JP2019195229A - Roadside equipment, execution method for same, service provider device and mobile station - Google Patents

Abstract

To easily update security processing data.SOLUTION: Roadside equipment 3 includes: a storage unit 34 in which a plurality of security processing data are stored; and a processing unit 33 performing security processing for communication data of the roadside equipment 3, using either one of the plurality of security processing data. Each of the security processing data includes a public key certificate 52a of the roadside equipment 3 and a secret key 52b. The security processing data is published by an administration agency 100 which is a third-party agency other than a service provider of the roadside equipment 3. On the occurrence of a change opportunity of the security processing data currently in use, the processing unit 33 determines security processing data to be newly used, from among the plurality of security processing data.SELECTED DRAWING: Figure 1

Description

  The present invention relates to a roadside device that transmits data to a mobile station such as an in-vehicle device.

In recent years, road-to-vehicle communication and intelligent road traffic system (ITS) by vehicle-to-vehicle communication have been studied. Road-to-vehicle communication is communication between a roadside device (base station) and a vehicle-mounted device (mobile station), and vehicle-to-vehicle communication is communication between a vehicle-mounted device (mobile station).
Patent document 1 is disclosing performing the security process with respect to the communication data of a roadside machine.

Japanese Patent No. 5350561

  Security processing data such as a public key and a secret key is used for security processing for securing communication by a roadside device. The security processing data is issued by a reliable management organization (certificate authority). A data sender who desires secure communication acquires the security processing data from the management organization, and performs communication using the acquired security processing data.

  Regarding roadside equipment, it is necessary to consider the risk of leakage of security processing data due to theft of roadside equipment. As a countermeasure against leakage, it is considered to update the security processing data used by the roadside device at an appropriate time. As a method for updating the security processing data, it is conceivable that information necessary for the update (new security processing data or the like) is given from the security processing data management organization to the roadside device. However, at the time of updating, it is not always easy to give information necessary for updating directly from the management organization to the roadside machine.

  Therefore, it is conceivable that a service provider (for example, an ITS service provider such as the police) by the roadside machine is involved in the update. Specifically, first, the service provider obtains information necessary for the update from the security processing data management organization. The service provider device (center device) transmits information necessary for updating to a roadside device connected to the service provider device over a network. The roadside device can acquire information necessary for updating via the service provider device.

When the service provider is involved in the update as described above, the service provider handles data for security processing that requires strict handling. For this reason, the service provider is required to strictly manage information as in the case of the security processing data management organization. However, it is not always easy for a service provider who is not a management organization to perform the same strict management as a management organization.
It is desirable to update the security processing data more easily.

  From a certain point of view, the roadside machine includes a storage unit that stores a plurality of security processing data, and a processing unit that performs security processing on communication data of the roadside device using any of the plurality of security processing data. Each of the plurality of security processing data includes a public key certificate and a secret key of the roadside device, and the plurality of security processing data is a third party other than a service provider by the roadside device. Is issued by a management organization, and when the trigger for switching the currently used security processing data occurs, the processing unit determines new security processing data to be used from among the plurality of security processing data. It is a roadside machine.

  From another point of view, the roadside machine includes a storage unit storing a plurality of security processing data and a processing unit that performs security processing on communication data of the roadside machine using any of the plurality of security processing data And the processing unit determines a new security processing data to be used from among the plurality of security processing data when a trigger for switching the currently used security processing data occurs. It is.

  A method seen from a certain point of view is a method executed by a roadside machine, and when a security processing data switching trigger currently used by the roadside machine for security processing for communication data of the roadside machine occurs, a new Determining the security processing data to be used from the plurality of security processing data set in the roadside machine, wherein the plurality of security processing data is preset in the roadside machine Each of the plurality of security processing data includes a public key certificate and a secret key of the roadside device, and the plurality of security processing data is a third party other than a service provider by the roadside device. It is issued by a certain management organization.

  The method seen from another viewpoint is a method executed by the roadside machine, and when a switching timing of the security processing data currently used by the roadside machine for security processing on the communication data of the roadside machine occurs, Determining newly used security processing data from a plurality of security processing data set in the roadside device, the plurality of security processing data being preset in the roadside device Is.

  A service provider device from a certain point of view is a service provider device by a roadside device, and is configured to transmit the switching instruction to the roadside device.

  A service provider device viewed from another viewpoint is a service provider device by a roadside device, and is configured to transmit the time correction command subjected to the security processing to the roadside device.

  A service provider device viewed from another viewpoint is a service provider device by a roadside device, and is configured to transmit the time correction command subjected to the security processing to the roadside device.

  From a certain viewpoint, the mobile station includes a storage unit storing a plurality of security processing keys, identifiers assigned to the plurality of security processing keys, and the identifier corresponding to the identifier included in the received data. A processing unit that performs security processing on communication data of the mobile station using a security processing key, and the processing unit performs verification of the received data, and the data is inappropriate due to the verification If determined, the use of the security processing key corresponding to the key identifier included in the transmission data of the roadside device is withheld.

  According to the present invention, updating of security processing data is facilitated.

1 is an overall configuration diagram of a communication system having a roadside device. It is a block diagram of a center apparatus, a roadside machine, and a vehicle equipment. It is explanatory drawing which shows the transmission data from a center apparatus, and the memory content of a roadside machine. It is explanatory drawing of the information regarding a common key. It is explanatory drawing of the information regarding the road-vehicle communication data and the data for electronic signatures. It is a flowchart of a switching process. It is explanatory drawing which shows the expiration date of the key for several generations, and how to switch a key. It is a flowchart of a switching process. It is a flowchart of a switching process. It is a flowchart of a switching process. It is a figure which shows a mode that the data for security processing are distributed from a center apparatus. It is a flowchart which shows the switching process of vehicle equipment.

  Hereinafter, preferred embodiments of the present invention will be described with reference to the drawings.

[1. Outline of Embodiment]

(1) The roadside device according to the embodiment performs security processing on communication data of the roadside device using any of the storage unit storing a plurality of security processing data and the plurality of security processing data. A processing unit. Each of the plurality of security processing data includes a public key certificate and a private key of the roadside device. The plurality of security processing data are issued by a management organization that is a third party other than the service provider of the roadside device. When the trigger for switching the currently used security processing data occurs, the processing unit determines the security processing data to be newly used from the plurality of security processing data.
When a switching opportunity occurs, the roadside device can determine newly used security processing data from among a plurality of security processing data possessed by the roadside device. Therefore, the roadside device acquires the security processing data including the public key certificate and private key of the roadside device issued by the management organization from the service provider even when the security processing data needs to be switched. There is no need. Therefore, it is easy to update the security processing data.

(2) The roadside device according to the embodiment performs security processing on communication data of the roadside device using any of the storage unit storing a plurality of security processing data and the plurality of security processing data. The processing unit determines a new security processing data to be used from among the plurality of security processing data when a trigger for switching the currently used security processing data occurs. . When a switching opportunity occurs, the roadside device can determine newly used security processing data from among a plurality of security processing data possessed by the roadside device. Therefore, it is easy to update the security processing data.

(3) It is preferable that the plurality of security processing data are issued by a management organization that is a third party other than a service provider by the roadside device.

(4) It is preferable that the switching trigger is generated based on a result of determining the switching timing of the security processing data by the processing unit. In this case, the security processing data can be switched based on the judgment of the roadside device itself.

(5) It is preferable that the processing unit is configured to correct a time managed by the roadside device according to a time correction command from a service provider device by the roadside device. The roadside machine can keep the time accurately by the time correction command, and as a result, can appropriately switch.

(6) The time correction command is preferably subjected to security processing by the service provider device. Since the security processing is performed on the time correction command, the roadside machine can prevent the time from being corrected based on the unauthorized time correction command.

