JP2018074481A - Radio equipment, road-side communication unit, update method, and computer program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a technology for preventing a state where a radio communication with other equipment is disabled.SOLUTION: Radio equipment comprises: a volatile storage part for storing a key ID of a present generation and a key ID of a next generation; a non-volatile storage part for storing any one of the multiple key IDs as storage information; a restoration part 37 by which, when the volatile storage part is reset, the storage information is restored in the volatile storage part as a new key ID of the present generation; a first update part 35 which stores the key ID of the next generation in the non-volatile storage part based on timing in which data for electronic signature of the present generation are switched to data for electronic signature of the next generation, resets the volatile storage part thereafter, thereby causing the restoration part 37 to restore the storage information in the non-volatile storage part in the volatile storage part as a new key ID of the present generation, and updates the key ID of the present generation with the key ID of the next generation; and a second update part 36 by which, after the first update part 35 updates the key ID of the present generation, a key ID indicating data for electronic signature available in or after the next generation is stored in the non-volatile storage part as storage information.SELECTED DRAWING: Figure 4

Description

  The present invention relates to a wireless device, a roadside communication device, an updating method, and a computer program.

In recent years, road-to-vehicle communication and intelligent road traffic system (ITS) by vehicle-to-vehicle communication have been studied. Road-to-vehicle communication is communication between a roadside communication device and an in-vehicle communication device (mobile communication device), and vehicle-to-vehicle communication is communication between an in-vehicle communication device (mobile communication device).
Standards and guidelines have been established for such communication systems and security for intelligent transportation systems (see Non-Patent Documents 1 and 2, for example).

JP, 2006-105770, A

Radio Industry Association of Japan, “700MHz Band Intelligent Transport System ARIB-STD-T109 1.2 Edition”, [online], December 10, 2013, [Search June 27, 2016], Internet < http: // www. arib. or. jp / tyosakenyu / kikaku_tushin / tsushin_kikaku_number. html> ITS Information Communication System Promotion Conference, “Security Guidelines for Driving Support Communication Systems ITSFORM RC-009 1.2 Edition”, [online], November 25, 2013, [Search June 27, 2016], Internet < http: // www. itsforum. gr. jp / Public / J7 Database / index. html>

As a security measure for each communication in the above-described system, a method (electronic signature method) to which an electronic signature using a public key algorithm is applied has been studied.
In the electronic signature method, a key pair (security processing data) of a private key and a public key is stored in a communication device, and the communication device uses this key pair to add a public key certificate and an electronic signature to transmission data. . The communication device that has received the information can authenticate the data by using the public key certificate and the electronic signature, and can prevent spoofing and data falsification.

A plurality of the key pairs are prepared, for example, as in Patent Document 1, and an expiration date that can be used for each of the plurality of key pairs may be set.
The expiration date is different for each of the plurality of key pairs, and the roadside communication device switches the key pair to be used based on the expiration date and performs wireless communication using different key pairs over a plurality of generations. Can be configured.

The roadside communication device needs to grasp the current date and time in order to switch the key pair based on the expiration date of each of the plurality of key pairs.
Here, the roadside communication device used in the above system is wired to the central device in addition to the roadside communication device (online roadside communication device) connected to the central device that manages the roadside communication device by a wired communication line. Roadside communication devices that are not connected by communication lines (stand-alone roadside communication devices) may be included.

The online roadside communication device corrects the internal time and measures the current date and time based on time information such as a time correction command transmitted periodically or upon request from the central device through a wired communication line.
On the other hand, the stand-alone roadside communication device acquires time information from the central device through roadside communication with the online roadside communication device, corrects the internal time, and measures the current date and time.

By the way, the roadside communication device is configured to expand the identification information for identifying the current generation key pair currently in use in the volatile storage unit and identify the key pair to be used based on the identification information. be able to.
Further, the roadside communication device can store the current generation identification information in the nonvolatile storage unit.
In this case, even if the power is turned off for some reason, the roadside communication device reads the current generation identification information stored in the nonvolatile storage unit and restores the current generation identification information to the volatile storage unit. Configured to be able to.

FIG. 11 is a diagram showing the relationship between the timing when the roadside communication device is turned off and then restarted, and the expiration date of the key pair.
As shown in FIG. 11A, when both the power-off timing and the subsequent restart timing are within the valid period of the current generation key pair, the roadside communicator is The current generation identification information stored in the volatile storage unit can be restored to the volatile storage unit.

  On the other hand, as shown in FIG. 11B, when the expiration date of the current generation key pair is positioned between the power-off timing and the subsequent restart timing, the roadside communication device is non-volatile. Even if the current generation identification information stored in the storage unit is read and the current generation identification information is restored in the volatile storage unit, the expiration date of the current generation key pair has already expired. Therefore, in this state, the roadside communication device cannot perform wireless communication using the key pair with other communication devices. FIG. 11B shows a case where the power is turned off for some reason before the roadside communication device spontaneously switches the key pair.

Furthermore, the roadside communication device loses the current date and time that has been counted until then by turning off the power supply unless the timekeeping is maintained with a battery or the like.
In this regard, if it is an online roadside communication device, even if wireless communication using a key pair cannot be performed with another communication device, the current date and time is started based on the time information from the central device. The key pair can be switched according to the expiration date. If the key pair is appropriately switched, the online roadside communication device can perform wireless communication using the key pair with another communication device.

However, when the stand-alone roadside communication device is in a situation as shown in FIG. 11B, wireless communication using a key pair cannot be performed with another communication device. The communication between the roads cannot be performed, and the time information from the central device cannot be acquired.
For this reason, the stand-alone roadside communicator can no longer switch the key pair according to the expiration date, and must exit from a state in which wireless communication using the key pair cannot be performed with another communicator. It becomes difficult.

  The present invention has been made in view of such circumstances, and an object thereof is to provide a technique capable of preventing a state in which wireless communication with other devices cannot be performed.

  A wireless device according to an embodiment is a wireless device that acquires time information from another wireless device and performs wireless communication with the other wireless device using a plurality of security processing data corresponding to a plurality of generations. And storing first identification information indicating current generation security processing data used for the wireless communication and second identification information indicating next generation security processing data among the plurality of security processing data. Stored in the non-volatile storage unit when the volatile storage unit is reset, and a non-volatile storage unit that stores storage information indicating any of the plurality of security processing data. A restoration unit that restores the stored information to the volatile storage unit as new first identification information, and the current generation security processing data that is specified based on the time information. An update unit that updates the first identification information with the second identification information based on the timing of switching from the next generation security processing data to the next generation security processing data, the update unit based on the timing, 2 by storing the identification information in the nonvolatile storage unit, and then resetting the volatile storage unit, the storage unit stores the storage information in the nonvolatile storage unit as the first identification information. A first processing unit for restoring the first identification information with the second identification information, and after the first processing unit has updated the first identification information, for the next-generation security processing Identification information indicating security processing data other than data and usable for the next generation or later is stored in the nonvolatile storage unit as the storage information. It comprises a second processing unit.

  Moreover, the roadside communication apparatus which is one Embodiment is provided with the said radio | wireless machine.

