JP2019041228A - Electronic control equipment - Google Patents

Abstract

To provide electronic control equipment capable of verifying legitimacy of a message, while reducing a processing load.SOLUTION: A MAC generating section 33 of an ECU30 divides a message body of a received message into multiple blocks, and generates a MAC by using a common key. A determination part 36 determines whether or not the generated MAC matches the MAC in the received message. A reference table storage section 35 is a block containing only the protection object data, and stores the reference data from a first block to a j-th block, and the reference table formed by encrypting reference data by a common key, and indicating correspondence with a cipher text, i.e., midway operation results of the MAC. The MAC generating section surveys the reference table, and when the data matching the reference data has been registered, refers to the cipher text corresponding to the reference data from the reference table, and generates the MAC by the referred cipher text, the common key, and the data of the remaining blocks not registered with the reference table.SELECTED DRAWING: Figure 3

Description

  The disclosure in this specification relates to an electronic control device connected to a network together with other devices.

  A CAN (Controller Area Network) is adopted as an in-vehicle network. CAN is a registered trademark. The message communicated in the CAN does not include the identification information of the transmission source and the destination. Therefore, a method has been proposed in which a message authentication code (MAC) is used to prevent message tampering, and a replay attack (replay attack) from an unauthorized device connected to the CAN is prevented (Patent Document 1). reference). In the electronic control device (communication device) disclosed in Patent Literature 1, a message authentication code is generated by an algorithm such as CMAC (Cipher based MAC).

JP 2017-38144 A

  When a block cipher based authentication algorithm such as CMAC is used, a message body and the above message authentication code are set in the data field. In order to prevent retransmission attacks, protection target data such as control data and data for preventing retransmission attacks (hereinafter, referred to as anti-retransmission attack data) are set as the message body. The resend-proof attack data is set at the end of the message body, for example. The resend-proof attack data is data that is updated according to a fixed rule, for example, in both transmission and reception. Thereby, even if the protection target data of the message body is the same, the message authentication code can be made different.

  When receiving the message, the electronic control unit divides the message body in the message into a plurality of blocks having a certain length. Then, a message authentication code is generated by calculation using the common key, and it is determined whether or not the generated message authentication code matches the message authentication code of the received message.

  As described above, since the message body is divided into a plurality of blocks and the encryption process is performed using the common key, it takes time to create a message authentication code and thus to verify the validity of the message. In particular, the longer the message (message body), the greater the processing load.

  The present disclosure has been made in view of such a problem, and an object thereof is to provide an electronic control device capable of verifying the validity of a message and reducing the processing load.

  The present disclosure employs the following technical means to achieve the above object. In addition, the code | symbol in parenthesis shows the corresponding relationship with the specific means as described in embodiment mentioned later as one aspect | mode, Comprising: The technical scope is not limited.

One of the present disclosure is an electronic control device connected to a network together with other devices,
Receives a message that is transmitted from another device and includes a message body in which data for preventing a replay attack is set subsequent to the protection target data to be protected, and a message authentication code calculated based on the message body Receiving unit (32),
A generating unit (33) that divides a message body of a message received by the receiving unit into a plurality of blocks having a certain length and generates a message authentication code by an operation using a common key;
A determination unit (36) for determining whether or not the message authentication code generated by the generation unit matches the message authentication code included in the message received by the reception unit;
A block including only the protection target data, the reference data being the protection target data from the first block to the j-th block (j is a positive number of 2 or more), and the reference data are encrypted with a common key, A storage unit (35) for storing a reference table indicating a correspondence relationship with a ciphertext that is an intermediate result of calculation of a message authentication code;
With
When the generation unit searches the reference table and determines that data matching the reference data of the message received by the reception unit is registered in the reference table, the generation unit refers to the ciphertext corresponding to the reference data from the reference table. Thus, a message authentication code is generated using the ciphertext referred to, the common key, and the remaining block data not registered in the reference table.

  Since the data for preventing a replay attack is at the end of the message body, if the reference data is the same, the intermediate result of the message authentication code calculation is also the same. In this electronic control device, a reference table indicating the correspondence between the reference data and the ciphertext corresponding to the reference data is stored. Then, the reference table is searched, and when data that matches the reference data in the message is registered in the reference table, the ciphertext corresponding to the reference data is referenced from the reference table to generate a message authentication code.