(7) It is preferable that the security processing performed on the time adjustment command is encryption of the time adjustment command by the service provider device. The encryption is preferably performed using a common key shared by the roadside device and the service provider device. In this case, the roadside device can prevent the time from being corrected based on a time correction command that is not encrypted or a time correction command that is encrypted with an inappropriate encryption key. Communication between the roadside device and the service providing device is performed not only in communication with the mobile station (wireless communication) but also in communication (wired communication) between the communication roadside device and the service providing device. Can be secured. In addition, since encryption is performed using a common key shared by the roadside device and the service provider device, if the encrypted time correction command can be decrypted, the authenticity of the transmission source of the time correction command (regular service) Confirm that the device is a provider device.

(8) It is preferable that the security processing applied to the time correction instruction is addition of an electronic signature to the time correction instruction by the service provider device. In this case, the roadside machine can confirm the creator of the time correction command.

(9) It is preferable that the processing unit is configured to verify the time correction command. The roadside machine can prevent the time from being corrected based on the inappropriate time adjustment command by verifying the time adjustment command. The verification of the time correction command preferably includes verification of the security processing of the time correction command. Further, the verification of the time correction command preferably includes verification of time information included in the time correction command. The verification of the time information included in the time correction command is preferably performed in comparison with other time information referred for verification.

(10) Preferably, the processing unit is configured to correct a time managed by the roadside device based on time information transmitted from a positioning satellite. The roadside device can accurately maintain the time based on the time information of the positioning satellite, and as a result, can appropriately switch.

(11) It is preferable that the switching opportunity is generated based on the roadside device receiving a switching instruction from the service provider device. In this case, switching can be performed by an instruction from the center.

(12) Preferably, the switching instruction is a switching instruction generated by the service provider device. The switching instruction preferably does not include information generated by the management organization for switching the security processing data. Since the roadside device can perform switching according to a switching instruction that does not include information from the management organization, the service provider device does not need to transmit a switching instruction that includes information from the management organization.

(13) The switching instruction may include information generated (issued) by the management organization. That is, the switching instruction may be a switching instruction based on the switching instruction acquired by the service provider device from the management organization. In this case, since it becomes necessary for the service provider device to acquire the switching instruction from the management organization in order to transmit the switching instruction, the service provider device is illegally operated by an unauthorized service provider device (for example, a stolen service provider device). Transmission of a simple switching instruction to the roadside device can be suppressed.

(14) It is preferable that the switching instruction is subjected to security processing by the service provider device. Since the security processing is performed on the switching instruction, the roadside device can prevent the security processing data from being switched based on the unauthorized switching instruction.

(15) It is preferable that the security processing applied to the switching instruction is encryption of the switching instruction by the service provider device. The encryption is preferably performed using a common key shared by the roadside device and the service provider device. In this case, the roadside device can prevent the security processing data from being switched based on a switching instruction that is not encrypted or a switching instruction that is encrypted with an inappropriate encryption key. Communication between the roadside device and the service providing device is performed not only in communication with the mobile station (wireless communication) but also in communication (wired communication) between the communication roadside device and the service providing device. Can be secured. In addition, since encryption is performed using a common key shared by the roadside device and the service provider device, if the encrypted switching instruction can be decrypted, the authenticity of the switching instruction transmission source (authorized service provider) Confirm that the device is a device.

(16) It is preferable that the security processing applied to the switching instruction is addition of an electronic signature to the switching instruction by the service provider device. In this case, the roadside machine can confirm the generator of the switching instruction.

(17) The processing unit is preferably configured to verify the switching instruction. By verifying the switching instruction, the roadside device can prevent the security processing data from being switched based on the inappropriate switching instruction. The verification of the switching instruction preferably includes verification of the security processing of the switching instruction. The verification of the switching instruction preferably includes verification of the appropriateness of the timing of the switching instruction. It is preferable that the appropriateness of the timing of the switching instruction is performed in comparison with a preset switching timing. The appropriateness of the timing of the switching instruction is preferably determined by determining whether the period calculated from the time when the previous switching instruction is received is less than the predetermined period.

(18) It is preferable that the switching opportunity also occurs based on a result of determining the switching timing of the security processing data by the processing unit. In this case, the roadside device can switch the security processing data not only when the switching instruction is received from the service provider device but also when it is determined that the roadside device needs to be switched.

(19) When the roadside unit receives the switching instruction, the processing unit verifies the switching instruction, and the verification of the switching instruction includes a time when the switching instruction is received and a preset switching time. And comparing. The roadside device can verify the switching instruction based on the reception timing of the switching instruction. Therefore, the roadside device can determine that the switching instruction received at an inappropriate time is an inappropriate switching instruction.

(20) The processing unit transmits a request for the switching instruction to the service provider device, and the switching instruction is transmitted by the service provider device as a response to the request for the switching instruction. preferable. In this case, it is a condition that the service provider device and the roadside device exchange each other for switching the security processing data. This makes the switching procedure more secure.

(21) It is preferable that the processing unit transmits a request for the switching instruction at a preset switching time. The roadside machine can perform switching after exchanging with the service provider device at the time of switching. Accordingly, switching at a preset switching time can be performed more securely.

(22) The plurality of security processing data includes a plurality of security processing keys and an identifier assigned to each of the plurality of security processing keys.
It is preferable that the security processing key and the identifier are issued by a management organization that is a third party other than the service provider of the roadside device.

(23) The plurality of security processing data includes a plurality of security processing keys and an identifier assigned to each of the plurality of security processing keys, and the security processing key and the identifier include the management It is preferable that the switching instruction issued by an organization does not include the security processing key and the identifier. If the switching instruction does not include the security processing key, and even does not include the security processing key identifier, these pieces of information that may make the content of the security processing data known to a third party are Transmission from the provider device to the roadside device can be avoided.

(24) The plurality of security processing data is obtained by storing a plurality of security processing data data stored in a recording medium provided by a management organization that has issued the security processing data in the storage unit. Preferably there is. In this case, the plurality of security processing data stored in the roadside device may be provided from the management organization without intervening service providers.

(25) The storage unit preferably includes a plurality of pieces of expiration date information. The plurality of pieces of expiration date information are associated with the plurality of pieces of security processing data and indicate different expiration dates of the plurality of pieces of security processing data. At least one expiration date information among the plurality of expiration date information includes an expiration date of the corresponding security processing data. The validity period indicated by the validity period information including the validity period is when the validity period expires from the end of use of the other security processing data. In this case, even if the security processing data is switched to the new security processing data before the expiration date of the certain security processing data, the period during which the new security processing data is used is prevented from becoming longer. it can.

(26) It is preferable that the plurality of security processing data are security processing data for a plurality of generations having different expiration dates for each generation. The processing unit newly uses the security processing data of n generations ahead from the security processing data currently used when a switching opportunity occurs based on the expiration date of the security processing data currently used. If a switching trigger other than the switching trigger that occurs based on the expiration date of the security processing data currently used is determined as the security processing data to be used, m generations from the currently used security processing data It is preferable to determine the security processing data as new security processing data to be used.
The n is a positive number of 2 or more, and the m is a positive number of 1 or more. The n is preferably larger than the m. In this case, in the case of a switching trigger other than the switching trigger that occurs based on the expiration date, the security processing data is switched to a smaller number of m generations ahead. Therefore, depending on the switching trigger other than the switching trigger that occurs based on the expiration date It is possible to prevent the use period of the security processing data after being switched from becoming long.

(27) The method according to the embodiment is a method executed by a roadside machine, and an opportunity to switch security processing data currently used by the roadside machine for security processing on communication data of the roadside machine occurs. Then, the security processing data to be newly used is determined from the plurality of security processing data set in the roadside device. The plurality of security processing data is preset in the roadside device, and each of the plurality of security processing data includes a public key certificate and a secret key of the roadside device, and the plurality of security processing data The business data is issued by a management organization that is a third party other than the service provider of the roadside device.