  In addition, the update method according to an embodiment acquires time information from another wireless device and performs wireless communication with the other wireless device using a plurality of security processing data corresponding to a plurality of generations. First identification information indicating current generation security processing data used for the wireless communication among the plurality of security processing data, second identification information indicating next generation security processing data, A method for updating the first identification information executed in a wireless device including a volatile storage unit that stores information and a nonvolatile storage unit that stores storage information indicating any of the plurality of security processing data. When the volatile storage unit is reset, the storage information stored in the nonvolatile storage unit is restored to the volatile storage unit as new first identification information. The second identification information is stored in the nonvolatile storage unit based on the timing and the timing of switching from the current generation security processing data to the next generation security processing data specified based on the time information. And then resetting the volatile storage unit to restore the storage information in the nonvolatile storage unit to the volatile storage unit as new first identification information by the restoration step, An update step of updating information with the second identification information, and security processing data other than the next-generation security processing data that can be used in the next generation or later after the update step. And storing the stored identification information as the storage information in the nonvolatile storage unit.

  A computer program according to an embodiment is a wireless device that acquires time information from another wireless device and performs wireless communication with the other wireless device using a plurality of security processing data corresponding to a plurality of generations. And storing first identification information indicating current generation security processing data used for the wireless communication and second identification information indicating next generation security processing data among the plurality of security processing data. And a non-volatile storage unit that stores storage information indicating any of the plurality of pieces of security processing data, causing a computer included in the wireless device to execute the update process of the first identification information When the volatile storage unit is reset in the computer, the computer program stored in the nonvolatile storage unit A restoration step of restoring storage information as new first identification information to the volatile storage unit, and the next-generation security processing data from the current-generation security processing data identified based on the time information The second identification information is stored in the non-volatile storage unit based on the timing to switch to, and then the volatile storage unit is reset, whereby the storage information in the non-volatile storage unit is newly updated by the restoration step. An update step for restoring the first identification information to the volatile storage unit as the first identification information, and updating the first identification information with the second identification information, and after the updating step, other than the next-generation security processing data Identification information indicating security processing data that can be used in the next generation or later is stored. A storage step of storing in the nonvolatile storage unit as broadcast, a computer program for execution.

  According to the present invention, it is possible to prevent a state in which wireless communication with another device cannot be performed.

It is a schematic perspective view which shows the whole structure of the intelligent transport system (ITS) which concerns on embodiment. It is a figure which shows an example of the aspect of the communication connection of each roadside communication apparatus in this system. It is a block diagram which shows the structure of the roadside communication apparatus which concerns on this embodiment. It is a block diagram which shows the structure of a radio | wireless module. (A) is a figure which shows the aspect of the transmission data which a wireless module transmits, the figure which shows an example of the data for electronic signatures memorize | stored in the memory | storage part, and the figure which shows an example of an expiration date list. It is the figure which showed typically the information which the memory | storage part has memorize | stored. It is a flowchart which shows an example of the update process which a communication control part performs. It is a flowchart which shows an example of a process of the decompression | restoration part at the time of restarts other than an update process. It is a figure showing an example of a mode of processing when starting a stand-alone roadside communication machine for the first time after installing. It is a figure showing an example of the mode of the update process by a stand-alone roadside communication apparatus, and the process at the time of restarting other than an update process over time. It is the figure which showed the relationship between the timing when a roadside communication apparatus turns off and restarts after that, and the expiration date of a key pair.

[Description of Embodiment]
First, the contents of the embodiment will be listed and described.
(1) A wireless device according to an embodiment acquires time information from another wireless device and performs wireless communication with the other wireless device using a plurality of security processing data corresponding to a plurality of generations. 1st identification information which shows the present generation security processing data used for the said radio | wireless communication among the said several security processing data, and 2nd identification information which shows the next generation security processing data, , A non-volatile storage unit that stores storage information indicating any of the plurality of security processing data, and when the volatile storage unit is reset, the non-volatile storage unit A restoration unit that restores the stored information to the volatile storage unit as new first identification information; and the current generation security process that is specified based on the time information An update unit that updates the first identification information with the second identification information based on the timing of switching from the data to the next-generation security processing data, the update unit based on the timing, By storing the second identification information in the nonvolatile storage unit, and then resetting the volatile storage unit, the storage unit stores the storage information of the nonvolatile storage unit as new first identification information. A first processing unit that restores the volatile storage unit and updates the first identification information with the second identification information; and after the first processing unit updates the first identification information, the next-generation security processing Identification information indicating security processing data other than security data and usable for the next generation or later is recorded in the nonvolatile storage unit as the storage information. And a, a second processing unit for.

According to the wireless device having the above configuration, after the first identification information is updated with the second identification information, the identification information indicating the security processing data that can be used in the next generation or later is stored in the nonvolatile storage unit as the storage information. Therefore, after that, when the radio is turned off for some reason and the volatile storage unit is reset, the restoration unit uses the identification information indicating the security processing data that can be used in the next generation or later as the new first information. The identification information is restored to the volatile storage unit.
Therefore, even if the expiration date of the security processing data used before the power is turned off, the generation progresses between the timing of turning off the power of the wireless device and the timing of restarting after that, The roadside communication device can perform wireless communication with other wireless devices by using security processing data that can be used in the next generation or later. As a result, it is possible to prevent a situation in which wireless communication with other wireless devices cannot be performed due to expiration of the security processing data.

(2) In the above wireless device, security processing data other than the next generation security processing data that can be used in the next generation or later is the most future generation of the plurality of generations. The corresponding security processing data is preferable.

(3) In the wireless device, the nonvolatile storage unit may store identification information indicating security processing data corresponding to the future generation among the plurality of generations as initial storage information.
In this case, when the wireless device is activated for the first time, identification information indicating security processing data that can be used in the next generation or later is restored to the volatile storage unit as new first identification information. Therefore, it is possible to prevent the security processing data to be used from expiring regardless of the time of the first activation.

(4) Moreover, the roadside communication apparatus which is one Embodiment is provided with the radio | wireless apparatus as described in said (1) to (3).

(5) The update method according to one embodiment acquires time information from another wireless device and performs wireless communication with the other wireless device using a plurality of security processing data corresponding to a plurality of generations. 1st identification information which shows the present generation security processing data used for the said radio | wireless communication among the said several security processing data, and 2nd identification information which shows the next generation security processing data, A method for updating the first identification information, which is executed in a wireless device, including a volatile storage unit that stores information and a nonvolatile storage unit that stores storage information indicating any of the plurality of security processing data. Then, when the volatile storage unit is reset, the storage information stored in the nonvolatile storage unit is restored to the volatile storage unit as new first identification information. The second identification information is stored in the nonvolatile storage unit based on the timing and the timing of switching from the current generation security processing data to the next generation security processing data specified based on the time information. And then resetting the volatile storage unit to restore the storage information in the nonvolatile storage unit to the volatile storage unit as new first identification information by the restoration step, An update step of updating information with the second identification information, and security processing data other than the next-generation security processing data that can be used in the next generation or later after the update step. And storing the stored identification information as the storage information in the nonvolatile storage unit.