  In this way, since the ciphertext is referred to from the reference table, a part of the computation of the encryption process using the common key can be omitted. Therefore, the validity of the message can be verified, and the processing load can be reduced.

It is a figure which shows a communication system provided with the electronic control apparatus of 1st Embodiment. It is a figure which shows the structure of a data frame. It is a figure which shows an electronic control apparatus. It is a figure explaining normal processing of MAC generation. It is a figure explaining a reference table. It is a flowchart which shows a reception process. It is a figure which shows the electronic control apparatus of 2nd Embodiment. It is a flowchart which shows a reception process. It is a figure which shows the process which an edit part performs. It is a figure which shows the process which an edit part performs in the electronic control apparatus of 3rd Embodiment. It is a figure which shows the process which an edit part performs in the electronic control apparatus of 4th Embodiment. It is a flowchart which shows a reception process in the electronic control apparatus of 5th Embodiment.

  A plurality of embodiments will be described with reference to the drawings. In several embodiments, functionally and / or structurally corresponding parts are given the same reference numerals.

(First embodiment)
First, a communication system including the electronic control device of the present embodiment will be described based on FIG.

  A communication system 10 shown in FIG. 1 includes a CAN bus 20 and a plurality of electronic control units (Electronic Control Units) 30. CAN is a serial communication protocol that employs a bus network. Hereinafter, the electronic control unit 30 is referred to as an ECU 30. The plurality of ECUs 30 (nodes) are connected to the CAN bus 20. In the present embodiment, a plurality of ECUs 30 mounted on the vehicle are connected to the CAN bus 20 as nodes, and an in-vehicle network is constructed.

  The ECU 30 determines the validity of the message based on the message authentication code. Hereinafter, the message authentication code is denoted as MAC.

  Next, a data frame will be described with reference to FIG.

  As shown in FIG. 2, the data frame includes an ID field and a data field. In addition, a CRC field (not shown) is included. The message corresponds to a data frame that can be transmitted. In the ID field, an ID that is identification information indicating the type and priority of the message is set. For example, the ECU 30 on the receiving side refers to the ID to determine whether or not the data needs to be processed by itself.

  A message body and a MAC are set in the data field. The message body includes data to be protected and resend-proof attack data for preventing a replay attack (replay attack). The protection target data is information related to a specific function of the vehicle, such as a control function or a monitoring function. That is, the information to be protected. The data to be protected includes, for example, information related to the engine speed and information that instructs driving of the actuator.

  The retransmission resilience attack data is set subsequent to the protection target data. The retransmission resilience attack data is set at the end of the message body. The resend-proof attack data is data that is updated according to a rule determined for both transmission and reception. The retransmission resilience attack data is similarly updated by transmission / reception. In the present embodiment, the ECU 30 connected to the CAN bus 20 is updated according to a predetermined rule. For this reason, even if the protection target data of the message body is the same, the MAC can be made different.

  Specifically, when a message is wiretapped by an unauthorized device connected to the CAN bus 20 and this message is later retransmitted to the CAN bus 20, the resend resistant data of the retransmitted message is set at the time of wiretapping. . At the time of retransmission, the anti-retransmission attack data is updated in the ECU 30, and the MAC value differs accordingly, so that it is possible to determine that the retransmitted message is an illegal message.

  Next, the ECU 30 (electronic control device) of the present embodiment will be described with reference to FIGS. The configuration described below is the same for the plurality of ECUs 30.

  As shown in FIG. 3, the ECU 30 has a microcomputer 31. The microcomputer 31 includes a CPU, a ROM, a RAM, a flash memory, a register, an input / output interface, and the like. In the microcomputer 31, the CPU executes a predetermined process according to a control program stored in advance in the ROM while using a temporary storage function of a RAM or a register. The microcomputer 31 executes a predetermined process under software control. The microcomputer 31 includes a reception unit 32, a MAC generation unit 33, a common key storage unit 34, a reference table storage unit 35, and a determination unit 36 as functional units that verify the validity of the received message.

  The receiving unit 32 receives a message transmitted from another ECU 30. Based on the ID of the received message, the receiving unit 32 determines whether it is a processing target of the received ECU 30 (self) and requires authentication by the MAC. The other ECU 30 that has transmitted the message corresponds to another device.

