value of the ECU code provided to the automobile 1001 using the initial key Key_ecu generated by the initial key generation unit 15. In the present embodiment, CMAC (Cipher-based Message Authentication Code) is used as an example of an expected value. Therefore, the expected value calculation unit 13 calculates the CMAC of the ECU code to be provided to the automobile 1001 using the initial key Key_ecu generated by the initial key generation unit 15.

(Step S106) The communication unit 11 of the server apparatus 1300 transmits the ECU code and the CMAC of the ECU code calculated by the expected value calculation unit 13 to the automobile 1001. In the automobile 1001, the ECU code received by the communication module 1051 and the CMAC of the ECU code are transferred via the first ECU 1010 to the second ECU 1020 to which the ECU code is applied.

(Step S107) When the control unit 41 of the second ECU 1020 receives the ECU code and the CMAC of the ECU code, the control unit 41 passes the ECU code to the SHE 1022 and requests calculation of the CMAC. The expected value calculation unit 51 of the SHE 1022 calculates the CMAC of the ECU code using the initial key Key_ecu stored in the storage unit 1023. The SHE 1022 passes the CMAC calculated by the expected value calculation unit 51 to the control unit 41.

(Step S108) The control unit 41 of the second ECU 1020 compares the CMAC received together with the ECU code via the first ECU 1010 with the CMAC calculated by the SHE 1022. As a result of the comparison, if the two match, the CMAC verification is passed, and if the two do not match, the CMAC verification fails. When the verification of the CMAC is successful, the control unit 41 proceeds with the process after step S109. On the other hand, when the verification of the CMAC fails, the control unit 41 stops the application of the ECU code.

(Step S109) The control unit 41 of the second ECU 1020 applies the ECU code received via the first ECU 1010. In addition, the control unit 41 passes the CMAC received together with the ECU code via the first ECU 1010 to the SHE 1022, and requests that the CMAC be registered in the secure boot expected value. In response to the request, the SHE 1022 registers the CMAC in the secure boot expected value.

(Step S110) The control unit 41 of the second ECU 1020 performs a secure boot after the application of the ECU code. In this secure boot, the control unit 41 passes the ECU code to the SHE 1022 and requests CMAC verification in the secure boot. The verification unit 52 of the SHE 1022 calculates the CMAC of the ECU code using the initial key Key_ecu stored in the storage unit 1023. Next, the verification unit 52 of the SHE 1022 compares the CMAC of the calculation result with the secure boot expected value. As a result of the comparison, if the two match, the CMAC verification in the secure boot is passed, and if the two do not match, the CMAC verification in the secure boot fails. The SHE 1022 responds to the control unit 41 with the CMAC verification result in the secure boot. The control unit 41 advances the execution of the ECU code when the CMAC verification in the secure boot is acceptable. On the other hand, when the verification of CMAC in the secure boot fails, the control unit 41 stops the execution of the ECU code.

(Step S111) The control unit 41 of the second ECU 1020 transmits the CMAC verification result in the secure boot to the first ECU 1010. The CMAC verification result in the secure boot is transferred to the communication module 1051 via the first ECU 1010. The communication module 1051 transmits the CMAC verification result in the transferred secure boot to the server apparatus 1300. The server apparatus 1300 receives the CMAC verification result in the secure boot transmitted from the communication module 1051 by the communication unit 11.

(Step S112) The verification unit 14 of the server apparatus 1300 determines whether the application of the ECU code provided to the automobile 1001 is successful based on the CMAC verification result in the secure boot received from the communication module 1051 of the automobile 1001. When the verification result of CMAC in secure boot is acceptable, the application of the ECU code is successful, and when the verification result of CMAC in secure boot is unacceptable, the application of the ECU code is unsuccessful.

  Note that the control unit 41 of the second ECU 1020 may include the CMAC calculated by the SHE 1022 in step S107 in the CMAC verification result in the secure boot. In this case, the verification unit 14 of the server device 1300 compares the CMAC included in the CMAC verification result in the secure boot with the CMAC of the ECU code transmitted together with the ECU code to the automobile 1001 in step S106, and the comparison result The success or failure of application of the ECU code provided to the automobile 1001 may be determined based on this. When the comparison result is coincident, the application of the ECU code is successful, and when the comparison result is not coincident, the application of the ECU code is unsuccessful.

  According to the first embodiment described above, the server apparatus 1300 generates an initial key of the ECU to which the ECU code is applied, generates an expected value of the ECU code using the generated initial key, The generated expected value is provided to the automobile 1001. The ECU of the automobile 1001 verifies the expected value received together with the ECU code using its own initial key. Thereby, the reliability of the ECU code applied to the ECU of the automobile 1001 can be improved.

  In the first embodiment, the server device 1300 corresponds to a data providing device, and the communication unit 11 corresponds to a providing unit. In the example of FIG. 5 described above, the control unit 41 of the second ECU 1020 corresponds to an expected value verification unit.

[Second Embodiment]
FIG. 6 is a diagram illustrating a configuration example of an automobile 1001 according to the present embodiment. In the present embodiment, a case where data such as an update program is applied to an ECU (electronic control unit) mounted on the automobile 1001 will be described as an example.