(28) The method according to the embodiment is a method executed by a roadside machine, and an opportunity to switch security processing data currently used by the roadside machine for security processing on communication data of the roadside machine occurs. Then, the security processing data to be newly used is determined from the plurality of security processing data set in the roadside device. The plurality of security processing data is preset in the roadside machine.

(29) The service provider device according to the embodiment is a service provider device by a roadside device, and is configured to transmit the switching instruction to the roadside device.

(30) It is preferable that the service provider device is configured to verify the roadside device before transmitting the switching instruction.

(31) The service provider device according to the embodiment is a service provider device by a roadside device, and is configured to transmit the time correction command for which the security processing has been performed to the roadside device.

(32) A service provider device according to an embodiment is a service provider device by a roadside device, and is configured to transmit the switching instruction that has been subjected to the security processing to the roadside device.

(33) The mobile station according to the embodiment includes a storage unit storing a plurality of security processing keys, identifiers assigned to the plurality of security processing keys, and an identifier included in the received data. A processing unit that performs security processing on communication data of the mobile station using the corresponding security processing key, and the processing unit verifies the received data, and inappropriate data is obtained by the verification. If it is determined that the security processing key is used, the use of the security processing key corresponding to the key identifier included in the transmission data of the roadside device is withheld. This mobile station can refrain from using a security processing key corresponding to an identifier included in inappropriate data.

[2. Details of Embodiment]
[2.1 Communication system]
FIG. 1 shows a communication system 1 used for an intelligent transportation system (ITS). The communication system 1 includes a center device (service provider device) 20 and a roadside device (base station) 3 installed in the center 2. In the present embodiment, the center 2 is an ITS service center. The center device 20 is operated and managed by an ITS service provider (for example, police). The center device 20 has a plurality of roadside machines 3 under its control. The center device 20 and each of the plurality of roadside machines 3 are connected via a communication line (network) 5.

Each of the plurality of roadside devices 3 is connected to a router 7 (not shown in FIG. 1; see FIG. 8), and the router 7 is connected to the center apparatus 20 via the communication line 5. The center device 20 can communicate (wired communication) with the roadside device 3.
The roadside machine 3 is installed near an intersection. The roadside device 3 can perform wireless communication (road-to-vehicle communication) with an in-vehicle device (mobile station) 4 around the roadside device 3. The in-vehicle device 4 is mounted on the vehicle. The in-vehicle device (mobile station) 4 can perform wireless communication (vehicle-to-vehicle communication) with other in-vehicle devices 4 in the vicinity by the carrier sense method.

FIG. 2 shows configurations of the center device 20, the roadside device 3, and the in-vehicle device 4.
The center device 20 includes a computer. The computer of the center device 20 has a processing unit 23 and a storage unit 24. The function of the center device 20 is exhibited when the computer unit stored in the storage unit 24 is executed by the processing unit 23. The processing unit 23 can execute various processes such as security processing 23a for communication data, security processing data switching instruction 23b, and time correction 23c for the roadside device 3.

  The storage unit 24 has center security processing data 24 a and 24 b used by the center device 20. The storage unit 24 has a tamper resistant area, and the security processing data group including the security processing data 24a and 24b is stored in the tamper resistant area of the storage unit 24 and is held in a secure state. During the security process 23a, the processing unit 23 (secure application module; SAM) accesses the tamper resistant area and refers to the security processing data group.

  The center security processing data 24a and 24b include a center public key certificate 24a and a secret key (center secret key) 24b. The center public key certificate 24a and the private key 24b are issued by the management organization 100. The management organization 100 is a third-party organization (certificate authority: CA) other than the ITS service provider. As shown in FIG. 1, the management organization 100 is not connected to the center device physically online, or it is difficult to construct a secure closed network from the viewpoint of security even if it is connected online. The security processing data 24 a and 24 b for the apparatus 20 are stored in a recording medium 200 such as a CD-R, and the recording medium 200 is provided to the center 2. The center 2 sets up (stores) the security processing data 24 a and 24 b stored in the recording medium 200 in the storage unit 24 of the center device 20. As a result, the center device 20 can use the security processing data 24a and 24b.

The center public key certificate 24a and the private key (center private key) 24b are used in association with the electronic signature of the center apparatus 20 (center 2), for example.
The secret key 24b is used by the processing unit 23 of the center device 20 to generate the electronic signature 10a of the center device 20 (center 2). The electronic signature 10a is added to the transmission data 10 of the center device 20 (see FIG. 3).

The public key certificate 24a includes the public key (center public key) of the center device 20. The public key is used by the receiving side (roadside device 3) of the electronic signature 10a to verify the electronic signature 10a. The center public key certificate 24a is a certificate that the management organization 100 proves that the owner of the center public key is the center device 20 (center 2). The center public key certificate 24a is also added to the transmission data 10 of the center device 20 (see FIG. 3).
The center public key and the center secret key 24b may be used for encrypting communication performed by the center device 20 using a public key cryptosystem.

As shown in FIG. 2, the roadside device 3 includes a control device 31 and a radio device 32. The control device 31 controls communication with the center device 20 and the like. The wireless device 32 includes a computer having a processing unit 33 and a storage unit 34, a wireless communication unit 35, and a GPS receiver 36. The wireless communication unit 35 performs wireless communication with the in-vehicle device 4 or another roadside device 3. The functions of the radio device 32 of the roadside machine 2 are exhibited when the computer program stored in the storage unit 34 is executed by the processing unit 33. The processing unit 33 can execute various processes such as a security process 33a for communication data, a security process data data switching process 33b, and a time correction 33c.
The storage unit 34 includes a security processing data group 50 for roadside machines used by the roadside machine 3. The contents stored in the storage unit 34 of the roadside machine 3 will be described later.

The in-vehicle device 4 includes a computer having a processing unit 43 and a storage unit 44, and a wireless communication unit 45. The functions of the in-vehicle device 4 are exhibited when the computer program stored in the storage unit 44 is executed by the processing unit 43. The processing unit 43 can execute various processes such as a security process 43a for communication data.
The storage unit 44 includes a security processing data group for in-vehicle devices used by the in-vehicle device 3. The storage unit 44 has a tamper-resistant area, and the security processing data group is stored in the tamper-resistant area of the storage unit 44 and held in a secure state. During the security process 43a, the processing unit 43 (the SAM) accesses the tamper resistant area and refers to the security process data. The security processing data group for the in-vehicle device includes a common key table 44a. The common key table 44a will be described later.

As shown in FIG. 3, the storage unit 34 of the roadside machine 3 has a security processing data group 50 for the roadside machine. The storage unit 34 has a tamper-resistant area, and the security processing data group is stored in the tamper-resistant area of the storage unit 34 and held in a secure state. During the security process 33a, the processing unit 33 (the SAM) accesses the tamper resistant area and refers to the security process data. Each security processing data included in the security processing data group 50 is issued by the management organization 100.
As shown in FIG. 1, the management organization 100 stores a security processing data group 50 for a roadside machine in a storage medium 300 and provides the recording medium 300 to the manufacturer of the roadside machine 3. The roadside machine manufacturer sets up (stores) the security processing data group 50 stored in the recording medium 300 in the storage unit 34 of the roadside machine 3. Thereby, the roadside machine 3 will be in the state by which the security processing data group 50 was preset. In this state, the operation of the roadside machine 3 can be started.

  As illustrated in FIG. 3, the security processing data group 50 includes a common key table (a plurality of first security processing data) 51. The common key table 51 is set with a plurality of generations of common keys that are security processing data (security processing keys). The plurality of common keys set in the common key table 51 are used for generating a message authentication code (MAC), encryption using a common key encryption method, and the like.