  The MAC generation unit 33 generates a MAC using a common key when the received message is a processing target and a MAC authentication target. The MAC generation unit 33 corresponds to a generation unit that generates a MAC. The common key is an encryption key that is common between transmission and reception devices. The common key is stored in the common key storage unit 34. The MAC generation unit 33 performs switching between MAC generation by normal processing and MAC generation using a reference ciphertext according to conditions.

  First, normal processing will be described. The MAC generation unit 33 generates a MAC by applying a block cipher based authentication algorithm. In this embodiment, CMAC (Cipher based MAC) is applied. Normal processing is a technique known as CMAC.

First, the MAC generation unit 33 divides the message body into a plurality of blocks M ₁ , M ₂ ,..., M _n ^* having a certain length (predetermined bits) as shown in FIG. Hereinafter, a certain length is referred to as an encryption length. When M _n ^* satisfies the encryption length, as shown in FIG. 4, the exclusive OR (XOR) of M _n ^* and the common key K is set as the final block M _n . On the other hand, when M _n ^* is less than the encryption length, although not shown in the figure, padding (adding) data with a leading bit of 1 and a trailing bit of 0 is omitted. Then, the exclusive OR (XOR) of the padded M _n ^* and the common key K is defined as the final block M _n .

FIG. 4 is cited from the following known prior art.
NIST, Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication, Special Publication 800-38B.
MAC generation unit 33, the block _{M 1} of the first (1st), executes encryption processing CIPH _K using the common key K. For the i-th block (i is a positive number equal to or greater than 2), an exclusive OR with the result of the (i−1) -th encryption process CIPH _K is calculated, and this exclusive OR is calculated as the common key K. Use the encryption process CIPH _K. In the example shown in FIG. 5, the exclusive OR of the final block M _n and the result of the encryption process CIPH _K of the (n−1) -th block M _n−1 is calculated, and this exclusive OR is used as the common key. The encryption process CIPH K is performed using _K. Then, a process of cutting out the bit string obtained by the encryption process CIPH _K by Tlen bits having the MAC size from the left is executed, and the obtained value T is set as the MAC value. In the normal process, the encryption process CIPH _K for n times the number of blocks is executed to generate a MAC.

More specifically, the MAC generation unit 33 generates a MAC using the sub key K1 calculated from the common key K when M _n ^* satisfies the encryption length. When M _n ^* is less than the encryption length, a MAC is generated using the sub key K2 calculated from the common key K. However, in this embodiment, for the sake of convenience, the sub key and the common key are not distinguished, and are simply described as the common key. Therefore, also in FIG. 4, the common key K is shown instead of the subkey K1.

Next, processing using a reference ciphertext will be described. As described above, in the data field, anti-replay attack data is set at the end of the message body. Therefore, at least the last block M _n includes anti-retransmission attack data. Further, anti-retransmission attack data is data that is updated according to a predetermined rule. Therefore, the result of the encryption process CIPH _K using the common key K for the block including the anti-retransmission attack data is not always the same. On the other hand, for blocks including only protection target data, if the data is the same, the result of encryption processing CIPH _K using the common key K is also the same.

Therefore, a block that contains only protected data, j-th from the first block M ₁ (j is 2 or more positive) and reference block up to the block M _j of reference data protected data of said reference block And Then, a reference table showing a correspondence relationship between the reference data and the result of the encryption process CIPH _K using the common key K up to the block M _j , that is, the ciphertext that is the midway calculation result of the MAC by the normal process described above, It is stored in the reference table storage unit 35. The reference data is plain text, and the intermediate calculation result is the cipher text. The reference table storage unit 35 corresponds to a storage unit that stores a reference table.

In the present embodiment, as shown in FIG. 5, only the last block M _n includes anti-retransmission attack data. Protected data includes the first block M ₁ to the last block M _n. The protection target data up to the (n−1) th block M _{n−1 is} used as reference data. That is, the data of all blocks including only the protection target data is used as the reference data. Further, the result of the encryption process CIPH _K up to the (n−1) th block M _n−1 is used as an intermediate calculation result corresponding to the reference data. The reference table is stored in advance as a fixed value.

The MAC generation unit 33 extracts the reference data of the message body, in other words, the block in which the reference data is stored. Then, it is searched whether the extracted standard data is registered in the reference table. When the standard data of the received message is registered in the reference table, the corresponding ciphertext of the intermediate calculation result is referred to. That is, this ciphertext is used as a result of the encryption process CIPH _K up to the (n−1) -th block M _n−1 . Then, an exclusive OR of the ciphertext referred to and the final block _Mn is calculated, and this exclusive OR is subjected to encryption processing CIPH _K using the common key K. Thereafter, the same processing as the normal processing is executed. That is, the bit string obtained by the encryption process CIPH _K is extracted from the left by Tlen bits having the MAC size, and the obtained value T is set as the MAC value.