(6) In addition, the computer program according to the embodiment obtains time information from another wireless device and uses the plurality of security processing data corresponding to a plurality of generations with the other wireless device. First identification information indicating current generation security processing data used for the wireless communication and second identification indicating next generation security processing data among the plurality of security processing data And a volatile storage unit that stores information, and a non-volatile storage unit that stores storage information indicating any of the plurality of security processing data. A computer program for executing update processing, wherein when the volatile storage unit is reset to a computer, the nonvolatile storage unit A restoration step of restoring the stored storage information to the volatile storage unit as new first identification information, and the next generation security processing data identified based on the time information. Based on the timing to switch to the security processing data, the second identification information is stored in the nonvolatile storage unit, and then the volatile storage unit is reset. An update step of restoring storage information as the new first identification information in the volatile storage unit and updating the first identification information with the second identification information, and after the update step, the next-generation security processing Identification information indicating security processing data that can be used in the next generation or later, other than security processing data Which is a computer program for executing, a storage step of storing in the nonvolatile storage unit as the storage information.

[Details of the embodiment]
Hereinafter, preferred embodiments will be described with reference to the drawings.
Note that at least a part of each embodiment described below may be arbitrarily combined.
[Configuration of communication system]
FIG. 1 is a schematic perspective view showing an overall configuration of an intelligent road traffic system (ITS) according to an embodiment. In this embodiment, as an example of the road structure, a grid structure in which a plurality of roads in the north-south direction and the east-west direction intersect with each other is assumed.
As shown in FIG. 1, the intelligent transportation system of the present embodiment includes a traffic signal 1, a roadside communication device 2, an in-vehicle communication device (mobile communication device) 3, a central device 4, a vehicle 5 equipped with the in-vehicle communication device 3, And the roadside sensor 6 which consists of a vehicle sensor, a surveillance camera, etc. is included.
Note that points not particularly described in the present embodiment are based on Non-Patent Document 1.

The traffic signal 1 and the roadside communication device 2 are installed at each of a plurality of intersections J1 to J9, and are connected to a router 8 via a wired communication line 7 such as a telephone line. This router 8 is connected to the central device 4 in the traffic control center.
The central device 4 constitutes a local area network (LAN) with the traffic signal device 1 and the roadside communication device 2 in the area under its control. The central device 4 may be installed on the road instead of the traffic control center.

  The roadside sensor 6 is installed in various places on the road in the jurisdiction area for the purpose of counting the number of vehicles flowing into or out of each intersection. The roadside sensor 6 includes a vehicle sensor that ultrasonically senses the vehicle 5 that passes directly below, or a monitoring camera that captures traffic conditions on the road in time series, and the sensing information and image data are transmitted through the wired communication line 7. To the central device 4. In FIG. 1, for the sake of simplicity, only one signal lamp is depicted at each intersection. However, at each actual intersection, at least four signal lights are used for ascending and descending roads that intersect each other. A vessel is installed.

In an intelligent road traffic system, a plurality of roadside communication devices 2 installed at a plurality of intersections constituting a wireless communication system are wirelessly communicated with an in-vehicle communication device 3 of a vehicle traveling around the roadside communication (road-to-vehicle communication). Is possible.
Each roadside communication device 2 is also capable of wireless communication (inter-road communication) with other roadside communication devices 2 that are located within a predetermined range within which their transmission waves reach.
The in-vehicle communication device 3 that also constitutes a wireless communication system performs wireless communication (inter-road communication) with the roadside communication device 2 by the carrier sense method, and wireless communication with other in-vehicle communication devices 3 (vehicles). Inter-vehicle communication) is possible.

The road-to-road communication is communication performed between the roadside communication devices 2, and is performed when one roadside communication device 2 transmits a communication packet toward another roadside communication device 2.
Road-to-vehicle communication is communication performed between the roadside communication device 2 and the vehicle-mounted communication device 3, and the roadside communication device 2 broadcasts a communication packet (road-vehicle communication information) to the vehicle-mounted communication device 3. Is done by doing.
The inter-vehicle communication is communication performed between the in-vehicle communication devices 3 and is performed by transmitting a communication packet (vehicle-to-vehicle communication information) by a carrier sense method.
The inter-vehicle communication is communication performed between the in-vehicle communication device 3 and the roadside communication device 2, and the in-vehicle communication device 3 sends a communication packet (into the roadside communication) to the roadside communication device 2 using a carrier sense method. (Communication information) is transmitted.

The traffic signal device 1 and the roadside communication device 2 (online roadside communication device 2a) connected to the central device 4 via the wired communication line 7 are one of all the roadside communication devices 2 included in the area controlled by the central device 4. There is also a roadside communication device 2 (stand-alone roadside communication device 2b) that is not connected to the central device 4 via the wired communication line 7.
In FIG. 1, the roadside communication devices 2 installed at intersections J4 to J6 are online roadside communication devices 2a, and the roadside communication devices 2 installed at other intersections are stand-alone roadside communication devices 2b.

  The stand-alone roadside communication device 2b performs wireless communication with other online roadside communication devices 2a and other stand-alone roadside communication devices 2b, and exchanges information necessary for the system, such as traffic information, signal information, and device management information. Do.

FIG. 2 is a diagram illustrating an example of a communication connection mode of each roadside communication device 2 in the present system. As shown in the drawing, each online roadside communication device 2a is connected to the central device 4 via a wired communication line 7 and lower devices such as a router and a communication processing device. Therefore, the online roadside communication device 2 a acquires various information given from the central device 4 through the wired communication line 7.
In addition, the stand-alone roadside communication device 2b is communicably connected to the online roadside communication device 2a by roadside communication. Therefore, the stand-alone roadside communication device 2b acquires various information given from the central device 4 through road-to-road communication with the online roadside communication device 2a.

FIG. 3 is a block diagram illustrating a configuration of the roadside communication device 2 according to the present embodiment.
As shown in FIG. 3, the online roadside communication device 2 a is related to a wireless module 21 to which an antenna 20 is connected, a wired communication unit 22 for communicating with the central device 4 via a wired communication line 7, and communication control. And a communication processing device 23 that performs processing.

The communication processing device 23 has a function of performing processing related to wireless communication and wired communication by controlling the wireless module 21 and the wired communication unit 22.
The communication processing device 23 has a function of processing transmission / reception data transmitted and received by communication such as road-to-vehicle (vehicle) communication and road-to-road communication. The communication processing device 23 also has a function of processing transmission / reception data transmitted / received by wired communication with the central device 4.

  The wireless module 21 is a wireless device for performing wireless transmission / reception in road-to-vehicle (road) communication and road-to-road communication. The wireless module 21 wirelessly transmits transmission data regarding road-to-vehicle communication, road-to-road communication, and the like given from the communication processing device 23 as a transmission signal. Further, the wireless module 21 receives a reception signal by road-to-vehicle (vehicle) communication and road-to-road communication, and provides the received reception signal to the communication processing device 23 as reception data.

As shown in FIG. 3, the stand-alone roadside communication device 2 b includes a wireless module 24 and a communication processing device 23, but does not include a wired communication unit for performing wired communication with the central device 4.
The communication processing device 23 of the stand-alone roadside communication device 2b and the communication processing device 23 of the online roadside communication device 2a have the same function.
The wireless module 24 of the stand-alone roadside communication device 2b has substantially the same function as the wireless module 21 of the online roadside communication device 2a.

FIG. 4 is a block diagram illustrating a configuration of the wireless module 24.
The wireless module 24 includes a transmission / reception unit 30 to which the antenna 20 is connected, a processing unit 31, and a storage unit 32.
The transmission / reception unit 30 has a function of modulating / demodulating and amplifying transmission / reception signals transmitted / received by the antenna 20.