As shown in FIG. 4A, each of a plurality of common keys (common keys for a plurality of generations) set in the common key table 51 is configured by a pair of a master key 51a and a communication key 51b. An ID (identifier) 51c is set for each of a plurality of key pairs (a master key and a communication key pair). That is, the master key 51a and the communication key 51b corresponding to the ID 51c can be specified by one ID 51c.
A common key table 51 is stored in the storage unit 44 of the in-vehicle device 4 as a common key table 44a. That is, the plurality of common keys set in the common key table 51 are shared by the roadside device 3 and the in-vehicle device 4. The common key table 44 a of the in-vehicle device 4 is also issued by the management organization 100.

  The master key (first common key) 51a is used for transmission data (road-vehicle communication data) of the roadside device 3. More specifically, the master key 51a is used for security processing for data (road-to-vehicle communication data) wirelessly transmitted by the roadside device 3. This security process is performed by the processing unit 33 of the roadside machine 3. The security process using the master key 51a includes, for example, adding a message authentication code to transmission data (road-to-vehicle communication data), encrypting transmission data, and the like. The ID 51c of the master key 51a used for the security processing is added as “key ID” to the transmission data (road-vehicle communication data) of the roadside machine 3 (see FIG. 5A).

  The processing unit 33 selects and uses one of the plurality of master keys (security processing data) 51a. When a master key (common key) 51a indicated by a certain ID 51c is used, the processing unit 33 newly uses the master key (common key) 51a when any switching opportunity (switching reason) to switch is generated. A master key 51a (with ID 51c) is determined from among a plurality of master keys 51a (with ID 51c) in the common key table 51. In the present embodiment, the ID 51c indicates the generation of the master key 51a and the communication key 51b. When a switching trigger occurs, the next generation (the number of IDs obtained by adding 1 to the current ID) is set as the new master key 51a. ) Master key 51a.

  Based on the “key ID” 51c included in the road-to-vehicle communication data, the processing unit 43 of the on-vehicle device 4 that is the receiving side of the road-to-vehicle communication data refers to the common key table 44a of the storage unit 44 of the on-vehicle device 4; Identify the required master key. The in-vehicle device 4 performs a process (such as decryption) to unsecure secure road-to-vehicle communication data that has been subjected to a security process (such as encryption) using the identified master key.

The communication key (second common key) 51b is used for transmission data (vehicle-to-vehicle communication data) of the in-vehicle device 4. More specifically, the communication key 51b is used for security processing by the processing unit 43 of the in-vehicle device 4 with respect to data (vehicle-to-vehicle communication data) wirelessly transmitted by the in-vehicle device 4. This security process is performed by the processing unit 43 of the in-vehicle device 4. The security process using the communication key includes, for example, adding a message authentication code to transmission data (road-to-vehicle communication data), encrypting transmission data, and the like.
The processing unit 43 of the in-vehicle device 4 uses the communication key specified by the “key ID” 51 c included in the road-to-vehicle communication data received by the in-vehicle device 4 for security processing. As a result, the master key 51a used by the roadside device 3 and the ID (generation) of the communication key used by the in-vehicle device 4 can be aligned.

  The ID of the communication key used for the security process is added to the transmission data (vehicle-to-vehicle communication data) of the in-vehicle device 4 as the “key ID”, as in the road-to-vehicle communication data. When the roadside device 3 receives the inter-vehicle communication data, the processing unit 33 of the roadside device 3 uses the common key of the storage unit 34 of the roadside device 3 based on the “key ID” included in the inter-vehicle communication data. A necessary communication key is specified with reference to the table 51. The roadside device 3 performs a process (such as decryption) to unsecure secure vehicle-to-vehicle communication data that has been subjected to a security process (such as encryption) using the identified communication key.

  The security processing data group 50 shown in FIG. 3 has an electronic signature data table (electronic signature data group; a plurality of second security processing data) 52. The electronic signature data table 52 is set with a plurality of pieces of electronic signature data that are security processing data (security processing keys). Each of the plurality of electronic signature data includes a pair of a roadside public key certificate (public key certificate of the roadside machine 3) 52a and a private key (roadside secret key) 52b. Note that the plurality of electronic signature data need not be set in a table format, and it is only necessary that a plurality of electronic signature data exist.

Each of the plurality of electronic signature data is used in association with the electronic signature of the roadside device 3. The roadside secret key 52b is used by the processing unit 33 of the roadside machine 3 to generate the electronic signature 52c of the roadside machine 3. The electronic signature 52c is added to transmission data (road-vehicle communication data) of the roadside device 3 (see FIG. 5A). The electronic signature 52c is added not only to the wireless transmission data (road-vehicle communication data) of the roadside device 3, but also to transmission data (roadside device-center communication data) of wired communication with the center device 20. can do.
As shown in FIG. 5B, the roadside public key certificate 52a includes a public key (roadside public key) 52a-1 of the roadside machine 3 and expiration date information 52a-2 of the public key 52a-1. .
The roadside public key certificate 52a is the certificate of the management organization 100 that the owner of the roadside public key is the roadside machine 3. The roadside public key certificate 52a is also added to the transmission data (road-to-vehicle communication data) of the roadside machine 3 (see FIG. 5A). The roadside public key certificate 52a can also be added to the roadside machine-center communication data. The roadside public key 52a-1 and the roadside secret key 52b may be used to encrypt communication performed by the roadside machine 3 using a public key cryptosystem.

  The processing unit 33 selects and uses one of a plurality of digital signature data (security processing data). When the processing unit 33 is using certain electronic signature data 52a and 52b, if any switching trigger (switching reason) for switching the electronic signature data 52a and 52b occurs, the processing unit 33 newly uses the electronic signature data. Data 52a and 52b are determined from among a plurality of electronic signature data 52a and 52b in the electronic signature data table 52.

  In the present embodiment, each of the plurality of electronic signature data 52a and 52b is associated with an ID (identifier) 52c, and the ID 52c indicates the generation of the electronic signature data 52a and 52b. In the electronic signature data 52a and 52b for a plurality of generations, the expiration date 52a-2 is set to the earlier time as the electronic signature data of the previous generation (the larger the number of IDs 52c). When an opportunity to switch the electronic signature data 52a, 52b occurs, the next generation of electronic signature data 52a, 52b can be determined as new electronic signature data 52a, 52b.

Note that a security processing data group similar to the security processing data group 50 of the roadside machine shown in FIG. 3 may be held in the tamper resistant area of the storage unit 24 of the center device 20. That is, the storage unit 24 of the center device 20 has a common key table for the center device 20, a data table for electronic signature, a common key table ID switching list, a data switching list for electronic signature, and the like in the tamper resistant area. May be. The common key table of the center device 20 has a plurality of common keys shared by the center device 20 and the roadside device 3. The electronic signature data table of the center device 20 includes a public key certificate (center public key certificate) and a private key (center secret key) of the center device 20.
Switching of the security processing data in the center device 20 can be performed in the same manner as switching of the security processing data by the roadside device 3. As will be described later, when the “switching instruction” for switching the security processing data of the roadside device 3 is given from the management organization 100 to the center apparatus 20, the center apparatus 20 determines that the roadside is based on the acquired switching instruction. In addition to transmitting a switching instruction to the machine 3, the security processing data (common key or electronic signature data) possessed by the center apparatus 20 itself may be switched. By doing in this way, the security processing data which the center apparatus 20 uses, and the security processing data which the roadside machine 3 uses can be synchronized.

[2.2 Security data switching process]
Returning to FIG. 3, the storage unit 34 of the roadside machine 3 has a common key table ID switching list 55. The common key table ID switching list 55 is used for switching processing 33b in which the processing unit 33 switches the master key 51a used for the security processing to a new master key 51a. As shown in FIG. 4B, the common key table ID switching list 55 associates a plurality of key IDs (identifiers) 55a with a plurality of expiration date information 55b. The plurality of key IDs 55 a are the same as the ID 51 c in the common key table 51. The switch list 55 associates a plurality of expiration date information 55b with a plurality of “master key 51a and communication key 51b pairs”. The common key table ID switching list 55 is also issued by the management organization 100 and set up in the storage unit 34.