As described above, in the process using the reference ciphertext, the MAC is generated with a smaller number of calculations than in the normal process by referring to the intermediate calculation result (ciphertext) corresponding to the reference data registered in the reference table. To do. In this embodiment, the MAC is generated by two exclusive ORs and one encryption process CIPH _K.

  The determination unit 36 sets the MAC generated by the MAC generation unit 33 and the data field of the message received by the reception unit 32 when the received message is a processing target and an authentication target by the MAC. Compared to the MAC. Then, it is determined whether or not both MACs match.

  Furthermore, the microcomputer 31 includes a message main body generation unit 37, a frame generation unit 38, and a transmission unit 39 in addition to the MAC generation unit 33 and the common key storage unit 34 described above as functional units that transmit messages.

  The message body generation unit 37 generates a message body when the ECU 30 transmits a message. That is, the data to be protected and the anti-retransmission attack data are generated. The MAC generation unit 33 generates a MAC by executing the above-described normal processing, that is, encryption processing using a common key, on the message body generated by the message body generation unit 37.

  The frame generation unit 38 sets the message body generated by the message body generation unit 37 and the MAC generated by the MAC generation unit 33 in the data field of the data frame. In addition, a data frame that can be transmitted, that is, a message is generated by these processes of setting an ID in the ID field. Then, a message is transmitted from the transmission unit 39 to the CAN bus 20.

  Next, the reception process executed by the microcomputer 31 will be described with reference to FIG.

  When the receiving unit 32 receives a message, and the received message is a processing target and a MAC authentication target, the following processing is executed.

First, the MAC generation unit 33 extracts reference data from the message body set in the data field of the received message (step S10). Next, the MAC generation unit 33 searches the reference table (step S20) and determines whether or not the extracted reference data is registered in the reference table (step S30).
If it determines with having registered in the reference table in step S30, the MAC production | generation part 33 will refer to the ciphertext corresponding to the reference | standard data extracted from the reference table, ie, an intermediate calculation result (step S40). Then, the process using the reference ciphertext is executed to generate the MAC (step S50).

In the present embodiment, the ciphertext referred to is used as a result of the encryption process CIPH _K up to the (n−1) th block M _n−1, and an exclusive OR with the final block M _n is calculated. Then, the exclusive OR of the common key K encryption process using CIPH _K, a bit string obtained by the encryption process CIPH _K, running Tlen bits, cut processing is the MAC size from the left MAC Is generated.

  On the other hand, if it determines with having not registered in step S30, the MAC production | generation part 33 will perform the above-mentioned normal process, and produces | generates MAC (step S60).

  When the process of step S50 or step S60 ends, the determination unit 36 then determines whether or not the MAC generated by the process of step S50 or step S60 matches the MAC set in the data field of the received message. (Step S70).

  If it is determined in step S70 that they match, the determination unit 36 determines that the received message is a valid message (step S80). At this time, the determination unit 36 outputs a signal indicating that it is valid, for example. Thereby, ECU30 will perform the process using the protection object data of the received message.

  If it is determined in step S70 that they do not match, the determination unit 36 determines that the received message is an unauthorized message (step S90). At this time, the determination unit 36 outputs a signal indicating fraud. Thereby, ECU30 does not process the received message. Then, when the process of step S80 or step S90 ends, a series of reception processes ends.

  Next, effects of the ECU 30 and the communication system 10 of the present embodiment will be described.

As described above, the anti-retransmission attack data is set at the end of the message body. Therefore, a block that contains only protected data, from the first block M ₁ to j-th block M _j as the reference block, a reference data protected data of the reference block. The ECU 30 stores a correspondence relationship between the reference data and the MAC intermediate calculation result (ciphertext) that is the result of the encryption process CIPH _K using the common key K up to the block M _j as a reference table. .