  In FIG. 6, parts corresponding to those in FIG. In the configuration example of the automobile shown in FIG. 6, a maintenance tool 1200 can be connected to the diagnosis port 1060. The first ECU 1010 and the maintenance tool 1200 connected to the diagnostic port 1060 exchange data via the diagnostic port 1060. The maintenance tool 1200 may have a function of a conventional diagnostic terminal connected to the OBD port.

  The maintenance tool 1200 includes a control module 1201. The control module 1201 includes an IC (Integrated Circuit) chip 1202. The IC chip 1202 includes a storage unit 1203 that stores data such as keys. The IC chip 1202 has tamper resistance. The IC chip 1202 is an example of a secure element. The IC chip 1202 is a kind of computer and realizes a desired function by a computer program.

  The server apparatus 1300 transmits and receives data to and from the maintenance tool 1200 via a communication line. For example, the server apparatus 1300 and the maintenance tool 1200 may be connected by a dedicated line such as a VPN line, and data may be transmitted / received through the dedicated line.

  Server device 1300 provides ECU code applied to the ECU to maintenance tool 1200. The ECU code is an example of data applied to the ECU. The ECU code may be a computer program such as an update program installed in the ECU, or may be setting data such as a parameter setting value set in the ECU.

  FIG. 7 is a diagram illustrating a configuration example of the maintenance tool 1200. In FIG. 7, the maintenance tool 1200 includes a communication unit 61, a diagnostic port interface 62, and a control module 1201. The control module 1201 includes a control unit 71 and an IC chip 1202. The IC chip 1202 includes a storage unit 1203, an expected value calculation unit 73, a verification unit 74, and an initial key generation unit 75. The communication unit 61 communicates with other devices via a communication line. The diagnostic port interface 62 transmits / receives data to / from other devices via the diagnostic port 1060 of the automobile 1001.

  The control unit 71 controls the maintenance tool 1200. The storage unit 1203 stores data such as keys. The expected value calculation unit 73 calculates an expected value for the ECU code. The verification unit 74 verifies an electronic signature or the like. The initial key generation unit 75 generates an initial key for the ECU.

  The function of the control unit 71 is realized by a CPU provided in the control unit 71 executing a computer program. The function of the IC chip 1202 is realized by the CPU provided in the IC chip 1202 executing a computer program.

  Next, an example of a procedure for providing an ECU code according to the present embodiment will be described with reference to FIG. FIG. 8 is a sequence chart showing an example of a procedure for providing an ECU code. In the example of the ECU code providing procedure shown in FIG. 8, the ECU code applied to the second ECU 1020 is taken as an example, but the ECU code applied to the first ECU 1010 is also applied to the ECU code. The same procedure can be applied only by becoming the first ECU 1010.

  In FIG. 8, the server apparatus 1300 includes a server secret key Key_sv_s. The server secret key Key_sv_s is stored in the storage unit 12. The IC chip 1202 of the control module 1201 includes a master key Master_Secret and a server public key certificate Cert_sv. The server public key certificate Cert_sv is a public key certificate corresponding to the server private key Key_sv_s. The master key Master_Secret and the server public key certificate Cert_sv are stored in the storage unit 1203.

  The SHE 1022 of the second ECU 1020 includes the initial key Key_ecu of the second ECU 1020. The initial key Key_ecu of the second ECU 1020 is stored in the storage unit 1023 of the SHE 1022 of the second ECU 1020. The initial key Key_ecu of the second ECU 1020 is written in advance in the SHE 1022 of the second ECU 1020. For example, when the second ECU 1020 is manufactured, the initial key Key_ecu is written in the SHE 1022 of the second ECU 1020. The method for generating the initial key Key_ecu is the same as that in the first embodiment.

  Note that the initial key Key_ecu of the first ECU 1010 is also stored in advance in the HSM 1012 of the first ECU 1010 in the same manner as the second ECU 1020. The initial key Key_ecu of the first ECU 1010 is stored in the storage unit 1013 of the HSM 1012 of the first ECU 1010.

(Step S200) The server apparatus 1300 attaches an electronic signature to the ECU code provided to the automobile 1001 using the server secret key Key_sv_s. The communication unit 11 of the server device 1300 transmits the ECU code with the electronic signature to the maintenance tool 1200. The maintenance tool 1200 receives the electronically signed ECU code through the communication unit 61.

(Step S201) The control unit 71 of the control module 1201 of the maintenance tool 1200 passes the ECU code with electronic signature received by the communication unit 61 to the IC chip 1202, and requests verification of the electronic signature. The verification unit 74 of the IC chip 1202 verifies the electronic signature of the ECU code with the electronic signature using the server public key certificate Cert_sv stored in the storage unit 1203. The IC chip 1202 returns the verification result of the electronic signature to the control unit 71. When the verification of the electronic signature is acceptable, the control unit 71 proceeds with the process after step S202. On the other hand, the control unit 71 stops providing the ECU code when the verification of the electronic signature fails. When the ECU code provided to the automobile 1001 is valid, the electronic signature need not be verified.

(Step S202) The control unit 71 of the control module 1201 of the maintenance tool 1200 sends a request message (ECU identifier request message) of the ECU identifier ECU_ID of the second ECU 1020 to which the ECU code is applied via the diagnostic port interface 62 to the automobile. 1001 is transmitted. In the automobile 1001, the ECU identifier request message received by the first ECU 1010 via the diagnostic port 1060 is transferred to the second ECU 1020 to which the ECU code is applied via the first ECU 1010.