The processing unit 31 constitutes a computer together with the storage unit 32, and the functions of the processing unit 31 are realized by the processing unit 31 executing a computer program stored in the storage unit 32.
The processing unit 31 functionally includes a communication control unit 33 and a timer 34.
The communication control unit 33 performs necessary processing on the transmission data provided from the communication processing device 23 and provides the transmission data subjected to the necessary processing to the transmission / reception unit 30 as a transmission signal. In addition, the communication control unit 33 performs necessary processing on the reception signal received by the transmission / reception unit 30, acquires reception data from the reception signal, and supplies the received data to the communication processing device 23.

The communication control unit 33 also has a function of executing a security process as a necessary process when transmitting / receiving data.
The communication control unit 33 performs security processing based on an electronic signature method when performing road-to-vehicle communication and road-to-road communication.
The communication control unit 33 includes a first update unit 35, a second update unit 36, and a restoration unit 37 as functional units for executing update processing of information used for security processing.
Security processing performed by the communication control unit 33 will be described later.

  Furthermore, the communication control unit 33 has a function of causing the timer 34 to count the current date and time necessary for executing various processes. The communication control unit 33 sets the date and time counted by the timer 34 to be the current date and time (current date and time) based on the time information given from the central device 4 and causes the timer 34 to count the current date and time.

Note that the timer 34 outputs an indefinite value when the current date and time cannot be measured because the wireless module 24 is reset or the power is turned off while measuring the current date and time. To do. The indeterminate value is a value represented by a value other than the value for representing the date and time, and is a value that cannot be recognized as the date and time by the other party receiving it.
When the timer 34 outputs an indefinite value due to power-off or the like, when the communication control unit 33 acquires the time information, the communication control unit 33 sets the timer 34 to time the current date and time based on the time information.

The time information from the central device 4 may be given in response to the request by requesting the time information from the roadside communication device 2 to the central device 4 in addition to being given periodically.
The time information from the central device 4 may be given to the communication control unit 33 from the communication processing device 23 in addition to being given to the communication control unit 33 through the road-to-road communication with the online roadside communication device 2a.

Here, the online roadside communication device 2 a can acquire time information through either the roadside communication by the wireless module 21 or the wired communication by the wired communication unit 22.
On the other hand, the stand-alone roadside communication device 2b acquires time information only through road-to-road communication with the online roadside communication device 2a by the wireless module 24.

The communication processing device 23 has a function of measuring the current date and time based on time information from the central device 4 given through either road-to-road communication or wired communication.
Therefore, for example, when the wireless module 21 (or the wireless module 24) is reset and the timer 34 is also reset, the communication control unit 33 acquires information indicating the current date and time from the communication processing device 23, and from the communication processing device 23. Based on this information, the timer 34 can be made to measure the current date and time.

  In addition to the computer program described above, the storage unit 32 stores information used for security processing executed by the communication control unit 33.

[About security processing]
The wireless module 24 of the present embodiment performs security processing based on the electronic signature method as described above when performing road-to-vehicle communication and road-to-road communication.

FIG. 5A is a diagram illustrating an aspect of transmission data transmitted by the wireless module 24.
When performing the road-to-vehicle communication and the road-to-road communication, the wireless module 24 adds the public key certificate 41 and the electronic signature 42 to the transmission data and transmits it.

Upon receiving the transmission data to which the public key certificate 41 and the electronic signature 42 are added, the receiving-side radio (wireless module 24) verifies the electronic signature 42 on the transmission data, and verifies the public key certificate 41. By performing the above, it is possible to confirm that the transmission source of the received transmission data is not spoofed and to confirm that the data has not been tampered with.
Therefore, if the public key certificate 41 and the electronic signature 42 are not added to the received transmission data, the receiving side wireless device (wireless modules 21 and 24) discards the transmission data without giving it to the communication processing device 23. To do.

  The public key certificate 41 has an expiration date, and the reception of the transmission data to which the public key certificate 41 and the electronic signature 42 using the electronic signature data with the expiration date are received is received. The wireless device (wireless module 21, 24) discards the received transmission data without giving it to the communication processing device 23.

For this reason, the communication control unit 33 cannot provide transmission data to the receiving-side radio (radio modules 21 and 24) unless security processing is performed, and can perform road-to-vehicle communication and road-to-road communication. Can not.
Therefore, when transmitting the transmission data, the communication control unit 33 adds a valid (not expired) public key certificate 41 and electronic signature 42 to the transmission data as a security process, and transmits the transmission data. .

The storage unit 32 of the wireless module 24 stores electronic signature data (key pair) that is security processing data used by the communication control unit 33 for security processing.
FIG. 5B is a diagram illustrating an example of electronic signature data stored in the storage unit 32.
As shown in FIG. 5B, a plurality of electronic signature data is stored in the storage unit 32 as the key pair table 40.

  Each of the plurality of digital signature data is configured by a pair of a roadside public key certificate (public key certificate of the roadside communication device 2) 41 and a private key 43.

The secret key 43 is used by the communication control unit 33 to generate an electronic signature 42 to be added to transmission data.
As shown in FIG. 5B, the roadside public key certificate 41 includes a public key 41a of the roadside communication device 2 and expiration date information 41b of the public key 41a. That is, the electronic signature data constitutes a key pair including the public key 41 a and the private key 43 that are used in pairs.
The roadside public key certificate 41 is for the management organization to prove that the owner of the public key 41 a is the roadside communication device 2. The management organization is a third party organization (certificate authority: CA) other than the ITS service provider.
The expiration date information 41b is information indicating the expiration date of each public key 41a (each electronic signature data).

In the key pair table 40, each of a plurality of electronic signature data is associated with a key ID 44 that is identification information for identifying each electronic signature data (each key pair).
The key ID 44 indicates the generation of each digital signature data. The expiration dates for multiple digital signature data are set to be different from each other. By setting a valid period for each generation, the digital signature data to be used for each generation is set. ing.
In the plurality of electronic signature data, the expiration date of the public key 41a indicated by the expiration date information 41b is set to the earlier time as the digital signature data of the previous generation (the larger the number of key IDs 44).

  In the key pair table 40 of the present embodiment, n keys from “1” to “n” are registered as key IDs 44 (“i”), and n key signatures 44 are used for n electronic signatures. Data is registered. Therefore, electronic signature data for n generations from the first generation to the nth generation is registered in the key pair table 40.

  The communication control unit 33 selects and uses one of a plurality of electronic signature data. The communication control unit 33 identifies the key ID 44 indicating the electronic signature data of the generation corresponding to the current date and time, and reads out the electronic signature data corresponding to the identified key ID 44 from the key pair table 40.

The storage unit 32 of the wireless module 24 stores an expiration date list in which the key ID 44 and the expiration date of the electronic signature data are registered in association with each other.
FIG. 5C shows an example of the expiration date list.
In the expiration date list 45, the key ID 44 and the expiration date indicated by the expiration date information 41b of the electronic signature data corresponding to the key ID 44 are registered.