4A and 4B, for example, the expiration date of the master key 51a with ID = 1 and the communication key 51b is March 2010. Similarly, the expiration date of the master key 51a and the communication key 51b with ID = 2 is March 2015.
Since the roadside machine 3 has the switching list 55, the roadside machine 3 can determine the switching time of the common keys 51a and 51b based on the expiration date information 55b. That is, when the expiration date of the currently used common keys 51a and 51b comes or comes within a predetermined period before the expiration date, the processing unit 33 determines that the switching time has come. That is, in this case, the switching opportunity occurs based on the judgment of the processing unit 33 itself. Note that the processing unit 33 grasps the current date and time by the timer 33d of the roadside device 3.

  The processing unit 33 that has determined that the switching time has come switches the common keys 51a and 51b to the next generation common keys 51a and 51b. For example, when the common keys 51a and 51b with ID = 1 are used, the next generation is switched to the common keys 51a and 51b with ID = 2.

The switching opportunity is not limited to that generated based on the judgment of the processing unit 33 of the roadside device 3 itself, and may be generated based on a switching instruction from the center device 20, for example.
When switching to a new common key 51a, 51b at a time other than the switching time according to the expiration date, the use of the common key 51a, 51b is terminated before the expiration date of the currently used common key 51a, 51b. become. Therefore, the use period of the new common keys 51a and 51b after switching becomes longer. When it is desired to prevent the usage period after switching from becoming unnecessarily long, for example, the common key table ID switching list 55 shown in FIG. 4C can be employed.

  In the common key table ID switching list 55 in FIG. 4C, the expiration date 55b is set to the expiration date with a specific date for the first generation (ID = 1) common keys 51a and 51b. . However, for other generations (ID = 2 and later), the expiration date information 55b is indicated by the validity period from the end of use of the other common keys (common key of the previous generation) 51a, 51b. . For example, for the common keys 51a and 51b with ID = 2, an effective period of “5 years” is set from the end of use of the common keys 51a and 51b with ID = 1. Therefore, the validity period of the ID = 2 common keys 51a, 51b has a validity period of 5 years from the end of use even if the ID = 1 common keys 51a, 51b have been used before the expiration date. It will be time to expire.

  Returning to FIG. 3 again, the storage unit 34 of the roadside device 3 has a data switching list 56 for electronic signature. The electronic signature data switching list 56 is used for switching processing 33b in which the processing unit 33 switches the electronic signature data 52a and 52b used for the security processing to new electronic signature data 51a and 52b. As shown in FIG. 5 (c), the digital signature data switching list 56 associates a plurality of data IDs (identifiers) 56a with a plurality of expiration date information 55b. The plurality of data IDs 56a are the same as the ID 52c of the electronic signature data table 52. The plurality of expiration date information 56b is also the same as the expiration date information 52a-2 included in the roadside public key certificate. By the switching list 56, a plurality of expiration date information 56b is associated with a plurality of pieces of electronic signature data 52a, 52b. The electronic signature data switching list 56 is also issued by the management organization 100 and set up in the storage unit 34.

  Since the roadside machine 3 has the switching list 56, the roadside machine 3 itself can determine the switching time of the electronic signature data 52a and 52b, as with the common keys 51a and 51b. In this case, the switching opportunity occurs based on the judgment of the processing unit 33 itself. The electronic signature data switching list 56 may be omitted. Since the roadside public key certificate 52a included in the electronic signature data includes the expiration date information 52a-2, the processing unit 33 directly refers to the expiration date information 52a-2 in the electronic signature data table 52. Thus, it is possible to determine the switching timing of the electronic signature data 52a and 52b.

The electronic signature data switching trigger is not limited to the one generated based on the determination of the processing unit 33 of the roadside device 3 itself, and may be generated based on, for example, a switching instruction from the center device 20.
When switching to new electronic signature data 52a, 52b at a time other than the switching time according to the expiration date, the electronic signature data 52a, 52b before the expiration date of the currently used electronic signature data 52a, 52b. Will be terminated. Therefore, the usage period of the new electronic signatures 52a and 52b after switching becomes longer. When it is desired to prevent the usage period after switching from becoming unnecessarily long, switching processing 33b as shown in FIGS. 6 and 7 can be performed.

  In the switching process 33b shown in FIG. 6, if the generated switching trigger is within a predetermined period (step S1), the data is switched to the electronic signature data 52a and 52b of two generations ahead (current ID + 2) (step 2). If it is determined in step S1 that the generated switching trigger is outside the predetermined period, the data is switched to the electronic signature data 52a and 52b of the next generation (current ID + 1) (step S3). Here, as shown in FIG. 7, the difference between the expiration date of the current generation and the expiration date of the second generation is assumed as an appropriate usage period.

As shown in FIG. 7, the “predetermined period” in step S <b> 1 is a predetermined period before the expiration date (for example, several months before the expiration date), and this predetermined period is set in advance as a switching time due to the expiration of the expiration date. Has been. Switching to the second generation ahead within this predetermined period is a switching that should be performed in principle. In principle, by switching to the second generation ahead, the usage period after switching coincides with the period assumed as an appropriate usage period.
However, when the switching instruction from the center apparatus 20 is made outside the predetermined period, the first generation destination switching which is smaller than the basic two generation destination switching is performed. One-generation destination switching is switching from ID = 1 to ID = 2, for example. If switching from ID = 1 to ID = 3 by switching outside a predetermined period, the usage period of ID = 3 after switching is changed to an appropriate usage period (the expiration date of the current generation and the expiration date of the second generation ahead). Will be larger than the difference. On the other hand, as shown in FIG. 6, in the case of switching outside the predetermined period, switching to one generation ahead can prevent the use period after switching from becoming unnecessarily long.

  Note that the switching trigger of the common keys 51a and 51b and the switching trigger of the data for electronic signatures 52a and 52b are generated independently, but the common keys 51a and 51b and the digital signature are switched according to one switching trigger. Both data 52a and 52b may be switched simultaneously.

[2.3 Automatic switching by roadside machine 2]
FIG. 8 shows the details of the procedure for switching the security processing data (common key 51a, 51b or electronic signature data 52a, 52b) by the roadside device 3 itself judging the switching time.
The processing unit 33 included in the wireless device 32 of the roadside device 3 uses the timer 33d to determine the switching timing of the security processing data (step S24-1). When the switching time is reached, the processing unit 33 automatically switches the security processing data to new security processing data (step S25-1). That is, the roadside machine 3 can perform switching based on the judgment of the roadside machine 3 itself even if there is no switching instruction from the center device 20. In this case, since the information necessary for switching (new security processing data) is not transmitted from the center device 20, the exposure of the security processing data is small, and the communication amount between the center device 20 and the roadside device 3 is small. it can. Moreover, since it can switch by roadside machine 3's own judgment, the operation stop time of the roadside machine 3 accompanying switching can be shortened.

  When the switching is completed, the processing unit 33 transmits a switching result notification to the center device 20 via the control device 31 of the roadside machine 3 (steps S26 and S35). The switching result notification may include the ID of the roadside device 3, the device ID 58 of the secure application module (SAM) of the wireless device 32, the type of switched security processing data, and its ID. The secure application module (SAM) is a module that executes the security process 33a. The SAM identifier is stored in the storage unit 34 as “device ID” 58.

  As described above, the timer 33d is used to determine the switching time by the roadside device 3. The time (timer value; including date) of the timer 33d is corrected by the time correction command (step S13) from the center device 20 or the time information (steps S41 and S42) transmitted from the GPS satellite (positioning satellite). The time of the timer 33d can be kept appropriate.

  The center device 20 periodically generates a time correction command (steps S11 and S14). The time correction command includes the ID of the center device 20, time information, the ID of the application that generated the time correction command, and the like. The processing unit 23 of the center device 20 can perform security processing on the time correction command (steps S12 and S15). Thereafter, the time correction command is transmitted to the roadside device 3 (steps S13, S31, S16, S33).