(Step S203) Upon receiving the ECU identifier request message, the control unit 41 of the second ECU 1020 returns its own ECU identifier ECU_ID. The ECU identifier ECU_ID of the second ECU 1020 is transmitted from the diagnostic port 1060 to the maintenance tool 1200 via the first ECU 1010. The control unit 71 of the control module 1201 of the maintenance tool 1200 uses the ECU identifier ECU_ID transmitted from the automobile 1001 via the diagnosis port 1060, that is, the ECU identifier ECU_ID of the second ECU 1020 to which the ECU code is applied, as the diagnosis port interface 62. Receive via.

  Note that when the maintenance tool 1200 acquires the ECU identifier ECU_ID of the second ECU 1020 to which the ECU code is applied in advance, the above-described steps S202 and S203 are not necessary. For example, when the server apparatus 1300 manages a list of ECU identifiers ECU_ID of the second ECU 1020 of the automobile 1001, the maintenance tool 1200 uses the second list of the server apparatus 1300 to apply the second ECU code application destination. The ECU identifier ECU_ID of the ECU 1020 may be acquired.

(Step S204) The control unit 71 of the control module 1201 of the maintenance tool 1200 passes the ECU identifier ECU_ID of the second ECU 1020 to which the ECU code is applied to the IC chip 1202, and requests generation of the initial key Key_ecu. The initial key generation unit 75 of the IC chip 1202 uses the master key Master_Secret stored in the storage unit 1203 and the ECU identifier ECU_ID of the second ECU 1020 to which the ECU code is applied. The initial key Key_ecu of the second ECU 1020 is generated.

(Step S205) The control unit 71 passes the ECU code to be provided to the automobile 1001 to the IC chip 1202, and requests the calculation of the expected value. The expected value calculation unit 73 of the IC chip 1202 uses the initial key Key_ecu generated by the initial key generation unit 75 to calculate the expected value of the ECU code to be provided to the automobile 1001. In this embodiment, CMAC is used as an example of an expected value. Therefore, the expected value calculation unit 73 uses the initial key Key_ecu generated by the initial key generation unit 75 to calculate the CMAC of the ECU code to be provided to the automobile 1001. The IC chip 1202 passes the CMAC calculated by the expected value calculation unit 73 to the control unit 71.

(Step S206) The control unit 71 of the control module 1201 of the maintenance tool 1200 transmits the ECU code and the CMAC of the ECU code calculated by the IC chip 1202 to the automobile 1001 via the diagnostic port interface 62. In the automobile 1001, the ECU code received by the first ECU 1010 via the diagnostic port 1060 and the CMAC of the ECU code are transferred via the first ECU 1010 to the second ECU 1020 to which the ECU code is applied. .

  Next, steps S107 to S110 are executed. Steps S107 to S110 are the same as the example of the ECU code provision procedure of FIG. 5 according to the first embodiment described above. Following step S110, step S211 is executed.

(Step S211) The control unit 41 of the second ECU 1020 transmits the CMAC verification result in the secure boot to the first ECU 1010. The CMAC verification result in the secure boot is transmitted from the diagnostic port 1060 to the maintenance tool 1200 via the first ECU 1010. The control unit 71 of the control module 1201 of the maintenance tool 1200 receives the CMAC verification result in the secure boot transmitted from the automobile 1001 via the diagnostic port 1060 via the diagnostic port interface 62.

(Step S212) The control unit 71 of the control module 1201 of the maintenance tool 1200 determines whether the application of the ECU code provided to the automobile 1001 is successful based on the CMAC verification result in secure boot received from the automobile 1001. When the verification result of CMAC in secure boot is acceptable, the application of the ECU code is successful, and when the verification result of CMAC in secure boot is unacceptable, the application of the ECU code is unsuccessful.

  Note that the control unit 41 of the second ECU 1020 may include the CMAC calculated by the SHE 1022 in step S107 in the CMAC verification result in the secure boot. In this case, the control unit 71 of the control module 1201 of the maintenance tool 1200 may pass the CMAC included in the CMAC verification result in the secure boot to the IC chip 1202 to perform the CMAC verification. The verification unit 74 of the IC chip 1202 compares the CMAC included in the CMAC verification result in the secure boot with the CMAC of the ECU code transmitted together with the ECU code to the automobile 1001 in step S206, and the comparison result is compared with the control unit 71. To respond. The control unit 71 determines the success or failure of application of the ECU code provided to the automobile 1001 based on the comparison result. When the comparison result is coincident, the application of the ECU code is successful, and when the comparison result is not coincident, the application of the ECU code is unsuccessful.

(Step S <b> 213) The communication unit 61 of the maintenance tool 1200 transmits to the server device 1300 the determination result of success or failure of application of the ECU code provided to the automobile 1001.

  The maintenance tool 1200 may transmit the CMAC included in the CMAC verification result in the secure boot to the server device 1300. The server apparatus 1300 may perform CMAC verification included in the CMAC verification result in the secure boot.

  According to the second embodiment described above, the maintenance tool 1200 generates an initial key of the ECU to which the ECU code is applied, generates an expected value of the ECU code using the generated initial key, The generated expected value is provided to the automobile 1001. The ECU of the automobile 1001 verifies the expected value received together with the ECU code using its own initial key. Thereby, the reliability of the ECU code applied to the ECU of the automobile 1001 can be improved.