When the standard data of the received message is registered in the reference table, the ECU 30 refers to the corresponding encrypted text of the intermediate calculation result. That is, this ciphertext is used as a result of the encryption process CIPH _K up to the j-th block M _j . Then, an exclusive OR between the ciphertext referred to and the (j + 1) -th block M _{j + 1} is calculated, and this exclusive OR is subjected to encryption processing CIPH _K using the common key K. Thereafter, the same processing as the normal processing is executed.

Thus, according to the ECU 30 of the present embodiment, when the standard data of the received message is registered in the reference table, the intermediate calculation result (ciphertext) of the reference table is referred to, so that the normal process is exclusive. A part of the logical sum and encryption processing CIPH _K can be omitted, and the MAC can be generated with fewer operations than the normal processing. Therefore, the validity of the message can be verified and the processing load can be reduced.

Further, the data of all blocks including only the protection target data is used as the reference data. In other words, all blocks including only the protection target data are set as the reference block. Therefore, the MAC can be generated with fewer operations than normal processing. In particular, in the present embodiment, of the n blocks, only the last block _Mn includes anti-retransmission attack data, and data of other blocks is used as reference data. Therefore, a MAC can be generated by two exclusive ORs and one encryption process CIPH _K. Thus, the processing load can be effectively reduced.

  The reference table is stored in advance in the reference table storage unit 35 as a fixed value that is not changed. This also can reduce the processing load.

(Second Embodiment)
This embodiment can refer to the preceding embodiment. For this reason, the description about the part which is common in the communication system 10 and ECU30 which were shown to prior embodiment is abbreviate | omitted.

  As shown in FIG. 7, the ECU 30 of the present embodiment further includes an editing unit 40 that edits the reference table. The editing unit 40 is configured as a functional unit of the microcomputer 31. The editing unit 40 executes an editing process for additionally registering unregistered reference data whose number of receptions is equal to or greater than a predetermined value and a midway calculation result corresponding to the reference data in the reference table of the reference table storage unit 35. The reference table storage unit 35 is configured by a rewritable nonvolatile memory such as a flash memory.

  The editing unit 40 stores, for example, in the RAM, the reference data that is not initially registered in the reference table and the intermediate calculation result corresponding to the reference data in association with the number of receptions (extraction number) of the reference data. The editing unit 40 acquires the extracted reference data and the intermediate calculation result for the reference data by the normal process from the MAC generation unit 33. The number of receptions is updated every time the MAC generation unit 33 extracts reference data and generates a MAC. The number of receptions may be counted on the MAC generation unit 33 side or on the editing unit 40 side.

  FIG. 8 shows a reception process executed by the microcomputer 31. The point that the process of step S65 is added is different from the preceding embodiment (FIG. 6). In FIG. 8, after the process of step S60 is complete | finished, the process which edits a reference table is performed (step S65). At this timing, the reference data extracted in step S10 and the midway calculation result corresponding to the reference data are acquired from the MAC generation unit 33, and stored in the RAM in association with the number of receptions. Then, if there is unregistered reference data whose number of receptions is equal to or greater than a predetermined value and an intermediate calculation result corresponding to the reference data, it is additionally registered from the RAM to the reference table. Then, a series of processing ends. If there is no unregistered reference data whose number of receptions exceeds a predetermined value, the process ends without performing additional registration.

  For example, in FIG. 9, four data are stored in the RAM as reference data that is not initially registered in the reference table. Of these, the three reference data have already exceeded the predetermined value of 500 times and are additionally registered in the reference table. At the timing of step S65, since the number of receptions of the unregistered reference data DDDDDD has reached a predetermined value, the reference data DDDDD and the corresponding midway calculation result WWWWW are additionally registered in the reference table.

  As described above, according to the present embodiment, the reference data whose reception frequency has increased and the corresponding intermediate calculation result can be additionally registered in the reference table even if they are not initially registered in the reference table. Therefore, even when the reception frequency increases halfway, the processing load can be reduced.

  Note that the timing of executing the editing process is not limited to the example shown in FIG. Any timing may be used as long as the reference data and the intermediate calculation result can be acquired from the MAC generation unit 33. Therefore, what is necessary is just after Step S60. For example, the editing process may be executed after the process of step S80 or step S90 is completed.

  In the RAM, the reference data additionally registered in the reference table and the corresponding intermediate calculation result may be deleted.

  The reference data initially registered in the reference table and the corresponding intermediate calculation result may also be stored in the RAM, and the number of receptions may be updated. That is, all the reference data extracted in step S10 and intermediate calculation results corresponding to the reference data may be stored in the RAM. For the registered reference data, the extracted reference data and the referred midway calculation result are acquired from the MAC generation unit 33.