The communication control unit 33 refers to the expiration date list in order to specify the digital signature data of the generation corresponding to the current date and time.
The communication control unit 33 specifies the key ID 44 that is the nearest expiration date among the expiration dates that have not passed the current date and time counted by the timer 34 from the expiration date list 45, and the electronic ID indicated by the key ID 44 The signature data is used as electronic signature data for the current generation (current generation).
As a result, the communication control unit 33 uses the valid (not expired) digital signature data, and adds the valid public key certificate 41 and the digital signature 42 to the transmission data. To send.

  The communication control unit 33 stores the key ID 44 (current generation key ID 44) indicating the specified current generation electronic signature data in the storage unit 32, and then refers to the key pair table 40 to set the current generation key ID 44 as the current generation key ID 44. The corresponding electronic signature data is read from the key pair table 40.

FIG. 6 is a diagram schematically illustrating information stored in the storage unit 32.
As illustrated in FIG. 6, the storage unit 32 includes a volatile storage unit 50 and a nonvolatile storage unit 51.
In the volatile storage unit 50, a use key ID area 52 for writing a key ID 44 corresponding to electronic signature data to be used by the communication control unit 33, and a next generation electronic signature that is the next generation of the current generation. And a next generation key ID area 53, which is an area for writing a key ID 44 (next generation key ID 44) indicating data for use. The volatile storage unit 50 can store the current generation key ID 44 and the next generation key ID 44 by providing the use key ID area 52 and the next generation key ID area 53.
When the volatile storage unit 50 is reset by powering off or resetting the wireless module 24 or the roadside communication device 2, the information stored in each area is lost.

  The communication control unit 33 writes the key ID 44 corresponding to the electronic signature data to be used at present in the use key ID area 52. Further, the communication control unit 33 specifies the next generation key ID 44 and writes the specified next generation key ID 44 in the next generation key ID area 53.

  The nonvolatile storage unit 51 stores the key pair table 40 described above, and an area for storing a key ID used after the wireless module 24 is reset or restarted. A certain activation key ID area 54 is provided.

  When executing the security process, the communication control unit 33 refers to the key ID 44 written in the use key ID area 52 and stores the electronic signature data corresponding to the key ID 44 written in the use key ID area 52 in a nonvolatile manner. It reads out from the key pair table 40 of the memory | storage part 51, and uses it for a security process. Thereby, the digital signature data corresponding to the current generation key ID 44 is used for the security processing.

  Here, the electronic signature data has an expiration date as described above. For this reason, when the communication control unit 33 writes the current generation key ID 44 in the usage key ID area 52, the communication control unit 33 maintains the contents of the usage key ID area 52 until immediately before the current date and time reaches the expiration date.

For example, when the expiration date of the current generation electronic signature data becomes several days remaining and the communication control unit 33 needs to switch from the current generation electronic signature data to the next generation electronic signature data, the key ID 44 Is updated (update process).
The update process is performed by rewriting the stored contents of the used key ID area 52 from the current generation key ID 44 currently written to the next generation key ID 44.

FIG. 7 is a flowchart illustrating an example of the update process executed by the communication control unit 33.
First, the communication control unit 33 refers to the current date and time counted by the timer 34 and the expiration date list 45, and switches from the electronic signature data valid in the current generation to the electronic signature data valid in the next generation. The first update unit 35 is made to determine whether it is timing (step S1).
The first update unit 35 determines that it is the switching timing when the current date and time counted by the timer 34 is several days before the expiration date of the digital signature data valid in the current generation (for example, five days before).
When it is not determined as the switching timing, the first updating unit 35 returns to Step S1 again and determines whether it is the switching timing. Therefore, the 1st update part 35 performs determination of switching timing continuously until it determines with switching timing.

If it is determined in step S1 that it is the switching timing, the first update unit 35 proceeds to step S2 and stores the next generation key ID 44 written in the next generation key ID area 53 of the volatile storage unit 50 in a nonvolatile manner. It is written as stored information in the activation key ID area 54 of the unit 51 (step S2).
Here, the current generation key ID 44 is represented by “i”, and the next generation key ID 44 is represented by “i + 1”. Also, the current generation key ID 44 (ID = i) is written in the use key ID area 52, and the next generation key ID 44 (ID = i + 1) is stored in the next generation key ID area 53 in the stage of step S1. It is assumed that it has been written by the communication control unit 33.

Next, the first updating unit 35 proceeds to step S3, resets the wireless module 24, and restarts (step S3).
At this time, in this embodiment, the reset of the wireless module 24 also resets the volatile storage unit 50 of the storage unit 32, and the current generation key ID 44 and the next generation key ID 44 stored in the volatile storage unit 50 are Lost.

  Although the timer 34 is also reset by resetting the wireless module 24, as described above, the communication control unit 33 acquires information indicating the current date and time from the communication processing device 23 and causes the timer 34 to count the current date and time. be able to. Thereby, even after the reset of the wireless module 24, the timer 34 can measure the current date and time.

  In step S3, when the wireless module 24 is reset and restarted, and the volatile storage unit 50 is also reset, the restoration unit 37 of the communication control unit 33 proceeds to step S4 and stores the storage information in the nonvolatile storage unit 51. The next-generation key ID 44 is written in the use key ID area 52 of the volatile storage unit 50 (step S4).

The communication control unit 33 reads out the electronic signature data corresponding to the key ID 44 written in the used key ID area 52 from the key pair table 40 and uses it for the security processing. Therefore, the key ID 44 written in the used key ID area 52 is the current generation key ID 44.
In this way, the restoration unit 37 writes the next generation key ID 44 (ID = i + 1) into the used key ID area 52 of the volatile storage unit 50, thereby generating the next generation key ID 44 (ID = i + 1). Restored to the volatile storage unit 50 as the generation key ID 44.

That is, when the volatile storage unit 50 is reset, the restoration unit 37 restores the storage information stored in the nonvolatile storage unit 51 to the volatile storage unit 50 as a new current generation key ID 44 (first identification information). It has a function to do.
Further, the first updating unit 35 stores the next generation key ID 44 (second identification information) written in the next generation key ID area 53 of the volatile storage unit 50 in the nonvolatile storage unit 51 based on the switching timing. Then, the volatile storage unit 50 is reset to cause the restoration unit 37 to restore the storage information in the non-volatile storage unit 51 to the volatile storage unit 50 as a new current generation key ID 44. It has a function of updating the ID 44 with the next-generation key ID 44.

After step S4, the second update unit 36 of the communication control unit 33 proceeds to step S5, and writes the n-th generation key ID 44 (ID = n) in the activation key ID area 54 of the nonvolatile storage unit 51 (step S5). S5).
The electronic signature data corresponding to the nth generation key ID 44 (ID = n) is the electronic signature corresponding to the future generation among the n generations of electronic signature data registered in the key pair table 40. Data. Therefore, the expiration date is set to the future in the digital signature data registered in the key pair table 40.

  As described above, the second update unit 36 stores the key ID 44 indicating the electronic signature data that can be used in the next generation or later after the first update unit 35 updates the current generation key ID 44 with the next generation key ID 44. It has a function of storing the information in the nonvolatile storage unit 51 as information.

  After step S5, the restoration unit 37 proceeds to step S6, further specifies the next generation key ID 44 (ID = (i + 1) +1), and specifies the specified next generation key ID 44 in the next generation of the volatile storage unit 50. Writing to the key ID area 53 (step S6), the process ends.

  As described above, the first update unit 35 and the second update unit 36 constitute an update unit that updates the current generation key ID 44 with the next generation key ID 44 based on the switching timing.