  In the second embodiment, the maintenance tool 1200 corresponds to a data providing device, and the control unit 71 and the diagnostic port interface 62 correspond to a providing unit. In the example of FIG. 8 described above, the control unit 41 of the second ECU 1020 corresponds to an expected value verification unit.

[Third Embodiment]
FIG. 9 is a diagram illustrating a configuration example of an automobile 1001 according to the present embodiment. In the present embodiment, a case where data such as an update program is applied to an ECU (electronic control unit) mounted on the automobile 1001 will be described as an example.

  9, parts corresponding to those in FIG. 1 are given the same reference numerals, and descriptions thereof are omitted. In the configuration example of the automobile illustrated in FIG. 9, the SIM 1052 of the communication module 1051 of the TCU 1050 includes a storage unit 1053 that stores data such as a key. Note that an eSIM may be used as the SIM 1052. SIM and eSIM have tamper resistance. SIM and eSIM are examples of secure elements. The secure element has tamper resistance. SIM and eSIM are a kind of computer, and a desired function is realized by a computer program.

  The server apparatus 1300 transmits and receives data to and from the communication module 1051 of the TCU 1050 of the automobile 1001 via the communication line, as in the first embodiment described above. For example, the server apparatus 1300 and the communication module 1051 may be connected by a dedicated line such as a VPN line, and data may be transmitted / received through the dedicated line. For example, a dedicated line such as a VPN line may be provided by a wireless communication network corresponding to the SIM 1052.

  Server device 1300 provides TCU 1050 with an ECU code applied to the ECU. The ECU code is an example of data applied to the ECU. The ECU code may be a computer program such as an update program installed in the ECU, or may be setting data such as a parameter setting value set in the ECU.

  FIG. 10 is a diagram illustrating a configuration example of the TCU 1050. In FIG. 10, the TCU 1050 includes an interface unit 82 and a communication module 1051. The communication module 1051 includes a wireless communication unit 91 and a SIM 1052. The SIM 1052 includes a storage unit 1053, an expected value calculation unit 93, a verification unit 94, and an initial key generation unit 95. The interface unit 82 includes an interface that transmits and receives data to and from the first ECU 1010. The wireless communication unit 91 communicates with other devices via a wireless communication line.

  The storage unit 1053 stores data such as keys. The expected value calculation unit 93 calculates an expected value for the ECU code. The verification unit 94 verifies an electronic signature or the like. The initial key generation unit 95 generates an initial key for the ECU.

  The function of the wireless communication unit 91 is realized by the CPU provided in the wireless communication unit 91 executing a computer program. The function of the SIM 1052 is realized by a CPU included in the SIM 1052 executing a computer program.

  Next, an example of a procedure for providing the ECU code according to the present embodiment will be described with reference to FIG. FIG. 11 is a sequence chart illustrating an example of an ECU code provision procedure. In the example of the ECU code provision procedure shown in FIG. 11, the ECU code applied to the second ECU 1020 is taken as an example, but the ECU code applied to the first ECU 1010 is also applied to the ECU code. The same procedure can be applied only by becoming the first ECU 1010.

  In FIG. 11, the server device 1300 includes a server secret key Key_sv_s. The server secret key Key_sv_s is stored in the storage unit 12. The SIM 1052 of the communication module 1051 includes a master key Master_Secret and a server public key certificate Cert_sv. The server public key certificate Cert_sv is a public key certificate corresponding to the server private key Key_sv_s. The master key Master_Secret and the server public key certificate Cert_sv are stored in the storage unit 1053.

  The SHE 1022 of the second ECU 1020 includes the initial key Key_ecu of the second ECU 1020. The initial key Key_ecu of the second ECU 1020 is stored in the storage unit 1023 of the SHE 1022 of the second ECU 1020. The initial key Key_ecu of the second ECU 1020 is written in advance in the SHE 1022 of the second ECU 1020. For example, when the second ECU 1020 is manufactured, the initial key Key_ecu is written in the SHE 1022 of the second ECU 1020. The method for generating the initial key Key_ecu is the same as that in the first embodiment.

  Note that the initial key Key_ecu of the first ECU 1010 is also stored in advance in the HSM 1012 of the first ECU 1010 in the same manner as the second ECU 1020. The initial key Key_ecu of the first ECU 1010 is stored in the storage unit 1013 of the HSM 1012 of the first ECU 1010.

(Step S300) The server apparatus 1300 attaches an electronic signature to the ECU code provided to the automobile 1001 using the server secret key Key_sv_s. The communication unit 11 of the server device 1300 transmits the electronic signature-added ECU code to the communication module 1051 of the automobile 1001. The communication module 1051 of the automobile 1001 receives the ECU code with the electronic signature by the wireless communication unit 91.

(Step S301) The wireless communication unit 91 of the communication module 1051 passes the ECU code with electronic signature received from the server device 1300 to the SIM 1052, and requests verification of the electronic signature. The verification unit 94 of the SIM 1052 verifies the electronic signature of the ECU code with the electronic signature using the server public key certificate Cert_sv stored in the storage unit 1053. The SIM 1052 responds to the wireless communication unit 91 with the verification result of the electronic signature. When the verification of the electronic signature is successful, the wireless communication unit 91 proceeds with the process after step S302. On the other hand, when the verification of the electronic signature fails, the wireless communication unit 91 stops providing the ECU code. When the ECU code provided to the automobile 1001 is valid, the electronic signature need not be verified.