  The security process applied to the time adjustment command is at least one of the addition of the electronic signature 10a generated using the center secret key 24b and the encryption of the time adjustment command (see FIG. 3). A common key shared by the center apparatus 20 and the roadside device 3 is used as the encryption key used for encrypting the time correction command. As the common key, the center device 20 may have the same common key table 51 as the roadside device 3 and may use the common keys 51a and 51b included in the common key table 51. The encryption key used for encrypting the time correction command may be another randomly generated common key. When the center device 20 randomly generates a common key, the common key is preferably encrypted with the common keys 51 a and 51 b included in the common key table 51 and given to the roadside device 3. The security process for the time correction command may be omitted.

The processing unit 33 of the roadside machine 3 verifies the time correction command (step S21). Specifically, the processing unit 33 of the roadside machine 3 verifies the security processing of the time correction command when the security processing is applied to the time correction command (step S21). Since the timer value of the timer 33d affects the determination of the switching time, the correctness or completeness of the time correction command (steps S11 and S14) from the center device 20 is guaranteed in order to perform switching appropriately. Is preferred. Since the electronic signature is attached to the time correction command, the processing unit 33 can verify the authenticity of the time correction command. Thereby, it becomes a countermeasure against counterfeiting of the center apparatus 20. Further, since the time correction command is encrypted, the processing unit 33 can verify the completeness of the time correction command. In addition, the processing unit 33 verifies whether or not the time information included in the time correction command has deviated from another time referred to for verification (verification time) by a predetermined time or more. The time for verification is, for example, time information included in data transmitted by another roadside device 3, time managed by the roadside device 3 itself (timer 33d) (time before correction by the time correction command), or GPS satellite Time information transmitted from can be adopted.
The processing unit 33 determines that the time information included in the time correction command is an inappropriate time correction command when there is a divergence greater than or equal to a predetermined time compared to the verification time. A plurality of verifications may be performed using each of the plurality of times described above as the verification time.
If the processing unit 33 determines that the time correction command is appropriate as a result of the verification, the processing unit 33 accepts the time correction command and corrects the timer value of the timer 33d (step S22). When the processing unit 33 determines that the time correction command is inappropriate as a result of the verification, the processing unit 33 does not perform correction based on the time correction command.
When the time correction is performed, the processing unit 33 transmits a time correction response to the control device 31 of the roadside machine 3 (step S23). As a result, the control device 31 also corrects the time (step S32). By doing so, the control device 31 can also correct the time in accordance with the time correction command from the regular center 2.
When the time correction command is not performed because the time correction command is inappropriate, the processing unit 33 may notify the control device 31 that the time correction command is abnormal (unsuitable). The control device 31 can further notify the center device 30 that the time correction command is abnormal. Further, when the time correction command is abnormal, the processing unit 33 may disable (lock) the security processing data until a predetermined unlocking procedure is performed (execution of switching lock). The unlocking procedure is, for example, a password input to the processing unit 33.

[2.4 Switching by instructions from the center device 20]
FIG. 9 shows details of the procedure for switching the security processing data (the common keys 51a and 51b or the electronic signature data 52a and 52b in response to a switching instruction from the center device 20.
Also in FIG. 9, the time of the timer 33d is corrected by the time correction command (steps S13 and S16) from the center device 20 as in FIG.

In FIG. 9, the processing unit 23 of the center device 20 generates a security processing data switching instruction at an appropriate time (such as an update time) (step S <b> 17). The switching instruction includes the ID of the center device 20, time information, the ID of the application that generated the switching instruction, the ID of the roadside device that is the switching instruction destination, and the like. When there are a plurality of types of security processing data to be switched, the switching instruction includes information specifying the type of security processing data to be switched. The information specifying the type of security processing data includes whether the security processing data to be switched is the common key (first security processing data) 51a, 51b, or the data for electronic signature (second security processing data). This is information for distinguishing between 52a and 52b.
The switching instruction includes only information that can be generated by the center apparatus 20 itself, and does not include information generated by the management organization 100 and provided from the management organization 100 (such as security processing data).

  For example, information provided from the management organization 100 such as security processing data after switching or information (ID) indicating security processing data after switching may be included in the switching instruction. However, in this case, each time switching is performed, the center 2 needs to acquire new security processing data from the management organization 100, and distribute the new security processing data after switching to the subordinate roadside device 3, which is complicated. It becomes. Further, the center 2 needs to strictly manage the security processing data to be distributed in the same manner as the management organization 100.

  In this regard, in the present embodiment, even if the switching instruction does not include information (new security processing data or the like) generated by the management organization 100 for switching, the roadside device 3 can perform a plurality of security processing. Information is stored in advance, and the next security processing data can be determined by itself. Accordingly, exposure of security processing data can be avoided, switching processing is facilitated, and operation stop time of the roadside machine 3 accompanying switching can be reduced.

Here, the switching instruction transmitted by the processing unit 33 may be issued by the management organization 100. The processing unit 23 of the center apparatus 20 acquires the switching instruction issued and transmitted by the management organization 100 (the management apparatus thereof), and stores it in the tamper resistant area of the storage unit 24. In this case, it is assumed that the center device 20 and the management organization 100 (management device) are connected online.
When the processing unit 23 of the center apparatus 20 needs to transmit a switching instruction to the roadside device 3, the processing unit 23 reads the switching instruction stored in the tamper resistant area of the storage unit 24 and sends the read switching instruction to the roadside device 3. Send.

  In the switching instruction issued by the management organization 100, it is preferable that an expiration date or the number of possible uses is set. When the switching unit 23 of the center apparatus 20 needs to be updated, the processing unit 23 transmits a switching instruction request to the management institution 100 and acquires information on the switching instruction from the management institution 100. The acquired switching instruction information is securely stored in the tamper resistant area of the storage unit 24. Thereby, the switching instruction | indication which the center apparatus 20 has is updated. The center device 20 may acquire a switching instruction to be transmitted from the management organization 100 every time a switching instruction is transmitted to the roadside device 3. Thereby, it is possible to suppress an unauthorized switching instruction from being transmitted to a roadside device by an unauthorized center device (for example, a center device illegally accessed by a malicious third party).

The processing unit 23 of the center apparatus 20 can perform security processing for the generated switching instruction (step S18). Thereafter, the switching instruction is transmitted to the roadside device 3 (steps S19 and S34).
The security process applied to the switching instruction is the same as the security process for the time correction command. That is, the security process applied to the switching instruction is at least one of the addition of the electronic signature 10a generated using the center secret key 24b and the encryption of the switching instruction (see FIG. 3). Security processing for the switching instruction may be omitted.

  When the security process is applied to the switching instruction, the processing unit 33 of the roadside machine 3 verifies the security process of the switching instruction (step S24-2). Since the electronic signature is attached to the switching instruction, the processing unit 33 can verify the authenticity of the switching instruction. Thereby, the counterfeit countermeasure of the center apparatus 20 can be performed. Further, since the switching instruction is encrypted, the processing unit 33 can verify the completeness of the switching instruction.

When it is determined that the instruction is an appropriate switching instruction as a result of the verification of the security process, the processing unit 33 further verifies whether or not the instruction is a switching instruction of an appropriate switching time by using the timer 33d. The appropriateness of the timing is, for example, by comparing the timing at which the switching instruction is received with the switching timing set in advance based on the expiration date of the security processing data to be switched (for example, the predetermined period in FIG. 7). I can judge.
In addition, the appropriateness of the time may be determined by comparing the time when the previous switching instruction is received with the time when the current switching instruction is received. Since one generation of security processing data is expected to be used for a long period of time in principle, some occurrence of frequent switching instructions is suspected. Therefore, it is preferable that the switching is not performed even if the switching instruction is received for a predetermined period immediately after the switching instruction is received. That is, if the period from the time when the previous switching instruction is received to the time when the current switching instruction is received is less than the predetermined period, it is determined that the switching instruction is inappropriate and the switching is not performed.