  Note that, as described above, the restoration unit 37 of the communication control unit 33 converts the storage information of the nonvolatile storage unit 51 into the use key ID area of the volatile storage unit 50 in response to the reset of the volatile storage unit 50 in the update process. 52, the key ID 44 stored as the stored information is restored to the volatile storage unit 50 as a new current generation key ID 44 (restoration process). Step S4).

  Therefore, the restoration unit 37 makes the storage information in the nonvolatile storage unit 51 volatile even when the roadside communication device 2 or the wireless module 24 is reset and restarted and the volatile storage unit 50 is reset except for the update process. A process of writing the key ID 44 in the used key ID area 52 of the storage unit 50 is performed.

FIG. 8 is a flowchart illustrating an example of processing of the restoration unit 37 at the time of restart other than the update processing.
First, when a restart other than the update process occurs (step S13), the volatile storage unit 50 is reset, so the restoration unit 37 uses the storage information in the nonvolatile storage unit 51 as the key used for the volatile storage unit 50. Write in the ID area 52 (step S14).
At this time, the n-th generation key ID 44 (ID = n) is written in the activation key ID area 54 of the nonvolatile storage unit 51 in step S5 in FIG.
Accordingly, in step S14, the restoration unit 37 writes the nth generation key ID 44 (ID = n) in the used key ID area 52 of the volatile storage unit 50 (step S14).

  As a result, the communication control unit 33 executes security processing using the electronic signature data corresponding to the nth generation key ID 44.

Next, the restoration unit 37 determines whether or not the timer 34 has started counting the current time (step S15).
If it is determined that the current time has not been started, the restoration unit 37 returns to step S15 and repeats the determination of whether or not the current time has been started.

  On the other hand, if it is determined that the current time has been started, the restoration unit 37 proceeds to step S16, specifies the next generation key ID 44 (next generation key ID 44) corresponding to the current time, The identified next-generation key ID 44 is written into the next-generation key ID area 53 of the volatile storage unit 50 (step S16), and the process is terminated.

  As described above, the restoration unit 37 performs a process of writing the stored ID information in the nonvolatile storage unit 51 into the used key ID area 52 of the volatile storage unit 50 even during reset and restart other than the update process. Even if the power of the roadside communication device 2b is turned off for some reason and the current generation key ID 44 stored in the volatile storage unit 50 is lost, the key ID 44 stored as storage information in the nonvolatile storage unit 51 is used. Then, the new current generation key ID 44 is written in the used key ID area 52.

The wireless module 21 of the online roadside communication device 2a is also configured to perform the same processing as the wireless module 24 of the above-mentioned stand-alone roadside communication device 2b.
However, the radio processing module 23 of the online roadside communication device 2a can acquire time information from the central device 4 by wired communication even if the power of the roadside communication device 2a is turned off for some reason. The information indicating the current date and time can be acquired through.
Therefore, even if the power of the roadside communication device 2b is turned off for some reason and the timer 34 is reset, the wireless module 21 of the online roadside communication device 2a can grasp the current date and time.

Here, when the generation progresses between the power-off timing of the online roadside communication device 2a and the subsequent restart timing, and the expiration date of the electronic signature data used before the power-off expires If the key ID 44 written in the activation key ID area 54 of the nonvolatile storage unit 51 is the key ID written in step S2 of the immediately preceding update process, the electronic signature data expired. A key ID 44 corresponding to is considered.
In this case, the wireless module 21 of the online roadside communication device 2a performs roadside communication using the electronic signature data with other roadside communication devices 2 even if restoration processing is performed in response to the restart. I can't do that. This is because the expiration date of the electronic signature data of the key ID 44 restored in the used key ID area 52 has expired.
However, since the wireless module 21 of the online roadside communication device 2a can time the current date and time as described above, it can recognize the current generation and execute update processing.

If the update process can be executed, the wireless module 21 of the online roadside communication device 2a can perform security processing using valid digital signature data, and can perform wireless communication with other communication devices. .
Therefore, in the wireless module 21 of the online roadside communication device 2a, for example, the key ID 44 written in the used key ID area 52 of the volatile storage unit 50 in step S14 is the key corresponding to the electronic signature data whose expiration date has expired. Even if it is ID44, since an update process can be performed after that, wireless communication with another communication apparatus is attained.

Therefore, in the wireless module 21 of the online roadside communication device 2a, the key ID 44 to be written in the used key ID area 52 of the volatile storage unit 50 in step S14 needs to be the nth generation key ID 44 (ID = n). Low.
Therefore, in the update process executed by the wireless module 21 of the online roadside communication device 2a, the second update unit 36 that executes the process shown in step S5 in FIG. 7 can be omitted.

  On the other hand, for the wireless module 24 of the stand-alone roadside communication device 2b, the generation progresses between the power-off timing and the subsequent restart timing, and the expiration date of the electronic signature data used before the power-off is reached. If the key ID 44 written in the activation key ID area 54 of the nonvolatile storage unit 51 is the key ID 44 corresponding to the expired electronic signature data, the wireless module of the stand-alone roadside communication device 2b. 24, even if restoration processing is performed, it becomes impossible to perform road-to-road communication using data for electronic signatures with other roadside communication devices 2, and time information from the central device 4 can be acquired. become unable.

  For this reason, the stand-alone roadside communication device 2b cannot execute update processing and cannot perform security processing using valid electronic signature data, and thus performs wireless communication with other communication devices. It may be difficult to get out of a state where it cannot.

In this regard, in the wireless module 24 of the stand-alone roadside communication device 2b of the present embodiment, the next generation key ID 44 stored in the nonvolatile storage unit 51 is restored to the volatile storage unit 50 as the new current generation key ID 44. After updating the current generation key ID 44 (step S4 in FIG. 7), the nth generation key ID 44 (ID = n) is written in the activation key ID area 54 of the nonvolatile storage unit 51.
Therefore, after that, when the wireless module 24 of the stand-alone roadside communication device 2b is turned off for some reason and the volatile storage unit 50 is reset, the restoration unit 37 receives the nth generation key ID 44 (ID = n). Is restored to the volatile storage unit 50 as the new current generation key ID 44 (step S14 in FIG. 8). This n-th generation key ID 44 is a key ID 44 of electronic signature data whose expiration date is set to the future among a plurality of electronic signature data.

Therefore, even if the expiration date of the electronic signature data used before turning off the power of the stand-alone roadside communication device 2b expires, the used key ID area 52 of the volatile storage unit 50 is restored to the nth generation by the restoration process. The key ID 44 is restored. For this reason, the communication control unit 33 can perform security processing by using the electronic signature data whose expiration date is set to the future among the plurality of electronic signature data. Can communicate with each other.
As a result, it is possible to prevent a state in which wireless communication with another wireless device cannot be performed due to expiration of the electronic signature data.

[Specific examples of processing]
FIG. 9 is a diagram showing an example of the processing mode when the stand-alone roadside communication device 2b is activated for the first time after installation.