(Step S302) The wireless communication unit 91 of the communication module 1051 sends a request message (ECU identifier request message) of the ECU identifier ECU_ID of the second ECU 1020 to which the ECU code is applied to the first ECU 1010 via the interface unit 82. Send. The ECU identifier request message received by the first ECU 1010 is transferred via the first ECU 1010 to the second ECU 1020 to which the ECU code is applied.

(Step S303) Upon receiving the ECU identifier request message, the control unit 41 of the second ECU 1020 returns its own ECU identifier ECU_ID. The ECU identifier ECU_ID of the second ECU 1020 is transmitted to the TCU 1050 via the first ECU 1010. The wireless communication unit 91 of the communication module 1051 receives the ECU identifier ECU_ID, that is, the ECU identifier ECU_ID of the second ECU 1020 to which the ECU code is applied, via the interface unit 82.

  Note that when the TCU 1050 acquires the ECU identifier ECU_ID of the second ECU 1020 to which the ECU code is applied in advance, the above-described steps S302 and S303 are not necessary. For example, when the server apparatus 1300 manages a list of ECU identifiers ECU_ID of the second ECU 1020 of the automobile 1001, the TCU 1050 determines the second ECU 1020 to which the ECU code is applied from the list of the server apparatus 1300. You may acquire ECU identifier ECU_ID.

(Step S304) The wireless communication unit 91 of the communication module 1051 passes the ECU identifier ECU_ID of the second ECU 1020 to which the ECU code is applied to the SIM 1052, and requests generation of the initial key Key_ecu. The initial key generation unit 95 of the SIM 1052 uses the master key Master_Secret stored in the storage unit 1053 and the ECU identifier ECU_ID of the second ECU 1020 to which the ECU code is applied. 2 generates an initial key Key_ecu for the ECU 1020.

(Step S305) The wireless communication unit 91 passes the ECU code to be provided to the automobile 1001 to the SIM 1052, and requests calculation of an expected value. The expected value calculation unit 93 of the SIM 1052 uses the initial key Key_ecu generated by the initial key generation unit 95 to calculate the expected value of the ECU code to be provided to the automobile 1001. In this embodiment, CMAC is used as an example of an expected value. Therefore, the expected value calculation unit 93 uses the initial key Key_ecu generated by the initial key generation unit 95 to calculate the CMAC of the ECU code to be provided to the automobile 1001. The SIM 1052 passes the CMAC calculated by the expected value calculation unit 93 to the wireless communication unit 91.

(Step S306) The wireless communication unit 91 transmits the ECU code and the CMAC of the ECU code calculated by the SIM 1052 to the first ECU 1010 via the interface unit 82. The ECU code received by the first ECU 1010 and the CMAC of the ECU code are transferred via the first ECU 1010 to the second ECU 1020 to which the ECU code is applied.

  Next, steps S107 to S110 are executed. Steps S107 to S110 are the same as the example of the ECU code provision procedure of FIG. 5 according to the first embodiment described above. Following step S110, step S311 is executed.

(Step S311) The control unit 41 of the second ECU 1020 transmits the CMAC verification result in the secure boot to the first ECU 1010. The CMAC verification result in the secure boot is transmitted to the TCU 1050 via the first ECU 1010. The wireless communication unit 91 of the communication module 1051 of the TCU 1050 receives the CMAC verification result in the secure boot transmitted from the first ECU 1010 via the interface unit 82.

(Step S312) The wireless communication unit 91 of the communication module 1051 of the TCU 1050 determines whether the application of the ECU code provided to the automobile 1001 is successful based on the CMAC verification result in the secure boot received from the first ECU 1010. When the verification result of CMAC in secure boot is acceptable, the application of the ECU code is successful, and when the verification result of CMAC in secure boot is unacceptable, the application of the ECU code is unsuccessful.

  Note that the control unit 41 of the second ECU 1020 may include the CMAC calculated by the SHE 1022 in step S107 in the CMAC verification result in the secure boot. In this case, the wireless communication unit 91 may pass the CMAC included in the CMAC verification result in the secure boot to the SIM 1052 to perform the CMAC verification. The verification unit 94 of the SIM 1052 compares the CMAC included in the CMAC verification result in the secure boot with the CMAC of the ECU code transmitted together with the ECU code in step S306, and responds to the wireless communication unit 91 with the comparison result. The wireless communication unit 91 determines success or failure of application of the ECU code provided to the automobile 1001 based on the comparison result. When the comparison result is coincident, the application of the ECU code is successful, and when the comparison result is not coincident, the application of the ECU code is unsuccessful.

(Step S <b> 313) The wireless communication unit 91 transmits a determination result of success or failure of application of the ECU code provided to the automobile 1001 to the server device 1300.

  Note that the wireless communication unit 91 may transmit the CMAC included in the CMAC verification result in the secure boot to the server device 1300. The server apparatus 1300 may perform CMAC verification included in the CMAC verification result in the secure boot.

  According to the third embodiment described above, the communication module 1051 generates an initial key of the ECU to which the ECU code is applied, generates an expected value of the ECU code using the generated initial key, The generated expected value is provided to the automobile 1001. The ECU of the automobile 1001 verifies the expected value received together with the ECU code using its own initial key. Thereby, the reliability of the ECU code applied to the ECU of the automobile 1001 can be improved.