  When determining that the timing of the switching instruction is also appropriate, the processing unit 33 accepts the switching instruction and switches the currently used security processing data to new security processing data (step S25-2). When the security processing data to be switched is specified in the switching instruction, only switching of the specified type of security processing data is performed.

  When the switching instruction includes the ID (ID 51c, 55a) of the security processing data to be switched, the processing unit 33 includes the ID corresponding to the security processing data currently used by the roadside device 3 and the switching instruction. In contrast, when both are separated by a predetermined value or more (for example, two generations or more), it may be determined that the switching instruction is inappropriate.

  When the switching instruction is not performed because the switching instruction is inappropriate, the processing unit 33 may notify the control device 31 that the switching instruction is abnormal (unsuitable). The control device 31 can further notify the center device 30 that the switching instruction is abnormal. Further, when the switching instruction is abnormal, the processing unit 33 may disable the switching of the security processing data (switch lock) until a predetermined unlocking procedure is performed (execution of the switch lock). The unlocking procedure is, for example, a password input to the processing unit 33.

  Verification of the appropriateness of the timing of the switching instruction may be omitted. When the verification of the appropriateness of the timing of the switching instruction is omitted, the switching can be performed based on the switching instruction from the center device 20 even at a time other than the switching time preset based on the expiration date. In this case, when a leakage of security processing data or the like is detected, the roadside device 3 can switch to the next generation security processing data even before the expiration date by an instruction from the center device 20. That is, the security processing data can be switched urgently.

  When the switching is completed, the processing unit 33 transmits a switching result notification to the center device 20 via the control device 31 of the roadside machine 3 (step S35). This switching result notification is the same as that shown in FIG. 8, but the processing unit 33 of the roadside device 3 may perform security processing (addition of an electronic signature or encryption) on the switching result notification. The electronic signature is generated by the roadside secret key 52b, and encryption can be performed with a common key shared with the center apparatus 20.

[2.5 Verification of roadside machine 3 by center device 20]
FIG. 10 shows a procedure in which the center device 20 verifies the roadside device 3 before transmitting the security processing data switching instruction to the roadside device 3.
Also in FIG. 10, the time of the timer 33d is corrected by the time correction command (step S13) from the center device 20 as in FIG.

In FIG. 10, the center device 20 generates a roadside device information request at an appropriate time (step S111). The roadside machine information request includes the ID of the center device 20, time information, the ID of the application that generated the roadside machine information request, and the like.
The processing unit 23 of the center device 20 can perform security processing for the generated roadside device information request (step S112). Thereafter, the roadside machine information request is transmitted to the roadside machine 3 (step S113).
The security process applied to the roadside machine information request is the same as the security process for the time correction instruction and the switching instruction. That is, the security process applied to the roadside device information request is at least one of the addition of the electronic signature 10a generated using the center secret key 24b and the encryption of the roadside device information request. Security processing for a roadside machine information request may be omitted.

  When receiving the roadside machine information request, the control device 31 of the roadside machine 3 transmits a SAM information request to the wireless device 32 (step S131). The SAM information request is a request for the control device 31 to acquire information on the roadside device 3 from the wireless device 32. The SAM information request includes the roadside machine ID and the roadside machine information request transmitted from the center device 20.

Upon receiving the SAM information request, the processing unit 33 of the wireless device 32 prepares SAM information (SAM information response) and performs security processing on the SAM information. This security processing is at least one of, for example, addition of an electronic signature generated using the roadside secret key 52b and encryption of SAM information. The SAM information can be encrypted using, for example, a common key shared with the center apparatus 20.
The SAM information includes the roadside machine ID, the content of the roadside machine information request, the device ID (of SAM), and the switching counter. The switching counter is information indicating the ID of the security processing data currently used.

  Thereafter, the processing unit 33 transmits a SAM information response to the control device 31 (step S122). Receiving the SAM information response, the control device 31 transmits a roadside device information response to the center device 20 (step S114). The roadside device information response includes the contents of the SAM information response.

  When receiving the roadside device information response, the processing unit 23 of the center device 20 verifies the roadside device 3 (step S115). For example, the processing unit 23 checks the roadside machine ID and device ID included in the roadside machine information response (SAM information), and verifies whether the roadside machine 3 is a legitimate roadside machine 3 (presence of forgery). Further, the processing unit 23 may monitor the value of the switching counter and verify whether or not the value is appropriate. Further, when the roadside machine information response includes information on the time (value of the timer 33d) of the roadside machine 3, the probability of the time of the roadside machine 3 may be verified. Security processing applied to roadside machine information may be verified.

  Further, the processing unit 23 may verify the roadside device 3 based on the transmission source IP address of the roadside device information response. In the communication between the roadside device 3 and the center device 20, the router 7 performs network address translation (NAT), so that the router 7 to which the roadside device 3 is connected transmits the information transmitted from the roadside device 3. It becomes. The processing unit 23 can verify the roadside device 3 depending on whether or not the roadside device information response is transmitted from the appropriate router 7. For example, when the stolen or forged roadside device 3 tries to connect to the center device 20 via a router different from the appropriate router 7, the source IP address (IP address of the router) is confirmed. Thus, it can be detected that the roadside device is not properly installed.

  As a result of verifying the roadside device 3, the processing unit 23 generates a security processing information switching instruction when it is determined that the roadside device 3 is appropriate (step S17). Step S17 in FIG. 10 and the subsequent steps are the same processing as step 17 and the subsequent steps in FIG.

The roadside device 3 may transmit a switching request to the center device 20 when the security processing data switching time has been reached (step S114). The switching request includes the same content as the roadside machine information response described above. When there are a plurality of types of security processing data that the roadside device 3 has, the switching request includes information that specifies the type of security processing data that the roadside device 3 wants to be switched.
When the center device 20 verifies the content of the switching request (step S115) and determines that the switching request is from the appropriate roadside device 3, the center device 20 can generate a security processing information switching instruction (step S17).
Further, when the roadside device 3 transmits a switching request to the center device 20, the center device 20 transmits a roadside device information request to the roadside device 3, verifies the roadside device information response, and then generates a switching instruction. You may do it.

  8 and 9, the roadside device 3 performs verification of the center device 20 (verification of time correction command or switching notification). However, in the procedure illustrated in FIG. 10, the center device 20 also verifies the roadside device 3. I do. That is, the security processing data is switched after the verification by mutual authentication is performed. Therefore, the procedure shown in FIG. 10 is more secure than FIGS.

[2.6 Contrast with Comparative Example]
FIG. 11 shows a comparative example. When the security processing data for a plurality of generations is not stored in the roadside device 3, the center 2 sends the security processing data from the management organization 100 to the recording medium every time the security processing data is updated as shown in FIG. It is necessary to perform a procedure for obtaining the security processing data 150 for the roadside device stored in 400 to update the security processing data 150 for the subordinate roadside device 3. In this case, since the center 2 handles not only the security processing data 24a and 24b of the center 2 itself but also the security processing data 150 for the roadside machine, strict management is required.

  On the other hand, in this embodiment, the center 2 only needs to obtain the security processing data 24a24b used by itself from the management organization 100, and does not need to handle the roadside machine security processing data. The burden of is reduced.

  In the present embodiment, the security processing data for the roadside machine 3 must be transmitted from the management organization 100 to the roadside machine 3 (for example, the security processing data for future generations of the roadside machine 3 When a leakage occurs), as in the comparative example, new security processing data (common key table or electronic signature data table) is transferred from the management organization 100 to the roadside device 3 via the center device 20. Does not prevent you from sending. In order to perform secure transmission from the management organization 100 to the roadside device 3, a common key (table update key 59) shared between the management organization 100 (the management apparatus) and the roadside device 3 is used. The table update key 59 is stored in a tamper resistant area of the storage unit 34 of the roadside machine 3 (see FIG. 3). A similar table update key 59 is stored in the tamper-resistant area of the storage unit of the management apparatus of the management organization 100. The management apparatus of the management organization 100 performs security processing on data to be transmitted to the roadside device 3 with the table update key 59.