  In the figure, the horizontal axis indicates the passage of time. In the figure, “expiration date” indicates the expiration date of the current generation electronic signature data and the current generation key ID 44. “Use” of “volatile memory” indicates the key ID 44 written in the use key ID area 52 of the volatile storage unit 50. “Next” of “volatile memory” indicates the key ID 44 written in the next generation key ID area 53 of the volatile storage unit 50. “Nonvolatile memory” indicates the key ID 44 written in the activation key ID area 54 of the nonvolatile storage unit 51. “Timer” indicates the operation status of the timer 34.

In the figure, the number in “# number” indicates the key ID 44. For example, “# 1” indicates that the key ID 44 is “1”.
In the “expiration date”, the number in the “# number” represents the generation of the digital signature data that is valid during the period together with the key ID 44. For example, “# 1” indicates the first generation. In “volatile memory” and “nonvolatile memory”, the key ID 44 written in each area is shown.

In the present embodiment, an n-th generation key ID 44 (ID = n) is written as initial storage information in the activation key ID area 54 of the nonvolatile storage unit 51 (of the wireless module 24) of the stand-alone roadside communication device 2b. Yes.
For this reason, when the stand-alone roadside communication device 2b is installed and activated for the first time, the restoration unit 37 writes the n-th generation key ID 44 (ID = n) in the used key ID area 52 of the volatile storage unit 50.

In addition, at the time of initial activation, the communication control unit 33 of the wireless module 24 has not yet acquired time information from the central device 4, so the timer 34 does not measure the current date and time and outputs an indefinite value. . For this reason, it is expressed as “indefinite” in FIG. 9.
Therefore, the communication control unit 33 of the wireless module 24 cannot grasp the current date and time and cannot identify the current generation key ID 44 and the next generation key ID 44.
For this reason, at the time of the first activation, information is not written in the next generation key ID area 53 of the volatile storage unit 50 and is indefinite. For this reason, it is expressed as “indefinite” in FIG. 9.

In this embodiment, since the nth generation key ID 44 (ID = n) is written as the initial storage information in the activation key ID area 54 of the nonvolatile storage unit 51 of the wireless module 24, the first activation is performed. The restoration unit 37 writes the nth generation key ID 44 (ID = n) in the used key ID area 52 of the volatile storage unit 50.
For this reason, the wireless module 24 performs security processing using the electronic signature data corresponding to the nth generation key ID 44 (ID = n), so that the electronic signature data to be used is used regardless of the time of initial activation. Can be prevented from expiring.
Therefore, even if the current date and time cannot be grasped by the timer 34, the wireless module 24 executes security processing using valid digital signature data and performs road-to-road communication with other roadside communication devices 2. Can do.

Since the wireless module 24 can perform road-to-road communication with other roadside communication devices 2, the time information from the central device 4 can be acquired through the road-to-road communication.
As illustrated in FIG. 9, when the wireless module 24 acquires time information from the central device 4, the wireless module 24 causes the timer 34 to start measuring the current date and time.
This also allows the wireless module 24 to specify the current generation key ID 44. Therefore, when the time information is acquired, the wireless module 24 specifies the current generation key ID 44 and writes the current generation key ID 44 in the next generation key ID area 53 of the volatile storage unit 50.
In FIG. 9, since the valid electronic signature data is the first generation when the time information is acquired, the wireless module 24 uses the first generation key ID 44 (ID = 1) as the next generation key ID 44 for the next generation. Write to the key ID area 53.

  At a timing (update timing) when a predetermined period has elapsed since the first generation (current generation) key ID 44 (ID = 1) is written in the next generation key ID area 53 of the volatile storage unit 50, the wireless module 24 Processing for writing the first generation key ID 44 (ID = 1) in the used key ID area 52 of the volatile storage unit 50 is executed.

  That is, the wireless module 24 first uses the first generation key ID 44 (ID = 1) written in the next generation key ID area 53 of the volatile storage unit 50 at the update timing as the activation key of the nonvolatile storage unit 51. Write to the ID area 54.

Thereafter, the wireless module 24 resets and restarts the own wireless module 24.
The volatile storage unit 50 is reset by the restart. Therefore, the wireless module 24 writes the storage information (first generation key ID 44 (ID = 1)) of the nonvolatile storage unit 51 into the used key ID area 52 of the volatile storage unit 50. Further, the wireless module 24 writes the second generation key ID 44 (ID = 2) in the next generation key ID area 53 as the next generation key ID 44.

In addition, the wireless module 24 writes the nth generation key ID 44 (ID = n) in the activation key ID area 54 of the nonvolatile storage unit 51.
According to the above procedure, the wireless module 24 is in a state where wireless communication can be performed by performing security processing using the current generation key ID 44 (ID = 1) after the initial activation.

FIG. 10 is a diagram illustrating an example of the processing of the update process by the stand-alone roadside communication device 2b and the process at the time of restart other than the update process over time.
10 shows the continuation of the mode shown in FIG. 9, and the generations and the contents stored in the storage unit are continued from FIG.

The wireless module 24 of the stand-alone roadside communication device 2b starts the update process from the first generation to the second generation at the switching timing in FIG.
Note that, as described above, the wireless module 24 determines that it is the switching timing when it is several days before the expiration date of the electronic signature data valid in the first generation (current generation) (for example, 5 days before).

In addition, the use start date and time is set for the electronic signature data effective in the second generation (next generation). The use start date and time of the second generation electronic signature data is set, for example, a few days before the expiration date of the first generation (current generation) electronic signature data (for example, five days before). As described above, the current generation electronic signature data and the next generation electronic signature data may have overlapping effective periods.
The wireless module 24 can set the switching timing from the use start date and time of the second generation electronic signature data to the expiration date of the first generation (current generation) electronic signature data.

  Note that the use start date and time set for the electronic signature data indicates the date and time when the use should start, and does not indicate the start date when the data can be used. Therefore, for example, it does not mean that the second generation electronic signature data cannot be used because the current date and time has not reached the use start date and time of the second generation electronic signature data.

At the switching timing, the wireless module 24 stores the first generation key ID 44 (ID = 1) (first identification information) and the second generation key ID 44 (ID = 2) (second) in the volatile storage unit 50. Identification information) is stored.
The wireless module 24 writes the second generation key ID 44 (ID = 2) written in the next generation key ID area 53 of the volatile storage unit 50 as the storage information of the activation key ID area 54 of the nonvolatile storage unit 51. (Step S2 in FIG. 7).

Next, the wireless module 24 resets and restarts the own wireless module 24.
When the wireless module 24 is reset and restarted and the volatile storage unit 50 is also reset, the wireless module 24 uses the second generation key ID 44 (ID = 2), which is the storage information of the nonvolatile storage unit 51, to be volatile. The data is written in the used key ID area 52 of the storage unit 50 (step S4 in FIG. 7).

Further, the wireless module 24 writes the n-th generation key ID 44 (ID = n) in the activation key ID area 54 of the nonvolatile storage unit 51 (step S5 in FIG. 7).
Then, the wireless module 24 identifies the next generation key ID 44 (third generation key ID 44 (ID = 3)), and identifies the third generation key ID 44 (ID = 3), which is the identified next generation key ID 44. Writing to the next-generation key ID area 53 of the volatile storage unit 50 (step S6 in FIG. 7), the update process ends.

As described above, the wireless module 24 writes the second generation key ID 44 (ID = 2) in the use key ID area 52 of the volatile storage unit 50 and the nth generation in the activation key ID area 54 of the nonvolatile storage unit 51. Key ID 44 (ID = n) is written.
In the update process, the wireless module 24 acquires information related to the current date and time from the communication processing device 23, so that the timer 34 can continuously measure the current date and time.