  In the third embodiment, the TCU 1050 corresponds to a data providing device, and the wireless communication unit 91 and the interface unit 82 correspond to a providing unit. In the example of FIG. 11 described above, the control unit 41 of the second ECU 1020 corresponds to an expected value verification unit.

[Fourth Embodiment]
In the present embodiment, FIG. 1 can be applied as a configuration example of the automobile 1001. FIG. 12 is a diagram illustrating a configuration example of the first ECU 1010 according to the present embodiment. 12, parts corresponding to those in FIG. 3 are given the same reference numerals, and descriptions thereof are omitted. In the first ECU 1010 shown in FIG. 12, the HSM 1012 further includes an initial key generation unit 33 in addition to the configuration of FIG. The initial key generation unit 33 generates an initial key for the ECU.

  Next, an example of a procedure for providing an ECU code according to the present embodiment will be described with reference to FIG. FIG. 13 is a sequence chart illustrating an example of an ECU code providing procedure. In the example of the ECU code providing procedure shown in FIG. 13, the ECU code applied to the second ECU 1020 is taken as an example, but the ECU code applied to the first ECU 1010 is also applied to the ECU code. The same procedure can be applied only by becoming the first ECU 1010.

  In FIG. 13, the server device 1300 includes a server secret key Key_sv_s. The server secret key Key_sv_s is stored in the storage unit 12. The HSM 1012 of the first ECU 1010 includes a master key Master_Secret and a server public key certificate Cert_sv. The server public key certificate Cert_sv is a public key certificate corresponding to the server private key Key_sv_s. The master key Master_Secret and the server public key certificate Cert_sv are stored in the storage unit 1013.

  The SHE 1022 of the second ECU 1020 includes the initial key Key_ecu of the second ECU 1020. The initial key Key_ecu of the second ECU 1020 is stored in the storage unit 1023 of the SHE 1022 of the second ECU 1020. The initial key Key_ecu of the second ECU 1020 is written in advance in the SHE 1022 of the second ECU 1020. For example, when the second ECU 1020 is manufactured, the initial key Key_ecu is written in the SHE 1022 of the second ECU 1020. The method for generating the initial key Key_ecu is the same as that in the first embodiment.

  Note that the initial key Key_ecu of the first ECU 1010 is also stored in advance in the HSM 1012 of the first ECU 1010 in the same manner as the second ECU 1020. The initial key Key_ecu of the first ECU 1010 is stored in the storage unit 1013 of the HSM 1012 of the first ECU 1010.

(Step S400) The server apparatus 1300 attaches an electronic signature to the ECU code provided to the automobile 1001 using the server secret key Key_sv_s. The communication unit 11 of the server device 1300 transmits the electronic signature-added ECU code to the communication module 1051 of the automobile 1001. The communication module 1051 of the automobile 1001 transfers the ECU code with electronic signature received from the server device 1300 to the first ECU 1010.

(Step S401) The control unit 21 of the first ECU 1010 passes the ECU code with electronic signature received from the communication module 1051 to the HSM 1012 to request verification of the electronic signature. The verification unit 32 of the HSM 1012 verifies the electronic signature of the ECU code with the electronic signature using the server public key certificate Cert_sv stored in the storage unit 1013. The HSM 1012 returns the verification result of the electronic signature to the control unit 21. When the verification of the electronic signature is acceptable, the control unit 21 proceeds with the process after step S402. On the other hand, if the verification of the electronic signature fails, the control unit 21 stops providing the ECU code. When the ECU code provided to the automobile 1001 is valid, the electronic signature need not be verified.

(Step S402) The control unit 21 of the first ECU 1010 applies a request message (ECU identifier request message) of the ECU identifier ECU_ID of the second ECU 1020 to which the ECU code is applied via the interface unit 20 to the application of the ECU code. It transmits to previous 2nd ECU1020.

(Step S403) Upon receiving the ECU identifier request message, the control unit 41 of the second ECU 1020 returns its own ECU identifier ECU_ID to the first ECU 1010. The control unit 21 of the first ECU 1010 receives the ECU identifier ECU_ID, that is, the ECU identifier ECU_ID of the second ECU 1020 to which the ECU code is applied, via the interface unit 20.

  Note that when the first ECU 1010 acquires the ECU identifier ECU_ID of the second ECU 1020 to which the ECU code is applied in advance, the above-described steps S402 and S403 are not necessary. For example, when the server apparatus 1300 manages a list of ECU identifiers ECU_ID of the second ECU 1020 of the automobile 1001, the first ECU 1010 uses the second ECU code application destination from the list of the server apparatus 1300. The ECU identifier ECU_ID of the ECU 1020 may be acquired.

(Step S404) The control unit 21 of the first ECU 1010 passes the ECU identifier ECU_ID of the second ECU 1020 to which the ECU code is applied to the HSM 1012 to request generation of the initial key Key_ecu. The initial key generation unit 33 of the HSM 1012 uses the master key Master_Secret stored in the storage unit 1013 and the ECU identifier ECU_ID of the second ECU 1020 to which the ECU code is applied. 2 generates an initial key Key_ecu for the ECU 1020.