(Third embodiment)
This embodiment can refer to the preceding embodiment. For this reason, the description about the part which is common in the communication system 10 and ECU30 which were shown to prior embodiment is abbreviate | omitted.

  In the present embodiment, the editing unit 40 executes editing processing for deleting, from the reference table, the reference data in which the number of times of reference by the MAC generation unit 33 during a predetermined period is less than a predetermined value and the intermediate calculation result corresponding to the reference data. The reference count is updated each time the MAC generation unit 33 refers to the midway calculation result from the reference table. The reference count is counted by the MAC generation unit 33. Then, as shown in FIG. 10, it is stored in the reference table in association with the reference data. For example, in the process of step S40, the MAC generation unit 33 refers to the intermediate calculation result (ciphertext), and increments (+1) the reference table reference number corresponding to the referred intermediate calculation result.

  The editing unit 40 executes the editing process every predetermined period, that is, at a predetermined cycle. The editing unit 40 deletes from the reference table any reference data whose reference table reference count is less than a predetermined value and intermediate calculation results corresponding to the reference data. Then, the reference count in the reference table is cleared. In FIG. 10, since the number of receptions of the reference data DDDDDD falls below the predetermined value of 500, the reference data DDDDDD and the corresponding midway calculation result WWWWWW are deleted from the reference table. Also, the reference count is cleared for other reference data.

  Thus, according to the present embodiment, it is possible to delete the reference data whose reference frequency has decreased and the corresponding intermediate calculation result from the reference table. Thereby, the search time for the reference table can be shortened.

  The predetermined time may be a predetermined period. For example, a period in which the total number of messages received by the receiving unit 32 reaches a certain value may be set as a predetermined period.

(Fourth embodiment)
This embodiment can refer to the preceding embodiment. For this reason, the description about the part which is common in the communication system 10 and ECU30 which were shown to prior embodiment is abbreviate | omitted.

  In the present embodiment, the editing unit 40 executes a process of editing the reference table in accordance with the reference count so that the reference data with a large reference count by the MAC generation unit 33 can be found quickly. Again, the reference count is updated each time the MAC generation unit 33 refers to the midway calculation result from the reference table. The reference count is counted by the MAC generation unit 33. Then, as shown in FIG. 11, it is stored in the reference table in association with the reference data. For example, in the process of step S40, the MAC generation unit 33 refers to the intermediate calculation result (ciphertext), and increments (+1) the reference table reference number corresponding to the referred intermediate calculation result.

  The editing unit 40 executes an editing process at a predetermined cycle, for example. The editing unit 40 rearranges the reference data and the corresponding midway calculation results according to the reference table reference count. Specifically, as shown in FIG. 11, the reference data and the corresponding intermediate calculation result are rearranged so that the reference data corresponding to the intermediate calculation result with a larger number of references has a faster search order.

  Thus, according to the present embodiment, the reference table can be edited according to the reference count. Thereby, the search time for the reference table can be shortened.

  Note that the timing for executing the editing process is not limited to the above example. The editing process may be executed every time the MAC table 33 updates the reference table reference count, that is, every time the reception process is executed. For example, the editing process may be executed after the process of step S80 or step S90 is completed.

(Fifth embodiment)
This embodiment can refer to the preceding embodiment. For this reason, the description about the part which is common in the communication system 10 and ECU30 which were shown to prior embodiment is abbreviate | omitted.

  In the present embodiment, when the reference data of the received message is equal to or shorter than a predetermined length, the MAC generation unit 33 generates a MAC by normal processing without searching the reference table.

  FIG. 12 shows a reception process executed by the microcomputer 31. The point that the process of step S15 is added is different from the preceding embodiment (FIG. 6). In FIG. 12, after the process of step S10 is complete | finished, the MAC production | generation part 33 determines whether the extracted reference | standard data is more than predetermined length (step S15).

  Here, when the reference data is equal to or longer than the predetermined length, referring to the midway calculation result (ciphertext) reduces the processing load compared to the normal processing. On the other hand, if the reference data is less than the predetermined length, the processing load is higher than the normal processing when referring to the intermediate calculation result. In this way, the predetermined length is set in consideration of the processing load and is stored in the memory in advance.