In FIG. 10, the power interruption indicates a case where the stand-alone roadside communication device 2b is turned off and restarted for some reason.
When the power is turned off, the volatile storage unit 50 of the wireless module 24 is reset, and the used key ID area 52 and the next-generation key ID area 53 become undefined. Therefore, the storage information of the nonvolatile storage unit 51 is written into the use key ID area 52 of the volatile storage unit 50 (step S14 in FIG. 8).

  Thereafter, when time information is acquired and it is specified that the next generation key ID 44 is the third generation key ID 44 (ID = 3), the specified key ID 44 is used as the next generation key ID area 53 of the volatile storage unit 50. (Step S16 in FIG. 8), and the process ends.

  In this case, since the nth generation key ID 44 (ID = n) is written in the activation key ID area 54 of the nonvolatile storage unit 51 in the update process executed at the switching timing, the stand-alone roadside communication device 2b is turned off When restarted, the nth generation key ID 44 (ID = n) can be restored as the current generation key ID 44 in the used key ID area 52 of the volatile storage unit 50.

Therefore, even if the process proceeds from the second generation to the third generation between the power-off and restart in FIG. 10, the wireless module 24 stores the use key ID area 52 of the volatile storage unit 50 in the use key ID area 52. Since the nth generation key ID 44 (ID = n) is written, security processing can be performed using electronic signature data whose expiration date is set to the future among a plurality of electronic signature data. It is possible to communicate with the other roadside communication device 2.
As a result, it is possible to prevent a situation in which wireless communication with another wireless device cannot be performed due to expiration of the electronic signature data.

[Others]
In each of the above embodiments, the second update unit 36 writes the n-th generation key ID 44 (ID = n) in the activation key ID area 54 of the nonvolatile storage unit 51 in step S5 in FIG. As shown, the information to be written in the activation key ID area 54 as the storage information of the nonvolatile storage unit 51 is a key ID 44 other than the next generation key ID 44 (ID = i + 1) and can be used in the next generation or later. A key ID 44 indicating data may be used. For example, a key ID 44 of a generation several generations later than a next-generation key ID 44 (ID = i + 1) may be used, or a key ID 44 with no expiration date set may be used. Alternatively, a key ID 44 or the like for which restrictions such as an expiration date are released for use in an emergency may be used.

The embodiment disclosed this time should be considered as illustrative in all points and not restrictive.
The scope of the present invention is defined by the terms of the claims, rather than the meanings described above, and is intended to include any modifications within the scope and meaning equivalent to the terms of the claims.

DESCRIPTION OF SYMBOLS 1 Traffic signal device 2 Roadside communication device 2a Online roadside communication device 2b Stand-alone roadside communication device 3 In-vehicle communication device 4 Central device 5 Vehicle 6 Roadside sensor 7 Wired communication line 8 Router 20 Antenna 21 Wireless module 22 Wired communication unit 23 Communication processing device 24 Wireless Module 30 Transmission / Reception Unit 31 Processing Unit 32 Storage Unit 33 Communication Control Unit 34 Timer 35 First Update Unit 36 Second Update Unit 37 Restore Unit 40 Key Pair Table 41 Public Key Certificate 41a Public Key 41b Expiration Date Information 42 Electronic Signature 43 Secret Key 44 Key ID
45 Expiration Date List 50 Volatile Storage Unit 51 Nonvolatile Storage Unit 52 Used Key ID Area 53 Next Generation Key ID Area 54 Activation Key ID Area J1-J9 Intersection

Claims (6)

A wireless device that obtains time information from another wireless device and performs wireless communication using a plurality of security processing data corresponding to a plurality of generations with the other wireless device,
Volatility for storing first identification information indicating current generation security processing data used for the wireless communication and second identification information indicating next generation security processing data among the plurality of security processing data A storage unit;
A non-volatile storage unit that stores storage information indicating any of the plurality of security processing data;
When the volatile storage unit is reset, a restoration unit that restores the storage information stored in the nonvolatile storage unit to the volatile storage unit as new first identification information;
An update unit that updates the first identification information with the second identification information based on the timing of switching from the current generation security processing data to the next generation security processing data, which is specified based on the time information. And comprising
The update unit
Based on the timing, the second identification information is stored in the non-volatile storage unit, and then the volatile storage unit is reset, so that the storage unit stores new information stored in the non-volatile storage unit. A first processing unit that restores the volatile storage unit as the first identification information and updates the first identification information with the second identification information;
After the first processing unit updates the first identification information, identification information indicating security processing data that is security processing data other than the next generation security processing data and can be used in the next generation or later. And a second processing unit that stores the stored information in the nonvolatile storage unit.   The security processing data other than the next generation security processing data and usable in the next generation or later is the security processing data corresponding to the future generation of the plurality of generations. The wireless device according to claim 1.   The wireless device according to claim 1, wherein the nonvolatile storage unit stores identification information indicating security processing data corresponding to a future generation of the plurality of generations as initial storage information.   A roadside communication device comprising the wireless device according to any one of claims 1 to 3. A wireless device that acquires time information from another wireless device and performs wireless communication with the other wireless device using a plurality of security processing data corresponding to a plurality of generations, the plurality of security processing devices A volatile storage unit that stores first identification information indicating current generation security processing data used for the wireless communication in the data and second identification information indicating next generation security processing data; A non-volatile storage unit that stores storage information indicating any one of the security processing data, and the first identification information update method that is executed in the wireless device,
When the volatile storage unit is reset, a restoration step of restoring the storage information stored in the nonvolatile storage unit to the volatile storage unit as new first identification information;
Based on the timing of switching from the current generation security processing data to the next generation security processing data specified based on the time information, the second identification information is stored in the nonvolatile storage unit, and then Resetting the volatile storage unit to restore the storage information of the nonvolatile storage unit to the volatile storage unit as the first identification information by the restoration step, and the first identification information to the An update step for updating with the second identification information;
After the updating step, identification information indicating security processing data other than the next generation security processing data and usable for the next generation or later is used as the storage information in the nonvolatile storage unit. And a storage step for storing. A wireless device that acquires time information from another wireless device and performs wireless communication with the other wireless device using a plurality of security processing data corresponding to a plurality of generations, the plurality of security processing devices A volatile storage unit that stores first identification information indicating current generation security processing data used for the wireless communication in the data and second identification information indicating next generation security processing data; A non-volatile storage unit that stores storage information indicating any one of the security processing data, and a computer program for causing the computer included in the wireless device to execute the update processing of the first identification information,
On the computer,
When the volatile storage unit is reset, a restoration step of restoring the storage information stored in the nonvolatile storage unit to the volatile storage unit as new first identification information;
Based on the timing of switching from the current generation security processing data to the next generation security processing data specified based on the time information, the second identification information is stored in the nonvolatile storage unit, and then Resetting the volatile storage unit to restore the storage information of the nonvolatile storage unit to the volatile storage unit as the first identification information by the restoration step, and the first identification information to the An update step for updating with the second identification information;
After the updating step, identification information indicating security processing data other than the next generation security processing data and usable for the next generation or later is used as the storage information in the nonvolatile storage unit. And a storage step for storing the computer program.

Images