(Step S405) The control unit 21 passes the ECU code to be provided to the automobile 1001 to the HSM 1012 and requests the expected value to be calculated. The expected value calculation unit 31 of the HSM 1012 calculates the expected value of the ECU code to be provided to the automobile 1001 using the initial key Key_ecu generated by the initial key generation unit 33. In this embodiment, CMAC is used as an example of an expected value. Therefore, the expected value calculation unit 31 uses the initial key Key_ecu generated by the initial key generation unit 33 to calculate the CMAC of the ECU code to be provided to the automobile 1001. The HSM 1012 passes the CMAC calculated by the expected value calculation unit 31 to the control unit 21.

(Step S406) The control unit 21 transmits the ECU code and the CMAC of the ECU code calculated by the HSM 1012 to the second ECU 1020 to which the ECU code is applied via the interface unit 20.

  Next, steps S107 to S110 are executed. Steps S107 to S110 are the same as the example of the ECU code provision procedure of FIG. 5 according to the first embodiment described above. Following step S110, step S411 is executed.

(Step S411) The control unit 41 of the second ECU 1020 transmits the CMAC verification result in the secure boot to the first ECU 1010.

(Step S412) The control unit 21 of the first ECU 1010 determines whether the application of the ECU code provided to the automobile 1001 is successful based on the CMAC verification result in the secure boot received from the second ECU 1020. When the verification result of CMAC in secure boot is acceptable, the application of the ECU code is successful, and when the verification result of CMAC in secure boot is unacceptable, the application of the ECU code is unsuccessful.

  Note that the control unit 41 of the second ECU 1020 may include the CMAC calculated by the SHE 1022 in step S107 in the CMAC verification result in the secure boot. In this case, the control unit 21 of the first ECU 1010 may pass the CMAC included in the CMAC verification result in the secure boot to the HSM 1012 to perform the CMAC verification. The verification unit 32 of the HSM 1012 compares the CMAC included in the CMAC verification result in secure boot with the CMAC of the ECU code transmitted together with the ECU code in step S <b> 406, and returns the comparison result to the control unit 21. The control unit 21 determines whether the application of the ECU code provided to the automobile 1001 is successful based on the comparison result. When the comparison result is coincident, the application of the ECU code is successful, and when the comparison result is not coincident, the application of the ECU code is unsuccessful.

(Step S413) The control unit 21 of the first ECU 1010 transmits a determination result of success or failure of application of the ECU code provided to the automobile 1001 to the server apparatus 1300 via the communication module 1051 of the TCU 1050.

  The control unit 21 of the first ECU 1010 may transmit the CMAC included in the CMAC verification result in the secure boot to the server device 1300. The server apparatus 1300 may perform CMAC verification included in the CMAC verification result in the secure boot.

  According to the above-described fourth embodiment, the first ECU 1010 generates an initial key of the ECU to which the ECU code is applied, generates an expected value of the ECU code using the generated initial key, The generated expected value is provided to the automobile 1001. The ECU of the automobile 1001 verifies the expected value received together with the ECU code using its own initial key. Thereby, the reliability of the ECU code applied to the ECU of the automobile 1001 can be improved.

  In 4th Embodiment, 1st ECU1010 respond | corresponds to a data provision apparatus, and the control part 21 and the interface part 20 respond | correspond to a provision part. In the example of FIG. 13 described above, the control unit 41 of the second ECU 1020 corresponds to an expected value verification unit.

  As mentioned above, although embodiment of this invention was explained in full detail with reference to drawings, the specific structure is not restricted to this embodiment, The design change etc. of the range which does not deviate from the summary of this invention are included.

  Note that the encryption processing unit included in the first ECU 1010 is not limited to the HSM 1012. For example, a cryptographic processing chip called “TPM (Trusted Platform Module) f” may be used as the cryptographic processing unit included in the first ECU 1010. TPMf has tamper resistance. TPMf is an example of a secure element.

  Further, the encryption processing unit included in the second ECU 1020 is not limited to the SHE1022. For example, a cryptographic processing chip called “TPMt” may be used as the cryptographic processing unit included in the second ECU 1020. TPMt has tamper resistance. TPMt is an example of a secure element.

  In the above-described embodiment, an automobile is taken as an example of the vehicle, but the present invention can also be applied to vehicles other than automobiles such as a motorbike and a railway vehicle.

Further, a computer program for realizing the functions of the above-described server device, maintenance tool, or each device provided in the automobile is recorded on a computer-readable recording medium, and the program recorded on the recording medium is read into the computer system. May be executed. Here, the “computer system” may include an OS and hardware such as peripheral devices.
“Computer-readable recording medium” refers to a flexible disk, a magneto-optical disk, a ROM, a writable nonvolatile memory such as a flash memory, a portable medium such as a DVD (Digital Versatile Disc), and a built-in computer system. A storage device such as a hard disk.

Further, the “computer-readable recording medium” means a volatile memory (for example, DRAM (Dynamic DRAM) in a computer system that becomes a server or a client when a program is transmitted through a network such as the Internet or a communication line such as a telephone line. Random Access Memory)), etc., which hold programs for a certain period of time.
The program may be transmitted from a computer system storing the program in a storage device or the like to another computer system via a transmission medium or by a transmission wave in the transmission medium. Here, the “transmission medium” for transmitting the program refers to a medium having a function of transmitting information, such as a network (communication network) such as the Internet or a communication line (communication line) such as a telephone line.
The program may be for realizing a part of the functions described above. Furthermore, what can implement | achieve the function mentioned above in combination with the program already recorded on the computer system, and what is called a difference file (difference program) may be sufficient.