  If it determines with it being beyond predetermined length in step S15, the MAC production | generation part 33 will perform the process after step S20. That is, when a reference table is searched and the extracted standard data is registered, the MAC is generated with reference to the midway calculation result (ciphertext). If the reference data is not registered, normal processing is executed to generate a MAC.

  On the other hand, if it is determined in step S15 that the length is less than the predetermined length, the process of step S60, that is, the normal process is performed without executing the processes of step S20 and step S30, and the MAC is generated.

  As described above, according to the present embodiment, the process using the reference ciphertext is executed when the reference data is long, and the normal process is executed when the reference data is short. In this way, the MAC generation process can be switched according to the length of the reference data.

  The disclosure of this specification is not limited to the illustrated embodiments. The disclosure encompasses the illustrated embodiments and variations by those skilled in the art based thereon. For example, the disclosure is not limited to the combination of elements shown in the embodiments. The disclosure can be implemented in various combinations. The technical scope disclosed is not limited to the description of the embodiments. The several technical scopes disclosed are indicated by the description of the claims, and should be understood to include all modifications within the meaning and scope equivalent to the description of the claims. .

  The reception unit 32, the MAC generation unit 33, the common key storage unit 34, the reference table storage unit 35, the determination unit 36, the message body generation unit 37, the frame generation unit 38, the transmission unit 39, and the editing unit 40 are functions of the microcomputer 31. Although the example comprised as a part was shown, it is not limited to this. Software recorded in a substantial memory device and a computer that executes the software, software only, hardware only, or a combination thereof can be provided. When provided by a circuit that is hardware, it can be provided by a digital circuit including multiple logic circuits, or an analog circuit.

However, the MAC generation unit 33 executes exclusive OR and encryption processing CIPH _{K a} plurality of times during normal processing. Therefore, when configured with hardware, the cost increases. On the other hand, as shown in this embodiment, when the function unit of the microcomputer 31 is used, the processing load can be reduced while reducing the cost.

10: Communication system,
20 ... CAN bus,
30 ... ECU (electronic control unit),
31 ... Microcomputer,
32 ... receiving part,
33 ... MAC generator,
34 ... common key storage unit,
35 ... Reference table storage unit,
36 ... determination part,
37 ... Message body generation unit,
38 ... Frame generation unit,
39: Transmitter,
40 ... Editor

Claims (8)

An electronic control device connected to a network together with other devices,
A message including a message body that is transmitted from the other device and in which data for preventing a replay attack is set subsequent to the protection target data that is a protection target, and a message authentication code calculated based on the message body Receiving unit (32) for receiving
A generating unit (33) that divides the message body of the message received by the receiving unit into a plurality of blocks having a certain length and generates a message authentication code by a calculation using a common key;
A determination unit (36) for determining whether or not the message authentication code generated by the generation unit and the message authentication code included in the message received by the reception unit match;
A block including only the protection target data, the reference data that is the protection target data from the first block to the jth block (j is a positive number of 2 or more), and the reference data is encrypted with the common key A storage unit (35) for storing a reference table indicating a correspondence relationship with a ciphertext that is an intermediate result of the calculation of the message authentication code,
With
When the generation unit searches the reference table and determines that data matching the reference data of the message received by the reception unit is registered in the reference table, the ciphertext corresponding to the reference data The electronic control device generates the message authentication code by referring to the ciphertext, the common key, and the remaining block data not registered in the reference table.   The electronic control device according to claim 1, wherein the reference data is the protection target data of all blocks including only the protection target data.   The electronic control device according to claim 1, wherein the reference table is stored in advance in the storage unit as a fixed value.   The electronic control device according to any one of claims 1 to 3, further comprising an editing unit (40) for editing the reference table.   The electronic control device according to claim 4, wherein the editing unit additionally registers reference data having a reception count equal to or greater than a predetermined value and a ciphertext corresponding to the reference data in the reference table.   The electronic control device according to claim 4, wherein the editing unit deletes, from the reference table, standard data whose number of references in a predetermined period is less than a predetermined value and ciphertext corresponding to the standard data.   The electronic control device according to claim 4, wherein the editing unit edits the reference table according to the reference count so that the generation unit can quickly find reference data having a high reference count.   The said authentication part produces | generates the said message authentication code by calculation, without searching the said reference table, when the reference | standard data of the said message received by the said receiving part are less than predetermined length. The electronic control device according to item 1.

Images