[2.7 Verification of road-to-vehicle communication data by in-vehicle device (mobile station)]
As described above, the storage unit 44 of the in-vehicle device 4 stores a common key table 44a similar to the common key table 51 (see FIG. 4A) of the roadside device 3 (see FIG. 2).
The processing unit 43 of the in-vehicle device 4 uses the communication key specified by the “key ID” 51 c included in the road-to-vehicle communication data received by the in-vehicle device 4 for security processing. That is, the roadside device 3 uses the ID (identifier) of the master key 51a used for the security processing of the transmission data (roadway-to-vehicle communication data) of the roadside device 3 as the “key ID (key identifier)” 51c to perform road-vehicle communication. It is added to the data (see FIG. 5A). When receiving the road-to-vehicle communication data including the “key ID (key identifier)” 51c, the in-vehicle device 4 refers to the common table 44a in the storage unit 44 based on the “key ID” 51c included in the road-to-vehicle communication data. The key bear (master key and communication key pair; security processing key) corresponding to the ID (identifier) that matches the “key ID” 51c included in the road-to-vehicle communication data is specified. The processing unit 43 of the in-vehicle device 4 performs processing (security processing) for unsecure secure road-to-vehicle communication data using the specified master key, and also uses the specified communication key to convert the vehicle-to-vehicle communication data. Process to secure (security process).

  The in-vehicle device 4 uses the communication key ID (identifier) used for the security processing of the transmission data (vehicle-to-vehicle communication data) of the in-vehicle device 4 as the “key ID (key identifier)” as the “vehicle ID”. Append to inter-vehicle communication data. When the other in-vehicle device 4 and the roadside device 3 receive the inter-vehicle communication data, the other on-vehicle device 4 and the roadside device 3 specify a necessary communication key based on the “key ID” included in the inter-vehicle communication data.

As described above, the in-vehicle device 4 has a plurality of (a plurality of generations) of security processing data (as the common key table 51) in advance, and the security processing data actually used by the in-vehicle device 4 (its generation). Is specified by a “key ID” included in transmission data (road-vehicle communication data; vehicle-to-vehicle communication data) from the roadside device 3 or the like.
However, in the case of an inappropriate roadside machine 3 such as a stolen roadside machine, the generation of the security processing data used by the roadside machine 3 may be inappropriately switched to the next generation (future generation).

  When the generation of the security processing data used by the roadside device 3 is switched inappropriately, the vehicle-mounted device 4 that has received the road-to-vehicle communication data transmitted by the roadside device 3 inappropriately uses the generation of the security processing data used. It will switch to. Furthermore, the influence of improper switching of the security processing data generation may possibly affect other in-vehicle devices 4 via the inter-vehicle communication data.

  FIG. 12 shows a procedure of security processing data switching processing in the in-vehicle device 4. In the procedure of FIG. 12, data (here, especially road-to-vehicle communication data here) from a transmission source (here, especially roadside equipment 3) that may have been switched inappropriately, (Mobile station) 3 can discriminate and eliminate.

When receiving the data (road-to-vehicle communication data), the processing unit 43 of the in-vehicle device 4 verifies the data (road-to-vehicle communication data) (steps S41 and S42). As a result of the verification, the received data is inappropriate. If it is determined that the data is correct, the received data (road-to-vehicle communication data) is discarded (step S43). Therefore, even if the generation of the security processing data used by the roadside device 3 is switched inappropriately, the in-vehicle device 4 refrains from switching the generation of the security processing data (non-execution of switching). Further, when the processing unit 43 determines that the received data is inappropriate data, it indicates that the roadside device 3 that is the transmission source of the data is an abnormal roadside device, the other in-vehicle device 4 or another roadside device. The machine 3 is notified by wireless communication (step S44). Thereby, the other in-vehicle device 4 or the other roadside device 3 can easily recognize the existence of the abnormal roadside device and prevent the generation of the security processing data from being inappropriately switched.
If the processing unit 43 determines that the received data is not inappropriate as a result of the verification, the processing unit 43 determines the generation of the security processing data (key) used for the security processing as the “key ID” 51c included in the received data. Is switched to the generation specified by (step S45).

  In FIG. 12, verification of the received road-vehicle communication data includes two verifications (steps S41 and S42). The first verification is verification of the public key certificate 52a (see FIG. 5A) included in the road-vehicle communication data (security header thereof) (step S41), and the second verification is road-vehicle communication data. This is verification of the key ID 51c included in the (security header).

  In the first verification, the processing unit 43 performs verification based on the expiration date 52a-2 of the public key certificate 52a. Here, the expiration date 52a-2 of the public key certificate 52a has not passed, and even if it is a valid public key certificate 52a, the generation of the security processing data of the roadside device 3 is inappropriate and future generations. When it is switched to, the period from the current time to the expiration date becomes abnormally long. Therefore, in the first verification (step S41), the processing unit 43 performs verification with reference to the expiration date 52a-2 of the public key certificate 52a. For example, when the period between the current time and the expiration date 52a-2 is equal to or longer than a predetermined period (for example, 10 years or longer), it is determined to be inappropriate. For example, if the normal validity period of one public key (1 generation) is 5 years, the public key certificate 52a having an expiration date of 10 years or more ahead is that of 2 generations or more away. The generation may have been switched inappropriately. However, such road-to-vehicle communication data is excluded by the first verification.

  In the second verification, the processing unit 43 performs verification based on the key DI 51c. The processing unit 43 compares the ID corresponding to the currently used security processing keys (key pairs) 51a and 51b with the key ID included in the received data, and both are equal to or greater than a predetermined value (for example, 2) More than 2 generations) Also in this case, it is possible to exclude road-vehicle communication data from the roadside device 3 that may have a generation switched inappropriately.

  Note that only one of the first verification and the second verification may be performed. Further, the verification shown in FIG. 12 includes verification of whether or not the roadside device 3 that is the transmission source of road-to-vehicle communication data is a roadside device that has been notified as an abnormal roadside device from another in-vehicle device 3. Also good.

[3. Addendum]
The above-described embodiments and modifications should be considered as illustrative in all points and not restrictive. The scope of the present invention is defined by the terms of the claims, rather than the description above, and is intended to include any modifications within the scope and meaning equivalent to the terms of the claims.

1 Communication system 2 Center (service provider)
3 Roadside device 4 Vehicle-mounted device 5 Communication line 7 Router 10 Transmission data 20 Center device (service provider device)
23 processing unit 23a security processing 23b switching instruction 23c time correction 24 storage unit 24a center public key certificate 24b private key 31 control device 32 wireless device 33 processing unit 33a security processing 33b switching processing 33c time correction 33d timer 34 storage unit 35 wireless communication Unit 36 GPS receiver 43 processing unit 43a security processing 44 storage unit 44a common key table 45 wireless communication unit 50 security processing data group 51 common key table (a plurality of first security processing data)
51a Master key 51b Communication key 51c ID
52 Data table for electronic signature (multiple second security processing data)
52a Roadside public key certificate 52a-1 Public key 52a-2 Expiration date information 52b Private key 52c Electronic signature 55 Common key table ID switching list 55a Key ID
55b Expiration date information 56 Electronic signature data switching list 56a Data ID
56b Expiration date information 58 Device ID
100 Management Organization 150 Security Processing Data 200 Recording Medium 300 Recording Medium 400 Recording Medium

Claims (1)

A roadside machine,
A storage unit storing a plurality of data for security processing;
A processing unit that performs security processing on communication data of the roadside device using any of the plurality of security processing data;
With
The processing unit determines new security processing data to be used from among the plurality of security processing data when an opportunity to switch the security processing data currently used occurs.

Images