DESCRIPTION OF SYMBOLS 11, 61 ... Communication part, 12, 22, 42 ... Memory | storage part, 13, 31, 51, 73, 93 ... Expected value calculation part, 14, 32, 52, 74, 94 ... Verification part, 15, 33, 75, 95 ... Initial key generation unit, 21, 41, 71 ... Control unit, 91 ... Wireless communication unit, 1001 ... Automobile, 1002 ... In-vehicle computer system, 1010 ... First ECU, 1011, 1021 ... Main arithmetic unit, 1012 ... HSM , 1013, 1023, 1203, storage unit, 1020, second ECU, 1022, SHE, 1030, CAN, 1040, infotainment device, 1050, TCU, 1051, communication module, 1052, SIM, 1060, diagnostic port , 1065 ... diagnostic terminal, 1200 ... maintenance tool, 1201 ... control module, 1202 ... IC chip, 1 00 ... server device

Claims (11)

An in-vehicle computer mounted on a vehicle and a data providing device;
The in-vehicle computer includes a first storage unit that stores an initial key generated from a master key and its own in-vehicle computer identifier,
The data providing device includes:
A second storage unit for storing the master key;
An initial key generation unit that generates an initial key of the in-vehicle computer from the in-vehicle computer identifier of the in-vehicle computer and the master key stored in the second storage unit;
A first expected value calculation unit that calculates an expected value of data applied to the in-vehicle computer using the initial key of the in-vehicle computer generated by the initial key generation unit;
A provision unit that provides the vehicle with data applied to the in-vehicle computer and the expected value calculated by the first expected value calculation unit;
The in-vehicle computer is
A second expected value calculation unit that calculates an expected value of the data provided from the providing unit using the initial key stored in the first storage unit;
An expected value verification unit that compares the expected value provided by the providing unit with the expected value calculated by the second expected value calculation unit;
Data provision system. The providing unit transmits the data and the expected value to the vehicle via a communication line.
The data providing system according to claim 1. The providing unit transmits the data and the expected value to the vehicle via a diagnostic port of the vehicle.
The data providing system according to claim 1. The data providing device is provided in the vehicle.
The data providing system according to claim 1. The data providing device is a communication device provided in the vehicle.
The data providing system according to claim 1. The data providing device is an in-vehicle computer provided in the vehicle.
The data providing system according to claim 1. A second storage unit for storing a master key used together with the in-vehicle computer identifier of the in-vehicle computer in generating an initial key provided in the in-vehicle computer mounted in the vehicle;
An initial key generation unit that generates an initial key of the in-vehicle computer from the in-vehicle computer identifier of the in-vehicle computer and the master key stored in the second storage unit;
A first expected value calculation unit that calculates an expected value of data applied to the in-vehicle computer using the initial key of the in-vehicle computer generated by the initial key generation unit;
A providing unit for providing the vehicle with data applied to the in-vehicle computer and the expected value calculated by the first expected value calculating unit;
A data providing apparatus comprising: In an in-vehicle computer mounted on a vehicle,
A first storage unit for storing an initial key generated from the master key and its own in-vehicle computer identifier;
A second expected value calculation unit that calculates an expected value of data provided from the providing unit of the data providing device according to claim 7, using the initial key stored in the first storage unit;
An expected value verification unit that compares the expected value provided together with the data from the providing unit with the expected value calculated by the second expected value calculation unit;
In-vehicle computer equipped with. A data providing method of a data providing system comprising an in-vehicle computer mounted on a vehicle and a data providing device,
A first storage step in which the in-vehicle computer stores an initial key generated from a master key and its own in-vehicle computer identifier in a first storage unit;
A second storage step in which the data providing device stores the master key in a second storage unit;
An initial key generating step for generating an initial key of the in-vehicle computer from the in-vehicle computer identifier of the in-vehicle computer and the master key stored in the second storage unit;
A first expected value calculating step in which the data providing device calculates an expected value of data applied to the in-vehicle computer using the initial key of the in-vehicle computer generated in the initial key generating step;
A providing step in which the data providing device provides the vehicle with data applied to the in-vehicle computer and the expected value calculated in the first expected value calculating step;
A second expected value calculating step in which the in-vehicle computer calculates the expected value of the data provided by the providing step using the initial key stored in the first storage unit;
The in-vehicle computer compares the expected value provided in the providing step with the expected value calculated in the second expected value calculation step;
A method of providing data including: In the computer of the data providing device,
A second storage function for storing a master key used together with the in-vehicle computer identifier of the in-vehicle computer in generating an initial key provided in the in-vehicle computer mounted in the vehicle;
An initial key generation function for generating an initial key of the in-vehicle computer from the in-vehicle computer identifier of the in-vehicle computer and the master key stored in the second storage function;
A first expected value calculation function for calculating an expected value of data applied to the in-vehicle computer using the initial key of the in-vehicle computer generated by the initial key generation function;
A providing function for providing the vehicle with data applied to the in-vehicle computer and the expected value calculated by the first expected value calculating function;
Computer program for realizing. In-vehicle computers mounted on vehicles
A first storage function for storing an initial key generated from a master key and its own in-vehicle computer identifier;
A second expected value calculation function for calculating an expected value of data provided from the providing unit of the data providing device according to claim 7, using the initial key stored in the first storage function;
An expected value verification function for comparing the expected value provided together with the data from the providing unit and the expected value calculated by the second expected value calculation function;
Computer program for realizing.

Images